Javali

Malware updated 7 months ago (2024-05-04T20:17:57.244Z)
Javali is a multistage malware that has been active since November 2017, primarily targeting customers of financial institutions in Portuguese- and Spanish-speaking countries, with a particular focus on Brazil and Mexico. Part of a group of banking trojans that includes Guildma, Melcoz, and Grandoreiro, Javali is an example of a Brazilian banking operation expanding its attacks abroad. It distributes its initial payload via phishing emails, either as an attachment or as a link to a website, and uses allowlisted and signed binaries, Microsoft Installer files, and DLL hijacking to infect victims en masse, while still targeting specifically by country.

On February 26, 2024, cybersecurity researchers warned about a spike in email phishing campaigns weaponizing the Google Cloud Run service to deliver various banking trojans such as Astaroth (aka Guildma), Mekotio, and Ousaban (aka Javali) across Latin America and Europe. Notably, the Grandoreiro malware family, which includes strains like Javali, Casbaneiro, Mekotio, and Grandoreiro itself, has been active for years. These malware families share a lineage: a Delphi-based ancestor from which source code components have been passed down and modified through generations.

The widespread success of these malware attacks can be attributed to a lack of user awareness of phishing and malware threats, resulting in a higher number of victims who unknowingly click and are affected. As the general population becomes more upwardly mobile, the pool of potential victims grows. Javali, along with other malware variants, has evaded detection by using modular installers and by adopting third-party libraries such as IndyProject for communication with the C2. After deobfuscation, Javali was found to be specifically looking for Mexican bank customers.
Description last updated: 2024-05-04T19:48:17.247Z
Possible Aliases / Cluster overlaps
It is hard to track cluster overlaps and naming conventions between vendors, so here are some possibly overlapping names and profiles you may also want to look at.
Alias: Grandoreiro (4 votes)
Description: Grandoreiro is a possible alias for Javali. Grandoreiro is a malicious software, or malware, specifically a banking Trojan that targets banks worldwide. Initially originating from a Brazilian banking group, Grandoreiro has expanded its reach to other countries, becoming a significant threat in the cyber landscape. It operates by infiltrating
Miscellaneous Associations
Other elements of context that could help in assessing relevance:
Malware
Phishing
Banking
Payload
Source Document References
Information about the Javali malware was read from the source document corpus.