Kaspersky GReAT experts describe the unprecedentedly complex Brazilian banking Trojan GoPix that employs memory-only implants, Proxy AutoConfig (PAC) files for man-in-the-middle attacks, and malvertising via Google Ads.

Securelist is a cybersecurity blog and research platform operated by Kaspersky Lab. It offers insights, analysis, and reports on cybersecurity threats, vulnerabilities, and malware campaigns. Developers can learn about emerging cyber threats, security best practices, and mitigation strategies to protect their applications and systems. Additionally, Securelist provides insights into cybersecurity trends, threat intelligence, and industry developments, offering resources for cybersecurity professionals.

Securelist

Kaspersky GReAT researchers detail GoPix, an advanced banking Trojan targeting Brazilian financial institutions and cryptocurrency users. Active since at least December 2022, GoPix spreads via Google Ads malvertising impersonating WhatsApp, Chrome, and other popular services. The malware uses memory-only implants, multi-stage obfuscated PowerShell scripts, and stolen code-signing certificates to evade detection. It performs man-in-the-middle attacks using Proxy AutoConfig (PAC) files combined with injected rogue root certificates to intercept HTTPS traffic on targeted banking sites. GoPix monitors and manipulates Pix transactions, Boleto slips, and cryptocurrency wallet addresses. It uses legitimate anti-fraud scoring services to pre-qualify victims and avoid sandboxes, employs very short-lived C2 infrastructure, and injects its payload into browser processes to intercept financial data while leaving minimal disk artifacts.

GoPix banking Trojan targeting Brazilian financial institutions