How the Javali trojan weaponizes Avira antivirus

Latin American trojans are on the rise, and Javali is another piece of malware that uses a legitimate binary from Avira AV to load into the memory of the .

What is the Javali trojan?

The Javali trojan was first observed by the Kaspersky team in November 2017 and was later described in detail by Segurança-Informática. This piece of malware has grown in both volume and sophistication in recent months. As noted for other trojans from Latin America, Javali uses routines and calls similar to those observed in other trojans such as Grandoreiro, URSA and Lampion.

As described by Segurança-Informática:

(…) part of these trojan families are using padding to enlarge the binary; empty sections or even BMP images attached as a resource (…). Other trojans use this technique as it allows them to evade detection and execute the malicious code on the target machines, bypassing detection based on static file signatures.

The researchers said that these trojans share several modules and code, a clear sign of collaboration between the Latin American threat groups.

Figure 1: High-level diagram of the modus operandi of the most popular Latin American trojans.
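The padding trick quoted above (oversized binaries, empty sections, BMP images stuffed into the resource section) leaves a measurable shape on disk, which is what a triage script can look for instead of relying on a static signature of the whole file. The following script is an added example written for this page; it is not code from the article, from Segurança-Informática or from Kaspersky. It parses the PE section table with the standard library only, reports each section's size, zero-byte ratio and Shannon entropy, counts plausible BMP file headers inside a section, and also measures any overlay appended after the last section (a generalization beyond the quote). The thresholds (64 KiB and 90% zeros), the BMP heuristic and the sample PE built by `build_sample_pe` are all assumptions constructed for the demonstration, not values taken from the Javali samples.

```python
# Added example (not from the original article): standard-library-only PE
# padding triage. Thresholds and the sample image are constructed assumptions.
import math
import struct
from collections import Counter

SECTION_HDR = "<8sIIIIIIHHI"  # IMAGE_SECTION_HEADER layout, 40 bytes


def section_table(data: bytes) -> list:
    """Return the PE section headers as dicts (name, sizes, raw offset)."""
    if data[:2] != b"MZ":
        raise ValueError("missing DOS header")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    coff = e_lfanew + 4
    num_sections = struct.unpack_from("<H", data, coff + 2)[0]
    opt_size = struct.unpack_from("<H", data, coff + 16)[0]
    first = coff + 20 + opt_size
    out = []
    for i in range(num_sections):
        name, vsize, _vaddr, raw_size, raw_ptr, *_ = struct.unpack_from(
            SECTION_HDR, data, first + 40 * i)
        out.append({"name": name.rstrip(b"\0").decode("ascii", "replace"),
                    "virtual_size": vsize, "raw_size": raw_size, "raw_ptr": raw_ptr})
    return out


def shannon_entropy(buf: bytes) -> float:
    """Bits per byte: ~0 for zero padding, ~8 for packed or encrypted data."""
    if not buf:
        return 0.0
    n = len(buf)
    return -sum(c / n * math.log2(c / n) for c in Counter(buf).values())


def count_bmp_headers(buf: bytes) -> int:
    """Heuristic count of BITMAPFILEHEADERs: 'BM', a size that fits in the
    buffer, zeroed reserved words. Not a full resource-directory walk."""
    hits, i = 0, buf.find(b"BM")
    while i != -1:
        if i + 14 <= len(buf):
            size, res1, res2, pix_off = struct.unpack_from("<IHHI", buf, i + 2)
            if 14 <= size <= len(buf) - i and res1 == res2 == 0 and pix_off >= 14:
                hits += 1
        i = buf.find(b"BM", i + 1)
    return hits


def analyze(data: bytes, min_bytes: int = 64 * 1024, zero_ratio: float = 0.9) -> dict:
    """Flag sections that are large and almost entirely zero bytes (padding),
    and report how many bytes trail the last section (overlay)."""
    sections, end = [], 0
    for s in section_table(data):
        body = data[s["raw_ptr"]:s["raw_ptr"] + s["raw_size"]]
        zeros = body.count(0) / len(body) if body else 0.0
        sections.append({
            "section": s["name"], "raw_size": len(body), "zero_ratio": zeros,
            "entropy": shannon_entropy(body), "bmp_headers": count_bmp_headers(body),
            "padded": len(body) >= min_bytes and zeros >= zero_ratio,
        })
        end = max(end, s["raw_ptr"] + s["raw_size"])
    return {"sections": sections, "overlay_bytes": max(0, len(data) - end)}


def build_sample_pe(sections, file_align: int = 0x200) -> bytes:
    """Constructed minimal PE32 image: just enough headers for section_table()."""
    n = len(sections)
    first_raw = -(-(64 + 4 + 20 + 224 + 40 * n) // file_align) * file_align
    hdr = bytearray(b"MZ" + b"\0" * 58 + struct.pack("<I", 64))    # e_lfanew = 64
    hdr += b"PE\0\0"
    hdr += struct.pack("<HHIIIHH", 0x14C, n, 0, 0, 0, 224, 0x102)  # COFF header
    hdr += struct.pack("<H", 0x10B) + b"\0" * 222                  # zeroed PE32 optional header
    bodies, cursor, vaddr = bytearray(), first_raw, 0x1000
    for name, body in sections:
        raw = -(-len(body) // file_align) * file_align
        hdr += struct.pack(SECTION_HDR, name.ljust(8, b"\0"), len(body), vaddr,
                           raw, cursor, 0, 0, 0, 0, 0x40000040)
        bodies += body + b"\0" * (raw - len(body))
        cursor += raw
        vaddr += -(-raw // 0x1000) * 0x1000
    hdr += b"\0" * (first_raw - len(hdr))
    return bytes(hdr + bodies)


# Constructed sample: a small high-entropy code section plus a ~192 KiB resource
# section holding one BMP header followed by all-zero pixel data.
_PIXELS = 192 * 1024
_BMP = b"BM" + struct.pack("<IHHI", 54 + _PIXELS, 0, 0, 54) + b"\0" * 40 + b"\0" * _PIXELS
SAMPLE_PE = build_sample_pe([(b".text", bytes(range(256)) * 8), (b".rsrc", _BMP)])

if __name__ == "__main__":
    report = analyze(SAMPLE_PE)
    for f in report["sections"]:
        print(f"{f['section']:<8} raw={f['raw_size']:>7} zeros={f['zero_ratio']:.3f} "
              f"entropy={f['entropy']:.2f} bmp={f['bmp_headers']} padded={f['padded']}")
    print("overlay bytes:", report["overlay_bytes"])
```

Run against the constructed sample, `.text` comes out small and dense (entropy 8.0, almost no zeros) while `.rsrc` is flagged as padded with one BMP header; on a real file the same report separates a legitimately large resource section (many varied resources, mid-range entropy) from a section that exists only to push the file past a size limit. Treat a hit as a reason to look closer, not as a verdict: installers and games legitimately carry large bitmaps.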

Javali’s modus operandi

The malicious

