Casbaneiro Banking Trojan Spreads via Dynamic PDF Phishing
Brazilian threat actor Augmented Marauder targets Latin America and Europe with Casbaneiro banking trojan, using dynamically generated court summons PDFs and Horabot for worm-like propagation.
A Brazilian cybercrime group tracked as Augmented Marauder is running a multi-vector campaign to spread the Casbaneiro banking trojan across Latin America and Europe. Trend Micro researchers documented the operation, which uses dynamically generated court summons PDFs and a worm-like propagation mechanism to maximize infections among Spanish-speaking targets.
The Phishing Operation
The campaign begins with phishing emails disguised as legal notices. Victims receive messages claiming to contain court summons or judicial documents, with password-protected PDF attachments. The password requirement adds perceived legitimacy—real court documents are sometimes encrypted—while also evading email gateway scanning that can't analyze protected files.
When users open the PDF and click the embedded link, they trigger an automatic ZIP archive download. This archive contains HTML Application (HTA) and VBS payloads that initiate the infection chain.
What makes this campaign unusual is the PDF generation. The documents aren't static files copied across thousands of emails. Instead, a remote PHP API dynamically creates personalized judicial summons documents for each target, incorporating details harvested from reconnaissance or purchased data. Each victim receives a unique, tailored lure.
Casbaneiro and Horabot: A Two-Stage Payload
The final malware deployment includes two components: Casbaneiro (the primary banking trojan) and Horabot (a propagation tool).
Casbaneiro, also known as Metamorfo, is a well-documented Brazilian banking trojan active since at least 2018. The current variants target major financial institutions across Central and South America—including Santander, Banco do Brasil, and various regional banks—plus payment platforms and cryptocurrency exchanges.
The trojan monitors browser activity, waiting for users to navigate to targeted banking sites. It then overlays fake login pages to harvest credentials, intercepts two-factor authentication codes, and can initiate fraudulent transactions in real time while the victim believes they're using their legitimate banking session. For readers unfamiliar with these techniques, our guide to social engineering attacks explains the psychological manipulation tactics that make these campaigns effective.
Horabot handles distribution. Once installed on a victim's system, it:
- Harvests email contacts from Microsoft Outlook
- Generates unique password-protected PDFs via the remote server API
- Sends phishing emails to harvested contacts using compromised email accounts
- Hijacks Yahoo, Live, and Gmail accounts for additional distribution capacity
This worm-like behavior means each successful infection can spawn dozens of new phishing campaigns targeting the victim's contacts, colleagues, and business partners. We've seen similar contact-harvesting techniques in the EvilTokens device code phishing campaign that hit 340+ Microsoft 365 organizations.
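Both halves of this operation leave a signature at the mail gateway: inbound, a password-protected PDF from an outside sender on a judicial theme; outbound, one mailbox suddenly pushing PDF attachments to a long list of distinct contacts. The following is an added example written for this article, not code from Trend Micro's report or from the campaign. The message dicts, log tuples, keyword list and thresholds are all constructed assumptions; the check for an encrypted PDF relies only on the fact that an encrypted PDF declares an /Encrypt entry in its trailer dictionary.

```python
"""Mail-gateway checks for the lure and for Horabot-style propagation.

Constructed illustration: message dicts, log tuples, keywords and thresholds
are assumptions, not values taken from the campaign.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# A PDF declares encryption with an /Encrypt entry in its trailer dictionary
# (or in a cross-reference stream dictionary). A byte scan is enough to flag
# it; the gateway never needs the password or a full parser.
_ENCRYPT_RE = re.compile(rb"/Encrypt\b")

# Constructed keyword list for the judicial-notice theme; tune per organisation.
LURE_KEYWORDS = ("citación", "citacion", "juzgado", "demanda", "court summons", "judicial")


def is_encrypted_pdf(data: bytes) -> bool:
    """True when the bytes carry a PDF header and declare an /Encrypt entry."""
    return data.startswith(b"%PDF-") and _ENCRYPT_RE.search(data) is not None


def score_inbound(message: dict, trusted_domains: set) -> list:
    """Return the reasons an inbound message matches the lure pattern.

    `message` is a constructed dict: {"from", "subject", "attachments": {name: bytes}}.
    """
    reasons = []
    sender_domain = message["from"].rsplit("@", 1)[-1].lower()
    origin = "internal" if sender_domain in trusted_domains else "external"
    subject = message.get("subject", "").lower()
    if any(keyword in subject for keyword in LURE_KEYWORDS):
        reasons.append("judicial-notice theme in subject")
    for name, data in message.get("attachments", {}).items():
        if name.lower().endswith(".pdf") and is_encrypted_pdf(data):
            reasons.append(f"password-protected PDF '{name}' from {origin} sender")
    return reasons


def find_propagation_bursts(events, window=timedelta(minutes=10), threshold=20) -> dict:
    """Map sender -> peak number of distinct recipients mailed a PDF within `window`,
    for senders at or above `threshold`. A compromised mailbox pushing a lure to
    its harvested contact list shows up as exactly this burst.

    `events` are constructed (sender, recipient, timestamp, has_pdf) tuples.
    """
    per_sender = defaultdict(list)
    for sender, recipient, ts, has_pdf in events:
        if has_pdf:
            per_sender[sender].append((ts, recipient))
    flagged = {}
    for sender, sends in per_sender.items():
        sends.sort()
        start, peak = 0, 0
        for end in range(len(sends)):
            while sends[end][0] - sends[start][0] > window:  # slide the window forward
                start += 1
            peak = max(peak, len({r for _, r in sends[start:end + 1]}))
        if peak >= threshold:
            flagged[sender] = peak
    return flagged


# --- Constructed sample data -------------------------------------------------
ENCRYPTED_PDF = (
    b"%PDF-1.7\n"
    b"1 0 obj << /Type /Catalog >> endobj\n"
    b"2 0 obj << /Filter /Standard /V 2 /R 3 >> endobj\n"
    b"trailer << /Root 1 0 R /Encrypt 2 0 R >>\n%%EOF\n"
)
PLAIN_PDF = b"%PDF-1.7\n1 0 obj << /Type /Catalog >> endobj\ntrailer << /Root 1 0 R >>\n%%EOF\n"

SAMPLE_INBOUND = {
    "from": "notificaciones@example.net",
    "subject": "Citación judicial - Juzgado de lo Penal",
    "attachments": {"citacion.pdf": ENCRYPTED_PDF},
}

_T0 = datetime(2026, 3, 2, 9, 0, 0)  # constructed timestamp
SAMPLE_OUTBOUND = [
    ("victim@example.com", f"contact{i}@example.org", _T0 + timedelta(seconds=12 * i), True)
    for i in range(25)
] + [("colleague@example.com", "partner@example.org", _T0 + timedelta(minutes=3), True)]

if __name__ == "__main__":
    print(score_inbound(SAMPLE_INBOUND, {"example.com"}))
    print(find_propagation_bursts(SAMPLE_OUTBOUND))
```

The inbound score is meant to drive quarantine or a banner rather than a hard block, since some legitimate senders do encrypt PDFs; the outbound burst check is the more decisive signal, because a single account mailing twenty or more distinct recipients a PDF inside ten minutes is rarely normal behaviour and matches what Horabot does after harvesting Outlook contacts.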
Attack Vectors Beyond Email
Augmented Marauder (also tracked as Water Saci) doesn't rely solely on email phishing. The group employs multiple delivery mechanisms:
- WhatsApp automation targeting retail and consumer users
- ClickFix social engineering that tricks users into running malicious commands
- Compromised email accounts for trusted-sender phishing
The WhatsApp vector is particularly effective against individuals who might be suspicious of email attachments but trust messages from apparent contacts. We covered similar WhatsApp-based malware delivery that Microsoft flagged this week, suggesting Brazilian threat actors are sharing techniques or infrastructure.
Technical Infection Chain
The full infection sequence involves multiple stages designed to evade detection:
- Victim clicks PDF link → ZIP archive downloads automatically
- HTA payload executes, dropping VBS script
- VBS performs environment checks (including Avast antivirus detection)
- If checks pass, AutoIt-based loaders retrieve encrypted payloads
- Final stage deploys Casbaneiro ("staticdata.dll") and Horabot ("at.dll")
The Avast detection check is interesting. Rather than attempting to disable security software, the malware simply exits if specific products are detected. This reduces the chances of triggering alerts and preserves the phishing infrastructure for future attempts against less-protected targets.
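The chain above is what an endpoint detection should key on: none of the individual processes is unusual, but mshta.exe spawning a script host that in turn spawns an AutoIt loader is. The following is an added example for this article, not code from Trend Micro's report or a vendor rule. It correlates constructed process-creation records shaped like an EDR or Sysmon feed; the image names, command lines, PIDs and DLL-load records are assumptions, and only the payload DLL names staticdata.dll and at.dll come from the campaign description above.

```python
"""Correlate the PDF -> HTA -> VBS -> AutoIt chain from process telemetry.

Constructed illustration; records below are not from a real infection.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class ProcEvent:
    pid: int
    ppid: int
    image: str               # executable file name
    cmdline: str
    loaded_dlls: tuple = ()  # image-load records attributed to this process


# Stage matchers, in the order the chain is expected to unfold.
STAGE_RULES = [
    ("hta_launch", lambda e: e.image.lower() == "mshta.exe" and ".hta" in e.cmdline.lower()),
    ("vbs_drop", lambda e: e.image.lower() in ("wscript.exe", "cscript.exe")
                           and ".vbs" in e.cmdline.lower()),
    # Name-based match is only an illustration; a production rule would key on
    # file hash or PE metadata because loaders are routinely renamed.
    ("autoit_loader", lambda e: "autoit" in e.image.lower()),
]
EXPECTED_ORDER = [name for name, _ in STAGE_RULES]
# DLL names reported for the final payloads (from the article).
PAYLOAD_DLLS = {"staticdata.dll", "at.dll"}


def stage_of(event):
    """Name of the first stage rule the event matches, or None."""
    for name, matches in STAGE_RULES:
        if matches(event):
            return name
    return None


def lineage(pid, by_pid):
    """Process ancestry, oldest ancestor first; stops at unknown or cyclic PIDs."""
    chain, seen = [], set()
    while pid in by_pid and pid not in seen:
        seen.add(pid)
        chain.append(by_pid[pid])
        pid = by_pid[pid].ppid
    return chain[::-1]


def detect_chains(events, min_stages=2):
    """Report each lineage containing at least `min_stages` expected stages.

    Each chain is reported once, at its deepest staged process.
    """
    by_pid = {e.pid: e for e in events}
    staged_parents = {e.ppid for e in events if stage_of(e) is not None}
    alerts = []
    for ev in events:
        if stage_of(ev) is None or ev.pid in staged_parents:
            continue  # not a stage, or a deeper staged child will report it
        ancestors = lineage(ev.pid, by_pid)
        stages = [s for s in map(stage_of, ancestors) if s is not None]
        if len(stages) < min_stages:
            continue  # a lone script host is routine; the chain is the signal
        dlls = sorted(d.lower() for d in ev.loaded_dlls if d.lower() in PAYLOAD_DLLS)
        alerts.append({
            "pid": ev.pid,
            "lineage": [a.image for a in ancestors],
            "stages": stages,
            "payload_dlls": dlls,
            "severity": "high" if stages == EXPECTED_ORDER or dlls else "medium",
        })
    return alerts


# --- Constructed sample telemetry -------------------------------------------
SAMPLE_EVENTS = [
    ProcEvent(100, 1, "explorer.exe", "explorer.exe"),
    ProcEvent(300, 100, "mshta.exe", r"mshta.exe C:\Users\user\Downloads\lure\notice.hta"),
    ProcEvent(400, 300, "wscript.exe", r"wscript.exe C:\Users\user\AppData\Local\Temp\stage2.vbs"),
    ProcEvent(500, 400, "AutoIt3.exe", r"AutoIt3.exe C:\Users\user\AppData\Local\Temp\loader.a3x",
              ("kernel32.dll", "staticdata.dll", "at.dll")),
    # Benign: a logon script run directly from explorer, a single stage only.
    ProcEvent(600, 100, "wscript.exe", r"wscript.exe \\fileserver\netlogon\logon.vbs"),
]

if __name__ == "__main__":
    for alert in detect_chains(SAMPLE_EVENTS):
        print(alert)
```

With `min_stages=2` the mshta.exe to wscript.exe pair is reported on its own, which matters here: a run that aborts at the Avast environment check still produces that pair, so the alert fires even on hosts the malware decided not to infect, and those are exactly the hosts that can tell you a phishing wave is in progress.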
Geographic Targeting
The campaign primarily targets Spanish-speaking users in:
- Mexico
- Argentina
- Colombia
- Peru
- Spain
Enterprise targets in Europe appear to receive more sophisticated, individually crafted lures, while Latin American consumer targets receive higher-volume, more generic phishing. This tiered approach maximizes return on investment across different victim segments.
Why This Matters
Latin American banking trojans have historically stayed regional, but Augmented Marauder's expansion into European targets signals growing ambition. The group's infrastructure for dynamic document generation and automated propagation represents significant operational investment.
For organizations with Spanish-speaking employees or Latin American operations, the threat is immediate. Even employees who wouldn't fall for English-language phishing may be vulnerable to well-crafted Spanish lures that reference local judicial systems and cultural contexts.
Financial institutions on Casbaneiro's target list should ensure:
- Session monitoring can detect overlay attacks
- Transaction verification occurs through out-of-band channels
- Customer communications warn about court summons phishing
For individual users, the guidance is familiar but worth repeating: courts don't send summons via email attachments, password-protected PDFs from unknown senders are almost always malicious, and any urgency in a message demanding immediate action should trigger suspicion rather than compliance.