{"id":901,"date":"2025-03-13T16:30:10","date_gmt":"2025-03-13T16:30:10","guid":{"rendered":"https:\/\/blog.scilabs.mx\/en\/?p=901"},"modified":"2025-03-13T16:30:10","modified_gmt":"2025-03-13T16:30:10","slug":"golden-jaguar-new-threat-discovered-by-scilabs","status":"publish","type":"post","link":"https:\/\/blog.scilabs.mx\/en\/2025\/03\/13\/golden-jaguar-new-threat-discovered-by-scilabs\/","title":{"rendered":"Golden Jaguar, new threat discovered by SCILabs"},"content":{"rendered":"\n<div class=\"wp-block-image\"><figure class=\"aligncenter size-full is-resized\"><img loading=\"lazy\" decoding=\"async\" src=\"https:\/\/blog.scilabs.mx\/en2\/wp-content\/uploads\/sites\/3\/2025\/03\/GoldenJaguarLogo-4.jpg\" alt=\"\" class=\"wp-image-936\" width=\"340\" height=\"343\" \/><\/figure><\/div>\n\n\n\n<h1 class=\"wp-block-heading\"><strong>OVERVIEW<\/strong><\/h1>\n\n\n\n<p>This report aims to describe the TTPs and provide indicators of compromise related to a new banking trojan observed by SCILabs&nbsp; and named <em>Golden Jaguar<\/em>. 
Some of its characteristics include the use of legitimate executables associated with Microsoft Edge and Google Chrome, and the exposure of stolen information through <a href=\"https:\/\/www.ibm.com\/docs\/es\/aix\/7.2?topic=concepts-sockets\">socket<\/a> openings and keyboard monitoring.<\/p>\n\n\n\n<p><em>Golden Jaguar<\/em>&#8217;s main objective is stealing information from financial institutions such as Banco do Brasil and Banco Caixa (both from Brazil), among others, by monitoring the sites accessed by the victim through their web browser.<\/p>\n\n\n\n<p>SCILabs identified that this banking trojan is distributed through phishing emails, using alleged judicial matters as a pretext to impersonate the <em>Juizado Especial C\u00edvel de S\u00e3o Paulo<\/em> (S\u00e3o Paulo Small Claims Court).<\/p>\n\n\n\n<p>Based on the research conducted and the malware analysis, SCILabs determined, with a high level of confidence, that the <em>Golden Jaguar<\/em> campaigns observed are directed at Brazil.<\/p>\n\n\n\n<p>It is important to note that, at the time of writing this document, some of the artifacts identified during the investigation and used in the <em>Golden Jaguar<\/em> infection chain were not detected by some of the security solutions on the VirusTotal platform, which increases the risk of compromise for employees of different organizations, so companies must be alert to this threat.<\/p>\n\n\n\n<h1 class=\"wp-block-heading\"><strong>HOW COULD IT AFFECT AN ORGANIZATION?<\/strong><\/h1>\n\n\n\n<p><em>Golden Jaguar<\/em> can steal banking information belonging to all types of users, including organization employees. 
If an attack is successful within an organization, cybercriminals can leak or sell stolen information on underground forums on the Dark Web or the black market, putting their information&#8217;s confidentiality, integrity, and availability at risk and causing financial and reputational losses.<\/p>\n\n\n\n<p><\/p>\n\n\n\n<h1 class=\"wp-block-heading\">ANALYSIS<\/h1>\n\n\n\n<h2 class=\"wp-block-heading\">Threat context<\/h2>\n\n\n\n<p>Between the first and second week of February 2025, SCILabs identified a phishing email using alleged judicial matters as a pretext to impersonate the <em>Juizado Especial C\u00edvel de S\u00e3o Paulo, Brasil<\/em>. The email contains a hyperlink with the URL hxxps[:]\/\/127[.]175[.]153[.]160[.]host[.]secureserver[.]net\/gerar\/gera[.]php embedded in it, from which the victim obtains a file in VBS format.<\/p>\n\n\n\n<div class=\"wp-block-image\"><figure class=\"aligncenter size-large is-resized\"><img loading=\"lazy\" decoding=\"async\" src=\"https:\/\/blog.scilabs.mx\/en2\/wp-content\/uploads\/sites\/3\/2025\/03\/PishingTemplate-1024x540.jpg\" alt=\"\" class=\"wp-image-941\" width=\"910\" height=\"480\" \/><figcaption><strong>Figure 1. 
Phishing email distributing <em>Golden Jaguar <\/em>download URL<\/strong><\/figcaption><\/figure><\/div>\n\n\n\n<p>The template displayed when clicking the hyperlink contained in the email or visiting the URL shows a message in Portuguese (pt-BR) informing the user that the download is being prepared; after 5 seconds, the victim gets the first <em>Golden Jaguar<\/em> dropper, which uses the following regular expression as nomenclature, <strong>^[a-f0-9]{6}-[a-f0-9]{8}-[a-f0-9]{3}$<\/strong>, for example ce7348-9df885d0-a4a.vbs.<\/p>\n\n\n\n<div class=\"wp-block-image\"><figure class=\"aligncenter size-full is-resized\"><img loading=\"lazy\" decoding=\"async\" src=\"https:\/\/blog.scilabs.mx\/en2\/wp-content\/uploads\/sites\/3\/2025\/03\/DownloadSiteTemplate.jpg\" alt=\"\" class=\"wp-image-932\" width=\"578\" height=\"498\" \/><figcaption><strong>Figure 2. Template used on <em>Golden Jaguar<\/em> download site<\/strong><\/figcaption><\/figure><\/div>\n\n\n\n<p>It is important to mention that the malicious site restricts downloading artifacts with the same name. Otherwise, a message is displayed, indicating that the file was not found or was deleted.<\/p>\n\n\n\n<div class=\"wp-block-image\"><figure class=\"aligncenter size-large\"><img decoding=\"async\" src=\"https:\/\/blog.scilabs.mx\/en2\/wp-content\/uploads\/sites\/3\/2025\/03\/AdviceNotFoundFile-1024x215.jpg\" alt=\"\" class=\"wp-image-929\" \/><figcaption><strong>Figure 3. 
File not found or removed notice<\/strong><\/figcaption><\/figure><\/div>\n\n\n\n<h2 class=\"wp-block-heading\"><strong>Technical summary<\/strong><\/h2>\n\n\n\n<p>By analyzing the source code of the download site, SCILabs identified that it is written in Portuguese (pt-BR), and that the URL from which the first dropper is obtained is embedded within it.<\/p>\n\n\n\n<div class=\"wp-block-image\"><figure class=\"aligncenter size-large is-resized\"><img loading=\"lazy\" decoding=\"async\" src=\"https:\/\/blog.scilabs.mx\/en2\/wp-content\/uploads\/sites\/3\/2025\/03\/FragmentCodeDownloadSite-1024x145.jpg\" alt=\"\" class=\"wp-image-935\" width=\"924\" height=\"131\" \/><figcaption><strong>Figure 4. Source code fragment from the download site<\/strong><\/figcaption><\/figure><\/div>\n\n\n\n<p>The VBS file obtained by the victim is also written in Portuguese (pt-BR), with a message indicating that it is obfuscated for protection. When analyzing the code, SCILabs identified multiple segments separated into functions, each containing a series of integers separated by an asterisk, on which an XOR operation is applied with a key that, according to the investigation, can vary between 15 and 100.<\/p>\n\n\n\n<div class=\"wp-block-image\"><figure class=\"aligncenter size-full is-resized\"><img loading=\"lazy\" decoding=\"async\" src=\"https:\/\/blog.scilabs.mx\/en2\/wp-content\/uploads\/sites\/3\/2025\/03\/DropperCode.jpg\" alt=\"\" class=\"wp-image-933\" width=\"784\" height=\"414\" \/><figcaption><strong>Figure 5. 
Code snippet from the first <em>Golden Jaguar<\/em> dropper<\/strong><\/figcaption><\/figure><\/div>\n\n\n\n<p>SCILabs deobfuscated the entire code, identifying that, in addition to the valuable fragments, it also contained multiple lines of \u201cjunk\u201d code intended to distract the attention of malware analysts.<\/p>\n\n\n\n<div class=\"wp-block-image\"><figure class=\"aligncenter size-full\"><img loading=\"lazy\" decoding=\"async\" width=\"995\" height=\"317\" src=\"https:\/\/blog.scilabs.mx\/en2\/wp-content\/uploads\/sites\/3\/2025\/03\/TrashCode.jpg\" alt=\"\" class=\"wp-image-943\" \/><figcaption><strong>Figure 6. Code snippet without functionality from the first dropper<\/strong><\/figcaption><\/figure><\/div>\n\n\n\n<div class=\"wp-block-image\"><figure class=\"aligncenter size-full is-resized\"><img loading=\"lazy\" decoding=\"async\" src=\"https:\/\/blog.scilabs.mx\/en2\/wp-content\/uploads\/sites\/3\/2025\/03\/UsefulCode.jpg\" alt=\"\" class=\"wp-image-944\" width=\"854\" height=\"407\" \/><figcaption><strong>Figure 7. Useful code snippet from the first dropper<\/strong><\/figcaption><\/figure><\/div>\n\n\n\n<p>After separating the functional code from the non-essential code, SCILabs observed a reduction in size of at least 90% relative to the original, identifying the following functionalities:<\/p>\n\n\n\n<ul class=\"wp-block-list\"><li>Downloading the second dropper: Using the <a href=\"https:\/\/curl.se\/\">curl<\/a> command, the second <em>Golden Jaguar<\/em> dropper is downloaded. 
According to the tests carried out by SCILabs, it has the names Instalador.msi, Installer.msi, or Windows.msi, to make the user believe it is a legitimate artifact.<\/li><\/ul>\n\n\n\n<ul class=\"wp-block-list\"><li>Executing the second dropper: Once the second dropper is downloaded, it is renamed to a name formed by groups of digits matching the regular expression <strong>^\\d{4}-\\d{3}-\\d{4}$<\/strong>, for example, 4821-256-7452.msi; then, using PowerShell commands, the MSI artifact is executed.<\/li><\/ul>\n\n\n\n<ul class=\"wp-block-list\"><li>It is crucial to mention that the MSI artifact contains an embedded PowerShell script, the malicious <em>Golden Jaguar<\/em> DLL, and several legitimate artifacts, which will be described later in this report.<\/li><\/ul>\n\n\n\n<ul class=\"wp-block-list\"><li>Artifact removal: After completing this stage, the malware deletes the temporary files and MSI files created during the first phase.<\/li><\/ul>\n\n\n\n<p>After inspecting the second dropper, SCILabs identified 45 compressed artifacts without extensions, which will be described below. The artifacts are the malicious banking trojan DLL, a malicious PowerShell script, and several legitimate executables.<\/p>\n\n\n\n<div class=\"wp-block-image\"><figure class=\"aligncenter size-large\"><img decoding=\"async\" src=\"https:\/\/blog.scilabs.mx\/en2\/wp-content\/uploads\/sites\/3\/2025\/03\/CompresedFiles-1024x316.jpg\" alt=\"\" class=\"wp-image-931\" \/><figcaption><strong>Figure 8. Example of the compressed files in the second dropper<\/strong><\/figcaption><\/figure><\/div>\n\n\n\n<p>After the second dropper was executed, SCILabs observed the following capabilities and characteristics:<\/p>\n\n\n\n<ul class=\"wp-block-list\"><li>Directory creation: The malware creates an installation directory inside <em>%PROGRAMDATA%<\/em> with a name that attempts to impersonate a legitimate folder, likely aiming to gain the user\u2019s trust. 
During the tests conducted by SCILabs, the following names were found: <em>C:\\ProgramData\\WindowsDefender_-8464<\/em> and <em>C:\\ProgramData\\Mozilla-4640<\/em>.<\/li><\/ul>\n\n\n\n<ul class=\"wp-block-list\"><li>File decompression and installation: <em>Golden Jaguar<\/em> decompresses the artifacts contained within the MSI dropper into the previously created directory, showing the following result:<\/li><\/ul>\n\n\n\n<div class=\"wp-block-image\"><figure class=\"aligncenter size-large is-resized\"><img loading=\"lazy\" decoding=\"async\" src=\"https:\/\/blog.scilabs.mx\/en2\/wp-content\/uploads\/sites\/3\/2025\/03\/MaliciousFiles-1024x539.jpg\" alt=\"\" class=\"wp-image-939\" width=\"863\" height=\"454\" \/><figcaption><strong>Figure 9. Files located in the installation directory<\/strong><\/figcaption><\/figure><\/div>\n\n\n\n<ul class=\"wp-block-list\"><li>The legitimate <a href=\"https:\/\/www.thunderbird.net\/es-ES\/\">Thunderbird<\/a> executable, digitally signed by Mozilla, which is vulnerable to <a href=\"https:\/\/www.emsisoft.com\/en\/blog\/43943\/what-is-dll-side-loading\/\">DLL Side-Loading<\/a>.<\/li><\/ul>\n\n\n\n<div class=\"wp-block-image\"><figure class=\"aligncenter size-full is-resized\"><img loading=\"lazy\" decoding=\"async\" src=\"https:\/\/blog.scilabs.mx\/en2\/wp-content\/uploads\/sites\/3\/2025\/03\/igitalSignTunderbird.jpg\" alt=\"\" class=\"wp-image-937\" width=\"591\" height=\"394\" \/><figcaption><strong>Figure 10. 
Digital signatures of the legitimate artifact<\/strong><\/figcaption><\/figure><\/div>\n\n\n\n<ul class=\"wp-block-list\"><li>Legitimate Thunderbird DLLs, which are used during the normal execution of Thunderbird.<\/li><\/ul>\n\n\n\n<ul class=\"wp-block-list\"><li>Malicious DLL of <em>Golden Jaguar<\/em> named <strong>xull.dll<\/strong> and compiled in <a href=\"https:\/\/www.embarcadero.com\/es\/products\/delphi\">Delphi<\/a>.<\/li><\/ul>\n\n\n\n<div class=\"wp-block-image\"><figure class=\"aligncenter size-large is-resized\"><img loading=\"lazy\" decoding=\"async\" src=\"https:\/\/blog.scilabs.mx\/en2\/wp-content\/uploads\/sites\/3\/2025\/03\/MaliciousDll-1024x477.jpg\" alt=\"\" class=\"wp-image-938\" width=\"846\" height=\"394\" \/><figcaption><strong>Figure 11. Properties of the malicious DLL<\/strong><\/figcaption><\/figure><\/div>\n\n\n\n<p>SCILabs identified the use of several APIs commonly used in malware development; among the most relevant are:<\/p>\n\n\n\n<ul class=\"wp-block-list\"><li><strong><a href=\"https:\/\/learn.microsoft.com\/en-us\/windows\/win32\/api\/winuser\/nf-winuser-monitorfromwindow\">MonitorFromWindow<\/a><\/strong>: Returns the handle of the monitor that is associated with a specific window.<ul><li>Possible malicious use: Identify whether the active window is in a virtualized environment to evade analysis.<\/li><\/ul><\/li><\/ul>\n\n\n\n<ul class=\"wp-block-list\"><li><strong><a href=\"https:\/\/learn.microsoft.com\/es-es\/windows\/win32\/api\/winuser\/nf-winuser-enumwindows\">EnumWindows<\/a><\/strong>: Lists all top-level windows on the system.<ul><li>Possible malicious use: Look for open antivirus windows or sandboxes to terminate or bypass them.<\/li><\/ul><\/li><\/ul>\n\n\n\n<ul class=\"wp-block-list\"><li><strong><a href=\"https:\/\/learn.microsoft.com\/en-us\/windows\/win32\/api\/winuser\/nf-winuser-getmonitorinfow\">GetMonitorInfoW<\/a><\/strong>: Gets information about a specific monitor, such as dimensions and flags.<ul><li>Possible malicious use: Detect 
debugging environments or small monitors typical of virtual machines.<\/li><\/ul><\/li><\/ul>\n\n\n\n<ul class=\"wp-block-list\"><li><strong><a href=\"https:\/\/learn.microsoft.com\/en-us\/windows\/win32\/api\/winuser\/nf-winuser-enumdisplaymonitors\">EnumDisplayMonitors<\/a><\/strong>: Lists all monitors connected to the system.<ul><li>Possible malicious use: Identify if the system has a single monitor (indicative of a VM) and modify malware behavior.<\/li><\/ul><\/li><\/ul>\n\n\n\n<ul class=\"wp-block-list\"><li><strong><a href=\"https:\/\/learn.microsoft.com\/es-es\/windows\/win32\/api\/winuser\/nf-winuser-getdesktopwindow\">GetDesktopWindow<\/a><\/strong>: Gets a handle to the desktop window.<ul><li>Possible malicious use: Capture the user&#8217;s screen without their knowledge using screen scraping techniques.<\/li><\/ul><\/li><\/ul>\n\n\n\n<div class=\"wp-block-image\"><figure class=\"aligncenter size-large is-resized\"><img loading=\"lazy\" decoding=\"async\" src=\"https:\/\/blog.scilabs.mx\/en2\/wp-content\/uploads\/sites\/3\/2025\/03\/Apis-1024x370.jpg\" alt=\"\" class=\"wp-image-930\" width=\"798\" height=\"288\" \/><figcaption><strong>Figure 12. 
Example of APIs used by <em>Golden Jaguar<\/em><\/strong><\/figcaption><\/figure><\/div>\n\n\n\n<ul class=\"wp-block-list\"><li>Malicious PowerShell script called <strong>run_hidden.ps1<\/strong>, which is written in Portuguese (pt-BR) and has the following capabilities:<\/li><\/ul>\n\n\n\n<ul class=\"wp-block-list\"><li>Extracting additional settings from a file with an .INI extension.<\/li><\/ul>\n\n\n\n<ul class=\"wp-block-list\"><li>Execution in stealth mode (to avoid being noticed by the user) of the vulnerable legitimate file.<\/li><\/ul>\n\n\n\n<div class=\"wp-block-image\"><figure class=\"aligncenter size-large is-resized\"><img loading=\"lazy\" decoding=\"async\" src=\"https:\/\/blog.scilabs.mx\/en2\/wp-content\/uploads\/sites\/3\/2025\/03\/PowerShellCode-1024x505.jpg\" alt=\"\" class=\"wp-image-942\" width=\"852\" height=\"420\" \/><figcaption><strong>Figure 13. Malicious PowerShell code snippet<\/strong><\/figcaption><\/figure><\/div>\n\n\n\n<ul class=\"wp-block-list\"><li>Computer log: <em>Golden Jaguar<\/em> obtains data from the victim&#8217;s computer, such as the operating system version, antivirus version, processor data, location, and IP address. This information is sent to the command-and-control server and recorded in an infection counter.<\/li><\/ul>\n\n\n\n<div class=\"wp-block-image\"><figure class=\"aligncenter size-full\"><img loading=\"lazy\" decoding=\"async\" width=\"615\" height=\"95\" src=\"https:\/\/blog.scilabs.mx\/en2\/wp-content\/uploads\/sites\/3\/2025\/03\/Query.jpg\" alt=\"\" class=\"wp-image-946\" \/><figcaption><strong>Figure 14. 
Fragment of the data obtained by <em>Golden Jaguar<\/em><\/strong><\/figcaption><\/figure><\/div>\n\n\n\n<ul class=\"wp-block-list\"><li>Persistence generation: The malware generates persistence using Windows registry keys, specifically in <em>HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Run<\/em>, through a PowerShell command intended to stealthily execute the legitimate <strong>Thunderbird-477.exe<\/strong> artifact.<\/li><\/ul>\n\n\n\n<div class=\"wp-block-image\"><figure class=\"aligncenter size-full\"><img loading=\"lazy\" decoding=\"async\" width=\"413\" height=\"225\" src=\"https:\/\/blog.scilabs.mx\/en2\/wp-content\/uploads\/sites\/3\/2025\/03\/PowerShellCommand.jpg\" alt=\"\" class=\"wp-image-945\" \/><figcaption><strong>Figure 15. Appearance of persistence generated by <em>Golden Jaguar<\/em><\/strong><\/figcaption><\/figure><\/div>\n\n\n\n<ul class=\"wp-block-list\"><li>Malicious DLL injection: Finally, the malware injects the malicious DLL into legitimate processes using the DLL Side-Loading technique. At this stage, SCILabs observed two different behaviors (in different infection tests), described below.<\/li><\/ul>\n\n\n\n<ul class=\"wp-block-list\"><li>Injection into the legitimate Edge executable: The malicious DLL is injected into the legitimate msedge.exe process belonging to Microsoft Edge.<\/li><\/ul>\n\n\n\n<ul class=\"wp-block-list\"><li>Injection into the legitimate Google Chrome executable: During the execution of the second dropper, an additional legitimate file named GoogleUpdate.exe is downloaded, into which the malicious DLL is injected.<\/li><\/ul>\n\n\n\n<div class=\"wp-block-image\"><figure class=\"aligncenter size-full\"><img loading=\"lazy\" decoding=\"async\" width=\"601\" height=\"91\" src=\"https:\/\/blog.scilabs.mx\/en2\/wp-content\/uploads\/sites\/3\/2025\/03\/Injection.jpg\" alt=\"\" class=\"wp-image-947\" \/><figcaption><strong>Figure 16. 
Example of the processes into which <em>Golden Jaguar<\/em> injects the malicious DLL<\/strong><\/figcaption><\/figure><\/div>\n\n\n\n<ul class=\"wp-block-list\"><li>Malicious activity: <em>Golden Jaguar<\/em> waits for the user to visit a banking site of interest, then opens a socket, monitors the victim&#8217;s keyboard activity, and begins stealing sensitive information, such as username, password, and other confidential data. Finally, it transmits the stolen information to the attackers&#8217; command-and-control server.<\/li><\/ul>\n\n\n\n<div class=\"wp-block-image\"><figure class=\"aligncenter size-full\"><img loading=\"lazy\" decoding=\"async\" width=\"699\" height=\"72\" src=\"https:\/\/blog.scilabs.mx\/en2\/wp-content\/uploads\/sites\/3\/2025\/03\/InformationSteal.jpg\" alt=\"\" class=\"wp-image-949\" \/><figcaption><strong>Figure 17. Example of the infection record of one of the users who visited the \u201cBanco Entre Rios\u201d website<\/strong><\/figcaption><\/figure><\/div>\n\n\n\n<p>Within the <em>Golden Jaguar<\/em> process chains, a list of more than 200 banks was identified, serving as a dictionary of banks of interest to the banking trojan.<\/p>\n\n\n\n<div class=\"wp-block-image\"><figure class=\"aligncenter size-full\"><img loading=\"lazy\" decoding=\"async\" width=\"364\" height=\"177\" src=\"https:\/\/blog.scilabs.mx\/en2\/wp-content\/uploads\/sites\/3\/2025\/03\/Banks.jpg\" alt=\"\" class=\"wp-image-948\" \/><figcaption><strong>Figure 18. Example of a dictionary used by <em>Golden Jaguar<\/em><\/strong><\/figcaption><\/figure><\/div>\n\n\n\n<p>The list recovered by SCILabs identified different banks around the world, including at least 21 institutions from Latin America. 
Therefore, it is highly likely that <em>Golden Jaguar<\/em> will soon expand to other Latin American countries and potentially on a global scale.<\/p>\n\n\n\n<figure class=\"wp-block-table\"><table><tbody><tr><td><strong>Bank<\/strong><\/td><td><strong>Country<\/strong><\/td><td><strong>Bank<\/strong><\/td><td><strong>Country<\/strong><\/td><\/tr><tr><td>Bancatlan<\/td><td>Honduras<\/td><td>Utilcash<\/td><td>Belize<\/td><\/tr><tr><td>Tigo money<\/td><td>Honduras<\/td><td>Banco Galicia<\/td><td>Argentina<\/td><\/tr><tr><td>BBVA<\/td><td>Mexico<\/td><td>Banco Provincia<\/td><td>Argentina<\/td><\/tr><tr><td>Mercado Pago<\/td><td>Mexico<\/td><td>Banco Chile<\/td><td>Chile<\/td><\/tr><tr><td>BBVA<\/td><td>Peru<\/td><td>Banco Continental<\/td><td>Paraguay<\/td><\/tr><tr><td>Banco Ripley<\/td><td>Peru<\/td><td>Practipago<\/td><td>Paraguay<\/td><\/tr><tr><td>Banco Promerica<\/td><td>Guatemala<\/td><td>Scotiabank<\/td><td>Uruguay<\/td><\/tr><tr><td>Bantrab<\/td><td>Guatemala<\/td><td>Bicentenariobu<\/td><td>Venezuela<\/td><\/tr><tr><td>Caixa<\/td><td>Brazil<\/td><td>Banco do Brasil<\/td><td>Brazil<\/td><\/tr><\/tbody><\/table><figcaption><strong>Table 1. Some of the targeted banks in LATAM<\/strong><\/figcaption><\/figure>\n\n\n\n<p>Additionally, it is important to mention that <em>Golden Jaguar<\/em> can also query the victim\u2019s browsing history for data that may be related to the targeted banks.<\/p>\n\n\n\n<div class=\"wp-block-image\"><figure class=\"aligncenter size-full\"><img loading=\"lazy\" decoding=\"async\" width=\"669\" height=\"19\" src=\"https:\/\/blog.scilabs.mx\/en2\/wp-content\/uploads\/sites\/3\/2025\/03\/Steal.jpg\" alt=\"\" class=\"wp-image-950\" \/><figcaption><strong>Figure 19. 
Example of queries to the victim&#8217;s browsing history<\/strong><\/figcaption><\/figure><\/div>\n\n\n\n<h2 class=\"wp-block-heading\"><strong>Target country attribution and probable origin<\/strong><\/h2>\n\n\n\n<ul class=\"wp-block-list\"><li><strong>Provenance: <\/strong>After analyzing the evidence obtained from the investigation, the malware analysis, and the <em>Golden Jaguar<\/em> infrastructure, and observing overlaps in the language the code is written in, the malware download servers, the command-and-control servers, and the malware creation sites, SCILabs determined with medium confidence that the operators of <em>Golden Jaguar<\/em> are of Brazilian origin.<\/li><\/ul>\n\n\n\n<ul class=\"wp-block-list\"><li><strong>Objective: <\/strong>After researching and analyzing the malware and the <em>Golden Jaguar<\/em> infrastructure, SCILabs identified the following evidence, concluding with high confidence that this <em>Golden Jaguar<\/em> campaign is entirely targeted at Brazil.<ul><li>Phishing email written in Portuguese (pt-BR).<\/li><li>The institution impersonated in the email is from Brazil (S\u00e3o Paulo).<\/li><\/ul><\/li><\/ul>\n\n\n\n<h2 class=\"wp-block-heading\">Attack Flow Summary<\/h2>\n\n\n\n<ul class=\"wp-block-list\"><li>The user receives a phishing email that uses alleged judicial matters related to the special court of S\u00e3o Paulo as a pretext.<\/li><\/ul>\n\n\n\n<ul class=\"wp-block-list\"><li>The email contains a hyperlink. 
If the user opens it, they are redirected to an automatic download site from where they obtain a VBS file.<\/li><\/ul>\n\n\n\n<ul class=\"wp-block-list\"><li>If the victim executes the first dropper in VBS format, the malware downloads and executes a second MSI artifact that performs the following tasks:<\/li><\/ul>\n\n\n\n<ul class=\"wp-block-list\"><li>Creating directories<\/li><li>Unzipping files<\/li><li>Executing a legitimate Thunderbird artifact vulnerable to DLL Side-Loading<\/li><li>Registering the infected computer in an infection counter<\/li><li>Generating persistence<\/li><li>Injecting the malicious <em>Golden Jaguar<\/em> DLL into legitimate Microsoft Edge or Google Chrome processes.<\/li><\/ul>\n\n\n\n<ul class=\"wp-block-list\"><li><em>Golden Jaguar<\/em> begins inspecting the victim&#8217;s browser. When the user enters a site of interest to the banking Trojan, it opens a socket to start monitoring keyboard activity and begin stealing banking information.<\/li><\/ul>\n\n\n\n<ul class=\"wp-block-list\"><li>Finally, the data is sent to the attackers&#8217; command-and-control server.<\/li><\/ul>\n\n\n\n<p><\/p>\n\n\n\n<h1 class=\"wp-block-heading\">ATTACK FLOW CHART<\/h1>\n\n\n\n<div class=\"wp-block-image\"><figure class=\"aligncenter size-large is-resized\"><img loading=\"lazy\" decoding=\"async\" src=\"https:\/\/blog.scilabs.mx\/en2\/wp-content\/uploads\/sites\/3\/2025\/03\/FlowDiagram-1-1024x796.jpg\" alt=\"\" class=\"wp-image-952\" width=\"780\" height=\"606\" \/><figcaption><strong>Figure 20. 
Attack flow chart of <em>Golden Jaguar<\/em><\/strong><\/figcaption><\/figure><\/div>\n\n\n\n<h1 class=\"wp-block-heading\">OBSERVED TTPs ALIGNED TO THE MITRE ATT&amp;CK\u00ae FRAMEWORK<\/h1>\n\n\n\n<div class=\"wp-block-image\"><figure class=\"aligncenter size-full\"><img loading=\"lazy\" decoding=\"async\" width=\"884\" height=\"718\" src=\"https:\/\/blog.scilabs.mx\/en2\/wp-content\/uploads\/sites\/3\/2025\/03\/MITRE.jpg\" alt=\"\" class=\"wp-image-940\" \/><figcaption><strong>Table 2. Observed TTPs aligned to the MITRE ATT&amp;CK\u00ae framework<\/strong><\/figcaption><\/figure><\/div>\n\n\n\n<h1 class=\"wp-block-heading\">ASSESSMENT<\/h1>\n\n\n\n<p>SCILabs considers <em>Golden Jaguar<\/em> a significant threat in the region due to its defense evasion techniques and malware generation mechanisms. Its artifacts, and the legitimate processes it abuses, are also difficult for victims to detect, since some of them have a low detection rate.<\/p>\n\n\n\n<p>Based on the evidence collected during this investigation, SCILabs determined with high confidence that this threat is primarily targeting Brazil. 
However, it is highly likely that it will soon expand its activity to other Latin American countries such as Mexico, Peru, Colombia, Guatemala, Argentina, and Venezuela, among others.<\/p>\n\n\n\n<p>Based on the analyzed artifacts and infrastructure, SCILabs believes that <em>Golden Jaguar<\/em> will continue to be present in Latin America during the following months, using a similar attack flow in its campaigns but making small modifications to its infrastructure and TTPs, for example, using a larger number of files during its infection chain, different XOR keys in its obfuscation, and variants of the legitimate executables (vulnerable to DLL Side-Loading) into which it is injected.<\/p>\n\n\n\n<p>SCILabs considers it essential that institutions and companies monitor updates to TTPs and Indicators of Compromise to reduce the risk of infection and mitigate the impact of the theft of banking information on their operations. We recommend considering the following measures:<\/p>\n\n\n\n<ul class=\"wp-block-list\"><li>Block the indicators of compromise present in this document.<\/li><\/ul>\n\n\n\n<ul class=\"wp-block-list\"><li>Conduct awareness campaigns on the various social engineering techniques used to distribute malicious artifacts.<\/li><\/ul>\n\n\n\n<ul class=\"wp-block-list\"><li>Conduct threat hunting tasks looking for suspicious directories whose names look legitimate but end in a dash (-) or an underscore (_) followed by four pseudo-random digits, for example, WindowsDefender_-8464, especially in the <em>%PROGRAMDATA%<\/em> directory, as well as files whose names match regular expressions such as ^\\d{4}-\\d{3}-\\d{4}$.<\/li><\/ul>\n\n\n\n<ul class=\"wp-block-list\"><li>Identify suspicious registry keys within: <em>HKLM\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run<\/em><\/li><\/ul>\n\n\n\n<ul class=\"wp-block-list\"><li>Identify applications that run at system startup on your 
organization&#8217;s endpoints, primarily suspicious PowerShell executions.<\/li><\/ul>\n\n\n\n<ul class=\"wp-block-list\"><li>Assess the impact of restricting Thunderbird usage in your organization and, if possible, blocking it.<\/li><\/ul>\n\n\n\n<ul class=\"wp-block-list\"><li>Be aware of suspicious PowerShell executions, primarily if they execute processes with names like Thunderbird-477.exe.<\/li><\/ul>\n\n\n\n<h1 class=\"wp-block-heading\">INDICATORS OF COMPROMISE<\/h1>\n\n\n\n<p><strong>Hashes SHA256<\/strong><\/p>\n\n\n\n<p><strong>URLs<\/strong><br>It is recommended to block the entire URL to avoid future false positives or operation 
failures.<\/p>\n","protected":false},"excerpt":{"rendered":"<p>OVERVIEW This report aims to describe the TTPs and provide indicators of compromise related to a new banking trojan 
observed<\/p>\n","protected":false},"author":3,"featured_media":0,"comment_status":"closed","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[2,4],"tags":[9,14,15,18],"class_list":["post-901","post","type-post","status-publish","format-standard","hentry","category-campaign","category-malware","tag-banking-trojan","tag-latam","tag-malware","tag-trojan"],"_links":{"self":[{"href":"https:\/\/blog.scilabs.mx\/en\/wp-json\/wp\/v2\/posts\/901","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/blog.scilabs.mx\/en\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/blog.scilabs.mx\/en\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/blog.scilabs.mx\/en\/wp-json\/wp\/v2\/users\/3"}],"replies":[{"embeddable":true,"href":"https:\/\/blog.scilabs.mx\/en\/wp-json\/wp\/v2\/comments?post=901"}],"version-history":[{"count":0,"href":"https:\/\/blog.scilabs.mx\/en\/wp-json\/wp\/v2\/posts\/901\/revisions"}],"wp:attachment":[{"href":"https:\/\/blog.scilabs.mx\/en\/wp-json\/wp\/v2\/media?parent=901"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/blog.scilabs.mx\/en\/wp-json\/wp\/v2\/categories?post=901"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/blog.scilabs.mx\/en\/wp-json\/wp\/v2\/tags?post=901"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}