The São Paulo State Civil Police arrested a person suspected of being one of the creators of the GoatRAT malware on Tuesday morning (14). The malicious program, also known as the ‘Pix virus’, was hosted on a cybercrime website known as CriminalFUN.

Two search and seizure warrants were issued in the municipality of Três Corações, Minas Gerais (MG). The request was made by the 4th DCCIBER/DEIC during the second phase of Operation DEV DOWN.

According to authorities, the operation focuses on taking down a crime center that operates a website selling bank fraud services.

‘Pix virus’ offered as FaaS on CriminalFUN

In February, São Paulo Civil Police captured Eric da Silva Santos, who operated the aforementioned website known as CriminalFUN. Santos was also known online by the pseudonym “SickoDevz”. Today (14), another suspected operator, Ivan Wallace Pereira, was interviewed and charged with device hacking.

Investigations are expected to continue. In addition to the indictment, a monitor, a computer and two mobile phones were also seized.

It is interesting to note that the GoatRAT malware is distributed in a different way than usual: this includes sales via WhatsApp and Telegram. ‘Pix virus’ was offered as FaaS (Fraud as a Service) on CriminalFUN.

What is GoatRAT?

GoatRAT is malware that includes a keylogger and a CSV script with "laranja" (money mule) PIX accounts used to funnel out the collected money after infecting and robbing victims.

GoatRAT malware, known to act as a malicious remote access tool, was recently enhanced to act as an Automated Transfer System (ATS). This means that the virus can perform unauthorized financial transfers on infected devices.

In this way, GoatRAT joins the family of malware that, among other things, is capable of stealing PIX transfers from mobile phones with Brazilian accounts. Such software includes BrasDEX.

ATS is an application, a framework that facilitates the automation of transfer processes on a device.

Here is how the malware works: First, the malware starts a service called “Server”. It communicates with the command-and-control (C&C) server to obtain the PIX key used in the scheme. Shortly thereafter, the virus requests the Accessibility service and overlay permissions; in this case, the overlay targets Nubank, Banco Inter or PagBank.

A malicious overlay is when malware displays a fake page or message on top of a legitimate application to steal credentials or perform other fraudulent actions.

The ATS is then performed through a series of four steps. Once the identification, the banking overlay and the accessibility permissions handled by the system are granted, the cybercriminal gains the ability to enter in the legitimate application the amount of money he wants to transfer via PIX, and does all this without alerting the victim.

It is important to note that GoatRAT is harmful malware: here in Brazil, it may lead to the emergence of a new generation of banking trojans that bypass security techniques such as two-factor authentication (2FA). The malware has no need to steal codes received via SMS or a third-party app (e.g. Microsoft Authenticator) to access accounts and perform fraudulent transactions. In other words, it is like the first grass.

How do you protect yourself?

Does this mean you should abandon the second authentication factor and all is lost? Definitely not.

In the case of GoatRAT, you need to take other steps in addition to it:

  • Install apps only via the Google Play Store; avoid installing unofficial APKs
  • Keep an antivirus program active on the device
  • Always use biometric features to unlock the device
  • Avoid clicking on offer links, can’t-miss promotions or alarming information in your email and SMS
  • Check that Google Play Protect is enabled on the device
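
The permission pair described above (Accessibility service plus overlay), together with the advice to avoid unofficial APKs, gives a simple device triage check. The sketch below is an added example, not code from the original article or from any analysis of GoatRAT; the package names and sample data are constructed, and legitimate apps such as screen readers can also hold this pair, so the result is a review list rather than a verdict.

```python
# Added example: triage for the Accessibility + overlay permission pair.
# All sample data below is constructed; package names are hypothetical.

TRUSTED_INSTALLERS = {"com.android.vending"}  # Google Play Store

# Shape of: adb shell settings get secure enabled_accessibility_services
SAMPLE_A11Y = ("com.example.reader/com.example.reader.TalkService:"
               "com.example.update/com.example.update.Server")

# Shape of: adb shell appops query-op SYSTEM_ALERT_WINDOW allow
SAMPLE_OVERLAY = "com.example.chatheads\ncom.example.update\n"

# Shape of: adb shell pm list packages -i
SAMPLE_INSTALLERS = """\
package:com.example.reader  installer=com.android.vending
package:com.example.chatheads  installer=com.android.vending
package:com.example.update  installer=null
"""


def parse_accessibility(raw):
    """Return packages that own an enabled accessibility service."""
    raw = raw.strip()
    if not raw or raw == "null":
        return set()
    return {comp.split("/", 1)[0] for comp in raw.split(":") if comp}


def parse_installers(raw):
    """Map package name -> installer package (None when sideloaded/unknown)."""
    result = {}
    for line in raw.splitlines():
        if not line.startswith("package:"):
            continue
        pkg, _, rest = line[len("package:"):].partition("installer=")
        installer = rest.strip()
        result[pkg.strip()] = None if installer in ("", "null") else installer
    return result


def flag_suspects(a11y_raw, overlay_raw, installers_raw):
    """Packages holding both permissions that did not come from a trusted store."""
    both = parse_accessibility(a11y_raw) & set(overlay_raw.split())
    installers = parse_installers(installers_raw)
    return sorted(p for p in both if installers.get(p) not in TRUSTED_INSTALLERS)


if __name__ == "__main__":
    print("review:", flag_suspects(SAMPLE_A11Y, SAMPLE_OVERLAY, SAMPLE_INSTALLERS))
```
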

Source: Tec Mundo

I am a passionate and hardworking journalist with an eye for detail. I specialize in the field of news reporting, and have been writing for Gadget Onus, a renowned online news site, since 2019. As the author of their Hot News section, I’m proud to be at the forefront of today’s headlines and current affairs.
