A sophisticated malware campaign targeting Latin American users has emerged as a significant threat to the region’s banking sector, with cybercriminals deploying the DCRat banking trojan through elaborate phishing schemes designed to steal financial credentials.
The malicious operations, which have intensified throughout 2024 and into 2025, represent a growing concern for cybersecurity professionals across Colombia and neighboring countries as threat actors exploit trusted institutional communications to deliver their payloads.
DCRat, a Malware-as-a-Service offering that has been circulating since at least 2018, has gained considerable traction in underground cybercrime forums where it is advertised for approximately seven dollars for a two-month subscription.
The malware’s accessibility and comprehensive feature set have made it an attractive option for financially motivated threat actors seeking to establish persistent access to victim systems and harvest sensitive banking information from unsuspecting users across the region.
IBM analysts recently identified that the threat group Hive0131, believed to originate from South America, has been orchestrating these campaigns with particular focus on Colombian users through highly convincing email impersonation techniques.
The group has demonstrated remarkable sophistication in their social engineering approaches, crafting messages that appear to originate from legitimate Colombian judicial institutions, specifically mimicking correspondence from The Judiciary of Colombia and the Civil Circuit of Bogota to create compelling lures for potential victims.
The current campaign represents a notable evolution in the threat landscape, as attackers have refined their delivery mechanisms to incorporate multiple infection vectors that bypass traditional security measures.
Unlike previous campaigns observed in 2024 that relied heavily on password-protected RAR archives containing NSIS installers, the current operations utilize a more sophisticated approach involving obfuscated JavaScript files and specialized loaders designed to evade detection by security software and analysis environments.
The technical sophistication of these attacks centers around a custom malware loader dubbed VMDetectLoader, which serves as the primary delivery mechanism for the DCRat payload.
IBM researchers discovered that this loader, identified by the hash 0df13fd42fb4a4374981474ea87895a3830eddcc7f3bd494e76acd604c4004f7, is based on an open-source project designed specifically for virtual machine detection and evasion.
The loader employs multiple sophisticated techniques to determine whether it is operating within a sandbox or analysis environment before proceeding with payload deployment.
VMDetectLoader demonstrates remarkable technical complexity through its multi-stage execution process, which begins with environment fingerprinting and proceeds through careful payload retrieval and injection.
The malware queries system information including motherboard details, searching for indicators of virtualization technologies such as VMware, QEMU, VirtualBox, and Microsoft Hyper-V before determining whether to proceed with the infection chain.
When the loader determines it is not running in a virtualized or analysis environment, it proceeds with a process hollowing injection technique: it creates a suspended MSBuild.exe process and replaces its memory contents with the DCRat payload using a sequence of Windows API calls including CreateProcess(), ZwUnmapViewOfSection(), VirtualAllocEx(), and WriteProcessMemory().
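The API-call sequence described above is a useful detection anchor. The following is an added example (not code from the original report or from IBM) that scans a constructed API-monitor trace for a suspended CreateProcess followed by the unmap/allocate/write sequence against that child; the trace format, the `target_pid` field and the sample process IDs are assumptions made for the example.

```python
"""Flag the process-hollowing pattern (suspended child + ZwUnmapViewOfSection,
VirtualAllocEx, WriteProcessMemory against it) in an API-call trace.

The record layout below is an assumption: each call is a dict with the calling
"pid", the "api" name, its "args", and for cross-process calls a "target_pid"
already resolved from the handle by the monitoring tool. Traces are constructed."""

CREATE_SUSPENDED = 0x00000004  # documented CreateProcess dwCreationFlags bit
HOLLOW_SEQUENCE = ["ZwUnmapViewOfSection", "VirtualAllocEx", "WriteProcessMemory"]
MSBUILD = r"C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"

# Constructed trace: a loader spawns MSBuild.exe suspended and overwrites its image.
SAMPLE_TRACE = [
    {"pid": 4120, "api": "CreateProcessW",
     "args": {"lpApplicationName": MSBUILD, "dwCreationFlags": CREATE_SUSPENDED},
     "ret": {"dwProcessId": 5012}},
    {"pid": 4120, "api": "ZwUnmapViewOfSection", "target_pid": 5012, "args": {}},
    {"pid": 4120, "api": "VirtualAllocEx", "target_pid": 5012, "args": {"flProtect": 0x40}},
    {"pid": 4120, "api": "WriteProcessMemory", "target_pid": 5012, "args": {}},
    {"pid": 4120, "api": "ResumeThread", "target_pid": 5012, "args": {}},
]

# Constructed benign trace: a debugger-style suspended launch that is simply resumed.
BENIGN_TRACE = [
    {"pid": 7300, "api": "CreateProcessW",
     "args": {"lpApplicationName": r"C:\Windows\notepad.exe",
              "dwCreationFlags": CREATE_SUSPENDED}, "ret": {"dwProcessId": 6100}},
    {"pid": 7300, "api": "ResumeThread", "target_pid": 6100, "args": {}},
]


def find_hollowing(trace):
    """Return (loader_pid, target_pid, image) for every suspended child that
    later receives the full HOLLOW_SEQUENCE, in order, from any process."""
    suspended = {}  # target_pid -> (loader_pid, image path)
    progress = {}   # target_pid -> how many steps of HOLLOW_SEQUENCE seen so far
    hits = []
    for call in trace:
        api = call["api"]
        if api in ("CreateProcessA", "CreateProcessW"):
            if call["args"].get("dwCreationFlags", 0) & CREATE_SUSPENDED:
                child = call["ret"]["dwProcessId"]
                suspended[child] = (call["pid"], call["args"].get("lpApplicationName", ""))
                progress[child] = 0
            continue
        target = call.get("target_pid")
        if target not in suspended or progress[target] >= len(HOLLOW_SEQUENCE):
            continue
        if api == HOLLOW_SEQUENCE[progress[target]]:  # next expected step only
            progress[target] += 1
            if progress[target] == len(HOLLOW_SEQUENCE):
                loader, image = suspended[target]
                hits.append((loader, target, image))
    return hits
```

A suspended launch on its own is normal (debuggers and installers do it); the alert is the unmap/allocate/write sequence that follows, and a hit whose image is a signed Microsoft binary such as MSBuild.exe deserves the highest priority.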