Matrix Banker Malware
This content has been archived
This article no longer conforms to NHS Digital's standards for cyber alerts and may contain outdated or inaccurate information. Use of the information contained in this page is at your own risk.
Summary
Threat details
A new piece of malware called “Matrix Banker” was recently discovered spreading across financial institutions in Latin America, specifically in Mexico and Peru. The name Matrix Banker comes from the login panel of its command and control (C2) server. Because the malware is believed to still be under development, its full capability and any additional targets are not yet known. Most banking Trojans eventually spread across multiple regions, and Matrix Banker is unlikely to remain contained in Latin America in the coming weeks and months.
Matrix Banker injects a DLL file into the Chrome, Firefox, Explorer or Edge browsers to carry out Man-in-the-Middle (MitM) attacks. This web injection redirects users to a phishing page hosted on “llinea[.]com” that impersonates the targeted financial institution. If the victim does not notice the redirect when the browser visits a targeted URL, the attackers collect the victim’s banking credentials. Malware authors continually implement new methods of communicating with their control servers to carry out information theft, so always practice Defense in Depth rather than relying on a single security mechanism. Responses from the C2 are hex encoded and encrypted with the Salsa20 stream cipher, which makes Matrix Banker the first malware family to use this algorithm.
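For analysts who recover the key from a sample, the two C2 response layers described above (hex encoding over Salsa20) can be stripped offline with a short pure-Python decoder. This is an added example, not code from the alert or from the malware; it assumes the standard Salsa20/20 construction (32-byte key, 8-byte nonce, 64-bit block counter), and the key, nonce and message are constructed sample values.

```python
# Added example, not code from the alert or the malware: a pure-Python Salsa20
# decoder for hex-encoded C2 responses, for offline analysis of captured traffic.
# Assumes standard Salsa20/20 (32-byte key, 8-byte nonce, 64-bit block counter).
import struct

M32 = 0xFFFFFFFF
COLUMN_ROUND = ((0, 4, 8, 12), (5, 9, 13, 1), (10, 14, 2, 6), (15, 3, 7, 11))
ROW_ROUND = ((0, 1, 2, 3), (5, 6, 7, 4), (10, 11, 8, 9), (15, 12, 13, 14))

def _rotl(v, n):
    return ((v << n) | (v >> (32 - n))) & M32

def quarterround(y0, y1, y2, y3):
    """Salsa20 quarterround as defined in Bernstein's specification."""
    z1 = y1 ^ _rotl((y0 + y3) & M32, 7)
    z2 = y2 ^ _rotl((z1 + y0) & M32, 9)
    z3 = y3 ^ _rotl((z2 + z1) & M32, 13)
    z0 = y0 ^ _rotl((z3 + z2) & M32, 18)
    return z0, z1, z2, z3

def salsa20_hash(state):
    """Salsa20/20 hash of 16 words: 10 double rounds, then feed-forward add."""
    x = list(state)
    for _ in range(10):
        for group in COLUMN_ROUND + ROW_ROUND:  # column round, then row round
            a, b, c, d = group
            x[a], x[b], x[c], x[d] = quarterround(x[a], x[b], x[c], x[d])
    return struct.pack("<16I", *[(x[i] + state[i]) & M32 for i in range(16)])

def salsa20_xor(key, nonce, data):
    """XOR data with the keystream; the same call encrypts and decrypts."""
    sigma = struct.unpack("<4I", b"expand 32-byte k")
    k, n, out = struct.unpack("<8I", key), struct.unpack("<2I", nonce), bytearray()
    for block, off in enumerate(range(0, len(data), 64)):
        ctr = struct.unpack("<2I", struct.pack("<Q", block))
        state = (sigma[0], *k[:4], sigma[1], *n, *ctr, sigma[2], *k[4:], sigma[3])
        keystream = salsa20_hash(state)
        out += bytes(p ^ s for p, s in zip(data[off:off + 64], keystream))
    return bytes(out)

def decode_c2_response(hex_text, key, nonce):
    """Strip the hex layer, then the Salsa20 layer, as the alert describes."""
    return salsa20_xor(key, nonce, bytes.fromhex(hex_text.strip()))

# Constructed sample: encrypt a known message so the decoder can be exercised.
SAMPLE_KEY, SAMPLE_NONCE = bytes(range(32)), bytes(range(8))
SAMPLE_PLAINTEXT = b'{"cmd":"update_injects","ver":1}'
SAMPLE_HEX = salsa20_xor(SAMPLE_KEY, SAMPLE_NONCE, SAMPLE_PLAINTEXT).hex()
```

Calling decode_c2_response(SAMPLE_HEX, SAMPLE_KEY, SAMPLE_NONCE) returns SAMPLE_PLAINTEXT; on real traffic the nonce and key layout must be confirmed against the sample before trusting the output.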
Remediation steps
Last edited: 17 February 2020 11:34 am