Brazil is known for being the center of banking malware operations around the world. The Water Saci or Augmented Marauder cybercrime operation has been a main focus for this group for a number of years. The goal is to get rid of Casbaneiro, a classic banking Trojan that starts working when people go to online cryptocurrency or financial service providers.
It has a long list of targets, including big banks like Santander and Banco do Brasil in Central and South America, as well as payment and cryptocurrency platforms like Binance. The malware uses an overlay to make users think they're logging onto a real site, and then it records their keystrokes to steal their login information. The most important thing is how the victims get that email about the court summons in the first place.
People are more likely to click on phishing emails that come from trusted sources. And it's smart because it makes it harder to figure out where the breach really started.
Elkins says, "It's interesting that they are still obsessed with these old banking Trojans. Newer threat actors are more interested in getting into networks and stealing data than stealing money with malware." Elkins thinks they have become easier to find and less effective today, even though they worked well in the past. He says, "They're being found more often" because of strong, modern cybersecurity measures. "This is why we often don't see it all the way through to the customer's environment in my research."
He says, "It usually gets stopped at the email stage."
He goes on to say, "I mean, Windows Defender has a lot of rule sets that are made just for finding and stopping AutoIt executables used by Water Saci." "We don't always see it [malware]," he says.







