GoPix is a highly sophisticated banking Trojan of Brazilian origin that targets financial institutions and cryptocurrency users. It employs advanced techniques typically seen in APT campaigns, such as memory-only implants, multi-stage obfuscated PowerShell scripts, and malvertising via Google Ads. The malware operates through living-off-the-land binaries (LOLBins), prioritizing stealth by minimizing its disk footprint and rotating its Command and Control (C2) servers frequently to evade detection.
A standout feature of GoPix is its unique man-in-the-middle (MITM) attack methodology. It utilizes Proxy AutoConfig (PAC) files and injects a trusted root certificate directly into the browser's memory to intercept and manipulate encrypted HTTPS traffic. Beyond standard banking credentials, the malware monitors clipboard activity to hijack Pix transactions, Boleto payments, and cryptocurrency wallet addresses. Its ability to check for specific security software like Avast and adjust its infection vector accordingly underscores its high level of technical evolution.