Vadokrist

Posted: January 25, 2021

Vadokrist is a banking Trojan active in Latin America, a region that is often plagued by newly released Trojans that go after financial data and login credentials. According to security researchers, Vadokrist's campaigns may date back to 2018, and the majority of this Trojan's victims are in Brazil. The threat shares features with other Trojans from the same region, but it is highly unlikely that the same group of con artists is behind these projects.

Vadokrist's creators wrote it in Delphi, and they appear to have padded the corrupted executable with a large number of fake functions and junk code. This was likely done to slow down automatic malware analysis tools and to make the job of cybersecurity experts more difficult, since they have to search through thousands of lines of code to find the few that actually do anything. When Vadokrist infiltrates a system successfully, it gathers some basic data about the infected computer: usually the version of the operating system, the computer's name and the username. After this, it ensures persistence by dropping a shortcut (LNK) file in the startup folder and editing the Windows Registry.
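As an added example (not part of the original article, and not code from the malware or its researchers), the following Python flags the two persistence steps described above in Sysmon-style event records. The Sysmon event shapes, the choice of the Run/RunOnce keys (the article does not name the registry location) and all sample values are assumptions.

```python
import re

# Per-user and all-users Startup folders (standard Windows locations).
STARTUP_RE = re.compile(
    r"\\(?:appdata\\roaming|programdata)\\microsoft\\windows"
    r"\\start menu\\programs\\startup\\[^\\]+\.lnk$", re.IGNORECASE)
# Assumption: the article does not name the registry location; the Run and
# RunOnce autostart keys are watched here as the usual candidates.
RUN_KEY_RE = re.compile(
    r"\\software\\(?:wow6432node\\)?microsoft\\windows\\currentversion"
    r"\\run(?:once)?\\[^\\]+$", re.IGNORECASE)

def persistence_hits(events):
    """Return (EventID, creating image, artifact) for autostart changes.
    Events are dicts shaped like Sysmon records: ID 11 = FileCreate
    (TargetFilename), ID 13 = registry value set (TargetObject)."""
    hits = []
    for ev in events:
        if ev.get("EventID") == 11:
            artifact, pattern = ev.get("TargetFilename", ""), STARTUP_RE
        elif ev.get("EventID") == 13:
            artifact, pattern = ev.get("TargetObject", ""), RUN_KEY_RE
        else:
            continue
        if pattern.search(artifact):
            hits.append((ev["EventID"], ev.get("Image", "?"), artifact))
    return hits

def correlated_images(hits):
    """Processes that set up both mechanisms (Startup LNK and registry)."""
    seen = {}
    for event_id, image, _ in hits:
        seen.setdefault(image.lower(), set()).add(event_id)
    return sorted(img for img, ids in seen.items() if ids == {11, 13})

# Constructed sample events (not taken from a real infection).
SAMPLE_EVENTS = [
    {"EventID": 11, "Image": r"C:\Users\ana\AppData\Local\Temp\setup_x.exe",
     "TargetFilename": r"C:\Users\ana\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\updater.lnk"},
    {"EventID": 13, "Image": r"C:\Users\ana\AppData\Local\Temp\setup_x.exe",
     "TargetObject": r"HKU\S-1-5-21-1111-2222-3333-1001\Software\Microsoft\Windows\CurrentVersion\Run\updater"},
    {"EventID": 11, "Image": r"C:\Windows\explorer.exe",
     "TargetFilename": r"C:\Users\ana\Documents\report.lnk"},
]

if __name__ == "__main__":
    print(persistence_hits(SAMPLE_EVENTS))
    print(correlated_images(persistence_hits(SAMPLE_EVENTS)))
```

A process that appears in `correlated_images` wrote both a Startup shortcut and an autostart registry value, which is a stronger signal than either event alone.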

This banking Trojan may enable the criminals to gain almost complete control over the infected system. It can simulate mouse clicks and keyboard input, as well as power down or restart the computer. In addition to this, the criminals can use a keylogger to monitor the victim's input, as well as grab screenshots of the desktop or active windows. Last but not least, Vadokrist enables its operators to prevent the victim from accessing certain websites and to manage running processes.

Vadokrist is very similar to Grandoreiro and the Mekotio Trojan, other banking Trojans popular in the region. All of these threats' attacks are preventable by using up-to-date anti-virus software at all times.