Full Report
A Brazilian banking trojan called Ousaban is going after Windows users who bank in Spain and Portugal. Fortinet's FortiGuard Labs identified the campaign in May 2026. It opens with a phishing PDF disguised as a corrupted file, checks that the visitor is really in Spain or Portugal, and hides its real payload inside an image. The goal is the usual one: steal banking logins and take
Analysis Summary
# Tool/Technique: Ousaban (Javali) Banking Trojan
## Overview
Ousaban (also known as Javali) is a specialized banking trojan originating from Brazil. It is part of the "Tetrade" malware group (which includes Grandoreiro, Guildma, and Melcoz). Its primary objective is to compromise Windows users' banking sessions to facilitate financial theft. The malware is characterized by its heavy use of country-specific targeting and steganography to evade detection.
## Technical Details
- **Type:** Malware Family (Banking Trojan)
- **Platform:** Windows
- **Capabilities:** Credential theft via keylogging and screen capture, clipboard manipulation, remote access (RAT), and session hijacking.
- **First Seen:** Identified as part of the "Tetrade" group in 2020; the specific Iberian campaign was identified in May 2026.
## MITRE ATT&CK Mapping
- **[TA0001 - Initial Access]**
  - [T1566.001 - Phishing: Spearphishing Attachment] (Malicious PDF lures)
- **[TA0002 - Execution]**
  - [T1204.002 - User Execution: Malicious File]
- **[TA0003 - Persistence]**
  - [T1547.001 - Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder]
- **[TA0005 - Defense Evasion]**
  - [T1027.003 - Obfuscation: Steganography] (Hiding ZIP in image files)
  - [T1497.001 - Virtualization/Sandbox Evasion: System Checks] (Screen size, fonts, and IP screening)
- **[TA0009 - Collection]**
  - [T1056.001 - Input Capture: Keylogging]
  - [T1113 - Screen Capture]
  - [T1115 - Clipboard Data]
## Functionality
### Core Capabilities
- **Information Stealing:** Monitors for specific banking URLs (e.g., Santander, BBVA) to trigger data collection.
- **Credential Capture:** Records keystrokes and takes screenshots when the user interacts with banking portals.
- **Clipboard Tampering:** Monitors the clipboard to intercept and modify sensitive data like account numbers or cryptocurrency addresses.
- **Persistence:** Establishes a registry key named `Financeiro` to ensure the malware executes upon system reboot.
### Advanced Features
- **Geofencing & Sandbox Evasion:** Performs server-side screening of IP addresses, time zones, and system artifacts (fonts, screen resolution) to ensure the target is a real user in Spain or Portugal rather than a security researcher.
- **Steganography:** Uses image files that appear to be legitimate PDF icons but contain encrypted ZIP archives as payloads.
- **Dynamic C2 Resolution:** Uses a Domain Generation Algorithm (DGA) based on the current date and a secret seed to locate its Command and Control server, making simple IP/domain blocking ineffective.
## Indicators of Compromise
- **Registry Entry Name:** `Financeiro` (the Run-key entry used for persistence)
- **Registry Keys:** `HKCU\Software\Microsoft\Windows\CurrentVersion\Run\Financeiro`
- **Network Indicators:**
  - `pastebin[.]com` (Initial decoy/config link)
  - `google[.]com` (Used to fetch the current date for the DGA)
  - [Dynamic C2 URLs generated daily - Defanged]
- **Behavioral Indicators:**
  - Unexpected outbound connections from Windows system processes.
  - Scripts (JavaScript) executing from PDF readers to launch browser windows.
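The PDF-reader-spawns-browser-or-script-interpreter behaviour above can be checked against process-creation telemetry. The following is an added example, not code from the FortiGuard report; the log lines are constructed in a simplified `timestamp|parent_image|image|cmdline` form rather than real Sysmon or EDR output, and the process names are assumed.

```python
# Added example: flag process-creation events where a PDF reader is the parent
# of a web browser (medium) or a script interpreter (high), the behavioural
# indicator described in the report. Log format and sample lines are constructed.

PDF_READERS = {"acrord32.exe", "acrobat.exe", "foxitreader.exe", "sumatrapdf.exe"}
SCRIPT_HOSTS = {"wscript.exe", "cscript.exe", "powershell.exe", "mshta.exe"}
BROWSERS = {"chrome.exe", "msedge.exe", "firefox.exe", "iexplore.exe"}

# Constructed sample telemetry (not real captures): ts|parent_image|image|cmdline
SAMPLE_LOG = """\
2026-05-03T09:12:01Z|C:\\Windows\\explorer.exe|C:\\Program Files\\Adobe\\AcroRd32.exe|AcroRd32.exe C:\\Users\\u\\Downloads\\fatura.pdf
2026-05-03T09:12:03Z|C:\\Program Files\\Adobe\\AcroRd32.exe|C:\\Program Files\\Google\\Chrome\\chrome.exe|chrome.exe https://update.example.invalid/
2026-05-03T09:12:05Z|C:\\Program Files\\Adobe\\AcroRd32.exe|C:\\Windows\\System32\\wscript.exe|wscript.exe C:\\Users\\u\\AppData\\Local\\Temp\\run.js
2026-05-03T09:13:00Z|C:\\Windows\\explorer.exe|C:\\Windows\\System32\\cscript.exe|cscript.exe logon.vbs
"""


def basename(path):
    """Lower-cased file name from a Windows path."""
    return path.rsplit("\\", 1)[-1].lower()


def parse_event(line):
    ts, parent, image, cmdline = line.split("|", 3)
    return {"ts": ts, "parent": basename(parent), "image": basename(image), "cmdline": cmdline}


def classify(event):
    """Return a severity for a PDF-reader child process, or None if benign."""
    if event["parent"] not in PDF_READERS:
        return None
    if event["image"] in SCRIPT_HOSTS:
        return "high"      # a PDF reader should never host a script interpreter
    if event["image"] in BROWSERS:
        return "medium"    # browsers can be legitimate, but this is the lure's first hop
    return None


def detect(log_text):
    """Yield (severity, event) for every suspicious line in the log."""
    hits = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        event = parse_event(line)
        severity = classify(event)
        if severity:
            hits.append((severity, event))
    return hits
```

The explorer-launched `cscript.exe` in the sample is deliberately not flagged: the rule keys on the parent being a PDF reader, not on the interpreter alone.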
## Associated Threat Actors
- **Tetrade Group:** A collective of Brazilian malware operators.
- **Javali Operators:** Specifically linked to the Ousaban/Javali variants.
## Detection Methods
- **Behavioral Detection:** Monitoring for unusual registry modifications in the "Run" keys and identifying PDF readers spawning web browsers or script interpreters (wscript.exe, cscript.exe).
- **Network Monitoring:** Alerting on high volumes of traffic to Pastebin or unusual DGA-like domain requests.
- **Endpoint Analysis:** Scanning for "Financeiro" registry keys or files utilizing steganography (discrepancies between file extension and actual file headers).
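The endpoint check above (extension versus real file header, and a ZIP archive hidden inside an image) can be implemented as a small scanner. This is an added example, not code from the FortiGuard report; the sample "image" is constructed in memory as a minimal PNG-like blob with a ZIP appended after the IEND chunk, which is one common way an archive ends up inside an image file.

```python
# Added example: detect extension/magic mismatches and ZIP archives embedded in
# or appended to image files, the steganographic container the report describes.
import io
import zipfile

MAGIC = {
    ".png": b"\x89PNG\r\n\x1a\n", ".jpg": b"\xff\xd8\xff", ".jpeg": b"\xff\xd8\xff",
    ".gif": b"GIF8", ".pdf": b"%PDF", ".zip": b"PK\x03\x04",
}
PNG_IEND = b"IEND\xaeB`\x82"   # IEND chunk type + its fixed CRC
ZIP_LOCAL = b"PK\x03\x04"       # ZIP local file header signature
ZIP_EOCD = b"PK\x05\x06"        # ZIP end-of-central-directory signature


def header_mismatch(name, data):
    """True if the extension claims a format whose magic bytes are absent."""
    ext = "." + name.rsplit(".", 1)[-1].lower() if "." in name else ""
    expected = MAGIC.get(ext)
    return expected is not None and not data.startswith(expected)


def embedded_zip_offset(data):
    """Offset of a ZIP local header that is later followed by an EOCD record, else -1."""
    start = data.find(ZIP_LOCAL)
    if start < 0 or data.rfind(ZIP_EOCD) < start:
        return -1
    return start


def trailing_bytes_after_png(data):
    """Bytes following the IEND chunk; a well-formed PNG has none."""
    i = data.find(PNG_IEND)
    return len(data) - (i + len(PNG_IEND)) if i >= 0 else 0


def scan(name, data):
    findings = []
    if header_mismatch(name, data):
        findings.append("extension/header mismatch")
    off = embedded_zip_offset(data)
    if off > 0:   # offset 0 is simply a ZIP file, caught by the extension check
        findings.append(f"embedded ZIP at offset {off}")
    if data.startswith(MAGIC[".png"]) and trailing_bytes_after_png(data) > 0:
        findings.append("data after PNG IEND")
    return findings


def build_sample():
    """Constructed sample: 32-byte PNG-like stub followed by a real ZIP archive."""
    png = MAGIC[".png"] + b"\x00" * 16 + PNG_IEND
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        z.writestr("payload.bin", b"placeholder, not a real payload")
    return png + buf.getvalue()
```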
## Mitigation Strategies
- **Email Security:** Implement robust email filtering to block suspicious PDF attachments, especially those claiming to be "corrupted" or requiring updates.
- **User Training:** Educate employees and customers on "ClickFix" scams and the dangers of pasting commands into terminal windows or clicking "Update" within PDF documents.
- **Geoblocking:** If an organization does not conduct business in the Iberian region, consider blocking traffic from identified malicious infrastructure in those zones.
- **Endpoint Hardening:** Disable unnecessary script interpreters and strictly control administrative permissions to prevent unauthorized registry changes.
## Related Tools/Techniques
- **Grandoreiro:** A closely related Brazilian banking trojan with shared infrastructure and tactics.
- **Casbaneiro:** Shares a custom string encryption scheme with Ousaban.
- **ClickFix:** A social engineering technique frequently used by these groups to bypass automated security.