Brazilian Malware Kingpin Is a 20-Yr Old Student

Researchers at security firm Trend Micro have identified a malware and Trojan creator as a 20-year-old college student from Tocantins, Brazil. The malware creator has allegedly developed and distributed over a hundred Trojans already, according to a blog post on Trend Micro’s website.

His shenanigans include:

  • Developing and distributing over a hundred Trojans, each of which cost roughly $320 on average.
  • Creating over a hundred banking Trojans in just two years, from 2013.
  • Targeting numerous banks, including Caixa, HSBC Brasil, Banco do Brasil and more.
  • Offering free versions of the banking malware, which were limited to 4 banks.
  • Seeking payment for the complete malware package, which contained more financial institutions as targets.

Trend Micro posted a screenshot taken directly from the hacker’s Facebook page, showing a large quantity of local Brazilian currency.

The malware

One of the malware creations, known as TSPY_BANKER.NJH, was a Trojan that targeted users by detecting when the URL of any of the targeted banks was typed into a browser, specifically Google’s Chrome. The Trojan would then manipulate the browser by displaying an error message before seamlessly opening a fake phishing window. If the unsuspecting user entered their bank details into the spoofed window, that information was then sent to the attacker by email.

The malware also terminates GbpSV.exe, a security process used by multiple Brazilian banks to keep customer data safe while transacting online.
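One way to watch for the GbpSV.exe termination described above, as an added example that is not from the article or from Trend Micro. It assumes Sysmon ProcessAccess (Event ID 10) records already parsed into dicts; the sample events, file paths and allowlist are constructed for illustration.

```python
# Added example: flag processes that open GbpSV.exe with terminate rights.
# Assumption: events are Sysmon Event ID 10 (ProcessAccess) records parsed into
# dicts; every path and the allowlist below are constructed for illustration.
import ntpath

PROCESS_TERMINATE = 0x0001   # Windows process access right
PROTECTED = {"gbpsv.exe"}    # banking security process named in the article
# Hypothetical allowlist of images expected to manage the protected process.
ALLOWED_SOURCES = {r"c:\windows\system32\services.exe"}
TARGET = r"C:\Program Files\ExampleBankPlugin\GbpSV.exe"   # placeholder path
DROPPED = r"C:\Users\example\AppData\Roaming\update.exe"   # placeholder path

SAMPLE_EVENTS = [  # constructed sample data
    {"EventID": 10, "SourceImage": r"C:\Windows\System32\services.exe",
     "TargetImage": TARGET, "GrantedAccess": "0x1fffff"},   # allowlisted
    {"EventID": 10, "SourceImage": DROPPED,
     "TargetImage": TARGET, "GrantedAccess": "0x1"},        # should alert
    {"EventID": 10, "SourceImage": DROPPED,
     "TargetImage": TARGET, "GrantedAccess": "0x1000"},     # query-only access
    {"EventID": 10, "SourceImage": DROPPED,
     "TargetImage": r"C:\Windows\System32\notepad.exe", "GrantedAccess": "0x1"},
    {"EventID": 5, "Image": TARGET},                        # not a ProcessAccess event
]

def can_terminate(granted_access):
    """True if the hex access mask includes PROCESS_TERMINATE."""
    try:
        mask = int(granted_access, 16)
    except (TypeError, ValueError):
        return False  # missing or malformed mask: do not alert on it
    return bool(mask & PROCESS_TERMINATE)

def suspicious_terminations(events):
    """Return ProcessAccess events where a non-allowlisted image could kill a protected process."""
    hits = []
    for ev in events:
        if ev.get("EventID") != 10:
            continue
        target = ntpath.basename(ev.get("TargetImage", "")).lower()
        source = ev.get("SourceImage", "").lower()
        if (target in PROTECTED and source not in ALLOWED_SOURCES
                and can_terminate(ev.get("GrantedAccess"))):
            hits.append(ev)
    return hits

if __name__ == "__main__":
    for ev in suspicious_terminations(SAMPLE_EVENTS):
        print("ALERT:", ev["SourceImage"], "->", ev["TargetImage"], ev["GrantedAccess"])
```

A handle with terminate rights shows capability, not that the process was killed; correlating a hit with a following process-terminated event (Sysmon Event ID 5) for the same image reduces false positives.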

With nearly half of all financial transactions being conducted online throughout the country, Brazil is a lucrative hotbed for cybercriminal activity. The young student is one among several cybercriminals who have taken to malware as a business enterprise.

Despite the clear threat, Trend Micro adds that cybersecurity, and devoting resources to tackling digital crime, hasn’t been a priority for the nation’s law-enforcement authorities. This is primarily due to concerns such as security in the lead-up to last year’s World Cup and intense riots in several favelas in Rio de Janeiro.


The computer science student went by the underground hacker name Lordfenix.

“Lordfenix is a Computer Science student from Tocantins, Brazil. We were able to trace his activity back to April 2013,” highlighted the researchers at Trend Micro.

“Based on our research, Lordfenix has created more than 100 different banking Trojans, not including his other malicious tools, since April 2013. With each Trojan costing around R$1,000 (roughly $320), this young cybercriminal channeled his talent in programming into a lucrative, illegal venture,” Trend Micro added.

Apparently, the student first began toying with malicious code by posting and interacting in hacker forums, seeking programming assistance for creating Trojans. Over time, however, the student had “grown quite confident in his skills,” confirmed researchers at Trend Micro.

“In cybercrime, it doesn’t matter if the criminal is a veteran or a newbie. The result remains the same: ordinary users become victims,” concluded Trend Micro.