On October 24, 2023, Kaspersky researchers released a report on several cyber threats, including the GoPIX infostealer malware campaign, which they assess has been active since December 2022.
According to Kaspersky:
“GoPIX is a typical clipboard stealer malware that steals PIX “transactions” used to identify payment requests and replaces them with a malicious (attacker controlled) one which is retrieved from the C2. The malware also supports substituting Bitcoin and Ethereum wallet addresses. However, these are hardcoded in the malware and not retrieved from the C2. GoPIX can also receive C2 commands, but these are only related to removing the malware from the machine.”
Retail, hospitality, and travel organizations conducting business operations in Brazil are encouraged to determine whether they leverage PIX as part of their operations and, if so to ingest the indicators of compromise (IOCs) included here, as well as taking other defensive measures such as reviewing activity records related to PIX transactions and scanning systems that interact with PIX.
Kaspersky researchers provided the following IOCs: