Brazilian data leak hides malware [Exclusive]

Journalists, activists, hackers, researchers, analysts, law enforcement and government officials, or simply curious people: everyone who downloaded the file containing the personal information of 223 million Brazilians was possibly exposed to a highly dangerous trojan. There is no way to count how many downloads were made, let alone how many citizens were exposed.

On January 11, an unprecedented leak in Brazil exposed confidential information of 223 million citizens. The case alarmed many people because of the volume of information exposed, which made scams and fraud easier to carry out. The Federal Police said on Wednesday (04) that they are already investigating the case; meanwhile, Justice Alexandre de Moraes, of the Supreme Federal Court (STF), also added the case to the fake news inquiry that has been underway at the STF since last year.

The leaked data is not completely new, it does not come from a single company, and there is potential ransomware in the file

In the early hours of today (05), the case took a turn: the leaked data is not entirely new, it does not come from a single company, and there is potential ransomware carried by a modified, possibly legitimate program that infects the people who downloaded the files.

According to an anonymous source linked to TecMundo who works in the cybersecurity field, the malicious software present in the leaked file is a trojan that, at some future time defined by the cybercriminal who developed it, will release software with greater destructive capacity. In this case, according to the source, we are possibly talking about ransomware.

Ransomware is a type of malicious software that, once it gets into a computer or smartphone, encrypts the files and demands a payment to release them. There is no guarantee that the files will be released if the payment is made.

  • How it all began: the new chapter of this story started to unfold yesterday (04) at 18:50, when security researcher Rodrigo Laneth contacted TecMundo about a possibly suspicious executable present in the leak. Laneth had just published “Vazou”, a website that tells users whether their data is present in the mega leak. After contacting the other anonymous sources cited in this report, the investigation wrapped up at around 3:00 am on Friday (05).

[Image: “Legitimate” executable that has been modified.]

How do you infect many people with a high level of cyber knowledge at once?

Security researcher Rodrigo Laneth, while analyzing the files published by the primary source, noticed a suspicious executable that simulated a legitimate action. However, it was nothing more than malware capable of slipping under the radar of various antivirus products.

The leak was published as five forum threads containing data on people, vehicles and companies. To handle the sale of the information, the cybercriminal included a program in the package, like a “well-organized good Samaritan”, that let the interested party select specific information from the leak and place a purchase order worth up to US$ 900. It was all a big “Trojan horse”: the ordering software was just malware.


To make it more credible, the cybercriminal offered a free sample of the data being sold, showing what the buyer would find: names, dates of birth, e-mail and home addresses, telephone numbers, credit scores, education level, company ownership, and so on, for people apparently chosen at random by the author of the leak.

“I noticed that the leak included an executable file and decided to submit it to sandbox services (automated tools that help experts study how malicious software works). That way, it was possible to identify several suspicious behaviors, such as, for example, virtualization detection, a technique commonly used in malware to make analysis difficult”, said Laneth.

Evasion mechanisms let malware change its own behavior to hinder expert analysis and avoid recognition by defensive software such as antivirus. It is worth noting that the cybercriminal was also posting VirusTotal screenshots to suggest that the download was clean.

[Image: Analysis II.]

How do you invade Troy?

According to a new anonymous source who contacted TecMundo and is quoted at the beginning of this article, the executable that researcher Rodrigo Laneth cites is called “JustBR”. “JustBR” is supposedly legitimate software used by Serasa Experian to manage data from Mosaic, the company’s product line.

The anonymous source reported that, between December 2020 and January 2021, “the JustBR source code was passed around on forums. Someone there slipped up, they must have left it open on GitHub, I don’t know”. In this way, the cybercriminal took the software and inserted the alleged ransomware into its code.

According to the source, the code “smells, tastes and sounds like ransomware”, but there is no way to confirm it because there has been no time for further analysis. The program has three binds: the first checks whether the machine’s hard disk is encrypted, checks whether it is running in a virtual machine, and also adds some “tricks”: it places in the Windows clipboard (Ctrl+V) the Instagram page of singer Justin Bieber and a page of GIFs from Reddit; the second checks the Windows date; and the third and last bind is unknown.
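The behaviours attributed to the binary above (virtualization checks, clipboard writes, a date check, a disk-encryption check) and the VirusTotal screenshots mentioned earlier both point to the same defensive habit: before opening anything from a dump like this, list the archive's contents, hash every member yourself, and statically triage any executable. The script below is an added example written for this article; it is not code from TecMundo, from Laneth, or from the real “JustBR” program. The archive it inspects is constructed in memory, and the indicator strings are illustrative assumptions about what such behaviours commonly look like in a Windows binary, not signatures taken from the actual sample.

```python
import hashlib
import io
import re
import zipfile

# Indicator families modelled on the behaviours the article describes.
# These strings are illustrative assumptions for triage, NOT signatures
# of the real "JustBR" binary.
INDICATORS = {
    "vm_detection": [b"VMware", b"VirtualBox", b"VBoxGuest", b"QEMU", b"Hyper-V", b"vmtoolsd"],
    "clipboard": [b"OpenClipboard", b"SetClipboardData", b"EmptyClipboard"],
    "date_check": [b"GetSystemTime", b"GetLocalTime", b"SystemTimeToFileTime"],
    "disk_encryption": [b"BitLocker", b"manage-bde", b"Win32_EncryptableVolume"],
}

# Extensions that should never be opened casually from a "data" archive.
EXECUTABLE_EXT = (".exe", ".dll", ".scr", ".bat", ".cmd", ".ps1", ".vbs", ".js", ".msi")

# Printable ASCII runs of at least four characters (the classic `strings` heuristic).
STRING_RE = re.compile(rb"[\x20-\x7e]{4,}")


def is_executable(name, data):
    """Flag by extension or by the 'MZ' header of a Windows PE file."""
    return name.lower().endswith(EXECUTABLE_EXT) or data[:2] == b"MZ"


def scan_strings(data):
    """Return {family: [matched indicator strings]} for every family with a hit."""
    strings = STRING_RE.findall(data)
    hits = {}
    for family, needles in INDICATORS.items():
        found = sorted({n.decode() for n in needles if any(n in s for s in strings)})
        if found:
            hits[family] = found
    return hits


def triage_archive(zip_bytes):
    """Inventory an archive: name, SHA-256, executable flag and indicator hits per member."""
    report = []
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            data = zf.read(info)
            entry = {
                "name": info.filename,
                "sha256": hashlib.sha256(data).hexdigest(),  # hash you computed, not a screenshot
                "executable": is_executable(info.filename, data),
                "indicators": {},
            }
            if entry["executable"]:
                entry["indicators"] = scan_strings(data)
            report.append(entry)
    return report


def risky_entries(report):
    """Names of executable members that also carry at least one indicator family."""
    return [e["name"] for e in report if e["executable"] and e["indicators"]]


def build_sample_archive():
    """Constructed sample: a harmless CSV plus a fake 'executable' made of an MZ header
    followed by indicator strings. It contains no real code and cannot run."""
    fake_exe = (
        b"MZ" + b"\x00" * 62
        + b"\x00".join([b"VirtualBox", b"vmtoolsd", b"OpenClipboard",
                        b"SetClipboardData", b"GetLocalTime"])
        + b"\x00"
    )
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("amostra/pessoas.csv", "nome,cpf\nFulano de Tal,000.000.000-00\n")
        zf.writestr("amostra/JustBR.exe", fake_exe)
    return buf.getvalue()


if __name__ == "__main__":
    report = triage_archive(build_sample_archive())
    for e in report:
        flag = "EXECUTABLE" if e["executable"] else "data"
        print(f"{e['sha256'][:16]}...  {flag:10}  {e['name']}  {e['indicators']}")
    print("Do not open:", risky_entries(report))
```

On a real archive you would call `triage_archive` on the file's bytes and submit the printed SHA-256 values to a reputation service yourself rather than trusting a screenshot someone else posted; a string hit is only a reason for deeper (sandboxed) analysis, not proof of malice, and a binary that packs or encrypts its strings will show nothing here, which is exactly why the absence of hits must not be read as a clean bill of health.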


Several signs, even before the malware was discovered, indicated that the leak could be a “Trojan horse” in the broadest sense of the term. First, it was offered for US$ 900, a ridiculously low amount for a leak of that caliber. Then, free subsets and free samples served to whet the appetite of potential buyers.

It should also be noted that, although Serasa Experian is “in the eye of the hurricane” as the main target of the investigations, many reports state that the company “is not entirely at fault”.

Data leaks happen systematically

According to the same anonymous source linked to TecMundo who provided the previous analysis, “only” about 40 million of the 223 million leaked personal records would come from Serasa. The remainder comes from older leaks involving government systems or other companies in recent years; the source cited that even customer data from the carrier Vivo and from DataPrev would be in the files. Serasa’s “fault” lies in the leaked data from the Mosaic service, which would have been accessed improperly between 2019 and mid-2020.

As for that, we will spend the next few weeks analyzing the archive to identify everyone responsible for the leak.

[Image: Justin Bieber’s Instagram.]

And my defense?

Data leaks happen systematically and, it seems, what we are experiencing is more a mix of information leaked over the past few years. That does not mean there is no new data in it, nor should we underestimate what it represents. There is probably no single body or company to blame for what happened.

Many reports on Twitter show users who checked their information against the 223 million database and found very old home addresses, for example.

Over the past few days, we have seen several independent researchers, such as Allan Fernando and Rodrigo Laneth, mentioned in this article, build websites or tools so that ordinary users can check their data. The attitude is commendable; however, there is enough basis for the government to develop verification tools and to operate a public cybersecurity service.

[Image: Analysis III.]

How to report to TecMundo?

TecMundo supports the work of ethical hackers. If you cannot get a flaw or vulnerability resolved because of difficulty contacting a company, agency or institution, talk to us. Our reporting channels are:
