Attackers deliver the Trojan using generic Portuguese-language phishing emails and are currently targeting seven Brazilian banks. Once delivered, Escelar has multiple installation stages in which malware is downloaded over direct connections to multiple Microsoft SQL servers. These SQL servers are also used for command and control (C2) functionality.
Escelar is designed to steal online banking authentication credentials and further compromise the accounts of victims. Even worse, Escelar is capable of manipulating the victim’s banking web session and executing fraudulent transactions. Escelar also forces the user to connect to the Internet via Internet Explorer (IE). If the victim attempts to use another browser (e.g. Google Chrome) to access online banking accounts, Escelar generates a false error code that makes the victim return to IE.
The most recently discovered Microsoft SQL server being used as Escelar infrastructure contained records of 1660 infections, all of which connected within a two-day time frame.
Escelar is distributed almost exclusively through phishing emails. Organizations should monitor their networks for unexpected outbound Microsoft SQL traffic (App-ID mssql) that may indicate an Escelar infection.
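One way to implement that monitoring over exported connection logs, as an added example that is not code from the original post: it assumes a constructed whitespace-separated log format (timestamp, source, destination, destination port, protocol), treats RFC 1918 and loopback ranges as internal, and flags internal hosts talking TCP/1433 to external servers that are not on an allowlist of approved SQL servers.

```python
import ipaddress
from collections import defaultdict

# Constructed sample log lines (not real data); external addresses use
# documentation ranges. Format: timestamp src dst dport proto
SAMPLE_LOG = """\
2015-06-01T10:00:01 10.1.2.10 10.1.2.50 1433 tcp
2015-06-01T10:00:05 10.1.2.10 203.0.113.45 1433 tcp
2015-06-01T10:00:09 10.1.2.11 198.51.100.7 443 tcp
2015-06-01T10:00:12 10.1.2.12 203.0.113.45 1433 tcp
2015-06-01T10:00:20 10.1.2.10 192.0.2.99 1433 tcp
"""

MSSQL_PORT = 1433  # default Microsoft SQL Server TCP port
INTERNAL_NETS = [ipaddress.ip_network(n) for n in
                 ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8")]

def is_internal(ip: str) -> bool:
    """True for RFC 1918 and loopback addresses (explicit list, not is_private,
    because Python also counts documentation ranges as private)."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in INTERNAL_NETS)

def parse_line(line: str) -> dict:
    ts, src, dst, dport, proto = line.split()
    return {"ts": ts, "src": src, "dst": dst, "dport": int(dport), "proto": proto}

def find_outbound_mssql(log_text: str, allowlist: frozenset = frozenset()) -> list:
    """Return records where an internal host speaks MSSQL to an external server
    that is not an approved destination. Escelar's staged download and C2 both
    use direct connections to Microsoft SQL servers, which is unusual traffic
    for a user workstation."""
    hits = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        rec = parse_line(line)
        if rec["proto"] != "tcp" or rec["dport"] != MSSQL_PORT:
            continue
        if not is_internal(rec["src"]) or is_internal(rec["dst"]):
            continue  # only internal -> external connections are of interest
        if rec["dst"] not in allowlist:
            hits.append(rec)
    return hits

def summarize(hits: list) -> dict:
    """Group hits by destination: one external SQL server contacted by many
    internal hosts is the pattern a shared C2 server would produce."""
    by_dst = defaultdict(set)
    for rec in hits:
        by_dst[rec["dst"]].add(rec["src"])
    return {dst: sorted(srcs) for dst, srcs in by_dst.items()}

if __name__ == "__main__":
    hits = find_outbound_mssql(SAMPLE_LOG, allowlist=frozenset({"192.0.2.99"}))
    for dst, srcs in summarize(hits).items():
        print(f"{dst}: {len(srcs)} internal host(s) -> {', '.join(srcs)}")
```

Run against real exports, the destination grouping is what to review first: a legitimate SQL server will be known to the database team, an unknown external one contacted by several workstations warrants investigation.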