GoPIX Malware Removal Guide: Protecting Your Pix Transactions

GoPIX is a malicious program targeting the Pix instant payment platform in Brazil. It operates as a clipper designed to reroute Pix and cryptocurrency transactions, posing significant financial and privacy risks. In this comprehensive removal guide, we will explore the threat type, detection names, distribution methods, and the steps to remove GoPIX from your system.

Threat Type

GoPIX is classified as a Trojan, specifically a clipper, which replaces data in the clipboard to reroute transactions and steal information.

A Trojan, often referred to as a “Trojan horse,” is a type of malicious software (malware) that disguises itself as a legitimate and benign program or file to deceive users and gain unauthorized access to their computer systems. The name “Trojan horse” is derived from Greek mythology, where the Greeks used a large wooden horse to infiltrate the city of Troy. Similarly, a Trojan malware disguises its true malicious intent to infiltrate a computer or network.

Here are key characteristics of a Trojan:

• Deception: Trojans are designed to trick users into believing they are harmless or useful software. They often masquerade as legitimate programs, games, or files that users might willingly download or execute.
• Malicious Intent: Once a Trojan gains access to a system, it can carry out a wide range of harmful actions, depending on its specific type and purpose. Common actions include stealing sensitive data, providing remote access to attackers, damaging files, installing other malware, or creating backdoors for future attacks.
• Non-Self-Replicating: Unlike computer viruses, Trojans do not self-replicate or spread on their own. They rely on human actions, such as downloading and executing a file, to propagate.
• Diverse Types: There are numerous types of Trojans, each designed for specific purposes. Some common types include remote access Trojans (RATs), keyloggers, banking Trojans, and spyware.
• Payload: The “payload” of a Trojan is the specific malicious action it carries out. Trojans can have various payloads, including data theft, system damage, or serving as a delivery mechanism for other malware.
• Stealth: Trojans often attempt to hide their presence on a system by evading detection from antivirus and security software.
• Delivery Methods: Trojans can be distributed through various means, such as email attachments, software downloads, fake software updates, or malicious websites.

Detection Names

Antivirus programs use various detection names to identify GoPIX:

1. Avast: BV:Obfuscated-P [Cryp]
2. Combo Cleaner: Trojan.GenericKD.68470536
3. ESET-NOD32: PowerShell/TrojanDownloader.Agent.HNA
4. Kaspersky: HEUR:Trojan.BAT.GoPIX.gen
5. Microsoft: Trojan:Win32/Rastreio.RPZ!MTB

Distribution Methods

GoPIX infections typically originate from malicious websites promoted through malvertising. Two sources for downloading GoPIX are used, depending on whether the victim’s device has port 27275 open:

• No Avast Software: An NSIS installer package is downloaded, which includes PowerShell scripts and triggers the infection chain leading to GoPIX.
• Avast Software Present: A ZIP archive is downloaded, containing an LNK file with a PowerShell script to further the infection chain.

Damage Caused by GoPIX

GoPIX causes significant damage to systems, including:

• Rerouting Pix transactions: GoPIX scans for Pix transfers and replaces payment requests with the cybercriminal’s information, effectively rerouting transactions.
• Replacing cryptocurrency wallet addresses: GoPIX operates as a cryptowallet address replacing clipper for Bitcoin and Ethereum addresses. The attacker’s wallet addresses are predetermined.
• Privacy issues: The malware can steal sensitive information, leading to privacy breaches.
• Financial losses: GoPIX can lead to financial losses through fraudulent transactions and cryptocurrency theft.

Removal Guide for GoPIX

Before you begin the removal process, create a backup of your important data to prevent data loss.

• Disconnect from the Internet: Disable your internet connection to prevent further communication with the C&C server.
• Boot in Safe Mode: Restart your computer in Safe Mode to minimize GoPIX’s active processes.
• Identify and Isolate Suspicious Processes: Open the Task Manager (Ctrl+Shift+Esc) and identify any suspicious processes related to GoPIX. Terminate these processes.
• Uninstall Suspicious Applications: Go to your Control Panel (Windows) or Applications (Mac) and uninstall any suspicious applications related to GoPIX.
• Remove Browser Extensions: In your web browsers, remove any suspicious extensions or add-ons related to GoPIX.
• Clear Browser Data: Clear your browser’s cache, cookies, and browsing history to eliminate any traces of GoPIX.
• Use Anti-Malware Software: Install reputable anti-malware software and perform a full system scan to detect and remove GoPIX and any residual files.
• Reset Clipboard Data: Manually reset your clipboard data to prevent GoPIX from affecting future transactions.
• Reboot Your System: Restart your computer in normal mode and reconnect to the internet.

Conclusion

GoPIX is a Trojan clipper that poses significant risks to your Pix transactions and cryptocurrency activities. By following this removal guide and using anti-malware software, you can effectively eliminate GoPIX and protect your system from its malicious activities. Stay vigilant and practice good cybersecurity to safeguard your financial and personal information.