Most ChePro samples are downloaders that need other files to complete the infection. Usually they install banking malware that takes screenshots, captures keystrokes, and reads the content of the clipboard.
Malware in this family can be used to attack virtually any Internet banking service. It implements new techniques to avoid detection for as long as possible.
Several Trojans use geolocation or query the operating system for the user’s timezone and Microsoft Windows version. The Trojans will not attempt to complete an infection if the computer’s IP address is not Brazilian, the operating system is set to a timezone that is outside of Brazil, or the system language is not Portuguese (Brazil).
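For analysts, the practical consequence of these checks is that a sandbox run outside a Brazilian profile may show no activity at all. The following added example (not code from the malware or from the original write-up) flags such runs as inconclusive instead of clean; the `SandboxRun` fields, verdict labels and sample runs are assumptions constructed for illustration.

```python
from dataclasses import dataclass

# IANA zones the tz database lists for Brazil.
BR_TIMEZONES = {
    "America/Noronha", "America/Belem", "America/Fortaleza", "America/Recife",
    "America/Araguaina", "America/Maceio", "America/Bahia", "America/Sao_Paulo",
    "America/Campo_Grande", "America/Cuiaba", "America/Santarem",
    "America/Porto_Velho", "America/Boa_Vista", "America/Manaus",
    "America/Eirunepe", "America/Rio_Branco",
}

@dataclass
class SandboxRun:             # hypothetical record of one detonation
    name: str
    egress_country: str       # ISO 3166-1 alpha-2 code of the sandbox's public IP
    timezone: str             # IANA zone configured in the guest
    ui_locale: str            # guest system language tag, e.g. "pt-BR"
    behaviours_seen: int      # events attributed to the sample during the run

def gate_mismatches(run):
    """List which of the three regional conditions the guest fails."""
    reasons = []
    if run.egress_country.upper() != "BR":
        reasons.append("egress IP is not Brazilian")
    if run.timezone not in BR_TIMEZONES:
        reasons.append("timezone is outside Brazil")
    if run.ui_locale.lower().replace("_", "-") != "pt-br":
        reasons.append("system language is not Portuguese (Brazil)")
    return reasons

def triage(run):
    """Return (verdict, mismatches); a silent run in a mismatched guest proves nothing."""
    mismatches = gate_mismatches(run)
    if run.behaviours_seen > 0:
        return "observed", mismatches
    if mismatches:
        return "inconclusive", mismatches   # re-run in a Brazilian profile
    return "quiet", mismatches              # matching profile, still no activity

# Constructed sample runs, not real telemetry.
SAMPLE_RUNS = [
    SandboxRun("default-us", "US", "America/New_York", "en-US", 0),
    SandboxRun("vpn-only", "BR", "Europe/Berlin", "pt_BR", 0),
    SandboxRun("br-profile", "BR", "America/Sao_Paulo", "pt-BR", 7),
]

if __name__ == "__main__":
    for run in SAMPLE_RUNS:
        verdict, why = triage(run)
        print(f"{run.name}: {verdict} {why}")
```
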
Geographical distribution of attacks by the Trojan-Banker.Win32.ChePro family
Geographical distribution of detections during the period from 20 November 2014 to 20 November 2015
Top 10 countries with most attacked users (% of total attacks)
* Percentage of all unique Kaspersky users attacked by this malware