Bizarro banking malware attacks South American and European Banks

Cyber criminals are distributing a previously unknown banking Trojan that can steal login credentials from customers of 70 banks across Europe and South America.

Kaspersky’s researchers have called the banking Trojan “Bizarro” because it uses affiliates or money mules to launch attacks, cash out, or simply help with transactions.

The campaign tricks users into entering two-factor authentication codes into fake pop-up windows; the codes are then sent to the attackers.

Social engineering tactics are also used in the campaign to persuade visitors to banking websites to download a malicious smartphone app.

Bizarro is spread through MSI packages downloaded from dubious links in spam emails.

The malware is hosted on compromised WordPress, Amazon, and Azure servers. The MSI package downloads a ZIP archive containing a DLL written in Delphi, and then injects the heavily obfuscated implant.

The backdoor’s main module remains idle until a connection to one of the hard-coded online banking systems is detected.

Source: Securelist

According to the researchers, Bizarro begins by killing all browser processes in order to terminate any current sessions with online banking websites.

When the user restarts the browser, they are forced to re-enter their bank account credentials, which the malware captures.

To capture as many credentials as possible, Bizarro often disables autocomplete in the browser.

The banking Trojan’s primary purpose is to capture and exfiltrate banking credentials, while the backdoor is built to run 100 commands from a remote server, allowing it to gather a variety of data from Windows machines, monitor the victim’s mouse and keyboard, log keystrokes, capture screenshots, and even restrict Windows functionality.

Bizarro is the most recent example of Brazilian banking Trojans gradually expanding to Windows and Android devices, joining malware such as Guildma, Javali, Melcoz, Grandoreiro (collectively known as the Tetrade), Amavaldo, Ghimob, and BRATA, while at the same time spreading their attacks across South America and Europe.

The attackers behind this campaign, according to the researchers, employ a variety of technical tricks to make malware analysis and detection more difficult, as well as social engineering techniques to persuade victims to hand over sensitive banking information.

Please follow NuNewsIndustry on Twitter for more content.