Cyber criminals have deployed a previously unknown banking Trojan that can steal login credentials from customers of 70 banks across Europe and South America.
Kaspersky’s researchers have called the banking Trojan “Bizarro” because it uses affiliates or money mules to launch attacks, cash out, or simply help with transactions.
The campaign also tricks users into entering two-factor authentication codes into fake pop-up windows, and the codes are then sent to the attackers.
Social engineering tactics are also used in the campaign to persuade visitors to banking websites to download a malicious smartphone app.
Bizarro is spread through MSI packages downloaded from dubious links in spam emails.
The malware is hosted on compromised WordPress, Amazon, and Azure servers. The MSI package downloads a ZIP archive containing a Delphi-written DLL, and then injects the heavily obfuscated implant.
The backdoor’s main module remains idle until a connection to one of the hard-coded online banking sites is detected.
According to the researchers, Bizarro begins by killing all browser processes in order to terminate any current sessions with online banking websites.
When the user restarts the browser, the malware forces them to re-enter their bank account credentials, which it captures.
To capture as many credentials as possible, Bizarro also disables autocomplete in the browser.
The banking Trojan’s primary purpose is to capture and exfiltrate banking credentials, while the backdoor is built to run 100 commands from a remote server, allowing it to gather a variety of data from Windows machines, monitor the victim’s mouse and keyboard, log keystrokes, capture screenshots, and even restrict Windows functionality.
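The browser-killing behaviour described above is itself a detection opportunity: a non-browser process terminating several different browsers within a few seconds is rare in normal use. The following is an added example, not code from the report or from Kaspersky, that runs a simple heuristic over constructed process-termination events; the process names in the sample events are made up for illustration.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Browser image names whose termination by a foreign process is suspicious.
BROWSERS = {"chrome.exe", "msedge.exe", "firefox.exe", "iexplore.exe", "opera.exe"}

# Constructed sample telemetry (not real data):
# (timestamp, acting process, action, target process)
SAMPLE_EVENTS = [
    ("2021-05-18T10:00:01", "explorer.exe", "start", "chrome.exe"),
    ("2021-05-18T10:00:05", "msiexec.exe", "start", "dllhost_constructed.exe"),
    ("2021-05-18T10:00:07", "dllhost_constructed.exe", "terminate", "chrome.exe"),
    ("2021-05-18T10:00:07", "dllhost_constructed.exe", "terminate", "msedge.exe"),
    ("2021-05-18T10:00:08", "dllhost_constructed.exe", "terminate", "firefox.exe"),
    ("2021-05-18T10:05:00", "chrome.exe", "terminate", "chrome.exe"),  # normal exit
]


def find_browser_killers(events, window_seconds=30, min_kills=2):
    """Return {actor: [browsers]} for actors that terminated at least
    min_kills distinct browsers within window_seconds."""
    kills = defaultdict(list)
    for ts, actor, action, target in events:
        target = target.lower()
        # A browser closing itself (or its own child) is normal; skip it.
        if action == "terminate" and target in BROWSERS and actor.lower() != target:
            kills[actor].append((datetime.fromisoformat(ts), target))

    flagged = {}
    for actor, items in kills.items():
        items.sort()
        for i, (t0, _) in enumerate(items):
            # Distinct browsers killed in the window starting at this event.
            in_window = {tgt for t, tgt in items[i:]
                         if t - t0 <= timedelta(seconds=window_seconds)}
            if len(in_window) >= min_kills:
                flagged[actor] = sorted(in_window)
                break
    return flagged


if __name__ == "__main__":
    for actor, browsers in find_browser_killers(SAMPLE_EVENTS).items():
        print(f"ALERT: {actor} terminated browsers {browsers}")
```

Tune the window and threshold to the environment; a single browser termination by an installer or an EDR agent is common, a burst across several browsers is not.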
Bizarro is the most recent example of how Brazilian banking Trojans are increasingly targeting Windows and Android devices, joining malware families such as Guildma, Javali, Melcoz, Grandoreiro (collectively known as the Tetrade), Amavaldo, Ghimob, and BRATA, while spreading their attacks across South America and Europe.
According to the researchers, the attackers behind this campaign employ a variety of technical tricks to make malware analysis and detection more difficult, as well as social engineering techniques to persuade victims to hand over sensitive banking information.