Cyber criminals have released a previously undocumented banking trojan that can steal credentials from customers of 70 banks located in various European and South American countries.
The operators of the banking trojan, dubbed “Bizarro” by Kaspersky researchers, use affiliates or recruit money mules to initiate their attacks, cash out, or simply help with transfers.
The campaign consists of multiple moving parts, including the ability to trick users into entering two-factor authentication codes in fake pop-up windows, which are then sent to the attackers. The campaign also relies on social engineering techniques to convince visitors of banking websites to download a malicious smartphone app.
Bizarro, which uses compromised WordPress, Amazon, and Azure servers to host the malware, is distributed via MSI packages downloaded by victims from sketchy links in spam emails. The package downloads a ZIP archive that contains a DLL written in Delphi, which subsequently injects the heavily obfuscated implant. The main module of the backdoor is configured to remain idle until it detects a connection to one of the hardcoded online banking systems.
The researchers stated that when Bizarro starts, it first kills all browser processes to terminate any existing sessions with online banking websites. When the user restarts the browser, they are forced to re-enter their bank account credentials, which the malware captures. Bizarro also disables autocomplete in the browser so that it can capture as many credentials as possible.
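A detection-side illustration of the behaviour just described, added here and not part of the Kaspersky report or this article: it scans constructed process-termination events (the log format, the browser list and the “loader.exe” terminating process are all assumptions for the demo, not values from any Bizarro sample) and flags a single non-shell process ending several different browsers within seconds, the burst that precedes the forced re-login.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Browser images a Bizarro-style implant would terminate before forcing a re-login.
BROWSER_IMAGES = {"chrome.exe", "firefox.exe", "msedge.exe", "iexplore.exe", "opera.exe"}
# Images that legitimately end browser processes (user closing windows, task manager,
# or the browser shutting down its own children); these are never flagged.
BENIGN_KILLERS = {"explorer.exe", "taskmgr.exe"} | BROWSER_IMAGES

# Constructed sample events; map this onto whatever your EDR or Sysmon pipeline
# emits for a process-terminated event (timestamp, image, requesting process).
SAMPLE_LOG = """\
2021-05-17T09:58:02 TERMINATED image=chrome.exe by=explorer.exe
2021-05-17T10:05:30 TERMINATED image=chrome.exe by=loader.exe
2021-05-17T10:05:31 TERMINATED image=firefox.exe by=loader.exe
2021-05-17T10:05:31 TERMINATED image=msedge.exe by=loader.exe
2021-05-17T10:42:10 TERMINATED image=firefox.exe by=firefox.exe
2021-05-17T11:15:00 TERMINATED image=chrome.exe by=updater.exe
""".splitlines()

def parse_event(line):
    """Parse one constructed line: '<iso-timestamp> TERMINATED image=<x> by=<y>'."""
    ts, _, rest = line.strip().partition(" TERMINATED ")
    fields = dict(kv.split("=", 1) for kv in rest.split())
    return datetime.fromisoformat(ts), fields["image"].lower(), fields["by"].lower()

def find_browser_kill_bursts(lines, window_seconds=10, min_distinct=2):
    """Return one finding per burst in which a single non-benign process terminated
    at least `min_distinct` different browsers within `window_seconds`."""
    by_killer = defaultdict(list)
    for line in lines:
        ts, image, killer = parse_event(line)
        if image in BROWSER_IMAGES and killer not in BENIGN_KILLERS:
            by_killer[killer].append((ts, image))
    window = timedelta(seconds=window_seconds)
    findings = []
    for killer, hits in by_killer.items():
        hits.sort()
        i = 0
        while i < len(hits):
            start = hits[i][0]
            burst = [img for ts, img in hits[i:] if ts - start <= window]
            distinct = sorted(set(burst))
            if len(distinct) >= min_distinct:
                findings.append({"killer": killer, "start": start.isoformat(), "browsers": distinct})
                i += len(burst)  # skip past the events already attributed to this burst
            else:
                i += 1
    return findings

if __name__ == "__main__":
    for finding in find_browser_kill_bursts(SAMPLE_LOG):
        print(finding)
```

The single user-driven close at 09:58 and the lone termination by updater.exe at 11:15 are not reported; only the three-browser burst by loader.exe is.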
The primary function of the trojan is to capture and exfiltrate banking credentials, whereas the backdoor is designed to execute 100 commands from a remote server that help it gather all kinds of information from Windows machines, control the victim’s mouse and keyboard, log keystrokes, capture screenshots, and even limit the functionality of Windows.
Bizarro is one of the latest examples of how Brazilian banking trojans are increasingly affecting Windows and Android devices, joining the likes of Guildma, Javali, Melcoz, Grandoreiro (collectively called the Tetrade), Amavaldo, Ghimob, and BRATA, and expanding their attacks across South America and Europe simultaneously.
The researchers added that the attackers behind this campaign are using various technical methods to complicate malware analysis and detection, as well as social engineering tricks that help convince victims to hand over their sensitive banking details.