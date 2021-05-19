



The Bizarro banking Trojan targets at least 70 bank customers as it travels from its Brazilian base to Europe.

This week, Kaspersky researchers said variants of the Brazilian Trojan are attacking banking customers not only in Brazil, but also in Argentina, Chile, Spain, Portugal, France and Italy. In these regions, the malware attempts to steal account credentials for the purpose of financial theft.

However, the attack chain is not purely digital. After a successful compromise, the operators use money mules to cash out or transfer the stolen funds.

The banking Trojan, likened to the “Tetrade” family of four strains that are widespread throughout Brazil, is distributed via spam emails containing an MSI installer package.

Social engineering is used to trick potential victims into accepting and running the installer, including messages disguised as tax notifications and alerts.

Launching the installer downloads a .ZIP archive from a compromised website or server. Researchers have identified Azure and AWS servers used to host the malware, along with a hijacked WordPress domain.

The archive contains a malicious .DLL written in Delphi, an AutoHotkey script runner executable, and a script that calls a function exported from the .DLL. This obfuscated function contains the malicious code needed to launch the banking Trojan.

At startup, Bizarro kills existing browser processes, including any active sessions with online banking services. As soon as the victim resumes the session, the malware silently captures the banking credentials and sends them to the attacker’s command and control (C2) server.

To increase the chances of capturing this valuable data, Bizarro also disables the browser’s autocomplete feature.

Fake pop-ups are also displayed to users, some of which have been tuned to appear as messages from online banking services warning of security updates or PC compromises. These pop-ups may freeze the PC and hide the taskbar while requiring the customer to confirm their identity.

This is where the second phase of the attack begins. The message asks the victim to download a malicious smartphone app by scanning a QR code, and attempts to obtain the two-factor authentication (2FA) code from the victim for “authentication” purposes (if this security measure is enabled).

The malware also captures operating system information, takes screenshots, logs keystrokes, and monitors the clipboard for cryptocurrency wallet addresses.

If one is detected, the wallet address is replaced with an address owned by the threat actor, in the hope that the victim will unknowingly transfer the cryptocurrency to the attacker.
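The clipboard-swap behaviour described above leaves a recognisable trace on the endpoint: a wallet address is copied by the user and, a fraction of a second later, the clipboard holds a different address of the same type without any user action. The following is an added example of detecting that pattern from the defender's side; it is not code from the Kaspersky report or from Bizarro itself, and the address patterns, the ClipboardEvent shape and the sample timeline are all constructed assumptions.

```python
import re
from dataclasses import dataclass

# Address patterns for the wallet types a clipper typically watches for.
# These regexes are an assumption of this example, not taken from the report.
WALLET_PATTERNS = {
    "btc_legacy": re.compile(r"^[13][a-km-zA-HJ-NP-Z1-9]{25,34}$"),
    "btc_bech32": re.compile(r"^bc1[ac-hj-np-z02-9]{25,62}$"),
    "eth": re.compile(r"^0x[0-9a-fA-F]{40}$"),
}

def wallet_type(text: str):
    """Return the wallet type of a clipboard string, or None if it is not an address."""
    text = text.strip()
    for name, pattern in WALLET_PATTERNS.items():
        if pattern.match(text):
            return name
    return None

@dataclass
class ClipboardEvent:
    ts: float        # seconds since monitoring started (constructed field)
    content: str     # clipboard text at that instant
    user_copy: bool  # True if the OS reported a user-initiated copy action

def find_substitutions(events):
    """Flag clipboard changes where one wallet address silently became another.

    The tell-tale pattern is: address A (user copy) -> address B (no user action),
    with A != B and both of the same address type. Returns (ts, original, replacement).
    """
    alerts = []
    for prev, cur in zip(events, events[1:]):
        kind_prev, kind_cur = wallet_type(prev.content), wallet_type(cur.content)
        if (kind_prev and kind_cur and kind_prev == kind_cur
                and prev.content.strip() != cur.content.strip()
                and not cur.user_copy):
            alerts.append((cur.ts, prev.content.strip(), cur.content.strip()))
    return alerts

# Constructed sample timeline; the addresses are made up for this example.
SAMPLE_EVENTS = [
    ClipboardEvent(0.0, "invoice #4471", True),
    ClipboardEvent(5.2, "bc1qar0srrr7xfkvy5l643lydnw9re59gtzzwf5mdq", True),
    ClipboardEvent(5.3, "bc1qw508d6qejxtdg4y5r3zarvary0c5xw7kv8f3t4", False),  # silent swap
    ClipboardEvent(9.0, "0x52908400098527886E0F7030069857D2E4169EE7", True),
    ClipboardEvent(20.0, "0x52908400098527886E0F7030069857D2E4169EE7", False),  # unchanged: benign
]

if __name__ == "__main__":
    for ts, old, new in find_substitutions(SAMPLE_EVENTS):
        print(f"t={ts}s clipboard swap detected: {old} -> {new}")
```

A real monitor would feed find_substitutions from the OS clipboard change notifications rather than a fixed list; the second ETH event shows that a repeated, identical clipboard value is not flagged.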

As a Trojan horse, Bizarro also includes a backdoor feature that is managed through its C2 connections.

This is not the only banking Trojan from Brazil that has expanded into other regions. The operators behind Guildma, Javali, Melcoz, Grandoreiro and others are expected not only to continue attacking targets in multiple countries, but also to keep improving their malware over the long term.

