
A new banking trojan named the Bizarro Banking Trojan targets customers of 70 banks scattered throughout Europe and South America.

  • Bizarro Banking Trojan has attempted to steal credentials from customers of 70 banks from different European and South American countries.
  • Bizarro has 64 modules and can trick users into entering two-factor authentication codes in fake pop-ups.

Experts have discovered infections in Brazil, France, Argentina, Germany, Chile, Spain, Portugal, and Italy.

Bizarro has 64 modules; among other things, it can trick victims into entering two-factor authentication codes in fake pop-ups. Experts indicated that it also leverages social engineering to deceive victims into downloading a mobile app.

It is circulated via Microsoft Installer packages that victims download from links in spam messages. Experts also noted that the malware can be installed through a trojanized app.

“Once launched, Bizarro downloads a ZIP archive from a compromised website. While writing this article, we saw it hacked WordPress, Azure and Amazon servers to store archives. The MSI installer has two embedded links – which one is chosen depends on the victim’s processor architecture,” states the analysis published by Kaspersky.

Once installed, the malware kills all running browser processes to terminate any existing sessions with online banking websites. So when a user tries to restart the mobile banking session, they have to sign back in, and the malware harvests the credentials. To maximize its success, Bizarro disables autocomplete features in the browser and even surfaces fake pop-ups to snatch two-factor authentication codes, researchers added.
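The browser-kill step described above is something a defender can look for. As an added example (not from the Kaspersky analysis or this article), the Python below scans constructed, simplified endpoint telemetry for one non-browser process terminating several different browsers within a few seconds; the field names, process names, PIDs and timestamps are all assumptions.

```python
from collections import defaultdict
from datetime import datetime, timedelta

BROWSERS = {"chrome.exe", "firefox.exe", "msedge.exe", "iexplore.exe", "opera.exe"}
WINDOW = timedelta(seconds=10)   # how close together the kills must be
MIN_KILLS = 2                    # distinct browsers ended by one process

# Constructed, simplified telemetry (assumption: the sensor records which
# process ended which other process). Names, PIDs and times are made up.
SAMPLE_EVENTS = [
    # user closes one browser: a single kill by explorer.exe is benign
    {"ts": "2021-05-18T09:30:00", "actor": "explorer.exe", "actor_pid": 900, "target": "chrome.exe"},
    # a browser ending its own helper processes is normal and is ignored
    {"ts": "2021-05-18T09:45:00", "actor": "chrome.exe", "actor_pid": 5000, "target": "chrome.exe"},
    {"ts": "2021-05-18T09:45:01", "actor": "chrome.exe", "actor_pid": 5000, "target": "chrome.exe"},
    # burst: one freshly installed process ends every browser within two seconds
    {"ts": "2021-05-18T10:00:00", "actor": "installer.exe", "actor_pid": 4120, "target": "chrome.exe"},
    {"ts": "2021-05-18T10:00:01", "actor": "installer.exe", "actor_pid": 4120, "target": "firefox.exe"},
    {"ts": "2021-05-18T10:00:01", "actor": "installer.exe", "actor_pid": 4120, "target": "msedge.exe"},
    # same actor as the first event but hours later: outside the window, no burst
    {"ts": "2021-05-18T14:00:00", "actor": "explorer.exe", "actor_pid": 900, "target": "firefox.exe"},
]


def find_browser_kill_bursts(events, window=WINDOW, min_kills=MIN_KILLS):
    """Return one alert per (actor, pid) that ended >= min_kills distinct
    browsers inside `window`; a browser acting on itself is not counted."""
    kills = defaultdict(list)  # (actor, pid) -> [(timestamp, browser)]
    for ev in events:
        actor, target = ev["actor"].lower(), ev["target"].lower()
        if target not in BROWSERS or actor in BROWSERS:
            continue
        kills[(actor, ev["actor_pid"])].append((datetime.fromisoformat(ev["ts"]), target))

    alerts = []
    for (actor, pid), hits in kills.items():
        hits.sort()
        for i, (start, _) in enumerate(hits):       # slide a window over the kills
            browsers = {b for t, b in hits[i:] if t - start <= window}
            if len(browsers) >= min_kills:
                alerts.append({"actor": actor, "pid": pid,
                               "start": start.isoformat(), "browsers": sorted(browsers)})
                break                               # one alert per process is enough
    return alerts


if __name__ == "__main__":
    for alert in find_browser_kill_bursts(SAMPLE_EVENTS):
        print(alert)
```

On the sample above only the burst from pid 4120 is reported; the single benign close and the browser's own child clean-up stay silent.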

Bizarro gathers system information, including the computer name, default browser name, OS version and installed antivirus software.

“Bizarro initializes the screen capturing module. It loads the magnification.dll library and gets the address of the deprecated MagSetImageScalingCallback API function,” states the analysis. “With its help, the trojan can capture the screen of a user and also continuously monitor the system clipboard, looking for a Bitcoin wallet address. If it finds one, it is replaced with a wallet belonging to the malware developers.”

According to the analysis, the core component of Bizarro contains a backdoor capable of handling more than 100 commands.

The backdoor only starts operating once Bizarro observes a connection to one of the hardcoded online banking systems.

The commands supported by the backdoor can be grouped into the following categories:

  • Commands that allow the command-and-control (C2) operators to collect data about the victim and manage the connection status.
  • Commands that allow attackers to search for and steal files on the victim’s hard drive, and commands that allow them to install files on the victim’s device.
  • Commands that allow attackers to control the user’s keyboard and mouse.
  • Commands that log keystrokes.
  • Commands that allow the attackers to control the backdoor’s operation, restart, shut down or destroy the operating system, and limit the functionality of Windows.
  • Commands that display custom messages.

“The custom messages that Bizarro may show are messages that freeze the victim’s machine, thus allowing the attackers to gain some time,” continues the analysis. “When a command to display a message like this is received, the taskbar is hidden, the screen is greyed out, and the message itself is displayed. While the message is shown, the user is unable to close it or open Task Manager. The message itself tells the user either that the system is compromised and needs to be updated or that security and browser performance components are being installed. This type of message also contains a progress bar that changes over time.”
