A financially motivated cybercrime gang has unleashed a previously undocumented banking trojan, which can steal credentials from customers of 70 banks located in various European and South American countries.
Dubbed "Bizarro" by Kaspersky researchers, the Windows malware is "using affiliates or recruiting money mules to operationalize their attacks, cashing out or simply to helping [sic] with transfers."
The campaign consists of multiple moving parts, chief among them being the ability to trick users into entering two-factor authentication codes in fake pop-up windows that are then sent to the attackers, as well as its reliance on social engineering lures to convince visitors of banking websites into downloading a malicious smartphone app.
Bizarro, which uses compromised WordPress, Amazon, and Azure servers to host the malware, is distributed via MSI packages downloaded by victims from sketchy links in spam emails. Launching the package downloads a ZIP archive that contains a DLL written in Delphi, which subsequently injects the heavily obfuscated implant. What's more, the main module of the backdoor is configured to remain idle until it detects a connection to one of the hardcoded online banking systems.
"When Bizarro starts, it first kills all the browser processes to terminate any existing sessions with online banking websites," the researchers said. "When a user restarts the browsers, they will be forced to re-enter the bank account credentials, which will be captured by the malware. Another step Bizarro takes in order to get as many credentials as possible is to disable autocomplete in a browser."
While the trojan's primary function is to capture and exfiltrate banking credentials, the backdoor is designed to execute 100 commands from a remote server that enables it to harvest all kinds of information from Windows machines, control the victim's mouse and keyboard, log keystrokes, capture screenshots, and even limit the functionality of Windows.
Bizarro is only the latest example of how Brazilian banking trojans are increasingly affecting Windows and Android devices, joining the likes of malware such as Guildma, Javali, Melcoz, Grandoreiro (collectively called the Tetrade), Amavaldo, Ghimob, and BRATA, while simultaneously expanding their victimology footprint across South America and Europe.
"The threat actors behind this campaign are adopting various technical methods to complicate malware analysis and detection, as well as social engineering tricks that can help convince victims to provide personal data related to their online banking accounts," the researchers said.