
Bizarro banking Trojan targets banks in Brazil and abroad

Bizarro is a new sophisticated Brazilian banking trojan that is targeting customers of tens of banks in Europe and South America.

Researchers from Kaspersky have spotted a new sophisticated Brazilian banking trojan dubbed Bizarro that is targeting customers of 70 banks in Europe and South America.

The Bizarro banking Trojan can capture online banking credentials and hijack Bitcoin wallets belonging to the victims.

Experts have detected infections in Brazil, Argentina, Chile, Germany, Spain, Portugal, France and Italy. Like the Tetrade malware, Bizarro relies on affiliates and recruits money mules to carry out its attacks.

Bizarro ships x64 modules and can trick victims into entering two-factor authentication codes in fake pop-ups. Experts also noted that it uses social engineering to convince victims to install a mobile app.

It is distributed via Microsoft Installer packages that victims download from links included in spam messages. Experts also noticed that the malware is installed via a trojanized app.

“Once launched, Bizarro downloads a ZIP archive from a compromised website. While writing this article, we saw hacked WordPress, Amazon and Azure servers used for storing archives. The MSI installer has two embedded links – which one is chosen depends on the victim’s processor architecture.” reads the analysis published by Kaspersky.

The ZIP archive contains a malicious DLL written in Delphi, a legitimate executable that is an AutoHotkey script runner, and a small script that calls an exported function from the malicious DLL.

Once running, Bizarro kills all browser processes to terminate any existing sessions with online banking websites. When the victim restarts the browser and tries to access the home banking service, they are forced to re-enter their credentials, which the malware captures. To make sure the victim types the credentials again, the malware also disables the browser's autocomplete feature.
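The loader chain and the browser-kill step described above both leave traces in endpoint process telemetry. The following Python is an added hunting example, not code from Kaspersky's report or from the malware: it runs over constructed, Sysmon-style process-create (event 1) and process-terminate (event 5) records and flags (a) an AutoHotkey interpreter spawned under an MSI installation and (b) a burst of terminations across more than one browser within a few seconds. The binary names, paths, timestamps and thresholds are illustrative assumptions, not indicators taken from the report.

```python
from datetime import datetime

# Browser images whose termination we care about, and the stock AutoHotkey
# interpreter names (assumption: the "legitimate AutoHotkey runner" keeps its name).
BROWSERS = {"chrome.exe", "msedge.exe", "firefox.exe", "iexplore.exe", "opera.exe"}
AHK_RUNNERS = {"autohotkey.exe", "autohotkeyu32.exe", "autohotkeyu64.exe"}

# Constructed, Sysmon-style records (id 1 = ProcessCreate, id 5 = ProcessTerminate).
# Paths, names and times are made up for the example.
SAMPLE_EVENTS = [
    {"ts": "2021-05-17T10:00:00", "id": 1, "image": r"C:\Windows\System32\msiexec.exe",
     "parent": r"C:\Windows\explorer.exe", "cmd": "msiexec.exe /i update.msi"},
    {"ts": "2021-05-17T10:00:04", "id": 1,
     "image": r"C:\Users\alice\AppData\Local\Temp\pkg\AutoHotkey.exe",
     "parent": r"C:\Windows\System32\msiexec.exe", "cmd": "AutoHotkey.exe run.ahk"},
    {"ts": "2021-05-17T10:00:05", "id": 5, "image": r"C:\Program Files\Google\Chrome\Application\chrome.exe"},
    {"ts": "2021-05-17T10:00:05", "id": 5, "image": r"C:\Program Files\Google\Chrome\Application\chrome.exe"},
    {"ts": "2021-05-17T10:00:06", "id": 5, "image": r"C:\Program Files\Mozilla Firefox\firefox.exe"},
    # A lone browser exit an hour later is normal user behaviour and must not fire.
    {"ts": "2021-05-17T11:30:00", "id": 5, "image": r"C:\Program Files\Google\Chrome\Application\chrome.exe"},
]


def basename(path: str) -> str:
    """Lower-case file name from a Windows path (works on any host OS)."""
    return path.replace("\\", "/").rsplit("/", 1)[-1].lower()


def script_runner_under_installer(events):
    """ProcessCreate records where an AutoHotkey interpreter has an MSI installer as parent."""
    return [e for e in events
            if e["id"] == 1
            and basename(e["image"]) in AHK_RUNNERS
            and basename(e.get("parent", "")) == "msiexec.exe"]


def browser_kill_bursts(events, window_s=10, min_distinct=2):
    """Clusters of browser ProcessTerminate records separated by gaps <= window_s seconds,
    kept only when at least min_distinct different browsers died inside the cluster."""
    kills = sorted((datetime.fromisoformat(e["ts"]), basename(e["image"]))
                   for e in events if e["id"] == 5 and basename(e["image"]) in BROWSERS)
    clusters, current = [], []
    for ts, name in kills:
        if current and (ts - current[-1][0]).total_seconds() > window_s:
            clusters.append(current)
            current = []
        current.append((ts, name))
    if current:
        clusters.append(current)
    return [(c[0][0].isoformat(), sorted({n for _, n in c}))
            for c in clusters if len({n for _, n in c}) >= min_distinct]


def hunt(events):
    """Run both checks and return the hits keyed by rule name."""
    return {"ahk_from_msi": script_runner_under_installer(events),
            "browser_kill_bursts": browser_kill_bursts(events)}


if __name__ == "__main__":
    for rule, hits in hunt(SAMPLE_EVENTS).items():
        print(rule, hits)
```

Neither rule is a signature for Bizarro on its own: software installers do spawn helper interpreters, and users do close browsers. The value is in the correlation, a script interpreter dropped by an installer followed seconds later by every browser on the host exiting at once, which is the sequence the report describes and which a benign install rarely produces.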

Bizarro gathers system information, including the computer name, OS version, default browser name and installed antivirus software.

“Bizarro initializes the screen capturing module. It loads the magnification.dll library and gets the address of the deprecated MagSetImageScalingCallback API function,” continues the analysis. “With its help, the trojan can capture the screen of a user and also constantly monitor the system clipboard, looking for a Bitcoin wallet address. If it finds one, it is replaced with a wallet belonging to the malware developers.”
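The clipboard-swap behaviour in the quote above is a classic "clipper". The Python below is an added example, not code from the Kaspersky analysis or from the malware: it implements Base58Check validation of legacy Bitcoin addresses, simulates the swap on a constructed clipboard string, and shows the check a wallet, browser extension or EDR clipboard hook can apply, namely comparing the address the user copied with the one that comes back from the clipboard. The sample addresses are generated inside the block from constructed hash values; bech32 ("bc1...") addresses are deliberately out of scope.

```python
import hashlib
import re

B58 = "123456789ABCDEFGHJKLMNPQRSTUVWXYZabcdefghijkmnopqrstuvwxyz"
# Candidate legacy (P2PKH "1..." / P2SH "3...") addresses: 26-35 Base58 characters.
ADDR_RE = re.compile(r"\b[13][" + B58 + r"]{25,34}\b")


def sha256d(data: bytes) -> bytes:
    return hashlib.sha256(hashlib.sha256(data).digest()).digest()


def b58check_encode(version: int, hash160: bytes) -> str:
    """Build an address from a version byte and a 20-byte hash. Used here only to
    generate constructed sample addresses, so the example needs no real wallet."""
    payload = bytes([version]) + hash160
    raw = payload + sha256d(payload)[:4]
    n = int.from_bytes(raw, "big")
    digits = ""
    while n:
        n, r = divmod(n, 58)
        digits = B58[r] + digits
    leading = len(raw) - len(raw.lstrip(b"\x00"))   # each leading zero byte is a "1"
    return "1" * leading + digits


def b58check_valid(addr: str) -> bool:
    """True if addr decodes to 25 bytes whose last 4 match the double-SHA256 of the first 21."""
    n = 0
    for ch in addr:
        if ch not in B58:
            return False
        n = n * 58 + B58.index(ch)
    try:
        raw = n.to_bytes(25, "big")
    except OverflowError:
        return False
    return sha256d(raw[:21])[:4] == raw[21:]


def extract_addresses(text: str) -> list:
    """All checksum-valid legacy addresses in a piece of text, in order."""
    return [m for m in ADDR_RE.findall(text) if b58check_valid(m)]


def clipper_rewrite(text: str, attacker_addr: str) -> str:
    """Simulation of the malware's clipboard module: every valid address becomes the attacker's."""
    return ADDR_RE.sub(lambda m: attacker_addr if b58check_valid(m.group(0)) else m.group(0), text)


def detect_swap(copied: str, pasted: str):
    """Compare what the user copied with what the clipboard handed back. One valid
    address replaced by a different valid address is the clipper signature;
    returns (original, replacement) or None."""
    before, after = extract_addresses(copied), extract_addresses(pasted)
    if len(before) == 1 and len(after) == 1 and before[0] != after[0]:
        return before[0], after[0]
    return None


# Constructed sample addresses: hash160 values are arbitrary, not real wallets.
SAMPLE_VICTIM = b58check_encode(0x00, b"\x11" * 20)
SAMPLE_ATTACKER = b58check_encode(0x00, b"\x22" * 20)

if __name__ == "__main__":
    copied = "please pay " + SAMPLE_VICTIM + " for invoice 42"
    pasted = clipper_rewrite(copied, SAMPLE_ATTACKER)
    print("copied:", copied)
    print("pasted:", pasted)
    print("swap detected:", detect_swap(copied, pasted))
```

The checksum step matters: a naive regex would also "validate" typos and truncated strings, and the attacker's replacement address is by construction a perfectly valid one, so format checks alone cannot tell the two apart. Only comparing the copied value with the pasted value, or showing the user a checksum-verified address with a visual confirmation step, catches the swap.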

The core component of Bizarro is a backdoor that supports more than 100 commands.

The core component of the backdoor only starts when the Bizarro Trojan detects a connection to one of the hardcoded online banking systems.

The commands supported by the backdoor can be grouped into the following categories:

  • Commands that allow the C2 operators to get data about the victim and manage the connection status;
  • Commands that allow attackers to control the files located on the victim’s hard drive;
  • Commands that allow attackers to control the user’s mouse and keyboard;
  • Commands that allow the attackers to control the backdoor operation, shut down, restart or destroy the operating system and limit the functionality of Windows;
  • Commands that log keystrokes;
  • Commands that perform social engineering attacks;
  • Commands that enable custom messages.

“The first type of custom messages that Bizarro may show are messages that freeze the victim’s machine, thus allowing the attackers to gain some time,” continues the analysis. “When a command to display a message like this is received, the taskbar is hidden, the screen is greyed out and the message itself is displayed. While the message is shown, the user is unable to close it or open Task Manager. The message itself tells the user either that the system is compromised and thus needs to be updated or that security and browser performance components are being installed. This type of message also contains a progress bar that changes over time.”

Bizarro demonstrates the ability of Brazilian threat actors to target banking users around the globe.

“Implementing new techniques, Brazilian malware families started distributing to other continents, and Bizarro, which targets users from Europe, is the clearest example of this. It should serve as a sign for greater emphasis on the analysis of regional criminals and local threat intelligence, as soon enough it could become a problem of global concern.” concludes the report.


Pierluigi Paganini
