Researchers from Kaspersky have spotted a new sophisticated Brazilian banking trojan dubbed Bizarro that is targeting customers of tens of 70 banks in Europe and South America.
Bizarro banking Trojan allows to capture online banking credentials and hijacking Bitcoin wallets from the victims.
Experts have detected infections in Brazil, Argentina, Chile, Germany, Spain, Portugal, France and Italy, like the Tetrade malware, Bizarro leverages affiliates or recruiting money mules for its attacks.
Bizarro has x64 modules, the malicious code allows to trick victims into entering two-factor authentication codes in fake pop-ups. Experts pointed out that it also leverages social engineering to trick victims into downloading a mobile app.
It is distributed via Microsoft Installer packages which are downloaded by victims from links that are included in spam messages. Experts also noticed that the malware is also installed via a trojanized app.
“Once launched, Bizarro downloads a ZIP archive from a compromised website. While writing this article, we saw hacked WordPress, Amazon and Azure servers used for storing archives. The MSI installer has two embedded links – which one is chosen depends on the victim’s processor architecture.” reads the analysis published by Kaspersky.
The ZIP archive contains a malicious DLL written in Delphi, a legitimate executable that is an AutoHotkey script runner, and a small script that calls an exported function from the malicious DLL.
Upon executing Bizarro, the malware kills all running browser processes to terminate any existing sessions with online banking websites. Then, when the victim will restart the browser and attempt to access the home banking service they will be forced to re-enter the credentials, which will be captured by the malware. In order to force the victims into re-entering their credentials the malware disables the autocomplete feature in a browser.
Bizarro gathers system info, including computer name, OS version, default browser name, installed antivirus software.
“Bizarro initializes the screen capturing module. It loads the magnification.dll library and gets the address of the deprecated MagSetImageScalingCallback API function,” continues the analysis. “With its help, the trojan can capture the screen of a user and also constantly monitor the system clipboard, looking for a Bitcoin wallet address. If it finds one, it is replaced with a wallet belonging to the malware developers.”
The core component of Bizarro is a backdoor that supports more than 100 commands.
The core component of the backdoor only starts when the Bizarro Trojan detects a connection to one of the hardcoded online banking systems.
The commands supported by the backdoor could be grouped in the following categories:
“The first type of custom messages that Bizarro may show are messages that freeze the victim’s machine, thus allowing the attackers to gain some time,” continues the analysis. “When a command to display a message like this is received, the taskbar is hidden, the screen is greyed out and the message itself is displayed. While the message is shown, the user is unable to close it or open Task Manager. The message itself tells the user either that the system is compromised and thus needs to be updated or that security and browser performance components are being installed. This type of message also contains a progress bar that changes over time.”
Bizarro demonstrates the ability of Brazilian threat actors to target banking users around the globe.
“Implementing new techniques, Brazilian malware families started distributing to other continents, and Bizarro, which targets users from Europe, is the clearest example of this. It should serve as a sign for greater emphasis on the analysis of regional criminals and local threat intelligence, as soon enough it could become a problem of global concern.”concludes the report.
(SecurityAffairs – hacking, Bizarro)