Bizarro Banking Malware

Bizarro Banking Malware has 70 European and South American banks under its grip. A financially motivated hacker gang is using this previously undocumented banking trojan to disrupt banking services in these regions.

According to researchers at Kaspersky, Bizarro banking malware uses “affiliate or recruiting money moles to operationalize their attacks, cashing out or simply to help [sic] with transfers.”

The campaign is agile and has the ability to trick users into entering two-factor authentication codes. It achieves this via fake pop-up windows, and the codes entered are sent to the attackers. It also relies on social-engineering lures that convince visitors of banking websites to download a malicious smartphone app.

According to the researchers, the gang uses compromised WordPress, Amazon, and Azure servers to host the malware. It is then distributed via MSI packages that victims download from sketchy links in spam emails. When launched, the package downloads a ZIP archive containing a DLL written in Delphi and then injects the implant. The main module of the backdoor stays idle until it detects a connection to one of the hardcoded online banking systems.

Kaspersky researchers said, “When Bizarro starts, it first kills all the browser processes to terminate any existing sessions with online banking websites. When a user restarts the browsers, they will be forced to re-enter the bank account credentials, which will be captured by the malware. Another step Bizarro takes in order to get as many credentials as possible is to disable autocomplete in a browser.”
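As an added illustration, not part of the original article or of Kaspersky's research, the following Python script sketches two defender-side detection heuristics for the behaviours described above: an installer child process spawned by msiexec that drops a ZIP archive and then loads a DLL from a temp directory, and a single process terminating several browsers within a few seconds. The event format, field names, process names and file paths are constructed assumptions for the example, not real telemetry or indicators from this campaign.

```python
"""
Hypothetical detection pass over constructed Windows process-telemetry
events, modelled on the Bizarro behaviours reported above (MSI -> ZIP ->
Delphi DLL delivery, and killing browsers to force credential re-entry).
"""
import json
from collections import defaultdict
from datetime import datetime, timedelta

BROWSERS = {"chrome.exe", "firefox.exe", "msedge.exe", "iexplore.exe", "opera.exe"}
KILL_WINDOW = timedelta(seconds=10)   # assumption: burst window for browser kills
KILL_THRESHOLD = 2                    # assumption: distinct browsers killed in window

# Constructed sample telemetry (not real logs). The generic EDR-style field
# names below are an assumption made for this example.
SAMPLE_EVENTS = [
    {"ts": "2021-05-18T10:00:01", "type": "process_start", "pid": 400, "ppid": 380, "image": "msiexec.exe"},
    {"ts": "2021-05-18T10:00:02", "type": "process_start", "pid": 412, "ppid": 400, "image": "update_installer.exe"},
    {"ts": "2021-05-18T10:00:03", "type": "file_write", "pid": 412, "path": "C:\\Users\\u\\AppData\\Local\\Temp\\pkg.zip"},
    {"ts": "2021-05-18T10:00:04", "type": "image_load", "pid": 412, "path": "C:\\Users\\u\\AppData\\Local\\Temp\\core.dll"},
    {"ts": "2021-05-18T10:01:00", "type": "process_terminate", "actor_pid": 412, "target_image": "chrome.exe"},
    {"ts": "2021-05-18T10:01:01", "type": "process_terminate", "actor_pid": 412, "target_image": "msedge.exe"},
    {"ts": "2021-05-18T10:01:01", "type": "process_terminate", "actor_pid": 412, "target_image": "firefox.exe"},
    # Benign noise: a user closing one browser window through the shell.
    {"ts": "2021-05-18T10:05:00", "type": "process_terminate", "actor_pid": 100, "target_image": "chrome.exe"},
]


def parse_ts(value):
    return datetime.fromisoformat(value)


def detect_browser_kill_burst(events):
    """Flag a process that terminates KILL_THRESHOLD or more distinct
    browser processes within KILL_WINDOW (the session-reset behaviour)."""
    kills = defaultdict(list)  # actor_pid -> [(timestamp, browser image)]
    for ev in events:
        if ev["type"] == "process_terminate" and ev["target_image"].lower() in BROWSERS:
            kills[ev["actor_pid"]].append((parse_ts(ev["ts"]), ev["target_image"].lower()))
    alerts = []
    for pid, items in kills.items():
        items.sort()
        for i, (t0, _) in enumerate(items):
            window = {img for t, img in items[i:] if t - t0 <= KILL_WINDOW}
            if len(window) >= KILL_THRESHOLD:
                alerts.append({"rule": "browser_kill_burst", "pid": pid, "browsers": sorted(window)})
                break
    return alerts


def detect_msi_zip_dll_chain(events):
    """Flag a child of msiexec.exe that writes a .zip and afterwards loads a
    DLL from a user-writable Temp path (the staged delivery chain)."""
    images = {}            # pid -> image name, built in event order
    msi_children = set()   # pids whose parent is msiexec.exe
    wrote_zip = set()      # msi children that have dropped a .zip
    alerts = []
    for ev in events:
        kind = ev["type"]
        if kind == "process_start":
            images[ev["pid"]] = ev["image"].lower()
            if images.get(ev["ppid"]) == "msiexec.exe":
                msi_children.add(ev["pid"])
        elif kind == "file_write" and ev["pid"] in msi_children and ev["path"].lower().endswith(".zip"):
            wrote_zip.add(ev["pid"])
        elif kind == "image_load" and ev["pid"] in wrote_zip:
            path = ev["path"].lower()
            if path.endswith(".dll") and "\\temp\\" in path:
                alerts.append({"rule": "msi_zip_dll_chain", "pid": ev["pid"],
                               "image": images[ev["pid"]], "dll": ev["path"]})
    return alerts


def run_detections(events):
    """Run both heuristics and return the combined list of alerts."""
    return detect_browser_kill_burst(events) + detect_msi_zip_dll_chain(events)


if __name__ == "__main__":
    for alert in run_detections(SAMPLE_EVENTS):
        print(json.dumps(alert))
```

Both rules are stateful and order-dependent: the delivery-chain rule only fires when the ZIP write precedes the DLL load in the same msiexec child, and the kill-burst rule ignores a single browser closed by another process, which is what keeps the benign event at the end of the sample from alerting.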

Though the primary function of the trojan is to capture and exfiltrate banking credentials, the backdoor is designed to execute 100 commands from a remote server. This enables it to harvest all kinds of information from Windows machines. It can control the victim’s mouse and keyboard, log keystrokes, capture screenshots, and also limit the functionality of Windows.

There is a rise in the number of Brazilian banking trojan incidents affecting Windows and Android devices. Bizarro joins the list of other dreaded malware such as Guildma, Javali, Melcoz, Grandoreiro, Amavaldo, Ghimob, and BRATA, while simultaneously expanding their victimology footprint across South America and Europe.

The researchers further added, “The threat actors behind this campaign are adopting various technical methods to complicate malware analysis and detection, as well as social engineering tricks that can help convince victims to provide personal data related to their online banking accounts.”
