Kaspersky discovers new Brazilian banking Trojan going global
Last year, Kaspersky researchers saw several banking Trojans from South America (Guildma, Javali, Melcoz and Grandoreiro) expanding their operations all over the globe. Collectively recognized as “the Tétrade,” these families employed a variety of new, innovative and sophisticated techniques. 2021 has seen a continuation of this trend, as a new local player, Bizarro, goes global.
Bizarro is a new banking Trojan family, originating in Brazil, that is now also active in other countries, including Argentina, Chile, Germany, Spain, Portugal, France and Italy. Just like the Tétrade families, Bizarro's operators use affiliates or recruit money mules to operationalize their attacks, perform cashouts or simply help with translations. The cybercriminals behind this malware family also adopt various technical methods to complicate malware analysis and detection, and use social engineering tricks to convince targets to hand over their online banking credentials.
Bizarro is distributed as MSI (Microsoft Installer) packages that victims download from links in spam emails. Once launched, Bizarro downloads a ZIP archive from a compromised website that implements its further malicious functions. After sending the collected data to its telemetry server, Bizarro initializes its screen-capturing module. So far, Kaspersky experts have seen Bizarro using servers hosted on Azure and Amazon, as well as compromised WordPress servers, to store the malware and collect telemetry.
Kaspersky researchers highlight that the backdoor is the core component of Bizarro. It supports more than 100 commands, most of which are used to display fake pop-up messages to users; some of these even mimic online banking systems.
An example of Bizarro blocking a bank login page and telling the user that security updates are being installed
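The infection chain described above (an MSI package launched from a user's Downloads folder, whose process tree then writes a ZIP archive and connects to an outside host) is the kind of sequence a SOC can correlate from endpoint telemetry. The following is an added example written for this page, not Kaspersky's detection logic or any code from the Bizarro report: a small correlation heuristic run over constructed, Sysmon-style events. The event field names, process names, paths and IP addresses are assumptions chosen for the example, not indicators from the real campaign.

```python
"""Correlate MSI-launched process trees that fetch a ZIP and call out.

Added example for illustration only. Event layout loosely follows Sysmon
(ProcessCreate / NetworkConnect / FileCreate) but is simplified; all
sample data below is constructed and contains no real indicators.
"""
import ipaddress
from collections import defaultdict

# Constructed sample events, already parsed into dicts (not real telemetry).
SAMPLE_EVENTS = [
    {"type": "process", "pid": 100, "ppid": 1,
     "image": r"C:\Windows\explorer.exe", "cmdline": "explorer.exe"},
    # 1. User opens an MSI saved from a mail link into Downloads
    {"type": "process", "pid": 200, "ppid": 100,
     "image": r"C:\Windows\System32\msiexec.exe",
     "cmdline": r"msiexec.exe /i C:\Users\alice\Downloads\fatura.msi"},
    # 2. The installer spawns a helper that fetches a ZIP and calls home
    {"type": "process", "pid": 300, "ppid": 200,
     "image": r"C:\Users\alice\AppData\Local\Temp\upd.exe", "cmdline": "upd.exe"},
    {"type": "network", "pid": 300, "dst": "203.0.113.10", "dport": 443},
    {"type": "file", "pid": 300, "path": r"C:\Users\alice\AppData\Roaming\upd\stage2.zip"},
    {"type": "network", "pid": 300, "dst": "203.0.113.11", "dport": 80},
    # Benign control: silent install from a managed share, no ZIP, internal traffic only
    {"type": "process", "pid": 400, "ppid": 100,
     "image": r"C:\Windows\System32\msiexec.exe",
     "cmdline": r"msiexec.exe /i \\fileserver\software\7zip.msi /qn"},
    {"type": "network", "pid": 400, "dst": "10.0.0.5", "dport": 445},
    {"type": "file", "pid": 400, "path": r"C:\Program Files\7-Zip\7z.exe"},
]

# Address ranges treated as "inside" for this heuristic (assumed site layout).
INTERNAL_NETS = [ipaddress.ip_network(n) for n in
                 ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16",
                  "127.0.0.0/8", "169.254.0.0/16")]


def is_external(addr):
    """True if addr is outside INTERNAL_NETS; hostnames count as external."""
    try:
        ip = ipaddress.ip_address(addr)
    except ValueError:
        return True
    return not any(ip in net for net in INTERNAL_NETS)


def descendants(pid, children):
    """All pids in the process subtree rooted at pid, including pid itself."""
    seen, stack = set(), [pid]
    while stack:
        p = stack.pop()
        if p in seen:
            continue
        seen.add(p)
        stack.extend(children.get(p, ()))
    return seen


def find_msi_zip_chains(events):
    """One finding per msiexec run from a Downloads folder whose process
    subtree both writes a .zip file and connects to an external address."""
    procs = {e["pid"]: e for e in events if e["type"] == "process"}
    children = defaultdict(list)
    for p in procs.values():
        children[p["ppid"]].append(p["pid"])
    files, conns = defaultdict(list), defaultdict(list)
    for e in events:
        if e["type"] == "file":
            files[e["pid"]].append(e["path"])
        elif e["type"] == "network":
            conns[e["pid"]].append(e["dst"])

    findings = []
    for p in procs.values():
        if not p["image"].lower().endswith("\\msiexec.exe"):
            continue
        if "\\downloads\\" not in p["cmdline"].lower():
            continue
        tree = descendants(p["pid"], children)
        zips = [f for c in tree for f in files[c] if f.lower().endswith(".zip")]
        remote = sorted({d for c in tree for d in conns[c] if is_external(d)})
        if zips and remote:
            findings.append({"msi_pid": p["pid"], "cmdline": p["cmdline"],
                             "zip_paths": zips, "remote_hosts": remote})
    return findings


if __name__ == "__main__":
    for f in find_msi_zip_chains(SAMPLE_EVENTS):
        print(f"msiexec pid {f['msi_pid']}: {f['cmdline']}")
        print("  ZIP written   :", ", ".join(f["zip_paths"]))
        print("  external hosts:", ", ".join(f["remote_hosts"]))
```

Only the first msiexec run is reported; the managed-share install is not, because it neither writes a ZIP nor leaves the internal ranges. Treat a hit as a triage signal rather than a verdict: users legitimately install MSI packages from Downloads every day, so the value of the rule comes from requiring all three steps of the chain together and from feeding the ZIP path and contacted hosts back into threat-intelligence lookups.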
“Cybercriminals are constantly looking for new ways to spread malware that steals credentials for e-payment and online banking systems,” said Fabio Assolini, security expert at Kaspersky. “Today, we witness a game-changing trend in banking malware distribution – regional actors actively attack users, not only in their region but also around the globe. Implementing new techniques, Brazilian malware families started distributing to other continents, and Bizarro, which targets users from Europe, is the clearest example of this. It should serve as a sign for greater emphasis on the analysis of regional criminals and local threat intelligence, as soon enough it could become a problem of global concern.”
Learn more about the technical features of Bizarro on Securelist.com.
To protect financial institutions from banking Trojans such as Bizarro (and others), Kaspersky experts recommend:
- Provide your SOC team with access to the latest threat intelligence to keep them up-to-date on new tools and techniques used by cybercriminals. For example, Kaspersky Financial Threat Intelligence Reporting contains IoCs, Yara rules and hashes for these threats.
- Upskill your SOC team to tackle the latest targeted threats with Kaspersky online training developed by GReAT experts.
- Educate your customers on possible dangers and tricks malefactors may use. Regularly send them information on how to identify fraud and how to respond.
Kaspersky is a global cybersecurity and digital privacy company founded in 1997. Kaspersky’s deep threat intelligence and security expertise is constantly transforming into innovative security solutions and services to protect businesses, critical infrastructure, governments and consumers around the globe. The company’s comprehensive security portfolio includes leading endpoint protection and a number of specialized security solutions and services to fight sophisticated and evolving digital threats. Over 400 million users are protected by Kaspersky technologies and we help 240,000 corporate clients protect what matters most to them. Learn more at usa.kaspersky.com.
Sawyer Van Horn