Bizarro Banking Trojan Sports Sophisticated Backdoor
Quote:The advanced Brazilian malware has gone global, harvesting bank logins from Android mobile users.

A never-before-documented Brazilian banking trojan, dubbed Bizarro, is targeting customers of 70 banks scattered throughout Europe and South America, researchers said.

According to an analysis from Kaspersky released Monday, Bizarro is a mobile malware, aimed at capturing online-banking credentials and hijacking Bitcoin wallets from Android users. It spreads via Microsoft Installer packages, which are either downloaded directly by victims from links in spam emails or installed via a trojanized app, according to the analysis.

Once installed, it kills all running browser processes to terminate any existing sessions with online banking websites — so, when a user initiates a mobile banking session, they have to sign back in, allowing the malware to harvest the details. To maximize its success, Bizarro disables autocomplete in the browser, and even surfaces fake popups to snatch two-factor authentication codes, researchers added.

Bizarro also has a screen-capturing module.

“It loads the magnification.dll library and gets the address of the deprecated MagSetImageScalingCallback API function,” explained Kaspersky researchers. “With its help, the trojan can capture the screen of a user and also constantly monitor the system clipboard, looking for a Bitcoin wallet address. If it finds one, it is replaced with a wallet belonging to the malware developers.”
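The clipboard behaviour described above (watch for a Bitcoin address, swap it for the attackers' own) is the classic "clipper" pattern, and the same observation gives a detection heuristic: a wallet address in the clipboard is replaced by a different wallet address without the user having copied anything. The following is an added example, not code from the Kaspersky analysis or from Threatpost; it runs the heuristic over a constructed stream of clipboard snapshots. The `Snapshot` type, the `user_copy` flag and the sample addresses are assumptions for the demo, and the address patterns check format only, not the Base58Check or bech32 checksum.

```python
"""
Detect clipboard hijacking of cryptocurrency addresses from a stream of
clipboard snapshots. Added example (not from the page's source analysis);
the snapshot stream and the second address are constructed test data.
"""
import re
from dataclasses import dataclass
from typing import List, Optional

# Format-only patterns for Bitcoin addresses: legacy Base58 (P2PKH "1...",
# P2SH "3...") and bech32 ("bc1..."). No checksum validation is done here;
# for a clipper heuristic, "looks like an address" is sufficient.
BTC_ADDRESS = re.compile(
    r"^(?:[13][a-km-zA-HJ-NP-Z1-9]{25,34}|bc1[ac-hj-np-z02-9]{39,59})$"
)


@dataclass
class Snapshot:
    ts: float         # seconds since monitoring started (assumed schema)
    text: str         # clipboard contents at that instant
    user_copy: bool   # True if a user copy action was observed at this change


def is_btc_address(text: str) -> bool:
    """Return True if the text has the shape of a Bitcoin address."""
    return bool(BTC_ADDRESS.match(text.strip()))


def detect_swaps(snapshots: List[Snapshot]) -> List[str]:
    """A clipper replaces an address with a different address shortly after
    the user copies it, with no copy action from the user. Return one alert
    string per such swap, in stream order."""
    alerts: List[str] = []
    prev: Optional[Snapshot] = None
    for snap in snapshots:
        if prev is not None and snap.text != prev.text:
            if (is_btc_address(prev.text) and is_btc_address(snap.text)
                    and not snap.user_copy):
                alerts.append(
                    f"t={snap.ts:.1f}s clipboard address changed "
                    f"{prev.text} -> {snap.text} without a user copy"
                )
        prev = snap
    return alerts


# Constructed snapshot stream. The first address is the well-known Bitcoin
# genesis-block address, the second is a constructed Base58-shaped string,
# the bech32 one is the BIP173 specification example.
SAMPLE_SNAPSHOTS = [
    Snapshot(0.0, "1A1zP1eP5QGefi2DMPTfTL5SLmv7DivfNa", True),   # user copies
    Snapshot(0.3, "1SwappedByMaLwareConstructed12345Q", False),  # silent swap
    Snapshot(5.0, "https://example.invalid/invoice/42", True),    # user copies
    Snapshot(8.0, "bc1qar0srrr7xfkvy5l643lydnw9re59gtzzwf5mdq", True),
]

if __name__ == "__main__":
    for alert in detect_swaps(SAMPLE_SNAPSHOTS):
        print(alert)
```

The third and fourth snapshots show the two benign cases the heuristic must not flag: a non-address value, and an address that the user copied themselves. A production monitor would take the `user_copy` signal from a keyboard or context-menu hook and add a short time window, but the decision logic is what is shown here.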

And finally, Bizarro also has a main backdoor module that is capable of carrying out more than 100 commands, according to the analysis.

A Fully Functional Backdoor
“The core component of the backdoor doesn’t start until Bizarro detects a connection to one of the hardcoded online banking systems,” researchers explained. “The malware does this by enumerating all the windows, collecting their names. Whitespace characters, letters with accents (such as ñ or á) and non-letter symbols such as dashes are removed from the window name strings. If a window name matches one of the hardcoded strings, the backdoor continues starting up.”

The commands fall into a few main camps:

- Commands that allow the command-and-control (C2) operators to get data about the victim and manage the connection status; for instance, one asks for Bizarro’s version, OS name, computer name, Bizarro’s unique identifier, installed antivirus software and the codename used for the bank that has been accessed.
- Commands that allow attackers to search for and steal the files located on the victim’s hard drive, and those that allow adversaries to install files on the victim device.
- Commands that allow attackers to control the user’s mouse and keyboard.
- Commands that allow the attackers to control the backdoor operation, shut down, restart or destroy the operating system, and limit the functionality of Windows.
- Commands that log keystrokes.
- Commands that display various messages that trick users into giving attackers access to bank accounts, including fake popup windows (i.e., messages like “the data entered is incorrect, please try again”; error messages asking the user to enter a confirmation code; and those that tell the user that their computer needs to be restarted in order to finish a security-related operation).
- Commands that enable Bizarro to mimic online banking systems. According to Kaspersky, “To display such messages, Bizarro needs to download a JPEG image that contains the bank logo and instructions the victim needs to follow. These images are stored in the user profile directory in an encrypted form. Before an image is used in a message, it is decrypted with a multi-byte XOR algorithm. As the messages are downloaded from the C2 server, they can be found only on the victims’ machines.”
- Commands that enable custom messages.
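The note that the bank-logo images exist only on victim machines, stored XOR-encrypted with a multi-byte key, matters for incident responders: recovering those images reveals which banks a given infection impersonated. A repeating-key XOR over a file with a known header is recoverable from the ciphertext alone. The following is an added example, not Kaspersky's or the malware's code: it treats the standard JFIF header as known plaintext, derives the key bytes at the positions the header covers, and confirms the key length by checking that the decrypted file ends in the JPEG end-of-image marker. The key length, the key bytes and the sample image are constructed for the demo; the page does not state Bizarro's actual key parameters.

```python
"""
Recover a repeating multi-byte XOR key from an encrypted JPEG and decrypt it.
Added example (not from the Kaspersky analysis): key, key length and the
sample image are constructed assumptions for the demo.
"""
from itertools import cycle
from typing import Optional

# Standard JFIF header that a baseline JPEG begins with: SOI marker (FF D8),
# APP0 marker (FF E0), APP0 segment length (00 10) and the "JFIF\0" tag.
# This serves as the known plaintext.
JFIF_HEADER = bytes.fromhex("FFD8FFE000104A46494600")
EOI_MARKER = b"\xff\xd9"  # end-of-image marker that terminates a JPEG stream


def xor_repeating(data: bytes, key: bytes) -> bytes:
    """XOR data with a repeating key; the same routine encrypts and decrypts."""
    return bytes(b ^ k for b, k in zip(data, cycle(key)))


def recover_key(ciphertext: bytes, max_key_len: int = 16) -> Optional[bytes]:
    """Known-plaintext recovery. ciphertext[i] ^ plaintext[i] gives the key
    byte used at position i, so the JFIF header yields the first 11 keystream
    bytes. For each candidate key length covered by that prefix, check that
    the candidate repeats consistently over the whole known prefix and that
    the full decryption ends with the EOI marker."""
    keystream = xor_repeating(ciphertext[:len(JFIF_HEADER)], JFIF_HEADER)
    for klen in range(1, max_key_len + 1):
        if klen > len(keystream):
            break  # not enough known plaintext to cover a key this long
        candidate = keystream[:klen]
        # A correct key length reproduces the entire known header.
        if xor_repeating(ciphertext[:len(keystream)], candidate) != JFIF_HEADER:
            continue
        plaintext = xor_repeating(ciphertext, candidate)
        if plaintext.endswith(EOI_MARKER):
            return candidate
    return None


def decrypt_image(ciphertext: bytes) -> Optional[bytes]:
    """Return the decrypted JPEG, or None if no consistent key was found."""
    key = recover_key(ciphertext)
    return None if key is None else xor_repeating(ciphertext, key)


# Constructed sample: a stand-in "JPEG" (valid header and trailer, filler
# body) encrypted with a constructed 5-byte key.
SAMPLE_IMAGE = JFIF_HEADER + bytes(range(200)) + EOI_MARKER
SAMPLE_KEY = bytes.fromhex("5A139EC721")
SAMPLE_BLOB = xor_repeating(SAMPLE_IMAGE, SAMPLE_KEY)

if __name__ == "__main__":
    key = recover_key(SAMPLE_BLOB)
    print("recovered key:", None if key is None else key.hex())
    print("decrypt ok:", decrypt_image(SAMPLE_BLOB) == SAMPLE_IMAGE)
```

With only the 11-byte JFIF header as known plaintext, keys up to 11 bytes can be recovered directly; a longer key would need more known plaintext (for example the fixed bytes of an APP0 segment or a quantization-table marker), and the EOI check then confirms the guess.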

“The custom messages that Bizarro may show are messages that freeze the victim’s machine, thus allowing the attackers to gain some time,” according to the analysis. “When a command to display a message like this is received, the taskbar is hidden, the screen is greyed out and the message itself is displayed. While the message is shown, the user is unable to close it or open Task Manager. The message itself tells the user either that the system is compromised and thus needs to be updated or that security and browser performance components are being installed. This type of message also contains a progress bar that changes over time.”

Source