Banking Trojan 'Bizarro' Expands to EuropeSpear-Phishing Campaign Aims to Steal Credentials
A previously uncovered banking Trojan dubbed "Bizarro" is now targeting European banking customers through a spear-phishing campaign that attempts to steal credentials, according to the security firm Kaspersky.
The campaign, which began in Brazil, has since spread to Europe, targeting customers in Spain, Portugal, France and Italy, Kaspersky says. The malware has targeted customers of 70 banks, but it's not clear how many have been victimized or who's behind the campaign, it adds.
The attackers use affiliates or money mules for cashing out or to help with transfer of exfiltrated money, Kaspersky reports. In addition to phishing, the attackers are spreading the malware as a malicious app, the company adds.
The spear-phishing emails use a variety of lures, including a fake tax notification that contains an attachment with malicious Microsoft installer packets. When the victims click malicious links within the Microsoft installer, another ZIP file is downloaded.
The ZIP file contains a Dynamic Link Library, or DLL, file, which executes the malware. The Trojan follows two steps to exfiltrate banking credentials. The first involves killing the browser processes and forcing the victims to reenter the banking credentials, which are then captured, Kaspersky says.
"Another step Bizarro takes in order to get as many credentials as possible is to disable autocomplete in a browser," the security firm notes.
The malware captures banking credentials by calling for a command called LMAimwc, which displays an error message that appears to come from legitimate banks, requesting that the victim enter their credentials. When this message is displayed, the victim's computer is frozen, allowing the attackers to capture banking credentials and device information.
At the same time, the victim is tricked into believing that the device is frozen due to a security update. And if the malware identifies a bitcoin wallet address on the targeted device, "it is replaced with a wallet belonging to the malware developers," Kaspersky notes.
Kaspersky says Bizarro's command-and-control server contains more than 100 commands, including those that allow the hackers to control the compromised device connections, files located on the hard drive, the mouse and the keyboards.
The attackers also use legitimate-looking messages in an attempt to convince the victim to install a malicious app on their smartphone, Kaspersky notes. "If the victim chooses Android, the C2 server will send a link with a malicious application to the client. The client will make a QR code out of it with the help of the Google Charts API," the company notes.
The attackers use these advanced social engineering tricks to help lure the victims into provide personal data related to their online banking accounts, Kaspersky adds.
Earlier this month, security firm Cleafy uncovered an Android Trojan campaign called TeaBot that targeted bank customers in Europe to steal sensitive credentials and SMS texts for financial fraud (see: Android Trojan Targets European Bank Customers).