Cyber analysts from Kaspersky described a new Brazilian banking Trojan Bizarro that attackers use to steal online banking credentials and crypto wallets from customers of 70 banks in Europe and South America.
An analysis from Kaspersky released on Monday, describes Bizarro as a mobile credential stealer that hijacks Bitcoin wallets from Android devices. Attackers spread it via Microsoft Installer packages, which are distributed in spam emails or a trojanized app.
Once installed, the malware kills all running browser processes to terminate any existing sessions with online banking websites, forcing the user to sign back in. Bizarro disables autocomplete in the victim’s browser and even can show fake popups to steal two-factor authentication codes.
Bizarro also has a screen-capturing module.
“It loads the magnification.dll library and gets the address of the deprecated MagSetImageScalingCallback API function,” explained Kaspersky researchers. “With its help, the Trojan can capture the screen of a user and also constantly monitor the system clipboard, looking for a Bitcoin wallet address. If it finds one, it is replaced with a wallet belonging to the malware developers.”
Bizarro ultimately deploys its main backdoor module in which arsenal there is more than 100 commands, the analysis says.
“The core component of the backdoor doesn’t start until Bizarro detects a connection to one of the hardcoded online banking systems,” researchers explained. “The malware does this by enumerating all the windows, collecting their names… If a window name matches one of the hardcoded strings, the backdoor continues starting up.”
Researchers say Bizarro operators employ an interesting technique, in which they gain time by freezing the victim’s device.
“The custom messages that Bizarro may show are messages that freeze the victim’s machine, thus allowing the attackers to gain some time,” according to the analysis. “When a command to display a message like this is received, the taskbar is hidden, the screen is greyed out and the message itself is displayed. While the message is shown, the user is unable to close it or open Task Manager..”
Bizarro’s victims were located mostly in Argentina, Chile, Germany, France, Italy, Portugal, and Spain. This collection of countries is typical for a group of banking malware strains originating in Brazil, known as “the Tétrade,” researchers say and conclude with a warning:
“Cybercriminals are constantly looking for new ways to spread malware that steals credentials for e-payment and online banking systems,” said Fabio Assolini, security expert at Kaspersky, in a statement. “Today, we witness a game-changing trend in banking malware distribution – regional actors actively attack users, not only in their region but also around the globe. It should serve as a sign for greater emphasis on the analysis of regional criminals and local threat intelligence, as soon enough it could become a problem of global concern.”
