A banking Trojan that initially focused on Brazilian targets has now been observed in Europe and has switched its distribution channel from pornographic lures to phishing emails. It is tracked as Ousaban by ESET and as Javali by Kaspersky, and is one of four major banking Trojans in Brazil, alongside Guildma, Grandoreiro, and Melcoz.
Active since 2018, the Trojan is written in Delphi, a programming language commonly employed for Trojans in South America. It is called “bold” because of its use of pornographic imagery as a lure for victims. However, Ousaban has moved away from porn imagery and has now adopted phishing emails as its distribution vector.
In another, more complicated distribution method, attackers tampered with a legitimate application so that it fetched an encrypted injector. The injector then obtained a URL pointing to remote configuration files that supplied a command-and-control (C2) server address and port.
Ousaban can install backdoors, perform keylogging, take screenshots, simulate mouse and keyboard, and steal user data.
When victims visit websites of banking institutions, the malware tries to harvest account credentials by showing screen overlays. Ousaban also attempts to steal email client account usernames and passwords using the same overlay technique.
ESET says the Trojan’s obfuscation relies on the Themida or Enigma binary protectors to hide its executable files; it also inflates their size to about 400MB in a bid to evade detection.
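A defender-side heuristic for the size-inflation trick described above, written as an added example that is not ESET's or Kaspersky's tooling: it walks a file in fixed chunks and measures how much of it is near-zero-entropy filler, which is what a file padded out to hundreds of megabytes with a repeated byte looks like. The chunk size, thresholds, and the constructed sample file are assumptions made for the example.

```python
import math
from collections import Counter

CHUNK = 64 * 1024          # assumed analysis window
MIB = 1024 * 1024


def chunk_entropy(buf: bytes) -> float:
    """Shannon entropy in bits per byte; 0.0 for a run of a single value."""
    if not buf:
        return 0.0
    n = len(buf)
    return -sum(c / n * math.log2(c / n) for c in Counter(buf).values())


def padding_profile(data: bytes, chunk: int = CHUNK, low_entropy: float = 1.0) -> dict:
    """Report the fraction of bytes that sit in near-zero-entropy chunks and the
    length of the low-entropy run at the very end of the file (the usual place
    for inflation padding). Filler that is random rather than repetitive will
    not be caught by this check; pair it with packer (Themida/Enigma) detection."""
    total = len(data)
    low_bytes = 0
    trailing = 0
    for off in range(0, total, chunk):
        piece = data[off:off + chunk]
        if chunk_entropy(piece) < low_entropy:
            low_bytes += len(piece)
            trailing += len(piece)
        else:
            trailing = 0
    return {
        "size": total,
        "padding_fraction": low_bytes / total if total else 0.0,
        "trailing_padding": trailing,
    }


def looks_inflated(data: bytes, min_size: int = 100 * MIB, min_fraction: float = 0.8) -> bool:
    """Flag a file that is both unusually large and mostly filler (assumed thresholds)."""
    p = padding_profile(data)
    return p["size"] >= min_size and p["padding_fraction"] >= min_fraction


def build_sample(real_kb: int = 256, pad_mb: int = 4) -> bytes:
    """Constructed stand-in for an inflated binary: a high-entropy body
    (packed code is close to random) followed by a long run of zero bytes."""
    body = bytes(range(256)) * (real_kb * 4)   # entropy exactly 8.0 bits/byte
    return body + b"\x00" * (pad_mb * MIB)


if __name__ == "__main__":
    sample = build_sample()
    print(padding_profile(sample), looks_inflated(sample, min_size=MIB))
```

On a real sample, read the file in binary mode and pass the bytes to `padding_profile`; the 400MB files the article mentions take a few seconds with a 64 KiB window.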
Kaspersky says that Javali/Ousaban has expanded to Europe in the past year or so; however, ESET has not confirmed its presence in Europe.