A never-before-documented Brazilian banking trojan, dubbed Bizarro, is targeting customers of 70 banks scattered throughout Europe and South America, researchers said.
According to an analysis from Kaspersky released Monday, Bizarro is a mobile malware, aimed at capturing online-banking credentials and hijacking Bitcoin wallets from Android users. It spreads via Microsoft Installer packages, which are either downloaded directly by victims from links in spam emails or installed via a trojanized app, according to the analysis.
Once installed, it kills all running browser processes to terminate any existing sessions with online banking websites — so, when a user initiates a mobile banking session, they have to sign back in, allowing the malware to harvest the details. To maximize its success, Bizarro disables autocomplete in the browser, and even surfaces fake popups to snatch two-factor authentication codes, researchers added.
Bizarro also has a screen-capturing module.
“It loads the magnification.dll library and gets the address of the deprecated MagSetImageScalingCallback API function,” explained Kaspersky researchers. “With its help, the trojan can capture the screen of a user and also constantly monitor the system clipboard, looking for a Bitcoin wallet address. If it finds one, it is replaced with a wallet belonging to the malware developers.”
And finally, Bizarro also has a main backdoor module that is capable of carrying out more than 100 commands, according to the analysis.
A Fully Functional Backdoor
“The core component of the backdoor doesn’t start until Bizarro detects a connection to one of the hardcoded online banking systems,” researchers explained. “The malware does this by enumerating all the windows, collecting their names. Whitespace characters, letters with accents (such as ñ or á) and non-letter symbols such as dashes are removed from the window name strings. If a window name matches one of the hardcoded strings, the backdoor continues starting up.”
The commands fall into a few main camps:
“The custom messages that Bizarro may show are messages that freeze the victim’s machine, thus allowing the attackers to gain some time,” according to the analysis. “When a command to display a message like this is received, the taskbar is hidden, the screen is greyed out and the message itself is displayed. While the message is shown, the user is unable to close it or open Task Manager. The message itself tells the user either that the system is compromised and thus needs to be updated or that security and browser performance components are being installed. This type of message also contains a progress bar that changes over time.”
Joining the Tétrade, Going Global
Bizarro is active in Argentina, Chile, France, Germany, Italy, Portugal and Spain, researchers said. This global spread is typical of a group of banking malware strains originating in Brazil, consisting of Grandoreiro, Guildma, Javali and Melcoz.
Collectively known as “the Tétrade” (translated as “a group of four”) these families employ a range of innovative and sophisticated techniques on the technical side as well. Bizarro is the latest to join the club (which, incidentally, makes the collective group name a bit of a misnomer).
Source: Kaspersky
Researchers said that Bizarro is supported by a fairly extensive operation, which includes using affiliates and recruiting money mules to perform a variety of functions. The various duties include carrying out initial attacks to gain a foothold on victim devices; helping with cashouts to launder ill-gotten funds; and even translation help.
“Cybercriminals are constantly looking for new ways to spread malware that steals credentials for e-payment and online banking systems,” said Fabio Assolini, security expert at Kaspersky, in a statement. “Today, we witness a game-changing trend in banking malware distribution – regional actors actively attack users, not only in their region but also around the globe. Implementing new techniques, Brazilian malware families started distributing to other continents, and Bizarro, which targets users from Europe, is the clearest example of this. It should serve as a sign for greater emphasis on the analysis of regional criminals and local threat intelligence, as soon enough it could become a problem of global concern.”
Download our exclusive FREE Threatpost Insider eBook, “2021: The Evolution of Ransomware,” to help hone your cyber-defense strategies against this growing scourge. We go beyond the status quo to uncover what’s next for ransomware and the related emerging risks. Get the whole story and DOWNLOAD the eBook now – on us!