
Beware: Bizarro Banking Trojan Can Steal Login Credentials for 70 Banks


Cybersecurity researchers have disclosed a new banking trojan originating from Brazil and targeting Windows users in Spain, Portugal, France, and Italy.

Called Bizarro, the trojan attempts to steal login credentials from customers of 70 banks. “Following in the footsteps of Tetrade, Bizarro is using affiliates or recruiting money mules to operationalize their attacks, cashing out or simply helping with transfers,” Kaspersky's Securelist wrote in its report.

What Is Bizarro Banking Trojan?

Bizarro's operators use affiliates or recruit money mules to cash out stolen funds or assist with transfers. The trojan is built from several components, uses multiple obfuscation techniques, and is distributed through social engineering.

According to Kaspersky's findings, Bizarro ships x64 modules and tricks users into entering their 2FA codes in fake pop-up windows.

“It may also use social engineering to convince victims to download a smartphone app. The group behind Bizarro uses servers hosted on Azure and Amazon (AWS) and compromised WordPress servers to store the malware and collect telemetry,” the report revealed.

What Happens Once Bizarro Trojan Is Installed on a Device?

Once installed, the trojan kills all running browser processes, which terminates any existing sessions with online banking sites. This ensures that when the user next opens a banking session, they have to sign in again, letting the malware capture the credentials as they are typed. Bizarro also disables the browser's autocomplete function and uses fake pop-ups to harvest 2FA codes. On top of that, the malware includes a screen-capturing module.
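The mass browser kill described above is a behaviour a defender can look for in endpoint telemetry. The following is an added detection example, not code from the article or the Kaspersky report: it reads constructed, hypothetical JSON-lines process-termination events (the field names `ts`, `action`, `actor_image`, `target_image` are assumptions, not a real EDR schema) and flags any non-browser process that terminates two or more different browsers within a short window. The thresholds are assumptions to tune for your environment.

```python
"""Flag a process that terminates several different browsers in a short window.

Added example, not from the Kaspersky report or the article. The event format
is a constructed, hypothetical telemetry shape (JSON lines). Thresholds are
assumptions.
"""
import json
from collections import defaultdict

BROWSERS = {"chrome.exe", "firefox.exe", "msedge.exe", "iexplore.exe", "opera.exe"}

# Constructed sample telemetry: one suspicious actor (updatesvc.exe) kills three
# browsers within seconds; explorer.exe closes one browser once; chrome.exe
# terminating its own child is browser-on-browser noise; taskmgr.exe kills two
# browsers but 100 seconds apart; the last line is not a terminate event at all.
SAMPLE_EVENTS = r"""
{"ts": 1621000000, "action": "process_terminate", "actor_image": "C:\\Users\\victim\\AppData\\Roaming\\updatesvc.exe", "target_image": "C:\\Program Files\\Google\\Chrome\\Application\\chrome.exe"}
{"ts": 1621000001, "action": "process_terminate", "actor_image": "C:\\Users\\victim\\AppData\\Roaming\\updatesvc.exe", "target_image": "C:\\Program Files\\Mozilla Firefox\\firefox.exe"}
{"ts": 1621000003, "action": "process_terminate", "actor_image": "C:\\Users\\victim\\AppData\\Roaming\\updatesvc.exe", "target_image": "C:\\Program Files (x86)\\Microsoft\\Edge\\Application\\msedge.exe"}
{"ts": 1621000050, "action": "process_terminate", "actor_image": "C:\\Windows\\explorer.exe", "target_image": "C:\\Program Files\\Google\\Chrome\\Application\\chrome.exe"}
{"ts": 1621000100, "action": "process_terminate", "actor_image": "C:\\Program Files\\Google\\Chrome\\Application\\chrome.exe", "target_image": "C:\\Program Files\\Google\\Chrome\\Application\\chrome.exe"}
{"ts": 1621000200, "action": "process_terminate", "actor_image": "C:\\Windows\\System32\\Taskmgr.exe", "target_image": "C:\\Program Files\\Google\\Chrome\\Application\\chrome.exe"}
{"ts": 1621000300, "action": "process_terminate", "actor_image": "C:\\Windows\\System32\\Taskmgr.exe", "target_image": "C:\\Program Files\\Mozilla Firefox\\firefox.exe"}
{"ts": 1621000400, "action": "process_create", "actor_image": "C:\\Users\\victim\\AppData\\Roaming\\updatesvc.exe", "target_image": "C:\\Windows\\System32\\notepad.exe"}
"""


def _basename(path):
    """Last path component, lower-cased, for either separator style."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def find_browser_killers(lines, min_distinct=2, window_s=10):
    """Return {actor_image: sorted distinct browsers it killed} for every
    non-browser actor that terminates at least `min_distinct` different
    browser executables within any `window_s`-second window."""
    by_actor = defaultdict(list)
    for line in lines:
        line = line.strip()
        if not line:
            continue
        ev = json.loads(line)
        if ev.get("action") != "process_terminate":
            continue
        actor, target = _basename(ev["actor_image"]), _basename(ev["target_image"])
        # Browsers routinely terminate their own helper processes: ignore them.
        if target in BROWSERS and actor not in BROWSERS:
            by_actor[actor].append((int(ev["ts"]), target))

    hits = {}
    for actor, evs in by_actor.items():
        evs.sort()
        for i, (t0, target0) in enumerate(evs):
            seen = {target0}
            for t, target in evs[i + 1:]:
                if t - t0 > window_s:
                    break
                seen.add(target)
            if len(seen) >= min_distinct:
                hits[actor] = sorted({t for _, t in evs})
                break
    return hits


if __name__ == "__main__":
    for actor, killed in find_browser_killers(SAMPLE_EVENTS.splitlines()).items():
        print(f"suspicious: {actor} terminated {', '.join(killed)}")
```

The browser-on-browser exclusion matters in practice: Chrome and Edge terminate their own renderer and GPU helper processes constantly, so without it the rule fires on normal use. Widening `window_s` trades false positives from tools like Task Manager against catching a slower kill loop.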

“[Bizarro] loads the magnification.dll library and gets the address of the deprecated MagSetImageScalingCallback API function. With its help, the trojan can capture the screen of a user and also constantly monitor the system clipboard, looking for a Bitcoin wallet address. If it finds one, it is replaced with a wallet belonging to the malware developers,” Kaspersky explained.
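The clipboard swap works because a user rarely re-reads a 34-character address after pasting it. The following is an added example, not code from the article or the Kaspersky report, of the check a clipboard guard would run: it validates legacy Base58Check Bitcoin addresses (P2PKH version 0x00, P2SH version 0x05) by recomputing the double-SHA-256 checksum, and it flags the case where the text the user copied and the text the clipboard now holds are both valid addresses but differ. The victim and attacker addresses are constructed inline from arbitrary hashes, so they are structurally valid but are not real wallets; the names `VICTIM_ADDRESS` and `ATTACKER_ADDRESS` are this example's own.

```python
"""Detect a Bizarro-style clipboard swap of a Bitcoin address.

Added example, not from the article or the Kaspersky report. Only legacy
Base58Check addresses are handled; the sample addresses are constructed.
"""
import hashlib

ALPHABET = "123456789ABCDEFGHJKLMNPQRSTUVWXYZabcdefghijkmnopqrstuvwxyz"


def _checksum(payload):
    """First four bytes of SHA-256(SHA-256(payload)), as Base58Check uses."""
    return hashlib.sha256(hashlib.sha256(payload).digest()).digest()[:4]


def b58decode(s):
    """Decode Base58; each leading '1' stands for one leading zero byte."""
    n = 0
    for ch in s:
        idx = ALPHABET.find(ch)
        if idx < 0:
            raise ValueError("invalid base58 character: %r" % ch)
        n = n * 58 + idx
    body = n.to_bytes((n.bit_length() + 7) // 8, "big") if n else b""
    pad = len(s) - len(s.lstrip("1"))
    return b"\x00" * pad + body


def b58encode(b):
    """Encode bytes as Base58; each leading zero byte becomes a '1'."""
    n = int.from_bytes(b, "big")
    out = ""
    while n:
        n, r = divmod(n, 58)
        out = ALPHABET[r] + out
    pad = len(b) - len(b.lstrip(b"\x00"))
    return "1" * pad + out


def is_btc_legacy_address(s):
    """True for a well-formed P2PKH ('1...') or P2SH ('3...') address."""
    try:
        raw = b58decode(s)
    except ValueError:
        return False
    if len(raw) != 25 or raw[0] not in (0x00, 0x05):
        return False
    return _checksum(raw[:-4]) == raw[-4:]


def make_address(hash160, version=0x00):
    """Build a Base58Check address from a 20-byte hash and a version byte."""
    payload = bytes([version]) + hash160
    return b58encode(payload + _checksum(payload))


# Constructed stand-ins: 20 bytes of SHA-256 output in place of a real HASH160.
VICTIM_ADDRESS = make_address(hashlib.sha256(b"constructed victim wallet").digest()[:20], 0x00)
ATTACKER_ADDRESS = make_address(hashlib.sha256(b"constructed attacker wallet").digest()[:20], 0x05)


def detect_swap(copied, clipboard_now):
    """True when both strings are valid addresses but the clipboard no longer
    holds what the user copied: the signature of an address-swapping trojan."""
    if copied == clipboard_now:
        return False
    return is_btc_legacy_address(copied) and is_btc_legacy_address(clipboard_now)


if __name__ == "__main__":
    print("victim  :", VICTIM_ADDRESS)
    print("attacker:", ATTACKER_ADDRESS)
    print("swap detected:", detect_swap(VICTIM_ADDRESS, ATTACKER_ADDRESS))
```

Reading the live clipboard is platform-specific (for example the Win32 clipboard API on Windows); the portable part is the comparison above, which a wallet or a guard tool can run right before a transaction is signed. Bech32 (`bc1...`) addresses use a different checksum and would need a separate validator.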

The most dangerous component, however, is Bizarro's main backdoor module, which supports more than 100 commands.

How Does Bizarro’s Backdoor Component Work?

The backdoor does not start until the trojan detects a connection to one of the hardcoded online banking systems. Once such a connection is established, the operators can issue any of its commands.

Some of Bizarro’s main commands are the following:

  • Commands that let the command-and-control (C2) server operators collect data about the victim and manage the connection status;
  • Commands that let attackers manipulate files on the victim's hard drive;
  • Commands that let attackers control the user's mouse and keyboard;
  • Commands that control the backdoor's own operation, shut down, restart or destroy the operating system, and limit the functionality of Windows;
  • Commands that log keystrokes;
  • Commands that perform social engineering attacks.

In conclusion: Bizarro’s Trojan Operation

Kaspersky researchers also noted that they have been observing a number of banking trojans from South America expanding their operations, mainly into European countries. Bizarro's operators are quickly adopting advanced technical tricks to complicate malware analysis and detection. Combined with carefully crafted social engineering, the trojan appears fully capable of convincing victims to hand over their financial details willingly.

What Other Malware Is Endangering Android Users?

Some of the latest malware samples from the Android threat landscape include the Flubot spyware, a wormable malware masquerading as a Netflix app called FlixOnline, and the Ghimob banking trojan.

The Ghimob banker, in particular, appears to have been developed by the same cybercriminals who coded the Astaroth Windows malware. Notably, the attackers did not use the official Google Play Store as a distribution channel; instead, they hosted the malicious Android apps on sites and servers previously used by Astaroth.

Finally, in late December 2020, security researchers reported a new obfuscation-as-a-service platform for Android that helps cybercriminals improve their detection-evasion mechanisms. In short, a fully automated service protects malicious Android Package (APK) files from AV detection. The service is sold either as a one-off payment or as a recurring monthly subscription, and its interface is available in English and Russian, hinting at its origin.

Milena Dimitrova

An inspired writer and content manager who has been with SensorsTechForum since the project started. A professional with 10+ years of experience in creating engaging content. Focused on user privacy and malware development, she strongly believes in a world where cybersecurity plays a central role. If common sense makes no sense, she will be there to take notes. Those notes may later turn into articles! Follow Milena @Milenyim
