Cybersecurity researchers just revealed a new dangerous banking trojan originating from Brazil and targeting Android users in Spain, Portugal, France, and Italy.
Called Bizarro, the trojan is attempting to steal login credentials from customers of 70 banks. “Following in the footsteps of Tetrade, Bizarro is using affiliates or recruiting money mules to operationalize their attacks, cashing out or simply helping with transfers,” Securelist by Kaspersky shared in its report.
What Is Bizarro Banking Trojan?
Bizarro’s operators are using affiliates or recruiting money mules to make their attacks operational, thus cashing out or aiding the transfers. The trojan uses various components, obfuscation techniques, and is being distributed via clever social engineering tactics.
According to Kaspersky’s findings, Bizarro has x64 modules and is capable of tricking users into sharing their 2FA codes in fake pop-up windows. The trojan uses other tricks to persuade victims to download a smartphone app.
“It may also use social engineering to convince victims to download a smartphone app. The group behind Bizarro uses servers hosted on Azure and Amazon (AWS) and compromised WordPress servers to store the malware and collect telemetry,” the report revealed.
What Happens Once Bizarro Trojan Is Installed on a Device?
Once installed, the trojan is designed to kill all running browser processes and terminate existing sessions with online banking sites. By doing this, the trojan ensures that when a user opens a mobile banking session, they will have to sign in again, enabling the malware to steal the login credentials. Furthermore, Bizarro also disables the autocomplete function in the browser and uses fake pop-ups to harvest 2FA codes. To top that off, the malware features a screen-capturing module.
“[Bizarro] loads the magnification.dll library and gets the address of the deprecated MagSetImageScalingCallback API function. With its help, the trojan can capture the screen of a user and also constantly monitor the system clipboard, looking for a Bitcoin wallet address. If it finds one, it is replaced with a wallet belonging to the malware developers,” Kaspersky explained.
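The clipboard-swapping behaviour described above is what defenders usually call a "clipper". The following is an added detection example, not code from Kaspersky or from the Bizarro sample: it replays a constructed clipboard timeline and flags the moment a copied Bitcoin address is silently overwritten by a different one. The event format, the time window and the sample addresses are assumptions for illustration (the addresses are format-valid placeholders, not real wallets).

```python
import re
from dataclasses import dataclass

# Format heuristic for legacy (base58, starts with 1 or 3) and bech32 (bc1...)
# Bitcoin addresses. It checks shape only, not the checksum.
BTC_ADDRESS = re.compile(r"^(?:[13][a-km-zA-HJ-NP-Z1-9]{25,34}|bc1[a-z0-9]{39,59})$")


@dataclass
class ClipboardEvent:
    ts: float             # seconds since monitoring started (assumed telemetry field)
    content: str          # new clipboard text
    user_initiated: bool  # True when a user copy action (e.g. Ctrl+C) was observed


def is_btc_address(text: str) -> bool:
    """Return True if the text looks like a Bitcoin address."""
    return bool(BTC_ADDRESS.match(text.strip()))


def detect_clipper(events, window: float = 2.0):
    """Flag (original, replacement) pairs where a Bitcoin address is overwritten
    by a *different* Bitcoin address within `window` seconds and no user copy
    action explains the change. That pattern is the clipper signature."""
    alerts = []
    for prev, cur in zip(events, events[1:]):
        if (is_btc_address(prev.content) and is_btc_address(cur.content)
                and prev.content != cur.content
                and not cur.user_initiated
                and cur.ts - prev.ts <= window):
            alerts.append((prev.content, cur.content))
    return alerts


def sample_events():
    """Constructed clipboard timeline for demonstration (not real telemetry)."""
    payee = "1VictimWa11etSampLeAddressxyz12345"  # constructed placeholder address
    mule = "1MuLeWa11etSampLeAddressabcdef1234"   # constructed placeholder address
    return [
        ClipboardEvent(0.0, "invoice #4711", True),
        ClipboardEvent(1.0, payee, True),   # user copies the intended payee
        ClipboardEvent(1.3, mule, False),   # overwritten with no user action: clipper
        ClipboardEvent(9.0, payee, True),   # user copies the payee again
        ClipboardEvent(20.0, mule, True),   # user deliberately copies another address: benign
    ]


if __name__ == "__main__":
    for original, replacement in detect_clipper(sample_events()):
        print(f"clipper suspected: {original} -> {replacement}")
```

A real monitor would feed live clipboard-change events (and the process that wrote them) into `detect_clipper`; the two-second window and the "no user copy" signal are the tunable parts.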
However, the most dangerous component of the Bizarro trojan is its main backdoor module, capable of performing more than 100 commands.
How Does Bizarro’s Backdoor Component Work?
First of all, the backdoor won’t start until the trojan detects a connection to one of the hardcoded online banking systems. Once a connection is established, the trojan can perform any of its commands.
Some of Bizarro’s main commands are the following:
- Commands allowing the command-and-control server operators to get data about the victim and manage the connection status;
- Commands enabling attackers to control the files located on the victim’s hard drive;
- Commands allowing attackers to control the user’s mouse and keyboard;
- Commands enabling the attackers to control the backdoor operation, shut down, restart or destroy the operating system and limit the functionality of Windows;
- Commands that log keystrokes;
- Commands that perform social engineering attacks.
In conclusion: Bizarro’s Trojan Operation
Kaspersky researchers also shared that they have been observing a number of banking trojans from South America that are expanding their operations, mainly to European countries. Bizarro’s operators are quickly adopting various advanced technical tricks to complicate malware analysis and detection. Combined with carefully crafted social engineering tactics, the trojan appears fully capable of convincing victims to willingly hand over their personal financial details.
What Other Malware Is Endangering Android Users?
The Ghimob banker, in particular, appears to have been developed by the same cybercriminals who coded the Astaroth Windows malware. It’s noteworthy that the hackers didn’t use the official Google Play Store as a distribution channel. Instead, they hosted the malicious Android apps on sites and servers previously used by Astaroth.
Finally, in late December 2020, security researchers reported a new obfuscation-as-a-service platform for Android, enabling cybercriminals to improve their detection evasion mechanisms. Long story short, it turns out that hackers succeeded in developing a fully automated service platform that protects mobile malware Android Package Kits (APKs) from AV detection. The service is available as a one-off payment or a recurring monthly subscription. It is offered in English and Russian, hinting at its origin.