CamuBot Trojan is a dangerous banking virus that will infect the system at a deep level. It is introduced via a sophisticated social engineering campaign and its end goals are to retrieve sensitive banking account information and private user data. Its modular engine also allows it to deploy other threats. Our article shows how victim users can remove active infections and restore their computers.
|Short Description||CamuBot Trojan is an advanced and modular virus that is programmed to spy on the users in real-time and acquire their banking account credentials.|
|Symptoms||The victims may not experience any apparent symptoms of infection.|
|Distribution Method||Freeware Installations, Bundled Packages, Scripts and others.|
|Detection Tool|| See If Your System Has Been Affected by CamuBot Trojan |
Malware Removal Tool
|User Experience||Join Our Forum to Discuss CamuBot Trojan.|
CamuBot Trojan – Distribution Methods
The CamuBot Trojan infections have been observed to spread through highly-directed large-scale attack campaigns. At this moment the identity of the hacker or criminal collective behind it is not known. The criminals depend largely on the social engineering premises that they can trick the victim users in various payloads into interacting with a element that will ultimately lead to the virus infection.
As always there are several main methods that are used to spread the executable file. The hackers can employ email messages containing elements taken from legitimate banking services such as text, images and design layouts. The Trojan files can be either directly attached or linked in the body contents.
To help facilitate the high number of infections the criminals can also create fake download sites that mimic the real-world login gateways of online banks. Similar sounding domain names and security certificates are used to create an impression that the victim users have accessed a legitimate address.
The goals of the hackers is to create an impression that the victims are downloading and using a legitimate applications. As such the usual strategy of placing it in a malicious payload carrier (documents and app installers) is not used so much.
When running the application the user interface will be similar to the legitimate apps typically offered by online banks and financial institutions.
A sophisticated phishing tactic is used to deliver the CamuBot Trojan:
- The hacking group chooses a target bank which will be the focus of the attack campaign. Using a premade scenario they will initiate calls to people and pose as bank employees in an attempt to extract information about their accounts.
- The victims will be directed to an online site by manipulating them into performing a “security check”. The address will feature legitimate elements taken from the target bank.
- Information you provide
The prompts on the site will coerce the users the victim users into downloading a “new security module” which are the CamuBot Trojan files. The latest attack campaign has been spotted in August 2018 targeting business users in Brazil. According to the available information the following victims are chosen: public sector organizations, trade companies, institutions and small businesses.
CamuBot Trojan – Detailed Description
The CamuBot Trojan infection unfold in several steps. The first stage of its behavior is the addition of two files to the Program Data service folder used by the operating system. Interestingly the name of the executable files are changed at every attack — this is done in order to prevent some types of signature scans to detect the virus instances.
The stealth protection module is started afterwards — it will look for signs of installed anti-virus tools and bypasses their real-time engines. It has also been found to modify the built-in Firewall rules and adding itself as a “trusted” application. This allows the Trojan to make both incoming and outgoing network connections without any blocks.
The CamuBot Trojan will then start to write dynamic files in the system folders and will create a secure connection to a hacker-controlled site. It will also set up a proxy server setting which means that all Internet traffic will be forwarded through а hacker server. This means that they will be able to spy on the users activities in real time. The Trojan server connection itself is used to take over control of the machines at any given time and deploy other threats. Banking Trojans like this one are usually used to look out for user actions related to access to banks. Whenever this is done the threat will automatically relay the entered credentials to the operators.
Following the active infection a pop-up window will be spawned which displays a phishing site. In most cases it will be the target bank chosen by the hackers during the campaign planning. One of the dangerous characteristics attributed to it is the fact that its engine can bypass biometric authentication — they are popularly used as a two-factor authentication mechanism. They are deemed as a reliable method and preferred over other methods. This virus proves the fact that no method is secure by itself and that weaknesses can always be found.
The security analysts note that the route of infection is not traditional as compared to other threats. While most of the banking Trojans attempt to install themselves in a silent way an avoid discovery this one is presented as an legitimate application.
When the criminals have acquired access to the online banking services they will be able to carry out a variety of tasks:
- Monitor Transactions
- Modify Values
- Create New Transactions
- Modify Account Credentials
- Modify Settings
As the Trojan has been found to contain a modular engine it can also be programmed to carry out other actions such as the following:
- Carry out Information Gathering — The engine can be programmed into harvesting information about the users, hardware and operating system by looking out for specific strings. The criminals can use the acquired information to carry out identity theft and financial abuse of the user’s data. The data harvesting component can collect information including the following: their name, address, phone number, interests, location and account credentials. Other valuable information that can be acquired includes a report on the installed hardware components, user settings and operating system values.
- Deploy Additional Threats — Installed CamuBot Trojan strains can be used as payloads for other virus infections.
- System Changes — The CamuBot Trojan can modify essential Windows settings such as the Registry. This can have a lasting impact on the overall performance, it can also disable certain functions.
Remove CamuBot Trojan
If your computer system got infected with the CamuBot Trojan, you should have a bit of experience in removing malware. You should get rid of this Trojan, as quickly as possible before it can have the chance to spread further and infect other computers. You should remove the Trojan, and follow the step-by-step instructions guide provided below.