CamuBot Trojan is a dangerous banking virus that will infect the system at a deep level. It is introduced via a sophisticated social engineering campaign and its end goals are to retrieve sensitive banking account information and private user data. Its modular engine also allows it to deploy other threats. Our article shows how victim users can remove active infections and restore their computers.
| Short Description | CamuBot Trojan is an advanced and modular virus that is programmed to spy on the users in real-time and acquire their banking account credentials. |
| Symptoms | The victims may not experience any apparent symptoms of infection. |
| Distribution Method | Freeware Installations, Bundled Packages, Scripts and others. |
February 2020 Brazil Campaign
The CamuBot Trojan has resurfaced with another dangerous attack campaign, once again targeting Brazil. This comes a long time after the previous version was detected. This particular attack uses a combination of two methods: manipulating the victims via social engineering and directing malware infections at potential weak spots.
Of particular note is that the attack campaign is configured to be very target-specific. Coupled with the fact that the Trojan contains unique code, this means that it can potentially produce income for the hacking group behind it. The strategy used in the latest attack is to conceal the Trojan executable as a security application. Common ways in which this can be done include the following tactics:
- Email Messages Preparation: The email messages which are sent to the victims will include advertising, notifications and various other kinds of content that can mimic or impersonate well-known software.
- Fake Websites: With the aim of making the fake CamuBot-carrier files seem more legitimate, the hacking group can create numerous landing pages, download portals and other types of typical sites that are used to spread such apps. They can be hosted on domains that sound very similar to well-known examples of security solutions and also contain self-signed security certificates.
The CamuBot Trojan in its latest attacks appears to be designed to keep a low profile by targeting hosts individually. Most of the victims to date are small businesses, which are likely to use banking applications and services in their day-to-day activities.
An analysis of the behavior of the virus samples shows that the attackers will first investigate the victims by acquiring open-source information. They can also come in contact with them by performing social engineering calls and attempting to build trust. The attackers will attempt to instruct the victims to install the fake security program containing the CamuBot Trojan.
When the victims reach a crafted page they will see a prompt that asks for login credentials; this faked step has been embedded in order to appear more trustworthy. The CamuBot Trojan will be downloaded via the security application, and the hackers have even prepared two versions: 32-bit and 64-bit editions. The fake application will ask for the victims' mobile phone number in order to acquire information about it. A very non-standard approach is that the app will also request that the mobile device be connected to the computer. This is used in order to view any SMS authorization tokens which are used to enter into online banking services.
The CamuBot Trojan will continue with its usual activity attempting to hijack financial funds, personal information and data from the host computers.
CamuBot Trojan – Distribution Methods
The CamuBot Trojan infections have been observed to spread through highly-directed large-scale attack campaigns. At this moment the identity of the hacker or criminal collective behind it is not known. The criminals depend largely on social engineering: they trick the victim users, through various payloads, into interacting with an element that will ultimately lead to the virus infection.
As always there are several main methods that are used to spread the executable file. The hackers can employ email messages containing elements taken from legitimate banking services such as text, images and design layouts. The Trojan files can be either directly attached or linked in the body contents.
To help facilitate the high number of infections the criminals can also create fake download sites that mimic the real-world login gateways of online banks. Similar sounding domain names and security certificates are used to create an impression that the victim users have accessed a legitimate address.
The goal of the hackers is to create the impression that the victims are downloading and using a legitimate application. As such, the usual strategy of placing it in a malicious payload carrier (documents and app installers) is not used so much.
When running the application the user interface will be similar to the legitimate apps typically offered by online banks and financial institutions.
A sophisticated phishing tactic is used to deliver the CamuBot Trojan:
- The hacking group chooses a target bank which will be the focus of the attack campaign. Using a premade scenario they will initiate calls to people and pose as bank employees in an attempt to extract information about their accounts.
- The victims will be directed to an online site by manipulating them into performing a “security check”. The address will feature legitimate elements taken from the target bank.
The prompts on the site will coerce the victim users into downloading a “new security module”, which is in fact the CamuBot Trojan files. The latest attack campaign was spotted in August 2018 targeting business users in Brazil. According to the available information the following victims are chosen: public sector organizations, trade companies, institutions and small businesses.
CamuBot Trojan – Detailed Description
The CamuBot Trojan infection unfolds in several steps. The first stage of its behavior is the addition of two files to the Program Data service folder used by the operating system. Interestingly, the names of the executable files are changed at every attack. This is done in order to prevent some types of signature scans from detecting the virus instances.
The stealth protection module is started afterwards. It will look for signs of installed anti-virus tools and bypass their real-time engines. It has also been found to modify the built-in Firewall rules and add itself as a “trusted” application. This allows the Trojan to make both incoming and outgoing network connections without any blocks.
The CamuBot Trojan will then start to write dynamic files in the system folders and will create a secure connection to a hacker-controlled site. It will also set up a proxy server setting, which means that all Internet traffic will be forwarded through a hacker server. This means that the operators will be able to spy on the users' activities in real time. The Trojan server connection itself is used to take over control of the machines at any given time and deploy other threats. Banking Trojans like this one are usually used to look out for user actions related to access to banks. Whenever this is done the threat will automatically relay the entered credentials to the operators.
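A read-only check for the three host changes described above: executables dropped in Program Data, a firewall rule that trusts them, and a changed proxy setting. This PowerShell is an added example, not code from the original article or from any vendor tool. It assumes that "Program Data" means `$env:ProgramData`, that the proxy is set in the current user's Internet Settings key, and that a missing valid signature is a useful filter; none of these details are stated in the article.

```powershell
# Added example, not from the article. Read-only: nothing is changed or deleted.
# Requires Windows PowerShell 5.0+ (Get-ChildItem -Depth).
# Assumption: the article's "Program Data" folder is $env:ProgramData.
$root = $env:ProgramData

# 1. Enabled "Allow" firewall rules that trust a program stored under ProgramData.
$fwHits = foreach ($rule in Get-NetFirewallRule -Enabled True -Action Allow) {
    $prog = ($rule | Get-NetFirewallApplicationFilter).Program
    if (-not $prog -or $prog -eq 'Any') { continue }
    $path = [Environment]::ExpandEnvironmentVariables($prog)
    if ($path.StartsWith($root, [StringComparison]::OrdinalIgnoreCase)) {
        [pscustomobject]@{
            Rule      = $rule.DisplayName
            Direction = $rule.Direction
            Program   = $path
        }
    }
}

# 2. Executables in ProgramData (root or one level down) without a valid
#    Authenticode signature. Heuristic only (assumption): the article says the
#    file names change per attack, so this matches on location, not on name.
$exeHits = Get-ChildItem -Path $root -Filter *.exe -File -Recurse -Depth 1 -ErrorAction SilentlyContinue |
    ForEach-Object {
        $sig = Get-AuthenticodeSignature -FilePath $_.FullName
        if ($sig.Status -ne 'Valid') {
            [pscustomobject]@{
                Path    = $_.FullName
                Created = $_.CreationTime
                SHA256  = (Get-FileHash -Path $_.FullName -Algorithm SHA256).Hash
                Signed  = $sig.Status
            }
        }
    }

# 3. Per-user proxy configuration (assumed location: WinINet "Internet Settings").
$inet  = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings'
$proxy = Get-ItemProperty -Path $inet | Select-Object ProxyEnable, ProxyServer, AutoConfigURL

'--- Firewall rules trusting ProgramData programs ---'; $fwHits  | Format-Table -AutoSize
'--- Executables in ProgramData without a valid signature ---'; $exeHits | Format-List
'--- Current-user proxy settings ---';                  $proxy   | Format-List
'--- WinHTTP (machine-wide) proxy ---';                 netsh winhttp show proxy
```

Every hit is a lead to review rather than a verdict, since legitimate software also installs into ProgramData and some organizations set a proxy by policy. Compare the results against a known-good machine before removing anything.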
Following the active infection a pop-up window will be spawned which displays a phishing site. In most cases it will be that of the target bank chosen by the hackers during the campaign planning. One of the dangerous characteristics attributed to it is that its engine can bypass biometric authentication, which is popularly used as a two-factor authentication mechanism and is deemed a reliable method, preferred over others. This virus shows that no method is secure by itself and that weaknesses can always be found.
The security analysts note that the route of infection is not traditional compared to other threats. While most banking Trojans attempt to install themselves silently and avoid discovery, this one is presented as a legitimate application.
When the criminals have acquired access to the online banking services they will be able to carry out a variety of tasks:
- Monitor Transactions
- Modify Values
- Create New Transactions
- Modify Account Credentials
- Modify Settings
As the Trojan has been found to contain a modular engine it can also be programmed to carry out other actions such as the following:
- Carry out Information Gathering: The engine can be programmed to harvest information about the users, hardware and operating system by looking out for specific strings. The criminals can use the acquired information to carry out identity theft and financial abuse of the user’s data. The data harvesting component can collect information including the following: their name, address, phone number, interests, location and account credentials. Other valuable information that can be acquired includes a report on the installed hardware components, user settings and operating system values.
- Deploy Additional Threats: Installed CamuBot Trojan strains can be used as payloads for other virus infections.
- System Changes: The CamuBot Trojan can modify essential Windows settings such as the Registry. This can have a lasting impact on the overall performance and can also disable certain functions.
Remove CamuBot Trojan
If your computer system got infected with the CamuBot Trojan, you should have a bit of experience in removing malware. You should get rid of this Trojan as quickly as possible, before it has the chance to spread further and infect other computers. To remove the Trojan, follow the step-by-step guide provided below.
- Guide 1: How to Remove CamuBot Trojan from Windows.
- Guide 2: Get rid of CamuBot Trojan on Mac OS X.
- Guide 3: Remove CamuBot Trojan in Google Chrome.
- Guide 4: Erase CamuBot Trojan from Mozilla Firefox.
- Guide 5: Uninstall CamuBot Trojan from Microsoft Edge.
- Guide 6: Remove CamuBot Trojan from Safari.
- Guide 7: Eliminate CamuBot Trojan from Internet Explorer.
- Guide 8: Disable CamuBot Trojan Push Notifications in Your Browsers.
How to Remove CamuBot Trojan from Windows.
Step 1: Boot Your PC In Safe Mode to isolate and remove CamuBot Trojan
Step 2: Uninstall CamuBot Trojan and related software from Windows
Here is a method in a few easy steps that should be able to uninstall most programs. No matter if you are using Windows 10, 8, 7, Vista or XP, these steps will get the job done. Dragging the program or its folder to the recycle bin can be a very bad decision. If you do that, bits and pieces of the program are left behind, and that can lead to unstable work of your PC, errors with the file type associations and other unpleasant activities. The proper way to get a program off your computer is to uninstall it.
Step 3: Clean any registries, created by CamuBot Trojan on your computer.
The usually targeted registries of Windows machines are the following:
You can access them by opening the Windows registry editor and deleting any values, created by CamuBot Trojan there. This can happen by following the steps underneath:
Get rid of CamuBot Trojan from Mac OS X.
Step 1: Uninstall CamuBot Trojan and remove related files and objects
1. Hit the ⇧+⌘+U keys to open Utilities. Another way is to click on “Go” and then click “Utilities”.
- Go to Finder.
- In the search bar type the name of the app that you want to remove.
- Above the search bar change the two drop down menus to “System Files” and “Are Included” so that you can see all of the files associated with the application you want to remove. Bear in mind that some of the files may not be related to the app so be very careful which files you delete.
- If all of the files are related, press ⌘+A to select them and then drag them to “Trash”.
In case you cannot remove CamuBot Trojan via Step 1 above:
In case you cannot find the virus files and objects in your Applications or other places we have shown above, you can manually look for them in the Libraries of your Mac. But before doing this, please read the disclaimer below:
You can repeat the same procedure with the following other Library directories:
Tip: ~ is there on purpose, because it leads to more LaunchAgents.
Step 2: Scan for and remove CamuBot Trojan files from your Mac
When you are facing problems on your Mac as a result of unwanted scripts and programs such as CamuBot Trojan, the recommended way of eliminating the threat is by using an anti-malware program. SpyHunter for Mac offers advanced security features along with other modules that will improve your Mac’s security and protect it in the future.
Remove CamuBot Trojan from Google Chrome.
Step 1: Start Google Chrome and open the drop menu
Step 2: Move the cursor over "Tools" and then from the extended menu choose "Extensions"
Step 3: From the opened "Extensions" menu locate the unwanted extension and click on its "Remove" button.
Step 4: After the extension is removed, restart Google Chrome by closing it from the red "X" button at the top right corner and start it again.
Erase CamuBot Trojan from Mozilla Firefox.
Step 1: Start Mozilla Firefox. Open the menu window
Step 2: Select the "Add-ons" icon from the menu.
Step 3: Select the unwanted extension and click "Remove"
Step 4: After the extension is removed, restart Mozilla Firefox by closing it from the red "X" button at the top right corner and start it again.
Uninstall CamuBot Trojan from Microsoft Edge.
Step 1: Start Edge browser.
Step 2: Open the drop menu by clicking on the icon at the top right corner.
Step 3: From the drop menu select "Extensions".
Step 4: Choose the suspected malicious extension you want to remove and then click on the gear icon.
Step 5: Remove the malicious extension by scrolling down and then clicking on Uninstall.
Remove CamuBot Trojan from Safari.
Step 1: Start the Safari app.
Step 2: After hovering your mouse cursor to the top of the screen, click on the Safari text to open its drop down menu.
Step 3: From the menu, click on "Preferences".
Step 4: After that, select the 'Extensions' Tab.
Step 5: Click once on the extension you want to remove.
Step 6: Click 'Uninstall'.
A pop-up window will appear asking for confirmation to uninstall the extension. Select 'Uninstall' again, and the CamuBot Trojan will be removed.
Eliminate CamuBot Trojan from Internet Explorer.
Step 1: Start Internet Explorer.
Step 2: Click on the gear icon labeled 'Tools' to open the drop menu and select 'Manage Add-ons'
Step 3: In the 'Manage Add-ons' window.
Step 4: Select the extension you want to remove and then click 'Disable'. A pop-up window will appear to inform you that you are about to disable the selected extension, and some more add-ons might be disabled as well. Leave all the boxes checked, and click 'Disable'.
Step 5: After the unwanted extension has been removed, restart Internet Explorer by closing it from the red 'X' button located at the top right corner and start it again.
Remove Push Notifications caused by CamuBot Trojan from Your Browsers.
Turn Off Push Notifications from Google Chrome
To disable any Push Notices from Google Chrome browser, please follow the steps below:
Step 1: Go to Settings in Chrome.
Step 2: In Settings, select “Advanced Settings”:
Step 3: Click “Content Settings”:
Step 4: Open “Notifications”:
Step 5: Click the three dots and choose Block, Edit or Remove options:
Remove Push Notifications on Firefox
Step 1: Go to Firefox Options.
Step 2: Go to “Settings”, type “notifications” in the search bar and click "Settings":
Step 3: Click “Remove” on any site whose notifications you want gone and click “Save Changes”.
Stop Push Notifications on Opera
Step 1: In Opera, press ALT+P to go to Settings
Step 2: In the Settings search, type “Content” to go to Content Settings.
Step 3: Open Notifications:
Step 4: Do the same as you did with Google Chrome (explained above):
Eliminate Push Notifications on Safari
Step 1: Open Safari Preferences.
Step 2: Choose the domain whose push pop-ups you want gone and change it from "Allow" to "Deny".