Brazilian malware on the rise: Kaspersky discovers new local banking Trojan is going global
May 2021 by Kaspersky
Kaspersky researchers have discovered a new banking malware from Brazil, named Bizarro, targeting 70 banks from different European and South American countries. Last year, Kaspersky researchers saw several banking trojans from South America (Guildma, Javali, Melcoz and Grandoreiro), expanding their operations all over the globe. Collectively recognised as “the Tétrade”, these families employed a variety of new, innovative and sophisticated techniques. 2021 has seen a continuation of this trend – as a new local player, Bizarro, goes global.
Bizarro is a new banking Trojan family originating in Brazil, that is now also in other countries, such as Argentina, Chile, Germany, Spain, Portugal, France, and Italy. Just like Tétrade, Bizarro is using affiliates or recruiting money mules to operationalize their attacks, doing the cash out or simply helping with translations. At the same time, cybercriminals behind this malware family are adopting various technical methods to complicate malware analysis and detection, as well as social engineering tricks that help convince targets to give out their online banking credentials.
Bizarro is distributed via MSI (Microsoft Installer) packages downloaded by victims from links in spam emails. Once launched, Bizarro downloads a ZIP archive from a compromised website to implement its further malicious functions. Having sent the data to the telemetry server, Bizarro initialises the screen capturing module. So far, Kaspersky experts have seen Bizarro using hosted servers on Azure, Amazon and compromised WordPress servers to store the malware and collect telemetry.
Kaspersky researchers highlight that the backdoor is the core component of Bizarro. It contains more than 100 commands and most of them are used to display fake pop-up messages to users. Some of them are even trying to mimic online banking systems.
An example of Bizarro blocking a bank login page and telling the user that security updates are being installed
“Cybercriminals are constantly looking for new ways to spread malware that steals credentials for e-payment and online banking systems. Today, we witness a game-changing trend in banking malware distribution – regional actors actively attack users, not only in their region but also around the globe. Implementing new techniques, Brazilian malware families started distributing to other continents, and Bizarro, which targets users from Europe, is the clearest example of this. It should serve as a sign for greater emphasis on the analysis of regional criminals and local threat intelligence, as soon enough it could become a problem of global concern”, comments Fabio Assolini, security expert at Kaspersky.
Learn more about the technical features of Bizarro on Securelist.com.
To protect financial institutions from banking Trojans such as Bizarro (and others), Kaspersky experts recommend:
Provide your SOC team with access to the latest threat intelligence to keep them up-to-date on new tools and techniques used by cybercriminals. For example, Kaspersky Financial Threat Intelligence Reportingcontains IoCs, Yara rules and hashes for these threats.
Upskill your SOC team to tackle the latest targeted threats with Kaspersky online training developed by GReAT experts.
Educate your customers on possible dangers and tricks malefactors may use. Regularly send them information on how to identify fraud and how to act in this situation.