New Brazilian Banking Trojan Hides in Plain Sight

An advanced new Brazilian banking Trojan has been found by safety scientists at IBM X-Force. The Trojan has been titled CamuBot because of its use of concealment to fool workers into running the installer for the malware. Like with other banking Trojans, its aim is to get bank account identifications, even though its method of doing so is different from most of the banking Trojans presently used by threat actors in Brazil.

Most banking Trojans are silent. They are silently connected out of sight, oftentimes through PowerShell scripts or Word macros in malevolent electronic mail attachments. In contrast, CamuBot is very visible.

The cheat begins with the attackers doing some reconnaissance to identify companies that use a particular bank. Workers are then identified who are likely to have access to the firm’s bank account particulars. Those people are got in touch with by telephone and the attacker pretends to be a worker at their bank carrying out a regular safety check.

The workers are directed to visit a specific URL and a scan is carried out to decide whether they have the latest security module installed on their computer. The fake scan returns a result that they have out-of-date safety software and they are told to download a new safety module to make sure all online banking dealings remain safe.

When the safety module is downloaded and executed, a standard installer is shown. The installer contains the bank’s logos and accurate imaging to make it seem genuine. The user is directed to shut down all running programs on their computer and run the installer, which directs them through the installation procedure. During that procedure, the installer generates two files in the %Program Data% folder, determines a proxy module, and adds itself to firewall regulations and antivirus software as a confidential application.

The SSH-based SOCKS proxy is then loaded and establishes port forwarding to generate a tunnel linking the appliance to the attacker’s server. As per IBM X-Force, “The tunnel permits attackers to direct their own traffic via the infected machine and use the victim’s IP address when accessing the compromised bank account.”

The installer then leaves and a popup screen is opened which guides the user to what seems to be the bank’s online portal where they are required to enter their banking identifications. Nevertheless, the site they are directed to is a phishing website that transmits the account details to the attacker.

As soon as the banking identifications have been obtained and their account can be accessed, the attacker verifies that the installation has been successful and ends the call. The victims will be unaware that they have given complete control of their bank account to the attacker.

Some users will have additional verification controls in place, such as an appliance linked to their computer that is required in order for account access to be allowed. In such instances, the attacker will advise the end user that an additional software installation is needed. The malware used in the attack can fetch and connect a driver for that appliance. The attacker tells the end user to run an additional program. When that procedure is finished, the attacker is able to intercept one-time codes sent to that appliance from the bank as part of the verification procedure.

A transaction is then tried, which is tunneled through the user’s IP address to make the transaction seem genuine to the bank. IBM X-Force notes that this attack method also permits the attackers to evade the biometric verification procedure.