Bizarro Banking Trojan: Hitting 70 banks across Europe and South America
Bizarro is a family of banking Trojans that originated in Brazil and has already attacked banking customers in several countries. Kaspersky researchers recently described its newest member, "Bizarro", which steals credentials from customers of 70 banks in Europe and South America. Like other modern banking Trojans, it relies on social engineering to persuade victims to hand over their banking credentials. Bizarro is distributed as MSI (Microsoft Installer) packages that the victim downloads from links in spam emails; the infection chain does not start until the victim runs the downloaded installer.
Once installed, the malware obfuscates its code to evade detection and starts monitoring activity on the machine, watching for online banking sessions and cryptocurrency transactions.
Bizarro Trojan Execution Flow
The trojan has a few unusual features that make it particularly dangerous. When Bizarro starts, it kills all browser processes, which ends any active online banking session. When the user reopens the browser, they have to log in to the bank again and type their credentials. Bizarro also disables autocomplete in the browser, so the credentials must be typed by hand rather than filled in by the browser, which is exactly what the keyboard monitoring described below relies on.
Bizarro also captures screenshots and monitors the keyboard. When it finds a Bitcoin wallet address in the clipboard, it replaces it with one controlled by the attackers, so a payment the victim pastes goes to the criminals instead. The backdoor supports more than 100 commands, which let the operators steal banking data, take control of the device, log keystrokes, and show fake pop-up messages to confuse and stall the user. When the malware detects the start of an online banking session, it starts a routine whose purpose is to buy the criminals time to empty the victim's account: a series of pop-up alerts, styled as legitimate messages from the bank, tells the user that a security update is in progress. While these pop-ups are on screen the machine is effectively frozen, and the victim cannot use other applications, including the banking session. Meanwhile the criminals use the data stolen from the device to log in to the victim's account.
Some of the pop-ups ask the victim to enter a two-factor authentication code while the device is still locked; the criminals then use that code to get the login and the money transfer from the victim's account approved. Other pop-ups warn that the banking session contains unusual transactions, which they present as the reason for the supposed security update.
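The clipboard wallet-address swap mentioned above is a "clipper" behaviour that can be spotted from the clipboard alone: a valid Bitcoin address is replaced by a different valid address faster than a person would copy two of them. The following Python is an added example written for this page, not code from the original article or from Kaspersky's report. It validates legacy Base58Check addresses (Bech32 `bc1...` addresses are out of scope here) and runs the rule over a constructed polling trace; `GENESIS` is the real, public genesis-block address, `ATTACKER` is an address constructed in the code with a valid checksum, and the timestamps are invented.

```python
"""Detect a clipboard 'clipper' swapping one Bitcoin address for another.

Added example for this page (not the article's or Kaspersky's code).
The polling trace below is constructed; a live monitor would read the
real clipboard at a fixed interval and feed the same (timestamp, text)
pairs into detect_clipper().
"""
import hashlib

B58_ALPHABET = "123456789ABCDEFGHJKLMNPQRSTUVWXYZabcdefghijkmnopqrstuvwxyz"


def b58decode(text):
    """Decode a Base58 string to bytes; return None on an invalid character."""
    n = 0
    for ch in text:
        idx = B58_ALPHABET.find(ch)
        if idx < 0:
            return None
        n = n * 58 + idx
    body = n.to_bytes((n.bit_length() + 7) // 8, "big") if n else b""
    pad = len(text) - len(text.lstrip("1"))  # each leading '1' is a zero byte
    return b"\x00" * pad + body


def b58check_encode(payload):
    """Base58Check: payload || first 4 bytes of SHA256(SHA256(payload))."""
    chk = hashlib.sha256(hashlib.sha256(payload).digest()).digest()[:4]
    raw = payload + chk
    n = int.from_bytes(raw, "big")
    out = ""
    while n:
        n, rem = divmod(n, 58)
        out = B58_ALPHABET[rem] + out
    pad = len(raw) - len(raw.lstrip(b"\x00"))
    return "1" * pad + out


def is_btc_address(text):
    """True for a syntactically valid legacy mainnet address (P2PKH/P2SH):
    25 decoded bytes, version 0x00 or 0x05, correct Base58Check checksum."""
    if not 26 <= len(text) <= 35:
        return False
    raw = b58decode(text)
    if raw is None or len(raw) != 25 or raw[0] not in (0x00, 0x05):
        return False
    payload, chk = raw[:21], raw[21:]
    return hashlib.sha256(hashlib.sha256(payload).digest()).digest()[:4] == chk


def detect_clipper(snapshots, max_gap=2.0):
    """snapshots: (timestamp, clipboard_text) pairs from polling the clipboard.
    Flags a swap where one valid address becomes a *different* valid address
    within max_gap seconds. People rarely copy two addresses that fast, so
    this is a strong (not certain) indicator; a production monitor would
    also check whether a user copy action was observed in between."""
    alerts = []
    prev_ts, prev_text = None, None
    for ts, text in snapshots:
        if prev_text is not None and text != prev_text:
            if (is_btc_address(prev_text) and is_btc_address(text)
                    and ts - prev_ts <= max_gap):
                alerts.append({"ts": ts, "copied": prev_text, "now": text})
        prev_ts, prev_text = ts, text
    return alerts


GENESIS = "1A1zP1eP5QGefi2DMPTfTL5SLmv7DivfNa"       # real, public genesis address
ATTACKER = b58check_encode(b"\x00" + b"\x11" * 20)   # constructed, valid checksum

SAMPLE_SNAPSHOTS = [  # constructed polling trace (0.1 s interval)
    (10.0, GENESIS),        # user copies the merchant's address
    (10.1, GENESIS),
    (10.2, ATTACKER),       # clipper swaps it 0.2 s later -> alert
    (10.3, ATTACKER),
    (50.0, "invoice 123"),  # ordinary text, ignored
    (60.0, GENESIS),
    (75.0, ATTACKER),       # 15 s later: too slow for this rule
]


def demo():
    return detect_clipper(SAMPLE_SNAPSHOTS)


if __name__ == "__main__":
    for a in demo():
        print("clipboard swap at t=%.1f: %s -> %s" % (a["ts"], a["copied"], a["now"]))
```

The checksum check matters: a clipper must write a well-formed address or the wallet software rejects it, so "two different valid addresses in quick succession" is a much tighter signal than "two address-shaped strings". Tune `max_gap` to the polling interval and extend `is_btc_address` with a Bech32 check if the environment uses `bc1` addresses.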
Bizarro also uses servers hosted on Microsoft Azure and Amazon Web Services (AWS), as well as compromised WordPress servers, to host its components and collect telemetry.
Mapping MITRE ATT&CK®
Figure 3: Using ATT&CK Navigator to map the raw data
Like much malware, Bizarro is spread through phishing and social engineering. Users should be trained to recognize social engineering, and endpoint anti-malware software should be in place to detect and remove malicious software.
Network intrusion prevention systems and controls that scan for and remove malicious downloads can block the installer even if a user clicks the link.
Application control tools such as Windows Defender Application Control, AppLocker, or Software Restriction Policies can identify and block potentially malicious software, including unapproved MSI packages, that would otherwise run through this technique.
Disable or remove any shells or interpreters that are not needed. Where PowerShell is required, restrict its execution policy to administrators, keeping in mind that, depending on the environment's configuration, the execution policy can be bypassed.
On Windows 10, use the Antimalware Scan Interface (AMSI) to inspect commands after they have been processed/interpreted, which catches obfuscated script content at the point where it is decoded.
Keylogging is hard to prevent outright, so early detection matters. Keyloggers take several forms: modifying the Registry and installing a driver, hooking, or polling to intercept keystrokes. SetWindowsHookEx, GetKeyState, and GetAsyncKeyState are among the most commonly used API calls. Monitor for such Registry and file-system changes, for driver installations, and for calls to these basic keylogging APIs. The API calls on their own do not indicate keylogging, but combined with other data, such as new files written to disk and unusual processes, they provide behavioral evidence that is useful for detection.
How screen-capture activity can be monitored depends on the method used to extract data from the operating system and write the output files. Possible detection methods include collecting information from unusual processes, watching for API calls that access image data, and tracking image files written to disk. Depending on how legitimate such activity is in a given network context, sensor data may need to be correlated with other events before it can be treated as malicious.
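The two detection paragraphs above both come down to correlation: a keyboard API call, a screen-grab API call, a file written to disk, a driver load or a Run-key write are each weak on their own, and only their combination within one process and a short time window is worth an alert. The following Python is an added example written for this page, not code from the original article or from any EDR product. The event stream is constructed to resemble what an endpoint sensor would report; the event field names, the GDI API list used to represent screen capture, the 60-second window and the process allowlist are assumptions for the example, not any product's schema.

```python
"""Behavioral correlation for keylogging and screen-capture activity.

Added example for this page (not the article's code, not a product rule).
Events are a constructed, EDR-style stream: each is a dict with
ts (seconds), pid, image (process name), kind, and one kind-specific field
(api, path, key). No real sensor uses exactly this schema.
"""
from collections import defaultdict

# APIs the page names as typical of keylogging.
KEYLOG_APIS = {"SetWindowsHookEx", "GetKeyState", "GetAsyncKeyState"}
# Assumption: common GDI calls used to copy screen pixels into a bitmap.
CAPTURE_APIS = {"GetDC", "CreateCompatibleBitmap", "BitBlt"}
IMAGE_EXT = (".png", ".bmp", ".jpg", ".jpeg")
# Assumption: processes allowed to hook the keyboard / grab the screen here.
ALLOWLIST = {"explorer.exe", "snippingtool.exe", "teams.exe"}


def correlate(events, window=60):
    """Return [(pid, image, reasons)] for processes whose combined behavior
    within `window` seconds of their first event looks like collection.
    Events outside the window are ignored; a longer-lived implant would
    need a sliding window instead."""
    by_pid = defaultdict(list)
    for ev in events:
        by_pid[ev["pid"]].append(ev)

    alerts = []
    for pid, evs in by_pid.items():
        evs.sort(key=lambda e: e["ts"])
        image = evs[0]["image"].lower()
        if image in ALLOWLIST:
            continue  # known tools make the same calls; skip, do not alert
        start = evs[0]["ts"]
        evs = [e for e in evs if e["ts"] - start <= window]

        apis = {e["api"] for e in evs if e["kind"] == "api"}
        files = [e["path"] for e in evs if e["kind"] == "file_write"]
        drivers = [e for e in evs if e["kind"] == "driver_load"]
        run_keys = [e for e in evs
                    if e["kind"] == "registry_set" and "\\run" in e["key"].lower()]

        reasons = []
        if apis & KEYLOG_APIS and files:
            reasons.append("keylogging API (%s) plus new file written"
                           % ", ".join(sorted(apis & KEYLOG_APIS)))
        if apis & CAPTURE_APIS and any(p.lower().endswith(IMAGE_EXT) for p in files):
            reasons.append("screen-capture API plus image file written")
        if drivers and apis & KEYLOG_APIS:
            reasons.append("driver loaded by a process that also polls the keyboard")
        if run_keys and apis & (KEYLOG_APIS | CAPTURE_APIS):
            reasons.append("Run-key persistence alongside collection APIs")
        if reasons:
            alerts.append((pid, image, reasons))
    return alerts


SAMPLE_EVENTS = [  # constructed sensor stream
    # a dropped binary hooking the keyboard, writing a log and persisting
    {"ts": 100, "pid": 4120, "image": "upd.exe", "kind": "api", "api": "SetWindowsHookEx"},
    {"ts": 101, "pid": 4120, "image": "upd.exe", "kind": "api", "api": "GetAsyncKeyState"},
    {"ts": 103, "pid": 4120, "image": "upd.exe", "kind": "file_write",
     "path": r"C:\Users\Public\kl.dat"},
    {"ts": 104, "pid": 4120, "image": "upd.exe", "kind": "registry_set",
     "key": r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run\upd"},
    # the same process grabbing the screen
    {"ts": 110, "pid": 4120, "image": "upd.exe", "kind": "api", "api": "BitBlt"},
    {"ts": 111, "pid": 4120, "image": "upd.exe", "kind": "file_write",
     "path": r"C:\Users\Public\scr1.png"},
    # a legitimate screenshot tool doing the same thing: allowlisted
    {"ts": 200, "pid": 5000, "image": "SnippingTool.exe", "kind": "api", "api": "BitBlt"},
    {"ts": 201, "pid": 5000, "image": "SnippingTool.exe", "kind": "file_write",
     "path": r"C:\Users\alice\Pictures\shot.png"},
    # an unknown process polling keys but writing nothing: no alert
    {"ts": 300, "pid": 6000, "image": "game.exe", "kind": "api", "api": "GetAsyncKeyState"},
]


def demo():
    return correlate(SAMPLE_EVENTS)


if __name__ == "__main__":
    for pid, image, reasons in demo():
        print("ALERT pid=%d image=%s" % (pid, image))
        for r in reasons:
            print("  -", r)
```

The allowlist is what keeps this from paging on every screenshot tool; it should be built from the environment's own inventory rather than guessed. Note that `game.exe` is not flagged even though it polls `GetAsyncKeyState`, which is the page's point that the API call alone is not evidence.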
Consider monitoring process resource usage to spot unusual behavior that could indicate malicious hijacking of computer resources such as CPU, memory, and GPU. Watch for unusual network activity associated with cryptocurrency mining tools, and on local systems look for the process names and files of common cryptomining software, which can indicate compromise and resource use.
To prevent adversaries from disabling or tampering with essential resources, ensure that proper Registry permissions, and proper process and file permissions, are in place.