May 23, 2021

Bizarro Banking Trojan: Hitting 70 banks across Europe and South America

Bizarro is a family of Trojans that originated in Brazil and has already attacked banking entities in various countries around the world. Kaspersky security experts recently discovered this new banking trojan, known as “Bizarro,” which steals credentials from customers of 70 banks in Europe and South America. To persuade its victims to hand over their banking credentials, this modern banking Trojan employs social engineering techniques. Bizarro is spread by MSI (Microsoft Installer) packages that the victim installs from spam email links. Bizarro automatically shuts down if the victim clicks on the malicious links in the spam emails they received.

When the software is installed, it obfuscates its code to prevent detection and begins tracking computer activities, looking for cryptocurrency transactions and online banking sessions.

Figure 2 Execution Flow of Bizarro Trojan


The trojan has a few unexpected features that make it extremely dangerous. When Bizarro begins, it kills all browser processes in order to end online banking sessions. When a user restarts their browser, they will be prompted to re-enter their banking credentials in order to log in. It also disables window autocomplete, forcing the user to manually type the login credentials.
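One way to detect the browser-kill behaviour described above, added here as an example and not taken from Kaspersky's report: flag any non-browser process that terminates several different browsers on one host within a few seconds. The event schema, the sample process names, the browser list, the 10-second window and the threshold are all assumptions.

```python
from datetime import datetime, timedelta

# Browser image names to watch; extend to match the fleet (assumed list).
BROWSERS = {"chrome.exe", "msedge.exe", "firefox.exe", "iexplore.exe", "opera.exe"}
WINDOW = timedelta(seconds=10)   # assumed burst window
MIN_DISTINCT = 2                 # assumed: distinct browsers killed by one actor

# Constructed sample telemetry in a hypothetical normalized schema:
# (timestamp, host, acting process, action, target process)
EVENTS = [
    ("2021-05-20T09:00:00", "host1", "taskmgr.exe", "terminate", "firefox.exe"),
    ("2021-05-20T09:00:05", "host1", "chrome.exe", "terminate", "chrome.exe"),
    ("2021-05-20T10:05:00", "host2", "updater_sample.exe", "terminate", "chrome.exe"),
    ("2021-05-20T10:05:01", "host2", "updater_sample.exe", "terminate", "msedge.exe"),
    ("2021-05-20T10:05:02", "host2", "updater_sample.exe", "terminate", "firefox.exe"),
    ("2021-05-20T11:00:00", "host3", "cleanup_tool.exe", "terminate", "chrome.exe"),
    ("2021-05-20T11:05:00", "host3", "cleanup_tool.exe", "terminate", "msedge.exe"),
]

def find_browser_kill_bursts(events, window=WINDOW, min_distinct=MIN_DISTINCT):
    """Flag non-browser processes that terminate several different browsers
    on one host within `window`. Returns (host, actor, first_seen, targets)."""
    recent = {}   # (host, actor) -> [(ts, target)] still inside the window
    alerts = {}   # (host, actor) -> {"first_seen": str, "targets": set}
    for ts_s, host, actor, action, target in sorted(events):
        actor, target = actor.lower(), target.lower()
        # Ignore non-kill events, non-browser targets, and browsers
        # managing their own child processes.
        if action != "terminate" or target not in BROWSERS or actor in BROWSERS:
            continue
        ts = datetime.fromisoformat(ts_s)
        key = (host, actor)
        hits = [(t, n) for t, n in recent.get(key, []) if ts - t <= window]
        hits.append((ts, target))
        recent[key] = hits
        names = {n for _, n in hits}
        if len(names) >= min_distinct:
            alert = alerts.setdefault(
                key, {"first_seen": hits[0][0].isoformat(), "targets": set()})
            alert["targets"] |= names
    return [(h, a, v["first_seen"], sorted(v["targets"]))
            for (h, a), v in sorted(alerts.items())]

if __name__ == "__main__":
    for alert in find_browser_kill_bursts(EVENTS):
        print("ALERT", alert)
```

Correlating an alert with a recent MSI installation on the same host narrows it further toward the delivery chain the article describes.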

Bizarro also records what’s on each screen and keeps an eye on the keyboard. When the trojan accesses a bitcoin wallet, it replaces it with one belonging to the hackers. More than 100 commands are supported by the software, allowing attackers to steal banking data, take control of the device, record keystrokes, and even show fake pop-up messages to confuse and delay the user. When a user begins an internet banking session, the malware will detect it and launch a procedure to buy the criminals time to steal money from the victim’s account. This is accomplished by a series of pop-up alerts that appear to be legitimate bank messages informing the user about a security update. The machine freezes as these pop-ups appear on the screen, preventing the victim from accessing other applications, including the online banking session. At the same time, the criminals will use the information stolen from the target device to gain access to the victim’s account.

The pop-up messages often attempt to persuade victims to enter two-factor authentication codes while restricting device access. The criminals will then allow logins and money transfers from the account of the innocent victim. Some of the pop-ups also alert targets that their banking sessions may contain unusual transactions, but that these are all part of a security update.

Bizarro also uses servers hosted on Azure, Amazon (AWS), and even compromised WordPress servers to store malware and collect telemetry data.


Figure 3 Using Attack Navigator to map raw Data


Indicator of Compromise

Malicious File Hash