Kaspersky researchers have discovered a new banking malware family from Brazil, named Bizarro, targeting 70 banks in different European and South American countries. Last year, Kaspersky researchers saw several banking Trojans from South America (Guildma, Javali, Melcoz and Grandoreiro) expand their operations all over the globe. Collectively known as “the Tétrade”, these families employed a variety of new, innovative and sophisticated techniques. 2021 has seen a continuation of this trend – as a new local player, Bizarro, goes global.
Bizarro is a new banking Trojan family originating in Brazil that is now also active in other countries, such as Argentina, Chile, Germany, Spain, Portugal, France and Italy. Just like the Tétrade families, the operators behind Bizarro use affiliates or recruit money mules to operationalize their attacks, handle the cashout or simply help with translations. At the same time, the cybercriminals behind this malware family are adopting various technical methods to complicate malware analysis and detection, as well as social engineering tricks that help convince targets to give out their online banking credentials.
Bizarro is distributed via MSI (Microsoft Installer) packages that victims download from links in spam emails. Once launched, Bizarro downloads a ZIP archive from a compromised website to implement its further malicious functions. After sending the collected data to its telemetry server, Bizarro initializes its screen-capturing module. So far, Kaspersky experts have seen Bizarro using hosted servers on Azure and Amazon as well as compromised WordPress servers to store the malware and collect telemetry.
Kaspersky researchers highlight that the backdoor is the core component of Bizarro. It contains more than 100 commands, most of which are used to display fake pop-up messages to users. Some of these messages even mimic online banking systems.
An example of Bizarro blocking a bank login page and telling the user that security updates are being installed
“Cybercriminals are constantly looking for new ways to spread malware that steals credentials for e-payment and online banking systems. Today, we witness a game-changing trend in banking malware distribution – regional actors actively attack users, not only in their region but also around the globe. Implementing new techniques, Brazilian malware families started distributing to other continents, and Bizarro, which targets users from Europe, is the clearest example of this. It should serve as a sign for greater emphasis on the analysis of regional criminals and local threat intelligence, as soon enough it could become a problem of global concern”, comments Fabio Assolini, security expert at Kaspersky.
Learn more about the technical features of Bizarro on Securelist.com.
To protect financial institutions from banking Trojans such as Bizarro (and others), Kaspersky experts recommend:
Kaspersky is a global cybersecurity and digital privacy company founded in 1997. Kaspersky’s deep threat intelligence and security expertise is constantly transforming into innovative security solutions and services to protect businesses, critical infrastructure, governments and consumers around the globe. The company’s comprehensive security portfolio includes leading endpoint protection and a number of specialized security solutions and services to fight sophisticated and evolving digital threats. Over 400 million users are protected by Kaspersky technologies and we help 240,000 corporate clients protect what matters most to them. Learn more at www.kaspersky.com.