An innovative new Brazilian banking Trojan has been detected by security researchers at IBM X-Force. The Trojan has been named CamuBot due to its use of camouflage to fool employees into running the installer for the malware. As with other banking Trojans, its purpose is to obtain bank account credentials, although its method of doing so is different from most of the banking Trojans currently used by threat actors in Brazil.
Most banking Trojans are stealthy. They are silently installed out of sight, oftentimes through PowerShell scripts or Word macros in malicious email attachments. In contrast, CamuBot is very visible.
The scam starts with the attackers performing some reconnaissance to identify businesses that use a specific bank. Employees are then identified who are likely to have access to the company’s bank account details. Those individuals are contacted by telephone and the attacker pretends to be an employee at their bank conducting a routine security check.
The employees are instructed to visit a particular URL and a scan is conducted to determine whether they have an up-to-date security module installed on their computer. The mock scan returns a result that they have out-of-date security software and they are told to download a new security module to ensure all online banking transactions remain secure.
Once the security module is downloaded and executed, a standard installer is displayed. The installer carries the bank’s logos and branding to make it appear legitimate. The user is advised to shut down all running programs on their computer and run the installer, which guides them through the installation process. During that process, the installer creates two files in the %ProgramData% folder, establishes a proxy module, and adds itself to firewall rules and antivirus software as a trusted application.
The SSH-based SOCKS proxy is then loaded and establishes port forwarding to create a tunnel connecting the device to the attacker’s server. According to IBM X-Force, “The tunnel allows attackers to direct their own traffic through the infected machine and use the victim’s IP address when accessing the compromised bank account.”
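The two host-side traces described above (a self-added firewall allow rule for a program dropped under %ProgramData%, and an outbound SSH session from that same program) can be correlated on an endpoint. The following is an added detection example, not code from the IBM X-Force report; the export formats, the sample rule and connection records, and the use of TCP/22 for the SSH tunnel are assumptions made for illustration.

```python
"""Hunt for two host-side traces described in the CamuBot write-up: a firewall
allow-rule added for a program dropped under %ProgramData%, and an outbound
SSH session (the SOCKS tunnel) opened by that same program."""
import re

PROGRAMDATA = re.compile(r"^[a-z]:\\programdata\\", re.IGNORECASE)
SSH_PORT = 22  # assumption: the page only says the proxy is SSH-based

# Constructed sample: firewall rules as "name|direction|action|program path",
# the way a hypothetical endpoint collector might export them.
FIREWALL_RULES = r"""
Core Networking - DNS|Out|Allow|C:\Windows\System32\svchost.exe
Bank Security Module|Out|Allow|C:\ProgramData\BankSec\secmod.exe
Block Telnet|Out|Block|C:\ProgramData\Tools\tn.exe
""".strip()

# Constructed sample: established TCP connections as "process path,remote ip,remote port".
CONNECTIONS = r"""
C:\Windows\System32\svchost.exe,203.0.113.10,443
C:\ProgramData\BankSec\secmod.exe,198.51.100.7,22
C:\ProgramData\Updater\up.exe,203.0.113.55,443
""".strip()


def suspicious_firewall_rules(text):
    """Allow-rules whose program lives under %ProgramData%; a genuine bank
    module would normally be installed under Program Files."""
    hits = []
    for line in text.splitlines():
        name, _direction, action, path = line.split("|")
        if action == "Allow" and PROGRAMDATA.match(path):
            hits.append((name, path.lower()))
    return hits


def ssh_clients_in_programdata(text):
    """Process paths under %ProgramData% holding a connection to TCP/22."""
    paths = set()
    for line in text.splitlines():
        path, _remote, port = line.split(",")
        if int(port) == SSH_PORT and PROGRAMDATA.match(path):
            paths.add(path.lower())
    return paths


def correlate(rules_text, conns_text):
    """Programs that both whitelisted themselves and opened an SSH session:
    the combination the article describes, rather than either trace alone."""
    whitelisted = {path for _name, path in suspicious_firewall_rules(rules_text)}
    return sorted(whitelisted & ssh_clients_in_programdata(conns_text))


if __name__ == "__main__":
    for path in correlate(FIREWALL_RULES, CONNECTIONS):
        print("possible tunnel proxy:", path)
```

Only the binary that appears in both sources is reported; the blocked telnet rule and the unrelated updater on TCP/443 are ignored.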
The installer then exits and a popup screen is launched which directs the user to what appears to be the bank’s online portal where they are required to enter their banking credentials. However, the site they are directed to is a phishing website that sends the account details to the attacker.
Once the banking credentials have been obtained and the account can be accessed, the attacker confirms that the installation has been successful and terminates the call. The victim will be unaware that they have given full control of their bank account to the attacker.
Some users will have additional authentication controls in place, such as a device connected to their computer that is required in order for account access to be granted. In such cases, the attacker will advise the end user that a further software installation is required. The malware used in the attack can fetch and install a driver for that device. The attacker tells the end user to run a further program. Once that process is completed, the attacker is able to intercept one-time codes sent to that device from the bank as part of the authentication process.
A transaction is then attempted, which is tunneled through the user’s IP address to make the transaction appear legitimate to the bank. IBM X-Force notes that this attack method also allows the attackers to bypass the biometric authentication process.