Kaspersky researchers have discovered a new banking malware from Brazil, named Bizarro, targeting 70 banks from different European and South American countries. Last year, Kaspersky researchers saw several banking trojans from South America (Guildma, Javali, Melcoz and Grandoreiro), expanding their operations all over the globe. Collectively recognised as ‘the Tétrade’, these families employed a variety of new, innovative and sophisticated techniques. 2021 has seen a continuation of this trend – as a new local player, Bizarro, goes global.
Bizarro is a new banking Trojan family originating in Brazil that is now also active in other countries, such as Argentina, Chile, Germany, Spain, Portugal, France and Italy. Just like the Tétrade, Bizarro uses affiliates or recruits money mules to operationalise its attacks, doing the cash-out or simply helping with translations. At the same time, the cybercriminals behind this malware family adopt various technical methods to complicate malware analysis and detection, as well as social engineering tricks that help convince targets to give up their online banking credentials.
Bizarro is distributed via MSI (Microsoft Installer) packages that victims download from links in spam emails. Once launched, the installer downloads a ZIP archive from a compromised website that carries the rest of the malicious functionality. After sending collected data to its telemetry server, Bizarro initialises its screen-capturing module. So far, Kaspersky experts have seen Bizarro using servers hosted on Azure and Amazon as well as compromised WordPress servers to store the malware and collect telemetry.
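The infection chain above (a user-launched MSI, a follow-on download and a ZIP archive dropped to disk) is the kind of sequence a detection engineer would want to catch on endpoint telemetry. The following is an added example written for this article, not code from Kaspersky or from the malware; it runs a hypothetical correlation rule over constructed, Sysmon-like events (process create, network connect, file create). The log lines, paths, PIDs and addresses are all constructed for illustration, and the five-minute window and "user-writable path" heuristic are the example's own assumptions.

```python
"""
Hypothetical detection rule for the Bizarro-style infection chain
described above: an MSI launched from a user-writable location, followed
within a short window by an outbound connection and a ZIP archive written
by the same process tree.

All events below are constructed for this example (not real telemetry).
Field names loosely follow Sysmon event IDs 1 (ProcessCreate),
3 (NetworkConnect) and 11 (FileCreate).
"""
from datetime import datetime, timedelta

# Constructed sample events, in chronological order.
SAMPLE_EVENTS = [
    # msiexec launched on an MSI sitting in the user's Downloads folder
    {"ts": "2021-05-17T09:00:01", "id": 1, "pid": 4120, "ppid": 3004,
     "image": r"C:\Windows\System32\msiexec.exe",
     "cmdline": r'msiexec.exe /i "C:\Users\ana\Downloads\fatura_12345.msi"'},
    # child process spawned by the installer
    {"ts": "2021-05-17T09:00:03", "id": 1, "pid": 4188, "ppid": 4120,
     "image": r"C:\Users\ana\AppData\Local\Temp\setup.exe",
     "cmdline": "setup.exe"},
    # child reaches out (constructed documentation-range address)
    {"ts": "2021-05-17T09:00:05", "id": 3, "pid": 4188,
     "dest": "203.0.113.10", "port": 443},
    # child writes a ZIP archive to disk
    {"ts": "2021-05-17T09:00:07", "id": 11, "pid": 4188,
     "target": r"C:\Users\ana\AppData\Local\Temp\payload.zip"},
    # benign: silent vendor update from ProgramData, no ZIP dropped
    {"ts": "2021-05-17T10:00:00", "id": 1, "pid": 5000, "ppid": 900,
     "image": r"C:\Windows\System32\msiexec.exe",
     "cmdline": r'msiexec.exe /i "C:\ProgramData\Vendor\update.msi" /qn'},
    {"ts": "2021-05-17T10:00:02", "id": 3, "pid": 5000,
     "dest": "198.51.100.5", "port": 443},
]

# Assumed heuristic: MSIs run from these locations are user-downloaded.
USER_WRITABLE = ("\\users\\", "\\appdata\\", "\\temp\\", "\\downloads\\")
WINDOW = timedelta(minutes=5)  # assumed correlation window


def _parse(ts):
    return datetime.fromisoformat(ts)


def _msi_path(cmdline):
    """Return the first token of the command line that names an .msi file."""
    for tok in cmdline.replace('"', " ").split():
        if tok.lower().endswith(".msi"):
            return tok
    return None


def detect_msi_dropper_chain(events):
    """Correlate msiexec launches with later network and ZIP-write activity.

    Events must be in chronological order so that children are added to
    the process tree before the events they generate are examined.
    Returns one alert dict per suspicious root process.
    """
    alerts = []
    for ev in events:
        if ev["id"] != 1 or not ev["image"].lower().endswith("msiexec.exe"):
            continue
        msi = _msi_path(ev["cmdline"])
        if msi is None or not any(m in msi.lower() for m in USER_WRITABLE):
            continue
        start = _parse(ev["ts"])
        tree = {ev["pid"]}      # msiexec plus every descendant seen
        net = None
        zips = []
        for later in events:
            t = _parse(later["ts"])
            if t < start or t - start > WINDOW:
                continue
            if later["id"] == 1 and later.get("ppid") in tree:
                tree.add(later["pid"])
            elif later["id"] == 3 and later["pid"] in tree and net is None:
                net = (later["dest"], later["port"])
            elif (later["id"] == 11 and later["pid"] in tree
                  and later["target"].lower().endswith(".zip")):
                zips.append(later["target"])
        if net and zips:
            alerts.append({"root_pid": ev["pid"], "msi": msi,
                           "tree": sorted(tree), "net": net, "zips": zips})
    return alerts


if __name__ == "__main__":
    for alert in detect_msi_dropper_chain(SAMPLE_EVENTS):
        print("possible MSI dropper chain:", alert)
```

Requiring all three stages (user-path MSI, outbound connection from the tree, ZIP written by the tree) keeps the benign vendor update quiet while still flagging the first sequence; in production the window, the path heuristic and the archive extension would be tuned to the environment rather than hard-coded as here.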
Kaspersky researchers highlight that the backdoor is the core component of Bizarro. It contains more than 100 commands, most of which are used to display fake pop-up messages to users; some of them even try to mimic online banking systems.
“Cybercriminals are constantly looking for new ways to spread malware that steals credentials for e-payment and online banking systems. Today, we witness a game-changing trend in banking malware distribution – regional actors actively attack users, not only in their region but also around the globe. Implementing new techniques, Brazilian malware families started distributing to other continents, and Bizarro, which targets users from Europe, is the clearest example of this. It should serve as a sign for greater emphasis on the analysis of regional criminals and local threat intelligence, as soon enough it could become a problem of global concern,” said Fabio Assolini, Security Expert at Kaspersky.