Bizarro Banking Trojan Sports Sophisticated Backdoor
A never-before-documented Brazilian banking trojan, dubbed Bizarro, is targeting customers of 70 banks scattered throughout Europe and South America, researchers said.
Once installed, it kills all running browser processes to terminate any existing sessions with online banking websites, so when a user initiates a mobile banking session they have to sign back in, allowing the malware to harvest the login details.
"The core component of the backdoor doesn't start until Bizarro detects a connection to one of the hardcoded online banking systems," researchers explained.
According to Kaspersky, "To display such messages, Bizarro needs to download a JPEG image that contains the bank logo and instructions the victim needs to follow. These images are stored in the user profile directory in an encrypted form. Before an image is used in a message, it is decrypted with a multi-byte XOR algorithm. As the messages are downloaded from the C2 server, they can be found only on the victims' machines."
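The encrypted-image detail above, as an added example that is not part of the original article or of Kaspersky's analysis: because the first bytes of a JFIF file are fixed, an analyst who finds such a blob in a user profile directory can recover a repeating multi-byte XOR key by known plaintext and confirm the candidate with the JPEG end-of-image marker. The sample blob and its 4-byte key are constructed for the demo; the page gives neither Bizarro's key nor its file names.

```python
from typing import Optional, Tuple

JPEG_SOI = bytes.fromhex("ffd8ffe000104a464946")  # SOI, APP0 marker+length, "JFIF"
JPEG_EOI = b"\xff\xd9"                             # end-of-image marker


def xor_repeating(data: bytes, key: bytes) -> bytes:
    """XOR data with a repeating multi-byte key; the same call encrypts and decrypts."""
    return bytes(b ^ key[i % len(key)] for i, b in enumerate(data))


def recover_xor_key(blob: bytes, max_key_len: int = 8) -> Optional[bytes]:
    """Known-plaintext recovery of a repeating XOR key from an encrypted JPEG.

    blob[:10] ^ JPEG_SOI is the key stream for the first ten bytes. The shortest
    period that reproduces the whole header AND decrypts the trailing bytes to
    the EOI marker is returned; None means the blob is not a XOR-wrapped JFIF.
    """
    if len(blob) < len(JPEG_SOI) + len(JPEG_EOI):
        return None
    stream = xor_repeating(blob[: len(JPEG_SOI)], JPEG_SOI)
    # A period >= len(header) cannot be checked against the header, so cap it.
    for n in range(1, min(max_key_len, len(JPEG_SOI) - 1) + 1):
        key = stream[:n]
        if xor_repeating(blob[: len(JPEG_SOI)], key) != JPEG_SOI:
            continue  # candidate period is inconsistent with the known header
        if xor_repeating(blob, key)[-2:] == JPEG_EOI:
            return key
    return None


def decrypt_stored_image(blob: bytes) -> Optional[bytes]:
    """Return the decrypted JPEG if a consistent key is found, else None."""
    key = recover_xor_key(blob)
    return xor_repeating(blob, key) if key else None


def build_sample() -> Tuple[bytes, bytes]:
    """Constructed sample: a minimal JPEG-shaped file (header, 64 filler bytes,
    EOI) encrypted with an assumed 4-byte key. Demo values only."""
    key = bytes.fromhex("5a3c9e17")  # assumption for the demo, not a real key
    plain = JPEG_SOI + bytes(range(64)) + JPEG_EOI
    return xor_repeating(plain, key), key


if __name__ == "__main__":
    enc, key = build_sample()
    print("recovered key:", recover_xor_key(enc).hex(), "expected:", key.hex())
```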
"The custom messages that Bizarro may show are messages that freeze the victim's machine, thus allowing the attackers to gain some time," according to the analysis.
"Today, we witness a game-changing trend in banking malware distribution - regional actors actively attack users, not only in their region but also around the globe. Implementing new techniques, Brazilian malware families started distributing to other continents, and Bizarro, which targets users from Europe, is the clearest example of this. It should serve as a sign for greater emphasis on the analysis of regional criminals and local threat intelligence, as soon enough it could become a problem of global concern."
News URL: https://threatpost.com/bizarro-banking-trojan-backdoor/166211/