Bizarro, a financial trojan that originated in Brazil, has been detected and observed targeting the clients and customers of over 70 banks across Europe and South America.
The malware lands on Windows systems and forces victims into entering their banking credentials. It also uses social engineering tactics to steal two-factor authentication (2FA) codes.
The Bizarro malware is constantly evolving, and its author keeps expanding the list of targeted banks. Newer versions also contain further modifications that improve its ability to evade detection and analysis.
A report from a cybersecurity firm shows that Bizarro currently targets clients of banks located in Europe, including Germany, Portugal, France, Italy and Spain, and in South American countries such as Chile, Argentina and Brazil.
The malware spreads via phishing emails crafted as official tax-related notification messages informing the victims that they have outstanding tax obligations. The email presents a link to download an MSI package containing the Bizarro malware. Once launched, the malware downloads additional components from attacker-controlled WordPress, Amazon and Azure servers: a ZIP file with the malicious scripts needed for an attack.
Once a workstation is infected, Bizarro terminates all online banking sessions by killing browser processes. When the browser is relaunched, the victim is lured into re-entering their banking credentials, which the malware collects. The malware also disables the browser's auto-complete function, so the victim is forced to type their login credentials manually.
The malware on an infected computer can receive the following commands from its C2 server:
- Fetch user data and manage session connections
- Control files on the local drive
- Control the mouse and keyboard
- Shut down, restart and destroy the OS; it can also restrict Windows functionality, such as access to the Task Manager
- Act as a keylogger
- Run commands that make social engineering attacks successful
The backdoor component of Bizarro lets operators trick or force users into providing their bank account information by displaying login windows that ask for their login data and two-factor authentication code while the operators take control of the victim's computer.
Bizarro is not the only financial trojan from South America that has expanded its target victims to Europe. The malware families Guildma, Javali, Melcoz, Grandoreiro and Amavaldo also took the same path. All of them were created, developed and initially spread in Brazil.