A new Brazilian banking trojan, named Bizarro, is being used in a global campaign targeting customers of over 70 banks in Europe and South America. According to a report released this week by Kaspersky, Bizarro is a Windows banking trojan whose chief aim is to capture online banking credentials and hijack cryptocurrency wallets. It is not mobile malware, although, as described later, it can try to push a malicious app onto the victim's Android phone. Once installed, the trojan kills all running browser processes to terminate any active online banking sessions. When the user opens their bank's website again, they are forced to sign in afresh, which gives Bizarro a fresh set of credentials to capture.
To further increase its chances of success, the trojan disables autocomplete in the browser, so the target must type their details in full. The malware was also designed with two-factor authentication (2FA) in mind: researchers noted that it can display fake pop-ups to capture the one-time codes.
Bizarro spreads as a Microsoft Installer (MSI) package, distributed mostly through spam and phishing emails, but it can also arrive inside a trojanized app.
The malware also has a screen-capturing module.
“It loads the magnification.dll library and gets the address of the deprecated MagSetImageScalingCallback API function,” explained Kaspersky researchers. “With its help, the trojan can capture the screen of a user and also constantly monitor the system clipboard, looking for a Bitcoin wallet address. If it finds one, it is replaced with a wallet belonging to the malware developers.”
Perhaps Bizarro’s most impressive feature is its extensive backdoor module. According to the analysis, the trojan is capable of carrying out more than 100 commands.
“The core component of the backdoor doesn’t start until Bizarro detects a connection to one of the hardcoded online banking systems,” researchers explained. “The malware does this by enumerating all the windows, collecting their names. Whitespace characters, letters with accents (such as ñ or á) and non-letter symbols such as dashes are removed from the window name strings. If a window name matches one of the hardcoded strings, the backdoor continues starting up.”
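To make the window-name gate concrete, here is an added Python example (not Kaspersky's code and not anything recovered from a Bizarro sample) that applies the normalization the researchers describe and then looks for the target strings. The target list and window titles are constructed for illustration; using a substring match and comparing case-sensitively are assumptions, because the report does not say how the comparison is done.

```python
import string
from typing import List, Optional, Tuple

# Constructed stand-ins for the "hardcoded strings" (the real list is not in the report).
TARGET_STRINGS = ["BancoExemplo", "SafeBankAcessoaClientes"]


def normalize_window_title(title: str) -> str:
    """Apply the normalization described in the report: drop whitespace,
    accented letters (ñ, á, ...) and non-letter symbols such as dashes.
    Only plain ASCII letters survive, so 'Información' becomes 'Informacin'."""
    return "".join(ch for ch in title if ch in string.ascii_letters)


def match_target(title: str, targets: List[str] = TARGET_STRINGS) -> Optional[str]:
    """Return the target string that matches this window title, if any.
    Normalizing both sides and then doing a substring match is an assumption."""
    norm = normalize_window_title(title)
    for target in targets:
        if normalize_window_title(target) in norm:
            return target
    return None


def banking_windows_open(titles: List[str]) -> List[Tuple[str, str]]:
    """Simulate the backdoor's gate: given the titles of all top-level windows,
    return (title, matched target) pairs. Bizarro only continues starting up
    when at least one window matches."""
    hits = []
    for title in titles:
        matched = match_target(title)
        if matched:
            hits.append((title, matched))
    return hits


if __name__ == "__main__":
    # Constructed window titles. On a real Windows host the malware enumerates
    # them (EnumWindows/GetWindowText); this example only models the matching.
    sample = [
        "Banco Exemplo – Acesso a clientes - Mozilla Firefox",
        "Documento1 - Word",
        "Safe Bank: Acesso a Clientes – Google Chrome",
    ]
    print(banking_windows_open(sample))
```

The normalization is what makes the check robust for the attackers: browser and locale differences in punctuation, spacing and accents disappear before the comparison, so a defender testing whether a given title "looks like a bank" should apply the same transformation first.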
According to Threatpost, the commands fall into a few main categories:
- Commands that allow the command-and-control (C2) operators to get data about the victim and manage the connection status; for instance, one asks for Bizarro’s version, OS name, computer name, Bizarro’s unique identifier, installed antivirus software and the codename used for the bank that has been accessed.
- Commands that allow attackers to search for and steal the files located on the victim’s hard drive, and those that allow adversaries to install files on the victim device.
- Commands that allow attackers to control the user’s mouse and keyboard.
- Commands that allow the attackers to control the backdoor operation, shut down, restart or destroy the operating system, and limit the functionality of Windows.
- Commands that log keystrokes.
- Commands that display various messages that trick users into giving attackers access to bank accounts, including fake pop-up windows (for example, a message that "the data entered is incorrect, please try again"; an error message asking the user to enter a confirmation code; or a notice that the computer needs to be restarted to finish a security-related operation).
- Commands that enable Bizarro to mimic online banking systems. According to Kaspersky, “To display such messages, Bizarro needs to download a JPEG image that contains the bank logo and instructions the victim needs to follow. These images are stored in the user profile directory in an encrypted form. Before an image is used in a message, it is decrypted with a multi-byte XOR algorithm. As the messages are downloaded from the C2 server, they can be found only on the victims’ machines.”
- Commands that display custom messages.
“The custom messages that Bizarro may show are messages that freeze the victim’s machine, thus allowing the attackers to gain some time,” according to the analysis. “When a command to display a message like this is received, the taskbar is hidden, the screen is greyed out and the message itself is displayed. While the message is shown, the user is unable to close it or open Task Manager. The message itself tells the user either that the system is compromised and thus needs to be updated or that security and browser performance components are being installed. This type of message also contains a progress bar that changes over time.”
South America is a hotspot for banking trojans, and the region has been dominated by four families: Grandoreiro, Guildma, Javali and Melcoz, collectively known as the Tétrade ('group of four'). The Tétrade has been pushing beyond the region since 2020. Bizarro follows the same path, and it may succeed.
“Cybercriminals are constantly looking for new ways to spread malware that steals credentials for e-payment and online banking systems,” said Fabio Assolini, security expert at Kaspersky, in a statement. “Today, we witness a game-changing trend in banking malware distribution – regional actors actively attack users, not only in their region but also around the globe. Implementing new techniques, Brazilian malware families started distributing to other continents, and Bizarro, which targets users from Europe, is the clearest example of this. It should serve as a sign for greater emphasis on the analysis of regional criminals and local threat intelligence, as soon enough it could become a problem of global concern.”
Bizarro Trojan Analysis
Note: the analysis below is drawn from Kaspersky's Securelist write-up. Although the trojan is spreading globally, the messages in most samples are in Portuguese, the operators' native language.
Once the MSI package is executed, it downloads a ZIP archive from a compromised website. The installer carries two embedded download links; which one is used depends on the victim's processor architecture.
The downloaded ZIP archive contains the following files:
- A malicious DLL written in Delphi;
- A legitimate executable that is an AutoHotkey script runner (in some samples AutoIt is used instead of AutoHotkey);
- A small script that calls an exported function from the malicious DLL.
The DLL exports a function that contains the malicious code. The developers use a protector to complicate analysis: the bodies of the exported functions are stripped from the file on disk and restored at runtime by the DLL entry point function, which is itself heavily obfuscated with constant unfolding and junk code insertion. The protection keeps improving: in earlier versions of Bizarro only the entry point function was protected, while in more recent samples the protector also obscures calls to imported API functions.
Bizarro gathers the following information about the system on which it is running:
- Computer name;
- Operating system version;
- Default browser name;
- Installed antivirus software name.
Bizarro sends this information to its telemetry server in a POST request, using the user agent 'Mozilla/4.0 (compatible;MSIE 6.0; Windows NT 5.0'. The string is malformed: there should be a space after the 'compatible;' substring, and the closing bracket is missing. Kaspersky's research shows that this mistake has not been fixed in the latest versions, which makes it a usable network indicator. After that, Bizarro creates an empty file in the %userprofile% directory, marking the system as infected. The file is named after the script runner (AutoIt or AutoHotkey) with the .jkl extension appended.
Having sent the data to the telemetry server, Bizarro initializes the screen capturing module. It loads the magnification.dll library and gets the address of the deprecated MagSetImageScalingCallback API function. With its help, the Trojan can capture the screen of a user and also constantly monitor the system clipboard, looking for a Bitcoin wallet address. If it finds one, it is replaced with a wallet belonging to the malware developers.
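The clipboard-swap behaviour described here (and in the researchers' quote earlier in the article) can be modelled, and detected, in a few lines. The following Python is an added example, not code from Kaspersky or from the malware: hijack_clipboard performs the substitution the researchers describe, and detect_clipboard_swaps is a defensive heuristic that flags a clipboard whose only change between two snapshots is the wallet address. The addresses are constructed (valid shape only, not real wallets), and the address regex is deliberately loose: it checks shape, not checksum.

```python
import re
from typing import List, Tuple

# Loose shape check for legacy (1.../3...) and bech32 (bc1...) Bitcoin addresses.
# No checksum validation; it only needs to say "a wallet address sits here".
BTC_ADDRESS_RE = re.compile(r"\b(?:[13][a-km-zA-HJ-NP-Z1-9]{25,34}|bc1[a-z0-9]{25,62})\b")

# Constructed sample addresses (valid shape only, not real wallets).
USER_ADDRESS = "1UserWaetAAAAAAAAAAAAAAAAAAAAAAA"
ATTACKER_ADDRESS = "3AttackerWaetBBBBBBBBBBBBBBBBBBBB"


def find_btc_addresses(text: str) -> List[str]:
    """All address-shaped tokens in the text, in order."""
    return BTC_ADDRESS_RE.findall(text)


def hijack_clipboard(clipboard_text: str, attacker_address: str = ATTACKER_ADDRESS) -> str:
    """The behaviour the report describes, as a pure function: every wallet
    address in the clipboard text is replaced with the attackers' address."""
    return BTC_ADDRESS_RE.sub(attacker_address, clipboard_text)


def detect_clipboard_swaps(snapshots: List[str]) -> List[Tuple[str, str]]:
    """Defensive heuristic over successive clipboard snapshots: if two
    consecutive snapshots are identical once addresses are masked, but the
    addresses themselves differ, something rewrote only the address. A user
    copying a new address normally changes the surrounding text as well.
    Returns (before, after) address pairs."""
    alerts: List[Tuple[str, str]] = []
    for before, after in zip(snapshots, snapshots[1:]):
        addrs_before, addrs_after = find_btc_addresses(before), find_btc_addresses(after)
        if not addrs_before or not addrs_after:
            continue
        masked_before = BTC_ADDRESS_RE.sub("<ADDR>", before)
        masked_after = BTC_ADDRESS_RE.sub("<ADDR>", after)
        if masked_before == masked_after and addrs_before != addrs_after:
            alerts.extend(zip(addrs_before, addrs_after))
    return alerts


if __name__ == "__main__":
    original = "Pay invoice #42 to " + USER_ADDRESS
    tampered = hijack_clipboard(original)
    print(tampered)
    print(detect_clipboard_swaps([original, tampered]))
```

On a live host the snapshots would come from polling the clipboard (on Windows, the same Win32 clipboard APIs the malware itself uses); the heuristic is the part worth keeping, since a swap that preserves everything but the address is exactly the signature of this module.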
The first thing the backdoor does is flush the DNS cache by running the ipconfig /flushdns command, so that a cached, possibly blocked, IP address is not reused. The malware then resolves the C2 domain name to an IP address, creates a socket and connects to the resolved address. If the connection succeeds, it creates the file %userprofile%\bizarro.txt.
As mentioned earlier, Bizarro has a long list of commands it can execute. Among them are commands that display messages designed to trick users into giving attackers access to their bank accounts. These range from simple message boxes to well-designed windows with bank logos on them.
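Two details from the analysis are directly usable as indicators: the malformed user agent on the telemetry POST and the marker files in the user profile. The Python below is an added example, not tooling from the report. The proxy log lines are constructed in the common combined-log layout, and AutoHotkey.exe.jkl is a hypothetical marker name: the real name depends on the runner binary shipped in the ZIP, which is why the function globs for *.jkl instead of hard-coding names.

```python
import re
import tempfile
from pathlib import Path
from typing import List

# The exact malformed user agent from the report: no space after "compatible;"
# and no closing parenthesis. A correctly formed MSIE 6.0 UA must not match.
BIZARRO_UA = "Mozilla/4.0 (compatible;MSIE 6.0; Windows NT 5.0"

# Constructed proxy log lines (combined log format); only the first is Bizarro.
SAMPLE_LOG_LINES = [
    '10.0.0.5 - - [18/May/2021:10:01:02 +0000] "POST /api/telemetry HTTP/1.1" 200 12 "-" '
    '"Mozilla/4.0 (compatible;MSIE 6.0; Windows NT 5.0"',
    '10.0.0.6 - - [18/May/2021:10:01:05 +0000] "GET / HTTP/1.1" 200 512 "-" '
    '"Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.0)"',
]


def is_bizarro_ua(user_agent: str) -> bool:
    """Literal comparison: the typos are the signal, so do not normalize them away."""
    return user_agent.strip() == BIZARRO_UA


def scan_proxy_log(lines: List[str]) -> List[str]:
    """Return log lines whose user-agent field (the last quoted field in
    combined log format) is the Bizarro user agent."""
    hits = []
    for line in lines:
        quoted = re.findall(r'"([^"]*)"', line)
        if quoted and is_bizarro_ua(quoted[-1]):
            hits.append(line)
    return hits


def find_infection_markers(profile_dir: str) -> List[str]:
    """Look in a user profile directory for the empty '<runner>.jkl' marker
    written after the telemetry POST and for bizarro.txt, written once the
    backdoor reaches its C2. Returns the marker file names found, sorted."""
    profile = Path(profile_dir)
    names = [f.name for f in profile.glob("*.jkl") if f.is_file()]
    if (profile / "bizarro.txt").is_file():
        names.append("bizarro.txt")
    return sorted(names)


def demo_profile_dir() -> str:
    """Build a throwaway directory that looks like an infected profile
    (constructed for the example; the runner name is hypothetical)."""
    d = tempfile.mkdtemp(prefix="profile_")
    (Path(d) / "AutoHotkey.exe.jkl").touch()
    (Path(d) / "bizarro.txt").touch()
    (Path(d) / "notes.txt").touch()
    return d


if __name__ == "__main__":
    print(scan_proxy_log(SAMPLE_LOG_LINES))
    # On a real Windows host you would pass os.environ["USERPROFILE"] here.
    print(find_infection_markers(demo_profile_dir()))
```

The user-agent rule is cheap and precise precisely because of the typos; if the operators ever fix the string, the rule silently stops firing, so it should be paired with the host-side marker check rather than relied on alone.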
The most interesting messages that Bizarro displays are those that try to mimic online banking systems. To display such messages, Bizarro needs to download a JPEG image that contains the bank logo and instructions the victim needs to follow. These images are stored in the user profile directory in an encrypted form. Before an image is used in a message, it is decrypted with a multi-byte XOR algorithm. As the messages are downloaded from the C2 server, they can be found only on the victims’ machines.
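The report says the bank images are JPEGs stored XOR-encrypted with a multi-byte key. Because every JFIF file begins with the same bytes, a repeating-key XOR gives its key away to anyone holding a single ciphertext. The Python below is an added example, not Kaspersky's tooling or the malware's code; it assumes a repeating key shorter than the 11-byte JFIF header (the report does not state the key length or schedule), and the image bytes and key are constructed.

```python
from itertools import cycle
from typing import Optional

# SOI, APP0 marker, segment length 16, "JFIF\0": the start of every JFIF JPEG.
JPEG_JFIF_HEADER = bytes.fromhex("FFD8FFE000104A46494600")

# Constructed sample: a fake image (valid header, junk body) and a 4-byte key.
SAMPLE_KEY = bytes.fromhex("5AB3C91E")
SAMPLE_IMAGE = JPEG_JFIF_HEADER + b"constructed image body, not a real picture"


def xor_bytes(data: bytes, key: bytes) -> bytes:
    """Repeating-key (multi-byte) XOR; encryption and decryption are the same step."""
    if not key:
        raise ValueError("empty key")
    return bytes(b ^ k for b, k in zip(data, cycle(key)))


def recover_key(ciphertext: bytes, key_len: int, known_prefix: bytes = JPEG_JFIF_HEADER) -> bytes:
    """Known-plaintext attack: XOR of the first key_len ciphertext bytes with the
    expected plaintext header yields the key bytes."""
    if key_len > len(known_prefix) or key_len > len(ciphertext):
        raise ValueError("not enough known plaintext for that key length")
    return bytes(c ^ p for c, p in zip(ciphertext[:key_len], known_prefix[:key_len]))


def guess_key(ciphertext: bytes, max_len: int = len(JPEG_JFIF_HEADER) - 1) -> Optional[bytes]:
    """Try key lengths 1..max_len and accept the first whose recovered key
    decrypts the whole known header. max_len stays below the header length so
    at least one header byte is left over to verify the guess."""
    for n in range(1, max_len + 1):
        candidate = recover_key(ciphertext, n)
        if xor_bytes(ciphertext[: len(JPEG_JFIF_HEADER)], candidate) == JPEG_JFIF_HEADER:
            return candidate
    return None


# What would sit encrypted in the profile directory for the sample above.
SAMPLE_CIPHERTEXT = xor_bytes(SAMPLE_IMAGE, SAMPLE_KEY)


if __name__ == "__main__":
    key = guess_key(SAMPLE_CIPHERTEXT)
    print("recovered key:", key.hex() if key else None)
    if key:
        print("decrypted header OK:", xor_bytes(SAMPLE_CIPHERTEXT, key)[:2] == b"\xff\xd8")
```

For a responder this means the downloaded images can be decrypted from disk without the C2 being reachable, as long as the key repeats; a non-repeating or per-file keystream would need the routine to be lifted from the DLL instead.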
The first type of custom messages that Bizarro may show are messages that freeze the victim’s machine, thus allowing the attackers to gain some time. When a command to display a message like this is received, the taskbar is hidden, the screen is greyed out and the message itself is displayed. While the message is shown, the user is unable to close it or open Task Manager. The message itself tells the user either that the system is compromised and thus needs to be updated or that security and browser performance components are being installed. This type of message also contains a progress bar that changes over time.
Other messages try to convince the victim that their system is compromised. In most of them, Bizarro tells the user not to worry about any transactions that occur during the "security update", as they only serve to confirm the client's identity. This makes victims more willing to approve every transaction the attackers request.
Bizarro also tries to lure victims into sending their two-factor authentication codes to the attackers. Another feature researchers observed is an attempt to convince the victim to install a malicious app on their smartphone. It first displays a window asking the victim which mobile operating system they use.
If the victim chooses Android, the C2 server sends a link to the malicious application, and the Bizarro client on the PC turns it into a QR code using the Google Charts API for the victim to scan.
With the help of the commands that the Bizarro developers have included in the Trojan, adversaries may stage an attack with the following scenario:
Although Bizarro is a dangerous strain, it is preventable. Much of its infection chain can be interrupted with the right security tools. One of these tools is SaferNet.
SaferNet is the perfect solution to the cybersecurity issues that individuals, families, and businesses face today. It not only connects every device using a secure, 24/7 always-on, military-grade VPN, but it also stops outside cyberthreats, malware and viruses as well. On SaferNet, all users are protected anywhere in the world, all the time, on any cellular or Wi-Fi network. In addition to SaferNet's VPN and cyber protection, it also offers a range of employee or parental/family internet controls including internet filtering, monitoring, scheduling, and blocking access to websites or even entire website categories.
Typically, a business or family would need three separate services for a VPN, malware protection, and internet controls; SaferNet offers all three features in one service. SaferNet truly is an endpoint security presence that can be implemented in minutes around the world, on phones, laptops, tablets, and computers at an economical price point that caters to all sizes of businesses and families. SaferNet guarantees a smooth setup and installation process that takes only minutes, and an easily accessible control hub for you to monitor all your employees' or family members' devices, including activity, time spent online, and threats blocked.