Brazilian Banking Trojan Horse Bizarro Spreads Around the World

The new malware from Brazil, named Bizarro, has already targeted dozens of banks around the world, including eight French banks.

It comes straight from Brazil, the eternal country of the future. Its name is Bizarro, and it is a new banking Trojan. Identified by Kaspersky's security researchers, it has already targeted no fewer than 70 banks in South America and Europe. The malware, which at first operated only locally, in a country with a very active cybercriminal underground, has now spread worldwide.

Did you say “bizarre”? No, Bizarro!

Bizarro is a new family of banking Trojans from Brazil. It has been identified in Mexico, Peru, Chile, Germany, Spain, Portugal and, of course, Brazil. “In banking malware, we are now witnessing a new, game-changing trend: regional players are now actively attacking users not only in their region but also around the world. Thanks to the new techniques employed, Brazilian malware families have proliferated in other continents, and Bizarro, which targets European users, is a perfect example,” explains Fabio Assolini, cybersecurity expert at Kaspersky.

Kaspersky explains that, like the Tetrade malware (a group of four Trojan families: Guildma, Javali, Melcoz and Grandoreiro), Bizarro operates through affiliates and recruits money mules. The mules then take part in the attacks by transferring stolen funds, or simply by providing translations.

Bizarro is all the more worrying for its ability to cover its tracks: it uses obfuscation and anti-analysis techniques that make it hard to detect and to analyse. It also relies on clever social engineering to persuade its targets and potential victims to hand over their banking credentials.

Malware that uses social engineering, then captures the screen

To spread, Bizarro is packaged as a Microsoft Installer (MSI) file that victims download by clicking links in fraudulent emails. Once run, Bizarro downloads a ZIP archive from a website set up by the attackers, which unlocks the rest of its malicious functionality.

Bizarro's next step is to send data to its telemetry server, hosted on Azure or AWS (compromised WordPress sites have also been used as hosting). The Trojan then launches its screen-capture module. According to Kaspersky, Bizarro's backdoor supports more than 100 commands. Most of them are used to display fake pop-ups on the victim's screen that imitate the messages of online banks and lead the user to believe that security updates are being installed.
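The delivery chain described above (a user-launched MSI package followed shortly by a ZIP download from a web server) is something a SOC can correlate in endpoint and proxy telemetry. The following is an added example written for this page, not code from the article or from Kaspersky: a small correlation rule over a constructed set of process and HTTP events. The hostnames, file names, paths and the five-minute window are assumptions chosen for illustration, not indicators from the Bizarro report.

```python
"""Added example (not from the article or from Kaspersky): flag hosts where a
Microsoft Installer package is run from a user download location and the same
host then fetches a ZIP archive from an external web server within a short
window. All event data below is constructed for the example; none of the
hostnames, paths or file names are real indicators."""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample telemetry: (timestamp, host, event type, detail).
# ws-041 shows the suspicious chain; ws-017 is a vendor installer from
# Program Files (benign); ws-099 downloads a ZIP with no MSI beforehand.
SAMPLE_EVENTS = [
    ("2021-05-17T10:02:11", "ws-041", "process",
     r"C:\Windows\System32\msiexec.exe /i C:\Users\ana\Downloads\fatura_2021.msi"),
    ("2021-05-17T10:02:40", "ws-041", "http",
     "GET https://example-wordpress-site.invalid/wp-content/uploads/update.zip"),
    ("2021-05-17T10:03:05", "ws-041", "http",
     "POST https://telemetry.example.invalid/collect"),
    ("2021-05-17T11:15:00", "ws-017", "process",
     r"C:\Windows\System32\msiexec.exe /i C:\Program Files\Vendor\setup.msi"),
    ("2021-05-17T11:16:00", "ws-017", "http",
     "GET https://vendor.example.invalid/pkg.zip"),
    ("2021-05-17T12:00:00", "ws-099", "http",
     "GET https://cdn.example.invalid/archive.zip"),
]

# Assumed locations where a user-downloaded installer would land.
USER_DOWNLOAD_MARKERS = ("\\downloads\\", "\\appdata\\local\\temp\\")
# Assumed correlation window between the MSI launch and the ZIP fetch.
WINDOW = timedelta(minutes=5)


def parse(ts):
    return datetime.fromisoformat(ts)


def is_user_msi_install(detail):
    """True for msiexec runs whose package sits in a user download location."""
    d = detail.lower()
    return ("msiexec.exe" in d and d.endswith(".msi")
            and any(marker in d for marker in USER_DOWNLOAD_MARKERS))


def is_zip_download(detail):
    d = detail.lower()
    return d.startswith("get ") and d.endswith(".zip")


def find_delivery_chains(events, window=WINDOW):
    """Return (host, msi_timestamp, zip_url) for every user-launched MSI that is
    followed, on the same host and within `window`, by a ZIP download."""
    by_host = defaultdict(list)
    for ts, host, kind, detail in events:
        by_host[host].append((parse(ts), kind, detail))
    hits = []
    for host, evs in by_host.items():
        evs.sort()
        for i, (t0, kind, detail) in enumerate(evs):
            if kind != "process" or not is_user_msi_install(detail):
                continue
            for t1, kind1, detail1 in evs[i + 1:]:
                if t1 - t0 > window:
                    break  # events are sorted, nothing later can match
                if kind1 == "http" and is_zip_download(detail1):
                    hits.append((host, t0.isoformat(), detail1.split(" ", 1)[1]))
                    break
    return hits


if __name__ == "__main__":
    for host, when, url in find_delivery_chains(SAMPLE_EVENTS):
        print(f"{host}: MSI run at {when}, then ZIP fetched from {url}")
```

This is a coarse heuristic: any legitimate installer saved to Downloads that fetches a ZIP as part of its setup will trip it, so in practice the rule is paired with an allowlist of known installer download domains and with the later stages the article mentions (a browser-like process posting telemetry to cloud hosting, followed by screen capture) to raise confidence before escalation.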

An example of Bizarro blocking the login page of an online bank and making the user believe that security updates are being installed (© Kaspersky)

