IBM X-Force researchers analyzed new financial malware that targets major Brazilian banks through their business banking customers. The malware was dubbed CamuBot because it attempts to camouflage itself as a security module required by the banks it targets.
CamuBot emerged in Brazil in August 2018 in what appeared to be targeted attacks against business banking users. According to X-Force’s findings, the malware’s operators are actively using it to target companies and public sector organizations, mixing social engineering and malware tactics to bypass strong authentication and security controls.
A Brazilian Standout
Unlike other malware operated in Brazil, CamuBot is a distinctly new codebase. Very different from typical banking Trojans, CamuBot does not hide its deployment. On the contrary, it is highly visible, using bank logos and overall brand imagery to pass as a security application. It thus gains victims’ trust and leads them to install it without realizing they are running an installation wizard for a Trojan horse.
CamuBot is more sophisticated than the remote-overlay type malware commonly used in fraud schemes targeting users in Brazil. Instead of simplistic fake screens and a remote access tool, CamuBot tactics resemble those used by Eastern European-made malware such as TrickBot, Dridex and QakBot, each of which focuses on business banking and blends social engineering with malware-assisted account and device takeover.
Hello, It’s a Phish Calling
CamuBot’s fraud method is a mix of elements that are designed to lure potential victims into installing the malware on their device and then walk them through unknowingly authorizing a fraudulent transaction.
To carry out their attacks, CamuBot operators begin with some basic reconnaissance to find businesses that bank with a certain financial institution. They then initiate a phone call to the person who would likely have the business’s bank account credentials.
The attackers identify themselves as bank employees and instruct the victim to browse to a certain URL to check whether his or her security module is up to date. Of course, the validity check comes up negative, and the attackers trick the victim into installing a “new” security module for his or her online banking activity.
Those lured into downloading the module are advised to close all running programs and run the installation with a Windows administrator profile.
Figure 1: CamuBot, disguised as a fake app, asks for minimum requirements before installation
At this point, a fake application that features the bank’s logos starts downloading. Behind the scenes, CamuBot is fetched and executed on the victim’s device. The name of the file and the URL from which it is downloaded change in every attack.
Figure 2: CamuBot, disguised as a fake app, completes installation
As part of its simplistic infection routine, CamuBot writes two files to the %ProgramData% Windows folder to establish a proxy module on the device. The executable’s name is not static and changes in every attack. It then adds itself to the firewall’s rules to appear trusted, and it does the same for the antivirus:
"C:\Windows\System32\netsh.exe" firewall add allowedprogram "<malware_dropper_directory>" Anti-Virus ENABLE
Figure 3: CamuBot edits Windows Firewall settings to appear trusted
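The netsh command above is a detection opportunity: a legitimate security product does not register itself from a freshly created folder under a generic name like “Anti-Virus”. The following is an added example (not X-Force code) that parses netsh allow-rule command lines, in the legacy form shown above and in the newer advfirewall form, and flags rules whose program lives in a user-writable folder or whose name poses as security software; the folder list, the name list and the sample command lines are constructed for the example.

```python
"""Added detection example (not X-Force code): flag netsh allow-rules that whitelist a
program in a user-writable folder or pose as security software, as CamuBot's rule does."""
import re

TOKEN = re.compile(r'(?:[^\s"]+|"[^"]*")+')  # one Windows argv token, quotes kept
# Assumed drop locations; the article only gives "<malware_dropper_directory>".
WRITABLE_DIRS = ("\\programdata\\", "\\users\\public\\", "\\appdata\\local\\temp\\", "\\windows\\temp\\")
IMPERSONATED_NAMES = ("anti-virus", "antivirus", "security")  # constructed list


def parse_firewall_allow(cmdline):
    """Return {'program', 'rule_name'} for a netsh allow-rule in the legacy form the
    article shows or the 'advfirewall firewall add rule ... program=' form; else None."""
    toks = [t.replace('"', "") for t in TOKEN.findall(cmdline)]
    if not toks or toks[0].lower().rsplit("\\", 1)[-1] not in ("netsh", "netsh.exe"):
        return None
    low = [t.lower() for t in toks[1:]]
    kv = {k.lower(): v for k, v in (t.split("=", 1) for t in toks[1:] if "=" in t)}
    if low[:3] == ["firewall", "add", "allowedprogram"]:
        pos = [t for t in toks[4:] if "=" not in t]  # positional: <path> <name> [ENABLE]
        program = kv.get("program") or (pos[0] if pos else None)
        name = kv.get("name") or (pos[1] if len(pos) > 1 else "")
        return {"program": program, "rule_name": name} if program else None
    if low[:4] == ["advfirewall", "firewall", "add", "rule"]:
        if kv.get("action", "").lower() == "allow" and "program" in kv:
            return {"program": kv["program"], "rule_name": kv.get("name", "")}
    return None


def assess(cmdline):
    """Return why an allow-rule command is suspicious, or None if it looks benign."""
    rule = parse_firewall_allow(cmdline)
    if rule is None:
        return None
    reasons = []
    if any(d in rule["program"].lower() for d in WRITABLE_DIRS):
        reasons.append("program in user-writable folder")
    if any(w in rule["rule_name"].lower() for w in IMPERSONATED_NAMES):
        reasons.append("rule name impersonates security software")
    return "; ".join(reasons) or None


# Constructed process-creation command lines with placeholder paths (not real IoCs).
SAMPLE_CMDLINES = [
    r'"C:\Windows\System32\netsh.exe" firewall add allowedprogram "C:\ProgramData\xk71\svcmod.exe" Anti-Virus ENABLE',
    r'netsh advfirewall firewall add rule name="Core Networking" dir=in action=allow program="C:\Program Files\Vendor\app.exe"',
    r'netsh advfirewall firewall add rule name="Banco Seguro" dir=in action=allow program="C:\Users\Public\proxy.exe"',
    r"netsh interface ip show config",
]
FINDINGS = [(c, assess(c)) for c in SAMPLE_CMDLINES if assess(c)]  # two hits expected
```

Fed with process-creation command lines (for example Sysmon Event ID 1 or Windows Security Event 4688 with command-line auditing enabled), the same logic works as a hunting query for this persistence-and-evasion step.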
To communicate with the infected device, CamuBot establishes a Secure Shell (SSH)-based SOCKS proxy. According to X-Force’s analysis, the SSH module’s dynamic link library (DLL) is a free tool that was obtained via GitHub. The DLL file is named “%TEMP%\Renci.SshNet.dll”.
The proxy module is loaded and establishes port forwarding. This feature is generally used for two-way tunneling of application ports between a client device and a server. In CamuBot’s case, the tunnel allows attackers to direct their own traffic through the infected machine and use the victim’s IP address when accessing the compromised bank account.
After installation completes, a pop-up screen redirects the victim to a phishing site purporting to be their bank’s online banking portal. The victim is asked to log into his or her account, thereby unknowingly sending the credentials to the attacker.
At this point, if the credentials are sufficient for an account takeover, the attacker hangs up.
Can CamuBot Beat Biometric Authentication?
In cases where CamuBot’s operators run into a strong authentication device that’s attached to the endpoint, the malware can fetch and install a driver for that device. The victim is then asked to enable remote sharing of the device. Trusting that they are speaking to a bank representative, the victim may authorize the access, not knowing that by sharing access to the connected device, they can allow the attacker to intercept one-time passwords generated for authentication purposes.
Figure 4: CamuBot fetches and installs a driver for a connected device used in strong authentication
With the one-time code in hand, the criminals can attempt a fraudulent transaction, tunneling it through their IP address to make the session seem legitimate on the bank’s side.
According to X-Force researchers, a more concerning possibility was that the device driver deployed by CamuBot also appeared to support other devices supplied by the same vendor, some of which are used for biometric authentication. If the same remote sharing is authorized by a duped user, he or she could unknowingly compromise the biometric authentication process.
Distribution and Targets
The delivery of CamuBot is personalized. Since the malware’s operators target businesses in Brazil, it is very possible that they gather information from local phone books, search engines or professional social networks to get to people who own a business or would have the business’s bank account credentials.
At this time, CamuBot targets business account holders in Brazil. X-Force researchers have not seen CamuBot used in other geographies, but that may change over time. Keep up to date on CamuBot on X-Force Exchange.
Some CamuBot Samples Observed
The post CamuBot: New Financial Malware Targets Brazilian Banking Customers appeared first on Security Intelligence.