A new financial malware, posing as a security application, is targeting business banking customers in Brazil. Dubbed CamuBot, the malware uses bank logos and brand imaging to look like a security module required by the banks it targets, according to researchers at IBM X-Force.
CamuBot differs from other banking Trojans, which hide their deployment. It gains the victim's trust so that the victim installs the "security application" themselves, unaware that they are running the installation wizard for a Trojan horse.
According to the IBM X-Force findings, CamuBot emerged in Brazil in August this year. Its operators use it to attack companies and public-sector organizations and to bypass strong authentication and other security controls.
The malware operators first identify businesses that bank with a particular financial institution. They then phone the person likely to hold the credentials for the business bank account. The callers identify themselves as bank employees and state that the purpose of the call is to check whether the victim's security module is up to date.
The attackers provide a URL for checking the update status, which, of course, reports that the module is out of date. They then ask the victim to install a new security module for online banking. While the module downloads, they also advise the victim to close all running programs and to run the installation under a Windows administrator profile.
In the background, the malware executes on the victim's device and writes two files to the Windows ProgramData folder. This establishes a proxy module on the device so that CamuBot appears trusted to the firewall rules and antivirus.
Once the installation completes, the victim is redirected to a phishing website that looks like their bank's online portal. The victim is asked for their bank login details, and this is where the biggest mistake happens: the banking credentials are unknowingly sent to the attackers.
The attackers disconnect the call if they successfully take over the account.
If the victim uses a strong-authentication device that generates one-time passwords (OTPs), the attackers install a driver for that device that allows it to be shared remotely. Because the victim believes they are talking to a bank executive, they may authorize the access, and the attackers can then intercept the OTPs as well.
Furthermore, the installed drivers can help the attackers capture biometric authentication too.
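The article describes three host-side traces of the scheme: executable files dropped into the Windows ProgramData folder, a firewall exception that makes the new "security module" appear trusted, and a device-sharing driver installed shortly afterwards. The following detection logic is an added example, not code from the article or from IBM X-Force: it correlates those three event types per host over a time window. The event records, field names, file paths and the driver name are all constructed for the example (they are not CamuBot indicators), and the event shape assumes a generic endpoint-telemetry feed such as file-creation, firewall-rule and driver-install records.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample telemetry (not real CamuBot IoCs): the first host shows
# the drop -> firewall allow -> driver install pattern described above, the
# second host shows ordinary vendor activity that must not be flagged.
SAMPLE_EVENTS = [
    {"ts": "2018-08-20T10:02:11", "host": "acct-pc-07", "type": "file_create",
     "path": r"C:\ProgramData\SecModule\secmod.exe"},
    {"ts": "2018-08-20T10:02:12", "host": "acct-pc-07", "type": "file_create",
     "path": r"C:\ProgramData\SecModule\proxy.dll"},
    {"ts": "2018-08-20T10:03:40", "host": "acct-pc-07", "type": "firewall_rule_add",
     "program": r"C:\ProgramData\SecModule\secmod.exe", "action": "allow"},
    {"ts": "2018-08-20T10:09:05", "host": "acct-pc-07", "type": "driver_install",
     "name": "usb-share-hypothetical.sys"},   # hypothetical driver name
    {"ts": "2018-08-20T11:30:00", "host": "hr-pc-02", "type": "file_create",
     "path": r"C:\ProgramData\Vendor\cache.tmp"},
    {"ts": "2018-08-20T11:31:00", "host": "hr-pc-02", "type": "firewall_rule_add",
     "program": r"C:\Program Files\Vendor\app.exe", "action": "allow"},
]

EXEC_EXT = (".exe", ".dll", ".sys")


def _in_programdata(path):
    """True when the path sits under C:\\ProgramData (case-insensitive)."""
    return path.lower().replace("/", "\\").startswith("c:\\programdata\\")


def correlate(events, window_minutes=30):
    """Return {host: [finding, ...]} for hosts where an executable dropped into
    ProgramData is followed, within the window, by a firewall allow rule for
    that same file and/or a driver installation on the same host."""
    by_host = defaultdict(list)
    for ev in events:
        by_host[ev["host"]].append(dict(ev, when=datetime.fromisoformat(ev["ts"])))
    window = timedelta(minutes=window_minutes)
    findings = {}
    for host, evs in by_host.items():
        evs.sort(key=lambda e: e["when"])
        drops = [e for e in evs
                 if e["type"] == "file_create"
                 and _in_programdata(e["path"])
                 and e["path"].lower().endswith(EXEC_EXT)]
        for drop in drops:
            # Only look at events that happen after the drop, inside the window.
            later = [e for e in evs
                     if drop["when"] <= e["when"] <= drop["when"] + window]
            fw = [e for e in later
                  if e["type"] == "firewall_rule_add"
                  and e.get("action") == "allow"
                  and e["program"].lower() == drop["path"].lower()]
            drv = [e for e in later if e["type"] == "driver_install"]
            if fw or drv:
                findings.setdefault(host, []).append({
                    "dropped": drop["path"],
                    "firewall_allow": bool(fw),
                    "driver_install": [e["name"] for e in drv],
                })
    return findings


if __name__ == "__main__":
    for host, hits in correlate(SAMPLE_EVENTS).items():
        for hit in hits:
            print(host, hit)
```

Run as-is, only `acct-pc-07` is reported: `secmod.exe` with a matching firewall allow rule and the later driver install, and `proxy.dll` with the driver install alone. `hr-pc-02` is ignored because the ProgramData file is not executable and its firewall rule points elsewhere. In a real deployment the records would come from an EDR or Sysmon-style feed, and the output is a hunting lead for the analyst rather than an automatic block, since legitimate installers also write to ProgramData and add firewall exceptions.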
Researchers believe the malware operators collect contact information from local phone books, search engines, and social networks in order to reach the business owner or the person likely to hold the bank account details.
Currently, CamuBot is targeting business bank accounts in Brazil, but researchers believe it may reach other geographies as well.