European and South American banks under Bizarro's attack: the banking virus that comes from Brazil

Author Alessandro 20 May 2021

A few days after the appearance of Teabot, a banking trojan for Android devices discovered by the Threat Intelligence and Incident Response team (TIR), banks are on alert again because of Bizarro, a new banking malware that comes from Brazil and has hit 70 banks in various South American and European countries.

Bizarro, the banking virus strikes Europe

The new Bizarro banking virus, which originated in Brazil, first spread to Argentina and Chile and quickly reached Germany, Spain, Portugal, France and Italy.

How the virus spreads

Mobile users are persuaded to download a smartphone app that contains the virus. Once the app has been installed, Bizarro prompts users to enter two-factor authentication codes through fake pop-up windows designed to look like the notifications sent by real online banking systems; the codes are thus sent to the attackers. On desktop systems the infection spreads through attachments and links contained in spam emails: one click on the attachment, link or infected file starts the malware, which automatically downloads a .zip archive from a hacked site to implement its malicious functionality.

How data theft happens

In both cases, when Bizarro starts it terminates all browser processes, closing any existing session with home banking websites, clears saved passwords and disables auto-completion. When the user restarts the browser, they are prompted to re-enter their bank account credentials, which are then captured by the malware. Moreover, Bizarro is able to execute 100 commands from a remote server, which allows the hackers to collect a great deal of other information about the user.

Why it is so dangerous

Bizarro, like the aforementioned Teabot, is just the latest of many banking malware families, which are among the most recent and dangerous cyber threats. The main security problem created by the Bizarro virus lies in how difficult it is to detect. In fact, according to what the researchers revealed, the virus belongs to a new family of Trojans that adopts various methods to prevent its analysis and detection, and that uses backdoors and compromised servers hosted on Amazon, WordPress and Azure to get past antivirus software.

Why there are so many banking Trojans

Cybercriminals are continually developing new techniques to spread credential-stealing malware for electronic payment and online banking systems, and this phenomenon is spreading more and more globally. According to experts, we are seeing a revolution in the distribution of banking malware. This is especially true at the geographic level: hackers now actively attack users not only in their region of origin but also around the world. By implementing new techniques, malware families, especially Brazilian ones, are also distributed to other continents, like Bizarro, which targets not only Latin American users but also European ones.

What is a banking Trojan

A trojan is a type of computer virus that attempts, and often succeeds, to install itself on computer systems without being detected by security systems.

Trojan viruses owe their names to Ulysses' Trojan horse

Trojan viruses owe their names to the Trojan horse, the famous stratagem Ulysses used to enter the city of Troy, considered impregnable, through the enormous wooden sculpture left by the Greeks at the gates of Troy as a false sign of surrender. When the Trojans saw the horse, they believed that the Greeks had surrendered and carried it inside the city. During the night, following the celebrations for the supposed victory, when the soldiers were all drunk and asleep, Ulysses and his men, hidden inside the horse, came out and opened the gates of the city, allowing the rest of the Greek army to enter and secure victory.

Trojans use the same trick: they hide the threat, often introducing it into the computer through the installation of free software or by disguising themselves as an email attachment (in so-called phishing emails) designed to catch the attention of the unsuspecting user and make them download the virus. Once installed, the trojan is able to create a backdoor on the victim's device, connect to servers defined by the hacker and download the virus that will be used to steal money from the online bank account. The banking Trojan is in fact only the beginning of the attack. Its function, like the Trojan horse, is to open the doors of the computer to the actual malware and allow it to install itself on the system.

Typical stages of a trojan banking attack

  • the user downloads the infected app from an unsafe source or clicks on the attachment containing the trojan
  • the user opens the e-banking app
  • the trojan detects the e-banking app used by the user and replaces its interface with an almost identical one
  • the user enters their credentials in the fraudulent interface, which sends them to the hacker
  • the hacker uses the credentials to access the victim's account and request a transaction
  • the e-banking app requires the second verification step by sending the user an SMS or email with a one-time password
  • the trojan intercepts the security code in the SMS or email and sends it to the hacker; the victim does not receive the message and does not notice anything
  • the hacker enters the security code and steals money from the victim

Security tips for online bank accounts

It is clear that two-step verification is not enough to prevent this type of attack. As just shown, most of the latest-generation banking Trojans are in fact able to bypass the obstacle of two-step verification, because both authentication factors can be obtained by the hacker with the same virus and on the same device as the victim.

What users can do against banking viruses

The human factor is the weak element of any security system. Consequently, it is the user who must pay particular attention to the following:

  • do not download unsafe apps and programs. Download apps for smartphones and tablets only from official stores (App Store for iOS devices, Play Store for Android, Microsoft Store for Windows Phone). Even when using official stores, always check user reviews before downloading an app
  • do not download files from untrusted sites
  • pay attention to links and attachments in emails and SMS messages. Do not open email attachments from senders you don't know personally. Among Bizarro's favorite fake senders are WordPress, Amazon and other services used by the victim, chosen to make the user trust the message received
  • when you open the browser, type the address of your bank's website yourself
  • install an antivirus on both desktop and smartphone
  • if available, use biometric authentication factors: lock your e-banking app with a password or fingerprint
  • if your bank allows it, use a security token
  • create a strong password for your e-banking account and change it once a month
  • set your device's operating system to update automatically so you get the latest security patches
  • do not enter personal or banking data unless you are sure the communication comes from an official account. Your bank already has your personal data and account login credentials; if you receive a message asking you to verify them, it is almost certainly a fraudulent email
  • pay attention to the websites you visit: addresses starting with http:// are less secure than those starting with https://

What banks can do against banking viruses

Against these growing threats, banks are advised to keep their security teams constantly up to date by sending them to appropriate refresher courses, and to implement anti-fraud solutions that can detect even the most sophisticated attacks.

Above all, however, banks are urged to educate and inform their customers about the tricks attackers could use to steal accounts and money, by regularly sending guidance on how to recognize fraud and advice on how to act in case of attack.

Trojan horse image: Luigi Ricca
