Bizarro Banking Trojan Looks for Victims in Latin America and Europe


The Bizarro Banking Trojan, sometimes spelled Bizzaro, is a threat that first emerged in South America. After only a few months of activity in that region, its operators chose to expand their operation by going after victims in Europe. The latest iteration of the Bizarro Banking Trojan is able to target over 70 unique banks and financial institutions active in both regions.

Although many of the banking Trojans active in Latin America are exclusive to Android, the Bizarro Banking Trojan is different. Windows systems are its primary focus, but the malware also tries to deliver malicious Android software via fake pop-ups – probably in an attempt to compromise the victim's mobile device and gain access to two-factor authentication codes.

Typically, the first contact between the attackers and their victims occurs via a malicious email message that carries a file attachment. The criminals have made no effort to mask the payload – it comes as an MSI installer that poses as a legitimate app. This sets the campaign apart from most others of its kind, which rely on Microsoft Office files that pack a malicious script.

Bizarro Checks for Virtual Environments and Particular Security Software

Once executed, the Bizarro Banking Trojan gathers basic system details such as the presence of antivirus software, the default Web browser, the Windows version, and the name of the computer. To prepare the compromised system for the attack, it closes all running browsers and terminates the connection to all supported banking portals. It also disables the browser's autofill feature. This way, the malware ensures that the victim will need to re-enter their username and password when they next access their online bank account.

The criminals are able to send over 100 unique commands to the active implant. These serve various purposes, such as:

  • Displaying fake errors, warnings, and alerts.
  • Displaying a fake two-factor authentication overlay.
  • Spawning a fake prompt to download and install an Android app that promises to 'enhance security' – in reality a malicious tool meant to extract two-factor authentication codes.
  • Controlling the mouse and keyboard.
  • Uploading, downloading, and running files.
  • Logging keystrokes.
  • Restarting or shutting down the computer, damaging Windows, and more.

Another notable feature of the Bizarro Banking Trojan is its ability to monitor the clipboard in case the user copies a Bitcoin address. If it detects a string that is a valid Bitcoin address, the Trojan replaces it with a wallet address owned by the attackers. This way, they can silently redirect Bitcoin transactions.

The Bizarro Banking Trojan uses highly sophisticated social-engineering strategies to gain the user's trust and trick them into performing actions that their bank would never ask them to do. Banking Trojan operators are becoming increasingly stealthy in their attacks, and users must stay one step ahead of them by investing in reputable anti-malware software.

May 18, 2021