Brazilian Bizarro Banking Trojan Reaches Across the Atlantic

The Bizarro banking trojan, originating in Brazil, has now made its way across the ocean and is targeting victims based in Europe, according to cyber security researchers.

Bizarro is one of the four big banking Trojans that have been plaguing South American countries for a while now. The four are collectively known as the Tetrade, and Bizarro is one of the more prominent members of that notorious group.

After initially spreading across South America and starting to target victims in countries adjacent to Brazil, such as Chile and Argentina, the banking Trojan is now making its way across the pond and infecting victims in Portugal, Spain, France and Italy.

Bizarro employs clever social engineering tricks to try to lure its victims into installing the malware unwittingly. The usual distribution chain starts with malicious spam emails that carry an MSI installer package. The emails pretend to originate from tax authorities and contain supposedly important messages that create a sense of urgency in the victim and lure them into opening any attached files.

The installer, once executed, fetches a compressed file from a previously compromised site, usually one hosted on Amazon Web Services or Azure servers. Bizarro has also fetched its payload from compromised WordPress domains.

The .zip file that carries the payload holds several components, including a Delphi .dll file and a script that calls a malicious function exported by that .dll.

Once deployed, the banking Trojan does something quite conspicuous, although regular users may not realise that anything is wrong: Bizarro terminates every browser process it finds and forces the user to restart their session. When the user then logs back into their banking service, the malware captures their credentials.
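The forced browser restart is the most visible part of this chain, and a defender can hunt for it: a single non-browser process terminating several different browsers within a short window is unusual on a workstation. The following is an added illustration, not code from the article or from any vendor; it runs over a constructed, simplified event format (timestamp, acting process, terminated process) rather than real telemetry.

```python
from collections import defaultdict
from datetime import datetime, timedelta

BROWSERS = {"chrome.exe", "firefox.exe", "msedge.exe", "iexplore.exe", "opera.exe"}

# Constructed sample events (not real logs): timestamp, acting process, terminated process.
# "update_helper.exe" is a made-up name standing in for an unknown dropped binary.
EVENTS = [
    ("2021-05-19T10:00:01", "explorer.exe", "notepad.exe"),
    ("2021-05-19T10:02:10", "chrome.exe", "chrome.exe"),        # browser closing its own child
    ("2021-05-19T10:05:00", "update_helper.exe", "chrome.exe"),
    ("2021-05-19T10:05:01", "update_helper.exe", "firefox.exe"),
    ("2021-05-19T10:05:02", "update_helper.exe", "msedge.exe"),
    ("2021-05-19T10:40:00", "taskmgr.exe", "firefox.exe"),      # one browser: a normal user action
]


def find_browser_killers(events, window_seconds=60, min_browsers=2):
    """Return {actor: sorted browser names} for every non-browser process that
    terminated at least `min_browsers` distinct browsers within `window_seconds`."""
    by_actor = defaultdict(list)
    for ts, actor, victim in events:
        victim, actor = victim.lower(), actor.lower()
        # Browsers killing their own helper processes are routine; ignore them.
        if victim in BROWSERS and actor not in BROWSERS:
            by_actor[actor].append((datetime.fromisoformat(ts), victim))

    hits = {}
    for actor, kills in by_actor.items():
        kills.sort()
        for i, (t0, _) in enumerate(kills):
            # Distinct browsers terminated in the window starting at this kill.
            in_window = {v for t, v in kills[i:] if t - t0 <= timedelta(seconds=window_seconds)}
            if len(in_window) >= min_browsers:
                hits[actor] = sorted(in_window)
                break
    return hits


if __name__ == "__main__":
    for actor, browsers in find_browser_killers(EVENTS).items():
        print(f"suspicious: {actor} terminated {', '.join(browsers)}")
```

On real endpoints the "acting process" field is the hard part: Sysmon's ProcessTerminate event (ID 5) records only the process that ended, so this logic needs EDR data that names the caller, or correlation with Sysmon ProcessAccess events (ID 10) where a non-browser source opened a browser with terminate rights.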

A curious little detail is that Bizarro disables form autocomplete in every browser, so that the user is forced to type out their login credentials in full, feeding the complete strings to the malware, which then sends them to its command and control server.

Bizarro has a fearsome range of malicious capabilities, including clipboard monitoring and replacement to redirect cryptocurrency transfers, remote control of both mouse and keyboard input, and the creation of fake pop-up notifications.

Whether the spread of the Trojan will continue on the old continent remains to be seen.

May 19, 2021