A new trojan malware specifically goes after online banking users. The Bizarro virus deploys multiple techniques including social engineering to steal login credentials to a bank.
Originated in South America, Bizarro appears to have significantly expanded its scope. The banking trojan is now actively targeting e-banking users in Europe (Germany, Spain, Portugal, France, Italy) and South America (Chile, Argentina, Brazil).
New banking trojan malware virus targeting Windows and Android to steal credentials:
Bizarro is currently targeting customers of 70 banks in Europe and South America. Its creators are constantly developing and improving the malware to include more banking institutions.
Once the malware lands on a Windows 10 PC, it can force users into entering banking credentials. It also uses social engineering to steal two-factor authentication codes.
The malware campaign happens through cleverly crafted phishing emails. These messages appear as official-looking tax-related instructions informing online banking users of outstanding obligations. The emails contain a download link that retrieves Bizarro as an MSI package.
— BleepingComputer (@BleepinComputer) May 22, 2021
If a victim launches the package, assuming the email is authentic, the malware downloads malicious components from hacked WordPress, Amazon, and Azure servers. The payload is a ZIP archive that executes the attack.
Kaspersky researchers note that Bizarro’s core component is its backdoor functionality. The malware has several commands to access multiple backdoor components.
The malware’s operators can trick users into providing the bank account login information by showing them message boxes or windows asking for login data or two-factor authentication codes.
70 European and South American Banks Under Attack By Bizarro Banking Malware – Tricks users into entering two-factor authentication codes in fake pop-up windows as well as its reliance on social engineering.https://t.co/tqfcPNZcxh #CyberSecurity #Banking #FinancialServices
— Daniel Brody (@BrodyIllusive) May 22, 2021
Victims may see a variety of fake messages such as notifications requesting the details again or asking to enter a confirmation code. The virus can also display a bogus Windows 10 error informing that the system needs a restart to complete a security-related operation.
Bizarro creators have also created JPEG images containing a target bank’s logo and instructions for the victim. These messages sometimes block access to the entire screen and even hide the taskbar.
How does Bizarro banking malware trick users into giving up e-banking login credentials?
The creators of the malware have ensured that Bizarro becomes active only after it enumerates all windows to check for a connection to one of the supported banking sites. Simply put, the malware makes sure the victim is accessing his bank’s online portal before commencing the attack.
Once confirmed, Bizarro terminates any existing e-banking sessions by killing all browser processes. Unsuspecting online banking users then re-enter the bank account credentials, allowing the malware to collect them.
Online banking portals often offer virtual keyboard functions to shield from keyloggers. The malware may fail if users stick to this system of clicking each letter and number.
We've made additions, and minor updates, to the vx-underground samples collection. Listed under 'Exotic Malware' are samples for:
* Fritz Frog
* Silver Sparrow
— vx-underground (@vxunderground) May 19, 2021
However, internet users often store their login credentials in their favorite web browser. The Bizarro malware disables this auto-complete function in a web browser to force users to reenter the login credentials, stealing the information in the process.
Since such attacks can work on any web browser, the creators of Bizarro have reportedly expanded to the Android smartphone operating system as well.