This malware variant targets Brazilian banking institutions clients
A large numbers of customers from different Brazilian banks are being warned about a malware known as CamuBot, hidden in plain sight and presented to the victim as a security module required for the final user provided by the bank. This malware even includes logos from banks that make it look as part of a real security application. In some cases, malware can also hijack unique-use passwords used for biometric authentication.
Ethical hacking experts responsible for analyzing the behavior of this malware mention that CamuBot was first detected in August 2018, during an attack directed against business class banking clients. The name CamuBot is due to its ability to camouflage appearing to be a legitimate application.
“The hackers behind this campaign are actively using CamuBot to target public sector companies and private organizations, using a combination of social engineering and malware tactics to bypass strong authentication and security controls”, the ethical hacking experts mentioned in recent days.
It is believed that the malware distribution is deployed in a very individualized way; it is possible that hackers collect information about potential victims of local phone guides, search engines, or social networks such as LinkedIn to identify potential users of bank account credentials. Once a victim is defined, hackers impersonate bank employees to phone call the victims and ask them to visit a URL to verify that their “Security module” is updated. The fake verification site will indicate a “required update” for the so-called security software. Finally, the victim is asked to close all running programs, and download and install malicious software using the Windows Admin profile.
Along with downloading the fake bank application, CamuBot stealthy begins to run on the victim’s computer. The name of the file and the URL from which it is downloaded changes in each attack.
While the attacker is on the phone with the victim, an emergent screen redirects the victim to a phishing site pretending to be the bank website and victims receive instructions to log into their account through the fake site. Once this has been done, the victim has shared his bank credentials with the attacker.
Bypassing hardware/biometric protection measures
Under some circumstances, such as the presence of biometric authentication or other authentication hardware connected to the victim’s PC, CamuBot raises the bet, as malware can search for a driver for a security device and install it.
To perform this type of authentication, hackers take advantage of advanced malware features. CamuBot is capable of creating new firewall and antivirus rules to make appear the malware as a reliable program. The communication is then established with the attacker via an SSH-based proxy. Subsequently, port forwarding is enabled and used in a bidirectional tunnel of application ports from the client’s device to the attacker’s server. This tunnel allows attackers to direct their own traffic through the infected machine and use the victim’s IP address when accessing the compromised bank account.
Ethical hacking specialists from the International Institute of Cyber Security consider that the mode of operation of CamuBot is more sophisticated than that of any common banking malware, which makes it a much more serious threat to its potential victims.
Working as a cyber security solutions architect, Alisa focuses on bug bounty and network security. Before joining us she held a cyber security researcher positions within a variety of cyber security start-ups. She also experience in different industry domains like finance, healthcare and consumer products.