A few days ago, security experts from IBM X-Force spotted a new strain of malware, tracked under the name CamuBot and targeting Brazilian bank customers. The malicious code immediately caught the attention of the researchers because it attempts to bypass biometric account protections.
The Brazilian underground is characterized by its offering of banking Trojans. Many forms of malware designed by Brazilian VXers target internet banking users and implement several techniques to steal victims’ credentials. Brazil ranks among the top countries worldwide in terms of online banking fraud and malware infections.
The criminals behind the CamuBot malware use social engineering techniques to deceive the victims. The malicious code, in fact, presents itself as a security module provided by a bank.
The name CamuBot comes from the camouflage ability of the malware. Experts have observed that the user interface of the module is designed with the appearance of the victim’s banking software.
Researchers from IBM X-Force spotted the threat in August 2018 when it was used in a targeted campaign against business-class banking customers.
“CamuBot emerged in Brazil in August 2018 in what appeared to be targeted attacks against business banking users. According to X-Force’s findings, the malware’s operators are actively using it to target companies and public sector organizations, mixing social engineering and malware tactics to bypass strong authentication and security controls,” reads the analysis published by IBM.
CamuBot is quite different from the other malware in the Brazilian threat landscape. Its code is completely new, it doesn’t hide its deployment, and it is more sophisticated than the remote-overlay type of malware commonly used in fraud schemes targeting users in Brazil.
CamuBot doesn’t present victims with fake overlay screens. Instead, it implements the attack scheme used by other banking malware such as TrickBot, Dridex and QakBot.
*** This is a Security Bloggers Network syndicated blog from InfoSec Resources authored by Pierluigi Paganini. Read the original post at: http://feedproxy.google.com/~r/infosecResources/~3/6lYxp-nHu0o/