Bizarro is yet another banking Trojan family originating from Brazil that is now found in other regions of the world. We have seen users being targeted in Spain, Portugal, France and Italy. Attempts have now been made to steal credentials from clients of 70 banks from different European and South American countries. Following in the footsteps of Tetrade, Bizarro is using affiliates or recruiting money mules to operationalize their attacks, cashing out or simply helping with transfers. In this article we analyse the technical characteristics of the Trojan’s components, giving a more detailed description of the obfuscation techniques, the infection process and subsequent functions, as well as the social engineering tactics used by the cybercriminals to convince their victims to give away their personal online banking details.
Bizarro has x64 modules and is able to trick users into entering two-factor authentication codes in fake pop-ups. It may also use social engineering to convince victims to download a smartphone app. The group behind Bizarro uses servers hosted on Azure and Amazon (AWS) and compromised WordPress servers to store the malware and collect telemetry.
Bizarro is distributed via MSI packages downloaded by victims from links in spam emails. Once launched, Bizarro downloads a ZIP archive from a compromised website. While writing this article, we saw hacked WordPress, Amazon and Azure servers used for storing archives. The MSI installer has two embedded links; which one is chosen depends on the victim’s processor architecture.
Typical malicious message sent out by Bizarro operators
The downloaded ZIP archive contains the following files:
A malicious DLL written in Delphi;
A legitimate executable that is an AutoHotkey script runner (in some samples AutoIt is used instead of AutoHotkey);
A small script that calls an exported function from the malicious DLL.
The DLL exports a function that contains the malicious code. The malware developers have used obfuscation to complicate code analysis. The code of the exported functions has been removed by the protector. The bytes that belong to the exported functions are restored by the DLL entry point function at runtime. This entry point function is heavily obfuscated. The tricks used to complicate analysis consist of constant unfolding and junk code insertion. The malware developers are constantly improving the protection of the binaries. In earlier versions of Bizarro, only the entry point function was protected, while in recent samples the protector is also used to obscure calls to the imported API functions.
When Bizarro starts, it first kills all the browser processes to terminate any existing sessions with online banking websites. When a user restarts the browsers, they will be forced to re-enter the bank account credentials, which will be captured by the malware. Another step Bizarro takes in order to get as many credentials as possible is to disable autocomplete in the browser.
Bizarro collects the following information about the system on which it is running:
Bizarro uses the ‘Mozilla/4.0 (compatible;MSIE 6.0; Windows NT 5.0’ user agent while sending the POST request. This user agent has typos: there should be a space after the ‘compatible;’ substring, and the closing bracket is missing. Our research shows that this mistake has not been fixed in the latest versions. After that, Bizarro creates an empty file in the %userprofile% directory, thus marking the system as infected. The name of the file is the name of the script runner (AutoIt or AutoHotKey) with the .jkl extension appended to it.
Having sent the data to the telemetry server, Bizarro initializes the screen capturing module. It loads the magnification.dll library and gets the address of the deprecated MagSetImageScalingCallback API function. With its help, the Trojan can capture the user’s screen and also constantly monitor the system clipboard, looking for a Bitcoin wallet address. If it finds one, it is replaced with a wallet belonging to the malware developers.
The backdoor is the core component of Bizarro: it contains more than 100 commands and allows the attackers to steal online banking account credentials. Most of the commands are used to display fake pop-up messages to users. The core component of the backdoor doesn’t start until Bizarro detects a connection to one of the hardcoded online banking systems. The malware does this by enumerating all the windows and collecting their names. Whitespace characters, letters with accents (such as ñ or á) and non-letter symbols such as dashes are removed from the window name strings. If a window name matches one of the hardcoded strings, the backdoor continues starting up.
The first thing the backdoor does is clear the DNS cache by executing the ipconfig /flushdns command. This is done in order to prevent connecting to a blocked IP. After that, the malware resolves the domain name to an IP address, creates a socket and binds it to the resolved address. If the connection was successful, it creates the %userprofile%\bizarro.txt file.
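The window-name normalization described above is easy to get wrong when building an analyst's view of which browser titles would satisfy the check (for example, when mapping strings recovered from a sample back to real bank portals). The following Python helper is an added example written for this article, not code from the malware or from Kaspersky; the hardcoded strings and window titles in it are constructed placeholders, and the assumption that the comparison is a case-sensitive substring test is mine, since the article does not state how the match is performed.

```python
import unicodedata


def normalize_window_title(title):
    """Apply the normalization the article describes to one window title:
    whitespace, accents and non-letter symbols (dashes, digits, punctuation)
    are dropped, leaving only plain letters.

    NFKD decomposition splits an accented letter into its base letter plus a
    combining mark; the mark is non-ASCII and is filtered out, so 'Ñ' becomes
    'N' and 'ó' becomes 'o'. Letters with no ASCII base form (e.g. 'ß') are
    dropped entirely, which is a simplification on my part.
    """
    decomposed = unicodedata.normalize("NFKD", title)
    return "".join(ch for ch in decomposed if ch.isascii() and ch.isalpha())


def titles_that_match(window_titles, hardcoded_strings):
    """Return the titles whose normalized form contains one of the hardcoded
    strings. Assumption (not stated in the article): the comparison is a
    case-sensitive substring test against already-normalized strings."""
    hits = []
    for title in window_titles:
        norm = normalize_window_title(title)
        if any(s in norm for s in hardcoded_strings):
            hits.append(title)
    return hits


# Constructed placeholders standing in for strings recovered from a sample.
SAMPLE_HARDCODED = ["BancoEjemploAcceso", "EjemploBankOnline"]

# Constructed window titles of the kind a browser exposes; the second one
# differs from the first only in accents and dash characters.
SAMPLE_TITLES = [
    "Banco Ejemplo - Acceso a clientes - Mozilla Firefox",
    "Banco Ejémplo – Accéso – Google Chrome",
    "Noticias del día - Google Chrome",
]


if __name__ == "__main__":
    for t in SAMPLE_TITLES:
        print(repr(t), "->", normalize_window_title(t))
    print(titles_that_match(SAMPLE_TITLES, SAMPLE_HARDCODED))
```

The second sample title shows why the normalization matters for defenders: accents, en-dashes and spacing in a bank's page title make no difference to whether the backdoor activates, so a list of targeted institutions derived from the hardcoded strings should be compared against normalized titles rather than raw ones.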
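The two paragraphs above describe three host and network artifacts a defender can look for: the malformed user agent on the telemetry POST, the empty <script runner>.jkl file in %userprofile%, and %userprofile%\bizarro.txt once the C2 socket is established. The Python below is an added example (not code from the article or from Kaspersky) that checks all three; the proxy log lines and the files it creates are constructed for the demonstration, and the Apache/Squid-style log layout with the client IP as the first field is an assumption.

```python
import os
import tempfile

# The malformed user agent the article describes: no space after "compatible;"
# and no closing bracket. The correctly formed legacy string does not contain
# this exact substring, so a plain substring test is already discriminating.
BIZARRO_UA = "Mozilla/4.0 (compatible;MSIE 6.0; Windows NT 5.0"


def find_bizarro_ua_hits(log_lines):
    """Return (line_number, client_ip) for every log line carrying the malformed UA.

    Assumes Apache/Squid-style access logs where the client IP is the first field.
    """
    hits = []
    for number, line in enumerate(log_lines, start=1):
        if BIZARRO_UA in line:
            hits.append((number, line.split()[0]))
    return hits


def find_marker_files(profile_dir):
    """Return the names of infection markers found directly in profile_dir.

    The article describes two: an empty <script runner name>.jkl file written
    after the telemetry POST, and bizarro.txt written once the C2 socket connects.
    The runner's exact file name is not fixed, so any .jkl file is reported.
    """
    found = []
    for name in sorted(os.listdir(profile_dir)):
        lower = name.lower()
        if lower == "bizarro.txt" or lower.endswith(".jkl"):
            found.append(name)
    return found


def demo():
    """Run both checks on constructed data; returns (ua_hits, marker_files)."""
    # Constructed proxy log lines, not real traffic. Only the first carries the
    # malformed UA; the second is the well-formed legacy string for contrast.
    logs = [
        '10.0.0.5 - - [01/May/2021:10:00:01 +0000] "POST /gate.php HTTP/1.1" 200 512 '
        '"-" "Mozilla/4.0 (compatible;MSIE 6.0; Windows NT 5.0"',
        '10.0.0.6 - - [01/May/2021:10:00:02 +0000] "GET / HTTP/1.1" 200 1024 '
        '"-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.0)"',
        '10.0.0.7 - - [01/May/2021:10:00:03 +0000] "GET /index.html HTTP/1.1" 200 2048 '
        '"-" "Mozilla/5.0 (Windows NT 10.0; Win64; x64)"',
    ]
    ua_hits = find_bizarro_ua_hits(logs)

    # A throwaway directory stands in for %userprofile%; the .jkl and bizarro.txt
    # names are created here only to exercise the check.
    with tempfile.TemporaryDirectory() as profile:
        for name in ("AutoHotkey.exe.jkl", "bizarro.txt", "desktop.ini"):
            open(os.path.join(profile, name), "w").close()
        markers = find_marker_files(profile)
    return ua_hits, markers


if __name__ == "__main__":
    hits, markers = demo()
    print("UA hits:", hits)
    print("Marker files:", markers)
```

On a real host, point find_marker_files at the actual profile directory (os.path.expanduser("~") on Windows). The ipconfig /flushdns execution is also visible in process-creation logs, but on its own it is a weak signal; the marker files and the odd user agent are the more specific indicators.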
The Backdoor and its C2
The commands that Bizarro receives from its C2 can be divided into the following categories:
Commands that allow the C2 operators to get data about the victim and manage the connection status
The <|PT|> command sends the environment information to the C2: Bizarro’s version, OS name, computer name, Bizarro’s unique identifier, installed antivirus software and the codename used for the bank that has been accessed. The codenames are bank names written in leetspeak.
The <|DownloadFile|> command downloads files to the victim’s computer, while the <|UploadFile|> command allows attackers to retrieve files from the client machine. The <|Folder|> and <|File|> commands allow the attackers to search for folders and files that match a given mask.
Commands that allow attackers to control the user’s mouse and keyboard
The <|SuaykRJ|> command performs a left mouse button click at the designated location. The <|SuaykJI|> command performs a double click at the given location, while the <|IXjzwtR|> command performs a right mouse button click. The <|ztUjzwtR|> command moves the mouse to a designated location. The syntax of these three commands is <|command name|> x coordinate <|> y coordinate <<|.
Bizarro can also manipulate the user’s keyboard (what the user actually types) with the help of the carmena command.
The LkingWajuGhkzwu command shuts the backdoor down.
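When C2 traffic for this family is captured (for example from a decrypted proxy log or a sandbox run), the command syntax given above is enough to reconstruct what the operator did with the mouse. The parser below is an added example written for this article rather than code from the malware or from Kaspersky. It assumes the pieces of a command are laid out exactly as the article writes them (tolerating optional whitespace between them, which the article does not state), and the sample stream is constructed.

```python
import re
from collections import Counter

# Mouse-control command names and the actions the article assigns to them.
MOUSE_COMMANDS = {
    "SuaykRJ": "left_click",
    "SuaykJI": "double_click",
    "IXjzwtR": "right_click",
    "ztUjzwtR": "mouse_move",
}

# One token: <|NAME|> optionally followed by X<|>Y<<| as the article writes it.
# Whitespace between the pieces is tolerated; whether the real wire format
# contains any is not stated, so that tolerance is an assumption.
_TOKEN = re.compile(r"<\|(\w+)\|>(?:\s*(-?\d+)\s*<\|>\s*(-?\d+)\s*<<\|)?")


def parse_commands(stream):
    """Split a captured command stream into (name, x, y) tuples.
    Commands without coordinates yield (name, None, None)."""
    commands = []
    for m in _TOKEN.finditer(stream):
        name, x, y = m.group(1), m.group(2), m.group(3)
        if x is None:
            commands.append((name, None, None))
        else:
            commands.append((name, int(x), int(y)))
    return commands


def mouse_timeline(stream):
    """Reduce a stream to the operator's mouse actions, in order, for a forensic
    timeline; command names outside MOUSE_COMMANDS are left out."""
    timeline = []
    for name, x, y in parse_commands(stream):
        if name in MOUSE_COMMANDS and x is not None:
            timeline.append({"action": MOUSE_COMMANDS[name], "x": x, "y": y})
    return timeline


def action_counts(stream):
    """Count mouse actions, useful for spotting hands-on remote-control
    sessions in bulk captures."""
    return Counter(event["action"] for event in mouse_timeline(stream))


# Constructed stream, not a real capture: move, left click, the <|PT|> status
# request (no coordinates), then a double click elsewhere.
SAMPLE_STREAM = (
    "<|ztUjzwtR|>640<|>400<<|"
    "<|SuaykRJ|>640<|>400<<|"
    "<|PT|>"
    "<|SuaykJI|>120<|>80<<|"
)


if __name__ == "__main__":
    for event in mouse_timeline(SAMPLE_STREAM):
        print(event)
    print(dict(action_counts(SAMPLE_STREAM)))
```

Because the separator <|> and terminator <<| never contain a word character between <| and |>, the tokenizer cannot mistake them for command names, which is what keeps the single regular expression sufficient for both coordinate-bearing and bare commands.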
Commands that log keystrokes
Bizarro supports two commands that are responsible for keylogging. The COZUMEL command starts the logging process
Commands that perform social engineering attacks
These commands display various messages that trick users into giving attackers access to the bank account. The type of messages displayed varies from simple message boxes to well-designed windows with bank logos on them.
We will first describe commands that show Windows message boxes. The dkxqdpdv command displays an error message with the text: “Los datos ingresados son incorrectos
Bizarro shows a message telling the user to enter the requested data again
The vanessa command displays an error message which tells the user to enter confirmation information. To further convince the user that all operations are legitimate
Error message asking the user to enter a confirmation code
The LMAimwc command displays another error message. This time it tells the user that their computer needs to be restarted in order to finish a security-related operation. Bizarro displays the following text:
Error message telling the user that the operating system will be restarted
The most interesting messages that Bizarro displays are those that try to mimic online banking systems. To display such messages
The first type of custom messages that Bizarro may show are messages that freeze the victim’s machine
The images below show what these messages look like on the screens of victims
Bizarro blocking a bank login page and telling the user that security updates are being installed
Bizarro also tries to lure victims into sending two-factor authentication codes to the attackers. Another interesting feature we have seen involves an attempt to convince the victim to install a malicious app on their smartphone. It uses the following windows to determine the type of mobile operating system:
If the victim chooses Android x
The obtained QR code is then shown in a window with the following text:
Bizarro asking the user to scan the QR code
Infection scheme used by Bizarro
According to the list of supported banks, the threat actor behind Bizarro is targeting clients of various banks from Europe and South America. Based on our telemetry, we’ve seen victims of Bizarro in different countries, including Brazil, Argentina, Chile, Germany, Spain, Portugal, France and Italy. These statistics again prove that Bizarro’s operators have expanded their interest from Brazil to other countries in South America and Europe.
Distribution of Bizarro detections in the last 12 months
We’ve recently seen several banking Trojans from South America (such as Guildma, Javali, Melcoz, Grandoreiro and Amavaldo) expanding their operations to other regions, mainly Europe. Bizarro is yet another example of this. The threat actors behind this campaign are adopting various technical methods to complicate malware analysis and detection, as well as social engineering tricks that can help convince victims to provide personal data related to their online banking accounts.
Kaspersky products detect this family as Trojan-Banker.Win32.Bizarro or Trojan-Banker.Win64.Bizarro. More detailed information, IoCs, MITRE ATT&CK Framework data, Yara rules and hashes relating to this threat are available to users of our Financial Threat Intel services. To learn more about threat hunting and malware analysis from Kaspersky’s GReAT experts, check out http://xtraining.kaspersky.com
Indicators of compromise
Reference MD5 hashes
e6c337d504b2d7d80d706899d964ab45
daf028ddae0edbd3d7946bb26cf05fbf
5184776f72962859b704f7cc370460ea
73472698fe41df730682977c8e751a3e
7a1ce2f8f714367f92a31da1519a3de3
0403d605e6418cbdf8e946736d1497ad
d6e4236aaade8c90366966d59e735568
a083d5ff976347f1cd5ba1d9e3a7a4b3
b0d0990beefa11c9a78c701e2aa46f87
38003677bfaa1c6729f7fa00da5c9109