A new financial malware camouflaged as a security module and dubbed "CamuBot" is targeting Brazilian banking customers.
The malware was first spotted in Brazil in August 2018 in a series of targeted attacks against business banking users and has since been actively used against companies and public sector organisations, combining social engineering and malware tactics to bypass authentication and security controls, IBM X-Force researchers said in a 4 September blog post.
Researchers noted that CamuBot's code is significantly different from that of typical banking trojans: it makes no attempt to hide its deployment and openly uses the bank's logos and overall branding to pass itself off as a security application.
The victim is thereby tricked into downloading the malware without realising they are running the installation wizard for a trojan horse. Researchers said CamuBot's tactics are similar to those used by Eastern European-made malware that focuses on business banking, such as TrickBot, Dridex and QakBot.
Its methods are designed to lure potential victims into installing the malware on their device and then walk them through unknowingly authorising a fraudulent transaction.
After conducting basic reconnaissance, the threat actors initiate a phone call to their victim who likely has access to the business's bank account credentials. The threat actors will then identify themselves as bank employees and instruct the victim to visit a malicious URL "to check whether his or her security module is up to date."
The check is rigged to return a negative result, and the threat actor then talks the victim into installing a "new" security module for their online banking activity.
"Those lured into downloading the module are advised to close all running programs and run the installation with a Windows administrator profile," researchers said in the post. "At this point, a fake application that features the bank's logos starts downloading."
Meanwhile, in the background, CamuBot is downloaded and executed on the victim's device.
OneSpan Director of Security Solutions Will LaSala noted that history repeats itself and that there have been several instances of attacks on USB and other externally connected devices, adding that the CamuBot attack combines those methods with newer, targeted threats.
"CamuBot is a unique and sophisticated overlay attack with advanced features that adds new dangerous components to an already dangerous attack," LaSala said. "We are seeing some banks starting to roll out connected devices that help provide easy-to-use authentication systems that combine One Time Passwords (OTP) with biometrics connected via USB to the PC."
LaSala said that by using social engineering and targeting specific users, this attack attempts to fool users in the open.
"Banks and users must be vigilant. Training users on what to listen for and what they should or should not do over the phone is very important in a security portfolio," he said, adding, "Beyond training the end user, ensuring that full end-to-end encryption is used, such as Secure Communication, can help reduce the effectiveness of this attack. When the PC sends the transaction to the user, and the bank provides encrypted results that only the connected device can read and display, it makes it much harder for the attacker to compromise the system and trick the user into performing a transaction. Biometrics and OTP by themselves are forms of strong authentication; it is important to leverage additional application security layers when designing and rolling out new financial applications in today's threat-rich landscape."
Experts agree. Ryan Wilk, vice president of customer success for NuData Security, said CamuBot gives cyber-criminals a new way to trick banking customers into giving up their credentials and even bypass one-time passwords. In addition, he pointed out, the attack is basically a phishing scheme.
"The bad actor targets a victim and gathers as much information from the victim as she can before contacting and luring the victim into a fake bank URL to download the malware, pretending it is a security update," Wilk said. "With this sophisticated scam, the hacker has access to the user's bank account and can transfer money freely. This problem, which is affecting major financial institutions, is a perfect example of why passive biometrics and behavioural analytics need to be part of a layered security solution so that customers can be identified beyond their credentials, which may have been stolen with a similar scheme as this one."
Wilk went on to note that financial institutions already using passive biometrics technology can look for inherent user behavioural patterns and detect whether the user behind the device is legitimate or a fraudster with stolen credentials, leading to more informed decisions on online transactions.