CamuBot Banking Trojan Returns to Target Brazilian Banking Customers
The banking trojan is back and again targets Brazilian banking customers. This time, however, it does not rely solely on taking over the infected desktop; it increasingly works through authorization of the bank's mobile app.
CamuBot previously attacked Brazilian bank customers in 2018. It infected the victim's system and used the stolen credentials (username and password) to log in to the bank account and carry out fraudulent transactions. The recent campaign is more personalized: since the start of 2020, CamuBot operators have been reaching victims' accounts through the mobile banking app, which helps them evade detection and avoid the alerts and authentication codes that would otherwise be triggered during a fraudulent transaction.
“Some observations from the campaigns are that the adversary operating CamuBot handpicks potential victims and remains as targeted as possible, likely to keep the attack’s TTPs [tactics, techniques and procedures] on low profile and their team from attracting the attention of local law enforcement,” said IBM X-Force researchers Chen Nahman and Limor Kessem in an analysis this week.
CamuBot uses TTPs often seen with other banking malware such as TrickBot or Ursnif: it takes control of the victim's device and combines that access with elaborate social engineering.
The New Attack Campaign
“What stood out to us in more recent activity… is the fact that the attackers do not always take over the account by connecting to the victim’s infected desktop device as they did before,” said the researchers. “Rather, we have been seeing that business accounts are being accessed through the bank’s mobile application.”
The CamuBot Trojan first infects the targeted computer. The attackers then contact the victim by phone and talk them into authorizing a mobile banking application tied to the victim's phone number.
With the online banking credentials already in hand, “the attacker in this case wants the victim to authorize activity from the app on the mobile device,” the researchers added. “Victims are being asked to enable that through the desktop website.”
The stolen credentials are used to log in to the mobile app, and the attackers then change the registered mobile number to one they control. This gives them firmer control over the account and ensures that any alerts or authentication codes the bank sends to that number reach the attackers rather than the victim.
In some cases, the researchers said, the attackers also performed a SIM swap, a fraud technique used to intercept the two-factor authentication codes sent to the victim's number and thereby break into the online banking account.
Since the attackers also control the victim's desktop, “the most likely scenario here is that the attacker is hoping to preserve their access and be able to monitor the account over time until they can plan for a large fraudulent transfer,” they said. “By having the account coupled with a phone number they have access to, two-factor authentication (2FA) or verification calls from the bank will end up reaching the criminal and possibly enable them to complete the fraudulent operation.”
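As an added example (not code from the article or from IBM X-Force), the following Python script shows how a bank's fraud team might flag the account-takeover sequence described above: a new mobile device is enrolled, the registered phone number is changed shortly afterwards, and a large transfer follows within the same window. The JSON-lines log format, the event and field names, the scoring thresholds and the sample events are all constructed assumptions for this illustration.

```python
import json
from dataclasses import dataclass, field
from datetime import datetime, timedelta

# Constructed sample log in JSON-lines form. The field names ("ts",
# "account", "kind", "detail", "amount") and the event kinds are
# assumptions for this example, not a real bank's schema.
SAMPLE_LOG = """\
{"ts": "2020-01-06T09:12:00", "account": "biz-001", "kind": "login", "detail": "desktop web"}
{"ts": "2020-01-06T09:40:00", "account": "biz-001", "kind": "device_enroll", "detail": "android app"}
{"ts": "2020-01-06T11:05:00", "account": "biz-001", "kind": "phone_change", "detail": "old number -> new number"}
{"ts": "2020-01-16T14:30:00", "account": "biz-001", "kind": "transfer", "detail": "new payee", "amount": 85000.0}
{"ts": "2020-01-07T08:00:00", "account": "biz-002", "kind": "login", "detail": "desktop web"}
{"ts": "2020-01-07T08:05:00", "account": "biz-002", "kind": "phone_change", "detail": "customer updated number"}
{"ts": "2020-01-20T10:00:00", "account": "biz-002", "kind": "transfer", "detail": "payroll", "amount": 4200.0}
{"ts": "2020-01-08T12:00:00", "account": "biz-003", "kind": "login", "detail": "desktop web"}
{"ts": "2020-01-08T12:10:00", "account": "biz-003", "kind": "transfer", "detail": "supplier", "amount": 120000.0}
"""


@dataclass
class Event:
    ts: datetime
    account: str
    kind: str          # login, device_enroll, phone_change, transfer
    detail: str = ""
    amount: float = 0.0


@dataclass
class Alert:
    account: str
    score: int
    reasons: list = field(default_factory=list)


def parse_log(text):
    """Parse the JSON-lines log into Event objects (blank lines ignored)."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        rec = json.loads(line)
        events.append(Event(
            ts=datetime.fromisoformat(rec["ts"]),
            account=rec["account"],
            kind=rec["kind"],
            detail=rec.get("detail", ""),
            amount=float(rec.get("amount", 0.0)),
        ))
    return events


def score_account(events, window=timedelta(days=14), large=20_000.0,
                  alert_threshold=60):
    """Return {account: Alert} for accounts whose event sequence matches the
    takeover pattern. Weights and thresholds are illustrative assumptions."""
    by_account = {}
    for ev in sorted(events, key=lambda e: e.ts):
        by_account.setdefault(ev.account, []).append(ev)

    alerts = {}
    for acct, evs in by_account.items():
        score, reasons = 0, []
        enroll_ts = phone_ts = None
        for ev in evs:
            if ev.kind == "device_enroll":
                enroll_ts = ev.ts
            elif ev.kind == "phone_change":
                phone_ts = ev.ts
                # Registered number changed within a day of a new device:
                # the attacker redirecting 2FA codes to a number they control.
                if enroll_ts and ev.ts - enroll_ts <= timedelta(days=1):
                    score += 40
                    reasons.append("phone number changed within 1 day of new device enrollment")
            elif ev.kind == "transfer" and ev.amount >= large:
                # Large transfer shortly after the account's contact/device
                # details were altered is the payoff step of the campaign.
                recent = []
                if enroll_ts and ev.ts - enroll_ts <= window:
                    recent.append("device_enroll")
                if phone_ts and ev.ts - phone_ts <= window:
                    recent.append("phone_change")
                if recent:
                    score += 30 * len(recent)
                    reasons.append(
                        f"large transfer {ev.amount:.2f} within {window.days}d of "
                        + ", ".join(recent))
        if score >= alert_threshold:
            alerts[acct] = Alert(acct, score, reasons)
    return alerts


if __name__ == "__main__":
    for alert in score_account(parse_log(SAMPLE_LOG)).values():
        print(alert.account, alert.score)
        for r in alert.reasons:
            print("  -", r)
```

Only the account that enrolled a new device, changed its phone number within hours and then moved a large sum is flagged; a routine number update with no large transfer and a large transfer with no preceding changes both score zero. In practice the phone-change rule would also consult carrier or SIM-swap signals, since the article notes the attackers sometimes swap the SIM instead of changing the number on file.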