ESET specialists have studied the new Casbaneiro family of banking Trojans (also known as Metamorfo). The malware hunts for the cryptocurrency of Brazilian and Mexican users.
Researchers write that Casbaneiro's functionality is very similar to that of another banking malware family, Amavaldo. Both malicious programs use the same cryptographic algorithm and distribute a similar malicious email tool.
Like Amavaldo, the Casbaneiro Trojan uses pop-ups and forms to trick its victims. Such social engineering methods target primary emotions: the person is pressured to make a decision immediately, without thinking. The pretext may be a software update, credit card verification, or a request from a bank.
After infection, Casbaneiro restricts access to various banking sites; it also logs keystrokes, emulates keystrokes, can download and execute other executable files, and takes screenshots. In addition, the Trojan monitors the user's clipboard: if the malware sees cryptocurrency wallet data, it replaces the recipient address with a wallet belonging to the malware operators.
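The clipboard-swapping behaviour described above leaves a simple footprint a defender can look for: the user copied one wallet address, and the clipboard later holds a different address of the same family even though no new copy action took place. The following Python detector, an added example that is not part of the ESET research or the article, implements that heuristic. The `WALLET_PATTERNS` table, the `ClipboardSwapDetector` class and the wallet addresses used in `run_demo` are all constructed for illustration; the clipboard itself is modelled as values fed in by a polling hook rather than read from the OS.

```python
import re
from dataclasses import dataclass, field
from typing import List, Optional, Tuple

# Constructed, illustrative address formats (assumption: a small set, not an
# exhaustive list of cryptocurrency address syntaxes).
WALLET_PATTERNS = {
    "btc_legacy": re.compile(r"^[13][a-km-zA-HJ-NP-Z1-9]{25,34}$"),
    "btc_bech32": re.compile(r"^bc1[a-z0-9]{25,62}$"),
    "eth": re.compile(r"^0x[0-9a-fA-F]{40}$"),
}


def wallet_type(text: str) -> Optional[str]:
    """Return the wallet-address family `text` matches, or None if it is not an address."""
    candidate = text.strip()
    for name, pattern in WALLET_PATTERNS.items():
        if pattern.match(candidate):
            return name
    return None


@dataclass
class ClipboardSwapDetector:
    """Heuristic detector for clipboard address replacement.

    An alert is raised when the last value the user deliberately copied was a
    wallet address and the clipboard now contains a *different* address of the
    same family without an intervening copy event. Ordinary clipboard changes
    (non-address text, or an address of another family) are not flagged.
    """
    last_copied: Optional[str] = None
    alerts: List[Tuple[str, str]] = field(default_factory=list)

    def on_user_copy(self, text: str) -> None:
        # Called from a trusted hook whenever the user performs a copy action.
        self.last_copied = text.strip()

    def on_clipboard_poll(self, current: str) -> Optional[Tuple[str, str]]:
        """Called periodically with the current clipboard contents.

        Returns (expected, observed) when a suspicious swap is detected, else None.
        """
        current = current.strip()
        if self.last_copied is None or current == self.last_copied:
            return None
        expected_type = wallet_type(self.last_copied)
        observed_type = wallet_type(current)
        # Only address -> different address of the same family is suspicious;
        # a change to unrelated text is most likely a copy we did not observe.
        if expected_type is not None and expected_type == observed_type:
            alert = (self.last_copied, current)
            self.alerts.append(alert)
            return alert
        return None


def run_demo() -> List[Tuple[str, str]]:
    """Walk through a benign poll, a swapped address and a later unrelated copy."""
    detector = ClipboardSwapDetector()
    user_addr = "bc1qar0srrr7xfkvy5l643lydnw9re59gtzzwf5mdq"      # constructed sample
    swapped_addr = "bc1qw508d6qejxtdg4y5r3zarvary0c5xw7kv8f3t4"   # constructed sample

    detector.on_user_copy(user_addr)
    detector.on_clipboard_poll(user_addr)      # unchanged: no alert
    detector.on_clipboard_poll(swapped_addr)   # same family, different address: alert

    detector.on_user_copy("meeting notes")     # user copies ordinary text
    detector.on_clipboard_poll("0x" + "ab" * 20)  # not an address -> address: no alert
    return detector.alerts


if __name__ == "__main__":
    for expected, observed in run_demo():
        print(f"clipboard swap detected: copied {expected}, clipboard now {observed}")
```

In a real deployment the `on_user_copy` hook must come from a source the malware cannot forge (for example an input hook recording Ctrl+C or a context-menu copy), and the poll interval should be short enough to catch the swap before the user pastes; the heuristic is deliberately conservative so that normal clipboard use does not generate alerts.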
The Casbaneiro family uses many sophisticated algorithms to obfuscate its code and to decrypt downloaded components and configuration data. Like Amavaldo, Casbaneiro is distributed mainly through malicious phishing emails.
A distinctive feature of the Trojan is that Casbaneiro's operators tried to carefully hide the domain and port of their command-and-control (C&C) server. It was hidden in a variety of places: in fake DNS records, in Google Docs online documents, and even on fake websites of various institutions. Interestingly, the attackers sometimes managed to hide the C&C server details on legitimate sites, including in video descriptions on YouTube.
Researchers found two different YouTube accounts (one focused on cooking recipes and the other on football) used for this purpose. Each video on these channels has a description that ends with a link to a fake Facebook or Instagram URL. The attackers' C&C server domain is stored in this link: the key is placed at the beginning of the encrypted data, and the port is hard-coded in the binary.