Spam or junk email may be the primary method of delivering banking Trojans; however, there are many other ways of convincing employees to download and install malware on their computers.
In the case of the CamuBot Trojan, the method used is vishing. Vishing is the voice equivalent of phishing: the use of the telephone to trick people, either by convincing them to reveal sensitive information or to take some other step such as downloading malware or making fraudulent bank transfers.
Vishing is regularly used in tech support scams, where people are convinced to install fake security software to delete fictitious viruses on their computers. The campaign used to install the CamuBot Trojan, a different type of malware, was identified by IBM X-Force researchers.
The attack begins with some reconnaissance. The hackers identify a business that uses a specific bank. Individuals within that business who are likely to have access to the bank accounts it uses, payroll staff for example, are then identified. Those people are then contacted by telephone.
The hackers tell people that they are calling from the bank and are completing a check of security software on the user’s computer. The user is told to visit a webpage where a program will run a scan to find out if they have an up-to-date security module downloaded on their computer.
Once the fake scan is finished, the user is informed that their security module is an out-of-date version. The caller then tells them that they must download the latest version of the security module and install it on their device.
Once the file is downloaded and executed, it runs just like any standard software installer. The user is told about the minimum system requirements for the security module to work, and the installer includes the bank’s logo and color scheme to make it appear authentic.
The user is taken through the installation process, which first requires them to disable certain processes that are running on their computer. The installer shows the progress of the fake installation, but in the background, the CamuBot Trojan is being downloaded. Once the process is finished, it connects to its C2 server.
The user is then brought to what appears to be the login portal for their bank, where they must enter their login credentials. The portal is a phishing webpage, and the details needed to access the user’s bank account are recorded by the hacker.
Many banks require a second factor for authentication. If such a security measure is in place, the hackers tell the user that a further installation is needed for the security module to work. The user is then talked through the installation of a driver that allows their hardware-based authentication device to be remotely shared with the hacker. Once that driver has been installed and approved, the attackers are able to intercept any one-time passwords sent by the bank to the user’s device, allowing them to take full control of the bank account and authorize transactions.
The CamuBot Trojan shows that malware does not need to be stealthy to be successful. Social engineering methods can be just as effective at getting staff members to install malware.
The CamuBot Trojan campaign is mainly being carried out in Brazil, but the campaign could be rolled out and used in attacks in other countries. The methods used in this campaign are not new and have been used in several malware campaigns previously.