According to Kaspersky researchers, Bizarro uses affiliates or recruits money mules to operationalize attacks, cashing out or simply helping with transfers. So far, the targets are mostly people located in Spain, Portugal, France and Italy, with attempts made at stealing credentials from customers of about 70 banks across those European countries.
The threat actors behind Bizarro employ servers hosted on Azure and Amazon (AWS), as well as compromised WordPress servers, to store the malware and collect telemetry.
How Bizarro Spreads and Steals Banking Credentials?
Bizarro spreads via Microsoft Installer (MSI) packages; the sources identified so far are spam emails, and the attackers also use social engineering to lure victims into downloading malicious apps. Most infections have been detected in the South American countries of Brazil, Argentina, and Chile, with European countries such as Germany, Spain, Portugal, France, and Italy also making up the numbers.
The Trojan starts by killing all browser processes in order to terminate existing sessions with online banking sites. Once the user restarts the browser, the malware forces them to re-enter their banking credentials, which it then captures. Bizarro also disables autocomplete in the browser so that it can collect more banking details.
Once Bizarro initializes its screen-capturing module, it loads the magnification.dll library to obtain the address of the deprecated MagSetImageScalingCallback API function. With its help, it captures the screen and also constantly monitors the system clipboard, looking not only for banking details but also for Bitcoin wallet addresses, which it replaces with a wallet belonging to the malware authors.
Like other banking Trojans such as Ghimob, Bizarro focuses on stealing credentials from bank customers; once a victim's system is infected, the operators use money mules to operationalize the attacks, cashing out or simply helping with transfers.
How to Detect and Mitigate against Bizarro Banking Trojan?
Threat actors continue to adopt various evasive techniques to complicate malware analysis and detection, and the social engineering tricks that lure victims into giving up their online banking data are becoming more pervasive.
Therefore, the most important advice is not to click on links that come from an unknown source. Also, always double-check the destination Bitcoin address before sending funds: Bizarro is not the only malware that uses the clipboard to replace Bitcoin addresses, and there are certainly no do-overs with Bitcoin.
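As an added defensive illustration (not code from Kaspersky's report or from the malware itself), the following Python validates legacy Bitcoin addresses by their Base58Check checksum and flags the clipper pattern described above: a valid address sitting in the clipboard is replaced by a different valid address within seconds. The clipboard samples are constructed, the "attacker" address is built from a made-up hash160, and the function names are assumptions.

```python
import hashlib
import re

ALPHABET = "123456789ABCDEFGHJKLMNPQRSTUVWXYZabcdefghijkmnopqrstuvwxyz"
# Loose shape of a legacy Base58 address; a hit is only a candidate until its checksum verifies.
ADDR_RE = re.compile(r"\b[13][1-9A-HJ-NP-Za-km-z]{25,34}\b")

def checksum(payload: bytes) -> bytes:
    return hashlib.sha256(hashlib.sha256(payload).digest()).digest()[:4]
def b58decode(s: str) -> bytes:
    n = 0
    for ch in s:
        n = n * 58 + ALPHABET.index(ch)  # ValueError on a non-alphabet char
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return b"\x00" * (len(s) - len(s.lstrip("1"))) + body  # leading '1's are zero bytes
def b58encode(raw: bytes) -> str:
    n, out = int.from_bytes(raw, "big"), ""
    while n:
        n, r = divmod(n, 58)
        out = ALPHABET[r] + out
    return "1" * (len(raw) - len(raw.lstrip(b"\x00"))) + out
def is_valid_legacy_address(s: str) -> bool:
    # P2PKH (0x00) or P2SH (0x05): 1 version byte + 20-byte hash160 + 4-byte checksum
    try:
        raw = b58decode(s)
    except ValueError:
        return False
    return len(raw) == 25 and raw[0] in (0x00, 0x05) and checksum(raw[:21]) == raw[21:]
def make_address(hash160: bytes, version: int = 0x00) -> str:
    payload = bytes([version]) + hash160
    return b58encode(payload + checksum(payload))
def find_address(text: str):
    m = ADDR_RE.search(text)
    return m.group(0) if m and is_valid_legacy_address(m.group(0)) else None
def detect_clipboard_swaps(samples, window: float = 5.0):
    """samples: (seconds, clipboard_text) in time order. Flags a valid address replaced
    by a different valid address within `window` seconds, the clipper pattern."""
    alerts, prev = [], None
    for t, text in samples:
        addr = find_address(text)
        if addr and prev and addr != prev[1] and t - prev[0] <= window:
            alerts.append((prev[1], addr))
        prev = (t, addr) if addr else None
    return alerts

# Constructed samples: the user copies a real (genesis-block) address, then moments later the
# clipboard holds a different address built here from a made-up hash160, as a clipper would do.
ATTACKER = make_address(b"\x42" * 20)
SAMPLES = [(0.0, "send 0.5 BTC to 1A1zP1eP5QGefi2DMPTfTL5SLmv7DivfNa"), (0.4, ATTACKER),
           (30.0, "meeting notes")]
```

A real monitor would feed `detect_clipboard_swaps` with periodic clipboard reads; the checksum step keeps random Base58-looking strings from producing false alerts.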