Bizarro, the banking Trojan family originating from Brazil has targeted customers of at least 70 banks as it moves from its Brazilian base to Europe.

According to Kaspersky’s cyberthreat research, the Trojan now striking users not only in Brazil, but Argentina, Chile, Spain, Portugal, France, and Italy, with customers of banks in these areas being lured into handing over their account credentials for the purposes of financial theft. 

Bizarro has x64 modules and is able to trick users into entering two-factor authentication codes in fake pop-ups. It may also use social engineering to convince victims to download a smartphone app. The group behind Bizzaro uses servers hosted on Azure and Amazon (AWS) and compromised WordPress servers to store the malware and collect telemetry.

Bizarro is distributed via MSI packages downloaded by victims from links in spam emails. Once launched, Bizarro downloads a ZIP archive from a compromised website. The researchers have found Azure and AWS servers that were used to host the malware, alongside hijacked WordPress domains. 

The archive contains a malicious .DLL, written in Delphi, a AutoHotkey script runner executable, and a script that calls an exported function from the .DLL. This function, which is obfuscated, contains the malicious code required to trigger the banking Trojan. 

On startup, Bizarro will kill existing browser processes, including any active sessions with online banking services. As soon as the victim restarts their session, bank credentials are quietly captured by the malware and sent to an attacker’s command-and-control (C2) server. 

READ
Major Data Leak Exposes Personal Information of Over 200,000 Tech Job Seekers

To improve the chances of capturing this valuable data, Bizarro also disables autocomplete functionality in a browser. 

Fake pop-ups are also shown to users, some of which are tailored to appear as messages from online banking services warning of security updates or PC compromise. These pop-ups may freeze PCs and hide taskbars, while at the same time, requesting identity checks by the client. 

This is where a second-stage attack comes into play. The messages will try and lure victims into submitting two-factor authentication (2FA) codes — when this security measure is enabled — by asking them to download a malicious smartphone app and scanning a QR code for ‘authentication’ purposes. 

The malware will capture operating system information and is also able to perform screen captures, keylogging, and will monitor clipboards for cryptocurrency wallet addresses.