Brazilian banks and their respective clients need to be alert of a new malware named, as it pretends to be a login security check during a Bank login procedure if the PC is infected with it. It copies the bank logos and pretends to be a legitimate security check mostly seen on banking websites. “The malware’s operators are actively using [CamuBot] to target companies and public-sector organizations, mixing social engineering and malware tactics to bypass strong authentication and security controls,” explained Limor Kessem, IBM X-Force’s global executive security advisor.
CamuBot is closely related to a phishing attack, as it pretends to be something that it isn’t like being a part of a bank’s login page. “It is very possible that [the threat actors] gather information [on potential targets] from local phone books, search engines or professional social networks to get to people who own a business or would have the business’ bank account credentials,” Kessam further emphasized.
Scammers define who will be the victim, they will then attempt a phone call pretending to be a bank staff and try to persuade the victim to enter specific bank details in the Bank’s website (a fake one) for verification purposes. They will also instruct the unsuspecting depositor to install a program in order to “verify their bank info” to their bank account. “At this point, a fake application that features the bank’s logos starts downloading. Behind the scenes, CamuBot gets fetched and executed on the victim’s device. The name of the file and the URL it is downloaded from change in every attack. pop-up screen redirects the victim to a phishing site purporting to be their bank’s online banking portal,” concluded Kessam.
The fake “security program” will install an application and create Windows Registry keys that will enable itself to communicate to the attackers remotely. It will bypass the Windows Firewall, establishing an SSH-based communication with the virus authors. The moment the user enters his bank credentials in the fake website, enough login credential is captured that enable the attackers to transfer money without the user’s permission.
This attack can only be prevented if the bank uses a two-factor authentication procedure for their customers. A two-factor authenticator can prevent login by any third party by demanding for a “second” password in order to authenticate the credential being legitimate. Not all banks implement such a system, and people are urged to only choose a bank service that offers such security methodology when logging in.
“The proxy module is loaded and establishes port forwarding. This feature is generally used in a two-way tunneling of application ports from the client’s device to the server. In CamuBot’s case, the tunnel allows attackers to direct their own traffic through the infected machine and use the victim’s IP address when accessing the compromised bank account. After installation completes, a pop-up screen redirects the victim to a phishing site purporting to be their bank’s online banking portal. The victim is asked to log into his or her account, thereby unknowingly sending the credentials to the attacker,” explained an IBM representative.
The silver lining of CamuBot is it is currently only targeting Brazilian banks, and it never ventured to infect computers outside Brazil. It is debated by researchers if such limited action was due to the malware not yet ready for a massive infection or the virus authors are still in the testing and adjustment stage of their CamuBot development.