ESET discovers Casbaneiro banking trojan stealing cryptocurrency in Latin America and abusing YouTube for its C&C
Created: 2019-10-03 00:00:00
BRATISLAVA - ESET, a global leader in cybersecurity, continues to unravel the TTPs (tactics, techniques, and procedures) of Latin American banking trojans, and in the process has discovered the Casbaneiro family. As part of the research project that identified the Amavaldo malware family, the ESET research team also found that Casbaneiro shares related functionality: both malware families use the same cryptographic algorithm and have been distributed by a similar-looking email tool.
The Casbaneiro family also makes use of social engineering to fool victims, mimicking Amavaldo's use of fake pop-up windows and forms. These attacks usually center on persuading the victim to take purportedly urgent or necessary action, such as installing a software update or verifying credit card or bank account information.
Once it has infiltrated a victim's device, Casbaneiro uses backdoor commands to take screenshots, restrict access to various banking websites, and log keystrokes. Additionally, Casbaneiro is used to steal cryptocurrency via a technique that monitors clipboard content for cryptocurrency wallet data. If such data is found, the malware replaces it with the attacker's own cryptocurrency wallet address.
The Casbaneiro malware family can be characterized by its use of multiple cryptographic algorithms, used both to obscure strings within its executables and to decrypt downloaded payloads and configuration data. Casbaneiro's initial vector is a malicious email, the same method used by Amavaldo.
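As an added illustration (not ESET's code and not taken from the malware), the following Python sketch shows one way a defender can detect the clipboard substitution described above: it replays a sequence of clipboard change events and flags a wallet address that is rewritten into another address of the same type without a user copy action. The address patterns, the event format and the sample addresses are assumptions constructed for this example.

```python
import re
from dataclasses import dataclass

# Address formats a clipboard hijacker typically targets (assumed set):
# Bitcoin legacy/P2SH and bech32, and Ethereum hex addresses.
ADDRESS_PATTERNS = {
    "btc": re.compile(r"^(?:[13][a-km-zA-HJ-NP-Z1-9]{25,34}|bc1[a-z0-9]{25,62})$"),
    "eth": re.compile(r"^0x[0-9a-fA-F]{40}$"),
}


def classify(text):
    """Return the wallet type the text looks like, or None."""
    for kind, pattern in ADDRESS_PATTERNS.items():
        if pattern.match(text.strip()):
            return kind
    return None


@dataclass
class ClipboardEvent:
    ts: float        # seconds since monitoring started
    content: str     # new clipboard text
    user_copy: bool  # True if a user copy action (e.g. Ctrl+C) caused the change


def find_swaps(events, max_gap=2.0):
    """Flag address-for-address rewrites that no user copy explains.

    An alert is (original, replacement, wallet_type). A rewrite is suspicious
    when the previous and new contents are addresses of the same type, differ,
    arrived within max_gap seconds, and were not produced by a user copy.
    """
    alerts = []
    prev = None
    for ev in events:
        if prev is not None:
            before, after = classify(prev.content), classify(ev.content)
            if (before is not None and after == before
                    and ev.content != prev.content
                    and not ev.user_copy
                    and ev.ts - prev.ts <= max_gap):
                alerts.append((prev.content, ev.content, before))
        prev = ev
    return alerts


# Constructed sample events: the victim copies a BTC address, and 300 ms later
# the clipboard holds a different BTC address that no user action produced.
SAMPLE_EVENTS = [
    ClipboardEvent(0.0, "meeting notes", True),
    ClipboardEvent(5.0, "1A1zP1eP5QGefi2DMPTfTL5SLmv7DivfNa", True),
    ClipboardEvent(5.3, "1ExampLeSwappedAddressAAAAAAAAAAA", False),  # constructed
    ClipboardEvent(20.0, "0x" + "ab" * 20, True),
    ClipboardEvent(21.0, "0x" + "cd" * 20, True),  # user copied a second address: legitimate
]
```

On a live host the events would come from a clipboard-change hook rather than a list, and the `user_copy` flag from correlating the change with keyboard or menu input.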
One of the most interesting aspects of Casbaneiro is the operators' effort to hide the C&C server domain and port. The C&C server has been hidden in a variety of places, including fake DNS entries, online documents stored on Google Docs, and fake websites that mimic legitimate institutions. In some cases, the C&C server domains have been encrypted and hidden in legitimate websites, most notably in the descriptions of several videos hosted on YouTube.
Casbaneiro has primarily targeted Brazilian and Mexican banking applications.
To find out more about Casbaneiro, read "Casbaneiro: Dangerous cooking with a secret ingredient" on WeLiveSecurity.
About Version 2 Limited
Version 2 Limited is one of the most dynamic IT companies in Asia. The company develops and distributes IT products for Internet and IP-based networks, including communication systems, Internet software, security, network, and media products. Through an extensive network of channels, points of sale, resellers, and partner companies, Version 2 Limited offers quality products and services that are highly acclaimed in the market. Its customers cover a wide spectrum, including Global 1000 enterprises, regional listed companies, public utilities, government, a vast number of successful SMEs, and consumers in various Asian cities.
About ESET
For 30 years, ESET® has been developing industry-leading IT security software and services for businesses and consumers worldwide. With solutions ranging from endpoint security to encryption and two-factor authentication, ESET's high-performing, easy-to-use products give individuals and businesses the peace of mind to enjoy the full potential of their technology. ESET unobtrusively protects and monitors 24/7, updating defenses in real time to keep users safe and businesses running without interruption. Evolving threats require an evolving IT security company. Backed by R&D facilities worldwide, ESET became the first IT security company to earn 100 Virus Bulletin VB100 awards, identifying every single "in-the-wild" malware sample without interruption since 2003.