Security Week 21: Bizarro, the universal banking Trojan
The screenshot above shows spam being sent to potential victims. The infection process is trivial: users are persuaded to run an installer that downloads malicious code. The Trojan horse is hosted on hacked WordPress blogs or on Azure and AWS servers. The key element of the attack – a universal backdoor – is not launched until the user opens the bank’s website from the specified database. Although the main functions of Bizarro are aimed at stealing money from accounts, the Trojan also has side hobbies, for example, substituting the identifiers of bitcoin wallets in the clipboard for those belonging to cybercriminals.
How does Bizarro work:
The user is forced to re-login in his personal account by various tricks: they forcefully close the browser, disable autocomplete so that the username and password have to be re-entered. The keylogger intercepts and sends credentials to the attackers’ server, and the user sees a fake window for entering two-factor authentication codes. The code is also checked, and if successful, an error message is displayed on the victim’s screen, blocking access to any programs – this is how the cybercriminals are trying to gain time. In parallel with this, an attempt is made to transfer money from the account. But the possibilities of malware are not limited to this. In addition to the aforementioned clipboard spying and standard screenshots, the user may also be prompted to install malware on a mobile phone, ostensibly for security purposes. To do this, a QR code generated by the standard Google API is displayed on the screen:
Thus, Bizarro offers the most automated mechanism for stealing data from bank accounts, but also allows manual control of the backdoor, up to analyzing specific files on the hard disk, launching programs or clicking on specified coordinates. Bizarro is far from the only cybercriminal campaign with Brazilian roots entering the global market. In total, Kaspersky Lab detected at least five such operations. Last year, the Trojan was examined in detail Tetrade, similar in functionality, but implemented differently.
What else happened
Study security of mobile applications with sad results: Check Point discovered serious vulnerabilities in the backend of popular Android applications. Specific applications are not named, but among the 23 problematic applications, almost half have 10 million or more users. Two common flaws are a vulnerable database and keys embedded in the application code to access servers.
Researchers continue to search for unnatural methods of exploiting Apple AirTags with potential privacy concerns. In fresh review the method of indirect tracking is shown for such a scenario: we put a tag in the victim’s house and monitor its detection. AirTag, switched to loss mode, reports not only its coordinates through someone else’s iPhone, but also the time elapsed since the last contact. In this case, the location of the tag is known, but the detection time helps determine when the victim is out of the house.
Pen Test Partners hacked an entertainment system on a Boeing 747 (discussion on Habré). The hacking was carried out on outdated and obsolete hardware running Windows NT4. An interesting point: modern tools for searching for vulnerabilities no longer support such outdated software – the authors of the study had to search for suitable vulnerabilities manually.
Wired magazine published history a high-profile 2011 RSA hack that compromised SecureID keys for two-factor authentication.
May Android patch pack shut down zero-day vulnerabilities in graphics code. SOC Qualcomm and devices with Arm Mali graphics are prone to bugs.
Microsoft will stop Internet Explorer browser support in June 2022.
The initial infection of computers, which made possible an attack on a Florida water treatment plant in February of this year, occurred through an infected website.
