After Flubot now Bizarro: 7 tips on how to protect yourself from banking Trojans!

It's no secret that cyberattacks are becoming more sophisticated and cyberthreats are becoming more severe. Hackers are challenging IT security with a wide variety of methods. A particularly perfidious trend in the field of malware has now spilled over to us from Brazil. The Bizarro banking Trojan is a malware program that uses sophisticated social engineering to steal access data for online banking. Bizarro is not the only banking Trojan whose spread is increasing sharply in the first half of 2021. The malware is flanked by Flubot - another malware that targets smartphones and tablets. We show you the ways in which the current banking Trojans want to get your data and give you 7 tips on how to protect yourself from the cyberthreats.

Banking Trojans - A brief overview

Back in 2015, global IT security became aware of the Guildma malware. This banking Trojan relied on phishing to gain access to computers and networks to grab credit and banking information. Guildma was flanked from 2017 at the latest by Javali, a multi-stage malware that also used phishing emails to spread. In addition to these "generalists" in banking Trojans, true specialists have also emerged. For example, Grandoreiro, a Trojan that has been active since 2016. Grandoreiro relies on spear phishing and compromised websites - and is available as a MaaS (malware-as-a-service) service on the darknet. And then there's Amavaldo, which uses overlay techniques to grab banking data. Amavaldo's specialty here is its focus on Latin America. The cyberthreats mentioned so far target end users who have Windows PCs in use. But cyberattacks using banking Trojans do not stop at Android mobile devices, of course. For example, anyone who has clicked on an email on their smartphone purporting to contain information about alleged debts has in all likelihood caught Ghimob. Ghimob has been known since 2021 and can tap data, manipulate screen content or even gain full remote access to the end device if required. BRata, another Android malware, is also aimed at tapping banking access data. However, it has a special feature: BRata is designed to loot crypto wallets.

"Your package will be delivered shortly" - just in a different way than you'd imagine

In 2021, a banking Trojan called Flubot is attracting attention, relying on a technique called "smishing." Smishing is a portmanteau of SMS and phishing - and describes the procedure of this malware. The recipient is notified via SMS that a package has been sent - in the name of large online stores or parcel service providers. The SMS contains a link that leads to an Android app. The app pretends to be a delivery notification app, as known from DHL, for example. Flubot can also disguise itself as a browser or app of an online shipping company. Once nested on the smartphone or tablet, Flubot can do quite a bit of damage. In addition to grabbing credit card data, the malware also makes off with contact information, which is then used for new smishing cyberattacks. Flubot can delete applications, disable Google Play Protect via Android's access feature, and create a list of apps installed on the device.

From Brazil to the whole world - Bizarro becomes a global problem

Bizarro is a new banking Trojan whose origins IT Security locates in Brazil. This malware also relies on phishing as a gateway, but unlike Flubot, Bizarro directs its cyberattacks at Windows PCs. Via email, the selected victim first receives a link with a request to download a Microsoft Installer (MSI) package. Microsoft Installer is actually a runtime environment for installation routines. MSI can install software and configure it automatically - actually a convenient and practical solution. Actually, because Bizarro exploits exactly this convenience feature. If the malware is activated by clicking on the link - the user is prompted to do so via sophisticated social engineering methods in the mail - it downloads a ZIP archive from a Wordpress domain or Azure and AWS servers that have been compromised in advance. In addition to a malicious DLL file and an AutoHotkey script, the ZIP archive contains an additional script that calls a function of the DLL. This function then contains the malicious code that finally brings the banking Trojan onto the system. However, this is when the malware party of cyber attacks really gets started.

The Trojan first terminates all active processes in the web browser, i.e. closes Firefox, Chrome, Edge and Co. The unsuspecting victims think it is a malfunction, restart the session - and enable the malware to grab the relevant login data in the background and immediately forward it to a server controlled by cybercriminals. If you think you are on the safe side with two-factor authentication, you are mistaken! Because the malware supports the cyberattack with pop-ups, which can optionally look like they come from your own bank or like warnings recommending the download of a missing security patch. Even the request to download additional apps to the smartphone can be expected from Bizarro. And if that still wasn't sneaky enough, the banking Trojan can also record keystrokes, take screenshots or get crypto wallet addresses via the clipboard.

"The trend could become such a game-changer in the spread of malware"

Fabio Assolini, a security expert at Kaspersky, sees Bizarro and its ilk as a "trend that could become a game-changer in the spread of banking malware." The game-changer the security expert identifies here is in the way the cybercriminals operate. While it used to be the norm for attackers to target their victims in their home region, the new generation of hackers is going global. Brazil, Argentina, Germany or Spain - the current generation of malware no longer cares about national borders.

How to identify banking Trojans

The malware aims to operate as long as possible and as inconspicuously as possible. Therefore, it is primarily the users who are asked to watch out for suspicious changes.

Indications that could point to a system compromised by Trojans include:

- Online banking reacts differently than usual
- The connection to the bank's website breaks off after entering a TAN.
- During the online session, pop-ups prompt you to enter passwords or TANs
- After entering a password or TAN, an error message appears asking for the data to be re-entered
- Online banking no longer runs via a secure connection (recognizable by http instead of https or an open lock in the browser input bar)

If you suspect that malware has spread on your system, you should immediately:

- Change the personal identification number of your online account.
- Immediately check all account transactions
- Inform your bank about the suspicion
- Permanently ban the Trojan from your system.

Attention: Trojans are masters at hiding. If you are not experienced in using such software yourself, please contact an expert!

With these simple behaviors, most cyber threats can be eliminated before they cause damage. Financial institutions don't have to sit idly by and watch the new form of cyberthreat either! The latest thread intelligence in the Security Operations Center (SOC) and powerful anti-fraud solutions are reliable measures for IT security to stay one step ahead of the attackers.