A new malware called CamuBot has been uncovered with its first attack centered on Brazilian bank customers.
The malware hides in plain sight, posing as a security module the victim's bank requires its customers to install, and mimics the bank's online branding all the way down to the bank's logo.
According to researchers with IBM’s X-Force team, CamuBot was first discovered on August 28 after showing up in an attack on business-class banking customers in Brazil. It was IBM that dubbed the malware CamuBot.
“CamuBot is more sophisticated than the remote-overlay type malware commonly used in fraud schemes,” wrote Limor Kessem, an Executive Security Advisor with IBM.
“Instead of simplistic fake screens and a remote access tool, CamuBot tactics...focuses on business banking and blends social engineering with malware-assisted account and device takeover.”
Kessem went on to say that the malware appears to be focusing on Brazilian banks in its first series of raids and that business banking customers carry the most risk.
How does CamuBot differ from other malware?
“The delivery of CamuBot is personalized,” said Kessem. “Since the malware’s operators target businesses in Brazil, it is very possible that they gather information from local phone books, search engines or professional social networks to get to people who own a business or would have the business’s bank account credentials.”
In the financial world, malware-driven theft is on the rise. In January, ConsumerAffairs reported on “jackpotting,” a scheme in which malware took control of automated teller machines (ATMs) and made them dispense cash.
CamuBot's game is to lie low for as long as possible so that the end user comes to see it as a normal component of online banking. Once it has been accepted as part of that routine, it goes after online credentials and keystrokes. ThreatPost reported that, in some cases, the malware can also hijack one-time passwords used alongside biometric authentication.
Once the bot has what it came for, it sends the data to a command-and-control (C&C) server that the threat actors run as the headquarters of their theft operation. From there, the stolen information is used to drain bank accounts or commit identity theft, or is packaged up for sale on the Dark Web.
Cybercriminals recently demonstrated how crucial it is for financial institutions to keep their systems hardened and closely monitored when threat actors stole $13.5 million from Cosmos Bank, one of India's oldest cooperative banks.