Financial attackers are behind it Casbaneiro Banking malware family is known as User Account Control (UAC) gaining full administrative privileges on a machine is a sign attackers are evolving their tactics to evade detection and execute malicious code on compromised assets.
“While they remain focused on Latin American financial institutions, the change in their methodology also represents a significant risk for multi-regional financial institutions,” Signia said. Said said in a statement shared with HackerNews.
Casbaneiro, also known as Metamorfo and Ponteiro, is best known as a banking Trojan that first appeared in 2018 in a mass email spam campaign targeting the financial sector in Latin America.
The infection chain typically begins with a phishing email that points to a booby-trapped attachment that, when launched, launches a series of steps that lead to the deployment of banking malware, alongside scripts that leverage Living-off-the-land (LotL) techniques to fingerprint the host and gather system metadata.
This stage also downloads a binary called Horabot. It is designed to spread the infection internally to other unsuspecting employees of the compromised organization.
In its previous report, published in April 2022, the cybersecurity firm said, “The lack of obvious anomalies in the email headers (suspicious external domains) further increases the credibility of the emails sent, which is typically what triggers the behavior and mitigation of email security solutions. The emails contain the same PDF attachments used to compromise the previous victim host, thus running the chain again.”
What has changed in the recent wave of attacks is that attacks are launched by spear-phishing emails containing embedded links to HTML files that redirect the target to download a RAR file. This is different from using malicious PDF attachments that contain download links to ZIP files.
Shielding Against Insider Threats: Mastering SaaS Security Posture Management
Worried about insider threats? We’ve got you covered! Join us for this webinar to explore practical strategies and proactive security secrets using SaaS Security Posture Management.
Sygnia also said it observed Casbaneiro attackers creating mock folders on C:\Windows[space]It uses \system32 to copy the fodhelper.exe executable, but the specially crafted path is said to never be used for compromise.
“Attackers may have deployed the mock folder to bypass AV detection or utilize it to sideload DLLs containing Microsoft-signed binaries for UAC bypass,” the company said.
This development marks the third time the pseudo-trust folder technique has been detected in the wild in recent months, and it has been used in campaigns distributing a malware loader called DBatLoader and remote access Trojans such as Warzone RAT (aka Ave Maria).