July 25, 2023THNMoreMalware/Cyberthreat

Financial attackers are behind it Casbaneiro Banking malware family is known as User Account Control (UAC) gaining full administrative privileges on a machine is a sign attackers are evolving their tactics to evade detection and execute malicious code on compromised assets.

“While they remain focused on Latin American financial institutions, the change in their methodology also represents a significant risk for multi-regional financial institutions,” Signia said. Said said in a statement shared with HackerNews.

Casbaneiro, also known as Metamorfo and Ponteiro, is best known as a banking Trojan that first appeared in 2018 in a mass email spam campaign targeting the financial sector in Latin America.

The infection chain typically begins with a phishing email that points to a booby-trapped attachment that, when launched, launches a series of steps that lead to the deployment of banking malware, alongside scripts that leverage Living-off-the-land (LotL) techniques to fingerprint the host and gather system metadata.

This stage also downloads a binary called Horabot. It is designed to spread the infection internally to other unsuspecting employees of the compromised organization.

In its previous report, published in April 2022, the cybersecurity firm said, “The lack of obvious anomalies in the email headers (suspicious external domains) further increases the credibility of the emails sent, which is typically what triggers the behavior and mitigation of email security solutions. The emails contain the same PDF attachments used to compromise the previous victim host, thus running the chain again.”

What has changed in the recent wave of attacks is that attacks are launched by spear-phishing emails containing embedded links to HTML files that redirect the target to download a RAR file. This is different from using malicious PDF attachments that contain download links to ZIP files.

upcoming webinars

Shielding Against Insider Threats: Mastering SaaS Security Posture Management

Worried about insider threats? We’ve got you covered! Join us for this webinar to explore practical strategies and proactive security secrets using SaaS Security Posture Management.

join today

The second major change in the method is fodhelper.exe to achieve UAC Bypass Provides high integrity level execution.

Sygnia also said it observed Casbaneiro attackers creating mock folders on C:\Windows[space]It uses \system32 to copy the fodhelper.exe executable, but the specially crafted path is said to never be used for compromise.

“Attackers may have deployed the mock folder to bypass AV detection or utilize it to sideload DLLs containing Microsoft-signed binaries for UAC bypass,” the company said.

This development marks the third time the pseudo-trust folder technique has been detected in the wild in recent months, and it has been used in campaigns distributing a malware loader called DBatLoader and remote access Trojans such as Warzone RAT (aka Ave Maria).

Did you enjoy this article? Follow us twitter and LinkedIn To read more of the exclusive content we post.



Register now for our membership to gain access to our elite training program and fast forward your career today!


Subscribe my Newsletter for new blog posts, tips & new photos. Let's stay updated!

Security Blog

Blue Training Academy

Blue Training Academy was developed in 2018 as a educational and training facility for continuing education and certification courses. Blue Training Academy is an educational institution that allows for all sectors of the public and Criminal Justice field to gain ongoing training and education.

Copyright ©️ All rights reserved. | Blue Training Academy Blog