This wave is linked to the banking Trojan that Kaspersky has named Bizarro. The affected countries include Spain, Portugal, France and Italy, as well as several Latin American countries, with Brazil one of the main targets.
They use real websites that have already been hacked
The campaign has several moving parts. The most important is tricking users into entering two-factor verification codes on fake websites that are actually under the attackers' control. Social engineering is also used to get users to download a malicious app onto their devices, with the initial contact made by email.
To host the malware, Bizarro uses compromised WordPress, Amazon and Azure servers, so that “real” websites serve the malicious files and the checks of Google Safe Browsing are bypassed. The malware is delivered as an MSI package which, when opened, downloads a ZIP containing a DLL that injects the final payload. The main module stays inactive until it detects a connection to one of the 70 online banks it is able to impersonate.
When it detects that the user has opened a bank's website, the malware kills every browser process, closing all tabs including the genuine bank session. When the user reopens the browser, they have to re-enter their bank credentials, which the malware captures. It also disables the browser's autocomplete, so the user is forced to type the credentials by hand and the malware's keylogger records them.
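The browser-kill step described above is a distinctive, observable behaviour on the endpoint: a lookup of a bank domain followed within seconds by the termination of every browser process that was running. As an added example that is not from the article or from Kaspersky's report, the following Python correlates that pattern over constructed Sysmon-style events (Sysmon IDs 1 ProcessCreate, 5 ProcessTerminate, 22 DnsQuery). The pipe-separated log format, the bank watch-list entry "online.bank.example" and the 15-second window are assumptions made for the example.

```python
# Added example (not from the article or from Kaspersky): correlate the
# "kill every browser right after a bank visit" behaviour over constructed
# Sysmon-style events. Event IDs follow Sysmon: 1 ProcessCreate,
# 5 ProcessTerminate, 22 DnsQuery.
from dataclasses import dataclass
from datetime import datetime, timedelta

BROWSERS = {"chrome.exe", "firefox.exe", "msedge.exe", "iexplore.exe"}
# Assumption: the defender keeps a watch-list of its users' bank domains.
# "online.bank.example" is a placeholder, not a domain from the report.
BANK_DOMAINS = {"online.bank.example"}


@dataclass
class Event:
    ts: datetime
    event_id: int
    pid: int
    image: str      # process image basename, lower-cased
    detail: str     # DNS query name for event 22, empty otherwise


def parse_events(lines):
    """Parse 'ISO-timestamp|event_id|pid|image|detail' lines (constructed format)."""
    events = []
    for line in lines:
        ts, eid, pid, image, detail = line.strip().split("|")
        events.append(Event(datetime.fromisoformat(ts), int(eid), int(pid),
                            image.lower(), detail))
    return sorted(events, key=lambda e: e.ts)


def detect_browser_kill_after_bank_visit(events, window=timedelta(seconds=15)):
    """Return one alert per bank-domain DNS lookup from a browser after which
    every browser process that was alive at the lookup terminates within
    `window`. Closing one tab or a single browser crash does not match:
    all browser PIDs in the snapshot must end inside the window."""
    running = set()   # browser PIDs currently alive
    ended = {}        # pid -> termination timestamp
    visits = []       # (timestamp, domain, frozenset of PIDs alive at lookup)
    for e in events:
        if e.image not in BROWSERS:
            continue
        if e.event_id == 1:
            running.add(e.pid)
        elif e.event_id == 5:
            running.discard(e.pid)
            ended[e.pid] = e.ts
        elif e.event_id == 22 and e.detail in BANK_DOMAINS and running:
            visits.append((e.ts, e.detail, frozenset(running)))
    alerts = []
    for ts, domain, pids in visits:
        if all(pid in ended and ts <= ended[pid] <= ts + window for pid in pids):
            alerts.append({"at": ts, "domain": domain, "killed_pids": sorted(pids)})
    return alerts


# Constructed sample: two browser processes, a bank lookup, both processes
# gone 3 s later, then the browser is relaunched (the credential re-entry
# stage described in the article).
SAMPLE_LOG = [
    "2021-05-17T10:00:00|1|4100|chrome.exe|",
    "2021-05-17T10:00:01|1|4120|chrome.exe|",
    "2021-05-17T10:05:00|22|4100|chrome.exe|online.bank.example",
    "2021-05-17T10:05:03|5|4100|chrome.exe|",
    "2021-05-17T10:05:03|5|4120|chrome.exe|",
    "2021-05-17T10:05:10|1|4300|chrome.exe|",
]

# Constructed benign control: the bank lookup is followed by only one
# browser window closing, so no alert should fire.
BENIGN_LOG = [
    "2021-05-17T11:00:00|1|5100|firefox.exe|",
    "2021-05-17T11:00:01|1|5120|firefox.exe|",
    "2021-05-17T11:02:00|22|5100|firefox.exe|online.bank.example",
    "2021-05-17T11:02:05|5|5120|firefox.exe|",
]

if __name__ == "__main__":
    for a in detect_browser_kill_after_bank_visit(parse_events(SAMPLE_LOG)):
        print(f"ALERT {a['at'].isoformat()} {a['domain']} "
              f"all browsers killed: {a['killed_pids']}")
    print("benign alerts:", detect_browser_kill_after_bank_visit(parse_events(BENIGN_LOG)))
```

Sysmon's ProcessTerminate event does not record which process ended the browser, which is why the rule keys on timing and on every browser PID ending together rather than on a killer image name. In production the rule would also need suppression during user logoff and browser updates, both of which legitimately close every browser window at once.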
They steal credentials and money
During this process an alert page is usually shown saying “Our system has detected that the security of your access device may be compromised” and that the device is going to be scanned. Meanwhile the attackers open programs and carry out bank transactions, which they claim are needed to “confirm the ownership of the account”, when in fact they are withdrawing money from it.
Beyond keylogging, the malware collects all kinds of information from the computer and can also take control of the mouse, capture screenshots and even restrict Windows functionality. Its design is increasingly sophisticated and hard to detect, since staying dormant until a bank is visited gives antivirus little to act on. This is combined with more refined social engineering and a targeted attack that recognises more than 70 different entities.
The usual advice therefore applies: do not open suspicious links in email, and if a notification arrives, type the bank's address by hand and check there whether any message or notification actually exists.