CamuBot: New banking Trojan disguises itself as security module, can bypass biometric authentication

• IBM X-Force researchers said the banking malware does not hide its deployment and is, instead, very visible.
• Camubot's behavior resembles that of sophisticated Eastern European-linked malware such as Dridex, TrickBot and QakBot, researchers said.

Security researchers have spotted a unique banking Trojan targeting major Brazilian bank customers that disguises itself as a 'necessary' security module required by the targeted bank for online banking. According to IBM X-Force researchers, the malware dubbed Camubot first emerged in August 2018 and utilizes a mixed bag of techniques to slip past strong security and authentication controls.

The authors behind Camubot have been leveraging the new malware strain in targeted attacks against companies and public sector organizations using social engineering techniques.

"Unlike other malware operated in Brazil, CamuBot is a defined new code. Very different from typical banking Trojans, CamuBot does not hide its deployment," Limor Kessem, a global executive security advisor with IBM Security, wrote. "On the contrary, it is very visible, using bank logos and overall brand imaging to appear like a security application. It thus gains victims’ trust and leads them to install it without realizing they are running an installation wizard for a Trojan horse."

Researchers noted that the malware does not rely on fake screens or a remote access tool as seen in other banking malware campaigns or fraud schemes. Rather, Camubot's behavior resembles that of sophisticated Eastern European-linked malware such as Dridex, TrickBot and QakBot. These malware strains primarily focus on business banking and combine social engineering techniques with malware to infiltrate accounts and devices.

Modus Operandi

The distribution of the malware is highly personalized. The threat actors first identify businesses that bank with a targeted financial institution and gather information on people who own it or would have the businesses' bank account credentials via local phone books, search engines or professional social networks.

Once the target has been identified, the attackers pose as a bank employee and initiate a phone call to the individual. The victim is instructed to browse to a certain URL and check whether their "security module" is up-to-date. After the validity check turns out to be negative, the attackers trick the victim into installing a "new" update for the security module to continue their online banking activities.

The victims are then asked to close all running apps, download and run the installation of the malicious software with a Windows administrator profile.

"At this point, a fake application that features the bank’s logos starts downloading," the researcher explains. "Behind the scenes, CamuBot is fetched and executed on the victim’s device. The name of the file and the URL from which it is downloaded change in every attack."

Camubot edits and adds itself to the Windows firewall's and antivirus rules to appear trusted. It also establishes as a Secure Shell (SSH)-based SOCKS proxy to communicate with the infected device and establish port forwarding.

"This feature is generally used in a two-way tunneling of application ports from the client’s device to the server," Kessem explains. "In CamuBot’s case, the tunnel allows attackers to direct their own traffic through the infected machine and use the victim’s IP address when accessing the compromised bank account.

"After installation completes, a pop-up screen redirects the victim to a phishing site purporting to be their bank’s online banking portal. The victim is asked to log into his or her account, thereby unknowingly sending the credentials to the attacker."

If the credentials acquired are enough for an account takeover, the attacker simply hangs up.

CamuBot vs. Biometric protections

Financial institutions are increasingly implementing biometric authentication measures to protect customers and bank accounts. However, according to IBM researchers, CamuBot attempts to bypass these strong protections as well.

If CamuBot happens to encounter a strong authentication device attached to the targeted PC, the malware can fetch and install a driver for that device. In such an instance, the victim is asked to enable remote sharing. This allows the threat actors to intercept and steal one-time passwords that are generated for authentication.

"A more concerning possibility was that the device driver deployed by CamuBot was similar to other devices supplied by the same vendor, some of which are used for biometric authentication," Kessem notes. "If the same remote sharing is authorized by a duped user, he or she could unknowingly compromise the biometric authentication process."

Camubot is currently targeting business account holders in Brazil and not infections have been spotted in other countries. However, researchers note that this could change over time.