Casbaneiro steals cryptocurrency in Latin America
2019-10-02

ESET is unravelling the tactics, techniques, and procedures (TTPs) of the Latin American banking trojans, and in the process discovered the Casbaneiro family.

As part of the research project that identified the Amavaldo malware family, the ESET research team also found that Casbaneiro shares related functionality: both malware families use the same cryptographic algorithm, and both have been distributed via similar-looking emails.

The Casbaneiro family also makes use of social engineering to fool victims, mimicking Amavaldo's use of fake pop-up windows and forms. These attacks usually centre on persuading the victim to take purportedly urgent or necessary action, such as installing a software update or verifying credit card or bank account information.

Once it has infiltrated a victim’s device, Casbaneiro utilises backdoor commands to take screenshots, restrict access to various banking websites, and log keystrokes.

Additionally, Casbaneiro is used to steal cryptocurrency via a technique that monitors clipboard content for cryptocurrency wallet data. If such data are found, the malware replaces the copied wallet address with the attacker's own wallet address, so that a victim who pastes the address into a transaction unknowingly sends funds to the attacker.
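A defender-side check for the clipboard swap described above, added here as an illustration; it is not code from ESET's report or from the malware. It assumes legacy Base58Check Bitcoin addresses (the report does not say which wallet format Casbaneiro targets) and that the caller records the text the user actually copied so it can be compared with the clipboard contents at paste time:

```python
import hashlib
import re

# Base58 alphabet used by legacy Bitcoin addresses (assumption: the report
# does not name the wallet format, so legacy Base58Check is used here).
_B58 = "123456789ABCDEFGHJKLMNPQRSTUVWXYZabcdefghijkmnopqrstuvwxyz"
_ADDR_RE = re.compile(r"\b[13][1-9A-HJ-NP-Za-km-z]{25,34}\b")


def _b58check_valid(addr):
    """True if addr decodes to 25 bytes whose double-SHA256 checksum matches."""
    n = 0
    for ch in addr:
        idx = _B58.find(ch)
        if idx < 0:
            return False
        n = n * 58 + idx
    raw = n.to_bytes((n.bit_length() + 7) // 8, "big")
    # Each leading '1' encodes one leading zero byte.
    pad = len(addr) - len(addr.lstrip("1"))
    raw = b"\x00" * pad + raw
    if len(raw) != 25:
        return False
    payload, checksum = raw[:-4], raw[-4:]
    return hashlib.sha256(hashlib.sha256(payload).digest()).digest()[:4] == checksum


def wallet_addresses(text):
    """Return the well-formed wallet addresses found in text."""
    return [m for m in _ADDR_RE.findall(text) if _b58check_valid(m)]


def detect_clipboard_swap(copied, clipboard_now):
    """Compare what the user copied with what the clipboard now holds.

    Returns None when no wallet address is involved or nothing changed, and a
    dict describing the substitution when the address set differs, which is
    the symptom of a clipboard-hijacking stealer.
    """
    before = wallet_addresses(copied)
    after = wallet_addresses(clipboard_now)
    if not before or not after or set(before) == set(after):
        return None
    return {"expected": before, "found": after}
```

The two addresses used in the test are constructed, well-known public example addresses, not indicators from the report.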

The Casbaneiro malware family can be characterised by its use of multiple cryptographic algorithms, used to obscure strings within its executables and to decrypt downloaded payloads and configuration data. Casbaneiro's initial infection vector is a malicious email, the same method used by Amavaldo.

One of the most interesting aspects of Casbaneiro is the operators' efforts to hide the C&C server domain and port. The C&C address has been hidden in a variety of places, including fake DNS entries, online documents stored on Google Docs, and fake websites that mimic legitimate institutions.

In some cases, the C&C server domains have been encrypted and hidden in legitimate websites, most notably in the descriptions of several videos hosted on YouTube.

Casbaneiro has primarily targeted Brazilian and Mexican banking applications.