Banking malware, including Trojans which steal your online credentials and screen grabbers, usually place heavy emphasis on remaining undetected for as long a period of time as possible.
The majority of these malware variants will deploy on victim machines in order to gather information and steal credentials, of which will then be sent to a command-and-control (C&C) server controlled by threat actors.
Once data relevant to a financial account is stolen and transferred, this information will be used to plunder bank accounts and conduct identity theft, or will be prepared for sale on the Dark Web.
A new financial malware bucks the trend and rather than employ heavy stealth techniques to stay hidden, instead, camouflages itself as a legitimate bank security system.
Dubbed CamuBot, IBM X-Force researchers said on Tuesday that the financial malware is masquerading as security modules required by target banks for online business banking.
The malware appears to be focusing on Brazilian banks at present. Limor Kessem, Global Executive Security Advisor at IBM Security says that business banking customers are most at risk of being targeted.
CamuBot first came on the radar in August. The new malware strain was spotted by IBM due to a slew of sophisticated, targeted attacks against companies and public sector organizations which rely on social engineering.
The operators behind the malware begin by performing basic reconnaissance to find businesses which are connected to a bank of interest. A phone call is then made to someone from the business which is likely to know the information required to access a business bank account.
While masquerading as a bank employee, a criminal involved in the scheme then attempts to direct the victim to an online domain in order to 'check the status' of a security module.
Naturally, this 'check' will show the module -- which uses bank logos and a color scheme which makes it appear to be legitimate security software -- needs an update.
The victim is then directed to install a "new" security module, which is, in fact, an installation wizard for the CamuBot Trojan.
A fake Windows application, which features the target bank's logo, will then execute. CamuBot then writes dynamic files to the Windows folder to establish an SSH-based SOCKS proxy module, as well as add itself to the Windows Firewall to appear trusted.
The victim is then redirected to a phishing website where they are asked to log in with their bank credentials. This domain then sends the account information to the threat actors behind CamuBot.
"The proxy module is loaded and establishes port-forwarding," IBM says. "This feature is generally used in a two-way tunneling of application ports from the client's device to the server. In CamuBot's case, the tunnel allows attackers to direct their own traffic through the infected machine and use the victim's IP address when accessing the compromised bank account."
Having patiently ran through the infection chain with the victim on the phone, if the credentials are deemed enough, the threat actor then hangs up.
Biometric authentication, which is being used fairly often to protect bank accounts online, can also be compromised.
According to IBM, the malware is able to fetch and install drivers for authentication devices and operators may ask victims to enable remote sharing. This, in turn, allows the cyberattackers to intercept and steal one-time passwords generated for authentication.
The cybersecurity researchers say that the majority of attacks are taking place in Brazil, and while no CamuBot infections have been detected in other countries, this may change in the future.
Last month, cybercriminals highlighted how important it is for financial institutions to maintain good levels of cybersecurity protection. In a bold bank heist, unknown threat actors managed to steal $13.5 million from India's oldest bank, Cosmos.
In a two-stage attack, fraudulent SWIFT transactions were made across multiple countries alongside a wave of debit card transactions across India. Some of the funds were transferred to Hong Kong.
The attack has been connected to Lazarus, a state-sponsored threat group believed to originate in North Korea.