CASBANEIRO Hackers Target Latin American Bank Executives

Cybersecurity researchers recently discovered that the operators of the Casbaneiro malware family, a cybercriminal group known for targeting the banking sector in Latin America, have been using a technique that bypasses the Windows User Account Control (UAC) prompt in order to gain full administrative privileges.

According to a report by Sygnia, the criminals are still primarily focused on Latin American financial institutions, but their new methods pose a significant risk for financial organizations in other countries as well.

Casbaneiro, also known as Metamorfo and Ponteiro, is a banking Trojan that first emerged in 2018 in mass spam emails targeting the Latin American financial sector.

In the recent waves of attacks, the infection starts with a phishing email containing a link to a malicious HTML file, which redirects the victim to download a malicious RAR archive. Previously, the attackers used PDF files that loaded ZIP archives in the background.

The second significant change in their techniques is the use of the Windows binary fodhelper.exe to gain administrator privileges. According to Sygnia, in the latest attacks the attackers also create a fake directory, "C:\Windows \System32" (with extra whitespace inserted into the path), into which they copy fodhelper.exe.

Researchers at Sygnia speculate that the attackers created this fake directory either to evade antivirus detection or to enable DLL sideloading alongside a Microsoft-signed library.

This is the third known case in recent months in which attackers have used mock trusted directories in real-world attacks. The technique was previously seen in campaigns distributing the DBatLoader loader and various remote access trojans, such as Warzone RAT.
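Both changes in tradecraft described above leave traces in process-creation telemetry: Windows auto-elevates fodhelper.exe without a UAC prompt only when it runs from its genuine System32 location, and a mock trusted directory differs from the real one solely by whitespace padded into a path component. The Python below is an added hunting example, not code from the article or from Sygnia's report. It normalizes the Image path of Sysmon-style process-creation events and flags two conditions: a directory that only resembles a trusted one because of padded whitespace, and an auto-elevating binary executing from anywhere other than the real system directories. The sample log lines, their "Key: value" layout, and the trusted-directory list are constructed assumptions for this example.

```python
"""Flag process-creation events that show a mock trusted directory or an
auto-elevating binary running outside System32 (added hunting example)."""
import re
from dataclasses import dataclass
from typing import List

# Directories whose contents Windows auto-elevates without a UAC prompt (assumed list).
TRUSTED_DIRS = (r"c:\windows\system32", r"c:\windows\syswow64")
# Auto-elevating binaries known to be abused; fodhelper.exe is the one named in the report.
AUTO_ELEVATE_BINARIES = {"fodhelper.exe"}


@dataclass(frozen=True)
class Finding:
    rule: str
    image: str


def _canonical(path: str) -> str:
    """Lower-case and unify separators without touching whitespace."""
    return path.lower().replace("/", "\\").rstrip("\\")


def normalize(path: str) -> str:
    """Canonical path with whitespace padding removed from every component,
    so 'C:\\Windows \\System32' becomes 'c:\\windows\\system32'."""
    return "\\".join(part.strip() for part in _canonical(path).split("\\"))


def is_mock_trusted_dir(directory: str) -> bool:
    """True when the directory only looks trusted because of padded whitespace."""
    raw, clean = _canonical(directory), normalize(directory)
    if raw == clean:
        return False  # no padding present: this is the genuine directory
    return any(clean == t or clean.startswith(t + "\\") for t in TRUSTED_DIRS)


def analyze_event(image: str) -> List[Finding]:
    """Apply both rules to the Image field of one process-creation event."""
    directory, _, name = image.rpartition("\\")
    findings: List[Finding] = []
    if is_mock_trusted_dir(directory):
        findings.append(Finding("mock_trusted_directory", image))
    # Compare the path as written: a padded copy of System32 is still outside System32.
    if name.lower() in AUTO_ELEVATE_BINARIES and _canonical(directory) not in TRUSTED_DIRS:
        findings.append(Finding("auto_elevate_binary_outside_system_dir", image))
    return findings


# Constructed sample events in a Sysmon-like "Key: value" layout (not real telemetry).
SAMPLE_EVENTS = [
    r"EventID: 1 | Image: C:\Windows\System32\fodhelper.exe | User: CORP\alice",
    r"EventID: 1 | Image: C:\Windows \System32\fodhelper.exe | User: CORP\alice",
    r"EventID: 1 | Image: C:\Users\alice\AppData\Local\Temp\fodhelper.exe | User: CORP\alice",
    r"EventID: 1 | Image: C:\Program Files\Vendor\tool.exe | User: CORP\alice",
]

# Lazy match keeps interior whitespace in the path but drops the padding before the separator.
_IMAGE_RE = re.compile(r"Image:\s*(.*?)\s*(?:\||$)")


def scan_log(lines) -> List[Finding]:
    """Run analyze_event over every line that carries an Image field."""
    out: List[Finding] = []
    for line in lines:
        m = _IMAGE_RE.search(line)
        if m:
            out.extend(analyze_event(m.group(1)))
    return out


if __name__ == "__main__":
    for f in scan_log(SAMPLE_EVENTS):
        print(f"{f.rule:40} {f.image}")
```

The normalization strips whitespace from each path component separately rather than only trimming the ends of the string, because the padding sits in the middle of the path; a comparison that only lower-cases the string would treat the mock directory as distinct from System32 and miss the first rule. On a live host the existence of such a directory is itself a strong signal, since Explorer and most tooling refuse to create a folder whose name ends in a space.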
