Researchers have uncovered a new form of malware using remote overlay attacks to strike Brazilian bank account holders.
The new malware variant, dubbed Vizom by IBM, is being utilized in an active campaign across Brazil designed to compromise bank accounts via online financial services.
On Tuesday, IBM security researchers Chen Nahman, Ofir Ozer, and Limor Kessem said the malware uses interesting tactics to stay hidden and to compromise user devices in real-time — namely, remote overlay techniques and DLL hijacking.
Vizom spreads through spam-based phishing campaigns and disguises itself as popular videoconferencing software, tools that have become crucial to businesses and social events due to the coronavirus pandemic.
Once the malware has landed on a vulnerable Windows PC, Vizom will first strike the AppData directory to begin the infection chain. By harnessing DLL hijacking, the malware will attempt to force the loading of malicious DLLs by naming its own Delphi-based variants with names expected by the legitimate software in their directories.
By hijacking a system’s “inherent logic,” IBM says the operating system is tricked into loading Vizom malware as a child process of a legitimate videoconferencing file. The DLL is named Cmmlib.dll, a file associated with Zoom.
“To make sure that the malicious code is executed from “Cmmlib.dll,” the malware’s author copied the real export list of that legitimate DLL but made sure to modify it and have all the functions direct to the same address — the malicious code’s address space,” the researchers say.
A dropper will then launch zTscoder.exe via command prompt and a second payload, a Remote Access Trojan (RAT), is extracted from a remote server — with the same hijacking trick performed on the Vivaldi Internet browser.
To establish persistence, browser shortcuts are tampered with and no matter what browser a user attempts to run, the malicious Vivaldi/Vizom code will run in the background.
The malware will then quietly wait for any indication that an online banking service is being accessed. If a webpage’s title name matches Vizom’s target list, operators are alerted and can connect remotely to the compromised PC.
As Vizom has already deployed RAT capabilities, attackers can take over a compromised session and overlay content to trick victims into submitting access and account credentials for their bank accounts.
Remote control capabilities also abuse Windows API functions, such as moving a mouse cursor, initiating keyboard input, and emulating clicks. Vizom can also grab screenshots through Windows print and magnifier functions.
In order to create convincing overlays, the malware generates HTML files and then loads them in Vivaldi in application mode. A keylogger is then launched, with input encrypted, packaged, and whisked away to the attacker’s command-and-control (C2) server.
“The remote overlay malware class has gained tremendous momentum in the Latin American cybercrime arena through the past decade making it the top offender in the region,” IBM says. “At this time, Vizom focuses on large Brazilian banks, however, the same tactics are known to be used against users across South America and has already been observed targeting banks in Europe as well.”
Previous and related coverage
Have a tip? Get in touch securely via WhatsApp | Signal at +447713 025 499, or over at Keybase: charlie0