ESET discovers Casbaneiro banking trojan stealing cryptocurrency in Latin America and abusing YouTube for its C&C

BRATISLAVA – ESET, a global leader in cybersecurity, continues to unravel the TTPs – tactics, techniques, and procedures – of the Latin American banking trojans, and in the process discovered the Casbaneiro family. As part of the research project that identified the Amavaldo malware family, the ESET research team also found Casbaneiro to share related functionality – both malware families use the same cryptographic algorithm and have been distributing a similar-looking email tool.

The Casbaneiro family also makes use of social engineering to fool victims, mimicking Amavaldo’s use of fake pop-up windows and forms. These attacks are usually centered on persuading the victim to take purportedly urgent or necessary action, such as installing a software update or verifying credit card or bank account information.

Once it has infiltrated a victim’s device, Casbaneiro utilizes backdoor commands to take screenshots, restrict access to various banking websites, and log keystrokes. Additionally, Casbaneiro is used to steal cryptocurrency via a technique that monitors clipboard content for cryptocurrency wallet data. If such data are found, the malware replaces the data with the attacker’s own cryptocurrency wallet.

The Casbaneiro malware family can be characterized by its use of multiple cryptographic algorithms, which it uses to obscure strings within its executables and to decrypt downloaded payloads and configuration data. Casbaneiro’s initial vector is a malicious email, the same method used by Amavaldo.

One of the most interesting aspects of Casbaneiro is the operators’ efforts to hide the C&C server domain and port. The C&C server has been hidden in a variety of places, including in fake DNS entries, embedded in online documents stored on Google Docs, or embedded in fake websites that mimic legitimate institutions. In some cases, the C&C server domains have been encrypted and hidden in legitimate websites, most notably in the descriptions of several videos stored on YouTube.

Casbaneiro has primarily targeted Brazilian and Mexican banking applications.

To find out more about Casbaneiro, read “Casbaneiro: Dangerous cooking with a secret ingredient” on WeLiveSecurity.