Casbaneiro Banking Trojan Strikes Financial Institutions for Credential Theft
Category: Malware Campaign | Industry: Financial | Source: Sygnia
Phishing campaigns distributing the Casbaneiro banking Trojan have been active since 2018, targeting financial institutions in Latin America to gather credentials. Recent data from VirusTotal submissions suggests the campaign has expanded to encompass North and South America. While tracking the campaign, Sygnia discovered a new UAC bypass technique employed by threat actors, allowing them to avoid user UAC prompts. The typical Casbaneiro attack chain involves a phishing email with a malicious HTML attachment, leading to the download of an archive file containing a dropper script. Although PowerShell scripts are commonly used, batch files have also been observed.
The UAC bypass technique involves executing the Windows Fodhelper executable, fodhelper.exe, after creating registry keys under the path HKCU:\Software\Classes\ms-settings\shell\open\. "Once fodhelper.exe is executed, either manually or by navigating to “Manage Optional Features” in Windows, it executes the command line with high integrity execution, thus bypassing the UAC prompt," reports Sygnia. Additionally, the threat actors hide the copied Fodhelper executable in a folder that mimics system32 with a slight discrepancy in its name, such as an extra space.
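A host-level hunt for the two artefacts this technique leaves behind, as an added PowerShell example that is not part of Sygnia's report: the HKCU ms-settings command key and a look-alike system32 folder holding a copied fodhelper.exe. The directories chosen as search roots are an assumption, not something the report specifies.

```powershell
# Hunting check for the fodhelper hijack described above (added example, not Sygnia's code).
function Find-FodhelperHijackIndicators {
    param(
        # Assumption: parent directories where a fake "system32 " folder might be planted.
        [string[]]$SearchRoots = @("$env:SystemDrive\", $env:SystemRoot)
    )
    $findings = @()

    # 1. A clean user profile has no ms-settings\shell\open\command key under HKCU;
    #    its presence means the bypass has been staged. Dump every value for triage.
    $keyPath = 'HKCU:\Software\Classes\ms-settings\shell\open\command'
    if (Test-Path -LiteralPath $keyPath) {
        $key    = Get-Item -LiteralPath $keyPath
        $values = foreach ($name in $key.GetValueNames()) { "$name=$($key.GetValue($name))" }
        $findings += [pscustomobject]@{
            Type   = 'Registry'
            Item   = $keyPath
            Detail = ($values -join '; ')
        }
    }

    # 2. Folders that read "system32" once whitespace is removed (e.g. "system32 " with a
    #    trailing space) are the look-alikes used to park the copied fodhelper.exe.
    $realSystem32 = Join-Path $env:SystemRoot 'System32'
    foreach ($root in $SearchRoots) {
        Get-ChildItem -LiteralPath $root -Directory -Force -ErrorAction SilentlyContinue |
            Where-Object { (($_.Name -replace '\s', '') -ieq 'system32') -and ($_.FullName -ne $realSystem32) } |
            ForEach-Object {
                $copy = Join-Path $_.FullName 'fodhelper.exe'
                $findings += [pscustomobject]@{
                    Type   = 'Folder'
                    Item   = $_.FullName
                    Detail = "name '$($_.Name)' mimics system32; fodhelper.exe present: $(Test-Path -LiteralPath $copy)"
                }
            }
    }
    return $findings
}

# Usage: prints a table of indicators, or nothing on a clean host.
Find-FodhelperHijackIndicators | Format-Table -AutoSize
```

Run it under the user context that received the phishing mail, since the key lives in that user's HKCU hive.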