Malware analysis

CamuBot Banking Malware Stands out for Its Ability to Bypass Biometric Authentication

Pierluigi Paganini
November 1, 2018 by
Pierluigi Paganini

A few days ago, security experts from IBM X-Force spotted a new strain of malware, tracked under the name CamuBot and targeting Brazilian bank customers. The malicious code immediately caught the attention of the researchers because it attempts to bypass biometric account protections.

The Brazilian underground is characterized by its offering of banking Trojans. Many forms of malware designed by Brazilian VXers target internal banking users and implement several techniques to steal victims’ credentials. Brazil ranks in the top counties worldwide in terms of online banking fraud and malware infections.

Become a certified reverse engineer!

Become a certified reverse engineer!

Get live, hands-on malware analysis training from anywhere, and become a Certified Reverse Engineering Analyst.

The criminals behind the CamuBot malware use social engineering techniques to deceive the victims. The malicious code, in fact, presents itself as a security module provided by a bank.

The name CamuBot comes from the camouflage ability of the malware. Experts have observed that the user interface of the module is designed with the appearance of the victim's banking software.

Researchers from IBM X-Force spotted the threat in August 2018 when it was used in a targeted campaign against business-class banking customers.

“CamuBot emerged in Brazil in August 2018 in what appeared to be targeted attacks against business banking users. According to X-Force’s findings, the malware’s operators are actively using it to target companies and public sector organizations, mixing social engineering and malware tactics to bypass strong authentication and security controls,” reads the analysis published by IBM.

CamuBot is quite different from the other malware in the Brazilian threat landscape. Its code it completely new, doesn’t hide its deployment and is more sophisticated than the remote-overlay type malware commonly used in fraud schemes targeting users in Brazil.

CamuBot doesn’t display victims with fake overlay screens. Instead, it implements the attack scheme used by other banking malware such as TrickBot, Dridex and QakBot.

CamuBot is more sophisticated than the remote-overlay type malware commonly used in fraud schemes targeting users in Brazil,” say experts.

“CamuBot’s fraud method is a mix of elements that are designed to lure potential victims into installing the malware on their device and then walk them through unknowingly authorizing a fraudulent transaction.”

The operators are actively targeting companies and public-sector organizations with a mix of social engineering techniques and malware tactics to bypass strong authentication mechanisms and security controls implemented by the targeted banks.

The attackers first carry out a reconnaissance phase to collect information used in the attack. The experts believe operators distribute the malware through targeted techniques that leverage on the information gathered in reconnaissance phase (e.g., data from local phone books, search engines or professional social networks).

Once the attackers have chosen a victim and have collected the necessary information about it, they approach it via phone calls. Attackers posing as bank IT support instruct victims to visit a specific URL to verify that their “security module” is up-to-date.

Of course, the verification will urge the victim to install the fake update used to spread the malware. Then the attackers instruct victims to close all running programs and to download and install the malicious software using the Windows admin profile.

While the fake software featuring the bank’s look and feel starts downloading, the CamuBot is fetched and executed on the victim’s device.

Expert noticed that the attackers used a different name of the file and a unique URL for each attack.

Figure 1 - Malicious software posing as a legitimate security component

The communication with the infected device is established by the malware through a Secure Shell (SSH)-based SOCKS proxy. The SSH module’s dynamic link library (“%TEMP%Renci.SshNet.dll.”) is a free tool that was obtained via GitHub.

“The proxy module is loaded and establishes port forwarding. This feature is generally used in a two-way tunneling of application ports from the client’s device to the server,” continues the analysis.

“In CamuBot’s case, the tunnel allows attackers to direct their own traffic through the infected machine and use the victim’s IP address when accessing the compromised bank account.”

The interaction between the attackers and the victim is a key feature of the CamuBot attack. While the attacker is on the phone with the victim, a pop-up screen redirects the victim to a phishing site purporting to be legitimate online banking portal.

The bogus website is used to collect the credential provided by the victims that are instructed to log into their account by the attacker via phone.

Using this trick, the hackers can obtain the credentials from the victims. However, in some cases they are not enough to take over the bank account because it is protected by biometric authentication or other authentication hardware attached to the targeted PC.

In this scenario, the authors of the CamuBot have found a way to bypass the biometric authentication by fetching and installing the driver for the specific device used in the authentication process.

Figure 2 - CamuBot fetches and installs a driver for a connected the device used in authentication process

The hackers ask the victim to enable sharing the device remotely. In this way, the attackers can intercept one-time passwords generated for the authentication process.

“The tunnel allows attackers to direct their own traffic through the infected machine and use the victim’s IP address when accessing the compromised bank account,” say experts.

“With the one-time code in hand, the criminals can attempt a fraudulent transaction, tunneling it through their IP address to make the session seem legitimate on the bank’s side.”

At the time of the analysis, the CamuBot malware only targeted bank customers in Brazil, but we cannot exclude the possibility that the threat actors will start using it to target banks worldwide. Of course, this will require a significant effort to manage the phone calls with victims in other countries.



CamuBot: New Financial Malware Targets Brazilian Banking Customers, SecurityIntelligence

Pierluigi Paganini
Pierluigi Paganini

Pierluigi is member of the ENISA (European Union Agency for Network and Information Security) Threat Landscape Stakeholder Group, member of Cyber G7 Workgroup of the Italian Ministry of Foreign Affairs and International Cooperation, Professor and Director of the Master in Cyber Security at the Link Campus University. He is also a Security Evangelist, Security Analyst and Freelance Writer.

Editor-in-Chief at "Cyber Defense Magazine", Pierluigi is a cyber security expert with over 20 years experience in the field, he is Certified Ethical Hacker at EC Council in London. The passion for writing and a strong belief that security is founded on sharing and awareness led Pierluigi to find the security blog "Security Affairs" recently named a Top National Security Resource for US.

Pierluigi is a member of the "The Hacker News" team and he is a writer for some major publications in the field such as Cyber War Zone, ICTTF, Infosec Island, Infosec Institute, The Hacker News Magazine and for many other Security magazines.