Trojan

Casbaneiro banking Trojan used YouTube to steal cryptocurrency

Eset studied the new Casbaneiro family of banking Trojans. A malicious program hunted for cryptocurrency from Brazilian and Mexican users and used YouTube to hide traces in the video descriptions.

During the study, Eset experts found that Casbaneiro has functionality similar to another family of banking Trojans – Amavaldo. Malicious programs use the same cryptographic algorithm and distribute a similar malicious email utility.

Like Amavaldo, the Casbaneiro Trojan uses pop-ups and forms to trick victims. Such methods of social engineering are aimed at primary emotions – a person is urgently, without hesitation forced to make a decision. The reason may be a software update, credit card verification, or a request from a bank.

“One method observed is having the C2 address embedded in an online document (Google Docs). The file is filled with useless text but also contains the name of the domain in encrypted form. The start and the end of the string are marked by an exclamation point and it is encoded in hexadecimal”, — report ESET researchers.

After infection, Casbaneiro restricts access to various banking sites, as well as monitors keystrokes and takes screenshots. In addition, the Trojan monitors the clipboard – if the malware sees the personal data of a cryptocurrency wallet, it replaces the recipient’s address with the scammer’s wallet.

The Casbaneiro family uses many sophisticated algorithms to mask code, decrypt downloaded components, and configuration data. The main way Casbaniero is distributed is through malicious phishing emails, like Amavaldo.

Read also: Trojan Varenyky spies on porn sites users

A feature of the Trojan was that Casbaneiro operators carefully tried to hide the domain and port of the C&C server. He was hidden in a variety of places – in fake DNS records, in Google Docs online documents, and even on fake websites of various institutions. It is interesting that sometimes attackers managed to hide the traces of the managing server on official sites, as well as in video descriptions on YouTube.

Connecting to YouTube is no cause for concern because it is normal traffic. Even taking a look at the video gives no clue and the link at the end of the description is easily missed, the researchers say.

Although the malware is not sophiticated, its capabilities are extensive enough to generate multiple revenue streams for its operators or to enable them to switch to different money-driven attacks.

Polina Lisovskaya

I works as a marketing manager for years now and loves searching for interesting topics for you

Recent Posts

Remove News-bpudepi.today Pop-up Ads

About News-bpudepi.today News-bpudepi.today pop-ups can not launch out of the blue. If you have actually…

1 day ago

Remove Doguhtam.xyz Pop-up Ads

About Doguhtam.xyz Doguhtam.xyz pop-ups can not expose out of nowhere. If you have clicked some…

1 day ago

Remove News-xlixoti.com Pop-up Ads

About News-xlixoti.com News-xlixoti.com pop-ups can not introduce out of nowhere. If you have actually clicked…

1 day ago

Remove Ducesousightion.com Pop-up Ads

About Ducesousightion.com Ducesousightion.com pop-ups can not introduce out of the blue. If you have actually…

1 day ago

Remove News-xlabica.live Pop-up Ads

About News-xlabica.live News-xlabica.live pop-ups can not launch out of the blue. If you have actually…

1 day ago

Remove Mergechain.co.in Pop-up Ads

About Mergechain.co.in Mergechain.co.in pop-ups can not expose out of the blue. If you have clicked…

1 day ago