Antivirus software provider ESET recently discovered a widespread banking trojan. The trojan is very sophisticated and goes after not only fiat currency but crypto as well.

It has been nicknamed “Metamorfo” and/or “Casbaneiro”. As its nickname suggests, the banking trojan’s victims are mostly located in Latin America.

The banking trojan is focused mainly on Latin America

According to the available information, Brazil and Mexico are the trojan’s most likely targets. It primarily focuses on crypto and banking services.

ESET’s report goes a little further into Casbaneiro’s design. It highlights that the banking trojan is not unique, as it uses a well-known method based on fake pop-up windows.

The pop-ups don’t beat around the bush and attempt to lure victims into sharing sensitive information. If they succeed, the information is instantly stolen.

Casbaneiro follows the steps typical of Latin American banking trojans: it takes screenshots and sends them back to its C&C server. It also simulates mouse and keyboard actions to capture passwords and is able to download and install updates to itself. Like most other trojans, Casbaneiro also attempts to restrict access to various websites, and it downloads and runs many executables.

The information collected by Casbaneiro is also standard for most trojans:

  • All the system’s installed antivirus and anti-malware products
  • The OS version
  • The username
  • The computer’s name
  • Whether specific applications are installed, which get special attention: Trusteer and Diebold Warsaw GAS Tecnologia (this app is used to protect online bank access)

 

There have so far been 4 different variants of this banking trojan. Even the experts at ESET find them quite difficult to tell apart, because some of the variants use the same decryption key and share the same mechanisms.

Casbaneiro is also after crypto wallets: it can monitor the content of the clipboard and replace the victim’s crypto wallet address with an address that belongs to the attacker.
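To illustrate the clipboard replacement described above from the defender’s side, here is an added example (not from ESET’s report or this article) that flags a valid wallet address being replaced by a different valid address faster than a person could re-copy. It assumes Bitcoin Base58Check addresses and a timestamped log of clipboard changes; the function names, the 2-second window and the sample events are constructed for illustration.

```python
import hashlib

B58 = "123456789ABCDEFGHJKLMNPQRSTUVWXYZabcdefghijkmnopqrstuvwxyz"

def _checksum(data):
    # Base58Check checksum: first 4 bytes of double SHA-256
    return hashlib.sha256(hashlib.sha256(data).digest()).digest()[:4]

def make_address(hash160, version=0):
    """Build a Base58Check address; used only to construct sample input."""
    raw = bytes([version]) + hash160
    raw += _checksum(raw)
    n, out = int.from_bytes(raw, "big"), ""
    while n:
        n, r = divmod(n, 58)
        out = B58[r] + out
    # each leading zero byte is written as a leading "1"
    return "1" * (len(raw) - len(raw.lstrip(b"\0"))) + out

def is_address(text):
    """True if text decodes to 25 bytes whose Base58Check checksum is valid."""
    text = text.strip()
    if not 26 <= len(text) <= 35 or any(c not in B58 for c in text):
        return False
    n = 0
    for c in text:
        n = n * 58 + B58.index(c)
    if n >= 1 << 200:            # would not fit in 25 bytes
        return False
    raw = n.to_bytes(25, "big")
    return _checksum(raw[:21]) == raw[21:]

def find_swaps(events, window=2.0):
    """Return (time, old, new) for each consecutive pair of clipboard updates
    where one valid address becomes a different one within `window` seconds."""
    alerts = []
    for (t0, old), (t1, new) in zip(events, events[1:]):
        if old != new and t1 - t0 <= window and is_address(old) and is_address(new):
            alerts.append((t1, old, new))
    return alerts

# Constructed sample data: addresses built from made-up 20-byte hashes.
COPIED = make_address(bytes(range(1, 21)))
SUBSTITUTE = make_address(bytes(range(101, 121)))
EVENTS = [                       # (seconds, clipboard text), constructed
    (0.0, "invoice 4471"),
    (12.4, COPIED),
    (12.5, SUBSTITUTE),          # replaced 0.1 s after the copy: flagged
    (90.0, COPIED),              # copied again much later: not flagged
]
print(find_swaps(EVENTS))
```

Validating the checksum keeps the check from firing on arbitrary strings that merely look like addresses; the time window is a tunable heuristic, not a property of the malware.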
