ESET discovers Casbaneiro banking trojan stealing cryptocurrency in Latin America and abusing YouTube for its C&C

Next story

BRATISLAVA - ESET, a global leader in cybersecurity, continues to unravel the TTPs – tactics, techniques, and procedures - of the Latin American banking trojans, and in the process discovered the Casbaneiro family. As part of the research project that identified the Amavaldo malware family, the ESET research team also found Casbaneiro to share related functionality – both malware families use the same cryptographic algorithm and have been distributing a similar-looking email tool.

The Casbaneiro family also makes use of social engineering to fool victims, mimicking Amavaldo’s use of fake pop-up windows and forms. These attacks are usually centered on persuading the victim to take purportedly urgent or necessary action, such as install a software update, or verify a credit card or bank account information.

Once it has infiltrated a victim’s device, Casbaneiro utilizes backdoor commands to take screenshots, restrict access to various banking websites, and log keystrokes. Additionally, Casbaneiro is used to steal cryptocurrency via a technique that monitors clipboard content for cryptocurrency wallet data. If such data are found, the malware replaces the data with the attacker’s own cryptocurrency wallet.

The Casbaneiro malware family can be characterized by its use of multiple cryptographic algorithms, used to obscure strings within its executables and for decrypting downloaded payloads and configuration data. Casbaniero's initial vector is a malicious email, which is the same method used by Amavaldo.

One of the most interesting aspects of Casbaneiro is the operators’ efforts to hide the C&C server domain and port. The C&C server has been hidden in a variety of places, including in fake DNS entries, embedded in online documents stored on Google Docs, or embedded in fake websites that mimic legitimate institutions. In some cases, the C&C server domains have been encrypted and hidden in legitimate websites, most notably in the descriptions of several videos stored on YouTube.

Casbaneiro has primarily targeted Brazilian and Mexican banking applications.

To find out more about Casbaneiro read, “Casbaneiro: Dangerous cooking with a secret ingredient” on WeLiveSecurity.

About ESET

For 30 years, ESET® has been developing industry-leading IT security software and services for businesses and consumers worldwide. With solutions ranging from endpoint and mobile security to encryption and two-factor authentication, ESET’s high-performing, easy-to-use products give consumers and businesses the peace of mind to enjoy the full potential of their technology. ESET unobtrusively protects and monitors 24/7, updating defenses in real time to keep users safe and businesses running without interruption. Evolving threats require an evolving IT security company. Backed by R&D centers worldwide, ESET has become the first IT security company to earn 100 Virus Bulletin VB100 awards, identifying every single “in-the-wild” malware without interruption since 2003. For more information, visit or follow us on LinkedInFacebook and Twitter.