ESET discovers Casbaneiro banking trojan stealing cryptocurrency in Latin America and abusing YouTube for its C&C

Next story

BRATISLAVA, October 03, 2019- ESET, a global leader in cybersecurity, continues to unravel the TTPs – tactics, techniques, and procedures - of the Latin American banking trojans, and in the process discovered the Casbaneiro family. As part of the research project that identified the Amavaldo malware family, the ESET research team also found Casbaneiro to share related functionality – both malware families use the same cryptographic algorithm and have been distributing a similar-looking email tool.

The Casbaneiro family also makes use of social engineering to fool victims, mimicking Amavaldo’s use of fake pop-up windows and forms. These attacks are usually centered on persuading the victim to take purportedly urgent or necessary action, such as install a software update, or verify credit card and bank account information.

Once it has infiltrated a victim’s device, Casbaneiro utilizes backdoor commands to take screenshots, restrict access to various banking websites, and log keystrokes. Additionally, Casbaneiro is used to steal cryptocurrency via a technique that monitors clipboard content for cryptocurrency wallet data. If such data is found, the malware replaces the data with the attacker’s own cryptocurrency wallet.

The Casbaneiro malware family can be characterized by its use of multiple cryptographic algorithms, used to obscure strings within its executables and for decrypting downloaded payloads and configuration data. Casbaniero's initial vector is a malicious email, which is the same method used by Amavaldo.

One of the most interesting aspects of Casbaneiro is the operators’ efforts to hide the C&C server domain and port. The C&C server has been hidden in a variety of places, including in fake DNS entries, embedded in online documents stored on Google Docs, or embedded in fake websites that mimic legitimate institutions. In some cases, the C&C server domains have been encrypted and hidden in legitimate websites, most notably in the descriptions of several videos stored on YouTube.

Casbaneiro has primarily targeted Brazilian and Mexican banking applications.

To find out more about Casbaneiro read, “Casbaneiro: Dangerous cooking with a secret ingredient” on WeLiveSecurity and follow ESET research on Twitter.

About ESET
For 30 years, ESET® has been developing industry-leading IT security software and services for businesses and consumers worldwide. With solutions ranging from endpoint and mobile security to encryption and two-factor authentication, ESET’s high-performing, easy-to-use products give consumers and businesses the peace of mind to enjoy the full potential of their technology. ESET unobtrusively protects and monitors 24/7, updating defenses in real time to keep users safe and businesses running without interruption. Evolving threats require an evolving IT security company. Backed by R&D centers worldwide, ESET became the first IT security company to earn 100 Virus Bulletin VB100 awards, identifying every single ‘in-the-wild’ malware without interruption since 2003. For more information, visit www.eset.com or follow us on LinkedInFacebook and Twitter.

MENUCLOSE
ESET Smart Security Premium box

Ultimate
protection

ESET Smart Security Premium

Advanced
protection

ESET Internet Security

Essential
protection

ESET NOD32 Antivirus

Small and Home  office protection

Easy-to-use device security with advanced privacy features

ESET Mobile Security for Android

Keep your Android device safe. Wherever you go

ESET Parental Control for Android

Protect your children online with confidence

ESET Smart TV Security box

ESET Smart TV Security

Internet of Things security starts with your TV

Renew my license

Renew, upgrade or add devices to your license

Existing
 customer?

Manage your license, update date and more

Download

Install your protection or try ESET free for 30 days

Download

Install your business protection or request a free trail

Why ESET?

Superior technology

Learn more about our unified cybersecurity platform

Industry recognition

ESET cybersecurity solutions are recognized and industry-wide.

Corporate blog

Cybersecurity news from ESET's award-winning researches.

Customer zone

Existing
customer?

Manage your license, update billing information and more

Live chat

Need help purchasing, renewing a license or have product questions?

Business sales

for business customers

For business sales call:

1-844-824-3738

MONDAY - FRIDAY, 6AM - 5PM PT