Bizarro is yet another banking Trojan family originating from Brazil that is now found in other regions of the world. We have seen users being targeted in Spain, Portugal, France and Italy. Attempts have now been made to steal credentials from customers of 70 banks from different European and South American countries. Following in the footsteps of Tetrade, Bizarro is using affiliates or recruiting money mules to operationalize their attacks, cashing out or simply to helping with transfers. In this article we analyse the technical features of the Trojan’s components, giving a detailed overview of obfuscation techniques, the infection process and subsequent functions, as well as the social engineering tactics used by the cybercriminals to convince their victims to give away their personal online banking details.
Bizarro has x64 modules and is able to trick users into entering two-factor authentication codes in fake pop-ups. It may also use social engineering to convince victims to download a smartphone app. The group behind Bizzaro uses servers hosted on Azure and Amazon (AWS) and compromised WordPress servers to store the malware and collect telemetry.
Bizarro is distributed via MSI packages downloaded by victims from links in spam emails. Once launched, Bizarro downloads a ZIP archive from a compromised website. While writing this article, we saw hacked WordPress, Amazon and Azure servers used for storing archives. The MSI installer has two embedded links – which one is chosen depends on the victim’s processor architecture.
Typical malicious message sent by Bizarro operators
The downloaded ZIP archive contains the following files:
- A malicious DLL written in Delphi;
- A legitimate executable that is an AutoHotkey script runner (in some samples AutoIt is used instead of AutoHotkey);
- A small script that calls an exported function from the malicious DLL.
The DLL exports a function that contains the malicious code. The malware developers have used obfuscation to complicate code analysis. The code of the exported functions have been removed by the protector. The bytes that belong to the exported functions are restored by the DLL entry point function at runtime. This entry point function is heavily obfuscated. The tricks used to complicate analysis consist of constant unfolding and junk code insertion. As for the malware developers, they are constantly improving the protection of the binaries. In earlier versions of Bizarro, only the entry point function was protected, while in more recent samples the protector is also used to obscure calls of the imported API functions.
When Bizarro starts, it first kills all the browser processes to terminate any existing sessions with online banking websites. When a user restarts the browsers, they will be forced to re-enter the bank account credentials, which will be captured by the malware. Another step Bizarro takes in order to get as many credentials as possible is to disable autocomplete in a browser.
Bizarro gathers the following information about the system on which it is running:
- Computer name;
- Operating system version;
- Default browser name;
- Installed antivirus software name.
Bizarro uses the ‘Mozilla/4.0 (compatible;MSIE 6.0; Windows NT 5.0′ user agent while sending the POST request. This user agent has typos: there should be a space symbol after the compatible; substring and the closing bracket is missing. Our research shows that this mistake has not been fixed in the latest versions. After that, Bizarro creates an empty file in the %userprofile% directory, thus marking the system as infected. The name of the file is the name of the script runner (AutoIt or AutoHotKey) with the .jkl extension appended to it.
Having sent the data to the telemetry server, Bizarro initializes the screen capturing module. It loads the magnification.dll library and gets the address of the deprecated MagSetImageScalingCallback API function. With its help, the Trojan can capture the screen of a user and also constantly monitor the system clipboard, looking for a Bitcoin wallet address. If it finds one, it is replaced with a wallet belonging to the malware developers.
The backdoor is the core component of Bizarro: it contains more than 100 commands and allows the attackers to steal online banking account credentials. Most of the commands are used to display fake pop-up messages to users. The core component of the backdoor doesn’t start until Bizarro detects a connection to one of the hardcoded online banking systems. The malware does this by enumerating all the windows, collecting their names. Whitespace characters, letters with accents (such as ñ or á) and non-letter symbols such as dashes are removed from the window name strings. If a window name matches one of the hardcoded strings, the backdoor continues starting up.
The first thing the backdoor does is remove the DNS cache by executing the ipconfig /flushdns command. This is done in order to prevent connecting to a blocked IP. After that, the malware resolves the domain name to an IP address, creates a socket and binds it to the resolved address. If the connection was successful, it creates the %userprofile%bizarro.txt file.
The Backdoor and its C2
The commands that Bizarro receives from its C2 can be divided into the following categories:
Commands that allow the C2 operators to get data about the victim and manage the connection status
The command sends the environment information to the C2: Bizarro’s version, OS name, computer name, Bizarro’s unique identifier, installed antivirus software and the codename used for the bank that has been accessed. The codenames are bank names written in leetspeak.
Commands that allow attackers to control the files located on the victim’s hard drive
The command downloads files to the victim’s computer, while the command allows attackers to fetch files from the client machine. The and commands allow the attackers to search for folders and files which have a given mask.
Commands that allow attackers to control the user’s mouse and keyboard
The command performs a left mouse button click at the designated location. The command performs a double click at the given location, while the command performs a right mouse button click. The command moves the mouse to a designated location. The syntax of these three commands is x coordinatey coordinate