Casbaneiro hackers go over the heads of Latin American banks
Windows User Account Control can no longer hold back the onslaught of cunning criminals.
Cybersecurity researchers recently discovered that the cybercriminals behind the Casbaneiro malware family, which is actively used to spy on the banking sector in Latin America, have been observed using a User Account Control (UAC) bypass to obtain full administrative privileges on computers running Windows.
“Criminals continue to focus on Latin American financial institutions, but changes in their methods pose a significant risk to financial institutions in other countries,” reads the report published today by Sygnia.
Casbaneiro, also known as Metamorfo and Ponteiro, is primarily a banking Trojan that first appeared in massive email spam campaigns targeting the Latin American financial sector in 2018.
In the latest waves of attacks, infection begins with a phishing email containing a link to an HTML file that redirects the victim to download a malicious RAR archive. Previously, the same group of attackers used PDF attachments that triggered a background download of ZIP archives.
The second important change is the use of "fodhelper.exe", a tool well known from pentesting, to bypass UAC and stealthily obtain administrator privileges.
According to Sygnia, in the latest wave of attacks the attackers also created a mock directory "C:\Windows \system32" on the system partition (the path contains an extra space after "Windows") and copied the fodhelper.exe executable into it.
“It is possible that the attackers deployed a mock directory in order to bypass antivirus detection, or to use it for DLL sideloading in conjunction with a Microsoft digitally signed library to bypass UAC,” the Sygnia researchers explained.
This is already the third publicly known case in recent months of attackers using the mock trusted directory technique in real attacks. Previously, hackers used this technique to distribute the DBatLoader loader and various remote access trojans such as Warzone RAT.
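As an added example (not code from the Sygnia report or this article), the following Python checks constructed process-creation records for the two indicators described above: a directory component with stray whitespace (the mock trusted directory) and fodhelper.exe running from somewhere other than its normal System32/SysWOW64 location. The event fields and sample paths are assumptions.

```python
import ntpath

# Constructed sample process-creation events (hypothetical, not from the report).
SAMPLE_EVENTS = [
    {"image": r"C:\Windows\System32\fodhelper.exe",
     "parent": r"C:\Windows\explorer.exe"},
    {"image": r"C:\Windows \System32\fodhelper.exe",          # mock directory
     "parent": r"C:\Users\alice\AppData\Roaming\update.exe"},
    {"image": r"C:\Users\alice\Downloads\fodhelper.exe",       # copied elsewhere
     "parent": r"C:\Windows\System32\cmd.exe"},
    {"image": r"C:\Program Files\Tool\tool.exe",
     "parent": r"C:\Windows\explorer.exe"},
]

# Auto-elevating binaries to watch; the article names fodhelper.exe.
AUTO_ELEVATE_BINARIES = {"fodhelper.exe"}
EXPECTED_DIRS = {r"c:\windows\system32", r"c:\windows\syswow64"}


def has_mock_trusted_dir(path):
    """True if any directory component carries leading/trailing whitespace,
    e.g. 'C:\\Windows \\System32' as described in the article."""
    parts = path.replace("/", "\\").split("\\")
    return any(p.strip() and p != p.strip() for p in parts[:-1])


def check_event(event):
    """Return the list of indicator names that fire for one event."""
    findings = []
    image = event["image"]
    if has_mock_trusted_dir(image):
        findings.append("mock-trusted-directory")
    if ntpath.basename(image).lower() in AUTO_ELEVATE_BINARIES:
        # Compare the raw directory (no whitespace stripping) so a mock
        # directory is also reported as an unexpected location.
        if ntpath.dirname(image).lower() not in EXPECTED_DIRS:
            findings.append("auto-elevate-binary-outside-system32")
    return findings


def scan_events(events):
    """Return (image, findings) for every event that triggered an indicator."""
    return [(e["image"], f) for e in events if (f := check_event(e))]


if __name__ == "__main__":
    for image, findings in scan_events(SAMPLE_EVENTS):
        print(f"{image}: {', '.join(findings)}")
```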
Source: www.securitylab.ru