The malware discussed in this blog saw input from X-Force researchers Andre Piva and Ofir Ozer. It was initially described in a blog post by X-Force’s Maor Wiesen and Limor Kessem.
The IBM Trusteer cybercrime research labs specialize in the detection and counteraction of the crimeware and attacks operated by organized cybercrime gangs. In one of our recent analyses, we encountered a new campaign of malware that we previously discovered and named “CamuBot.”
The first time CamuBot emerged was in August 2018 in Brazil. During that time, its operators targeted business accounts of some of the major banks in Brazil. The adversary behind the malware used a combination of malware and social engineering tactics to bypass the victimized organizations’ strong authentication challenges. These tactics are familiar from other parts of the globe where Trojans are used in high-stakes bank fraud that relies on complex social engineering to defraud victims. After that initial campaign in 2018, CamuBot went into a dormant period of inactivity for an entire year.
Recent CamuBot activity resurfaced exactly one year after we made the initial discovery of this malware. What strikes us as interesting about the attacks are their Brazil-centric tactics, a very targeted attack strategy, and the fact that the attackers’ TTPs cross different channels to eventually take over business accounts.
Unlike most malware we encounter in the Brazilian financial threat arena, CamuBot differs by using a unique code base. It also stands out in its operators’ brazen way of interacting with potential victims, and instead of concealing the malware, it poses as a security application that banks supposedly require they install. Further setting it apart from other, more generic codes used by cybercriminals in Brazil, CamuBot tactics are in line with TTPs used by organized cybercrime groups that operate Trojans, such as TrickBot, IcedID and Ursnif, each of which focuses on business banking and blends social engineering with malware-assisted account and device takeover.
A Resurgence of More Targeted Attacks
In 2019, our team detected the resurgence of CamuBot, once again in campaigns of targeted attacks in Brazil. The first new campaign stretched from mid-August to mid-September 2019. A second campaign started at the beginning of October and stretched to November 2019. As we move into 2020, we continue to see a lower level of continued CamuBot activity as of the time of this writing.
Some observations from the campaigns are that the adversary operating CamuBot handpicks potential victims and remains as targeted as possible, likely to keep the attack’s TTPs on low profile and their team from attracting the attention of local law enforcement.
Victims are most often small business account holders who bank with the larger banks in Brazil. The attack kill chain features the following top-level TTPs:
- The adversary extensively gathers intelligence on the potential target. They look up open-source information and make several phone calls to people in the organization to map out the hierarchy and get familiar with the more collaborative parties. The attacker “grooms” the potential contact to build trust over a few conversations and asks them to perform various actions in their account.
- The actual attack begins when someone from the attacker’s side phones the victim and instructs them over the phone to browse to an infection page that hosts the CamuBot Trojan.
When they get to this stage, victims are instructed to enter their login credentials into the fake page in order to download a supposed security application.
Figure 1: CamuBot version download depends on the victim’s Windows architecture (32-bit or 64-bit) (Source: IBM X-Force)
Figure 2: Fake screens leading victims to download CamuBot under the guise of a security application (Source: IBM X-Force)
After the victim downloads and runs CamuBot on their device, the attacker gains remote-access capabilities to their computer.
In the 2018 campaigns, the CamuBot infection would be eventually followed by a fraudulent transaction. In some cases, the transaction involved keeping the victim engaged to lure them to provide strong authentication codes to authorize a transaction. In other cases, the codes were accessed over the network via a driver that enabled the attacker to access a token code generator attached to the infected employee’s computer.
The 2019 and 2020 campaigns have seen some cases where the flow of events was modified and included access via the bank’s mobile banking app.
Cross-Channel Fraud via Mobile Banking
We covered the technical aspects of CamuBot’s installation in our original post about this malware. What stood out to us in more recent activity, however, is the fact that the attackers do not always take over the account by connecting to the victim’s infected desktop device as they did before. Rather, we have been seeing that business accounts are being accessed through the bank’s mobile application.
CamuBot is still being used for some monitoring of the victim’s account on their desktop, instructing them to authorize access to a mobile device.
Figure 3: CamuBot’s social engineering screens convince victims to submit their mobile number (Source: IBM X-Force)
After an online account has been “coupled” with the victim’s mobile phone, attaching the two authorizes additional functionality from the mobile app, and this trust can be abused by the attackers to perform fraudulent transactions in the account from a mobile device.
Figure 4: CamuBot’s operators’ typical fraud kill chain (Source: IBM X-Force)
In some cases, the fraudsters successfully coupled compromised accounts with phone numbers they control, which would also mean that they could potentially receive second-factor token codes sent from the bank, if any are sent. In other cases, the criminals used the victim’s own phone number and likely performed a SIM swap to defraud the account later down the line.
Of note, the banking apps the criminals used were specifically for iOS devices or a matching mobile emulator.
Actor ATO Infrastructure setup
Figure 5: CamuBot’s operators’ infrastructure setup in attacks analyzed by our team (Source: IBM X-Force)
Go Mobile for Recurring Fraud
Why would an attacker with access to a compromised device change their tactics and defraud the account via the mobile banking channel?
The most likely scenario here is that the attacker is hoping to preserve their access and be able to monitor the account over time until they can plan for a large fraudulent transfer. By having the account coupled with a phone number they have access to, two-factor authentication (2FA) or verification calls from the bank will end up reaching the criminal and possibly enable them to complete the fraudulent operation.
Cross-Channel Attacks on the Rise in Latin America
CamuBot’s cross-channel attack is an interesting case because of the recon and build-up elements of its targeted attacks, as well as the potential for long-term access to compromised accounts. These tactics are not common to most other malware and fraudster factions in Brazil, who more traditionally use remote overlay Trojans to facilitate device takeover and consumer account fraud.
Is CamuBot a canary of sorts? The overall concept of cross-channel fraud is a rising trend in the Latin American region, in which banks and their customers are increasingly reporting fraud attacks that end up with account takeover through mobile banking applications.
The anatomy of these attacks is more complex, includes more elements and combines a variety of skill sets, from the use of technical tools like phishing kits, desktop malware and mobile emulators, to the softer skills of social engineering. X-Force research expects to see this trend strengthen in 2020, with more targeted attacks in the region and likely additional CamuBot campaigns in the months to come.
Indicators of Compromise (IoCs)
Some of the IoCs we worked with when writing this blog can be used to detect CamuBot:
MD5:
- E0EB6840DA0A24F8F67102417BFDF408 (suporte.exe)
Phishing domain used by the CamuBot fraudsters to host their malware downloads:
Examples of URLs that were used in the attacks/fraudster’s control panels:
- hxxps://empresas[.]suporteoperador[.]com/
- hxxps://office[.]suporteoperador[.]com/empresas/
Security Threat Researcher, IBM Security (Trusteer)
Principal Consultant, X-Force Cyber Crisis Management, IBM