The malware discussed in this blog saw input from X-Force researchers Andre Piva and Ofir Ozer. It was initially described in a blog post by X-Force’s Maor Wiesen and Limor Kessem.

The IBM Trusteer cybercrime research labs specialize in the detection and counteraction of the crimeware and attacks operated by organized cybercrime gangs. In one of our recent analyses, we encountered a new campaign of malware that we previously discovered and named “CamuBot.”

The first time CamuBot emerged was in August 2018 in Brazil. During that time, its operators targeted business accounts of some of the major banks in Brazil. The adversary behind the malware used a combination of malware and social engineering tactics to bypass the victimized organizations’ strong authentication challenges. These tactics are familiar from other parts of the globe where Trojans are used in high-stakes bank fraud that relies on complex social engineering to defraud victims. After that initial campaign in 2018, CamuBot went into a dormant period of inactivity for an entire year.

Recent CamuBot activity resurfaced exactly one year after we made the initial discovery of this malware. What strikes us as interesting about the attacks are their Brazil-centric tactics, a very targeted attack strategy, and the fact that the attackers’ TTPs cross different channels to eventually take over business accounts.

Unlike most malware we encounter in the Brazilian financial threat arena, CamuBot differs by using a unique code base. It also stands out in its operators’ brazen way of interacting with potential victims, and instead of concealing the malware, it poses as a security application that banks supposedly require they install. Further setting it apart from other, more generic codes used by cybercriminals in Brazil, CamuBot tactics are in line with TTPs used by organized cybercrime groups that operate Trojans, such as TrickBot, IcedID and Ursnif, each of which focuses on business banking and blends social engineering with malware-assisted account and device takeover.

A Resurgence of More Targeted Attacks

In 2019, our team detected the resurgence of CamuBot, once again in campaigns of targeted attacks in Brazil. The first new campaign stretched from mid-August to mid-September 2019. A second campaign started at the beginning of October and stretched to November 2019. As we move into 2020, we continue to see a lower level of continued CamuBot activity as of the time of this writing.

Some observations from the campaigns are that the adversary operating CamuBot handpicks potential victims and remains as targeted as possible, likely to keep the attack’s TTPs on low profile and their team from attracting the attention of local law enforcement.

Victims are most often small business account holders who bank with the larger banks in Brazil. The attack kill chain features the following top-level TTPs:

  • The adversary extensively gathers intelligence on the potential target. They look up open-source information and make several phone calls to people in the organization to map out the hierarchy and get familiar with the more collaborative parties. The attacker “grooms” the potential contact to build trust over a few conversations and asks them to perform various actions in their account.
  • The actual attack begins when someone from the attacker’s side phones the victim and instructs them over the phone to browse to an infection page that hosts the CamuBot Trojan.

When they get to this stage, victims are instructed to enter their login credentials into the fake page in order to download a supposed security application.

Figure 1: CamuBot version download depends on the victim’s Windows architecture (32-bit or 64-bit) (Source: IBM X-Force)

Figure 2: Fake screens leading victims to download CamuBot under the guise of a security application (Source: IBM X-Force)

After the victim downloads and runs CamuBot on their device, the attacker gains remote-access capabilities to their computer.

In the 2018 campaigns, the CamuBot infection would be eventually followed by a fraudulent transaction. In some cases, the transaction involved keeping the victim engaged to lure them to provide strong authentication codes to authorize a transaction. In other cases, the codes were accessed over the network via a driver that enabled the attacker to access a token code generator attached to the infected employee’s computer.

The 2019 and 2020 campaigns have seen some cases where the flow of events was modified and included access via the bank’s mobile banking app.

Cross-Channel Fraud via Mobile Banking

We covered the technical aspects of CamuBot’s installation in our original post about this malware. What stood out to us in more recent activity, however, is the fact that the attackers do not always take over the account by connecting to the victim’s infected desktop device as they did before. Rather, we have been seeing that business accounts are being accessed through the bank’s mobile application.

CamuBot is still being used for some monitoring of the victim’s account on their desktop, instructing them to authorize access to a mobile device.

Figure 3: CamuBot’s social engineering screens convince victims to submit their mobile number (Source: IBM X-Force)

After an online account has been “coupled” with the victim’s mobile phone, attaching the two authorizes additional functionality from the mobile app, and this trust can be abused by the attackers to perform fraudulent transactions in the account from a mobile device.

Figure 4: CamuBot’s operators’ typical fraud kill chain (Source: IBM X-Force)

In some cases, the fraudsters successfully coupled compromised accounts with phone numbers they control, which would also mean that they could potentially receive second-factor token codes sent from the bank, if any are sent. In other cases, the criminals used the victim’s own phone number and likely performed a SIM swap to defraud the account later down the line.

Of note, the banking apps the criminals used were specifically for iOS devices or a matching mobile emulator.

Actor ATO Infrastructure setup

Figure 5: CamuBot’s operators’ infrastructure setup in attacks analyzed by our team (Source: IBM X-Force)

Go Mobile for Recurring Fraud

Why would an attacker with access to a compromised device change their tactics and defraud the account via the mobile banking channel?

The most likely scenario here is that the attacker is hoping to preserve their access and be able to monitor the account over time until they can plan for a large fraudulent transfer. By having the account coupled with a phone number they have access to, two-factor authentication (2FA) or verification calls from the bank will end up reaching the criminal and possibly enable them to complete the fraudulent operation.

Cross-Channel Attacks on the Rise in Latin America

CamuBot’s cross-channel attack is an interesting case because of the recon and build-up elements of its targeted attacks, as well as the potential for long-term access to compromised accounts. These tactics are not common to most other malware and fraudster factions in Brazil, who more traditionally use remote overlay Trojans to facilitate device takeover and consumer account fraud.

Is CamuBot a canary of sorts? The overall concept of cross-channel fraud is a rising trend in the Latin American region, in which banks and their customers are increasingly reporting fraud attacks that end up with account takeover through mobile banking applications.

The anatomy of these attacks is more complex, includes more elements and combines a variety of skill sets, from the use of technical tools like phishing kits, desktop malware and mobile emulators, to the softer skills of social engineering. X-Force research expects to see this trend strengthen in 2020, with more targeted attacks in the region and likely additional CamuBot campaigns in the months to come.

Indicators of Compromise (IoCs)

Some of the IoCs we worked with when writing this blog can be used to detect CamuBot:


  • E0EB6840DA0A24F8F67102417BFDF408 (suporte.exe)

Phishing domain used by the CamuBot fraudsters to host their malware downloads:

  • suporteoperador[.]com

Examples of URLs that were used in the attacks/fraudster’s control panels:

  • hxxps://empresas[.]suporteoperador[.]com/
  • hxxps://office[.]suporteoperador[.]com/empresas/

More from Banking & Finance

Cost of a data breach 2023: Financial industry impacts

3 min read - According to the IBM Cost of a Data Breach Report 2023, the global average cost of a data breach in 2023 was $4.45 million, 15% more than in 2020. In response, 51% of organizations plan to increase cybersecurity spending this year. For the financial industry, however, global statistics don’t tell the whole story. Finance firms lose approximately $5.9 million per data breach, 28% higher than the global average. In addition, evolving regulatory concerns play a role in how financial companies…

Gozi strikes again, targeting banks, cryptocurrency and more

3 min read - In the world of cybercrime, malware plays a prominent role. One such malware, Gozi, emerged in 2006 as Gozi CRM, also known as CRM or Papras. Initially offered as a crime-as-a-service (CaaS) platform called 76Service, Gozi quickly gained notoriety for its advanced capabilities. Over time, Gozi underwent a significant transformation and became associated with other malware strains, such as Ursnif (Snifula) and Vawtrak/Neverquest. Now, in a recent campaign, Gozi has set its sights on banks, financial services and cryptocurrency platforms,…

The rise of malicious Chrome extensions targeting Latin America

9 min read - This post was made possible through the research contributions provided by Amir Gendler and Michael  Gal. In its latest research, IBM Security Lab has observed a noticeable increase in campaigns related to malicious Chrome extensions, targeting  Latin America with a focus on financial institutions, booking sites, and instant messaging. This trend is particularly concerning considering Chrome is one of the most widely used web browsers globally, with a market share of over 80% using the Chromium engine. As such, malicious…

BlotchyQuasar: X-Force Hive0129 targeting financial institutions in LATAM with a custom banking trojan

16 min read - In late April through May 2023, IBM Security X-Force found several phishing emails leading to packed executable files delivering malware we have named BlotchyQuasar, likely developed by a group X-Force tracks as Hive0129. BlotchyQuasar is hardcoded to collect credentials from multiple Latin American-based banking applications and websites used within public and private environments. Similar operations conducted in late 2022 have also been noted delivering an earlier variant of this modified QuasarRAT by likely Spanish-speaking actors. BlotchyQuasar, which X-Force describes as…