Cryptolaemus cybersecurity experts: The malware distribution process is the same as the one used to distribute BazarLoader.
Kaspersky: Bizarro targets customers of 70 banks in Europe and South America. The malware attacks Germany, Spain, Portugal, France, Italy, Chile, Argentina and Brazil
Bizarro is targeting customers of 70 banks in Europe and South America. It has been discovered by Kaspersky cybersecurity experts. The malware, a banking trojan originating from Brazil, in the first case attacked targets in Germany, Spain, Portugal, France and Italy, and in the second case targets in Chile, Argentina and Brazil. It has x64 modules and is able to trick users into entering two-factor authentication codes in fake pop-ups. It may also use social engineering to convince victims to download a smartphone app. The group behind Bizarro uses servers hosted on Azure and Amazon (AWS) and compromised WordPress servers to store the malware and collect telemetry. Furthermore, it is using affiliates or recruiting money mules to operationalize their attacks, cashing out or simply helping with transfers.
The cybersecurity experts: How the banking trojan infection chain works
According to the cybersecurity experts, Bizarro is distributed via MSI packages downloaded by victims from links in spam emails. Once launched, the malware downloads a ZIP archive from a compromised website. At the time of writing, Kaspersky saw hacked WordPress, Amazon and Azure servers being used to store the archives. The MSI installer has two embedded links; which one is chosen depends on the victim's processor architecture. The downloaded ZIP archive contains a malicious DLL written in Delphi, a legitimate executable that is an AutoHotkey script runner (in some samples AutoIt is used instead of AutoHotkey), and a small script that calls an exported function from the malicious DLL. The DLL exports a function that contains the malicious code.
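As an added example (not Kaspersky's code and not from the article), here is a small detector that runs over constructed process-creation events and flags the chain described above: a legitimate AutoHotkey or AutoIt runner executing a script from a user-writable path while descending from an MSI installer (msiexec.exe). The event fields, paths and file names are assumptions chosen for illustration.

```python
# Added example: flag AutoHotkey/AutoIt script runners launched from a
# user-writable directory under an msiexec.exe ancestor, the shape of the
# Bizarro infection chain described in the article. Not Kaspersky's code.

SCRIPT_RUNNERS = {"autohotkey.exe", "autohotkeyu64.exe", "autoit3.exe"}
USER_WRITABLE = ("\\appdata\\", "\\temp\\", "\\downloads\\", "\\public\\")


def _basename(path):
    """Basename of a Windows path, portable across host OSes."""
    return path.replace("\\", "/").rsplit("/", 1)[-1].lower()


def find_suspicious_runners(events, max_depth=4):
    """Return pids of script-runner processes whose command line references a
    user-writable path and that have msiexec.exe within max_depth ancestors."""
    by_pid = {e["pid"]: e for e in events}
    hits = []
    for ev in events:
        if _basename(ev["image"]) not in SCRIPT_RUNNERS:
            continue
        if not any(d in ev["cmdline"].lower() for d in USER_WRITABLE):
            continue
        ppid, depth = ev["ppid"], 0
        while ppid in by_pid and depth < max_depth:
            parent = by_pid[ppid]
            if _basename(parent["image"]) == "msiexec.exe":
                hits.append(ev["pid"])
                break
            ppid, depth = parent["ppid"], depth + 1
    return hits


# Constructed sample events (assumed fields: pid, ppid, image, cmdline).
SAMPLE_EVENTS = [
    {"pid": 400, "ppid": 1, "image": r"C:\Windows\explorer.exe", "cmdline": "explorer.exe"},
    {"pid": 412, "ppid": 400, "image": r"C:\Windows\System32\msiexec.exe",
     "cmdline": r"msiexec.exe /i C:\Users\u\Downloads\invoice.msi"},
    # Runner dropped from the ZIP into Temp and started by the installer: flagged.
    {"pid": 520, "ppid": 412, "image": r"C:\Users\u\AppData\Local\Temp\pkg\AutoHotkey.exe",
     "cmdline": r'"C:\Users\u\AppData\Local\Temp\pkg\AutoHotkey.exe" C:\Users\u\AppData\Local\Temp\pkg\run.ahk'},
    # Legitimate runner started by the user from a normal install path: not flagged.
    {"pid": 600, "ppid": 400, "image": r"C:\Program Files\AutoHotkey\AutoHotkey.exe",
     "cmdline": r'"C:\Program Files\AutoHotkey\AutoHotkey.exe" C:\Users\u\Documents\macros.ahk'},
]

if __name__ == "__main__":
    print(find_suspicious_runners(SAMPLE_EVENTS))  # → [520]
```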