David García Oct 28, 2019 10 min read

Analyzing a Biometric Banking Malware: Camubot

We know that today there is malware related to all kinds of malicious activities. This includes banking malware, which is designed to steal banking credentials. This type of malware can be found on almost all platforms and operating systems, whether desktop or mobile.

In recent years, different security measures and protections have been developed in the fight against banking malware that try to hinder both the theft of credentials and their subsequent use.

One of the most common security measures is the one-time password (usually received by SMS) used to authorize transactions and to access the bank account over the internet. However, this is not the only security measure available to the user to protect their account and, at present, many security measures are moving towards the use of the user's biometric data for authentication and transaction authorization. Biometric authentication is expected to gain popularity in the future and become one of the main security measures, as technology advances to provide the user with the means necessary to use it.

From the technological standpoint a great advance has been made and, today, most mobile devices include a fingerprint reader, which allows banking applications to perform authentication in their systems with this biometric information.

It is clear that the use of biometric information is the future in terms of protection measures for user authentication, but is your biometric data safe? Can malware get around biometric authentication?

Banking malware designed to avoid biometric authentication

Although biometric authentication is still a young measure and needs some more time to fully establish itself in the banking sector and be available for use by a larger number of entities, the reality is that malicious software specially designed to evade authentication based on biometric user identification has already been detected.

Publicly, the only known malware designed to evade this type of authentication was discovered in September 2018 and is known as 'CamuBot'. This banking Trojan affected financial institutions in Brazil, and according to the IBM researchers who detected it, it was used to carry out an attack aimed at company and public sector workers.

To achieve infection, the attacker posed as a bank employee and provided the victim with a link that, supposedly, served to download software for verifying the status of the security modules.

This software was actually the 'CamuBot' Trojan, which when executed opened a false window with the logo of the Brazilian banking entity and informed the user that a security module should be installed.

This “module” is really the malware, which, when completely installed, consists of two components:

  • An executable with the malicious code and a non-malicious DLL that provides the functionality to connect to the control server over SSH. These two elements are stored in the system's temporary directory (%TEMP%) with the names 'protecao.exe' and 'Renci.SshNet.dll'.
  • The ‘USB over Network’ software. This software is legitimate and is used to share USB devices over a network, so that a computer can work with the USB device as if it were connected to the USB port.

Once the installation is completed, the malicious installer opens a web page using the infected computer’s browser. This website tries to get the user to connect the biometric authentication devices while the Trojan is running in the background.

If the user connects the biometric authentication device via USB, the Trojan reports this to the control server, which responds with the commands needed to use the device and authenticate the user from the attacker's control server, giving the attacker access to the victim's bank account.


Main function of the Trojan

As we can see in the above image, the malware's main function is responsible for downloading and installing the legitimate software to share USB devices over the network.

Main function of the Trojan

Once the 'USB over Network' installer has been downloaded, it is executed to begin the installation. After installation, the next thing this malicious software will do is call the 'cmdUSB' function, which executes the 'USB over Network' binary by passing the desired commands as a parameter.

The 'tcpport 3940' command tells 'USB over Network' that it must use TCP port 3940 to share USB devices over the network. Meanwhile, the 'list' command obtains the list of devices connected to the system. After each command is executed, its result is sent to the control server, so the 'list' command causes the list of connected devices to be sent to the control server.

Command execution

Sending of the command execution result

After listing the devices connected to the computer and sending that list to the control server, the next step, as we can see in the Trojan's main function, is to obtain the device chosen by the control server for network sharing and share it using the 'share' command.

The server should hold a list of devices compatible with biometric authentication; if any of them is connected to the computer, the server responds with that authentication device, which then becomes the shared device.

Once the device is ready for network sharing, the last step is performed. This consists of creating an SSH tunnel with the control server so that the attacker can use the shared USB device through it.

Creation of the SSH tunnel with the control server

From this moment on, the attacker has access to the USB devices shared through the network, and can thus perform the biometric authentication on their system and gain access to the victim's bank account.
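The activity chain described above (dropper and SSH library in %TEMP%, 'USB over Network' driven with 'tcpport 3940', 'list' and 'share', then an outbound tunnel from the dropper process) is specific enough to be written as a detection rule. The following is an added example, not code from the article or from the malware: it runs simple correlation logic over constructed Sysmon-style events. The event field names, the 'usbsrv.exe' binary name, the 'usb-2' device argument, the 203.0.113.10 address and the destination port 22 are all assumptions for the sample; the file names, commands and TCP port 3940 come from the article.

```python
import re

# %TEMP% on a Windows user profile; the malware drops its components there.
TEMP_RE = re.compile(r"\\AppData\\Local\\Temp\\", re.IGNORECASE)
CAMUBOT_FILES = {"protecao.exe", "renci.sshnet.dll"}   # names reported in the article
# Commands the Trojan passes to the legitimate 'USB over Network' binary.
USB_SHARE_CMDS = re.compile(r"\b(tcpport\s+3940|list|share)\b", re.IGNORECASE)

def basename(path):
    return path.rsplit("\\", 1)[-1].lower()

def detect(events):
    """Return (rule, evidence) pairs for the CamuBot-style chain found in events."""
    findings = []
    temp_procs = set()   # processes started from %TEMP%, used for parent correlation
    for ev in events:
        img = ev.get("image", "")
        if ev["type"] == "process" and TEMP_RE.search(img):
            temp_procs.add(basename(img))
            if basename(img) in CAMUBOT_FILES:
                findings.append(("camubot_dropper_in_temp", img))
        if ev["type"] == "image_load" and TEMP_RE.search(ev["module"]) \
                and basename(ev["module"]) in CAMUBOT_FILES:
            findings.append(("sshnet_dll_from_temp", ev["module"]))
        # Legitimate admin use of 'USB over Network' is not flagged: the rule
        # requires the sharing tool to be launched by a process from %TEMP%.
        if ev["type"] == "process" and "usb over network" in img.lower():
            if USB_SHARE_CMDS.search(ev.get("cmdline", "")) \
                    and basename(ev.get("parent", "")) in temp_procs:
                findings.append(("usb_redirection_driven_from_temp", ev["cmdline"]))
        if ev["type"] == "network" and basename(img) in temp_procs:
            findings.append(("outbound_tunnel_from_temp_process",
                             f"{img} -> {ev['dst']}:{ev['dport']}"))
    return findings

# Constructed sample telemetry (not real captured data).
TMP = r"C:\Users\bob\AppData\Local\Temp"
USBTOOL = r"C:\Program Files\USB over Network\usbsrv.exe"   # placeholder binary name
EVENTS = [
    {"type": "process", "image": TMP + r"\protecao.exe", "cmdline": "protecao.exe",
     "parent": r"C:\Windows\explorer.exe"},
    {"type": "image_load", "image": TMP + r"\protecao.exe", "module": TMP + r"\Renci.SshNet.dll"},
    {"type": "process", "image": USBTOOL, "cmdline": "usbsrv.exe tcpport 3940", "parent": TMP + r"\protecao.exe"},
    {"type": "process", "image": USBTOOL, "cmdline": "usbsrv.exe list", "parent": TMP + r"\protecao.exe"},
    {"type": "process", "image": USBTOOL, "cmdline": "usbsrv.exe share usb-2", "parent": TMP + r"\protecao.exe"},
    {"type": "network", "image": TMP + r"\protecao.exe", "dst": "203.0.113.10", "dport": 22},
    # Benign: an administrator listing devices by hand; must produce no finding.
    {"type": "process", "image": USBTOOL, "cmdline": "usbsrv.exe list", "parent": r"C:\Windows\explorer.exe"},
]

if __name__ == "__main__":
    for rule, evidence in detect(EVENTS):
        print(rule, "|", evidence)
```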


Malware specially designed to get around biometric authentication exists, as we have seen. Although there is only public information about one banking Trojan of this type, there may be others that have not yet been detected.

Biometric authentication is being introduced, or has already been introduced, for access and operation in most current digital services, not only in the banking sector. It is increasingly difficult to find new smartphone models that do not have some kind of biometric functionality. The most popular options are fingerprint authentication and Apple's Face ID.

If forecasts are eventually confirmed, malware will begin to adapt to overcome this type of authentication and achieve its objectives. Therefore, we must be prepared to detect and protect the user from these new attacks.


David García

In his more than 9-year professional career, he has been involved in multiple projects, the most important being in the fields of managed security, anti-fraud and ethical hacking services, and malware analysis. He has contributed his know-how and security-related improvements to a wide variety of fraud and vulnerability analysis products. He currently oversees the smooth running of our different products and researches current fraud developments in order to showcase buguroo overseas as well as providing the development department with feedback on the latest malware and cybercriminal trends.