David Morán Jul 26, 2021 2 min read

Bizarro: Infected Through Malicious Macros

Bizarro is a banking trojan whose main targets are Latin American banking entities, although in the last year it has begun to take an interest in European entities, mainly Spanish and Italian.

The system is infected through spam emails that include attached files that are Microsoft Word files with malicious macros or script files for Windows. Both types of files fulfill a dropper function, which consists of downloading the malicious ZIP with the DLL and the legitimate executable file to be exploited, to finally decompress and run the malware.

After execution, this banking trojan waits for the victim to access their bank's website, at which point it initiates communication with the control server. In this way the attacker, or in an automated way the control server, would be in charge of giving the necessary instructions to the trojan to steal the user's data and, if necessary, show any of the windows with forms.

Along with the theft of bank credentials, this banker also includes a functionality to monitor the system's clipboard and detect if a Bitcoin address has been copied. If this is the case, it will replace said address with the attacker's address, thus managing to potentially send a transfer of Bitcoins to the attacker, without the victim even realizing it.

Although no new major developments have been introduced in the years that this family of malware has been operating, we have been able to observe a progressive increase in the number of affected entities where, in the last year, European entities have been added to the list in addition to the usual Latin American ones.

Download the full report here.


David Morán

David has more than 15 years’ experience in cybersecurity, systems and development, starting out in an extinct hacking team known as Badchecksum. He collaborated on Defcon 19 with the Painsec security team. He is versed in scalable environments thanks to his work at the Tuenti social network with a traffic load of over 12Gbps. He has been involved with buguroo almost since the outset and has taken part in all the tools developed by the company, including source code analysers, malware analysis, cyber intelligence, etc. He also has in-depth knowledge of the Linux kernel, having developed LKMs that acted as rootkits as well as malware for Windows environments. He is currently the head of Revelock’s development team, managing task distribution and negotiating with the Head of Technology.