Malware Report

Bizarro: Infected through Malicious Macros

Bizarro is a banking trojan whose main targets are Latin American banking entities, although in the last year it has begun to take an interest in European entities, mainly Spanish and Italian.

The system is infected through spam emails that include attached files that are Microsoft Word files with malicious macros or script files for Windows. Both types of files fulfill a dropper function, which consists of downloading the malicious ZIP with the DLL and the legitimate executable file to be exploited, to finally decompress and run the malware.

After execution, this banking trojan waits for the victim to access their bank's website, at which point it initiates communication with the control server. In this way the attacker, or in an automated way the control server, would be in charge of giving the necessary instructions to the trojan to steal the user's data and, if necessary, show any of the windows with forms.

Along with the theft of bank credentials, this banker also includes a functionality to monitor the system's clipboard and detect if a Bitcoin address has been copied. If this is the case, it will replace said address with the attacker's address, thus managing to potentially send a transfer of Bitcoins to the attacker, without the victim even realizing it.

Although no new major developments have been introduced in the years that this family of malware has been operating, we have been able to observe a progressive increase in the number of affected entities where, in the last year, European entities have been added to the list in addition to the usual Latin American ones.