"Casbaneiro Banking Malware Goes Under the Radar with UAC Bypass Technique"
The financially motivated threat actors behind the Casbaneiro banking malware family have been observed applying a User Account Control (UAC) bypass technique to gain full administrative privileges on a compromised machine. This indicates that the threat actor is refining its tactics to evade detection and run malicious code on compromised assets. Sygnia noted that although the threat actors continue to focus on Latin American financial institutions, the changes in their techniques pose a significant threat to financial institutions across multiple regions. Casbaneiro, also known as Metamorfo and Ponteiro, is best known for its banking trojan, which first appeared in 2018 in mass email spam campaigns targeting the Latin American financial sector. Infection chains typically begin with a phishing email pointing to a booby-trapped attachment that, when opened, triggers a series of steps culminating in the deployment of the banking malware, along with scripts that use living-off-the-land (LotL) techniques to fingerprint the host and collect system metadata. Horabot, a binary designed to spread the infection to other unsuspecting employees of the compromised organization, is also downloaded during this phase. This article continues to discuss what has changed in recent Casbaneiro attack waves.
THN reports "Casbaneiro Banking Malware Goes Under the Radar with UAC Bypass Technique"