Casbaneiro hackers get the better of Latin American banks

Carding

Windows User Account Control can no longer hold back the onslaught of cunning criminals.

Cybersecurity researchers recently found that the cybercriminals behind the Casbaneiro malware family, which is used heavily against the banking sector in Latin America, have been observed using a User Account Control (UAC) bypass to obtain full administrative privileges on Windows systems.

"Criminals remain focused on Latin American financial institutions, but changes in their methods pose a significant risk to financial institutions in other countries," Sygnia said in a report today.

Casbaneiro, also known as Metamorfo and Ponteiro, is primarily a banking Trojan that first appeared in massive email spam campaigns targeting the Latin American financial sector in 2018.

In recent waves of attacks, infection begins with a phishing email containing a link to an HTML file, which redirects the victim to download a malicious RAR archive. Previously, the same group used PDF attachments that silently downloaded ZIP archives.

The second major change is the use of fodhelper.exe, a legitimate, Microsoft-signed Windows binary (the Features on Demand helper) that auto-elevates without a UAC prompt, to bypass UAC and silently obtain administrator privileges.

According to Sygnia, in the latest wave of attacks the attackers also created a mock trusted directory, "C:\Windows \system32", on the system drive (note the extra space after "Windows") and copied the fodhelper.exe executable into it.

"It is possible that the attackers deployed a mock directory to evade antivirus detection, or to use it for DLL sideloading in conjunction with a Microsoft digitally signed library to bypass UAC," Sygnia researchers explained.
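Both behaviours described above leave telemetry a defender can match on: fodhelper.exe, when launched, opens the ms-settings: protocol and honours a per-user handler under HKCU\Software\Classes\ms-settings\shell\open\command (with an empty DelegateExecute value), so the bypass has to write that key first; and a directory whose name ends in a space cannot be created by normal Win32 tooling, so any path component with trailing whitespace is suspicious on its own. The following is an added example written for this page, not code from the article or from Sygnia's report: three detection rules run over constructed Sysmon-style events. The field names (EventID, Image, ParentImage, TargetObject, Details, TargetFilename) and the sample events are assumptions made for illustration, not real telemetry.

```python
"""Detection rules for the fodhelper.exe UAC bypass and the mock trusted directory.

Added example. Assumptions (not from the article): events are dicts using
Sysmon-like field names; the sample events below are constructed, not real logs.
"""
import re
from typing import Dict, Iterable, List, Tuple

# Registry path that fodhelper.exe consults before auto-elevating (hive prefix ignored,
# matched case-insensitively). Any write here by a user process is a bypass in progress.
MS_SETTINGS_HANDLER = re.compile(
    r"\\Software\\Classes\\ms-settings\\shell\\open\\command(?:\\|$)", re.IGNORECASE
)

# Whitespace immediately before a path separator: "C:\Windows \System32" is the
# mock trusted directory; normal Win32 file APIs strip trailing spaces, so this
# only appears when a path was created deliberately (e.g. via the \\?\ prefix).
TRAILING_SPACE_COMPONENT = re.compile(r"\s\\")

# The only location the genuine binary lives in on a default install (assumption: system drive C:).
GENUINE_FODHELPER = r"c:\windows\system32\fodhelper.exe"


def has_trailing_space_component(path: str) -> bool:
    """True if any directory component of the path ends in whitespace."""
    return bool(TRAILING_SPACE_COMPONENT.search(path))


def analyse(events: Iterable[Dict[str, object]]) -> List[Tuple[int, str]]:
    """Return (event_index, rule_name) for every event that trips a rule."""
    findings: List[Tuple[int, str]] = []
    for i, ev in enumerate(events):
        eid = ev.get("EventID")
        image = str(ev.get("Image", ""))

        # Rule 1: registry write (Sysmon event 13) to the ms-settings handler.
        if eid == 13 and MS_SETTINGS_HANDLER.search(str(ev.get("TargetObject", ""))):
            findings.append((i, "uac_bypass_ms_settings_handler"))

        # Rule 2: a process named fodhelper.exe started (event 1) from anywhere
        # other than its genuine System32 location.
        if (
            eid == 1
            and image.lower().endswith("\\fodhelper.exe")
            and image.strip().lower() != GENUINE_FODHELPER
        ):
            findings.append((i, "fodhelper_outside_system32"))

        # Rule 3: any path-bearing field that contains a trailing-space component.
        for field in ("Image", "ParentImage", "TargetFilename", "Details"):
            if has_trailing_space_component(str(ev.get(field, ""))):
                findings.append((i, "mock_trusted_directory"))
                break
    return findings


# Constructed sample events modelling the chain described in the article.
SAMPLE_EVENTS: List[Dict[str, object]] = [
    # 0: benign - the real fodhelper.exe launched by Explorer.
    {"EventID": 1, "Image": r"C:\Windows\System32\fodhelper.exe",
     "ParentImage": r"C:\Windows\explorer.exe"},
    # 1-2: the loader registers itself as the ms-settings handler in the user's hive.
    {"EventID": 13, "Image": r"C:\Users\victim\AppData\Roaming\loader.exe",
     "TargetObject": r"HKU\S-1-5-21-1000\Software\Classes\ms-settings\shell\open\command\(Default)",
     "Details": r"C:\Users\victim\AppData\Roaming\loader.exe"},
    {"EventID": 13, "Image": r"C:\Users\victim\AppData\Roaming\loader.exe",
     "TargetObject": r"HKU\S-1-5-21-1000\Software\Classes\ms-settings\shell\open\command\DelegateExecute",
     "Details": ""},
    # 3: fodhelper.exe copied into the mock directory (note the space after "Windows").
    {"EventID": 11, "Image": r"C:\Users\victim\AppData\Roaming\loader.exe",
     "TargetFilename": r"C:\Windows \System32\fodhelper.exe"},
    # 4: the copy is launched from there by the loader.
    {"EventID": 1, "Image": r"C:\Windows \System32\fodhelper.exe",
     "ParentImage": r"C:\Users\victim\AppData\Roaming\loader.exe"},
]


if __name__ == "__main__":
    for index, rule in analyse(SAMPLE_EVENTS):
        print(f"event {index}: {rule}")
```

Rule 1 fires on the registry write regardless of which auto-elevating binary is later used, so it also covers other ms-settings-based bypasses; rule 2 catches the relocated copy even when the directory name looks legitimate at a glance; rule 3 is the cheapest signal and is worth running over file-creation and process-creation paths alike.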

This is the third publicly documented case in recent months of the mock trusted directory technique being used in real attacks. Previously, attackers used it to distribute the DBatLoader loader and remote access trojans such as Warzone RAT.