Malware Camouflages Itself To Get Business Banking Credentials

September 7, 2018


Social engineering is a broad term. It covers everything from an attacker posing as a printer repair technician to talk his way into the office, to highly targeted reconnaissance such as cyberstalking. The latter produces very effective spear-phishing, and it appears to be how a recently discovered piece of malware is delivered. The malware, called CamuBot, camouflages itself as legitimate bank security software and targets companies and public sector organizations (the campaign reported so far is in Brazil). It is delivered one victim at a time, and researchers at IBM believe the attackers gather information on each specific target beforehand, some of it from sources as ordinary as a phone book.

The CamuBot operators phone the victim posing as a bank employee and direct them to a URL to "verify" their security products. The victims are then told they need to apply updates, asked to close every program that is running, and walked through downloading and installing an "update." If everything goes according to the attacker's plan, the installer runs under the Windows administrator account, and a malware installer with administrator privileges is never a good thing.

Another tricky part is that the attackers use the organization's real logos, and the name of the file downloaded during this process is different every time. A file name that never repeats gives security tools and human reviewers nothing familiar to match on. Using the telephone also makes the whole thing feel more authentic; it is a more personal connection than an email. Once the malware is installed, the victims are asked to log into a convincing fake site that they believe is their business banking account. At that point the attacker lifts the credentials, and that is all the criminals need, because CamuBot can get around two-factor authentication.
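The paragraph above explains why a per-victim file name defeats name-based blocking. The following is an added illustration written for this page (it is not code from the article or from IBM's research, and the file names, payload bytes, and content signature in it are constructed stand-ins, not real CamuBot indicators). It compares three detection tiers over the same set of downloads: blocking a file name seen in one incident, blocking the full-file hash of that one sample, and matching a content signature on bytes the installer has to carry in order to work.

```python
"""Name-based vs. hash-based vs. content-signature detection.

Added example, not from the original article or IBM's research.
All file names, payload bytes and the signature are constructed.
"""
import hashlib
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class Download:
    filename: str
    content: bytes


# Constructed stand-in for the installer's core bytes (a real sample is a PE).
CORE = b"MZ\x90\x00FAKE-INSTALLER-CORE\x00svc.banksecurity\x00"

# Each victim gets the same core under a different file name. Two copies also
# carry a different trailing blob, so even the full-file hash is not identical.
SAMPLES = [
    Download("Seguranca_Update_7731.exe", CORE + b"\x01" * 16),
    Download("ModuloProtecao_v2.exe", CORE + b"\x02" * 16),
    Download("bank_secure_tool.exe", CORE),
    Download("notepad_setup.exe", b"MZ\x90\x00legit-editor-installer\x00"),
]


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


# Tier 1: a file name observed in one incident.
NAME_BLOCKLIST = {"bank_secure_tool.exe"}

# Tier 2: the SHA-256 of the one sample that was recovered.
HASH_BLOCKLIST = {sha256_hex(CORE)}

# Tier 3: a byte pattern the installer needs in order to function
# (constructed marker standing in for a YARA-style content rule).
CONTENT_SIGNATURE = re.compile(rb"svc\.banksecurity\x00")


def flag_by_name(samples: list[Download]) -> list[str]:
    """Names caught by the file-name blocklist."""
    return [d.filename for d in samples if d.filename in NAME_BLOCKLIST]


def flag_by_hash(samples: list[Download]) -> list[str]:
    """Names caught by the exact full-file hash blocklist."""
    return [d.filename for d in samples if sha256_hex(d.content) in HASH_BLOCKLIST]


def flag_by_signature(samples: list[Download]) -> list[str]:
    """Names caught by matching the content signature inside the file."""
    return [d.filename for d in samples if CONTENT_SIGNATURE.search(d.content)]


def coverage(samples: list[Download]) -> dict[str, int]:
    """How many of the downloads each tier catches."""
    return {
        "name": len(flag_by_name(samples)),
        "hash": len(flag_by_hash(samples)),
        "signature": len(flag_by_signature(samples)),
    }


if __name__ == "__main__":
    for tier, fn in (("name", flag_by_name), ("hash", flag_by_hash),
                     ("signature", flag_by_signature)):
        print(f"{tier:>9}: {fn(SAMPLES)}")
```

With these constructed inputs the name rule catches one of the three malicious downloads, the hash rule also catches only one (the two repacked copies hash differently), and the content signature catches all three while leaving the benign installer alone. The practical point is to key detections on what the malware must contain or do, not on what the attacker chose to call the file that day.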

There is still more to this process: the victim is also tricked into granting remote access to the person they believe is a bank employee.

To avoid this, think about what you post on social media and business networking websites such as LinkedIn. Phone books may be a rarity in the U.S., but people put plenty of information online that an attacker could use in a campaign like this one: exact job titles, the banks and security products the company uses, who handles payments. Keep such details generic so that someone planning a phishing call has less to work with against you or your organization.

Also, keep anti-virus software updated at all times. Malware does sometimes bypass it, but it still blocks most of what is out there. Make sure the product itself is legitimate, and if anyone asks you to update or install anything on a work device, verify the request separately with your manager or IT department before doing anything. That goes double when the request arrives by an incoming phone call. To reach technical support or your bank, use phone numbers and email addresses you already know to be trusted, not ones supplied by the caller. Phishing email messages often list a phone number where you can get "help," but that number just routes you straight to the attackers.

CamuBot is very sophisticated. Fortunately, it hasn't been seen in the U.S. yet. In how it operates it resembles some familiar names, however: TrickBot, Dridex, and QakBot. You can bet that it, or something built on the same playbook, will show up on U.S. shores at some point, and likely sooner rather than later.

Stickley on Security
Published September 6, 2018