Description of Campaign
Bizarro is a banking Trojan targeting customers of multiple banks located mainly in South America and Europe. The threat actor behind the backdoor uses AWS and compromised WordPress sites to host the malware and store data stolen from the infected systems. Phishing emails with malicious links are used as the initial infection vector. Data collected and exfiltrated includes system information, default browser name, and what security software is installed. The malicious software contains over 100 commands and attempts to convince victims to install a malicious app on their smartphones.
The McAfee Enterprise ATR Team gathers and analyzes information from multiple open and closed sources before disseminating intelligence reports.
This campaign was researched by Kaspersky and shared publicly .
{APOLLOHOW.EN_US}
This Knowledge Base article discusses a specific threat that is being tracked. The list of IOCs will change over time; check MVISION Insights for the latest IOCs.
Campaign IOC
| Type |
Value |
| SHA256 |
8C30D08EF7A407FC32E721DD8D8F49260FAF0451B41D7BE5D61DD89361FB5D03 |
| SHA256 |
F57FC4857A76FE66CB8EB0BBC9E88D9E70F9DE2135D4802C7C18F89BD92060A9 |
| SHA256 |
261B9E4B576B1D2A1C4CE44A4B48CD776981E392615C8EE5556C066B82AECA21 |
| SHA256 |
5BEFBE89A10D72164CC746A7DC30B8CFE0BD5C8182B0677E009CC654FDE10165 |
| SHA256 |
684E6BDCED0521344B38A3DBD0EE159A0691CA47A766A3F0EA8CA5578ED0816D |
| SHA256 |
E13FE434EB19987EE1239CAAE2ECA96DF2CD2D78DEC0F8D414E04B856BCF2B2E |
| SHA256 |
E3483974D1EEB589C9757F438DEB9EBFF59F8817679609CA846450188F394DD1 |
| SHA256 |
9E533C9F14375CA958FADC504B80DD89569A33B70275362BB1B6B6F9F27D03B8 |
| SHA256 |
202EE8B14AC2DFF31910820FED613252D813AEA22B015179975988308C0F1C85 |
| SHA256 |
07E1ED9C60EF84688CB35923166762CFF3325E058DFF59A65549EFCD22297436 |
Minimum Content Versions:
| Content Type |
Version |
| V2 DAT (VirusScan Enterprise) |
9689 |
| V3 DAT (Endpoint Security) |
4141 |
Detection Summary
| IOC |
Scanner |
Detection |
| 8C30D08EF7A407FC32E721DD8D8F49260FAF0451B41D7BE5D61DD89361FB5D03 |
AVEngine V2 |
GenericRXLF-ZU!0403D605E641 |
| AVEngine V3 |
GenericRXLF-ZU!0403D605E641 |
| JTI (ATP Rules) |
JTI/Suspect.196612!0403d605e641 |
| RP Static |
- |
| RP Dynamic |
- |
| IOC |
Scanner |
Detection |
| F57FC4857A76FE66CB8EB0BBC9E88D9E70F9DE2135D4802C7C18F89BD92060A9 |
AVEngine V2 |
GenericRXLF-ZU!BA5619955EA6 |
| AVEngine V3 |
GenericRXLF-ZU!BA5619955EA6 |
| JTI (ATP Rules) |
- |
| RP Static |
- |
| RP Dynamic |
- |
| IOC |
Scanner |
Detection |
| 261B9E4B576B1D2A1C4CE44A4B48CD776981E392615C8EE5556C066B82AECA21 |
AVEngine V2 |
GenericRXLF-ZU!BA5619955EA6 |
| AVEngine V3 |
GenericRXLF-ZU!BA5619955EA6 |
| JTI (ATP Rules) |
- |
| RP Static |
- |
| RP Dynamic |
- |
| IOC |
Scanner |
Detection |
| 5BEFBE89A10D72164CC746A7DC30B8CFE0BD5C8182B0677E009CC654FDE10165 |
AVEngine V2 |
GenericRXLF-ZU!73472698FE41 |
| AVEngine V3 |
GenericRXLF-ZU!73472698FE41 |
| JTI (ATP Rules) |
JTI/Suspect.196612!73472698fe41 |
| RP Static |
- |
| RP Dynamic |
- |
| IOC |
Scanner |
Detection |
| 684E6BDCED0521344B38A3DBD0EE159A0691CA47A766A3F0EA8CA5578ED0816D |
AVEngine V2 |
GenericRXLF-ZU!7A1CE2F8F714 |
| AVEngine V3 |
GenericRXLF-ZU!7A1CE2F8F714 |
| JTI (ATP Rules) |
JTI/Suspect.196612!7a1ce2f8f714 |
| RP Static |
- |
| RP Dynamic |
- |
| IOC |
Scanner |
Detection |
| E13FE434EB19987EE1239CAAE2ECA96DF2CD2D78DEC0F8D414E04B856BCF2B2E |
AVEngine V2 |
GenericRXLF-ZU!BA5619955EA6 |
| AVEngine V3 |
GenericRXLF-ZU!BA5619955EA6 |
| JTI (ATP Rules) |
- |
| RP Static |
- |
| RP Dynamic |
- |
| IOC |
Scanner |
Detection |
| E3483974D1EEB589C9757F438DEB9EBFF59F8817679609CA846450188F394DD1 |
AVEngine V2 |
GenericRXLF-ZU!1E2C277985FD |
| AVEngine V3 |
GenericRXLF-ZU!1E2C277985FD |
| JTI (ATP Rules) |
- |
| RP Static |
- |
| RP Dynamic |
- |
| IOC |
Scanner |
Detection |
| 9E533C9F14375CA958FADC504B80DD89569A33B70275362BB1B6B6F9F27D03B8 |
AVEngine V2 |
GenericRXLF-ZU!F6E6082D095D |
| AVEngine V3 |
GenericRXLF-ZU!F6E6082D095D |
| JTI (ATP Rules) |
- |
| RP Static |
- |
| RP Dynamic |
- |
| IOC |
Scanner |
Detection |
| 202EE8B14AC2DFF31910820FED613252D813AEA22B015179975988308C0F1C85 |
AVEngine V2 |
GenericRXLF-ZU!CC9CF6609F16 |
| AVEngine V3 |
GenericRXLF-ZU!CC9CF6609F16 |
| JTI (ATP Rules) |
- |
| RP Static |
- |
| RP Dynamic |
- |
| IOC |
Scanner |
Detection |
| 07E1ED9C60EF84688CB35923166762CFF3325E058DFF59A65549EFCD22297436 |
AVEngine V2 |
GenericRXLF-ZU!E6C337D504B2 |
| AVEngine V3 |
GenericRXLF-ZU!E6C337D504B2 |
| JTI (ATP Rules) |
JTI/Suspect.196612!e6c337d504b2 |
| RP Static |
- |
| RP Dynamic |
- |
Minimum set of Manual Rules to improve protection to block this campaign
{INSIGHTSWARNING.EN_US}
Endpoint Security - Advanced Threat Protection:
Rule ID: 4 Use GTI file reputation to identify trusted or malicious files
Aggressive set of Manual Rules to improve protection to block this campaign
{INSIGHTSWARNING.EN_US}
Host Intrusion Prevention:
Rule ID: 1148 CMD Tool Access by a Network Aware Application
Rule ID: 6011 Generic Application Invocation Protection
Rule ID: 1020 Windows Agent Shielding - File Access
Rule ID: 6010 Generic Application Hooking Protection
