
Rewterz Threat Alert – Bank Customers Targeted By Vizom

Severity

High

Analysis Summary

A new malware package, dubbed “Vizom”, has been discovered in use against banking customers in Brazil. Its attack vector is DLL hijacking: the payload delivers two legitimate applications, a video conferencing software package and an Internet browser named Vivaldi, and uses them to side-load the malicious DLLs. The malware is typically delivered via spam emails that trick the user into downloading Vizom. Once installed, it copies its malicious DLLs into the directories from which the legitimate applications would load their DLLs. Vizom then uses familiar remote overlay attack tactics to take over the user's device in real time as the intended victim logs in, and initiates fraudulent transactions from the victim's bank account. Because videoconferencing software has replaced in-person meetings with both friends and colleagues during COVID, Vizom uses the binaries of a popular videoconferencing application to pave its way onto new devices.


Impact

  • Account Takeover
  • Financial Theft
  • Unauthorized Code Execution

Indicators of Compromise

MD5

  • 808ed13b13d31e116244e1db46082015
  • a555654f89aaf0d90a36c17e16014300

SHA-256

  • f2c5fce0d32b050204c503f9a6adfe92f43b6aba0d2cc983a9a1c918b228b490
  • 2afcedaf4913fd25f2133036916f3fc51957c9ea21104f4ce5ddfcdc69d2ccb2

SHA-1

  • f74abc5a2e2fb9f9389c1c6305c8efef87b088e5
  • 41897b8a7baa8a718145297ed14019e057739906

Source IP

  • 18[.]234[.]42[.]30

URL

  • hxxps[:]//galinhaborabora[.]s3[.]amazonaws[.]com/felicidadeviver[.]zip

Remediation

  • Block the threat indicators at their respective controls.
  • Do not download files attached in untrusted emails.
  • Keep all systems and software updated to the latest patched versions against known vulnerabilities.
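The following is an added example, not part of the Rewterz alert, showing how a defender can operationalise the indicators above and the first remediation item: the defanged network indicators are refanged so they can be loaded into a proxy or firewall blocklist, and the published MD5/SHA-1/SHA-256 values are used to sweep application directories for planted DLLs or executables (Vizom side-loads its DLLs from beside legitimate binaries). The hash and network values are taken verbatim from the advisory; the directory layout, the file name `example.dll` and the sample file contents are constructed for the demonstration and match no indicator.

```python
from __future__ import annotations

import hashlib
import re
import tempfile
from pathlib import Path

# Indicators exactly as published in the advisory above.
# Hashes are stored lowercase; network indicators stay defanged until refang() is applied.
IOC_HASHES: dict[str, set[str]] = {
    "md5": {
        "808ed13b13d31e116244e1db46082015",
        "a555654f89aaf0d90a36c17e16014300",
    },
    "sha1": {
        "f74abc5a2e2fb9f9389c1c6305c8efef87b088e5",
        "41897b8a7baa8a718145297ed14019e057739906",
    },
    "sha256": {
        "f2c5fce0d32b050204c503f9a6adfe92f43b6aba0d2cc983a9a1c918b228b490",
        "2afcedaf4913fd25f2133036916f3fc51957c9ea21104f4ce5ddfcdc69d2ccb2",
    },
}
DEFANGED_NETWORK_IOCS = [
    "18[.]234[.]42[.]30",
    "hxxps[:]//galinhaborabora[.]s3[.]amazonaws[.]com/felicidadeviver[.]zip",
]


def refang(ioc: str) -> str:
    """Undo the usual defanging ([.] -> ., [:] -> :, hxxp -> http) so the value
    can be pushed to a proxy or firewall blocklist."""
    out = ioc.replace("[.]", ".").replace("[:]", ":")
    return re.sub(r"^hxxp(s?)://", r"http\1://", out, flags=re.IGNORECASE)


def digests(data: bytes) -> dict[str, str]:
    """Compute the three digests the advisory publishes for a file's bytes."""
    return {alg: hashlib.new(alg, data).hexdigest() for alg in IOC_HASHES}


def match_iocs(data: bytes) -> list[str]:
    """Return the names of every hash list in which this content appears (empty = no hit)."""
    return [alg for alg, d in digests(data).items() if d in IOC_HASHES[alg]]


def sweep(root: Path, suffixes: tuple[str, ...] = (".dll", ".exe")) -> dict[str, list[str]]:
    """Hash every DLL/EXE under `root` and report the files whose digest matches an IoC.
    Vizom plants its DLLs next to legitimate binaries, so application directories
    are the natural sweep targets."""
    hits: dict[str, list[str]] = {}
    for path in root.rglob("*"):
        if path.is_file() and path.suffix.lower() in suffixes:
            matched = match_iocs(path.read_bytes())
            if matched:
                hits[str(path)] = matched
    return hits


def demo_sweep() -> dict[str, list[str]]:
    """Run sweep() over a constructed directory holding one benign placeholder DLL.
    The directory name, file name and bytes are made up for this example, so no hit is expected."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "Vivaldi").mkdir()
        (root / "Vivaldi" / "example.dll").write_bytes(b"constructed benign sample, not malware")
        return sweep(root)


if __name__ == "__main__":
    for ioc in DEFANGED_NETWORK_IOCS:
        print("blocklist entry:", refang(ioc))
    print("sweep hits:", demo_sweep())
```

In practice, point `sweep()` at the install directories of the videoconferencing application and the Vivaldi browser on the endpoint, and treat any returned path as a confirmed indicator match rather than a heuristic; a clean sweep does not rule out a newer build of the malware with different hashes, so the remaining remediation items still apply.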