‘CamuBot’ Disguises as Security Software in Order to Raid Bank Accounts


Ted McKendall

 A new piece of malware has stepped up Banking Trojan tactics for infiltrating customer accounts.

Our usual understanding of banking malware – such as Trojans – is that they aim to go undetected for as long as possible in order to carry out their attacks. Trickbot, Emotet and Backswap are just some of examples of banking malware that operate this way, in order to steal users’ online credentials and sensitive information.

However, a newly discovered malware dubbed ‘CamuBot’ has stepped up the Trojan game. Rather than employing stealth techniques in order to avoid detection, CamuBot hides in plain sight, camouflaging (hence its name) as a legitimate end-user security module provided by a bank. In a report by IBM X-Force, researchers said Camubot was first spotted in August 2018, with attacks mostly taking place against business banking customers of Brazilian banks.


Malware Plus Social Engineering Equals a Problem

Deployment of the the CamuBot malware is relatively low tech, and relies on old fashioned customer trust. Attackers identify a customer account connected to the bank (in most cases, a business account, presumably expected to have higher monetary value) and call that customer, with the attacker posing as a bank employee who directs the unsuspecting target to a URL where s/he can verify that his/her ‘security module’ is up to date.

Of course, this ‘check’ then shows that the module (which uses the bank’s logo and color scheme that disguise it as legitimate security software), needs to be updated. You can probably see where this is going – the victim is then told to install a ‘new’ module that is, in actuality, an installation wizard for the CamuBot Trojan.

Next, a fake Windows application (once again featuring the target bank’s logo), presents itself. From here, CamuBot gets to work – writing dynamic files to the Windows folder to establish an SSH-based SOCKS proxy module, and adding itself to the Windows Firewall as a trusted app. The targets are then directed to a phishing website and instructed to log in with their bank credentials, and the account information is sent to the criminals.

Perhaps most worryingly, having rewritten the antivirus rules and established itself on the device as trusted software, this cunning malware can now fetch and install drivers to bypass authentication measures, such as biometrics or one-time-passwords.


How Can Banks Protect Against New Trojan Threats?

The discovery of CamuBot is significant for two reasons. First, it provides yet another example of how Banking Trojans are continuing to increase in both volume and number of variants. As we have previously discussed, malware creators are finding increasingly innovative approaches to breach banks’ defenses and compromise customer credentials.

Second, this is a malware strain that, by simply disguising itself as security software, highlights the flaws with traditional endpoint protection. Historically, banks have put the onus of security on customers, asking them to download antivirus or other specialized software to protect their devices. One issue with this approach is that the antivirus technology banks ask customers to rely on are actually ill-equipped to handle advanced malware threats and zero day attacks. The bigger issue is that adoption rates are notoriously low. Either out of ignorance of the threat, suspicion of downloading an unknown software, or just apathy, customers neglect to install the software even though the banks are paying for it.

The irony of the Camubot malware is that those who neglect to follow the ‘bank’ security advice are actually inadvertently protecting themselves. This is evidence of a third flaw with relying on endpoint security – the ease of which cyber criminals could impersonate it and actually dupe the conscientious people into becoming victims.

Trusted Knight, on the other hand, provides enterprises with a solution that removes the flaws of traditional endpoint solutions and prevents fraud seamlessly without putting the responsibility for security on its customers. Our patented Protector Air product is the only unified solution that protects online transactions starting with unmanaged customer endpoints through to the web application. This cloud-based, agentless approach means that all customers are protected, without them having to do anything. Moving endpoint protection to this next agentless stage means that malware such as CamuBot will be defeated systematically without any human intervention.

Click one of the links below to find out more.


Request a Free Trial Download Whitepaper Now