“They are still heavily focused on Latin American financial institutions, but changes in their technologies represent a significant risk to multi-regional financial organizations as well,” Signia said.
Casabaneiro, also known as Metamorpho and Ponteiro, is known for its banking Trojan, which first emerged in 2018 in large email spam campaigns targeting the Latin American financial sector.
The infection chain typically begins with a phishing email pointing to a booby-trapped attachment that, when launched, activates a series of steps that result in the deployment of banking malware, as well as scripts that take advantage of living-of-the-land (LOTL) techniques to fingerprint the host and collect system metadata.
This phase also downloaded a binary called Horabot, which is designed to spread the infection internally to other vulnerable employees of the breached organization.
In a previous report published in April 2022, the cyber security company said, “This adds credibility to the email sent, as there are no obvious anomalies in the email headers (suspicious external domains) that would normally trigger email security solutions to take action and mitigate.”
What has changed in recent attack waves is that the attack is initiated by an embedded spear-phishing email with a link to an HTML file, which redirects the target to download a RAR file, a deviation from the use of malicious PDF attachments with a download link to a ZIP file.
The second major change in methodology is related to the use of fodhelper.exe to achieve UAC bypass and higher integrity level performance.
Signia said they also observed the Casabanero attackers creating a fake folder at C:\Windows[space]\system32 to copy the fodhelper.exe executable, although the specifically crafted path was never said to be employed in the intrusion.
“It is possible that an attacker may have deployed the spoofed folder to bypass AV detection or take advantage of that folder to side-load DLLs with Microsoft-signed binaries to bypass UAC,” the company said.
The development is the third time the fake trusted folder approach has been detected in recent months, including a malware loader called DBatLoader as well as a method used in campaigns providing remote access trojans such as the Warzone RAT (aka Ave Maria).
