This is how the Bizarro Trojan works: it targets the data of Spanish bank customers and arrives through Microsoft Installer packages

A new banking Trojan has been discovered that has been named Bizarro. According to Kaspersky, it belongs to a family of Trojans originating in Brazil that has already attacked banking entities in several countries around the world, such as Spain, Portugal, France and Italy. It is known to have tried to steal the credentials of customers of 70 banks in different European and South American countries.

It uses social engineering techniques to convince its victims to hand over their personal and banking details online. Bizarro is distributed through MSI (Microsoft Installer) packages that the victim downloads from links in spam emails. Once launched, Bizarro downloads a ZIP file from a compromised website.

Kaspersky spokespeople say that in their investigation they have seen this malware operate from hacked WordPress, Amazon and Azure servers, which were used to store the files.

No Spanish bank has commented on this issue, so there is no concrete information yet on which banks have been affected, on the scope of the attack, or on whether the attackers succeeded or failed.

How this malware works

In the following image there is an example of the message that the malware showed to the customers of banking entities in Spain, according to information from the security company. A customer enters their bank's page and finds that it is blocked (this is already Bizarro's doing). The page alerts the user that security updates are being installed, but that they can proceed by pressing a button.


Bizarro tells the user not to worry about transactions that occur during the "security update", as they only serve to confirm the customer's identity. This makes customers feel more comfortable approving the subsequent transactions requested by the attacker, as Kaspersky explains.

At that point, a security problem is allegedly detected. A notice appears informing the customer that the module is being updated to allow safe access to the page. It tells the user not to shut down or restart the device while their bank is supposedly performing updates, and not to press any keys or use the mouse either.

There are several ways in which it obtains information. At that point it can ask the victims to enter their two-factor authentication codes, which are then passed on to the attackers. Another notable feature that has been observed involves an attempt to convince the victim to install a malicious app on their smartphone.

For the latter, Bizarro asks the user to choose the operating system of their smartphone. If the victim chooses Android, the C2 server sends the client a link to a malicious application. The client then generates a QR code for that link with the help of the Google Charts API. The resulting QR code is displayed in a window with the following text:

© Best Of Giz India. All rights reserved.