A new banking Trojan named “Bizarro Trojan has been exposed recently. Originated in Brazil, this malware can produce bank account logins from Android mobile users. This Trojan has targeted banking customers of almost 70 banks located in South America mainly Brazil and Europe (i.e. Italy, France, Spain, and Portugal)

How does this Trojan Spread?

The Bizarro Trojan spreads through MSI (Microsoft Installer). The attackers use spam emails and social engineering to persuade victims to download a smartphone application. The Bizarro malware uses Azure servers, compromised servers, and Amazon to host Microsoft Installer packages that victims are tracked to download. The specialist has noticed infections in Germany, Brazil, Spain, Argentina, Portugal, Chile, Italy, and France.

What has occurred?

Based on the investigation done by Kaspersky, Bizarro Trojan is a mobile malware that aspires to whip online banking credentials. It also hijacks Bitcoin wallets from Android users.

  1. It circulates through MSI, which are assumed to be downloaded directly by victims from malicious links sent thru spam emails or are installed via a trojanized application.
  2. Once it is installed, it terminates all browser processes to end existing sessions with online banking websites. This compels the users to log in again, thereby permitting the malware to yield information.
  3. To increase the success rates, the Bizarro malware disables the autocomplete option in the web browser and also displays fake pop-ups to steal 2FA codes.
  4. It is capable of capturing the user’s screen and frequently monitors the system’s clipboard, hunting for a Bitcoin wallet address. If it identifies any, it is exchanged with a malware developer’s wallet.

Discovery and Mitigation

The most critical advice as always is to avoid clicking on links that come from an unknown source. Also, watch out for unusual behavior on your system. Particularly when it comes to banking, it’s better to act upon unusual behavior than to just assume that it is Windows that is acting up. Before transferring funds, double-check the Bitcoin addresses.

Below files are present in the downloaded zip archive 

  • A lawful executable, which is an AutoHotkey/AutoIt script runner.
  • A Delphi, written malicious DLL.
  • A tiny script, which calls an exported function from the malicious DLL.

The DLL is discovered by the Malware bytes’ machine learning unit. Learn More


Bizarro Trojan is being used in a wide range of operations that compromises affiliates and recruitment of money mules to perform a diversity of tasks. Additionally, Bizarro is now spreading rapidly in various regions. Hence, it is extremely crucial for banking customers to be cautious and use anti-malware solutions to safeguard their smartphones.

The security approach taken by WeSecureApp in Banking Sector is reliable and robust. As a trusted cybersecurity partner, our team works round the clock to achieve all your compliance needs, finds, and removes the threats at the nascence. Learn More


The post Bizarro: A Banking Trojan Stealing Information appeared first on WeSecureApp :: Simplifying Enterprise Security!.

By admin