Threat Watch

CamuBot Malware

CamuBot was first seen in August 2018, posing as a security module that targeted banks supposedly require for online business banking. The malware currently targets Brazilian banks, and business banking customers are the most likely to be attacked. It was discovered because of its sophisticated, targeted attacks against companies and public sector organizations, and it relies on social engineering. The attackers perform “basic reconnaissance” to find businesses that bank with an institution of interest. Once a target is selected, the attacker phones the victim, acting as an employee from the business, and attempts to direct the victim to an online domain to “check the status” of a security module. If the victim follows the instructions, they are told to install a new security module, which is in fact an installation wizard for the malware. A fake Windows application is then executed, after which CamuBot writes dynamic files to the Windows folder, establishes an SSH-based SOCKS proxy module, and adds itself to the Windows Firewall. The victim is then redirected to a phishing page and asked to enter their banking credentials, which the domain sends to the attackers. With the credentials in hand, the attackers can use the proxy to access the victim’s bank account from an IP address the bank already associates with that account.
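As an added defender-side example (not from the original report or the malware's authors), the following Python script checks Windows Firewall rules for the two artifacts described above: a newly added allow rule for a program dropped under the Windows folder, and a binary named like an SSH proxy. The input format, the rule names, the program paths and the baseline set are all constructed assumptions for illustration.

```python
from pathlib import PureWindowsPath

# Constructed sample modelled on `netsh advfirewall firewall show rule name=all verbose`
# text output (not a real capture); only the fields the check uses are kept.
SAMPLE_RULES = r"""
Rule Name:                            Core Networking - DNS (UDP-Out)
----------------------------------------------------------------------
Enabled:                              Yes
Program:                              C:\Windows\System32\svchost.exe
Action:                               Allow

Rule Name:                            Security Module
----------------------------------------------------------------------
Enabled:                              Yes
Program:                              C:\Windows\secmod\sshproxy.exe
Action:                               Allow
"""

# Hypothetical baseline: rule names captured from a clean host of the same build.
BASELINE = {"core networking - dns (udp-out)"}
WINDOWS_DIR = PureWindowsPath(r"C:\Windows")

def parse_rules(text):
    """Split netsh-style output into one dict per rule (field name -> value)."""
    rules, current = [], {}
    for line in text.splitlines():
        if line.startswith("Rule Name:"):
            current = {"Rule Name": line.split(":", 1)[1].strip()}
            rules.append(current)
        elif current and ":" in line and not line.startswith("-"):
            key, value = line.split(":", 1)  # split once: paths contain "C:"
            current[key.strip()] = value.strip()
    return rules

def find_suspicious(text, baseline=BASELINE):
    """Flag enabled Allow rules missing from the baseline whose program sits under the Windows folder."""
    hits = []
    for rule in parse_rules(text):
        if rule.get("Enabled") != "Yes" or rule.get("Action") != "Allow":
            continue
        if rule["Rule Name"].lower() in baseline:
            continue
        program = PureWindowsPath(rule.get("Program", ""))
        reasons = []
        if WINDOWS_DIR in program.parents:  # PureWindowsPath compares case-insensitively
            reasons.append("allow rule for program under Windows folder")
        if "ssh" in program.name.lower():
            reasons.append("ssh-like binary name")
        if reasons:
            hits.append((rule["Rule Name"], reasons))
    return hits
```

Run against a real host by feeding it the captured netsh output and a baseline taken from a known-clean machine; the baseline is what keeps legitimate System32 rules out of the results.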

ANALYST NOTES