The financially motivated threat actors behind the Casbaneiro banking malware family have been observed making use of a User Account Control (UAC) bypass technique to gain full administrative privileges on a machine, a sign that the threat actor is evolving their tactics to avoid detection and execute malicious code on compromised assets.
"They are still heavily focused on Latin American financial institutions, but the changes in their techniques represent a significant risk to multi-regional financial organizations as well," Sygnia said in a statement shared with The Hacker News.
Infection chains typically begin with a phishing email pointing to a booby-trapped attachment that, when launched, activates a series of steps that culminate in the deployment of the banking malware, alongside scripts that leverage living-off-the-land (LotL) techniques to fingerprint the host and gather system metadata.
Also downloaded at this stage is a binary called Horabot that's designed to propagate the infection internally to other unsuspecting employees of the breached organization.
"This adds credibility to the email sent, as there are no obvious anomalies in the email headers (suspicious external domains), which would typically trigger email security solutions to act and mitigate," the cybersecurity company said in a previous report published in April 2022. "The emails include the same PDF attachment used to compromise the previous victim hosts, and so the chain is executed once more."