Cybersecurity experts have recently made a concerning discovery regarding the Casbaneiro malware family, notorious for spying on Latin American banks. These cybercriminals have found a way to bypass account control (UAC) on Windows computers, granting them full administrative privileges.
In their latest report, Sygnia warned that while the criminals’ focus remains on Latin American financial institutions, their evolving tactics pose a significant threat to financial organizations worldwide.
Casbaneiro, also known as Metamorfo and Ponteiro, was first identified as a banking trojan back in 2018, originating from mass email spam attacks targeting the Latin American financial sector.
Casbaneiro‘s Evolving Tactics: Bypassing UAC with Deceptive Tricks
The new infection strategy, including Casbaneiro, involves a phishing email containing a link to an HTML file, which then redirects victims to download a malicious RAR archive. Previously, the same attackers relied on PDF attachments with background ZIP archive downloads.
The attackers have now adopted the use of the “fodhelper.exe” pentester tool to effectively bypass UAC and gain stealthy administrator privileges.
Sygnia’s findings reveal that during the recent wave of attacks, the cybercriminals created a deceptive “sham” directory named “C:Windows \system32” (notice the extra space) in the system partition. They utilized this directory to copy the fodhelper.exe executable file.
The purpose behind the “sham” directory might be twofold: either to avoid antivirus detection or to apply Sideloading DLL in conjunction with Microsoft’s digitally signed library to effectively bypass UAC.
This marks the third publicly known instance in recent months where attackers have leveraged the trusted directory impersonation technique in real attacks. Prior to this, hackers used the same method to distribute the DBatLoader downloader and various remote access Trojans, such as Warzone RAT.