Menu

  • Alerts
  • Incidents
  • News
  • APTs
  • Cyber Decoded
  • Cyber Hygiene
  • Cyber Review
  • Cyber Tips
  • Definitions
  • Malware
  • Threat Actors
  • Tutorials

Useful Tools

  • Password generator
  • Report an incident
  • Report to authorities
No Result
View All Result
CTF Hack Havoc
CyberMaterial
  • Education
    • Cyber Decoded
    • Definitions
  • Information
    • Alerts
    • Incidents
    • News
  • Insights
    • Cyber Hygiene
    • Cyber Review
    • Tips
    • Tutorials
  • Support
    • Contact Us
    • Report an incident
  • About
    • About Us
    • Advertise with us
Get Help
Hall of Hacks
  • Education
    • Cyber Decoded
    • Definitions
  • Information
    • Alerts
    • Incidents
    • News
  • Insights
    • Cyber Hygiene
    • Cyber Review
    • Tips
    • Tutorials
  • Support
    • Contact Us
    • Report an incident
  • About
    • About Us
    • Advertise with us
Get Help
No Result
View All Result
Hall of Hacks
CyberMaterial
No Result
View All Result
Home Alerts

Evolution of Casbaneiro Banking Threat

July 26, 2023
Reading Time: 2 mins read
in Alerts
Evolution of Casbaneiro Banking Threat

 

The financially motivated threat actors behind the notorious Casbaneiro banking malware family are evolving their tactics to enhance their stealth and impact. Recent observations reveal their use of a User Account Control (UAC) bypass technique, enabling them to gain full administrative privileges on targeted machines and execute malicious code undetected.

While their primary focus remains on Latin American financial institutions, the shift in techniques poses a significant risk to multi-regional financial organizations. Spear-phishing emails now contain links to HTML files, leading victims to download RAR files, deviating from the previous method of using malicious PDF attachments with ZIP file download links. Additionally, the attackers employ fodhelper.exe for UAC bypass and high integrity level execution, further complicating detection and mitigation efforts.

Casbaneiro, also known as Metamorfo and Ponteiro, first emerged in 2018 through mass email spam campaigns specifically targeting the Latin American financial sector. The infection chains start with phishing emails containing booby-trapped attachments that, when activated, initiate a series of steps culminating in the deployment of the banking malware. The attack leverages living-off-the-land (LotL) techniques to gather system metadata and fingerprint the host.

Further complicating detection, a binary named Horabot is downloaded to propagate the infection internally to other unsuspecting employees within the targeted organization, adding credibility to the malicious emails.

The recent change in tactics introduces spear-phishing emails with embedded links to HTML files that redirect victims to download RAR files instead of using the traditional malicious PDF attachments with ZIP file download links. Additionally, the attackers use fodhelper.exe for UAC bypass, granting them elevated privileges and enabling the successful execution of the malware.

Furthermore, the attackers create a mock folder on C:\Windows[space]\system32 to copy the fodhelper.exe executable, which has been identified in the wild several times. This approach is employed to bypass antivirus detections and potentially sideload DLLs with Microsoft-signed binaries for additional UAC bypass capabilities. The continued evolution of Casbaneiro’s techniques underscores the importance of robust cybersecurity measures for financial institutions and highlights the need for vigilance against emerging threats.

Reference:
  • BREAKING DOWN THE CASBANEIRO INFECTION CHAIN – PART II
Tags: bankingCasbaneiroCyber AlertCyber Alerts 2023CybersecurityJuly 2023Malware
ADVERTISEMENT

Related Posts

Scattered Spider Hits ESXi Servers

Scattered Spider Hits ESXi Servers

July 28, 2025
Scattered Spider Hits ESXi Servers

Malware Hides in Fake Dating Apps

July 28, 2025
Scattered Spider Hits ESXi Servers

Post SMTP Bug Exposes 200K Sites

July 28, 2025
Infostealer Hidden in Steam Game

Sophos, SonicWall Patch Critical RCE Bugs

July 25, 2025
Infostealer Hidden in Steam Game

CastleLoader Uses Clickfix on Windows

July 25, 2025
Infostealer Hidden in Steam Game

Koske Malware Hides in Panda Images

July 25, 2025

Latest Alerts

Post SMTP Bug Exposes 200K Sites

Malware Hides in Fake Dating Apps

Scattered Spider Hits ESXi Servers

CastleLoader Uses Clickfix on Windows

Sophos, SonicWall Patch Critical RCE Bugs

Koske Malware Hides in Panda Images

Subscribe to our newsletter

    Latest Incidents

    Cyberattack Hits French Naval Group

    Tea App Leak Exposes 13K Women Users

    Allianz Life Data Breach Hits Majority

    Hackers Target Amazon’s AI Code Bot

    Infostealer Hidden in Steam Game

    APTs Use Fake Dalai Lama Apps to Spy

    CyberMaterial Logo
    • About Us
    • Contact Us
    • Jobs
    • Legal and Privacy Policy
    • Site Map

    © 2025 | CyberMaterial | All rights reserved

    Welcome Back!

    Login to your account below

    Forgotten Password?

    Retrieve your password

    Please enter your username or email address to reset your password.

    Log In

    Add New Playlist

    No Result
    View All Result
    • Alerts
    • Incidents
    • News
    • Cyber Decoded
    • Cyber Hygiene
    • Cyber Review
    • Definitions
    • Malware
    • Cyber Tips
    • Tutorials
    • Advanced Persistent Threats
    • Threat Actors
    • Report an incident
    • Password Generator
    • About Us
    • Contact Us
    • Advertise with us

    Copyright © 2025 CyberMaterial