The financially motivated threat actors behind the notorious Casbaneiro banking malware family are evolving their tactics to enhance their stealth and impact. Recent observations reveal their use of a User Account Control (UAC) bypass technique, enabling them to gain full administrative privileges on targeted machines and execute malicious code undetected.
While their primary focus remains on Latin American financial institutions, the shift in techniques poses a significant risk to multi-regional financial organizations. Spear-phishing emails now contain links to HTML files, leading victims to download RAR files, deviating from the previous method of using malicious PDF attachments with ZIP file download links. Additionally, the attackers employ fodhelper.exe for UAC bypass and high integrity level execution, further complicating detection and mitigation efforts.
Casbaneiro, also known as Metamorfo and Ponteiro, first emerged in 2018 through mass email spam campaigns specifically targeting the Latin American financial sector. The infection chains start with phishing emails containing booby-trapped attachments that, when activated, initiate a series of steps culminating in the deployment of the banking malware. The attack leverages living-off-the-land (LotL) techniques to gather system metadata and fingerprint the host.
Further complicating detection, a binary named Horabot is downloaded to propagate the infection internally to other unsuspecting employees within the targeted organization, adding credibility to the malicious emails.
The recent change in tactics introduces spear-phishing emails with embedded links to HTML files that redirect victims to download RAR files instead of using the traditional malicious PDF attachments with ZIP file download links. Additionally, the attackers use fodhelper.exe for UAC bypass, granting them elevated privileges and enabling the successful execution of the malware.
Furthermore, the attackers create a mock folder on C:\Windows[space]\system32 to copy the fodhelper.exe executable, which has been identified in the wild several times. This approach is employed to bypass antivirus detections and potentially sideload DLLs with Microsoft-signed binaries for additional UAC bypass capabilities. The continued evolution of Casbaneiro’s techniques underscores the importance of robust cybersecurity measures for financial institutions and highlights the need for vigilance against emerging threats.
