Casbaneiro is a threat to cryptocurrency in Latin America

New malware that can steal cryptocurrency has been uncovered. It’s called ‘Casbaneiro’ and is a threat to users in Latin America, particularly in Brazil and Mexico.

The virus was discovered by ESET, a Slovak software developer specialising in antivirus.

What exactly is Casbaneiro?

Casbaneiro, also called Metamorfo, is a malware family belonging to the banking Trojans that are typical of Latin America. The virus targets banks and can also track data from crypto wallets. It’s focused on bank and payment services, mainly in Mexico and Brazil.

That doesn’t mean that the rest of the world is safe, though. The virus is likely to expand to other countries in Latin America and even outside the continent. 

According to ESET, Casbaneiro is similar to another malware family called Amavaldo. It uses the same techniques to trick users and obtain the data necessary to access wallets and steal cryptocurrency.

How it works

Casbaneiro follows the traditional course of action of all Trojan malware. It convinces the user to share personal data by using a trick. It uses pop-ups and fake communications to obtain sensitive information from end-users. 

The strategy behind the attack seeks to urge you to take action, such as confirming your bank account information, verifying your credit, or launching a software update.  

Once present on your device, the malware monitors your activity and steals your passwords. Then, it creates fake email addresses and sends the data to the attacker, who will use it to modify transactions. 

The attackers then gain access to your activity inside your wallet and then replace your data with theirs. It only takes a few seconds to transfer your funds to their active wallets. 

The virus takes a series of complex actions and uses backdoor commands to control your device. It can make screenshots and share them with its servers, remember keystrokes, simulate keyboard and mouse action, and even block your access to your banking site.

One of the most intriguing features of this malware family is its ability to hide the C&C server (the attacker’s computer from which commands are sent to your system). As far as the ESET team could find out, the virus has multiple ways to cover its tracks. It either encrypts the server’s domain and stores it in the data section, or embeds the encrypted domain in online documents and external websites.

Distribution

Usually, Casbaneiro arrives on your device through email. However, the specialists from ESET identified other campaigns designed to spread the virus across devices. 

One campaign includes a phishing message announcing a software update. End-users receive a link that supposedly allows them to download and install an update of their financial management software. Instead, the victims install Casbaneiro, which immediately starts extracting data from the device’s archive while monitoring the user’s activity.  

Another way to get the virus is by using a Re-Loader activator for Windows – a cracking tool that allows users to activate Windows and Microsoft Office. In this case, the victim downloads not only the Re-Loader but also the virus. Casbaneiro is executed before the other tool and starts gathering data right away. 

Malware works outside the blockchain

Malware families targeting cryptocurrency are dangerous. The blockchain is safe, but the virus can attack other areas where your digital assets don’t benefit from the same level of protection. 

Casbaneiro, for instance, looks very similar to a legitimate application on your device. You’ll only notice its presence when cryptocurrency starts to go missing from your wallet. And, as transactions on the blockchain are irreversible, you can’t undo them and get your funds back.

Trojans are dangerous because, once on your computer, they get access to almost everything you do. The virus records every password, private key, or other piece of information that you use to make transactions. Then, it sends them to its server, where attackers gain access to your wallet in seconds. Blockchain’s high-security features can’t protect you from this, as they have no impact on how you protect your digital wallet.

Until now, Casbaneiro has been targeting bank applications in Brazil and Mexico, but there’s no guarantee the attackers will stop there. In fact, it’s more likely the virus will spread across Latin America or even further. 

How to avoid a Trojan virus

Prevention is still the most effective way to fight against Trojans. So, never download or install any software from unknown sources (or sources that you don’t trust). Moreover, if someone uses email to send a programme, don’t open the attachment without checking with the sender. 

Another way to protect yourself from Trojans is by keeping all your apps and software up to date. Doing so makes it harder for the virus to take complete control of your computer.

As you may already know by now, you also need an internet security solution (antivirus) to protect your device. Many have features specially created to block Trojan malware. These are necessary when using your device for financial operations of any kind. 

Last but not least, don’t let yourself be tricked by the idea that it won’t happen to you. Casbaneiro and its cousin Amavaldo aren’t the only viruses targeting cryptocurrency. Cyberattackers are developing Trojans in all parts of the world, from India to Europe and the US, so it pays to develop good cyber hygiene habits.

Christina Comben

Christina is a fintech and cryptocurrency writer with a passion for technology and starting important conversations. She draws on her years of experience as a business reporter and interviewer to bring you the most salient issues and latest developments in the cryptosphere.
