Rewterz Threat Alert – Bank Customers Targeted By Vizom

Severity

High

Analysis Summary

A new malware package is discovered being used against banking customers in Brazil that has been dubbed “Vizom”. The attack vector for the malware is DLL hijacking. It uses two legitimate applications delivered in the payload, a video conferencing software package and an Internet browser named Vivaldi, to side-load the malicious DLLs. The malware typically is delivered via spam emails, where the user must be tricked into downloading Vizom. Once installed, the malware copies its own malicious DLLs in the directories where the legitimate DLLs would be loaded. The malware uses familiar remote overlay attack tactics to take over user devices in real time, as the intended victim logs in, and then initiates fraudulent transactions from their bank account. Owing to COVID, since everyone is using videoconferencing software to replace in-person meetings with both friends and colleagues, Vizom uses the binaries of a popular videoconferencing software to pave its way into new devices.

Impact

• Account Takeover
• Financial Theft
• Unauthorized Code Execution

Indicators of Compromise

MD5

• 808ed13b13d31e116244e1db46082015
• a555654f89aaf0d90a36c17e16014300

SHA-256

• f2c5fce0d32b050204c503f9a6adfe92f43b6aba0d2cc983a9a1c918b228b490
• 2afcedaf4913fd25f2133036916f3fc51957c9ea21104f4ce5ddfcdc69d2ccb2

SHA1

• f74abc5a2e2fb9f9389c1c6305c8efef87b088e5
• 41897b8a7baa8a718145297ed14019e057739906

Source IP

• 18[.]234[.]42[.]30

URL

• hxxps[:]//galinhaborabora[.]s3[.]amazonaws[.]com/felicidadeviver[.]zip

Remediation

• Block the threat indicators at their respective controls.
• Do not download files attached in untrusted emails.
• Keep all systems and software updated to latest patched versions against known vulnerabilities.