Vizom disguises itself as popular videoconferencing software, a lure that works because meetings have moved online during the pandemic.
Researchers have discovered a new form of malware that uses remote overlay attacks to target bank account holders in Brazil.
On Tuesday, IBM security researchers Chen Nahman, Ofir Ozer and Limor Kessem said the malware uses interesting tactics to stay hidden and to compromise users' devices in real time, namely remote overlay and DLL hijacking techniques.
Vizom spreads through spam-based phishing campaigns and disguises itself as popular video conferencing software, tools that have become vital to business and social events during the COVID-19 pandemic.
Once the malware lands on a vulnerable Windows computer, Vizom first targets the AppData directory to start the infection chain. Using DLL hijacking, it tries to force the operating system to load its malicious, Delphi-based DLLs by giving them the file names that legitimate software expects to find in its own directories.
By hijacking the "innate logic" of the system, IBM says, the operating system is tricked into loading Vizom code as a component of a legitimate video conferencing application. The DLL is named Cmmlib.dll, a file name associated with Zoom.
A dropper then launches zTscoder.exe via the command line, and a second payload, a Remote Access Trojan (RAT), is extracted from a remote server; the same hijacking trick is applied to the Vivaldi web browser.
To establish persistence, browser shortcuts are tampered with so that, regardless of which browser the user tries to launch, the malicious Vivaldi/Vizom code runs in the background.
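The two footholds described above, planted DLLs under the user profile and tampered browser shortcuts, can be audited from an ordinary PowerShell session. The script below is an added example, not code from IBM X-Force or ZDNet; the shortcut folders, the list of browser executables and the decision to treat any Cmmlib.dll or zTscoder.exe under AppData as worth a second look are assumptions made for illustration, and nothing is modified on the host.

```powershell
# Added example (not from IBM or ZDNet): read-only audit for the two Vizom
# footholds described in the article. Folder list, browser names and the
# "looks like a browser" heuristic are assumptions; tune them per environment.

$shell = New-Object -ComObject WScript.Shell

# Executables a browser-named shortcut is expected to point at (assumed list)
$browserExes = @('chrome', 'msedge', 'firefox', 'iexplore', 'opera', 'brave', 'vivaldi')

# Places where user-facing browser shortcuts normally live (assumed list)
$shortcutDirs = @(
    "$env:USERPROFILE\Desktop",
    "$env:PUBLIC\Desktop",
    "$env:APPDATA\Microsoft\Windows\Start Menu\Programs",
    "$env:ProgramData\Microsoft\Windows\Start Menu\Programs",
    "$env:APPDATA\Microsoft\Internet Explorer\Quick Launch"
) | Where-Object { Test-Path $_ }

# 1. Tampered browser shortcuts: the name says "browser" but the target does not,
#    or the Arguments field launches another executable/DLL or points into AppData.
$suspiciousLinks = foreach ($dir in $shortcutDirs) {
    Get-ChildItem -Path $dir -Filter '*.lnk' -Recurse -ErrorAction SilentlyContinue | ForEach-Object {
        $lnk = $shell.CreateShortcut($_.FullName)
        $targetExe = [IO.Path]::GetFileNameWithoutExtension($lnk.TargetPath).ToLower()
        $looksLikeBrowser = $_.BaseName -match 'chrome|edge|firefox|internet explorer|iexplore|opera|brave|vivaldi'
        $targetIsBrowser  = $browserExes -contains $targetExe
        $argsLaunchOther  = $lnk.Arguments -match '\.(exe|dll|lnk)\b|AppData'
        if (($looksLikeBrowser -and -not $targetIsBrowser) -or $argsLaunchOther) {
            [pscustomobject]@{
                Shortcut  = $_.FullName
                Target    = $lnk.TargetPath
                Arguments = $lnk.Arguments
            }
        }
    }
}

# 2. Hijack artefacts: copies of the file names from the report under the user
#    profile, with their Authenticode status and hash for triage. A copy that is
#    unsigned, or signed by someone other than the vendor whose name it borrows,
#    is the one to escalate.
$artifactNames = @('Cmmlib.dll', 'zTscoder.exe')
$suspiciousFiles = Get-ChildItem -Path $env:APPDATA, $env:LOCALAPPDATA -Recurse -File -ErrorAction SilentlyContinue |
    Where-Object { $artifactNames -contains $_.Name } |
    ForEach-Object {
        $sig = Get-AuthenticodeSignature -FilePath $_.FullName
        [pscustomobject]@{
            Path      = $_.FullName
            Signature = $sig.Status
            Signer    = if ($sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { '' }
            SHA256    = (Get-FileHash -Path $_.FullName -Algorithm SHA256).Hash
        }
    }

"== Browser shortcuts that do not point where their name suggests =="
$suspiciousLinks | Format-Table -AutoSize
"== Cmmlib.dll / zTscoder.exe found under the user profile =="
$suspiciousFiles | Format-Table -AutoSize
```

Run it in the context of the user whose machine is suspected, since both the shortcuts and the AppData tree are per-user. A browser shortcut whose Arguments field names a second executable or a path under AppData is the pattern to look for; a per-user browser install that legitimately lives under LOCALAPPDATA is not flagged by the target check alone. For the DLL search, a hit is only a lead: check the Signature column, and treat "NotSigned" or a signer unrelated to the vendor whose file name it borrows as the actionable case.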
The malware then waits for any sign that an online banking service is being accessed. If the title of a web page matches Vizom's target list, the operators are notified and can connect remotely to the compromised computer.
Because Vizom has RAT capabilities, the intruders can take over the compromised session and overlay content to trick victims into handing over their bank account credentials.
Source of information: zdnet.com