Casbaneiro wants to steal your cryptocurrency… but not by installing a crypto miner to leech off your computer's processing power, or by demanding a Bitcoin ransom to regain access to your files.
Cybersecurity company ESET has been studying the characteristics of the Casbaneiro malware, which, according to the company’s Virus Radar, was first detected in May 2018.
Casbaneiro is believed to be tied to similar banking malware strains which predominantly target the Latin American market, such as Amavaldo. ESET found evidence of four different variants which shared almost identical code. All of these variants are designed to steal banking details, funds and virtual assets.
ESET believes that the malware is being distributed through malicious emails. Past research by cybersecurity company FireEye suggested this is the case. According to FireEye, the malicious actors use an HTML attachment which redirects the victim to a cloud storage site, such as Google Drive, Dropbox or GitHub. The victim is then prompted to download a ZIP archive containing a number of malicious files, including the Casbaneiro malware.
In one case, ESET found evidence of a campaign that convinced victims to download an update for legitimate financial software. However, the installer instead installed the malware, which had been made to look like music streaming platform Spotify. Similar cases were found where Casbaneiro had been changed to look like OneDrive or WhatsApp applications.
Detections of the malware are particularly prevalent in Brazil and Mexico. However, there has also been some activity in the United States, Argentina, Peru and Spain.
What does the Casbaneiro malware do?
Upon infection, the malware was found to collect information on its victim, including the antivirus solutions they have installed, operating system version, login username and computer name. The malware also detects whether the infected system has a number of Latin American banking applications installed, as well as the online banking security software Diebold Warsaw GAS Tecnologia and IBM's Trusteer.
These malware strains monitor the user's activity and launch spoof pop-up windows if the user visits a banking-related page.
These pop-ups are designed to appear as if they are legitimate banking pages, and will typically prompt the user to enter sensitive information, such as banking logins or card details.
The malware uses social engineering techniques, such as claiming that the user’s banking application is outdated, or that credit card information needs to be verified. Social engineering is commonly used by cybercriminals to convince their victim that urgent action is required.
The malware is also able to take screenshots and upload them to the malicious actor’s command & control server. Likewise, it can also simulate mouse and keyboard actions, capture keystrokes, install updates, download and execute files and restrict access to certain websites.
An unusual way to steal cryptocurrency
While ransomware was a lucrative exploit for cybercriminals in 2017, its use declined throughout 2018 in line with the decline of Bitcoin’s value. However, the cryptocurrency’s recovery has led cybercriminals to turn back to ransomware in recent months.
According to cybersecurity firm McAfee, the number of new ransomware strains deployed grew by 118% in the first quarter of 2019 compared to the last quarter of 2018.
However, the Casbaneiro malware uses a different technique to steal cryptocurrency from its victims.
The malware monitors the content of the system’s clipboard, where copied information is stored. If it detects data that appears to be the address of a cryptocurrency wallet (these are generally long, random strings of letters and numbers), it replaces the copied data with its own Bitcoin wallet address.
The victim subsequently pastes the cybercriminal’s wallet address when attempting to paste their own.
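The swap described above leaves a recognisable trace in clipboard history: one wallet-shaped string is replaced by a different wallet-shaped string within a fraction of a second, far faster than a person re-copying an address. The following is an added example (not from ESET's or Verdict's analysis) that runs a shape-based Bitcoin address heuristic over a constructed clipboard timeline and flags that pattern; the addresses are made up and a live monitor would poll the operating system's clipboard instead of a list.

```python
import re
from dataclasses import dataclass

# Shape-only heuristics for Bitcoin addresses (legacy base58 and bech32).
# Constructed for this example; no checksum validation is performed.
LEGACY_RE = re.compile(r"^[13][a-km-zA-HJ-NP-Z1-9]{25,34}$")
BECH32_RE = re.compile(r"^bc1[qpzry9x8gf2tvdw0s3jn54khce6mua7l]{6,87}$")


def looks_like_btc_address(text: str) -> bool:
    """Return True if the clipboard text has the shape of a Bitcoin address."""
    s = text.strip()
    return bool(LEGACY_RE.match(s) or BECH32_RE.match(s))


@dataclass
class Snapshot:
    t: float      # seconds since monitoring started
    content: str  # clipboard text observed at that time


def detect_address_swaps(snapshots, window=2.0):
    """Flag transitions where one wallet-like address is replaced by a
    different one within `window` seconds. A user re-copying an address
    normally takes longer than a hijacker rewriting the clipboard."""
    alerts = []
    prev = None
    for snap in snapshots:
        if (prev is not None
                and looks_like_btc_address(prev.content)
                and looks_like_btc_address(snap.content)
                and prev.content.strip() != snap.content.strip()
                and snap.t - prev.t <= window):
            alerts.append((prev.content.strip(), snap.content.strip(), snap.t))
        prev = snap
    return alerts


# Constructed clipboard timeline (not real wallets).
SAMPLE = [
    Snapshot(0.0, "meeting notes"),
    Snapshot(5.0, "1DemoAddrConstructedForTestAbcdefg"),   # user copies own address
    Snapshot(5.3, "3RedirectedDestinationConstructedXy"),  # rewritten 300 ms later
    Snapshot(9.0, "bc1qzz9xsample4tstncheck"),             # user copies another address
    Snapshot(30.0, "1DemoAddrConstructedForTestAbcdefg"),  # slow change: normal re-copy
]

if __name__ == "__main__":
    for before, after, t in detect_address_swaps(SAMPLE):
        print(f"t={t}s clipboard address changed {before} -> {after}")
```

Only the 5.0 to 5.3 second transition is reported; the later address changes are spaced like ordinary user activity and pass silently.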
Verdict saw evidence of 52 payments that had been made to the wallet, totalling 1.24 Bitcoin. At Bitcoin’s current value, that equates to approximately $10,200. Approximately 0.5 Bitcoin has already been removed from the wallet, worth around $4,200.
Casbaneiro isn’t the first banking malware to do this. The ClipBanker malware, which was distributed as a Trojan through software hosting platform CNET for almost two years until its discovery in 2018, used a similar technique.