Bizarro banking Trojan: Hitting 70 banks across Europe and South America

A Brazil-originated new banking trojan – Bizarro, attacked customers of 70 banks of Brazil and Europe. Kaspersky researchers[1] discovered that Bizarro is stealing online banking credentials as well as hijacking Bitcoin wallets from android mobile users.

The attackers are using money mules for withdrawing funds or to transfer money, Kaspersky reports. In addition to phishing, the attackers are spreading the malware as a malicious app, fake pop-ups to gain access from the victim’s android smartphone.


How Bizarro attacks ?

1. Bizarro trojan spreads through Microsoft Installer packages, which could be downloaded directly by victims trojanized app or the malicious attachment having the trojan link pretending to be tax notifications mail or any other alert mail.

2. Once the packages are installed, it stops all running browsers and processes to terminate the existing sessions with online banking services. Now the victim must re-initiate the sign-in process and gives a lead to implant the malware and captures the credentials to create a backdoor for attackers.

3. Bizzaro goes one step ahead and disables the autocomplete feature in the browser and displays two-factor authentication in fake pop-ups to fetch the codes.

4. This initiates the screen capturing module and monitors the victim’s screen persistently. In order to capture crypto wallet addresses, they collect keystroke loggers, clipboards, operating system information, and banking details and once malware gets it, the attacker replaces the exiting crypto wallet with his own address.

Kaspersky says Bizarro uses servers hosted on Azure, AWS, and compromised WordPress servers which contain more than 100 commands and malware to control the victim’s device connections, file locations, and windows screen.

Like many other banking Trojans such as Tetrade (Guildma, Javali, Grandoreiro, Melcoz), Ghimob, and Amavaldo, the Brazilian Bizarro is increasingly affecting the mobile devices and leaving footprint across Brazil, Argentina, Chile, Germany, Spain, Portugal, France, and Italy.

The most valuable piece of advice is to never click on any links posted by unknown sources. Always maintain a zero-trust security attitude and never dismiss a suspicious behavior because you think it is just the OS behaving strangely.



1. Authors GReAT, GReAT, *, N., Dedola, M. L. G., Sidorina, T. K. T. S. T., & Kaspersky. (n.d.). Bizarro banking Trojan expands its attacks to Europe. Securelist English Global securelistcom.