< Back to Blog

Unmasking Casbaneiro: A Sneaky Cyber Threat and How Votiro Can Stop It

August 15, 2023

In an age where technology is an inextricable part of our daily lives, cybersecurity threats are a growing concern. One particular malware, known as Casbaneiro, or Metamorfo, has caused considerable alarm within cybersecurity circles due to its complex methods and targeted attacks. In this blog post, we delve into the intricacies of Casbaneiro malware, how it operates, and how solutions such as Votiro can effectively guard against it.

What is Casbaneiro?

Casbaneiro is a type of Trojan malware that primarily targets financial institutions, specifically those in Latin America. It is categorized as a banking Trojan due to its specific modus operandi, which focuses on extracting valuable financial information from its victims. While its primary focus has been Latin America, Casbaneiro’s reach has started to expand globally, making it a concern for financial institutions worldwide.

How Does Casbaneiro Work?

Casbaneiro employs an elaborate scheme to trick its victims, using a combination of social engineering, malicious emails, and drive-by downloads. Here’s a general flow of how the Casbaneiro attack progresses:

  1. Inception: The infection usually begins with a phishing or spear-phishing email – a seemingly innocuous email containing a link. These emails are often carefully crafted to appear legitimate, leveraging social engineering techniques to persuade users to click on the embedded link. 
  1. Redirection: Once the victim clicks on the link, they’re redirected to a download page. Here, the user is tricked into downloading and executing a ZIP file under the guise of installing an important or interesting application. Hackers have also begun sending spear-phishing emails with links to an HTML file that redirects victims to download a RAR file.
  1. Installation: When the ZIP file is executed, the Casbaneiro malware is silently installed on the user’s device, often without the user realizing anything malicious is taking place. Casbaneiro may also exploit system vulnerabilities to gain higher privileges and persist across system reboots. For example, it has used fodhelper.exe to achieve a User Account Control bypass technique to get full administrative privileges on a machine.
  1. Data Collection: Once installed, Casbaneiro monitors the victim’s behavior, particularly any interaction with banking or financial services. It logs keystrokes, captures screenshots, and gathers other data, sending it back to the attacker’s server.
  1. Manipulation: Casbaneiro can display fake pop-up windows mimicking those of targeted banks. These pop-ups prompt the user to input sensitive information like their banking login credentials, which are then sent to the attackers. The trojan can also mimic legitimate Windows OS processes, making the attack less likely to be detected by traditional cyber defense platforms.

Layering Link Removal & File Sanitization to Prevent Casbaneiro

Votiro, an advanced cybersecurity solution, reduces the risk of malware threats like Casbaneiro. Its technology uses a preventative approach to neutralize threats before they can cause harm. 

Content Disarm and Reconstruction (CDR): Votiro uses a CDR technology, which assumes all incoming files and emails are untrusted. It breaks down files to their basic components, scrutinizes them for any known or potential threats, and then rebuilds a completely clean, identical version of the file. Votiro prevents malware in a multi-layered approach:

  1. URL removal: sanitizes the malicious URL embedded in the email, effectively removing the threat — if the malicious URL can’t be accessed, then the RAR file can’t be downloaded. 
  2. Prevention of Malicious File Download: If that link is accessible, and the customer has the Votiro Browser plugin deployed, then the RAR download will be blocked.

Zero-Trust File Protection: Unlike traditional antivirus solutions, which rely on known virus signatures, Votiro is designed to protect against zero-day attacks. This means that even if Casbaneiro evolves or modifies its form to become an unknown threat, Votiro’s technology can still neutralize it. It also means that even if the malware uses the name of a legitimate Windows process, there is no chance of evading detection. That’s because, with Votiro’s zero trust approach, no decision has to be made whether to scan, delete, or sandbox the file. Every single file is sanitized.

Email Protection: Casbaneiro primarily propagates via malicious emails, Votiro’s email protection solution automatically scans and sanitizes every attachment and embedded link in an email, thereby eliminating the initial point of infection.

Usability: Votiro’s solution is designed to work seamlessly without interrupting normal workflows. It operates in the background, allowing users to safely open, use, and share any file or document without worrying about potential threats.

As Casbaneiro continues to evolve and threaten financial institutions, it’s essential to stay one step ahead. A cybersecurity solution like Votiro, which uses a proactive approach, can help to neutralize threats like Casbaneiro before they can cause damage. Remember, in the ever-evolving landscape of cyber threats, prevention is always better than response.

Contact us today to learn how Votiro sets the bar for addressing hidden threats in files to keep your organization secure while maintaining compliance. You can also skip right to a free 30-day trial of Votiro Cloud!