This blog was written by an independent guest blogger.
Security researchers working with IBM Security recently uncovered a new malware code that is being used to attack online banking users in Brazil.
Referred to as ‘Vizom’ by the team, the code uses remote overlay attacks to siphon sensitive financial data and make fraudulent transactions from victims’ bank accounts. What’s particularly concerning about Vizom is its use of malicious DLLs (Dynamic Link Libraries) that trick the victim’s operating system into loading them in place of the legitimate DLLs.
There has been a drastic increase in malware attacks for 2020 as cybercriminals have been eager to take advantage of the chaos of this year. Even though Vizom is currently mainly being used to target Brazilian-based accounts, there have been a handful of reports of it being used against bank accounts in other South American and European countries as well, so it’s likely to spread further.
In this article, we’ll go into specifics of how Vizom works, what makes it so dangerous, and how the malware authors use DLL hijacking and overlays to their advantage.
What is Vizom malware?
Chen Nahman, Limor Kessem, and Ofir Ozer shocked the world when they announced that the trio had discovered a new malware that attacked people who use video conferencing software.
Spam-based phishing campaigns are the starting point for the spread of Vizom, which disguises itself as a popular video conferencing application. Once downloaded and run on a vulnerable Windows PC, the malware begins the infection chain: it first drops its files into the AppData directory and uses DLL hijacking to get the system to load its malicious DLLs.
For those of you who aren’t aware, a DLL, or dynamic link library, is a file that contains code for functions shared by many programs on a PC. DLL hijacking is a type of cyberattack that manipulates the order in which Windows searches for and loads DLLs, letting an attacker get their own code loaded into a specific application. It is made possible by placing a file on disk where the application will find it before the legitimate library.
DLLs are a fundamental part of Microsoft’s Windows operating systems, which puts millions of PC users across the globe at a higher risk of being duped. Until now, it was only Brazilian bank accounts that had been compromised, but as noted previously there are reports of it happening in other countries as well.
What is both ironic and concerning here is that video conferencing software is constantly being updated to amp up security. In fact, the whole idea of adopting DevOps methodologies like Continuous Integration and Delivery was to decrease the growing complexity involved in developing software systems. But even after all these precautions, cyberattackers are still succeeding in finding loopholes and developing new malware to exploit those loopholes. Vizom is just one example.
Vizom names its files after DLLs that legitimate software expects in its directories
In this case, Vizom gives its Delphi-based DLLs names that appear legitimate because they match files the software expects to find in its own directory. IBM’s researchers pointed out that the operating system can thereby be tricked into loading the Vizom malware. One such DLL, for example, is named Cmmlib.dll, a file associated with Zoom.
How is this made possible? The attacker copies the real export list of the legitimate DLL (in this case, Cmmlib.dll), with certain changes: the list is modified so that every exported function is directed to the same address.
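A defender-side check for the hijack pattern described above, added here as an example (it is not code from the original post or from the IBM report): list DLLs that running processes have loaded from a user-profile location such as AppData, and flag those whose file name collides with a DLL in the process’s own install directory. The set of suspect roots and the reliance on Authenticode status are assumptions; the script needs a Windows host and, for other users’ processes, an elevated prompt.

```powershell
# Added example: flag DLLs loaded from user-writable profile directories.
# Vizom drops DLLs under AppData with names that legitimate software expects,
# so a module resolved from there instead of the install directory deserves a look.

$suspectRoots = @($env:APPDATA, $env:LOCALAPPDATA, $env:TEMP) |
    Where-Object { $_ } | ForEach-Object { $_.TrimEnd('\') + '\' }   # assumed suspect roots

$findings = foreach ($proc in Get-Process -ErrorAction SilentlyContinue) {
    try { $modules = $proc.Modules } catch { continue }   # access denied or 32/64-bit mismatch
    $exeDir = if ($proc.Path) { Split-Path $proc.Path -Parent } else { $null }

    foreach ($m in $modules) {
        $path = $m.FileName
        if (-not $path) { continue }
        $inSuspectRoot = $suspectRoots | Where-Object { $path.StartsWith($_, 'OrdinalIgnoreCase') }
        if (-not $inSuspectRoot) { continue }

        # Same file name also present beside the executable: the classic
        # search-order hijack pattern (the app expected that name locally).
        $collides = $exeDir -and (Test-Path (Join-Path $exeDir $m.ModuleName))
        $sig = Get-AuthenticodeSignature -FilePath $path -ErrorAction SilentlyContinue

        [pscustomobject]@{
            Process                = $proc.ProcessName
            PID                    = $proc.Id
            Module                 = $m.ModuleName
            Path                   = $path
            NameCollidesWithAppDir = [bool]$collides
            Signature              = if ($sig) { $sig.Status } else { 'Unknown' }
        }
    }
}

# Unsigned modules from AppData whose name collides with a DLL in the
# application directory are the rows to triage first.
$findings | Sort-Object Process, Module | Format-Table -AutoSize
```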
Not only that, but the malware also drops a second payload, a Remote Access Trojan (RAT), that is fetched from a remote server. The problem is that the connection code is virtually undetectable, and the browser shortcuts are tampered with, which allows the malicious Vizom code to keep running in the background.
As soon as the victim uses an online banking service, the malware detects it and passes the information on to the attackers. Vizom carries a target list, so if the webpage’s title matches an entry on that list, the attacker is alerted immediately and can then connect remotely to the compromised PC.
As mentioned before, Vizom has RAT capabilities, which enable attackers to take over the active session and overlay content on it. The victims end up being tricked into granting the attacker access and handing over the credentials for their bank accounts.
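Because the post notes that Vizom tampers with browser shortcuts so that its code keeps running in the background, here is an added audit script (not from the original post or the IBM report) that inspects browser .lnk files on the desktop, Start menu and pinned taskbar and reports any whose target is outside the expected install roots or that carry injected command-line arguments. The browser list, the trusted roots and the shortcut locations are assumptions; it runs on Windows only.

```powershell
# Added example: audit browser shortcuts for tampered targets or extra arguments.
$browserExes  = 'chrome.exe', 'msedge.exe', 'firefox.exe', 'vivaldi.exe', 'opera.exe', 'brave.exe'  # assumed
$trustedRoots = @($env:ProgramFiles, ${env:ProgramFiles(x86)}, "$env:LOCALAPPDATA\Programs") |
    Where-Object { $_ }                                                                             # assumed

$shortcutDirs = @(
    [Environment]::GetFolderPath('Desktop'),
    [Environment]::GetFolderPath('CommonDesktopDirectory'),
    "$env:APPDATA\Microsoft\Windows\Start Menu",
    "$env:ProgramData\Microsoft\Windows\Start Menu",
    "$env:APPDATA\Microsoft\Internet Explorer\Quick Launch\User Pinned\TaskBar"
) | Where-Object { Test-Path $_ }

$shell  = New-Object -ComObject WScript.Shell
$report = foreach ($lnk in Get-ChildItem -Path $shortcutDirs -Filter *.lnk -Recurse -ErrorAction SilentlyContinue) {
    $sc         = $shell.CreateShortcut($lnk.FullName)
    $target     = [string]$sc.TargetPath
    $targetName = [IO.Path]::GetFileName($target)    # safe on an empty target
    $looksLikeBrowser = ($browserExes -contains $targetName) -or
                        ($lnk.BaseName -match 'Chrome|Edge|Firefox|Vivaldi|Opera|Brave')
    if (-not $looksLikeBrowser) { continue }

    $targetTrusted = $false
    foreach ($root in $trustedRoots) {
        if ($target -and $target.StartsWith($root, 'OrdinalIgnoreCase')) { $targetTrusted = $true }
    }

    # A stock browser shortcut launches the binary with no arguments; anything
    # present here was added by an installer, an admin, or something malicious.
    [pscustomobject]@{
        Shortcut      = $lnk.FullName
        Target        = $target
        Arguments     = $sc.Arguments
        TargetTrusted = $targetTrusted
        Verdict       = if ($targetTrusted -and -not $sc.Arguments) { 'OK' } else { 'REVIEW' }
    }
}

$report | Format-Table -AutoSize
```

Rows marked REVIEW are not proof of infection on their own, but a browser shortcut whose target sits under a user profile directory, or that passes unexplained arguments, should be compared against a freshly created shortcut to the same browser.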
What makes the whole situation even scarier is that the remote control capabilities also abuse Windows API functions to simulate mouse movements and clicks, initiate keyboard input, and so on. Windows print and magnifier functions are infected as well.
You might wonder how users are unable to detect the fake overlays; the simple answer is that they look authentic. Vizom generates HTML files and then loads them in Vivaldi’s application mode. Once this is done, a keylogger is launched, and all captured input is encrypted, packaged, and sent to the attacker's command-and-control server.
Is there a way to stop Vizom malware?
There are steps you can take both to remove Vizom should you become infected and to reduce the chances of becoming infected in the first place.
Here is a step-by-step of a Vizom malware removal process you can use:
- Click Start on the bottom left corner of your Windows PC
- Go to the Control Panel, followed by Programs and Features
- Click on Uninstall a Program
- Perform a quick search for Vizom or any other unfamiliar programs
- Select Uninstall Vizom – or any other suspicious program that you find
Additionally, you can also rely on virtual private networks (VPNs) to hide your IP address and encrypt your data for anonymous browsing. Several VPNs are actually free to use, which is another major benefit. You won’t have to worry about logging in every time you use a platform, and you get the usual benefits such as a kill switch and other security features. At the same time, you also need to be very careful about which free VPNs you choose to use, because not all are safe.
More good news is the fact that experts believe AI can be useful in making financial services smarter and more secure, which could help protect users from bad agents and their malicious tactics to siphon their bank account information and money.
The fact is that Vizom can hide inside legitimate software and go undetected by the operating system, which in turn runs its malicious DLLs.
The ongoing pandemic has certainly had an adverse effect on the economy, and while the availability of advanced tools could have helped reduce this negative effect, cyberattackers have instead resorted to using technology like Vizom to steal money.