Brazilian bank accounts are being hit by a new strain of malware, named Vizom by IBM, that uses familiar overlay-attack tactics to hijack devices in real time, according to a report by ZDNet.
Disguising itself as a commonly used video conferencing tool, Vizom spreads through phishing campaigns. Once it lands on a Windows PC, the malware plants its files in the AppData directory and relies on DLL hijacking to get its malicious DLLs loaded by legitimate software. The DLL is named Cmmlib.dll, the name of a library associated with Zoom.
“To make sure that the malicious code is executed from Cmmlib.dll, the malware’s author copied the real export list of that legitimate DLL but made sure to modify it and have all the functions direct to the same address — the malicious code’s address space,” IBM security researchers Chen Nahman, Ofir Ozer, and Limor Kessem told ZDNet.
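The export-table trick the researchers describe leaves a measurable trace: a DLL that carries the legitimate library's full export list, but with every name resolving to the same address. The checker below, added here as an illustration and not part of the ZDNet or IBM reporting, parses a PE file's export directory directly and flags a DLL whose named exports all collapse onto one RVA. Because a real Cmmlib.dll cannot be shipped with the page, it also builds two constructed fixtures: a minimal PE32+ image with only an export section, once with cloned exports all pointing to one address and once with distinct addresses. The export names (CmmInit and friends), the RVAs and the section layout are invented for the example.

```python
import struct


def _cstring(data: bytes, off: int) -> str:
    """Read a NUL-terminated ASCII string at a file offset."""
    return data[off:data.index(b"\0", off)].decode("ascii", "replace")


def _rva_to_offset(sections, rva: int) -> int:
    """Map an RVA to a file offset using the section table."""
    for va, vsize, raw_ptr, raw_size in sections:
        if va <= rva < va + max(vsize, raw_size):
            return rva - va + raw_ptr
    raise ValueError(f"RVA {rva:#x} not mapped by any section")


def parse_exports(data: bytes):
    """Return (dll_name, {export_name: function_rva}) from a PE file's export directory."""
    if data[:2] != b"MZ":
        raise ValueError("missing MZ header")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    coff = e_lfanew + 4
    num_sections = struct.unpack_from("<H", data, coff + 2)[0]
    opt_size = struct.unpack_from("<H", data, coff + 16)[0]
    opt = coff + 20
    magic = struct.unpack_from("<H", data, opt)[0]
    dd = opt + (112 if magic == 0x20B else 96)       # data directories: PE32+ vs PE32
    export_rva = struct.unpack_from("<I", data, dd)[0]  # directory entry 0 = export table
    sections = []
    for i in range(num_sections):
        vsize, va, raw_size, raw_ptr = struct.unpack_from("<IIII", data, opt + opt_size + 40 * i + 8)
        sections.append((va, vsize, raw_ptr, raw_size))
    if export_rva == 0:
        return None, {}
    exp = _rva_to_offset(sections, export_rva)
    # IMAGE_EXPORT_DIRECTORY: Characteristics, TimeDateStamp, Major, Minor, Name, Base,
    # NumberOfFunctions, NumberOfNames, AddressOfFunctions, AddressOfNames, AddressOfNameOrdinals
    (_, _, _, _, name_rva, _base, _n_funcs, n_names,
     aof, aon, aono) = struct.unpack_from("<IIHHIIIIIII", data, exp)
    aof_off, aon_off, aono_off = (_rva_to_offset(sections, r) for r in (aof, aon, aono))
    exports = {}
    for i in range(n_names):
        name_off = _rva_to_offset(sections, struct.unpack_from("<I", data, aon_off + 4 * i)[0])
        ordinal = struct.unpack_from("<H", data, aono_off + 2 * i)[0]
        exports[_cstring(data, name_off)] = struct.unpack_from("<I", data, aof_off + 4 * ordinal)[0]
    return _cstring(data, _rva_to_offset(sections, name_rva)), exports


def collapsed_exports(data: bytes) -> bool:
    """True when a DLL with more than one named export routes every name to one RVA."""
    _, exports = parse_exports(data)
    return len(exports) > 1 and len(set(exports.values())) == 1


def build_export_only_pe(dll_name: str, exports: dict) -> bytes:
    """Constructed fixture: a minimal PE32+ file with a single .edata section and nothing
    else. It parses like a DLL but is not loadable; it exists only to exercise the checker."""
    names = list(exports)
    n = len(names)
    sec_va, sec_raw = 0x1000, 0x200
    aof, aon, aono = 40, 40 + 4 * n, 40 + 8 * n          # tables follow the 40-byte directory
    str_base = aono + 2 * n
    strings = bytearray(dll_name.encode() + b"\0")
    name_rvas = []
    for nm in names:
        name_rvas.append(sec_va + str_base + len(strings))
        strings += nm.encode() + b"\0"
    body = bytearray(struct.pack("<IIHHIIIIIII", 0, 0, 0, 0, sec_va + str_base, 1, n, n,
                                 sec_va + aof, sec_va + aon, sec_va + aono))
    body += b"".join(struct.pack("<I", exports[nm]) for nm in names)
    body += b"".join(struct.pack("<I", r) for r in name_rvas)
    body += b"".join(struct.pack("<H", i) for i in range(n))
    body += strings
    dos = bytearray(0x40)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 0x40)                          # e_lfanew
    coff = struct.pack("<HHIIIHH", 0x8664, 1, 0, 0, 0, 240, 0x2022)   # x64, one section, DLL
    opt = bytearray(240)                                              # PE32+ optional header
    struct.pack_into("<H", opt, 0, 0x20B)
    struct.pack_into("<I", opt, 108, 16)                              # NumberOfRvaAndSizes
    struct.pack_into("<II", opt, 112, sec_va, len(body))              # export data directory
    sec = struct.pack("<8sIIIIIIHHI", b".edata\0\0", len(body), sec_va, len(body), sec_raw,
                      0, 0, 0, 0, 0x40000040)
    hdr = dos + b"PE\0\0" + coff + opt + sec
    return bytes(hdr + b"\0" * (sec_raw - len(hdr)) + body)


# Constructed samples modelled on the pattern the researchers describe: one DLL keeps the
# legitimate export names but sends every one to the same address, the other resolves
# each name to its own function. Export names and RVAs are invented.
CLONED = build_export_only_pe("Cmmlib.dll",
    {"CmmInit": 0x2000, "CmmOpen": 0x2000, "CmmRead": 0x2000, "CmmClose": 0x2000})
BENIGN = build_export_only_pe("Cmmlib.dll",
    {"CmmInit": 0x2000, "CmmOpen": 0x2040, "CmmRead": 0x2090, "CmmClose": 0x20F0})

if __name__ == "__main__":
    for label, blob in (("cloned", CLONED), ("benign", BENIGN)):
        dll, exports = parse_exports(blob)
        print(f"{label}: {dll} named exports={len(exports)} collapsed={collapsed_exports(blob)}")
```

Point `parse_exports` at a file read in binary mode to run it against a DLL found in a user's AppData folder. Treat a positive result as a triage signal rather than a verdict: forwarded exports (RVAs that land inside the export directory) and identical-function folding by the linker can make a handful of legitimate exports share an address, and the check ignores ordinal-only exports. Comparing the export addresses against the signed copy of the same library is the decisive step.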
To create convincing overlays, Vizom generates HTML files and opens them in the Vivaldi browser. Because a legitimate browser renders the overlay, the activity is harder for the operating system and anti-virus software to tell apart from normal use. Vizom also modifies browser shortcuts so that they point to its own executable, and it keeps running in the background regardless of which browser the user tries to open.
“The remote overlay malware class has gained tremendous momentum in the Latin American cybercrime arena through the past decade, making it the top offender in the region,” IBM said, per ZDNet. “At this time, Vizom focuses on large Brazilian banks; however, the same tactics are known to be used against users across South America and have already been observed targeting banks in Europe as well.”
Earlier this month, the U.S. Treasury's Office of Terrorism and Financial Intelligence issued an alert about the surge in ransomware attacks. Ransomware attacks jumped 37 percent last year, with losses up 46 percent, according to FBI statistics.
Healthcare is especially vulnerable, with one of the country’s biggest hospital chains, Universal Health Services, hit by a major attack.