Attackers behind the Casbaneiro banking malware have adopted new techniques that could expand their targeting from financial organizations in Latin America to financial entities in multiple regions, The Hacker News reports.
According to a Sygnia report, the most recent Casbaneiro attacks open with a spear-phishing email whose link leads to an HTML file that in turn redirects the victim to a RAR archive, a departure from the operation's earlier use of malicious PDF files containing ZIP download links. The threat actors have also begun abusing the fodhelper executable to bypass User Account Control, possibly in combination with a so-called mock folder (a directory whose name imitates a trusted Windows system path) that could be used to evade antivirus detection or to sideload DLLs.
"It is possible that the attacker deployed the mock folder to bypass AV detections or to leverage that folder for side-load DLLs with Microsoft-signed binaries for UAC bypass," said researchers.
Mock folders have been previously observed in the DBatLoader and Warzone RAT malware campaigns.