Casbaneiro, a banking trojan designed to deceive the victims, proposing the display of fake pop-up windows that try to convince the unfortunates to enter sensitive data in order to steal it and use it fraudulently. Specialty of this malware lies in the fact that it uses YouTube to spread the addresses of its C&C servers, hiding itself cooking recipes or related to football. Specifically, each of these video contains a description, at the end of which there is a link to a fake Facebook or Instagram URL where the connection to the C&C server domain is hidden. What makes this technique dangerous is the ease of deceiving the victims without raising any suspicion. The connection to YouTube is not considered unusual and even if the video is examined, the link at the end of the description could easily go unnoticed.
Casbaneiro's backdoor functionalities are those typical of banking Trojans and include the acquisition of screenshots and the sending to its C&C server, simulation of mouse and keyboard actions and recording of keystrokes, as well as downloading and installing its own updates. , restricting access to various websites and spawning other executable. Casbaneiro, also known as Metamorfo, collects a lot of information about its victims including the list of installed antivirus products, the version of the operating system used, the username and the computer targeted.
Casbaneiro can also try to steal the victim's crypto currencies. It does this by checking the contents of the notes and if the data appears to be a crypto currency portfolio, it replaces them with the attacker's. This technique is not new as it has already been used by other malware in the past. Even the infamous BackSwap banking Trojan implemented it in its early stages.