Bank-targeting malware disguises itself as video conferencing software

IBM says the Vizom malware is spreading through spam-based phishing campaigns

Red skull and crossbones atop binary code

IBM Security researchers have discovered a new form of malware targeting online banking users in Brazil.

Dubbed Vizom, the malware disguises itself as popular video conferencing software and uses convincing remote overlays to take over user devices in real-time.

Research shows that hackers are delivering the malware via spam-based phishing email campaigns. According to IBM Security researchers Chen Nahman, Ofir Ozer and Limor Kessem, the new malware also uses remote overlay techniques and DLL hijacking to evade detection. 

Once embedded on a compromised PC, Vizom forms an infection chain through dynamic link library (DLL) hijacking - it force-loads malicious DLLs by naming its Delphi-based variants with unsuspecting file names found in directories of legitimate videoconferencing software. In Brazil’s case, the DLL is Cmmlib.dll, a file associated with Zoom.

What happens next is stealthy and treacherous. During an ongoing online transaction, the malware connects remotely to the compromised PC. It creates potent and believable HTML overlays and loads them in the Vivaldi internet browser in application mode. It then launches a keylogger that logs the user’s every keystroke when accessing their bank account. The malware then ships the acquired information to the attacker's command-and-control (C2) server. 

Vizom can also abuse Windows API functions, simulate mouse clicks and take screenshots.

There are no reports of hijacking in the US, but attacks have been observed across South America and Europe. 

Featured Resources

Choosing a collaboration platform

Eight questions every IT leader should ask

Download now

Performance benchmark: PostgreSQL/ MongoDB

Helping developers choose a database

Download now

Customer service vs. customer experience

Three-step guide to modern customer experience

Download now

Taking a proactive approach to cyber security

A complete guide to penetration testing

Download now

Recommended

HackBoss malware is using Telegram to steal cryptocurrency from other hackers
cryptocurrencies

HackBoss malware is using Telegram to steal cryptocurrency from other hackers

16 Apr 2021
A guide to cyber security certification and training
Careers & training

A guide to cyber security certification and training

22 Apr 2021
What is hacktivism?
hacking

What is hacktivism?

22 Apr 2021
Geico data breach leads to stolen driver’s license numbers
data breaches

Geico data breach leads to stolen driver’s license numbers

21 Apr 2021

Most Popular

REvil threatens to release Apple’s hardware schematics
ransomware

REvil threatens to release Apple’s hardware schematics

21 Apr 2021
How to find RAM speed, size and type
Laptops

How to find RAM speed, size and type

8 Apr 2021
Samsung Galaxy S21 Ultra review: Ultra in every sense of the word
Mobile Phones

Samsung Galaxy S21 Ultra review: Ultra in every sense of the word

22 Apr 2021