Researchers have uncovered a new form of malware using remote overlay attacks to strike Brazilian bank account holders.
The new malware variant, dubbed Vizom by IBM[1], is being used in an active campaign across Brazil designed to compromise bank accounts through online financial services.
On Tuesday, IBM security researchers Chen Nahman, Ofir Ozer, and Limor Kessem said the malware relies on two notable tactics to stay hidden and to compromise user devices in real time: remote overlay techniques and DLL hijacking.
Vizom spreads through spam-based phishing campaigns and disguises itself as popular videoconferencing software, tools that have become crucial to businesses and social events due to the coronavirus pandemic.
Once the malware has landed on a vulnerable Windows PC, Vizom first drops its components into the AppData directory to begin the infection chain. Using DLL hijacking, it gets legitimate software to load its malicious, Delphi-based DLLs by giving them the file names that software expects to find in its own directory.
By abusing the system's "inherent logic," as IBM puts it, the operating system is tricked into loading the Vizom DLL inside a legitimate videoconferencing process. The hijacked DLL is named Cmmlib.dll, a library associated with Zoom.
"To make sure that the malicious code is executed from 'Cmmlib.dll,' the malware's author copied the real export list of that legitimate DLL but made sure to modify it and have all the functions direct to the same address -- the malicious code's address space," the researchers say.
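The export-table trick IBM describes (a copied export list in which every function resolves to one address) is also a cheap static tell. The following is an added example, not code from the article, from IBM, or from any Zoom or Vizom file: a stdlib-only walker for the PE export directory plus a heuristic that flags a DLL whose named exports all land on a single code address. Both DLL images it inspects are constructed fixtures built in the script itself, and the export names ("Init", "Connect", and so on) are hypothetical rather than Cmmlib.dll's real exports.

```python
"""Flag a PE whose named exports all resolve to one address (proxy/hijack DLL heuristic).

Added example with constructed fixture images; not real Zoom or Vizom binaries.
Export names used below are hypothetical."""
import struct

DOS_E_LFANEW = 0x3C


def _cstring(data, off):
    return data[off:data.index(b"\0", off)].decode("ascii")


def parse_exports(data):
    """Return {export_name: target}; target is an int RVA or a forwarder string."""
    if data[:2] != b"MZ":
        raise ValueError("not a PE file")
    pe = struct.unpack_from("<I", data, DOS_E_LFANEW)[0]
    if data[pe:pe + 4] != b"PE\0\0":
        raise ValueError("bad PE signature")
    coff = pe + 4
    nsect = struct.unpack_from("<H", data, coff + 2)[0]
    opt_size = struct.unpack_from("<H", data, coff + 16)[0]
    opt = coff + 20
    magic = struct.unpack_from("<H", data, opt)[0]
    data_dirs = opt + (96 if magic == 0x10B else 112)      # PE32 vs PE32+ layout
    exp_rva, exp_size = struct.unpack_from("<II", data, data_dirs)  # directory 0 = exports
    if exp_rva == 0:
        return {}
    sections = []
    for i in range(nsect):
        vsize, va, rsize, rptr = struct.unpack_from("<IIII", data, opt + opt_size + 40 * i + 8)
        sections.append((va, max(vsize, rsize), rptr))

    def rva2off(rva):
        for va, size, rptr in sections:
            if va <= rva < va + size:
                return rva - va + rptr
        raise ValueError("RVA %#x not backed by any section" % rva)

    d = rva2off(exp_rva)
    _name, _base, nfunc, nnames, aof, aon, aoo = struct.unpack_from("<IIIIIII", data, d + 12)
    funcs = [struct.unpack_from("<I", data, rva2off(aof) + 4 * i)[0] for i in range(nfunc)]
    exports = {}
    for i in range(nnames):
        name_rva = struct.unpack_from("<I", data, rva2off(aon) + 4 * i)[0]
        ordinal = struct.unpack_from("<H", data, rva2off(aoo) + 2 * i)[0]
        target = funcs[ordinal]
        if exp_rva <= target < exp_rva + exp_size:          # forwarder entry, e.g. "real.dll.Func"
            target = _cstring(data, rva2off(target))
        exports[_cstring(data, rva2off(name_rva))] = target
    return exports


def assess_exports(exports, min_exports=4):
    """Many named exports that all point at one code address is the proxy-DLL pattern."""
    targets = [t for t in exports.values() if isinstance(t, int) and t]
    distinct = len(set(targets))
    return {"exports": len(exports), "distinct_targets": distinct,
            "suspicious": len(targets) >= min_exports and distinct == 1}


def build_pe32_with_exports(names, rvas, section_va=0x1000, raw_ptr=0x200):
    """Constructed fixture: a minimal PE32 whose single section holds only an export directory."""
    n = len(names)
    off_addr, off_names = 40, 40 + 4 * n
    off_ords, off_str = off_names + 4 * n, off_names + 6 * n
    strings, name_rvas = b"fixture.dll\0", []
    for nm in names:
        name_rvas.append(section_va + off_str + len(strings))
        strings += nm.encode("ascii") + b"\0"
    body = struct.pack("<IIHHIIIIIII", 0, 0, 0, 0, section_va + off_str, 1, n, n,
                       section_va + off_addr, section_va + off_names, section_va + off_ords)
    body += b"".join(struct.pack("<I", r) for r in rvas)
    body += b"".join(struct.pack("<I", r) for r in name_rvas)
    body += b"".join(struct.pack("<H", i) for i in range(n)) + strings
    dos = b"MZ" + b"\0" * 58 + struct.pack("<I", 0x40)                  # e_lfanew = 0x40
    coff = b"PE\0\0" + struct.pack("<HHIIIHH", 0x14C, 1, 0, 0, 0, 224, 0x2102)
    opt = struct.pack("<H", 0x10B) + b"\0" * 94                         # PE32 magic, rest zeroed
    opt += struct.pack("<II", section_va, len(body)) + b"\0" * 120       # 16 data dirs, [0] = exports
    sect = b".edata\0\0" + struct.pack("<IIII", len(body), section_va, len(body), raw_ptr) + b"\0" * 16
    hdr = dos + coff + opt + sect
    return hdr + b"\0" * (raw_ptr - len(hdr)) + body


NAMES = ["Init", "Connect", "Send", "Close"]                              # hypothetical names
LEGIT_PE = build_pe32_with_exports(NAMES, [0x2000, 0x2010, 0x2020, 0x2030])  # distinct code per export
PROXY_PE = build_pe32_with_exports(NAMES, [0x2000] * 4)                  # every export -> one stub

if __name__ == "__main__":
    for label, image in (("legit", LEGIT_PE), ("proxy", PROXY_PE)):
        print(label, assess_exports(parse_exports(image)))
```

Run against a real on-disk DLL, read the file with `open(path, "rb").read()` and pass it to `parse_exports`; a copied export list in which every name resolves to one RVA shows up as `distinct_targets == 1`. A legitimate library that forwards to another DLL is excluded from that count on purpose, since forwarders are strings rather than code addresses and are a normal part of many Windows system libraries.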
A dropper then launches zTscoder.exe via the command prompt, and a second payload, a Remote Access Trojan (RAT), is retrieved from a remote server -- with the same hijacking trick performed on the