Home Cyber Attack Bizarro Banking Trojan Targets Dozens Of Banks Across Europe, South America

Bizarro Banking Trojan Targets Dozens Of Banks Across Europe, South America

by Abeerah Hashim
Trojan horse

Another threat for the online banking sector has surfaced online. Identified as Bizarro – a typical banking trojan is active in the wild targeting numerous banks. The malware not only aims to steal money but also possesses backdoor functionality.

Bizarro Banking Trojan Being Spread Via Spam Emails

Researchers from Kaspersky Labs have discovered a new malware active in the wild. Analyzing the malware “Bizarro” reveals it as a banking trojan closely similar to the Tetrade trojan family.

As explained, the malware doesn’t limit itself to the digital way only. Rather it leverages money mules at the end of the attack for cashing out.

In brief, the attack begins via spam emails dropping MSI packages. Once downloaded, the malware then downloads a ZIP archive from a phishing website that includes a malicious DLL, a legit AutoHotkey script runner, and another script that calls an exported function from the DLL. The latter makes the DLL export the function with the malicious code.

Upon reaching the victim device, the malware kills existing browser sessions. This will compel the victim user to restart the online banking session that obviously requires entering credentials. That’s what the malware targets.

To ensure stealing the credentials, the malware also disables the auto-complete function of the browsers.

Besides, the malware continues executing other malicious activities, such as monitoring clipboard, screen capture, and other activities to look for more data, such as crypto wallets.

Moreover, the malware also exhibits backdoor capabilities that contain 100 commands for more malicious activities, such as displaying fake pop-ups, stealing 2FA codes, and more.

The researchers have shared the detailed technical analysis of the malware in their post.

Malware campaign Targeted 70 Banks

The researchers observed active Bizarro campaigns in the wild targeting European and South American banks.

The affected regions predominantly include Brazil, Argentina, Chile, Germany, Spain, Portugal, France, and Italy. Whereas, the trojan has targeted around 70 different banks until now.

Given the severity of Bizarro, users must ensure keeping their devices secured with robust antimalware tools.

You may also like

Latest Hacking News

Privacy Preference Center


The __cfduid cookie is used to identify individual clients behind a shared IP address and apply security settings on a per-client basis.

cookie_notice_accepted and gdpr[allowed_cookies] are used to identify the choices made from the user regarding cookie consent.

For example, if a visitor is in a coffee shop where there may be several infected machines, but the specific visitor's machine is trusted (for example, because they completed a challenge within your Challenge Passage period), the cookie allows Cloudflare to identify that client and not challenge them again. It does not correspond to any user ID in your web application, and does not store any personally identifiable information.

__cfduid, cookie_notice_accepted, gdpr[allowed_cookies]


DoubleClick by Google refers to the DoubleClick Digital Marketing platform which is a separate division within Google. This is Google’s most advanced advertising tools set, which includes five interconnected platform components.

DoubleClick Campaign Manager: the ad-serving platform, called an Ad Server, that delivers ads to your customers and measures all online advertising, even across screens and channels.

DoubleClick Bid Manager – the programmatic bidding platform for bidding on high-quality ad inventory from more than 47 ad marketplaces including Google Display Network.

DoubleClick Ad Exchange: the world’s largest ad marketplace for purchasing display, video, mobile, Search and even Facebook inventory.

DoubleClick Search: is more powerful than AdWords and used for purchasing search ads across Google, Yahoo, and Bing.

DoubleClick Creative Solutions: for designing, delivering and measuring rich media (video) ads, interactive and expandable ads.



The _ga is asssociated with Google Universal Analytics - which is a significant update to Google's more commonly used analytics service. This cookie is used to distinguish unique users by assigning a randomly generated number as a client identifier. It is included in each page request in a site and used to calculate visitor, session and campaign data for the sites analytics reports. By default it is set to expire after 2 years, although this is customisable by website owners.

The _gat global object is used to create and retrieve tracker objects, from which all other methods are invoked. Therefore the methods in this list should be run only off a tracker object created using the _gat global variable. All other methods should be called using the _gaq global object for asynchronous tracking.

_gid works as a user navigates between web pages, they can use the gtag.js tagging library to record information about the page the user has seen (for example, the page's URL) in Google Analytics. The gtag.js tagging library uses HTTP Cookies to "remember" the user's previous interactions with the web pages.

_ga, _gat, _gid