Researchers at IBM have uncovered a new malware strain that attempts to collect banking credentials through remote overlay attacks. The name given to this new threat is Vizom, and, at least for now, its main targets are users located in Brazil.
Vizom propagates through the familiar tactic of phishing emails carrying malware-laced attachments. To raise as little suspicion as possible, the hackers behind the campaign disguise their malware as popular videoconferencing tools. Such applications have become a necessity in the aftermath of the COVID-19 pandemic, with many non-tech-savvy users having had to learn to work with them quickly.
Once the unsuspecting victim executes the poisoned email attachment, it drops a mixture of legitimate and corrupted files. The infection chain begins in the AppData directory. Vizom abuses legitimate applications by forcing them to execute its corrupted files, a tactic called DLL hijacking. The hackers designed the threat's DLL files to pose as the real files that the applications expect to find in their directories. The threat's main DLL file is named 'Cmmlib.dll,' identical to the name of a file associated with a popular videoconferencing application.
Vizom then proceeds to the next stage of the attack chain: the delivery of a Remote Access Trojan (RAT) payload. First, it abuses another legitimate process called 'zTscoder.exe' through the command line and forces it to load the dropper of the second malware threat. The dropper is contained in a .zip archive that also carries a legitimate copy of the Vivaldi browser, which is later used as part of the attack.
Once the RAT is fully deployed, it gives the attacker significant control over the compromised computer. The hackers can take screenshots of the system, monitor specific keystrokes or activate a keylogger module, and control the mouse position and clicks as well as the keyboard. However, the main threatening activity is the creation of overlays when the targeted user opens specific banking websites. Vizom stays hidden and monitors the compromised user's browsing sessions, waiting for a match to its list of targets to appear. Unlike some more sophisticated remote overlay threats, Vizom performs this check simply by comparing the window title against the attacker's list of key targets. The overlay system relies on Vizom generating an HTML file that is then opened by the Vivaldi browser in application mode. As a result, the attacker bypasses the browser's usual UI and does not rely on the victim performing any on-screen actions.
To achieve persistence, Vizom modifies browser shortcuts so that, no matter which browser the victim normally uses, the shortcut always points to the Vivaldi browser dropped by the threat. To avoid the obvious sign that something is wrong when the user starts their usual browser but sees Vivaldi opening instead, the attackers have the user's default browser started as a child process.
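As an added example (not from IBM's report and not Vizom's own code), the following Python triage turns three of the observations above into defender-side heuristics: an unsigned DLL loaded from AppData (the DLL hijacking step), a Chromium-based browser started in app mode on a local HTML file (the `--app=` switch is a real Chromium flag; that Vivaldi's application mode is launched this way is an assumption), and a browser shortcut whose target is not the browser it is named after (the persistence step). Event field names, paths and the sample records are constructed, in a Sysmon-like shape.

```python
import re
USER_WRITABLE = re.compile(r"\\users\\[^\\]+\\appdata\\", re.IGNORECASE)
# Shortcut names a user expects to start their own browser -> expected target binary (assumed pairs).
EXPECTED_BROWSER = {"google chrome.lnk": "chrome.exe", "firefox.lnk": "firefox.exe",
                    "microsoft edge.lnk": "msedge.exe"}

def flag_dll_sideload(ev):
    """Image-load event: an unsigned DLL loaded from a user-writable directory
    is the footprint that DLL search-order hijacking leaves behind."""
    return (ev["type"] == "image_load" and ev["image"].lower().endswith(".dll")
            and bool(USER_WRITABLE.search(ev["image"])) and not ev["signed"])

def flag_app_mode_overlay(ev):
    """Process-create event: a Chromium-based browser started with --app= on a
    local HTML file, i.e. a window without the usual browser UI."""
    if ev["type"] != "process_create":
        return False
    m = re.search(r'--app=(?:"([^"]+)"|(\S+))', ev["cmdline"], re.IGNORECASE)
    if not m:
        return False
    target = (m.group(1) or m.group(2)).lower()
    return target.startswith("file://") or target.endswith((".html", ".htm"))

def flag_retargeted_shortcut(ev):
    """Shortcut inventory record: a browser shortcut whose target is not the
    browser it is named after (Vizom points every browser shortcut at Vivaldi)."""
    if ev["type"] != "shortcut":
        return False
    expected = EXPECTED_BROWSER.get(ev["name"].lower())
    return expected is not None and not ev["target"].lower().endswith("\\" + expected)

CHECKS = [("dll_sideload", flag_dll_sideload), ("app_mode_overlay", flag_app_mode_overlay),
          ("retargeted_shortcut", flag_retargeted_shortcut)]

def triage(events):
    """Return (event id, finding) pairs for every check that fires."""
    return [(ev["id"], name) for ev in events for name, fn in CHECKS if fn(ev)]

SAMPLE_EVENTS = [  # constructed records in a Sysmon-like shape, not real telemetry
    {"id": 1, "type": "image_load", "image": r"C:\Users\ana\AppData\Roaming\Meet\Cmmlib.dll", "signed": False},
    {"id": 2, "type": "image_load", "image": r"C:\Windows\System32\kernel32.dll", "signed": True},
    {"id": 3, "type": "process_create", "cmdline": r'"C:\Users\ana\AppData\Local\Vivaldi\vivaldi.exe" --app=file:///C:/Users/ana/AppData/Roaming/Meet/login.html'},
    {"id": 4, "type": "process_create", "cmdline": r'"C:\Program Files\Google\Chrome\chrome.exe" --app=https://mail.example.test'},
    {"id": 5, "type": "shortcut", "name": "Google Chrome.lnk", "target": r"C:\Users\ana\AppData\Local\Vivaldi\vivaldi.exe"},
    {"id": 6, "type": "shortcut", "name": "Google Chrome.lnk", "target": r"C:\Program Files\Google\Chrome\chrome.exe"},
]

if __name__ == "__main__":
    for event_id, finding in triage(SAMPLE_EVENTS):
        print(f"event {event_id}: {finding}")
```

Events 2, 4 and 6 are benign controls; only 1, 3 and 5 should be reported.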
Remote overlay attacks have seen a significant increase in Latin America, and while Vizom is currently deployed against users in Brazil, the same tactics could easily be transferred to campaigns across South America or even Europe.