Researchers at IBM have discovered a new malware campaign VIZOME that hijacks bank accounts by the overlay.
It spreads via spam phishing and pretends to be a video conferencing software, much in use in these times.
After enlisting itself in the device, Vizome infiltrates the AppData directory by launching DLL highjacking.
The malware loads it's own DLL files and names it such that seems legitimate. Vimoze then tricks the computer into loading the malware with the video conferencing app. The DLL is termed Cmmlib.dll, a file associated with Zoom.
The malware then installs another playload, a Remote Access Trojan (RAT) which makes remote access and overlay possible.
"To make sure that the malicious code is executed from "Cmmlib.dll," the malware's author copied the real export list of that legitimate DLL but made sure to modify it and have all the functions direct to the same address -- the malicious code's address space," the researchers say.
While in the system, Vizome will wait for a Banking inquiry or search on the browser. When such a banking website is accessed, the attackers hijack the system remotely via RAT (Remote Access Trojan). Vizome through RAT can abuse Windows API functions, such as moving a mouse cursor, take screenshots, initiate keyboard input, and emulate clicks.
"The remote overlay malware class has gained tremendous momentum in the Latin American cybercrime arena through the past decade making it the top offender in the region," IBM says. "At this time, Vizom focuses on large Brazilian banks, however, the same tactics are known to be used against users across South America and has already been observed targeting banks in Europe as well."