{
	"id": "ac43b826-c6cf-4e1f-aa80-84537fbeaedb",
	"created_at": "2026-04-06T00:21:32.128402Z",
	"updated_at": "2026-04-10T03:21:43.122367Z",
	"deleted_at": null,
	"sha1_hash": "914c3ef33fdda6d446a5dddf550c866d815b5963",
	"title": "Bizarro banking Trojan expands its attacks to Europe",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 1123844,
	"plain_text": "Bizarro banking Trojan expands its attacks to Europe\r\nBy GReAT\r\nPublished: 2021-05-17 · Archived: 2026-04-02 11:37:31 UTC\r\nBizarro is yet another banking Trojan family originating from Brazil that is now found in other regions of the\r\nworld. We have seen users being targeted in Spain, Portugal, France and Italy. Attempts have now been made\r\nto steal credentials from customers of 70 banks from different European and South American countries.\r\nFollowing in the footsteps of Tetrade, Bizarro is using affiliates or recruiting money mules to operationalize their\r\nattacks, cashing out or simply helping with transfers. In this article we analyse the technical features of the\r\nTrojan’s components, giving a detailed overview of obfuscation techniques, the infection process and subsequent\r\nfunctions, as well as the social engineering tactics used by the cybercriminals to convince their victims to give\r\naway their personal online banking details.\r\nBizarro has x64 modules and is able to trick users into entering two-factor authentication codes in fake pop-ups. It\r\nmay also use social engineering to convince victims to download a smartphone app. The group behind Bizarro\r\nuses servers hosted on Azure and Amazon (AWS) and compromised WordPress servers to store the malware and\r\ncollect telemetry.\r\nBizarreland\r\nBizarro is distributed via MSI packages downloaded by victims from links in spam emails. Once launched,\r\nBizarro downloads a ZIP archive from a compromised website. While writing this article, we saw hacked\r\nWordPress, Amazon and Azure servers used for storing archives. 
The MSI installer has two embedded links –\r\nwhich one is chosen depends on the victim’s processor architecture.\r\nhttps://securelist.com/bizarro-banking-trojan-expands-its-attacks-to-europe/102258/\r\nPage 1 of 10\n\nTypical malicious message sent by Bizarro operators\r\nThe downloaded ZIP archive contains the following files:\r\nA malicious DLL written in Delphi;\r\nA legitimate executable that is an AutoHotkey script runner (in some samples AutoIt is used instead of\r\nAutoHotkey);\r\nA small script that calls an exported function from the malicious DLL.\r\nThe DLL exports a function that contains the malicious code. The malware developers have used obfuscation to\r\ncomplicate code analysis. The code of the exported functions has been removed by the protector. The bytes that\r\nbelong to the exported functions are restored by the DLL entry point function at runtime. This entry point function\r\nis heavily obfuscated. The tricks used to complicate analysis consist of constant unfolding and junk code insertion.\r\nAs for the malware developers, they are constantly improving the protection of the binaries. In earlier versions of\r\nBizarro, only the entry point function was protected, while in more recent samples the protector is also used to\r\nobscure calls of the imported API functions.\r\nWhen Bizarro starts, it first kills all the browser processes to terminate any existing sessions with online banking\r\nwebsites. When a user restarts the browsers, they will be forced to re-enter the bank account credentials, which\r\nwill be captured by the malware. 
Another step Bizarro takes in order to get as many credentials as possible is to\r\ndisable autocomplete in a browser.\r\nBizarro gathers the following information about the system on which it is running:\r\nComputer name;\r\nOperating system version;\r\nDefault browser name;\r\nInstalled antivirus software name.\r\nBizarro uses the ‘Mozilla/4.0 (compatible;MSIE 6.0; Windows NT 5.0’ user agent while sending the POST\r\nrequest. This user agent has typos: there should be a space symbol after the compatible; substring and the closing\r\nbracket is missing. Our research shows that this mistake has not been fixed in the latest versions. After that,\r\nBizarro creates an empty file in the %userprofile% directory, thus marking the system as infected. The name of the\r\nfile is the name of the script runner (AutoIt or AutoHotkey) with the .jkl extension appended to it.\r\nHaving sent the data to the telemetry server, Bizarro initializes the screen capturing module. It loads the\r\nmagnification.dll library and gets the address of the deprecated MagSetImageScalingCallback API function.\r\nWith its help, the Trojan can capture the screen of a user and also constantly monitor the system clipboard, looking\r\nfor a Bitcoin wallet address. If it finds one, it is replaced with a wallet belonging to the malware developers.\r\nThe backdoor is the core component of Bizarro: it contains more than 100 commands and allows the attackers to\r\nsteal online banking account credentials. Most of the commands are used to display fake pop-up messages to\r\nusers. The core component of the backdoor doesn’t start until Bizarro detects a connection to one of the hardcoded\r\nonline banking systems. 
The malware does this by enumerating all the windows, collecting their names.\r\nWhitespace characters, letters with accents (such as ñ or á) and non-letter symbols such as dashes are removed\r\nfrom the window name strings. If a window name matches one of the hardcoded strings, the backdoor continues\r\nstarting up.\r\nThe first thing the backdoor does is remove the DNS cache by executing the ipconfig /flushdns command. This is\r\ndone in order to prevent connecting to a blocked IP. After that, the malware resolves the domain name to an IP\r\naddress, creates a socket and binds it to the resolved address. If the connection was successful, it creates the\r\n%userprofile%\\bizarro.txt file.\r\nThe Backdoor and its C2\r\nThe commands that Bizarro receives from its C2 can be divided into the following categories:\r\nCommands that allow the C2 operators to get data about the victim and manage the connection\r\nstatus\r\nThe \u003c|PT|\u003e command sends the environment information to the C2: Bizarro’s version, OS name, computer\r\nname, Bizarro’s unique identifier, installed antivirus software and the codename used for the bank that has\r\nbeen accessed. The codenames are bank names written in leetspeak.\r\nCommands that allow attackers to control the files located on the victim’s hard drive\r\nThe \u003c|DownloadFile|\u003e command downloads files to the victim’s computer, while the \u003c|UploadFile|\u003e\r\ncommand allows attackers to fetch files from the client machine. The \u003c|Folder|\u003e and \u003c|File|\u003e commands\r\nallow the attackers to search for folders and files which have a given mask.\r\nCommands that allow attackers to control the user’s mouse and keyboard\r\nThe \u003c|SuaykRJ|\u003e command performs a left mouse button click at the designated location. 
The\r\n\u003c|SuaykJI|\u003e command performs a double click at the given location, while the \u003c|IXjzwtR|\u003e command\r\nperforms a right mouse button click. The \u003c|ztUjzwtR|\u003e command moves the mouse to a designated\r\nlocation. The syntax of these three commands is \u003c|command name|\u003ex coordinate\u003c|\u003ey coordinate\u003c\u003c|.\r\nBizarro can also manipulate the user’s keyboard (what the user actually types) with the help of the\r\ncarmena command.\r\nCommands that allow the attackers to control the backdoor operation, shut down, restart or destroy\r\nthe operating system and limit the functionality of Windows\r\nThe LkingWajuGhkzwu command shuts the backdoor down, while the vkbAlcvtlY command drops a\r\nBAT file in the working directory. The batch script is responsible for deleting the malware from disk.\r\nCommands that log keystrokes\r\nBizarro supports two commands that are responsible for keylogging. The COZUMEL command starts the\r\nlogging process, while the COZUMARIA command stops it.\r\nCommands that perform social engineering attacks\r\nThese commands display various messages that trick users into giving attackers access to the bank account.\r\nThe type of messages displayed varies from simple message boxes to well-designed windows with bank logos\r\non them.\r\nWe will first describe commands that show Windows message boxes. The dkxqdpdv command displays an\r\nerror message with the text: “Los datos ingresados son incorrectos, por favor intente nuevamente.”\r\n(English: “The data entered is incorrect, please try again.”)\r\nBizarro shows a message telling the user to enter the requested data again\r\nThe vanessa command displays an error message which tells the user to enter confirmation information. 
To\r\nfurther convince the user that all operations are legitimate, the malware displays the RUT (Rol Único Tributario, a\r\nChilean ID number) and the value that was supplied earlier. The message has the following text:\r\nError message asking the user to enter a confirmation code\r\nThe LMAimwc command displays another error message. This time it tells the user that their computer needs to\r\nbe restarted in order to finish a security-related operation. Bizarro displays the following text:\r\nError message telling the user that the operating system will be restarted\r\nThe most interesting messages that Bizarro displays are those that try to mimic online banking systems. To display\r\nsuch messages, Bizarro needs to download a JPEG image that contains the bank logo and instructions the victim\r\nneeds to follow. These images are stored in the user profile directory in an encrypted form. Before an image is\r\nused in a message, it is decrypted with a multi-byte XOR algorithm. As the messages are downloaded from the C2\r\nserver, they can be found only on the victims’ machines.\r\nThe first type of custom messages that Bizarro may show are messages that freeze the victim’s machine, thus\r\nallowing the attackers to gain some time. When a command to display a message like this is received, the taskbar\r\nis hidden, the screen is greyed out and the message itself is displayed. While the message is shown, the user is\r\nunable to close it or open Task Manager. The message itself tells the user either that the system is compromised\r\nand thus needs to be updated or that security and browser performance components are being installed. 
This type\r\nof message also contains a progress bar that changes over time.\r\nThe images below show what these messages look like on the screens of victims, with messages written in\r\nSpanish:\r\nBizarro blocking a bank login page and telling the user that security updates are being installed\r\nThe following two messages try to convince the victim that their system is compromised. In most of them, Bizarro\r\ntells the user not to worry about any transactions that occur during the “security update” as they are only\r\nconfirming the identity of the client. This makes clients feel more confident about approving all the transactions\r\nrequested by the attackers.\r\nMessages telling the user that their system is compromised\r\nBizarro also tries to lure victims into sending two-factor authentication codes to the attackers. Another interesting\r\nfeature we have seen entails an attempt to convince the victim to install a malicious app on their smartphone. It\r\nuses the following windows to determine the type of mobile operating system:\r\nBizarro asks the user to choose the operating system of their smartphone\r\nIf the victim chooses Android, the C2 server will send a link with a malicious application to the client. The client\r\nwill make a QR code out of it with the help of the Google Charts API. 
It sends a request with the following\r\narguments:\r\nhttp://chart.apis.google.com/chart?chs=\u003cQR code width\u003ex\u003cQR code height\u003e\u0026cht=qr\u0026chld=\u003cerror\r\ncorrection level\u003e\u0026chl=\u003clink to the application\u003e\r\nThe obtained QR code is then shown in a window with the following text:\r\nBizarro asking the user to scan the QR code\r\nAttack scenario\r\nWith the help of the commands that the Bizarro developers have included in the Trojan, adversaries may stage an\r\nattack with the following scenario:\r\nInfection scheme used by Bizarro\r\nAccording to the list of supported banks, the threat actor behind Bizarro is targeting clients of various banks from\r\nEurope and South America. Based on our telemetry, we’ve seen victims of Bizarro in different countries,\r\nincluding Brazil, Argentina, Chile, Germany, Spain, Portugal, France and Italy. These statistics again prove the\r\nfact that Bizarro’s operators have expanded their interest from Brazil to other countries in South America and\r\nEurope.\r\nDistribution of Bizarro detections in the last 12 months\r\nConclusion\r\nWe’ve recently seen several banking Trojans from South America (such as Guildma, Javali, Melcoz, Grandoreiro\r\nand Amavaldo) expanding their operations to other regions, mainly Europe. Bizarro is yet another example of this.\r\nThe threat actors behind this campaign are adopting various technical methods to complicate malware analysis\r\nand detection, as well as social engineering tricks that can help convince victims to provide personal data related\r\nto their online banking accounts.\r\nKaspersky products detect this family as Trojan-Banker.Win32.Bizarro or Trojan-Banker.Win64.Bizarro. 
All\r\nthe details, IoCs, MITRE ATT\u0026CK Framework data, Yara rules and hashes relating to this threat are available to\r\nusers of our Financial Threat Intel services. To learn more about threat hunting and malware analysis from\r\nKaspersky’s GReAT experts, check out http://xtraining.kaspersky.com\r\nIndicators of compromise\r\nReference MD5 hashes\r\ne6c337d504b2d7d80d706899d964ab45\r\ndaf028ddae0edbd3d7946bb26cf05fbf\r\n5184776f72962859b704f7cc370460ea\r\n73472698fe41df730682977c8e751a3e\r\n7a1ce2f8f714367f92a31da1519a3de3\r\n0403d605e6418cbdf8e946736d1497ad\r\nd6e4236aaade8c90366966d59e735568\r\na083d5ff976347f1cd5ba1d9e3a7a4b3\r\nb0d0990beefa11c9a78c701e2aa46f87\r\n38003677bfaa1c6729f7fa00da5c9109\r\nSource: https://securelist.com/bizarro-banking-trojan-expands-its-attacks-to-europe/102258/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia",
		"ETDA"
	],
	"references": [
		"https://securelist.com/bizarro-banking-trojan-expands-its-attacks-to-europe/102258/"
	],
	"report_names": [
		"102258"
	],
	"threat_actors": [],
	"ts_created_at": 1775434892,
	"ts_updated_at": 1775791303,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/914c3ef33fdda6d446a5dddf550c866d815b5963.pdf",
		"text": "https://archive.orkl.eu/914c3ef33fdda6d446a5dddf550c866d815b5963.txt",
		"img": "https://archive.orkl.eu/914c3ef33fdda6d446a5dddf550c866d815b5963.jpg"
	}
}