A sophisticated cyberattack campaign is currently targeting banking customers in Spain and Portugal, using malware known as Ousaban. This Brazilian banking trojan employs deceptive PDF files and advanced evasion techniques to infiltrate Windows systems and steal sensitive financial information.
The attack initiates when a user opens a phishing PDF that appears to be a corrupted document. The file prompts the user to click an “Atualizar” (Update) button, which redirects them to a malicious webpage masquerading as a legitimate tax document portal. This webpage conducts a series of checks to confirm the user’s location within Spain or Portugal, effectively geofencing the attack to these regions.
Once the location is verified, the webpage delivers a Visual Basic Script (VBS) downloader. This script retrieves an image file that, through steganography, conceals a ZIP archive containing the Ousaban payload. The malware is then extracted and executed, establishing persistence on the system by creating a registry entry named “Financeiro,” the Portuguese term for “finance.”
Upon installation, Ousaban remains dormant until the user accesses one of over two dozen targeted banking websites, including major institutions like Banco Santander, BBVA, CaixaBank, Bankinter, and Caixa Geral de Depósitos. At this point, the malware activates to capture screenshots, log keystrokes, manipulate clipboard data, and display fraudulent on-screen messages, all aimed at facilitating unauthorized access to the user’s banking accounts.
To evade detection and complicate mitigation efforts, Ousaban’s operators employ a dynamic command-and-control infrastructure. The malware generates daily-changing server addresses based on the current date and a predefined secret, ensuring that the control servers are constantly shifting and difficult to track.
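The date-seeded addressing described above, as an added illustration that is not Ousaban's actual algorithm and not code from the original article: a hypothetical daily DGA (SHA-256 over the date and an assumed seed) alongside the defender-side steps of precomputing upcoming domains for blocking or sinkholing and matching them against constructed DNS resolver log lines. The seed, the `.example` suffix, the log format and the log lines are all constructed assumptions.

```python
import hashlib
from datetime import date, timedelta

# Hypothetical daily DGA for illustration; NOT Ousaban's real scheme.
# The secret stands in for a seed an analyst would recover from a sample.
ASSUMED_SECRET = b"constructed-seed-for-illustration"
TLD = ".example"  # placeholder suffix, not a real C2 TLD


def dga_domain(day: date, secret: bytes = ASSUMED_SECRET) -> str:
    """Derive the hostname for one calendar day from SHA-256(date || secret)."""
    digest = hashlib.sha256(day.isoformat().encode() + secret).hexdigest()
    return f"{digest[:12]}{TLD}"  # first 12 hex chars as the label


def precompute_blocklist(start: date, days: int, secret: bytes = ASSUMED_SECRET) -> dict:
    """Map each domain for the next `days` days to its activation date,
    so they can be pushed to a blocklist or sinkhole ahead of time."""
    return {dga_domain(start + timedelta(d), secret): start + timedelta(d)
            for d in range(days)}


def flag_dns_queries(log_lines, blocklist):
    """Return (line_no, qname, activation_date) for every query whose
    name is one of the precomputed DGA domains."""
    hits = []
    for no, line in enumerate(log_lines, 1):
        fields = line.split()  # "<timestamp> <client-ip> <qname> <qtype>"
        if len(fields) < 4:
            continue  # malformed or truncated line
        qname = fields[2].rstrip(".").lower()
        if qname in blocklist:
            hits.append((no, qname, blocklist[qname]))
    return hits


START = date(2024, 5, 3)  # constructed reference date
BLOCKLIST = precompute_blocklist(START, 7)

# Constructed resolver log lines; the second one queries the day's DGA domain.
SAMPLE_DNS_LOG = [
    "2024-05-03T09:58:01Z 10.0.0.5 mail.corp.test A",
    f"2024-05-03T09:58:07Z 10.0.0.5 {dga_domain(START)}. A",
    "2024-05-03T09:58:09Z 10.0.0.7 updates.corp.test A",
]

if __name__ == "__main__":
    for no, qname, when in flag_dns_queries(SAMPLE_DNS_LOG, BLOCKLIST):
        print(f"line {no}: {qname} (DGA domain for {when})")
```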
Ousaban is part of a group of Brazilian banking trojans, often referred to as the “Tetrade,” which includes Grandoreiro, Guildma, and Melcoz. These malware families have evolved to target users beyond Brazil, extending their reach to Spain and Portugal by adopting sophisticated evasion tactics and sharing code among themselves.
To protect against such threats, users should exercise caution when encountering unexpected PDF files, especially those claiming to be corrupted or requiring updates. It’s crucial to avoid clicking on prompts within these documents and to be wary of unsolicited emails containing attachments or links to unfamiliar websites. Additionally, keeping operating systems and security software up to date can provide an added layer of defense against such malware.
The resurgence of Ousaban underscores the adaptability of cybercriminals and the importance of continuous vigilance. As these threats become more sophisticated, both individuals and organizations must stay informed about emerging attack vectors and implement robust security measures to safeguard sensitive information.