CamuBot is a banking trojan disguised as a security application, using a stolen bank logo and brand imaging. The actors behind the trojan locate businesses that bank with a certain financial institution and call the person at that business who would likely have access to the business's online banking credentials. The caller pretends to be an employee of the financial institution and asks the victim to visit a website that tells the victim their software is out of date. The caller convinces the victim to fix the problem by downloading and installing a new module, which actually gives the perpetrator administrative privileges. The trojan bypasses antivirus and firewall detection by adding itself to a list of approved programs. CamuBot establishes a two-way communication tunnel with the victim device, allowing the actor to use the victim's IP address when accessing the compromised bank account. The trojan launches a fake website spoofing the targeted bank's site and, through phishing, convinces the victim to log in with their credentials.

Attacks using CamuBot appear to be highly targeted and, as of this writing, are aimed at businesses in Brazil.

Technical Details and Reporting

  • IBM X-Force provides technical details on the CamuBot trojan here.