LIVE · cybersecurity feed
banking trojanhigh

Analysis of Ongoing Ousaban Attacks Targeting the Iberian Peninsula

zeroday.news·7d ago

Researchers have observed a new campaign by the banking Trojan Ousaban, which is actively targeting users in Spain and Portugal. This malware, previously known for its activity in Brazil, is being distributed via a sophisticated phishing scheme that employs geofencing and environmental checks to limit its reach.

The attack begins with a phishing PDF file disguised as corrupted data. This PDF contains deceptive messages prompting users to update the file, leading them to a malicious webpage. The PDF also incorporates JavaScript, which is hex-escaped to evade detection, to display an error message and direct the user to this same webpage.

The malicious webpage acts as a gatekeeper, masquerading as a source for tax documents or system installers. It performs rigorous checks on the user's environment, including IP address, device data, language, and time zone, to ensure the target is within Spain or Portugal. To further prevent circumvention, the page also blocks VPN IP addresses and employs anti-analysis techniques to identify and block automated tools like sandboxes and crawlers by examining browser characteristics.

If a user passes these environmental checks, the webpage downloads a VBS file. This script then downloads a steganographic image that appears to be a PDF icon. The VBS script extracts a ZIP file from this image, which contains the Ousaban payload. Both the image and the ZIP archive are placed in the temporary folder, and the payload is dropped to a specific directory on the victim's system. The script then deletes the temporary files to minimize its footprint.

Once executed, Ousaban establishes persistence by creating a registry value named "Financeiro" (Finance). It also creates an empty file named "maisum.dat," using its creation time as an installation timestamp. The malware then decrypts a list of bank-related strings, which are used to detect when a victim accesses specific banking services. The encryption algorithm used is a custom method common among Latin American banking Trojans, including Casbaneiro.

In this campaign, Ousaban decrypts a Pastebin link that points to configuration data containing a private IP address. However, this Pastebin link appears to be a decoy. The actual command and control (C2) IP address is obtained by resolving a hostname that changes daily. This hostname is part of a dynamically managed domain, with subdomains constructed from a hard-coded string and an MD5 hash derived from a combination of another hard-coded string and the current date. The malware obtains the current date by accessing Google's Automated Queries page.

The communication between Ousaban and the C2 server is largely encrypted using the same custom algorithm. Basic commands include requests for user information, assigning victim IDs, heartbeat signals, screen resolution retrieval, and initiating screenshot capture and remote control capabilities. When the `#Iniciar#` command is received, Ousaban begins capturing screenshots and prepares for further actions like mouse and keyboard control, clipboard injection, keylogging, and generating deceptive messages to trick the victim.

Researchers note that the threat actor is continuously evolving their malware delivery methods. The use of geofencing and environmental checks in this campaign aims to limit exposure to a specific target audience. The reliance on daily changing domains for C2 access and the use of a decoy Pastebin post are further indicators of the actor's efforts to obscure their operations.

banking trojanmalwarephishingcyberespionagecommand and control
← Back to latest

More News

view all →
zeroday.news · 3h ago·high

China-Linked APT Expands Arsenal With New ‘Leash’ Backdoors

A China-linked advanced persistent threat (APT) group, identified as LapDogs, has reportedly enhanced its malicious toolkit. Security researchers have observed the deployment of three new backdoors: LongLeash, DogLeash, and JarLeash, which are designed to compromise small office/home office (SOHO) routers.

zeroday.news · 3h ago·high

RedWing Android Spyware Sold as a Service on Telegram

A new Android spyware called RedWing is being offered as a service on Telegram, allowing less sophisticated attackers to compromise phones and steal banking information. Researchers have identified it as a polished malware-as-a-service operation with extensive documentation and a subscription model, potentially linked to Russian threat actors. RedWing employs fake login overlays, SMS interception, call forwarding, and even screen control to harvest credentials and conduct further malicious activities.

zeroday.news · 3h ago·high

Operationalizing Day Minus Seven: The Cloud-Native ROC

The article introduces the concept of a Risk Operations Center (ROC) as a necessary evolution for cybersecurity teams facing AI-driven threats. It argues that traditional risk management models are insufficient due to the speed at which AI can discover and exploit vulnerabilities, especially in cloud environments. A ROC, powered by platforms like Qualys Enterprise TruRisk Management (ETM), aims to unify disparate security findings, hyper-prioritize risks based on exploitability and business impact, and enable autonomous remediation to keep pace with attackers.

zeroday.news · 4h ago·critical

Ubiquiti Patches Critical UniFi Flaws Across Connect, Talk, Access, Protect, and OS

Ubiquiti has released security updates to address several critical vulnerabilities affecting its UniFi product line, including UniFi Connect, Talk, Access, Protect, and OS. These flaws could allow attackers to escalate privileges or execute arbitrary commands on affected devices. While no active exploitation has been reported for these specific vulnerabilities, the company has previously seen its UniFi OS and Edge OS products targeted by threat actors.

zeroday.news · 4h ago·high

Armored Likho Hits Government, Energy Sectors With BusySnake Stealer

Cybersecurity researchers have identified a new threat actor, dubbed Armored Likho, targeting government and energy sectors in Russia, Kazakhstan, and Brazil with a sophisticated phishing campaign. The operation utilizes a custom-built Python infostealer named BusySnake, designed to steal credentials, sensitive documents, and other high-value data. The attackers employ AI-generated payloads to obscure their activities and maintain persistence through various methods, including reverse SSH tunneling.

zeroday.news · 4h ago·critical

Attackers using Langflow flaw for credential harvesting (CVE-2026-55255)

CISA has issued a warning regarding a critical vulnerability (CVE-2026-55255) in the Langflow AI framework, which is being actively exploited by attackers. The flaw allows authenticated users to execute arbitrary flows belonging to other users, potentially leading to the theft of sensitive credentials and data exposure, especially in multi-tenant environments. US federal agencies have been mandated to patch this vulnerability by July 10th.