banking trojan

ClickFix to Cash-Out: Anatomy of a Mexican Banking-Fraud Toolkit
A sophisticated banking fraud operation, dubbed REF6045, utilizes a PowerShell toolkit named SCMBANKER, delivered via fake CAPTCHA pages. Unlike automated attacks, this operation is manually controlled, allowing operators to monitor victim banking sessions, deploy fake warnings, and manipulate browser activity. The toolkit also facilitates the installation of commercial remote access tools for full system takeover. Researchers discovered the operation through exposed directories and archives, revealing the use of AI-generated scripts and operator misconfigurations.

Analysis of Ongoing Ousaban Attacks Targeting the Iberian Peninsula
Cybersecurity researchers have identified a new campaign by the banking Trojan Ousaban, primarily targeting users in Spain and Portugal. The malware, previously active in Brazil, is distributed via a sophisticated phishing PDF that leads victims to a malicious webpage. This page employs environmental and geo-fencing checks to ensure only intended targets download the payload, which includes a VBS script and the Ousaban executable. The Trojan then establishes persistence, decrypts banking-related strings using a custom algorithm, and communicates with command-and-control servers through dynamically generated hostnames.