
Brazilian Banking Trojan Ousaban Aims at Spain and Portugal


Enhanced Threat: Banking Trojan Ousaban Targets Spain and Portugal

A sophisticated banking trojan, known as Ousaban, has recently transitioned from targeting individuals in Brazil to focusing on banking customers in Spain and Portugal. This shift marks a significant evolution in the way this malware operates, employing advanced techniques like phishing PDFs, steganography, and geofencing to evade security measures and remain hidden from cybersecurity researchers.

According to a detailed analysis conducted by Fortinet’s FortiGuard Labs, the malware has been actively targeting users in both countries since May 2026. This retooled version of Ousaban belongs to the same lineage as the infamous Casbaneiro trojan that has plagued Latin America, but it has been equipped with additional layers of evasion, making it more sophisticated and dangerous.

The Mechanics of the Attack

The initial phase of the attack begins with a phishing PDF designed to mislead victims into believing they are interacting with a legitimate file. Once the victim clicks on an "Update" button within the PDF, they are redirected to a compromised webpage designed to resemble a government tax portal. This webpage serves as a screening mechanism, analyzing each visitor’s details to identify users based in Spain or Portugal before proceeding with the malicious actions.

To ensure that only the targeted victims are compromised, the webpage conducts a server-side check that examines various factors, including language preferences, time zones, and IP addresses. Notably, it blocks VPN connections to thwart anonymity, while also screening out sandbox environments used by security analysts. This meticulous vetting process helps the trojan maintain its effectiveness by filtering out unwanted traffic.

Victims who successfully pass this initial screening are then targeted with a script that downloads an image created to mimic a PDF icon. This image cleverly conceals an appended archive containing the Ousaban payload, utilizing steganography to hide its true intent. Li Zhao, a consultant at application security firm Black Duck, noted, "Ousaban is not a fundamentally new type of attack, but rather a highly optimized evolution of traditional, decade-old Latin American banking trojan strategies." Zhao highlighted that the malware is written in Delphi and utilizes a 2008-era encryption method.
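The delivery trick described above, an archive appended behind a valid-looking image, leaves a measurable artifact: bytes after the point where the image format says the file ends. The following added example (not code from Fortinet's report or the article) walks the PNG chunk list or the JPEG marker segments to find that end and reports any trailing data and whether it begins with a known archive signature; the sample files are constructed inline.

```python
import struct
import zlib

PNG_SIG = b"\x89PNG\r\n\x1a\n"
# Magic bytes of archive formats commonly appended to images (constructed list).
ARCHIVE_MAGIC = {b"PK\x03\x04": "zip", b"Rar!\x1a\x07": "rar", b"7z\xbc\xaf\x27\x1c": "7z"}

def png_image_end(data):
    """Walk PNG chunks; return the offset just past IEND's CRC, or None if malformed."""
    pos = len(PNG_SIG)
    while data.startswith(PNG_SIG) and pos + 8 <= len(data):
        length, ctype = struct.unpack(">I4s", data[pos:pos + 8])
        pos += 12 + length          # 4 length + 4 type + data + 4 CRC
        if ctype == b"IEND":
            return pos
    return None

def jpeg_image_end(data):
    """Parse JPEG marker segments up to SOS, then return the offset just past EOI."""
    pos = 2
    while data.startswith(b"\xff\xd8") and pos + 4 <= len(data) and data[pos] == 0xFF:
        seg_len = struct.unpack(">H", data[pos + 2:pos + 4])[0]
        if data[pos + 1] == 0xDA:   # SOS: FFD9 cannot occur inside entropy-coded data,
            eoi = data.find(b"\xff\xd9", pos + 2 + seg_len)   # so the next one is EOI
            return None if eoi < 0 else eoi + 2
        pos += 2 + seg_len          # skip APPn/EXIF (may embed a thumbnail JPEG), DQT, SOF...
    return None

def trailing_payload(data):
    """Return (trailing_bytes, archive_label) if data follows a complete image, else None."""
    end = png_image_end(data) if data.startswith(PNG_SIG) else jpeg_image_end(data)
    if end is None or end >= len(data):
        return None
    tail = data[end:]
    label = next((n for m, n in ARCHIVE_MAGIC.items() if tail.startswith(m)), "unknown")
    return tail, label

def _chunk(ctype, payload):   # helper to build the constructed PNG sample
    return struct.pack(">I", len(payload)) + ctype + payload + struct.pack(">I", zlib.crc32(ctype + payload))

# Constructed samples: a 1x1 PNG skeleton, a minimal JPEG skeleton, and the PNG with an appended archive.
CLEAN_PNG = PNG_SIG + _chunk(b"IHDR", struct.pack(">IIBBBBB", 1, 1, 8, 0, 0, 0, 0)) + _chunk(b"IEND", b"")
CLEAN_JPEG = (b"\xff\xd8" + b"\xff\xe0\x00\x10JFIF\x00\x01\x01\x00\x00\x01\x00\x01\x00\x00"
              + b"\xff\xda\x00\x08\x01\x01\x00\x00\x3f\x00" + b"\x00\x12" + b"\xff\xd9")
STEGO_PNG = CLEAN_PNG + b"PK\x03\x04" + b"<constructed archive bytes>"
if __name__ == "__main__":
    for name, blob in (("clean.png", CLEAN_PNG), ("icon.png", STEGO_PNG)):
        hit = trailing_payload(blob)
        print(name, "clean" if hit is None else f"{len(hit[0])} trailing bytes, looks like {hit[1]}")
```

Run over files fetched from a suspicious page, a non-empty result is a cheap triage signal even when the trailing bytes are encrypted and carry no recognizable magic.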

Tracking Financial Credentials

Once Ousaban is executed on a victim’s device, it closely monitors for logins to various targeted banking services. Among the institutions scrutinized are prominent banks such as Santander, BBVA, CaixaBank, Revolut, and Caixa Geral de Depósitos. When Ousaban detects that a user has opened their online banking application, it activates a toolkit equipped with several malicious capabilities, including screenshot capture, keylogging, clipboard injection, and remote control functionalities. To further deceive victims, the trojan presents fake banking screens, tricking users into providing their sensitive financial information.

What sets Ousaban apart from other malware is its innovative approach to communication with its command server. Instead of relying on a static domain, FortiGuard identified that Ousaban resolves a domain name that changes daily. This domain is derived from a hash reflecting the current date, notably pulled from a Google error page. Additionally, Ousaban employs a decoy link pointing to a private IP on Pastebin, which serves to mislead and confuse security analysts attempting to trace the malware’s origins.

Jason Soroko, a senior fellow at certificate-management firm Sectigo, emphasized the significant challenge posed by geofenced malware, which can appear invisible to those outside of the targeted regions. He advised cybersecurity teams to correlate logs from endpoints, email, DNS, and proxy servers rather than relying solely on results from sandbox tests, which may not fully capture the malware’s capabilities.

The Ongoing Threat Landscape

As per Fortinet’s own telemetry data, this campaign is still active, with Ousaban’s credential theft tactics focused on perpetrating bank fraud. With its advanced techniques and the ability to adapt and evade traditional cybersecurity measures, Ousaban represents a growing threat to individuals and financial institutions alike in Spain and Portugal.

In summary, Ousaban’s maturation into a sophisticated banking trojan highlights the continuing evolution of cyber threats, requiring increased vigilance and improved security measures from both individuals and organizations. The malware’s success relies on its sophisticated methodologies and understanding of its targeted environments, necessitating a reassessment of how security is approached in financial transactions and online banking. As the campaign remains live, the urgency for enhanced cybersecurity practices has never been more paramount.
