Fortinet's FortiGuard Labs identified a new banking trojan campaign targeting Spanish and Portuguese bank customers. The malware, called Ousaban, originates from Brazil and primarily affects Windows users.
The attack chain begins with phishing emails carrying PDF attachments that masquerade as corrupted files. When opened, the PDF triggers a reconnaissance stage that checks the victim's geographic location, and the trojan proceeds only if that check places the machine in Spain or Portugal. This geofencing keeps the payload away from sandboxes, researchers and security vendors outside the target region, which delays detection and signature coverage.
Ousaban uses steganography to conceal its payload: the trojan code is hidden inside image files, so the files pass the initial inspection of email gateways and endpoint protection as ordinary images. Once the payload is extracted and executed, the trojan turns to credential theft, monitoring banking sessions, capturing login credentials and harvesting other financial data from the compromised machine.
The campaign relies on social engineering to maximize infection rates. Recipients who believe they have received a corrupted document are more likely to open the attachment or follow its embedded instructions to recover it. The lure trades on the trust users place in their banks and payment processors.
Banks operating in the Iberian Peninsula should warn customers about PDF attachments that claim to come from a financial institution. Users should verify unexpected emails through official banking channels before opening any attachment. Organizations handling customer banking relationships should add email filtering rules that scrutinize PDFs from untrusted sources, and should treat image attachments as potential carriers: a steganographic payload looks like a valid image, so the check has to look for data that does not belong to the image format rather than for an executable signature.
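The following is an added example, not code from the article or from FortiGuard Labs: a small triage scanner of the kind the PDF filtering rule above would call. It flags the features that turn a PDF from a document into a launcher (auto-run actions, JavaScript, external launches, embedded files) and undoes the hex-escaped name trick (/J#61vaScript) that lures use to evade naive keyword scans. The article does not state which PDF features Ousaban's lures use, so the keyword list is a general one, and the three sample PDFs are constructed here for the demonstration.

```python
import re

# Constructed samples (not real Ousaban lures). SUSPICIOUS_PDF auto-runs JavaScript
# from its /OpenAction as soon as it is opened; BENIGN_PDF has no active content.
SUSPICIOUS_PDF = b"""%PDF-1.4
1 0 obj
<< /Type /Catalog /Pages 2 0 R /OpenAction 3 0 R >>
endobj
2 0 obj
<< /Type /Pages /Kids [] /Count 0 >>
endobj
3 0 obj
<< /S /JavaScript /JS (app.launchURL("http://example.invalid/lure", true);) >>
endobj
trailer
<< /Root 1 0 R >>
%%EOF
"""
BENIGN_PDF = b"""%PDF-1.4
1 0 obj
<< /Type /Catalog /Pages 2 0 R >>
endobj
2 0 obj
<< /Type /Pages /Kids [] /Count 0 >>
endobj
trailer
<< /Root 1 0 R >>
%%EOF
"""
# Same lure with the trigger names hex-escaped to dodge a plain keyword scan.
OBFUSCATED_PDF = SUSPICIOUS_PDF.replace(b"/JavaScript", b"/J#61vaScript") \
                               .replace(b"/OpenAction", b"/Open#41ction")

# PDF names may contain #xx hex escapes; normalize them before matching.
NAME_ESCAPE = re.compile(rb"#([0-9A-Fa-f]{2})")

def normalize_names(data: bytes) -> bytes:
    return NAME_ESCAPE.sub(lambda m: bytes([int(m.group(1), 16)]), data)

# Features that let a PDF act rather than merely display. /ObjStm is listed because
# object streams are compressed, so keys inside them are invisible to a byte scan.
RISKY_KEYS = {
    b"/JavaScript": "embedded JavaScript",
    b"/JS": "JavaScript action",
    b"/OpenAction": "action runs automatically on open",
    b"/AA": "additional (event-triggered) actions",
    b"/Launch": "launches an external program or file",
    b"/URI": "contains a clickable URL",
    b"/EmbeddedFile": "carries an embedded file",
    b"/RichMedia": "rich-media content",
    b"/ObjStm": "object streams present: content may be compressed and hidden from this scan",
}

def verdict(findings: dict) -> str:
    keys = set(findings)
    auto_trigger = keys & {"/OpenAction", "/AA"}
    active = keys & {"/JavaScript", "/JS", "/Launch"}
    if auto_trigger and active:
        return "block"        # runs code or programs as soon as the file is opened
    if active or "/EmbeddedFile" in keys:
        return "quarantine"   # needs a click, but can still execute or drop files
    if keys:
        return "review"       # URLs, rich media, or hidden object streams
    return "allow"

def scan_pdf(data: bytes) -> dict:
    if not data.startswith(b"%PDF-"):
        return {"is_pdf": False, "findings": {}, "verdict": "not-a-pdf"}
    text = normalize_names(data)
    findings = {}
    for key, why in RISKY_KEYS.items():
        # Whole-token match so that /JS does not also hit longer names.
        hits = len(re.findall(re.escape(key) + rb"(?![A-Za-z0-9])", text))
        if hits:
            findings[key.decode()] = {"count": hits, "why": why}
    return {"is_pdf": True, "findings": findings, "verdict": verdict(findings)}

if __name__ == "__main__":
    for name, sample in [("suspicious", SUSPICIOUS_PDF), ("obfuscated", OBFUSCATED_PDF),
                         ("benign", BENIGN_PDF)]:
        print(name, scan_pdf(sample)["verdict"])
```

A byte scan like this is a first filter, not a parser: a "/ObjStm" finding means the document's objects are compressed and the file should be handed to a real PDF parser that inflates object streams before a verdict is given.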
Endpoint detection and response tools benefit from behavioral detections for Ousaban's reconnaissance stage and for its extraction of the payload from image files, rather than file-hash signatures alone, since a geofenced payload is rarely collected outside the target region. Analysis environments that do not appear to be in Spain or Portugal never receive the second stage, so detonation should happen in an environment that passes the same location check. Network segmentation limits the damage if a user machine is infected, preventing lateral movement toward systems holding sensitive customer data or banking credentials.
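An added example, not part of the article or of Fortinet's analysis, of the kind of check an EDR or gateway can run on image attachments: it walks the PNG chunk list or the JPEG segment list to the format's real end marker and reports anything appended after it, along with the entropy of that tail and any recognizable file magic. The article does not say how Ousaban embeds its code in images; this assumes the appended-payload variant, which is the cheapest carrier to build and to detect (bit-level LSB embedding would need a different, statistical check). The sample images and payloads are constructed inline.

```python
import math
import struct
import zlib

PNG_SIG = b"\x89PNG\r\n\x1a\n"

def png_end_offset(data: bytes):
    """Walk PNG chunks; return the offset just past IEND, or None if malformed."""
    if not data.startswith(PNG_SIG):
        return None
    pos = len(PNG_SIG)
    while pos + 8 <= len(data):
        length, ctype = struct.unpack(">I4s", data[pos:pos + 8])
        pos += 8 + length + 4                    # header + payload + CRC
        if ctype == b"IEND":
            return pos if pos <= len(data) else None
    return None

def jpeg_end_offset(data: bytes):
    """Walk JPEG segments, including entropy-coded scan data; return offset past EOI."""
    if not data.startswith(b"\xff\xd8"):
        return None
    pos, n = 2, len(data)
    while pos + 2 <= n:
        if data[pos] != 0xFF:
            return None
        marker = data[pos + 1]
        if marker == 0xD9:                       # EOI
            return pos + 2
        if marker == 0xFF:                       # fill byte
            pos += 1
            continue
        if marker == 0x01 or 0xD0 <= marker <= 0xD7:   # TEM / RSTn carry no length
            pos += 2
            continue
        if pos + 4 > n:
            return None
        pos += 2 + struct.unpack(">H", data[pos + 2:pos + 4])[0]
        if marker == 0xDA:                       # SOS: skip entropy-coded data
            while pos + 1 < n and not (data[pos] == 0xFF and data[pos + 1] != 0x00
                                       and not 0xD0 <= data[pos + 1] <= 0xD7):
                pos += 1
    return None

KNOWN_MAGIC = {b"MZ": "PE executable", b"PK\x03\x04": "ZIP archive",
               b"MSCF": "CAB archive", b"7z\xbc\xaf\x27\x1c": "7-Zip archive"}

def shannon_entropy(buf: bytes) -> float:
    """Bits per byte; values near 8 suggest compressed or encrypted content."""
    if not buf:
        return 0.0
    counts = [0] * 256
    for b in buf:
        counts[b] += 1
    n = len(buf)
    return -sum(c / n * math.log2(c / n) for c in counts if c)

def inspect_image(data: bytes) -> dict:
    if data.startswith(PNG_SIG):
        fmt, end = "png", png_end_offset(data)
    elif data.startswith(b"\xff\xd8"):
        fmt, end = "jpeg", jpeg_end_offset(data)
    else:
        return {"format": None, "verdict": "not-an-image"}
    if end is None:
        return {"format": fmt, "verdict": "malformed"}
    tail = data[end:]
    hint = next((name for magic, name in KNOWN_MAGIC.items() if tail.startswith(magic)), None)
    return {"format": fmt, "image_end": end, "trailing_bytes": len(tail),
            "trailing_entropy": round(shannon_entropy(tail), 2), "trailing_magic": hint,
            "verdict": "appended-payload" if tail else "clean"}

# Constructed samples: a valid 1x1 PNG and a minimal JPEG, each with and without a tail.
def _chunk(ctype: bytes, payload: bytes) -> bytes:
    crc = zlib.crc32(ctype + payload) & 0xFFFFFFFF
    return struct.pack(">I", len(payload)) + ctype + payload + struct.pack(">I", crc)

TINY_PNG = (PNG_SIG
            + _chunk(b"IHDR", struct.pack(">IIBBBBB", 1, 1, 8, 0, 0, 0, 0))
            + _chunk(b"IDAT", zlib.compress(b"\x00\x00"))
            + _chunk(b"IEND", b""))
TINY_JPEG = (b"\xff\xd8"                                              # SOI
             + b"\xff\xe0\x00\x10JFIF\x00\x01\x01\x00\x00\x01\x00\x01\x00\x00"  # APP0
             + b"\xff\xda\x00\x08\x01\x01\x00\x00\x3f\x00"             # SOS header
             + b"\x12\xff\x00\x34"                                     # scan data, with FF00 stuffing
             + b"\xff\xd9")                                            # EOI
CARRIER_PNG = TINY_PNG + b"MZ" + bytes(range(256))       # stand-in for an appended executable
CARRIER_JPEG = TINY_JPEG + b"PK\x03\x04" + b"\x00" * 16  # stand-in for an appended archive

if __name__ == "__main__":
    for name, img in [("png", TINY_PNG), ("jpeg", TINY_JPEG),
                      ("carrier png", CARRIER_PNG), ("carrier jpeg", CARRIER_JPEG)]:
        print(name, inspect_image(img))
```

Walking to the true end marker matters: a naive search for the first FFD9 in a JPEG can stop early at an embedded EXIF thumbnail, and a truncated chunk list is itself worth flagging rather than treating as clean.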
The geographic targeting suggests the attackers maintain infrastructure specifically tuned for the Iberian market. Security teams monitoring banking trojans should track
