
IBM researchers found UnregStealer malware that poses as a Chrome extension and uses a live operator to steal banking credentials in real time. The threat could expand beyond Latin America.
IBM uncovered a banking trojan that evades standard detection tools. The malware, called UnregStealer, poses as a Chrome browser extension and targets Latin American financial institutions. Senior threat researcher Itzhak Chimino said the trojan is "well-camouflaged" and nearly invisible to sandbox and behavioral detection systems.
Users are tricked into running the malware by a fake security warning. The warning claims the browser needs a mandatory SSL certificate update. Chimino said no such requirement exists – the certificate is fabricated, and the warning is a cover story to get the victim to execute the file.
Once installed, UnregStealer runs a script each time the victim opens a browser. The script checks whether the visited site matches one of the targeted banking portals. If it does, the malware steals the session cookies for that site, and as the user clicks into form fields and types, it captures passwords, one-time codes, and account numbers.
What makes this campaign different from typical automated malware is the human operator. Chimino said the operator watches each victim session live and manually triggers the data theft. Because the theft logic only fires when the operator chooses, an automated sandbox or behavioral detection tool, which runs the sample for a few minutes with no real victim session to watch, never sees the payload activate.
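An extension that behaves as described above needs a specific set of manifest capabilities: a content script whose match patterns cover the targeted banking portals, plus the `cookies` permission to read session cookies. The following Python auditor, added here as an illustration and not code from IBM's report or the malware itself, parses an extension manifest and flags that combination. The two sample manifests and the watched bank URLs are constructed placeholders; the match-pattern logic is a simplified version of Chrome's (it ignores the query string and port).

```python
import json
import re
from urllib.parse import urlparse

# Constructed placeholder URLs for the portals a defender wants to watch.
# These are not real banks and are not from the IBM report.
WATCH_URLS = [
    "https://online.examplebank.test/login",
    "https://secure.otherbank.test/auth",
]

# Constructed manifest modelled on the capabilities described in the article:
# run a script on every page, read cookies, hook input before page scripts.
SUSPICIOUS_MANIFEST = json.dumps({
    "manifest_version": 3,
    "name": "Certificate Update Helper",
    "version": "1.0",
    "permissions": ["cookies", "storage", "webRequest"],
    "host_permissions": ["<all_urls>"],
    "content_scripts": [{"matches": ["<all_urls>"], "js": ["inject.js"],
                         "run_at": "document_start"}],
    "background": {"service_worker": "bg.js"},
})

# Constructed benign manifest: narrow host scope, no cookie access.
BENIGN_MANIFEST = json.dumps({
    "manifest_version": 3,
    "name": "Dark Mode Toggle",
    "version": "2.1",
    "permissions": ["storage"],
    "content_scripts": [{"matches": ["https://example.com/*"], "js": ["style.js"]}],
})

BROAD_PREFIXES = ("*://*/", "http://*/", "https://*/")


def pattern_covers(pattern: str, url: str) -> bool:
    """Return True if a Chrome match pattern (scheme://host/path) covers url.

    Handles <all_urls>, a '*' scheme (http or https), a '*' host, a
    '*.example.com' host (the domain and its subdomains) and '*' in the path.
    Simplification: query string and port are ignored.
    """
    if pattern == "<all_urls>":
        return True
    scheme_part, _, rest = pattern.partition("://")
    if not rest or "/" not in rest:
        return False
    host_part, _, path_part = rest.partition("/")
    path_part = "/" + path_part
    u = urlparse(url)
    if scheme_part == "*":
        if u.scheme not in ("http", "https"):
            return False
    elif scheme_part != u.scheme:
        return False
    host = u.hostname or ""
    if host_part == "*":
        pass
    elif host_part.startswith("*."):
        base = host_part[2:]
        if host != base and not host.endswith("." + base):
            return False
    elif host_part != host:
        return False
    # Only '*' is a wildcard in match-pattern paths; escape everything else.
    path_re = "^" + ".*".join(re.escape(p) for p in path_part.split("*")) + "$"
    return re.match(path_re, u.path or "/") is not None


def audit_manifest(manifest_text: str, watch_urls) -> dict:
    """Flag the capabilities needed to read cookies and hook forms on watch_urls."""
    m = json.loads(manifest_text)
    perms = set(m.get("permissions", [])) | set(m.get("optional_permissions", []))
    hosts = list(m.get("host_permissions", []))
    if m.get("manifest_version", 2) < 3:
        # Manifest v2 kept host patterns inside "permissions".
        hosts += [p for p in perms if "://" in p or p == "<all_urls>"]
    scripts = m.get("content_scripts", [])
    script_patterns = [pat for cs in scripts for pat in cs.get("matches", [])]
    findings = []
    if "cookies" in perms:
        findings.append("'cookies' permission: can read session cookies via chrome.cookies")
    broad = sorted({p for p in hosts + script_patterns
                    if p == "<all_urls>" or p.startswith(BROAD_PREFIXES)})
    if broad:
        findings.append(f"broad host access: {broad}")
    covered = {url: [p for p in script_patterns if pattern_covers(p, url)]
               for url in watch_urls}
    covered = {url: pats for url, pats in covered.items() if pats}
    if covered:
        findings.append(f"content script runs on watched sites: {sorted(covered)}")
    if any(cs.get("run_at") == "document_start" for cs in scripts):
        findings.append("content script at document_start: can hook inputs before page scripts")
    if "cookies" in perms and covered:
        risk = "high"
    elif covered or broad:
        risk = "medium"
    else:
        risk = "low"
    return {"name": m.get("name"), "risk": risk, "findings": findings, "covered": covered}


if __name__ == "__main__":
    for text in (SUSPICIOUS_MANIFEST, BENIGN_MANIFEST):
        print(json.dumps(audit_manifest(text, WATCH_URLS), indent=2))
```

On a real endpoint the manifests live under the browser profile's `Extensions` directory (one `manifest.json` per extension version), so the same function can be pointed at each of those files to triage installed extensions. A `high` result is only a lead: legitimate password managers also hold `cookies` plus broad host access, so the finding has to be checked against the extension's provenance.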
The infrastructure patterns IBM observed suggest the operator has the ability and motivation to expand beyond Latin America, Chimino said. The malware's design allows it to adapt quickly, and the live operator model makes it harder to spot with automated defenses.
The UnregStealer campaign does not target IBM's own systems; IBM's exposure is as the vendor whose security and consulting business tracks threats of this kind. The company's threat research group continues to monitor the malware's evolution.
Prepared with AlphaScala research tooling and grounded in primary market data: live prices, fundamentals, SEC filings, hedge-fund holdings, and insider activity. Each story is checked against AlphaScala publishing rules before release. Educational coverage, not personalized advice.