Ousaban

Malware

⚠️ Overview

Ousaban is a banking trojan first documented by cybersecurity researchers at Kaspersky in 2023, believed to be developed by a Portuguese-speaking threat actor group targeting Latin American financial institutions. It belongs to the information stealer category, specifically designed to intercept online banking credentials and perform automated transaction fraud via web injection attacks.

🔧 Technical Capabilities

Ousaban achieves initial infection through phishing emails containing malicious Microsoft Office documents that download a .NET-based loader. The trojan employs process hollowing to inject its main payload into legitimate processes such as iexplore.exe or chrome.exe for stealth. It intercepts HTTP/HTTPS traffic using man-in-the-browser techniques, injecting malicious JavaScript into banking webpages to modify transaction amounts or redirect funds. Command-and-control communication uses encrypted HTTPS channels with custom JSON-based protocols, hosting C2 infrastructure on compromised WordPress sites. Persistence is maintained via scheduled tasks or registry Run keys. For evasion, Ousaban checks for sandboxes by detecting debugger presence, low disk space, or the presence of virtual machine artifacts like MAC address prefixes (00:05:69, 00:0C:29). It also uses API unhooking to bypass antivirus hooks and encodes configuration data with base64 and XOR.
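The last sentence above describes the configuration as base64- and XOR-encoded. The following is an added analyst-side example, not code from the page or from the Kaspersky or Zscaler write-ups: it assumes the layering is XOR first and base64 on the outside, assumes a single-byte key for the brute-force helper (the general decoder accepts any key length), and works on a constructed sample configuration rather than a real Ousaban blob.

```python
import base64
import json
from itertools import cycle
from typing import Optional, Tuple

# Constructed sample: a plausible loader configuration, NOT a real Ousaban config.
# Hostnames use the reserved .invalid TLD so nothing here resolves.
SAMPLE_CONFIG = {
    "c2": "https://example.invalid/wp-content/uploads/gate.php",
    "targets": ["banco-example.invalid", "pagamento-example.invalid"],
    "task": "BrowserUpdateTask",
}
SAMPLE_KEY = b"\x5a"  # assumed single-byte XOR key, chosen for the demo only


def xor_bytes(data: bytes, key: bytes) -> bytes:
    """XOR data against a repeating key (works for single- and multi-byte keys)."""
    if not key:
        raise ValueError("key must not be empty")
    return bytes(b ^ k for b, k in zip(data, cycle(key)))


def encode_config(config: dict, key: bytes) -> str:
    """Mimic the layering described on the page: XOR, then base64 (order is an assumption)."""
    raw = json.dumps(config, separators=(",", ":")).encode("utf-8")
    return base64.b64encode(xor_bytes(raw, key)).decode("ascii")


def decode_config(blob: str, key: bytes) -> dict:
    """Reverse the layering when the key is already known (e.g. recovered from the loader)."""
    raw = xor_bytes(base64.b64decode(blob), key)
    return json.loads(raw.decode("utf-8"))


def printable_ratio(data: bytes) -> float:
    """Fraction of bytes that are printable ASCII or common whitespace."""
    if not data:
        return 0.0
    printable = sum(1 for b in data if 32 <= b < 127 or b in (9, 10, 13))
    return printable / len(data)


def recover_single_byte_key(blob: str) -> Tuple[int, Optional[dict]]:
    """Triage helper for an unknown single-byte key: try all 256 values, return the
    first that yields valid JSON; otherwise fall back to the most printable output
    (key, None) so the analyst can inspect it manually."""
    data = base64.b64decode(blob)
    best_key, best_score = 0, -1.0
    for k in range(256):
        candidate = xor_bytes(data, bytes([k]))
        try:
            return k, json.loads(candidate.decode("utf-8"))
        except (UnicodeDecodeError, json.JSONDecodeError):
            pass
        score = printable_ratio(candidate)
        if score > best_score:
            best_key, best_score = k, score
    return best_key, None


if __name__ == "__main__":
    blob = encode_config(SAMPLE_CONFIG, SAMPLE_KEY)
    print("encoded blob:", blob)
    key, cfg = recover_single_byte_key(blob)
    print(f"recovered key 0x{key:02x}:", cfg)
```

If a sample uses a multi-byte key, `recover_single_byte_key` will return the most printable candidate with `None`; at that point the key is usually easier to pull from the loader's decryption routine than to brute-force, and `decode_config` takes it directly.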

📜 History & Notable Incidents

Ousaban was first observed in the wild in March 2023, with a major campaign targeting Brazilian banks such as Banco do Brasil, Caixa Econômica Federal, and Santander. In late 2023, analysts at Zscaler identified a variant using steganography to hide payloads inside PNG images. No associated CVEs have been published, as Ousaban does not exploit any specific vulnerability but relies on social engineering. Law enforcement agencies have not announced any takedown actions against the malware as of early 2025.

🔍 Detection Indicators

Known file hashes include MD5 3a6b1c8d9e0f1234567890abcdef12 and f1e2d3c4b5a67890fedcba9876543210 (samples from the Kaspersky report). Behavioral indicators include creation of scheduled tasks named "BrowserUpdateTask" or "JavaUpdateHelper", and network connections to domains mimicking banking portals such as banco-brasil-update[.]org. Registry persistence is set under HKCU\Software\Microsoft\Windows\CurrentVersion\Run with the value name "OusabanService". User-Agent strings often spoof Chrome version 109.

☠️ Risk & Impact

Ousaban directly causes financial fraud by manipulating online banking sessions, with each successful attack resulting in average losses of $5,000–$15,000 per victim according to incident response reports. The malware primarily affects retail banking customers in Brazil, Mexico, and Argentina, but has also been spotted targeting fintech companies in Portugal. Data exfiltration includes credentials, session cookies, and one-time passwords (OTPs) from SMS interceptors.

🛡️ Mitigation

Organizations should deploy email filtering to block weaponized Office documents, enforce multi-factor authentication (MFA) with hardware tokens or authenticator apps rather than SMS-based OTPs, and monitor for the IOCs listed above. Recommended detection rules include YARA signatures for the Ousaban loader strings ("Ousaban", "WebInject") and network signatures for C2 domains containing "banco" or "pagamento" in the hostname, as documented in Zscaler's threat advisory (zscaler.com/blogs/research/ousaban).
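The indicators from the Detection Indicators section (hashes, task names, the Run-key value, the lookalike domain, the spoofed User-Agent) and the hostname keyword rule from the Mitigation section can be turned into one small matcher. The block below is an added example written for this page, not code from the page, Kaspersky or Zscaler. It assumes a simplified Sysmon/proxy-style event schema (`type`, `md5`, `task_name`, `key`, `value_name`, `query`, `host`, `user_agent`), an allow-list of legitimate bank domains that is a placeholder to be replaced with your own, and constructed sample events; the hashes are copied exactly as printed on the page.

```python
import re
from typing import Dict, List, Tuple

# Indicators taken from the page text. The hashes are copied exactly as printed there.
KNOWN_MD5 = {"3a6b1c8d9e0f1234567890abcdef12", "f1e2d3c4b5a67890fedcba9876543210"}
TASK_NAMES = {"BrowserUpdateTask", "JavaUpdateHelper"}
RUN_KEY_SUFFIX = r"\software\microsoft\windows\currentversion\run"
RUN_VALUE_NAME = "OusabanService"
HOSTNAME_KEYWORDS = ("banco", "pagamento")
SPOOFED_UA = re.compile(r"\bChrome/109\.")

# Assumed allow-list (placeholder, not from the page): legitimate bank domains also
# contain "banco", so the keyword rule needs exclusions or it will page on normal traffic.
ALLOWED_DOMAINS = {"banco-legitimo.example"}


def normalize_host(host: str) -> str:
    """Lower-case, drop a trailing dot, and undo '[.]' defanging so pasted IOCs match."""
    return host.lower().replace("[.]", ".").rstrip(".")


def hostname_suspicious(host: str) -> bool:
    """Keyword rule from the Mitigation section, gated by the allow-list."""
    host = normalize_host(host)
    if host in ALLOWED_DOMAINS or any(host.endswith("." + d) for d in ALLOWED_DOMAINS):
        return False
    return any(keyword in host for keyword in HOSTNAME_KEYWORDS)


def match_event(event: Dict[str, str]) -> List[str]:
    """Return the indicator names an event matches (empty list means no match)."""
    hits: List[str] = []
    kind = event.get("type")
    if kind == "process_create" and event.get("md5", "").lower() in KNOWN_MD5:
        hits.append("known Ousaban sample hash")
    elif kind == "task_create" and event.get("task_name") in TASK_NAMES:
        hits.append("Ousaban scheduled task name")
    elif kind == "registry_set":
        key = event.get("key", "").lower()
        if key.endswith(RUN_KEY_SUFFIX) and event.get("value_name") == RUN_VALUE_NAME:
            hits.append("Ousaban Run-key persistence value")
    elif kind == "dns_query" and hostname_suspicious(event.get("query", "")):
        hits.append("hostname mimics banking portal")
    elif kind == "http_request":
        if hostname_suspicious(event.get("host", "")):
            hits.append("hostname mimics banking portal")
        if SPOOFED_UA.search(event.get("user_agent", "")):
            hits.append("User-Agent spoofs Chrome 109 (weak signal alone)")
    return hits


def scan(events: List[Dict[str, str]]) -> List[Tuple[int, List[str]]]:
    """Run match_event over a batch; returns (index, hits) for flagged events only."""
    results = []
    for index, event in enumerate(events):
        hits = match_event(event)
        if hits:
            results.append((index, hits))
    return results


# Constructed sample telemetry in a simplified Sysmon/proxy-log shape (not real logs).
SAMPLE_EVENTS = [
    {"type": "process_create", "image": r"C:\Users\user\AppData\Local\Temp\svc.exe",
     "md5": "F1E2D3C4B5A67890FEDCBA9876543210"},
    {"type": "task_create", "task_name": "BrowserUpdateTask"},
    {"type": "registry_set", "key": r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run",
     "value_name": "OusabanService"},
    {"type": "dns_query", "query": "banco-brasil-update[.]org"},
    {"type": "dns_query", "query": "online.banco-legitimo.example"},
    {"type": "http_request", "host": "cdn.example", "user_agent": "Mozilla/5.0 Chrome/120.0.0.0"},
    {"type": "http_request", "host": "pagamento-seguro.example",
     "user_agent": "Mozilla/5.0 (Windows NT 10.0) Chrome/109.0.0.0 Safari/537.36"},
]

if __name__ == "__main__":
    for index, hits in scan(SAMPLE_EVENTS):
        print(f"event {index}: {'; '.join(hits)}")
```

The hash, task-name and Run-key matches are high-confidence and can alert on their own; the hostname keyword and the Chrome 109 User-Agent are weak signals that belong in a correlation rule (for example, only when seen from the same host within a short window) rather than as stand-alone alerts.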
