Ousaban Banking Trojan Uses Phishing PDFs to Steal Iberian Banking Credentials
The Ousaban campaign exploits a fundamental gap in end-user security awareness: the phishing PDFs pose as corrupted files and present a fake 'Update' button, and a user who clicks it starts the malware infection chain. Once installed, the trojan silently monitors banking sessions and harvests credentials, enabling full account takeover. The malware's use of steganography, geo-blocking, and daily-rotating command-and-control addresses makes it exceptionally difficult for traditional detection tools to flag. This attack matters because it demonstrates how sophisticated social engineering, combined with advanced evasion techniques, can defeat technical controls and deceive untrained users. Financial institutions and their customers in targeted regions face significant fraud and data breach risk without layered defenses.
Tactical Insight
Immediate actions
- Train all employees and customers to never click 'Update' buttons or links embedded within PDF documents received via email.
- Deploy email gateway filtering with attachment sandboxing to detonate and inspect PDF files before delivery to end users.
- Block execution of files downloaded from PDFs using application whitelisting or endpoint protection policies.
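As an added illustration of the gateway inspection step above (this is example code written for this page, not tooling from the advisory or from any named vendor), the following Python script performs a static triage of a PDF before delivery: it inflates FlateDecode streams so that objects hidden in compressed content are visible, lists the action keys that can open a link, launch a program or run script, extracts /URI targets, and returns a block/review/allow verdict. The two PDFs and the URL inside them are constructed for the example; the URL is a placeholder, not an indicator from the campaign.

```python
import re
import zlib

# Constructed sample PDF (not a real sample from the campaign): one page with a
# link annotation whose /URI action points at an executable download, plus an
# /OpenAction that runs JavaScript. The URL is a placeholder, not an indicator.
SAMPLE_PDF = b"""%PDF-1.4
1 0 obj << /Type /Catalog /Pages 2 0 R /OpenAction 5 0 R >> endobj
2 0 obj << /Type /Pages /Kids [3 0 R] /Count 1 >> endobj
3 0 obj << /Type /Page /Parent 2 0 R /Annots [4 0 R] >> endobj
4 0 obj << /Type /Annot /Subtype /Link /Rect [100 100 200 130]
   /A << /S /URI /URI (http://example.invalid/update.exe) >> >> endobj
5 0 obj << /S /JavaScript /JS (app.alert('update')) >> endobj
trailer << /Root 1 0 R >>
%%EOF
"""

# Constructed benign PDF: no actions, no links, no scripts.
CLEAN_PDF = b"""%PDF-1.4
1 0 obj << /Type /Catalog /Pages 2 0 R >> endobj
2 0 obj << /Type /Pages /Kids [3 0 R] /Count 1 >> endobj
3 0 obj << /Type /Page /Parent 2 0 R >> endobj
trailer << /Root 1 0 R >>
%%EOF
"""

# PDF name objects that can trigger navigation, execution or scripting.
ACTION_KEYS = (b"/URI", b"/Launch", b"/JavaScript", b"/JS",
               b"/OpenAction", b"/SubmitForm", b"/EmbeddedFile")
# Keys that alone justify blocking; a plain /URI only earns "review" unless
# its target looks like a binary download.
BLOCK_KEYS = {"/Launch", "/JavaScript", "/JS", "/EmbeddedFile"}
EXECUTABLE_EXTS = (".exe", ".msi", ".scr", ".js", ".vbs", ".hta", ".lnk", ".zip", ".iso")

URI_RE = re.compile(rb"/URI\s*\((.*?)\)", re.DOTALL)
STREAM_RE = re.compile(rb"stream\r?\n(.*?)\r?\nendstream", re.DOTALL)


def inflate_streams(data: bytes) -> bytes:
    """Return the raw file plus the inflated body of every FlateDecode stream,
    so keys hidden inside compressed object streams are visible to the scan."""
    parts = [data]
    for m in STREAM_RE.finditer(data):
        try:
            # decompressobj tolerates a stream whose trailing bytes were clipped
            parts.append(zlib.decompressobj().decompress(m.group(1)))
        except zlib.error:
            pass  # not a Flate stream (image data etc.); raw bytes already scanned
    return b"\n".join(parts)


def triage_pdf(data: bytes) -> dict:
    """Static triage of a PDF: list action keys and link targets, return a verdict."""
    body = inflate_streams(data)
    hits = sorted(k.decode() for k in ACTION_KEYS if k in body)
    urls = [u.decode(errors="replace") for u in URI_RE.findall(body)]
    risky_urls = [u for u in urls if u.lower().split("?")[0].endswith(EXECUTABLE_EXTS)]
    if risky_urls or BLOCK_KEYS & set(hits):
        verdict = "block"
    elif hits:
        verdict = "review"
    else:
        verdict = "allow"
    return {"hits": hits, "urls": urls, "risky_urls": risky_urls, "verdict": verdict}


def wrap_in_flate_stream(inner: bytes) -> bytes:
    """Build a constructed PDF fragment whose only content is a compressed stream,
    used to show that the scan sees inside FlateDecode-encoded objects."""
    comp = zlib.compress(inner)
    return (b"%PDF-1.4\n6 0 obj << /Length " + str(len(comp)).encode()
            + b" /Filter /FlateDecode >>\nstream\n" + comp + b"\nendstream\nendobj\n%%EOF\n")


if __name__ == "__main__":
    for name, pdf in (("sample", SAMPLE_PDF), ("clean", CLEAN_PDF)):
        print(name, triage_pdf(pdf))
```

A static pass like this is a cheap first filter in front of full detonation: it cannot see through encrypted PDFs or every filter chain, so a "review" verdict should route the file to the sandbox rather than release it, and a "block" verdict should also feed the extracted URLs to the DNS and proxy blocklists.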
Long-term improvements
- Implement multi-factor authentication (MFA) on all banking and financial portals to limit the impact of stolen credentials.
- Establish a threat intelligence program that subscribes to feeds tracking banking trojans and their evolving C2 infrastructure patterns.
- Conduct regular phishing simulation exercises targeting staff and measure click rates to identify and remediate high-risk user groups.
Detection measures
- Deploy DNS-layer security and network monitoring to detect connections to newly registered or rapidly rotating C2 domains.
- Enable behavioral endpoint detection (EDR) rules to flag steganographic file parsing and anomalous credential-harvesting activity.
- Monitor banking application logs for unusual session patterns, rapid geographic shifts, or concurrent logins that may indicate account takeover.
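The last bullet above describes two account-takeover signals that are easy to miss in raw logs. As an added worked example (written for this page, not code from the advisory or from any banking platform), the Python below runs over a constructed authentication log and raises an alert when a user logs in from a different country within a short window of a previous login, or logs in from a new source while an earlier session from another source is still open. The log format, user names and IP addresses are all invented for the example; a real deployment would parse the portal's own session events.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed banking-portal authentication log (not real data). Addresses are
# documentation ranges and the user names are invented.
LOG_LINES = """
2024-05-06T08:58:03Z user=ana.ruiz src=198.51.100.7 geo=ES event=login_success
2024-05-06T09:05:44Z user=ana.ruiz src=198.51.100.7 geo=ES event=logout
2024-05-06T09:12:10Z user=ana.ruiz src=203.0.113.45 geo=BR event=login_success
2024-05-06T09:30:00Z user=joao.silva src=192.0.2.15 geo=PT event=login_success
2024-05-06T09:31:20Z user=joao.silva src=203.0.113.99 geo=PT event=login_success
2024-05-06T10:00:00Z user=joao.silva src=192.0.2.15 geo=PT event=logout
2024-05-06T13:00:00Z user=maria.costa src=192.0.2.80 geo=PT event=login_success
2024-05-06T13:40:00Z user=maria.costa src=192.0.2.80 geo=PT event=logout
2024-05-06T16:00:00Z user=maria.costa src=192.0.2.80 geo=PT event=login_success
""".strip().splitlines()

LINE_RE = re.compile(
    r"^(?P<ts>\S+) user=(?P<user>\S+) src=(?P<src>\S+) geo=(?P<geo>[A-Z]{2}) event=(?P<event>\S+)$"
)


def parse_line(line: str):
    """Parse one log line into a dict, or return None for lines that do not match."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    rec["ts"] = datetime.strptime(rec["ts"], "%Y-%m-%dT%H:%M:%SZ")
    return rec


def detect_anomalies(lines, travel_window=timedelta(hours=1)):
    """Flag two account-takeover signals:
      rapid_geo_shift    - a user logs in from a different country within
                           travel_window of a previous login
      concurrent_session - a user logs in from a new source while a session
                           from another source is still open (no logout seen)
    Returns a list of (kind, user, previous, current) tuples in time order."""
    events = sorted((r for r in map(parse_line, lines) if r), key=lambda r: r["ts"])
    last_login = {}                 # user -> most recent login record
    active = defaultdict(dict)      # user -> {src: login time} for open sessions
    alerts = []
    for ev in events:
        user = ev["user"]
        if ev["event"] == "login_success":
            prev = last_login.get(user)
            if prev and prev["geo"] != ev["geo"] and ev["ts"] - prev["ts"] <= travel_window:
                alerts.append(("rapid_geo_shift", user, prev["geo"], ev["geo"]))
            other_sources = [s for s in active[user] if s != ev["src"]]
            if other_sources:
                alerts.append(("concurrent_session", user, other_sources[0], ev["src"]))
            active[user][ev["src"]] = ev["ts"]
            last_login[user] = ev
        elif ev["event"] == "logout":
            active[user].pop(ev["src"], None)
    return alerts


if __name__ == "__main__":
    for alert in detect_anomalies(LOG_LINES):
        print(*alert)
```

On the sample log this yields one rapid_geo_shift for ana.ruiz (ES to BR fourteen minutes apart) and one concurrent_session for joao.silva; maria.costa's two sessions hours apart from the same address raise nothing. Because the trojan rides the victim's own session, the concurrent-session check is the more telling of the two when the fraudulent activity originates from the victim's country, which is why the geo check alone is not enough.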