Win32.Backdoor.Banito.A is acting as a companion, which means that it hijacks executable files larger than zero bytes. Trojan creates a copy of all applications that are running at that point, but removes their executable extension. It then injects its viral code into the original executable file, which allows it to launch whenever the user tries to open the original program. Analysis revealed that the Trojan takes screenshots of the desktop, captures the web-cam feed, and it sends info about the installed drives and operating system.”]
Source: https://www.bitdefender.com/blog/hotforsecurity/exploit-leads-to-remote-code-execution/