Search This Blog

Powered by Blogger.

Blog Archive

Labels

Showing posts with label Banking Malware. Show all posts

TrickMo Android Trojan Abuses Accessibility Services for On-Device Financial Scam

 

Cybersecurity experts discovered a new form of the TrickMo banking trojan, which now includes advanced evasion strategies and the ability to create fraudulent login screens and steal banking credentials. 

This sophisticated malware employs malicious ZIP files and JSONPacker to obstruct analysis and detection efforts. TrickMo, discovered by CERT-Bund in September 2019, has a history of targeting Android smartphones, with a special focus on German users, in order to acquire one-time passwords (OTPs) and other two-factor authentication (2FA) credentials for financial fraud. The trojan is believed to be the work of the now-defunct TrickBot e-crime gang, which is known for constantly enhancing its obfuscation and anti-analysis features. 

Screen recording, keystroke logging, SMS and photo harvesting, remote control for on-device fraud, and exploiting Android's accessibility services API for HTML overlay attacks and device gestures are some of the main capabilities of the TrickMo version. In addition, the malware could automatically accept permissions, handle notifications to steal or conceal login codes, and intercept SMS messages.

A malicious dropper app that mimics the Google Chrome web browser is used to spread the malware. Users are prompted to upgrade Google Play Services upon installation. In the case that the user agrees, an APK with the TrickMo payload is downloaded and set up pretending to be "Google Services." Next, the user is prompted to allow this program to use accessibility features, which gives them full control over the device. 

TrickMo can use accessibility services to disable critical security features, stop system upgrades, and hinder app uninstallation. Misconfigurations in the malware's command-and-control (C2) server made 12 GB of sensitive data, including credentials and photos, available without authentication. 

This exposed data is vulnerable to exploitation by other threat actors for identity theft, unauthorised account access, financial transfers, and fraudulent transactions. The security breakdown highlights a severe operational security failure by the threat actors, increasing the risk to victims. The exposed private data can be utilised to create convincing phishing emails, resulting in additional information disclosure or malicious acts.

SpyNote Strikes: Android Spyware Targets Financial Establishments

 

Since at least October 2022, financial institutions have been targeted by a new version of Android malware called SpyNote, which combines spyware and banking trojan characteristics. 

"The reason behind this increase is that the developer of the spyware, who was previously selling it to other actors, made the source code public," ThreatFabric said in a report shared with The Hacker News. "This has helped other actors [in] developing and distributing the spyware, often also targeting banking institutions."

Deutsche Bank, HSBC U.K., Kotak Mahindra Bank, and Nubank are among the notable institutions impersonated by the malware. SpyNote (aka SpyMax) is feature-rich and comes with a slew of capabilities, including the ability to instal arbitrary apps, collect SMS messages, calls, videos, and audio recordings, track GPS locations, and even thwart attempts to uninstall the app. 

It also mimics the behaviour of other banking malware by requesting access to services to extract two-factor authentication (2FA) codes from Google Authenticator and record keystrokes to steal banking credentials.

SpyNote also includes features for stealing Facebook and Gmail passwords and capturing screen content via Android's MediaProjection API.

According to the Dutch security firm, the most recent SpyNote variant (dubbed SpyNote.C) is the first to target banking apps as well as other well-known apps such as Facebook and WhatsApp.

It's also known to pose as the official Google Play Store service and other generic applications ranging from wallpapers to productivity and gaming. The following is a list of some of the SpyNote artefacts, which are mostly delivered via smishing attacks:
  • Bank of America Confirmation (yps.eton.application)
  • BurlaNubank (com.appser.verapp)
  • Conversations_ (com.appser.verapp )
  • Current Activity (com.willme.topactivity)
  • Deutsche Bank Mobile (com.reporting.efficiency)
  • HSBC UK Mobile Banking (com.employ.mb)
  • Kotak Bank (splash.app.main)
  • Virtual SimCard (cobi0jbpm.apvy8vjjvpser.verapchvvhbjbjq)
SpyNote.C is approximated to have been bought by 87 different customers between August 2021 and October 2022 after its developer advertised it through a Telegram channel under the name CypherRat.

Nevertheless, the open-source availability of CypherRat in October 2022 has resulted in a significant rise in the number of samples detected in the wild, implying that several criminal groups are using the malware in their own campaigns.

ThreatFabric also stated that the original author has since begun work on a new spyware project codenamed CraxsRat, which will be available as a paid application with similar features.

"This development is not as common within the Android spyware ecosystem, but is extremely dangerous and shows the potential start of a new trend, which will see a gradual disappearance of the distinction between spyware and banking malware, due to the power that the abuse of accessibility services gives to criminals," the company said.

The revelations resulted after a group of researchers demonstrated EarSpy, a unique attack against Android devices that allows access to audio conversations, indoor locations, and touchscreen inputs by using the smartphones' built-in motion sensors and ear speakers as a side channel.

Brazilian Banks Place a Priority on A.I. and Cybersecurity

 

According to a new survey, artificial intelligence (AI) and cybersecurity are some of the top concerns for banking institutions in Brazil's technology strategy. Analysis of data and the complexity of data analysis strategies relating to evidence gained through the ongoing Open Finance initiative are also a top priority for 78 percent of participants, according to the yearly basis research published by the Brazilian Banking Federation (Febraban) in collaboration with Deloitte.

"It merely came to our attention at the time." For the past 3 decades, it has been Brazilian banks, not fintech or startups, who are at the forefront and remain to be at the stage of international banking technology. Banks have always been digital, innovative, and sophisticated, but most importantly, safe and dependable. "We are not dedicated to it," says FEBRABAN President Isaac Sidney. 

Other innovations have been cited as vital, in addition to AI and cybersecurity, which were cited as key priorities and main areas of concentration in 2021 and remain so this year. 

Public cloud (94 %), Big Data (94 %), process mining (78 %), IoT (75 %), blockchain (67 %), and quantum computing (50 %) were all highlighted by IT decision-makers as current priorities. 

Other goals mentioned by the CEOs in the report were the creation of super apps or superstores (39%) and data-driven financial counseling (35%) as well as store transformation (30%) and WhatsApp-based transactions (30%). Initiatives focused on boosting customer trust in data sharing (22 percent) and expanding chatbot-based transactions are at the bottom of the list (17 percent ).
 
Other objectives highlighted by CEOs in the research included the construction of mega apps or superstores (39%) and data-driven financial advice (35%), as well as shop transformation (30%) and WhatsApp-based trades (30 percent ). At the bottom of the list are initiatives aimed at increasing trust in data sharing (22%), as well as extending chatbot-based transactions (17%).

For the study, Febraban polled 24 firms via a questionnaire, representing 90% of the Brazilian banking industry. The qualitative study enlisted the participation of 34 executives. During November and December 2021, one of three phases of research was completed. 

Banks are widely regarded as pioneers in digital transformation efforts. "If you look at that market, they have complexity in what they have," EY's Errol Gardner said in a recent interview with TechInformed. "But they are putting tremendous investment into digital and the services which wrap around it ." However, many banks continue to be particularly focused on the conventional, local branch network, methods of operating."

Mekotio Banking Trojan Resurfaces with Tweaked Code

 

On November 3, Check Point Research (CPR) released research on Mekotio, a modular banking Remote Access Trojan (RAT) that targets victims in Brazil, Chile, Mexico, Spain, and Peru, and it's now back with new techniques for evading detection. 

In October, 16 people were arrested across Spain in connection with Mekotio and the Grandoreiro Trojans. The individuals are suspected of sending hundreds of phishing emails to spread the Trojan, which was then used to steal banking and financial information. As per local media sources, 276,470 euros were stolen, but 3,500,000 euros worth of transfer attempts were made, which were luckily blocked. 

According to CPR researchers Arie Olshtein and Abedalla Hadra, the arrests simply delayed the transmission of the malware across Spain, and the malware is still spreading since the group probably partnered with other criminal organisations. Mekotio's developers, suspected of being based in Brazil, quickly rehashed their malware with new characteristics aimed to prevent detection after the arrests were revealed by the Spanish Civil Guard. 

The infection vector of Mekotio has remained the same, including phishing emails containing either links to or malicious code. The payload is contained in a ZIP archive attached. However, an examination of more than 100 recent attacks indicated the use of a simple obfuscation approach and a substitution cypher to avoid detection by antivirus software. 

In addition, the developers have included a redesigned batch file with numerous levels of obfuscation, a new PowerShell script that runs in memory to conduct malicious actions, and the use of Themida to safeguard the final Trojan payload — a legitimate application that prevents cracking or reverse engineering. 

Mekotio attempts to exfiltrate login credentials for banks and financial services once it has been installed on a vulnerable machine and will send them to a command-and-control (C2) server controlled by its operators. 

The researchers stated, "One of the characteristics of those bankers, such as Mekotio, is the modular attack which gives the attackers the ability to change only a small part of the whole in order to avoid detection. CPR sees a lot of old malicious code used for a long time, and yet the attacks manage to stay under the radar of AVs and EDR solutions by changing packers or obfuscation techniques such as a substitution cipher."

Hydra Malware Targets Germany's Second Largest Bank Customers

 

The Hydra banking trojan has resurfaced to target European e-banking platform users, especially Commerzbank customers, Germany's second-largest financial institution. 

MalwareHunterTeam discovered the two-year-old virus in a fresh dissemination operation that targets German users with a malicious APK called 'Commerzbank Security' with a lookalike icon to the legitimate application. 

This grabbed the attention of Cyble researchers, who sampled the file for a more in-depth study, revealing a sophisticated phishing tool with broad rights access. 

According to Cyble experts, Hydra is still evolving; the variations used in the latest campaign include TeamViewer features, similar to the S.O.V.A. Android banking Trojan, and utilize various encryption methods to avoid detection, as well as Tor for communication. 

The latest version additionally allows to turn off the Play Protect Android security function. The virus demands two very hazardous permissions, BIND_ACCESSIBILITY_PERMISSION and BIND_DEVICE_ADMIN, according to the experts. 

The Accessibility Service is a background service that assists users with disabilities, and the BIND_ACCESSIBILITY_SERVICE permission permits the app to access it. 

The analysis published by Cyble states, “Malware authors abuse this service to intercept and monitor all activities happening on the device’s screen. For example, using Accessibility Service, malware authors can intercept the credentials entered on another app.” 

“BIND_DEVICE_ADMIN is a permission that allows fake apps to get admin privileges on the infected device. Hydra can abuse this permission to lock the device, modify or reset the screen lock PIN, etc.” 

Other rights are requested by the malware to carry out harmful activities such as accessing SMS content, sending SMSs, making calls, modifying device settings, spying on user activity, and sending bulk SMSs to the victim's contacts: 
  • CHANGE_WIFI_STATE : Modify Device’s Wi-Fi settings 
  • READ_CONTACTS: Access to phone contacts 
  • READ_EXTERNAL_STORAGE: Access device external storage 
  • WRITE_EXTERNAL_STORAGE: Modify device external storage 
  • READ_PHONE_STATE: Access phone state and information 
  • CALL_PHONE: Perform call without user intervention 
  • READ_SMS : Access user’s SMSs stored in the device 
  • REQUEST_INSTALL_PACKAGES : Install applications without user interaction 
  • SEND_SMS: This allows the app to send SMS messages 
  • SYSTEM_ALERT_WINDOW: The display of system alerts over other apps 
The code analysis shows that many classes are missing from the APK file. To avoid signature-based detection, the malicious code uses a custom packer. 

Cyble concluded, “We have also observed that the malware authors of Hydra are incorporating new technology to steal information and money from its victims. Alongside these features, the recent trojans have incorporated sophisticated features. We observed the new variants have TeamViewer or VNC functionality and TOR for communication, which shows that TAs are enhancing their TTPs.” 

“Based on this pattern that we have observed, malware authors are constantly adding new features to the banking trojans to evade detection by security software and to entice cybercriminals to buy the malware. To protect themselves from these threats, users should only install applications from the official Google Play Store.” 

18 million potential targets

Commerzbank has 13 million German clients and another 5 million in Central and Eastern Europe. This amounts to a total of 18 million potential targets, which is always an important factor for malware distributors. 

Typically, threat actors utilise SMS, social media, and forum postings to direct potential victims to malicious landing pages that install the APK on German devices. 

If anyone believes they have already fallen into Hydra's trap, it is suggested that they clean their device with a trustworthy vendor's security tool and then do a factory reset.

Emotet Returns: Here's a Quick Look into new 'Windows Update' attachment

 

Emotet Malware was first discovered by security researchers in the year 2014, but, the threats by Emotet have constantly evolved over the years. At present, the malware is highly active as its developers continue to evolve their strategies, devising more sophisticated tricks and advancements. Recently, it has been noticed to be delivering several malware payloads and is also one of the most active and largest sources of malspam as of now. 
 
The operators behind Emotet are sending spam emails to unsuspected victims to trick them into downloading the malware; botnet has started to employ a new malicious attachment that falsely claims to be a message from Windows Update asking victims to upgrade Microsoft Word. It begins by sending spam email to the victim containing either a download link or a Word document, now when the victim happens to ‘Enable Content’ to let macros run on their system, the Emotet Trojan gets installed. In their previous malspam campaigns, used by the criminals were said to be from Office 365 and Windows 10 Mobile. 
 

How does the malware works? 

 
Once installed, the malware tries to sneak into the victim’s system and acquire personal information and sensitive data. Emotet uses worm-like capabilities that help it spreading itself to other connected PCs. With add-ons to avoid detection by anti-malware software, Emotet has become one of the most expensive and dangerous malware, targeting both governments as well as private sectors. 

The malware keeps updating the way it delivers these malicious attachments as well as their appearances, ensuring prevention against security tools. The subject lines used in a particular malspam campaign are replaced by new ones, the text in the body gets changed and lastly the ‘file attachment type’ and the content of it are timely revised. 
 
Emotet malware has continuously evolved to the levels of technically sophisticated malware that has a major role in the expansion of the cybercrime ecosystem. After a short break, the malware made a comeback with full swing on October 14th and has started a new malspam routine. 
 
Originally discovered as a simple banking Trojan, Emotet’s roots date back to 2014 when it attempted to steal banking credentials from comrpmised machines. As per recent reports, Emotet also delivers third-party payloads such as IcedID, Qbot, The Trick, and Gootkit.

IBM discovers a new banking malware attached to Video Conferencing apps like Zoom

 

Researchers at IBM have discovered a new malware campaign VIZOME that hijacks bank accounts by the overlay.
Researchers Chen Nahman, Ofir Ozer, and Limor Kessem have found that the new malware targeting bank accounts in Brazil uses amusing tricks and tactics to stay hidden and attack devices - that is use of overlay and DLL highjacking. 

 It spreads via spam phishing and pretends to be a video conferencing software, much in use in these times. 

 After enlisting itself in the device, Vizome infiltrates the AppData directory by launching DLL highjacking. 

The malware loads it's own DLL files and names it such that seems legitimate. Vimoze then tricks the computer into loading the malware with the video conferencing app. The DLL is termed Cmmlib.dll, a file associated with Zoom. 

The malware then installs another playload, a Remote Access Trojan (RAT) which makes remote access and overlay possible. 

 "To make sure that the malicious code is executed from "Cmmlib.dll," the malware's author copied the real export list of that legitimate DLL but made sure to modify it and have all the functions direct to the same address -- the malicious code's address space," the researchers say. 

 While in the system, Vizome will wait for a Banking inquiry or search on the browser. When such a banking website is accessed, the attackers hijack the system remotely via RAT (Remote Access Trojan). Vizome through RAT can abuse Windows API functions, such as moving a mouse cursor, take screenshots, initiate keyboard input, and emulate clicks.

 "The remote overlay malware class has gained tremendous momentum in the Latin American cybercrime arena through the past decade making it the top offender in the region," IBM says. "At this time, Vizom focuses on large Brazilian banks, however, the same tactics are known to be used against users across South America and has already been observed targeting banks in Europe as well."

Banking Trojan 'Metamorfo' Now Targeting Online Users' Banking Services


Online banking users are being targeted by a trojan malware campaign going around the globe with the agenda of gaining illegal access to personal information such as credit card details and other sensitive data of users.

The banking trojan which has successfully affected more than 20 online banks goes by the name 'Metamorfo'. Several countries fell prey to the banking trojan including the US, Spain, Peru, Canada, Chile, Mexico, and Ecuador. Reportedly, earlier the attack was limited to Brazil-based banks only, however, the recent times witnessed a rapid increase in the number of these attacks; now encompassing other countries, according to the cybersecurity researchers at Fortinet.

In order to multiply their opportunities for financial gains, Cybercriminals have continued to resort to banking trojans and have refined the apparatus of the malware – in ways that make detection complicated. The latest research indicates that earlier the targeting was limited to the banking sector only but now as the leading banking trojans have expanded their reach, industries other than banking are also vulnerable to the attacks. The likely targets include cloud service providers, online tech stores, warehousing, mobile app stores, and e-commerce, according to the latest findings.

Metamorfo relies on email spoofing to set the attack into motion, it appears to contain information regarding an invoice and directs the victims to download a .ZIP file. As soon as the targeted user downloads and finishes the extraction of the file, it tends to allow Metamorfo to run on a Windows system. After the installation is completed, the malware starts running an Autolt script execution program. Although the scripting language is primarily designed for automating the Windows graphical UI, here the malware employs it to bypass the antivirus detection.

While explaining the functioning of the malware, ZDnet told, "Once running on the compromised Windows system, Metamorfo terminates any running browsers and then prevents any new browser windows from using auto-complete and auto-suggest in data entry fields.

"This prevents the user from using auto-complete functions to enter usernames, passwords, and other information, allowing the malware's keylogger functionality to collect the data the users are thus obliged to retype. It then sends that data back to a command-and-control server run by the attackers."

There are no revelations made about the keywords related to the targeted banks and other financial institutions, however, researchers expect the Metamorfo campaign still being active. To stay on a safer side, users are advised to keep their operating systems and software updated and patched timely.

Hike in Banking Malware Attacks; Mobile Malware A Part of Cyber-Crime Too!



Banking malware is on a rise and the percentage of the wreckage it causes has risen up to 50%.

The viral banking malware usually is on the lookout for payment data, credentials and of course, cash.

Development kits for mobile malware code are easily available on underground portals and hence this issue is relevant.

The creators of mobile bankers henceforth allow the fabrication of new versions of malware that could be distributed on an enormous scale.

Ramnit (28%), Trickbot (21%) and Ursnif (10%) are apparently the most widely known types of the malware.

Mobile malware happens to be pretty difficult to identify and equally so to deal with as they use similar malicious techniques that are applied on computers.

The variants of the malware that were recurrently identified by the anti-virus solutions were Android-bound Triada (30%), Lotoor (11%) and Hidad (7%).

Turning the anti-malware off, using transparent icons with empty application labels, delayed execution to bypass sandboxes, and encrypting the malicious payload are a few of the evasion techniques being employed, per sources.

Trickbot Trojan Gets 'BokBot' Proxy Module to Steal Banking Info.




In 2017, IBM's X-Force team discovered a banking trojan named as 'BokBot', which redirects users to malicious online banking websites or can link victims to a browser procedure in order to insert unauthorized content onto official bank pages, it's also known as IcedID.

The authors of Trickbot trojan have begun to distribute a custom proxy module to the users; Trickbot trojan is a new component originated from BokBot's code for web injection, it works with some of the widely used web browsers.

The new variant came with its separate configuration file, it was detected on an infected system on 5th of July as "shadnewDll".

How does the malware work?

The malicious process begins with an infected Office Word document that downloads the Ursnif trojan after deploying a PowerShell script. Then, a Trickbot version along with the IcedID proxy module is received by the compromised host, it is programmed to intercept and modify web traffic.

After examining the component, Vitali Kremez, security researcher, said that it can be attached to the following web browsers: Microsoft Edge, Mozilla Firefox, Internet Explorer and Google Chrome.

Upon further inspection, the module appeared to be particularly adapted for TrickBot or other fraud bank operations which is based on the installion of this malware and its variants.

Referencing from the research of FireEye, "The TrickBot administrator group, which is suspected to be based in Eastern Europe, most likely provide the malware to a limited number of cyber criminal actors to use in operations." 

Cybercriminal Gang behind $100million theft busted









An international cybercrime network that used Russian malware to steal $100 million from tens of thousands of victims have been busted by the joint operation of Unites States and European police.  

The gang used an extremely powerful GozNym banking malware to infect the computers which allowed them to steal the user’s bank login details, it involves "more than 41,000 victims, primarily businesses and their financial institutions," Europol said. 

The malware GozNym is a combination of two other malware — Gozi and Nymaim. According to the IBM X-Force Research team the malware took the most powerful elements of each one. “From the Nymaim malware, it leverages the dropper’s stealth and persistence; the Gozi parts add the banking Trojan’s capabilities to facilitate fraud via infected internet browsers,” the team said, adding: “The end result is a new banking Trojan in the wild.”

The prosecutions have been launched against the gang in Georgia, Moldova, Ukraine and the United States. While five Russians charged in the US remain on the run, the EU police agency Europol said.

Alexander Konovolov, 35, of Tbilisi, Georgia, is a prime accused and the leader of the network, and  is currently being prosecuted in Georgia.


Police in Germany and Bulgaria were also involved.

Banking Malware Being Distributed By Hackers Via Password Protected Zip Files!





Cyber-cons have a new way of wreaking havoc. Hackers have found another unique way to bypass security. Reportedly the infamous BOM technique’s to blame.

The “Byte Order Mark” technique goes about altering the host’s files on the windows system.

The major superpower of the BOM is helping the threat actor group to be under the line of display or detection.

The researchers from a very widely known anti-virus firm noticed a new campaign that majorly worked on spear phishing.

The spear phishing process would help to deliver the infected files to the victim’s system.

The moment the user attempts to open the ZIP file using their default browser, it all crashes and an error sign pops up, saying.

According to the researchers, the legit ZIP files start with “PK” and are of (0x 504B). The BOM have extra three bytes (0x EFBBBF) found within UTF-8 text files.

In some systems the ZIP archive format goes undetected but in some systems it’s recognized as a UTF-8 text file and the malicious payload isn’t extracted.

The same files on the other hand could be opened via third-party functions to name a few 7-Zip & WinRAR.

Once the extraction of the file is done, the malware is executed thence beginning the infection process.

Systems using third party utilities are more susceptible to such malware attacks than the rest.

The malicious executable is just a tool to help load the main payload inserted within the main source section.

The malware originates from a DDL along with a BICDAT function encrypted with the XOR based algorithm.
The library then downloads a second stage of payload, the password protected ZIP file.
The dcyber crownloaded payload material is encrypted using similar functions as the inserted payload.
After having extracted the necessary files the last and final payload is launched, which goes by the name of “Banking RAT malware.”
This RAT scours information like access card codes, dates of birth, account passwords, electronic signature, e-banking passwords and etc from the system.