Search This Blog
Powered by Blogger.

Blog Archive

Labels

About Me

Load More
Trendy Right Now

Popular Posts

Showing posts with label Banking Trojan. Show all posts
TrickMo
Android Banking Trojan lockscreen malware Pin TrickMo

New TrickMo Variants Exploit Fake Lock Screens to Steal Android PINs

 



A perilous new variant of the Android banking malware TrickMo has been discovered, capable of mimicking the Android lock screen and stealing users' PINs. This comes according to the data compiled by the security firm Zimperium, who made a deep analysis of the malware. The firm said that some 40 new variants of TrickMo have been found in the wild. These are associated with 16 dropper applications and 22 different command and control (C2) servers.

The new report follows earlier research by Cleafy, which had already managed to detect some of these, but not all, variants. TrickMo had been observed used in cyberattacks since September 2019, although it wasn't documented until last year by the IBM X-Force group.


How TrickMo Works to Deceive

One such feature in this new version of TrickMo is the fake Android lock screen designed to further dupe the users into handing over their PIN or unlock pattern. The screen seems like a real one. It actually renders in full-screen mode to mimic the prompt from an original Android. Once the user inputs his credentials, malware will capture that and transmit over to a remote server along with its unique identifier. This will provide thieves with access to the device later, often when it is not actively monitored, allowing them to go on and carry out whatever fraudulent activities they want.

In addition, TrickMo has other malicious abilities-the intercepting of one-time passwords, screen recording, exfiltration of data, and even the remote control of the infected device. Thus, TrickMo is another banking trojan, which mainly operates relying on the stealing of login credentials with the presentation of phishing pages of various banks.


The New Generation of Adaptation Malware

New variants of TrickMo malware attempt to exploit the Accessibility Service permission in Android. As a result, the malware would be able to grab greater control over the device and the possibility of automating different actions without even letting the actual user know about such actions. This is an abuse of accessibility features that grants the malware easier ways for interacting with system prompts, such as giving itself further permissions or making phishing pages appear.

Cyber security experts consider the mature and dynamic capabilities to make TrickMo a most dangerous threat. The phishing screens will be more likely to capture the users, and once the credentials are captured, then hackers can carry out unauthorised transactions using their banking apps or log in to other sensitive accounts.


Large-scale Impact on Victims

Zimperium's research showed that at least 13,000 victims from several countries, such as Canada, United Arab Emirates, Turkey, and Germany, have been affected by the TrickMo malware. The real number of attached devices, however, may be much higher as the malware operates through multiple C2 servers.

It targeted most of the banking applications but has since grown to target many more applications such as VPN services, streaming services, online e-commerce websites, and even social media and enterprise-based platforms. More alarming, it threatens because it can compromise user accounts associated with different kinds of services, not just financial services.


Staying Safe from TrickMo

This spreads through misleading the users into downloading the malicious APK files from unknown sources. To avoid infection, users are not encouraged to click on any links whatsoever-those coming through SMS or direct messages from unknown contacts in particular. Enablement of Google Play Protect is likely to prevent known variants of TrickMo from being installed on Android devices.

The sophistication level of malware like TrickMo tends to keep reminding everyone of the importance of maintaining their software up to date and not to interact with any unfamiliar apps or websites. As it continues to morph into even dangerous forms, cybersecurity experts have kept alerting Android users to be on high alert and ensure that such security features like Google Play Protect are turned on in order to provide a first line of defence against such threats.

Zimperium has taken the noble step in releasing TrickMo's C2 infrastructure details on GitHub, thus being in a better position to help cybersecurity experts and organisations ward off the trojan. It is important to note that while saying so, users are advised to be vigilant and take proper measures to ensure their sensitive information will not be compromised by malicious software such as TrickMo.


Read more »
TrickMo
Banking Security Banking Trojan C2 servers Cyberattack Data Breach device access malware Mobile Threats Security TrickMo

TrickMo Banking Trojan Unveils Advanced Threat Capabilities in Latest Variant

Malware Analyst at Zimperium, Aazim Yaswant, has released an in-depth report on the most recent TrickMo samples, highlighting worrisome new functionalities of this banking trojan. Initially reported by Cleafy in September, this new version of TrickMo employs various techniques to avoid detection and scrutiny, such as obfuscation and manipulating zip files. 

Yaswant’s team discovered 40 variants of TrickMo, consisting of 16 droppers and 22 active Command and Control (C2) servers, many of which remain hidden from the broader cybersecurity community.

Although TrickMo primarily focuses on stealing banking credentials, Yaswant's analysis has exposed more sophisticated abilities. "These features allow the malware to access virtually any data on the device," Yaswant stated. TrickMo is capable of intercepting OTPs, recording screens, remotely controlling the device, extracting data, and misusing accessibility services to gain permissions and perform actions without the user’s approval. Additionally, it can display misleading overlays designed to capture login credentials, enabling unauthorized financial transactions.

A particularly concerning discovery in Yaswant's findings is TrickMo’s ability to steal the device’s unlock pattern or PIN. This enables attackers to bypass security measures and access the device while it is locked. The malware achieves this by mimicking the legitimate unlock screen. “Once the user enters their unlock pattern or PIN, the page transmits the captured data, along with a unique device identifier,” Yaswant explained.

Zimperium’s researchers managed to gain entry to several C2 servers, identifying approximately 13,000 unique IP addresses linked to malware victims. The analysis revealed that TrickMo primarily targets regions such as Canada, the UAE, Turkey, and Germany. Yaswant’s investigation also uncovered millions of compromised records, with the stolen data including not only banking credentials but also access to corporate VPNs and internal websites, posing significant risks to organizations by potentially exposing them to larger-scale cyberattacks.
Read more »
South America
Banking Trojan Cyber Security Cyberthreats Digital Fraud Money Scams phishing South America

Global Resurgence of Grandoreiro Banking Trojan Hitting High

 
The cybercriminal group behind the Grandoreiro banking trojan has re-emerged in a global campaign since March 2024, following a significant law enforcement takedown earlier this year. This large-scale phishing operation targets over 1,500 banks across more than 60 countries, spanning Central and South America, Africa, Europe, and the Indo-Pacific, according to IBM X-ForceIBM X-Force. Originally focused on Latin America, Spain, and Portugal, Grandoreiro’s new campaign signifies a strategic shift after Brazilian authorities disrupted its infrastructure. 

Despite a major takedown in January 2024, which saw the Brazilian Federal Police, Interpol, the Spanish National Police, ESET, and Caixa Bank dismantle the operation and arrest five individuals, the malware has returned with significant upgrades. The phishing emails associated with Grandoreiro masquerade as urgent government payment requests, prompting recipients to click on links that download and execute malicious files. 

Once installed, the trojan interacts with banking apps to facilitate fraudulent transactions, logs keystrokes and captures screenshots to steal banking credentials and sensitive data. It also allows remote system manipulation and file operations by threat actors. A key enhancement in the latest version is a module that captures Microsoft Outlook data and uses compromised email accounts to spread spam. 

Grandoreiro employs the Outlook Security Manager tool to bypass security alerts, enabling seamless interaction with the Outlook client. IBM X-Force reports substantial improvements to the malware’s evasion techniques, including a string decryption method using AES CBC encryption with a unique decoder. The domain generation algorithm (DGA) has been upgraded with multiple seeds to enhance command and control (C2) communications. 

The trojan can also disable security alerts in Outlook and send phishing emails using compromised credentials. The updated Grandoreiro evades execution in several countries, including Poland, the Czech Republic, the Netherlands, and Russia. It also blocks operation on Windows 7 systems in the US without an active antivirus program, demonstrating its resilience and increased persistence. 

To combat the threat of Grandoreiro 

Organizations are advised to prioritize user education on phishing tactics. Employees should be trained to recognize suspicious emails, verify sender legitimacy, and avoid clicking on unknown links or opening untrusted attachments. Robust spam filtering systems at the gateway level can intercept many phishing emails, while behavior-based detection techniques in endpoint security systems can identify and stop harmful activities. As phishing attacks rise, protecting organizations becomes crucial. 

Enhancing user awareness is key, and resources like Phishing Tackle offer tools and training to help users recognize and avoid phishing threats. Despite technological defenses, user education remains vital in minimizing the impact of successful attacks. Consulting with experts can provide valuable insights and tools to strengthen defenses against these persistent threats.
Read more »
malware
Banking Trojan Brokewell Browser Chrome Google malware

Banking Malware "Brokewell" Hacks Android Devices, Steals User Data

Banking Malware "Brokewell" Hacks Android Devices

Security experts have uncovered a new Android banking trojan called Brokewell, which can record every event on the device, from touches and information shown to text input and programs launched.

The malware is distributed via a fake Google Chrome update that appears while using the web browser. Brokewell is in ongoing development and offers a combination of broad device takeover and remote control capabilities.

Brokewell information

ThreatFabric researchers discovered Brokewell while examining a bogus Chrome update page that released a payload, which is a common approach for deceiving unwary users into installing malware.

Looking back at previous campaigns, the researchers discovered that Brokewell had previously been used to target "buy now, pay later" financial institutions (such as Klarna) while masquerading as an Austrian digital authentication tool named ID Austria.

Brokewell's key capabilities include data theft and remote control for attackers.

Data theft 

  • Involves mimicking login windows of targeted programs to steal passwords (overlay attacks).
  • Uses its own WebView to track and collect cookies once a user logs into a valid website.
  • Captures the victim's interactions with the device, such as taps, swipes, and text inputs, to steal data displayed or inputted on it.
  • Collects hardware and software information about the device.
  • Retrieves call logs.
  • determines the device's physical position.
  • Captures audio with the device's microphone.

Device Takeover: 

  • The attacker can see the device's screen in real time (screen streaming).
  • Remotely executes touch and swipe gestures on the infected device.
  • Allows remote clicking on specific screen components or coordinates.
  • Allows for remote scrolling within elements and text entry into specific fields.
  • Simulates physical button presses such as Back, Home, and Recents.
  • Remotely activates the device's screen, allowing you to capture any information.
  • Adjusts brightness and volume to zero.

New threat actor and loader

According to ThreatFabric, the developer of Brokewell is a guy who goes by the name Baron Samedit and has been providing tools for verifying stolen accounts for at least two years.

The researchers identified another tool named "Brokewell Android Loader," which was also developed by Samedit. The tool was housed on one of Brokewell's command and control servers and is utilized by several hackers.

Unexpectedly, this loader can circumvent the restrictions Google imposed in Android 13 and later to prevent misuse of the Accessibility Service for side-loaded programs (APKs).

This bypass has been a problem since mid-2022, and it became even more of a problem in late 2023 when dropper-as-a-service (DaaS) operations began offering it as part of their service, as well as malware incorporating the tactics into their bespoke loaders.

As Brokewell shows, loaders that circumvent constraints to prevent Accessibility Service access to APKs downloaded from suspicious sources are now ubiquitous and widely used in the wild.

Security experts warn that device control capabilities, like as those seen in the Brokewell banker for Android, are in high demand among cybercriminals because they allow them to commit fraud from the victim's device, avoiding fraud evaluation and detection technologies.

They anticipate Brokewell being further improved and distributed to other hackers via underground forums as part of a malware-as-a-service (MaaS) operation.

To avoid Android malware infections, avoid downloading apps or app updates from sources other than Google Play, and make sure Play Protect is always turned on.

Read more »
User Privacy
Banking Trojan Data Safety iPhone Users malware User Privacy

Beware, iPhone Users: iOS GoldDigger Trojan can Steal Face ID and Banking Details

 

Numerous people pick iPhones over Android phones because they believe iPhones are more secure. However, this may no longer be the case due to the emergence of a new banking trojan designed explicitly to target iPhone users.

According to a detailed report by the cybersecurity firm Group-IB, the Android trojan GoldDigger has now been successfully repurposed to target iPhone and iPad users. The company claims that this is the first malware designed for iOS, posing a huge threat by collecting facial recognition data, ID documents, and even SMS. 

The malware, discovered for the first time last October, now has a new version dubbed GoldPickaxe that is optimised for iOS and Android devices. When installed on an iPhone or Android phone, GoldPickaxe can collect facial recognition data, ID documents, and intercepted text messages, all with the goal of making it easier to withdraw funds from banks and other financial apps. To make matters worse, this biometric data is utilised to create AI deepfakes, which allow attackers to mimic victims and gain access to their bank accounts. 

It is vital to note that the GoldPickaxe malware is now targeting victims in Vietnam and Thailand. However, as with other malware schemes, if this one succeeds, the cybercriminals behind it may expand their reach to target iPhone and Android users in the United States, Europe, and the rest of the world. 

Android banking trojans are typically propagated via malicious apps and phishing campaigns. It is more difficult to install a trojan on an iPhone since Apple's ecosystem is more locked off than Google's. However, as hackers often do,they've figured out a way. 

Initially, the malware was disseminated via Apple's TestFlight program, which allows developers to deploy beta app versions without going through the App Store's authorization process. However, after Apple removed it from TestFlight, the hackers shifted to a more complicated way employing a Mobile Device Management (MDM) profile, which is generally used to manage enterprise devices. 

Given how successful a banking trojan like GoldDigger or GoldPickaxe can be, especially since it can target both iPhones and Android phones, this is unlikely to be the last time we hear about this spyware or the hackers behind it. As of now, even the most latest versions of iOS and iPadOS appear to be vulnerable to this Trojan. Group-IB has contacted Apple about the flaw, so a solution is likely in the works.
Read more »
Trojan
Banking Trojan cyber attack Cyber Attacks Malicious Activities Mexico Mispadu Stealer Trojan

New Variant of Banking Trojan Discovered Targeting Mexico

In a recent discovery, cybersecurity researchers from Palo Alto Networks Unit 42 have uncovered a new variant of the stealthy banking Trojan known as Mispadu Stealer. This infostealer is specifically designed to target regions and URLs associated with Mexico, posing a significant threat to users in the region. 

The researchers stumbled upon this new variant while conducting investigations into attacks exploiting the Windows SmartScreen bypass vulnerability CVE-2023-36025. This vulnerability has been a prime target for cybercriminals looking to bypass security measures and infiltrate systems. However, it was addressed by Microsoft in November 2023. 

How You Are Being Attacked?

Essentially, attackers exploit a flaw in Windows SmartScreen, a security feature designed to warn users about potentially harmful downloads. By crafting internet shortcut files (.URL) or hyperlinks that point to malicious content, they can evade SmartScreen's defenses. This evasion tactic hinges on including a parameter that points to a network share rather than a standard URL. Inside the manipulated.URL file is a link leading to a network share controlled by the threat actor, housing a dangerous executable file. 

Since August 2022, Mispadu has been behind numerous spam campaigns, resulting in the theft of over 90,000 bank account credentials. This revelation highlights the significant threat Mispadu poses to the financial security of users across Latin America. However, Mispadu is just one member of a larger family of LATAM banking malware. 

Among its notorious counterparts is Grandoreiro, a formidable threat that has plagued users in the region. Recent efforts by law enforcement authorities in Brazil have resulted in the dismantling of Grandoreiro, offering some relief to users. 

Despite this success, cybersecurity experts warn that the danger from Mispadu and similar malware persists. Users are urged to remain vigilant when dealing with unsolicited emails and to bolster their defenses with robust security measures. By staying informed and implementing proactive strategies, users can better protect themselves against potential attacks.
Read more »
User Privacy
Banking Trojan Data Safety malware Malware Family Online Security User Privacy

Qbot: The Ever Expanding Malware Family

 

Given how widespread malware has become, new "families" of each type are being developed. Qbot, a family of malware that is used to steal data, falls under this category. 

Qbot's history 

As is sometimes the case with malware, Qbot (also referred to as Qakbot, Quakbot, or Pinkslipbot) wasn't identified until it was actually spotted in the wild. In the context of cybersecurity, the phrase "in the wild" describes a situation in which malware spreads unintentionally among targeted devices. As a kind of malware, Qbot is suspected to have existed at least as far back as 2007, making it much older than many of the more well-known varieties now in use. 

Simply because they are ineffective against new technology, several types of malware from the 2000s are no longer in use. But Qbot stands out in this case. Qbot has been running for at least 16 years as of the time of writing, an astonishing longevity for malware. 

Although this has also been interrupted by stretches of inactivity, Qbot has been routinely seen in use in the wild since 2007. In any event, cybercriminals continue to favour it as a choice. 

Qbot has changed throughout time and has been utilised by different hackers for a variety of purposes. Qbot started out as a Trojan, a virus that hides itself inside of software that seems to be safe. Data theft and remote access are only two of the many destructive uses for trojans. More precisely, Qbot targets banking credentials. It is regarded as a banking Trojan as a result. Is this still the case, though? How does Qbot function right now?

Modus operandi

The most notable type of the Qbot that is currently being spotted is an infostealer Trojan. Infostealer Trojans are intended to steal valuable data, including financial information, login passwords, and contact information, as their name implies. This particular strain of Qbot malware is mostly used to steal credentials. Variants of Qbot have also been seen engaging in keylogging, process hooking, and even system attacks using backdoors.

Qbot has been altered to have backdoor capabilities since it was first developed in the 2000s, making it an even greater threat. A backdoor is essentially an unauthorised method of accessing a network or system. Backdoors are frequently used by hackers to conduct their assaults because they provide a simpler entry point. This Qbot variation is referred to as "Backdoor.Qbot." 

Initially, the Trojan-like Emotet virus was used to propagate Qbot. Nowadays, malicious email campaigns using attachments are the main way that Qbot is disseminated. Large quantities of spam are sent during such campaigns to hundreds or even thousands of recipients in the hopes that some of the users who are being targeted would respond. 

Qbot has frequently been seen as a.zip file with an XLS dropper that contains macros inside malicious email attachments. Malware can be installed on a recipient's device if they open a malicious attachment, frequently without their awareness. Exploit kits can also be used to propagate Qbot. These are instruments that help cybercriminals spread malware. 

Exploit kits can identify security flaws in a device's construction and then take advantage of such flaws to get unauthorised access. 

However, things continue even after backdoors and password theft. Operators of Qbots have been crucial Initial Access Brokers. These are cybercriminals who offer other hostile actors system access for sale. Access has been allowed to some very large organizations, including the ransomware-as-a-service provider REvil, in the instance of the Qbot perpetrators. In fact, a number of ransomware partners have been seen employing Qbot to get initial access to systems, giving the malware yet another alarming use.

Qbot is used to target a variety of industries and has surfaced in numerous harmful activities. Qbot has targeted manufacturing enterprises, government agencies, banking websites, healthcare organizations, and more. 2020 data from TrendMicro indicated that 28.1% of Qbot's targets are in the healthcare industry. 

In the same analysis, TrendMicro also noted that the US, China, and Thailand had the greatest rates of Qbot detection in 2020. Qbot is obviously a worldwide danger because it was also frequently detected in Australia, Germany, and Japan. 

Mitigation tips

It's crucial that you are aware of the signs of malicious mail because Qbot is frequently disseminated through spam campaigns. 

Starting with the contents, there are many warning signs that an email may be malicious. It's advisable to avoid clicking any links or attachments from new email addresses until you are certain they can be trusted. You may check a URL's validity on a number of link-checking websites to see whether it is safe to click or not. 

The file extensions.pdf,.exe,.doc,.xls, and.scr are among those that are frequently used to propagate malware. Although not the only file extensions used to spread malware, these are among the most popular kinds, so be on the lookout for them when you receive emails with attached files. 

Additionally, you should exercise caution if an email from a new sender carries a sense of urgency. In order to persuade victims to comply, cybercriminals frequently utilise persuasive language in their emails.
Read more »
User Privacy
Android Malware Banking Trojan Crypto Apps data security Mobile Security User Privacy

Beware of this Android Banking Trojan that Steals Banking Credentials

 

A financial trojan called "Godfather" which is capable of stealing account credentials from more than 400 different banking and cryptocurrency apps is presently targeting Android users in 16 other countries. 

According to a recent report from the cybersecurity company Group-IB, the Godfather trojan, which was initially uncovered by ThreatFabric back in March of last year, has been dramatically upgraded and updated since then. 

In a second report, the dark web and cybercrime monitoring company Cyble describes how Godfather is also being disseminated in Turkey through a malicious app that has been downloaded 10 million times and pretends to be a well-known music application. 

Godfather is thought to be the replacement for Anubis, a well-known and widely-used banking Trojan before it lost the capacity to get past updated Android defenses, BleepingComputer reported. 

Banking and cryptocurrency apps on the hit list 

The banking trojan has targeted users of more than 400 apps since it first debuted last year, including 215 banking apps, 94 cryptocurrency wallets, and 110 crypto trading platforms. The malware also targeted 49 banking apps in the US, 31 in Turkey, 30 in Spain, 22 in Canada, 20 in France, 19 in Germany, and 17 in the UK, among other nations. 

Surprisingly, Group-IB discovered a section in Godfather's code that stops the malware from aiming for users from former Soviet Union nations and users in Russia, indicating that its developers speak Russian. The malware checks the system language on an Android device after installation to see if it is Russian, Azerbaijani, Armenian, Belarusian, Kazakh, Kyrgyz, Moldovan, Uzbek, or Tajik. If so, Godfather shuts down and doesn't attempt to steal any stored cryptocurrency or banking accounts.

Modus operandi 

Godfather attempts to acquire persistence on an Android phone after being installed via a malicious app or file by impersonating Google Protect. Once you download an app from the Google Play Store, this genuine software begins to execute. 

The banking trojan then claims to be "scanning" when, in fact, it is hiding its icon from the list of installed apps and creating a pinned "Google Project" notice. Because of this, malware is more likely to blend into the background and is more challenging to remove. 

A targeted user goes about their normal activities because Godfather's symbol is missing. To steal user passwords and empty their accounts, the malware then applies false overlays to well-known banking and cryptocurrency apps. Additionally, Godfather employs a smart tactic to direct people to phishing websites. It accomplishes this by displaying a fake notification that impersonates one of its smartphone's loaded banking or cryptocurrency apps. 

In addition to stealing credentials, the malware is able to record a user's screen, launch keyloggers to capture their keystrokes, route calls to get around two-factor authentication (2FA), and send SMS messages from infected devices. 

Mitigation Tips 

Installing new apps from a third party other than the Google Play Store or other official app stores like the Amazon App Store or Samsung Galaxy Store puts you at risk for Godfather and other Android malware. While sideloading apps could be alluring, since they are uploaded without any security checks, they may be infected with malware and other viruses. 

Additionally, make sure Google Play Protect is turned on so that it can scan both new and old apps for malware. However, you might also want to download one of the top Android antivirus apps for additional security.
Read more »
Subscribe to: Posts (Atom)