Search This Blog
Powered by Blogger.

Blog Archive

Labels

About Me

Load More
Trendy Right Now

Popular Posts

Showing posts with label Banking Trojans. Show all posts
Phishing Attacks
Banking Trojans Chrome Extensions CyberCartel malware Phishing Attacks

CyberCartel: Latest Banking Trojan Threat in Chrome Extensions


In recent years, Latin America (LATAM) has become a favourite target for threat actors, especially those attacking financial organizations. The recent report by Security Intelligence titled "Unveiling the Latest Banking Threats in LATAM," explains the changing scenario of banking Trojans in the region. This blog covers important findings and results of the report, showing the sophisticated techniques used by threat actors and the immediate need for advanced cybersecurity measures.

Malicious Chrome Extension Rising

The top trend concerning the report is the rise in campaigns that involve Chrome extensions. The extensions, often masked as genuine tools, are made to hack into users' browsers and do various activities. After installing, threat actors can hack login credentials, take screenshots, and deploy malicious scripts into web pages. The report stresses that these extensions are specifically dangerous as they can evade traditional security checks and stay hidden for longer periods.

CyberCartel and its Role

The report also sheds light on the notorious activities of the cybercriminal group known as CyberCartel. The group has been associated with various high-profile attacks on financial organizations and government officials in LATAM. CyberCartel works via the Malware-as-a-Service (MaaS) model, offering other threat actors the tools and infrastructure needed to launch sophisticated attacks. This has allowed amateur cybercriminals to give access and contribute to the frequency and severity of attacks.

Attacking High-Profile Entities

CyberCartel's main targets are high-profile entities like government offices and financial institutions. These forms are lucrative targets because of the sensitive info they manage and the possible financial gain for threat actors. The report mentions various incidents where CyberCartel successfully hacked these organizations, causing reputational and financial damage. The group's potential to adjust and develop its techniques makes it a dangerous adversary for cybersecurity experts.

Advanced Tactics and Techniques

One sophisticated technique is using social engineering to fool users into installing malicious software. Cybercriminals make believable phishing emails and fake websites that impersonate genuine institutions. Hackers access their accounts and launch fraudulent transactions once users are tricked into giving their credentials.

Another sophisticated technique is using polymorphic malware, infamous for changing its code to escape detection by antivirus software. This kind of malware is difficult to address as it requires consistent updates to security systems to keep up with changing threat scenarios. 

Read more »
Zimperium zLabs
Banking Trojans Binance Cash App Cyber Attacks Google Play Store User Privacy VPN Zimperium zLabs

Android Trojans are After Financial Apps With Over a Billion Downloads

 

The exploitation of financial apps by trojans has become prevalent, according to a report by Zimperium, a mobile security firm. Trojans are a type of malware that infects users' devices by posing as legitimate and trustworthy programs. The researchers looked at ten separate trojans that are currently active in the open and discovered that they target 639 financial Android apps when combined. 

Once they've infected a device, they leverage Accessibility services to take actions as the user, overlaying login pages on top of authentic banking and finance apps to steal login details, monitoring notifications to capture OTPs, and even carrying out on-device financial fraud. This is particularly concerning because, according to 2021 studies, three out of four Americans use banking applications to conduct their regular financial activities, offering a large target pool for these trojans.

The Google Play Store has slightly over 1 billion downloads of these mobile banking, investment, payment, and cryptocurrency apps combined. PhonePe, which is immensely popular in India and has 100 million downloads on the Play Store, is the targeted application with the most downloads. 

The popular bitcoin exchange software Binance has received 50 million downloads. Cash App is a mobile payment service that is available in the United States and the United Kingdom, with 50 million downloads on Google Play. Even though they don't provide traditional financial services, some banking Trojans target both of these. BBVA, a worldwide online banking platform with tens of millions of downloads, is the most widely marketed application. Seven of the ten most active banking trojans have been found to target this app. 

Additional trojans which were active during the first half of 2021 include the following: 

  • BianLian is a malware that targets Binance, BBVA, and several Turkish apps.
  • Cabassous is after clients from Barclays, CommBank, Halifax, Lloys, and Santander. 
  • Coper may take over accounts from BBVA, Caixa Bank, CommBank, and Santander. 
  • Barclays, Intensa, BancoPosta, and a slew of other Italian apps are among the targets of EventBot. This one uses Microsoft Word or Adobe Flash to hide its true identity. 
  • PayPal, Binance, Cash App, Barclays, BBVA, and CaixaBank may all be affected by the aforementioned Exobot. 
  • FluBot affected BBVA, Caixa, Santander, and several other Spanish apps. 
  • Medusa was a banking app that targeted BBVA, CaixaBank, Ziraat, and Turkish banks. 
  • Binance, BBVA, and Coinbase were all hit by Sharkbot. 
  • PhonePe, Binance, Barclays, Crypto.com, Postepay, Bank of America, Capital One, Citi Mobile, and Coinbase are among the companies targeted by Teabot. 
  • BBVA and a slew of other EU-specific bank apps are among those targeted by Xenomorph. 
The method utilized by these trojans would be that they each have a small target scope and different types of functionality for diverse goals. Because these trojans are concealed among programs available on Android's official app store, users should be cautious and avoid downloading apps from untrustworthy sources. One may take it a step further by using a provider like ExpressVPN.
Read more »
malware
Banking Trojans Emotet Emotet Trojan malware

Botnet Activity Goes Down; Revived Emotet Suffers Hindrances in Operations by A Vigilante Hacker


An anonymous vigilante hacker has been actively involved in obstructing 2019's most widespread cybercrime operation, Emotet that made a comeback recently. He has been sabotaging the malicious affairs and protecting users from getting affected by removing Emotet payloads and inserting animated GIFs at their places. Acting as an intruder, he replaced Emotet payloads with animated GIFs on certain hacked WordPress sites, meaning when victims would open the infected Office files, the malware would not be downloaded and executed on their computers, saving them from the infection.

Emotet is a banking Trojan that was first spotted in the year 2014 by security researchers, it was primarily designed to sneak onto the victim's computer and mine sensitive data. Later, the banking malware was updated; newer versions came up with spamming and malware delivery functionality. Emotet is equipped with capabilities to escape anti-malware detection, it uses worm-like abilities that help it proliferate through connected systems. Mainly, the infection is spread via malspam, however, it may also be sent through malicious scripts, links, or macro-enabled documents.

Started off casually a few days ago, on the 21st of July, the act of sabotaging the operations has become a major concern for the Emotet authors, affecting a significant fragment of the malware botnet’s revived campaign. Essentially, the sabotage has been possible owing to the fact that Emotet authors are not employing the best web shells in the market, it was noted earlier in 2019 also that the criminals involved in Emotet operations were using open-source scripts and identical password for all the web shells, risking the security of its infrastructure and making it vulnerable to hijacks just by a simple guess of password.

While giving insights on the matter, Kevin Beaumont said in 2019, “The Emotet payload distribution method is super insecure, they deploy an open-source webshell off Github into the WordPress sites they hack, all with the same password, so anybody can change the payloads infected PCs are receiving.
Read more »
ransomware attacks
Banking Trojans malware Online fraud Ransomware ransomware attacks

ProLock Ransomware Operators Join Hands with QakBot Trojan to Infect Victims' Networks


'Human-operated ransomware' has been on a rise with the emergence of ProLock in the month of March, the new ransomware came as a successor to 'PwndLocker', another variant of malware targeting all the major industries from finance, retail to healthcare and governmental organizations as well. Notably, in late April, the attack targeting the largest ATM provider in the United States, Diebold Nixdorf was the first major attack carried by ProLock where the attackers only compromised the company's corporate network while their ATMs and customer networks were left untouched, according to the media reports.

In order to acquire access to targets' networks, ProLock has joined hands with financial malware primarily targeting businesses, QakBot. Since its initial online fraud attacks, the banking trojan has constantly evolved to specialize in SOCKS proxy, anti-research capabilities and to effectively steal victims' online banking credentials. The malware has been upgraded so much so that one of its present variants can even incapacitate securing software functioning at the endpoints. Interestingly, the assistance of QakBot that distinguishes the malware from other ransomware operators further strengthens the operations of ProLock as it helps the malware with credential dumping and anti-detection techniques.

ProLock makes use of RDP and QakBot to set the attack into motion, it assists the threat actors in evading detection and with persistence. Researchers told QBot specializes in bypassing detection as it is programmed to check out for its latest version and replace its current version with the newest one. Meanwhile, in order to acquire persistence in the network, the attackers use authentic accounts for RDP. RDP allows the malware to move laterally across networks and accumulate data, which later is exfiltrated through a command-line tool. Side by side, the files are being encrypted by ProLock that adds a .proLock, .pr0Lock or .proL0ck extension to all the encrypted files and leaves a ransom note demanding a ransom in turn for their data. However, as of now, ProLock doesn't have a website to publish victims' stolen data in case they are denied ransom.

“ProLock uses many similar techniques as other ransomware operators to achieve their goals,” said Oleg Skulkin, senior digital forensics analyst at Group-IB in a recent analysis. “At the same time, however, the group does have its own unique approach. With more and more cybercrime groups showing interest in enterprise ransomware deployment campaigns, some operators may be involved in deploying different ransomware families, so we’ll likely see more overlaps in tactics, techniques, and procedures.”
Read more »
Mobile Banking Malware
Banking Trojans Google Play Store Mobile Banking Malware

Rise of a Mobile Banking Malware Which Steals Personal Financial Information



The federal cybersecurity agency cautions about the rise of a new mobile banking malware called "EventBot", which purportedly steal personal financial information and says it might influence Android phone users in India, in a most recent advisory.

The Trojan infection may "masquerade as a legitimate application such as Microsoft Word, Adobe flash and others using third-party application downloading sites to infiltrate into victim device” as per an alert issued by the (CERT-In) Computer Emergency Response Team of India, the national technology arm to combat cyber-attacks and guard the Indian cyberspace.

“It has been observed that a new Android mobile malware named EventBot is spreading. It is a mobile-banking Trojan and info-stealer that abuses Android's in-built accessibility feature to steal user data from financial applications, read user SMS messages and intercept SMS messages, allowing malware to bypass two-factor authentication," said the CERT-In warning.

As indicated by the CERT-In the virus "to a great extent target financial apps like PayPal Business, Revolut, Barclays, UniCredit, CapitalOne UK, HSBC UK, TransferWise, Coinbase, paysafecard and so on"

The agency said while "EventBot" has not been "seen" on Google Playstore till now, it can "masquerade" as a certified mobile phone application.

The virus further prompts the users to offer access to their device accessibility services. The advisory claimed that the virus is equipped for recovering notifications about other installed applications and read the contents of various applications.

Over time, it can also read Lock Screen and in-app PIN that can give the attacker more privileged access over victim device,"

The cybersecurity agency has proposed certain counter-measures to check the virus infection within the Android phones: "Do not download and install applications from untrusted sources like unknown websites and links on unscrupulous messages; install updated anti-virus solution; prior to downloading or installing apps even from Google Playstore), always review the app details, number of downloads, user reviews, comments and the 'additional information' section”

Lastly, it requested that users abstain from utilizing unsecured, unknown Wi-Fi systems, and for prior affirming of a banking/financial application from the source organization.
Read more »
Spyware
Banking Trojans Cyber Security phishing Phishing Attacks Spyware

The lifespan of Phishing Attacks Recorded a Tremendous Growth in H2 2019


Phishing attacks recorded a remarkable surge in H2 2019, the growth has been alarming with the number of phishing websites blockages soaring by 230 percent per year. Earlier, phishers would terminate the fraudulent campaign once their webpages were blocked, however, now they are immediately mobilizing the phishing attack onto other brands. It serves as the main reason as to why the number grew so rampantly.

As the lifespan of phishing attacks increased tremendously, attackers became specific about their target pool and have increasingly targeted online services and cloud storage providers, the primary reason being the huge chunks of sensitive data stored in them that can be downloaded by the attackers to later threaten the victims for a ransom.

Turning towards a diligent attacking method, phishers have improved upon the ways they choose their campaigns and targets – preferring quantity over quality. Client software, e-commerce, online streaming, and delivery services were some online services that contributed to 29.3 percent of the phishers' targets, cloud storages amounted to 25.4 percent while financial organizations made for a total of 17.6 percent, as per the statistics for the last year.

While spotting and preventing the distribution of threats online, a total of 8,506 phishing web resources were blocked by Group-IB's Computer Emergency Response Team (CERT-GIB).

While providing insights on the matter to Help Net Security, Yaroslav Kargalev, CERT-GIB deputy head said, “Several years ago, creators of phishing pages were likely to have some technical background, they created phishing pages, putting much effort into the launch of their campaigns, preventing them from being detected and relentlessly supporting their sustainability....”

“This industry has changed its face — those pioneers no longer create phishing pages, they create tools for operators of web phishing campaigns who do not necessarily have any programming skills, and last year became the culmination of this trend. Since this new generation of phishers is not that experienced in maintaining the web resources viable, the phishing community’s focus has shifted toward the number of scam resources,” he added.

Banking Trojans and cryptocurrency projects have seen a steep decline in their preference amongst cybercriminals. As the functionality of backdoors has continued to expand, spyware and backdoors have stolen the show to reach the number one spot in the popularity rankings with a whopping 35 percent share.
Read more »
malware
Banking Malware Banking Trojans Email Spoofing malware

Banking Trojan 'Metamorfo' Now Targeting Online Users' Banking Services


Online banking users are being targeted by a trojan malware campaign going around the globe with the agenda of gaining illegal access to personal information such as credit card details and other sensitive data of users.

The banking trojan which has successfully affected more than 20 online banks goes by the name 'Metamorfo'. Several countries fell prey to the banking trojan including the US, Spain, Peru, Canada, Chile, Mexico, and Ecuador. Reportedly, earlier the attack was limited to Brazil-based banks only, however, the recent times witnessed a rapid increase in the number of these attacks; now encompassing other countries, according to the cybersecurity researchers at Fortinet.

In order to multiply their opportunities for financial gains, Cybercriminals have continued to resort to banking trojans and have refined the apparatus of the malware – in ways that make detection complicated. The latest research indicates that earlier the targeting was limited to the banking sector only but now as the leading banking trojans have expanded their reach, industries other than banking are also vulnerable to the attacks. The likely targets include cloud service providers, online tech stores, warehousing, mobile app stores, and e-commerce, according to the latest findings.

Metamorfo relies on email spoofing to set the attack into motion, it appears to contain information regarding an invoice and directs the victims to download a .ZIP file. As soon as the targeted user downloads and finishes the extraction of the file, it tends to allow Metamorfo to run on a Windows system. After the installation is completed, the malware starts running an Autolt script execution program. Although the scripting language is primarily designed for automating the Windows graphical UI, here the malware employs it to bypass the antivirus detection.

While explaining the functioning of the malware, ZDnet told, "Once running on the compromised Windows system, Metamorfo terminates any running browsers and then prevents any new browser windows from using auto-complete and auto-suggest in data entry fields.

"This prevents the user from using auto-complete functions to enter usernames, passwords, and other information, allowing the malware's keylogger functionality to collect the data the users are thus obliged to retype. It then sends that data back to a command-and-control server run by the attackers."

There are no revelations made about the keywords related to the targeted banks and other financial institutions, however, researchers expect the Metamorfo campaign still being active. To stay on a safer side, users are advised to keep their operating systems and software updated and patched timely.
Read more »
malware
Banking Trojans Financial Sector malware

Banking Trojen rises as the Top Security Concern


According to a new research by Blueliv, banking trojans have risen as the biggest threat to the Financial sector second only to mobile malware. A twitter poll conducted by cyberthreat intelligence provider Blueliv, from 11,000 users revealed that a third of respondents were concerned about the impact banking Trojans (31 percent) and mobile malware (28 percent) will have on financial services organizations and their customers in 2020. Tracking these financial threats, Blueliv researchers observed an increase in Trickbot banking trojan (283%) and a 130% increase in Dridex botnets. These Q2 and Q3 botnets are believed to be distributing banking trojans and malware in the financial sector and their customers.


Skill shortage and lack of visibility of threats present as security challenge- According to the poll, the financial sector is suffering from a major skill shortage in building security programs and identifying security threats - the most pressing being a shortage of skills (28 percent), followed by the high volume of threats and alerts (26 percent) and a lack of visibility into cyber threats (20 percent) (by Blueliv). Realwire quotes, "This is hardly surprising: as financial services institutions (FSIs) embrace digital processes and new customer interaction channels, so their attack surface grows, making it harder to keep on top of threats ranging from Point-of-Sale (PoS) to ATM malware, mobile apps malware to card skimmers."

A recent data by (ISC)2 shows that the global skills shortage has crossed 4 million. In Europe alone, the shortage has bypassed 100 percent. Daniel Solís, CEO and founder, Blueliv says, “Organizations in the financial sector face a constantly changing threat landscape. Business priorities have shifted and digital risk management is now central. Because they are such high-value targets for cybercriminal activity, it is imperative that financial services organizations monitor what is happening both inside and outside their networks in real-time to create effective mitigation strategies before, during and after an attack.”

He further commented, “FSI (financial services institutions) security teams can be easily overwhelmed by the number of threat alerts they receive which can very quickly result in alert fatigue and desensitization to real, preventable threats. Threat intelligence can address the cyber skills gap through continuous automated monitoring combined with the human resource to provide context, helping FSIs develop highly-targeted threat detection, prevention, and investigation capabilities.”

Financial organizations are prime suspects for attacks, even after having the most sophisticated cyber defense strategies, weak spots do remain and are being exploited by trojans and malware overlooked by fraud risk assessment teams due to skills shortage and poor threat visibility.
Read more »
Subscribe to: Posts (Atom)