
PixPirate: Brand New Brazilian Banking Trojan

A new Android banking trojan, PixPirate, is targeting Brazilian banks to commit fraud through the Pix instant payment platform. Italian cybersecurity company Cleafy observed the malware between the end of 2022 and the beginning of 2023.

PixPirate has advanced capabilities, most of them achieved by abusing Android Accessibility Services: intercepting valid banking credentials, performing ATS attacks against multiple banks, deleting SMS messages, preventing its own uninstallation, disabling Google Play Protect, and serving malvertising.

"PixPirate belongs to the newest generation of Android banking trojans, as it can perform ATS (Automatic Transfer System), enabling attackers to automate the insertion of a malicious money transfer over the Instant Payment platform Pix, adopted by multiple Brazilian banks," researchers Alessandro Strino and Francesco Iubatti wrote.

Besides stealing the credentials and passwords users enter in banking apps, the operators behind the campaign have also applied code obfuscation and encryption, with the malware built on the JavaScript automation framework Auto.js, to hinder analysis and detection.

The findings came to light a little more than a month after ThreatFabric disclosed another Android banking malware, BrasDex, which also carries ATS features and abuses Pix to make fraudulent fund transfers.

"The introduction of ATS capabilities paired with frameworks that will help the development of mobile applications, using flexible and more widespread languages (lowering the learning curve and development time), could lead to more sophisticated malware that, in the future, could be compared with their workstation counterparts," the researchers said. 

The disclosure also coincides with Cyble's report of a new Android remote access trojan, tracked as Gigabud RAT, targeting users in Thailand, the Philippines, and Peru.

"The RAT has advanced features such as screen recording and abusing the accessibility services to steal banking credentials," Cyble said.

According to industry reports, Latin American countries recorded the world's highest cybercrime rate, with three times more mobile browser attacks than the global average in the first half of 2020. The same reports note that phishing attacks have a high success rate and are used by financially motivated threat actors to steal credentials such as bank logins and other financial data.

Janeleiro: a New Banking Trojan Targeting Corporate and Government Targets

Cybersecurity researchers have discovered a banking trojan that has targeted numerous organizations across Brazil. ESET published an advisory on Tuesday on the malware, which has been in development since 2018.

The trojan, named Janeleiro, focuses primarily on Brazil and has been used in attacks on corporate targets in sectors such as engineering, healthcare, finance, retail, and manufacturing. Notably, its operators have also attempted to gain access to government systems with the malware.

According to the researchers, the trojan resembles other Latin American banking trojans currently active in Brazil, notably Grandoreiro, Casbaneiro, and Mekotio.

Janeleiro's infection chain follows the pattern of most Windows bankers, with a few distinguishing details. Phishing emails are sent in small batches, disguised as unpaid invoices. They contain links to compromised servers that redirect the victim to a .zip archive hosted on a cloud service. If the target opens the archive and runs the MSI installer inside it, the installer loads the main trojan DLL onto the system.
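The delivery chain described above, turned into a hunting heuristic (an added example, not ESET's detection logic or anything taken from the report): it walks Sysmon-style events looking for msiexec.exe running a package from a user-writable folder whose process then loads an unsigned DLL from another user-writable path, and raises the severity when a .zip archive was written to the same user profile beforehand. The event format, user name, file names and paths are constructed for the example and are not indicators from the campaign.

```python
"""Hunt for archive -> MSI -> DLL delivery in simplified process telemetry.

Added example.  Event records are a constructed stand-in for Sysmon/EDR
events (ProcessCreate, ImageLoad, FileCreate); field names are assumptions.
"""
import re
from typing import Iterable, Optional

# Paths under a user profile that an ordinary user can write to.  Group 1 is the
# profile root (C:\Users\<name>), used to tie the archive to the later MSI run.
USER_WRITABLE = re.compile(
    r"^([A-Za-z]:\\Users\\[^\\]+)\\(Downloads|Desktop|Documents|AppData\\Local\\Temp)(\\|$)",
    re.IGNORECASE,
)

# Constructed sample telemetry: one suspicious chain and one benign control.
SAMPLE_EVENTS = [
    {"type": "file_create", "pid": 1201,
     "image": r"C:\Program Files\Mozilla Firefox\firefox.exe",
     "target": r"C:\Users\ana\Downloads\fatura_vencida.zip"},
    {"type": "process_create", "pid": 3344, "ppid": 2222,
     "image": r"C:\Windows\System32\msiexec.exe",
     "cmdline": r'msiexec.exe /i "C:\Users\ana\Downloads\fatura_vencida\fatura.msi"'},
    {"type": "image_load", "pid": 3344, "image": r"C:\Windows\System32\msiexec.exe",
     "loaded": r"C:\Users\ana\AppData\Local\Temp\MSI4A2F.tmp-\core.dll", "signed": False},
    # Benign control: a vendor package from Downloads whose custom-action DLL is signed.
    {"type": "process_create", "pid": 4100, "ppid": 2222,
     "image": r"C:\Windows\System32\msiexec.exe",
     "cmdline": r'msiexec.exe /i "C:\Users\ana\Downloads\vendor_agent.msi"'},
    {"type": "image_load", "pid": 4100, "image": r"C:\Windows\System32\msiexec.exe",
     "loaded": r"C:\Users\ana\AppData\Local\Temp\MSI77B1.tmp-\setup_ca.dll", "signed": True},
]


def profile_root(path: str) -> Optional[str]:
    """Return the lower-cased C:\\Users\\<name> prefix if path is user-writable, else None."""
    m = USER_WRITABLE.match(path)
    return m.group(1).lower() if m else None


def msi_package_path(cmdline: str) -> Optional[str]:
    """Extract the .msi package path (quoted or bare) from an msiexec command line."""
    m = re.search(r'"([^"]+\.msi)"|(\S+\.msi)', cmdline, re.IGNORECASE)
    return (m.group(1) or m.group(2)) if m else None


def hunt(events: Iterable[dict]) -> list[dict]:
    """Return one alert per msiexec run that matches the chain; empty list if none."""
    events = list(events)

    # Stage 1: .zip archives written into a user profile (browser, mail client, ...).
    archives: dict[str, str] = {}
    for e in events:
        if e["type"] == "file_create" and e["target"].lower().endswith(".zip"):
            root = profile_root(e["target"])
            if root:
                archives[root] = e["target"]

    alerts = []
    for e in events:
        # Stage 2: msiexec.exe installing a package from a user-writable folder.
        if e["type"] != "process_create" or not e["image"].lower().endswith("\\msiexec.exe"):
            continue
        pkg = msi_package_path(e["cmdline"])
        root = profile_root(pkg) if pkg else None
        if root is None:
            continue  # package lives in Program Files, Windows\Installer, a share, etc.

        # Stage 3: the same process loads an unsigned DLL from a user-writable path.
        dlls = [
            ev["loaded"] for ev in events
            if ev["type"] == "image_load" and ev["pid"] == e["pid"]
            and ev["loaded"].lower().endswith(".dll")
            and profile_root(ev["loaded"]) is not None
            and not ev.get("signed", False)
        ]
        if not dlls:
            continue

        alerts.append({
            "pid": e["pid"],
            "package": pkg,
            "dlls": dlls,
            "archive": archives.get(root),
            "severity": "high" if root in archives else "medium",
        })
    return alerts


if __name__ == "__main__":
    for alert in hunt(SAMPLE_EVENTS):
        print(alert)
```

Windows Installer legitimately extracts custom-action DLLs to %TEMP%\MSIxxxx.tmp and loads them from msiexec.exe, so "DLL loaded from Temp" alone is noise; the unsigned-DLL condition and the preceding archive drop are what make the match worth an analyst's time. Treat hits as hunting leads to pivot on (sender, redirect host, archive hash), not as a blocking rule.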

"In some cases, these URLs have distributed both Janeleiro and other Delphi bankers at different times," ESET says. 

"...This suggests that either the various criminal groups share the same provider for sending spam emails and for hosting their malware, or that they are the same group. We have not yet determined which hypothesis is correct."

Interestingly, the trojan first checks the geolocation of the victim's IP address: if the country is Brazil it continues, otherwise it exits. This geofencing also means a sample detonated in a sandbox whose egress IP is outside Brazil will show none of its malicious behaviour.

Janeleiro displays fake pop-up windows "on demand", for example when banking-related keywords are detected on the victim's machine. The operators then use these windows to solicit sensitive credentials and banking details from the victim.