Search This Blog

Powered by Blogger.

Blog Archive

Labels

Showing posts with label Phising. Show all posts

FakeCall Malware for Android Escalates Threat, Hijacks Outgoing Bank Calls

 

A newly evolved version of the FakeCall malware, a dangerous Android banking trojan, has been discovered hijacking users’ outgoing calls to their financial institutions, redirecting them to phone numbers controlled by attackers. The malware, first identified by Kaspersky in April 2022, focuses on voice phishing (vishing) scams, tricking victims into revealing sensitive banking information. 

The trojan presents a fake call interface that closely mimics Android’s default dialer, convincing victims they are communicating with legitimate bank representatives. 

This makes it challenging for users to discern the deception. When attempting to call their bank, the malware secretly redirects the call to attackers, who impersonate bank officials to steal personal information and money from accounts. A new report from Zimperium reveals that the latest FakeCall variant further enhances its capabilities. 

By tricking users into setting it as the default call handler during installation, the malware gains the ability to intercept both incoming and outgoing calls. In addition, the malware manipulates the Android user interface to show the bank’s actual phone number while connecting the victim to a scammer, deepening the illusion of legitimacy. The updated malware also adds new, though still developing, functionalities. 

It now uses Android’s Accessibility Service to simulate user actions, control the dialer interface, and automatically grant itself permissions. FakeCall’s operators have also introduced a Bluetooth listener and a screen state monitor, indicating ongoing development toward more advanced attack methods. Additional commands integrated into the latest version include capturing live screen content, taking screenshots, and accessing or deleting device images. 

These upgrades demonstrate the malware’s evolving sophistication, as it becomes harder to detect and remove. Security experts recommend avoiding the manual installation of Android apps through APKs, encouraging users to rely on the Google Play Store for app downloads. Though malware can still infiltrate Google Play, the platform’s security measures, such as Google Play Protect, can help identify and remove malicious apps when detected.

Cybercriminals Employ Obfuscation in Invoice Phishing Malware Campaigns

 


An array of cunning cyberattack campaigns utilizing seemingly innocuous invoices to deliver malware attacks have been uncovered by cybersecurity researchers. In this deceptive campaign, malicious Scalable Vector Graphics (SVG) file attachments are embedded in phishing emails that have been crafted to pose as malicious content. 

There is a risk that an intricate infection sequence will unfold once the victim opens the attachment, potentially releasing the victim's computer with various types of malware strains. Using this invoice-themed phishing scheme, FortiGuard Labs at Fortinet, a leading cybersecurity research team, identified a variety of malware. 

The malicious payloads included RATs such as Venom RAT, Remcos RAT, NanoCore RAT, and XWorm, as well as other Remote Access Trojans (RATs) that are known to have been exploited by hackers. Furthermore, the attack arsenal has incorporated a cryptocurrency wallet stealer that allows attackers to steal digital currencies from users without their knowledge of it. 

In a technical report published by Fortinet FortiGuard Labs, a technical report said that the emails include Scalable Vector Graphics files (SVG) that activate infection sequences when clicked. It is of particular note that the modus operandi uses BatCloak's malware obfuscation engine and ScrubCrypt to deliver malware as obfuscated batch scripts via the BatCloak malware obfuscation engine. 

A tool known as BatCloak, which was offered for sale to other threat actors in late 2022, has its roots in Jlaive, a tool that was developed by the organization. Essentially, it serves to load a next-stage payload by circumventing traditional detection mechanisms by loading it in a layered manner. The complexity of the attack lies in its multilayered approach. 

It is the SVG attachments that serve as triggers, initiating the infection process once the target opens them up. The BatCloak malware obfuscation engine is also extensively used to perform obfuscation techniques. In late 2022, cybercriminals were able to purchase a tool called Jlaive, a descendant of another obfuscation tool known as Jlaive, which has been available since then. 

In addition to masking the subsequent stages of malware, BatCloak's main function is to make it difficult for security software to detect the subsequent stages of malware. This variant of the Quasar RAT gives attackers the ability to seize control of compromised systems, collect sensitive data, and execute commands from command and control (C2) servers once they have taken control of a compromised system. 

In addition, it allows a multitude of plugins to be deployed for different kinds of malicious activities, including Remcos RAT, which is distributed via obfuscated VBS scripts, ScrubCrypt, and Guloader PowerShell scripts. The plugin system also allows a stealer module to be deployed to collect information from crypto wallets and applications like Atomic Wallet, Electrum, Ethereum, and others and send that stolen information to a remote server via the plugin system. 

In addition to obfuscating the malware, ScrubCrypt is one more layer that adds to this elaborate attack. It encrypts the malicious code, making it even more difficult to detect and prevent infection from security systems. A malware payload typically arrives in the form of encoded batch scripts as soon as the layers are peeled back. Once the scripts have been downloaded and executed onto the compromised system, the malware payload will be able to be detected. 

According to the cybersecurity firm that analyzed the latest campaign, the SVG file served as a conduit for dropping a ZIP archive which contained a batch script that probably was created using BatCloak. After the ScrubCrypt batch file has been unpacked, the Venom RAT is eventually executed, but not before establishing persistence on the host, bypassing ETW and AMSI protections, and setting up persistence on the host. 

The evolution of the tactics employed by cybercriminals has demonstrated the importance of the evolving threat landscape. A very important aspect of the sophistication of these online threats is the fact that attackers are strategically using readily available obfuscation tools, alongside malware that targets cryptocurrency. 

Researchers have stressed to users the importance of remaining vigilant, especially when it comes to unsolicited email attachments, even when they seem to be invoices or other documents that seem to come from a legitimate source. Several security measures should also be implemented by businesses, including comprehensive email filtering systems in addition to employee training programs targeted at recognizing warning signs of phishing attempts, which are recommended as part of these measures.