Search This Blog

Powered by Blogger.

Blog Archive

Labels

Showing posts with label device access. Show all posts

TrickMo Banking Trojan Unveils Advanced Threat Capabilities in Latest Variant

Malware Analyst at Zimperium, Aazim Yaswant, has released an in-depth report on the most recent TrickMo samples, highlighting worrisome new functionalities of this banking trojan. Initially reported by Cleafy in September, this new version of TrickMo employs various techniques to avoid detection and scrutiny, such as obfuscation and manipulating zip files. 

Yaswant’s team discovered 40 variants of TrickMo, consisting of 16 droppers and 22 active Command and Control (C2) servers, many of which remain hidden from the broader cybersecurity community.

Although TrickMo primarily focuses on stealing banking credentials, Yaswant's analysis has exposed more sophisticated abilities. "These features allow the malware to access virtually any data on the device," Yaswant stated. TrickMo is capable of intercepting OTPs, recording screens, remotely controlling the device, extracting data, and misusing accessibility services to gain permissions and perform actions without the user’s approval. Additionally, it can display misleading overlays designed to capture login credentials, enabling unauthorized financial transactions.

A particularly concerning discovery in Yaswant's findings is TrickMo’s ability to steal the device’s unlock pattern or PIN. This enables attackers to bypass security measures and access the device while it is locked. The malware achieves this by mimicking the legitimate unlock screen. “Once the user enters their unlock pattern or PIN, the page transmits the captured data, along with a unique device identifier,” Yaswant explained.

Zimperium’s researchers managed to gain entry to several C2 servers, identifying approximately 13,000 unique IP addresses linked to malware victims. The analysis revealed that TrickMo primarily targets regions such as Canada, the UAE, Turkey, and Germany. Yaswant’s investigation also uncovered millions of compromised records, with the stolen data including not only banking credentials but also access to corporate VPNs and internal websites, posing significant risks to organizations by potentially exposing them to larger-scale cyberattacks.