Mobile users in Brazil are the target of a new malware campaign that delivers a new Android banking trojan named Rocinante.
“This malware family is capable of performing keylogging using the Accessibility Service, and is also able to steal PII from its victims using phishing screens posing as different banks,” Dutch security firm ThreatFabric said.
“Finally, it can use all this exfiltrated information to perform device takeover (DTO) of the device, by leveraging the accessibility service privileges to achieve full remote access on the infected device.”
Some of the prominent targets of the malware include financial institutions such as Itaú Shop and Santander, with the fake apps masquerading as Bradesco Prime and Correios Celular, among others:
- Livelo Pontos (com.resgatelivelo.money)
- Correios Recarga (com.correiosrecarga.android)
- Bratesco Prine (com.resgatelivelo.money)
- Módulo de Segurança (com.viberotion1414.app)
Source code analysis of the malware has revealed that Rocinante is internally referred to by the operators as Pegasus (or PegasusSpy). It is worth noting that the name Pegasus has no connection to the cross-platform spyware developed by commercial surveillance vendor NSO Group.
That said, Pegasus is assessed to be the work of a threat actor dubbed DukeEugene, who is also known for similar malware strains such as ERMAC, BlackRock, Hook, and Loot, per a recent analysis by Silent Push.
ThreatFabric said it identified elements of the Rocinante malware that are directly influenced by early iterations of ERMAC, although it is believed that the leak of ERMAC’s source code in 2023 may have played a role.
“This is the first case in which an original malware family took the code from the leak and implemented just some part of it in their code,” it pointed out. “It is also possible that these two versions are separate forks of the same initial project.”
Rocinante is mainly distributed via phishing websites that aim to trick unsuspecting users into installing the counterfeit dropper apps, which, once installed, request accessibility service privileges to log all actions on the infected device, intercept SMS messages, and serve phishing login pages.
It also establishes contact with a command-and-control (C2) server to await further instructions, such as simulated touch and swipe events, to be executed remotely. The harvested personal information is exfiltrated to a Telegram bot.
“The bot extracts the useful PII obtained using the bogus login pages posing as the target banks. It then publishes this information, formatted, into a chat that criminals have access to,” ThreatFabric noted.
“The information slightly changes based on which fake login page was used to obtain it, and includes device information such as model and telephone number, CPF number, password, or account number.”
The development comes as Symantec highlighted another banking trojan campaign that exploits the secureserver[.]net domain to target Spanish- and Portuguese-speaking regions.
“The multistage attack begins with malicious URLs leading to an archive containing an obfuscated .hta file,” the Broadcom-owned company said.
“This file leads to a JavaScript payload that performs multiple AntiVM and AntiAV checks before downloading the final AutoIT payload. This payload is loaded using process injection with the goal of stealing banking information and credentials from the victim’s system and exfiltrating them to a C2 server.”
It also follows the emergence of a new “extensionware-as-a-service” that is advertised for sale via a new version of the Genesis Market, which was shuttered by law enforcement in early 2023, and is designed to steal sensitive information from users in the Latin American (LATAM) region using malicious web browser extensions propagated on the Chrome Web Store.
The activity, active since mid-2023 and targeting Mexico and other LATAM countries, has been attributed to an e-crime group named Cybercartel, which offers these services to other cybercriminal crews. The extensions are no longer available for download.
“The malicious Google Chrome extension disguises itself as a legitimate application, tricking users into installing it from compromised websites or phishing campaigns,” security researchers Ramses Vazquez and Karla Gomez of the Metabase Q Ocelot Threat Intelligence Group said.
“Once the extension is installed, it injects JavaScript code into the web pages that the user visits. This code can intercept and manipulate the content of the pages, as well as capture sensitive data such as login credentials, credit card information, and other user input, depending on the specific campaign and the type of information being targeted.”