Cell customers in Brazil are the goal of a brand new malware marketing campaign that delivers a brand new Android banking trojan named Rocinante.
“This malware household is able to performing keylogging utilizing the Accessibility Service, and can be in a position to steal PII from its victims utilizing phishing screens posing as totally different banks,” Dutch security firm ThreatFabric stated.
“Lastly, it might use all this exfiltrated info to carry out gadget takeover (DTO) of the gadget, by leveraging the accessibility service privileges to attain full distant entry on the contaminated gadget.”
Among the outstanding targets of the malware embody monetary establishments reminiscent of Itaú Store, Santander, with the phony apps masquerading as Bradesco Prime and Correios Celular, amongst others –
- Livelo Pontos (com.resgatelivelo.money)
- Correios Recarga (com.correiosrecarga.android)
- Bratesco Prine (com.resgatelivelo.money)
- Módulo de Segurança (com.viberotion1414.app)
Supply code evaluation of the malware has revealed that Rocinante is being internally referred to as by the operators as Pegasus (or PegasusSpy). It is price noting that the title Pegasus has no connections to a cross-platform adware developed by business surveillance vendor NSO Group.
That stated, Pegasus is assessed to be the work of a menace actor dubbed DukeEugene, who can be identified for comparable malware strains reminiscent of ERMAC, BlackRock, Hook, and Loot, per a latest evaluation by Silent Push.
ThreatFabric stated it recognized elements of the Rocinante malware which might be instantly influenced by early iterations of ERMAC, though it is believed that the leak of ERMAC’s supply code in 2023 could have performed a job.
“That is the primary case through which an unique malware household took the code from the leak and carried out just a few a part of it of their code,” it identified. “Additionally it is potential that these two variations are separate forks of the identical preliminary undertaking.”
Rocinante is principally distributed by way of phishing websites that intention to trick unsuspecting customers into putting in the counterfeit dropper apps that, as soon as put in, requests for accessibility service privileges to report all actions on the contaminated gadget, intercept SMS messages, and serve phishing login pages.
It additionally establishes contact with a command-and-control (C2) server to await additional directions – simulating contact and swipe occasions – to be executed remotely. The harvested private info is exfiltrated to a Telegram bot.
“The bot extracts the helpful PII obtained utilizing the bogus login pages posing because the goal banks. It then publishes this info, formatted, right into a chat that criminals have entry to,” ThreatFabric famous.
“The data barely adjustments primarily based on which faux login web page was used to acquire it, and contains gadget info reminiscent of mannequin and phone quantity, CPF quantity, password, or account quantity.”
The event comes as Symantec highlighted one other banking trojan malware marketing campaign that exploits the secureserver[.]web area to focus on Spanish and Portuguese-speaking areas.
“The multistage assault begins with malicious URLs resulting in an archive containing an obfuscated .hta file,” the Broadcom-owned firm stated.
“This file results in a JavaScript payload that performs a number of AntiVM and AntiAV checks earlier than downloading the ultimate AutoIT payload. This payload is loaded utilizing course of injection with the objective of stealing banking info and credentials from the sufferer’s system and exfiltrating them to a C2 server.”
It additionally follows the emergence of a brand new “extensionware-as-a-service” that is marketed on the market via a brand new model of the Genesis Market, which was shuttered by legislation enforcement in early 2023, and designed to steal delicate info from customers within the Latin American (LATAM) area utilizing malicious internet browser extensions propagated on the Chrome Internet Retailer.
The exercise, lively since mid-2023 and focusing on Mexico and different LATAM nations, has been attributed to an e-crime group named Cybercartel, which presents these kinds of companies to different cybercriminal crews. The extensions are now not out there for obtain.
“The malicious Google Chrome extension disguises itself as a legit software, tricking customers into putting in it from compromised web sites or phishing campaigns,” security researchers Ramses Vazquez of Karla Gomez of the Metabase Q Ocelot Risk Intelligence Workforce stated.
“As soon as the extension is put in, it injects JavaScript code into the online pages that the person visits. This code can intercept and manipulate the content material of the pages, in addition to seize delicate information reminiscent of login credentials, bank card info, and different person enter, relying on the precise marketing campaign and the kind of info being focused.”
