Cellular customers in Brazil are the goal of a brand new malware marketing campaign that delivers a brand new Android banking trojan named Rocinante.
“This malware household is able to performing keylogging utilizing the Accessibility Service, and can also be in a position to steal PII from its victims utilizing phishing screens posing as totally different banks,” Dutch safety firm ThreatFabric mentioned.
“Lastly, it might probably use all this exfiltrated info to carry out gadget takeover (DTO) of the gadget, by leveraging the accessibility service privileges to attain full distant entry on the contaminated gadget.”
A number of the distinguished targets of the malware embody monetary establishments equivalent to Itaú Store, Santander, with the phony apps masquerading as Bradesco Prime and Correios Celular, amongst others –
- Livelo Pontos (com.resgatelivelo.money)
- Correios Recarga (com.correiosrecarga.android)
- Bratesco Prine (com.resgatelivelo.money)
- Módulo de Segurança (com.viberotion1414.app)
Supply code evaluation of the malware has revealed that Rocinante is being internally known as by the operators as Pegasus (or PegasusSpy). It is value noting that the identify Pegasus has no connections to a cross-platform spy ware developed by industrial surveillance vendor NSO Group.
That mentioned, Pegasus is assessed to be the work of a menace actor dubbed DukeEugene, who can also be identified for related malware strains equivalent to ERMAC, BlackRock, Hook, and Loot, per a current evaluation by Silent Push.
ThreatFabric mentioned it recognized components of the Rocinante malware which can be immediately influenced by early iterations of ERMAC, though it is believed that the leak of ERMAC’s supply code in 2023 might have performed a task.
“That is the primary case through which an unique malware household took the code from the leak and applied just a few a part of it of their code,” it identified. “It’s also potential that these two variations are separate forks of the identical preliminary undertaking.”
Rocinante is principally distributed by way of phishing websites that purpose to trick unsuspecting customers into putting in the counterfeit dropper apps that, as soon as put in, requests for accessibility service privileges to file all actions on the contaminated gadget, intercept SMS messages, and serve phishing login pages.
It additionally establishes contact with a command-and-control (C2) server to await additional directions – simulating contact and swipe occasions – to be executed remotely. The harvested private info is exfiltrated to a Telegram bot.
“The bot extracts the helpful PII obtained utilizing the bogus login pages posing because the goal banks. It then publishes this info, formatted, right into a chat that criminals have entry to,” ThreatFabric famous.
“The data barely modifications primarily based on which pretend login web page was used to acquire it, and contains gadget info equivalent to mannequin and phone quantity, CPF quantity, password, or account quantity.”
The event comes as Symantec highlighted one other banking trojan malware marketing campaign that exploits the secureserver[.]web area to focus on Spanish and Portuguese-speaking areas.
“The multistage assault begins with malicious URLs resulting in an archive containing an obfuscated .hta file,” the Broadcom-owned firm mentioned.
“This file results in a JavaScript payload that performs a number of AntiVM and AntiAV checks earlier than downloading the ultimate AutoIT payload. This payload is loaded utilizing course of injection with the purpose of stealing banking info and credentials from the sufferer’s system and exfiltrating them to a C2 server.”
It additionally follows the emergence of a brand new “extensionware-as-a-service” that is marketed on the market by means of a brand new model of the Genesis Market, which was shuttered by regulation enforcement in early 2023, and designed to steal delicate info from customers within the Latin American (LATAM) area utilizing malicious internet browser extensions propagated on the Chrome Internet Retailer.
The exercise, energetic since mid-2023 and concentrating on Mexico and different LATAM nations, has been attributed to an e-crime group named Cybercartel, which provides most of these providers to different cybercriminal crews. The extensions are not obtainable for obtain.
“The malicious Google Chrome extension disguises itself as a respectable software, tricking customers into putting in it from compromised web sites or phishing campaigns,” safety researchers Ramses Vazquez of Karla Gomez of the Metabase Q Ocelot Risk Intelligence Crew mentioned.
“As soon as the extension is put in, it injects JavaScript code into the online pages that the consumer visits. This code can intercept and manipulate the content material of the pages, in addition to seize delicate information equivalent to login credentials, bank card info, and different consumer enter, relying on the particular marketing campaign and the kind of info being focused.”