Mar 13, 2024The Hacker NewsFinancial Fraud / Mobile Security

The threat actors behind the PixPirate Android banking trojan are leveraging a new trick to evade detection on compromised devices and harvest sensitive information from users in Brazil.

The approach allows it to hide the malicious app’s icon from the home screen of the victim’s device, IBM said in a technical report published today.

“Thanks to this new technique, during PixPirate reconnaissance and attack phases, the victim remains oblivious to the malicious operations that this malware performs in the background,” security researcher Nir Somech said.

PixPirate, which was first documented by Cleafy in February 2023, is known for its abuse of Android’s accessibility services to covertly perform unauthorized fund transfers using the PIX instant payment platform when a targeted banking app is opened.

The constantly mutating malware is also capable of stealing victims’ online banking credentials and credit card information, as well as capturing keystrokes and intercepting SMS messages to access two-factor authentication codes.

Typically distributed via SMS and WhatsApp, the attack flow entails the use of a dropper (aka downloader) app that’s engineered to deploy the main payload (aka droppee) to pull off the financial fraud.

“Usually, the downloader is used to download and install the droppee, and from this point on, the droppee is the main actor conducting all fraudulent operations and the downloader is irrelevant,” Somech explained.

“In the case of PixPirate, the downloader is responsible not only for downloading and installing the droppee but also for running and executing it. The downloader plays an active part in the malicious activities of the droppee as they communicate with each other and send commands to execute.”

The downloader APK app, once launched, prompts the victim to update the app to either retrieve the PixPirate component from an actor-controlled server or install it if it’s embedded within itself.

What’s changed in the latest version of the droppee is the absence of activity with the action “android.intent.action.Main” and the category “android.intent.category.LAUNCHER” that allows a user to launch an app from the home screen by tapping its icon.

Put differently, the infection chain requires both the downloader and the droppee to work in tandem, with the former responsible for running the PixPirate APK by binding to a service exported by the droppee.

“Later, to maintain persistence, the droppee is also triggered to run by the different receivers that it registered,” Somech said. “The receivers are set to be activated based on different events that occur in the system and not necessarily by the downloader that initially triggered the droppee to run.”

“This technique allows the PixPirate droppee to run and hide its existence even if the victim removes the PixPirate downloader from their device.”

The development comes as Latin American (LATAM) banks have become the target of a new malware called Fakext that employs a rogue Microsoft Edge extension named SATiD to carry out man-in-the-browser and web injection attacks with the goal of grabbing credentials entered in the targeted bank site.

It’s worth noting that SAT ID is a service offered by Mexico’s Tax Administration Service (SAT) to generate and update electronic signatures for filing taxes online.

In select cases, Fakext is engineered to display an overlay that urges the victim to download a legitimate remote access tool by purporting to be the bank’s IT support team, ultimately enabling the threat actors to conduct financial fraud.

The campaign – active since at least November 2023 – singles out 14 banks operating in the region, a majority of which are located in Mexico. The extension has since been taken down from the Edge Add-ons store.

Users in Brazil are the target of a new banking trojan known as CHAVECLOAK that’s propagated via phishing emails bearing PDF attachments.

“This intricate attack involves the PDF downloading a ZIP file and subsequently utilizing DLL side-loading techniques to execute the final malware,” Fortinet FortiGuard Labs researcher Cara Lin said.

The attack chain involves the use of contract-themed DocuSign lures to trick users into opening PDF files containing a button to read and sign the documents.

In reality, clicking the button leads to the retrieval of an installer file from a remote link that’s shortened using the Goo.su URL shortening service.

Present within the installer is an executable named “Lightshot.exe” that leverages DLL side-loading to load “Lightshot.dll,” which is the CHAVECLOAK malware that facilitates the theft of sensitive information.

This includes gathering system metadata and running checks to determine whether the compromised machine is located in Brazil and, if so, periodically monitoring the foreground window to compare it against a predefined list of bank-related strings.

If it matches, a connection is established with a command-and-control (C2) server and proceeds to harvest various kinds of information and exfiltrate them to distinct endpoints on the server depending on the financial institution.

“The malware facilitates various actions to steal a victim’s credentials, such as allowing the operator to block the victim’s screen, log keystrokes, and display deceptive pop-up windows,” Lin said.

“The malware actively monitors the victim’s access to specific financial portals, including several banks and Mercado Bitcoin, which encompasses both traditional banking and cryptocurrency platforms.”

Fortinet said it also uncovered a Delphi variant of CHAVECLOAK, once again highlighting the prevalence of Delphi-based malware targeting Latin America.

“The emergence of the CHAVECLOAK banking Trojan underscores the evolving landscape of cyberthreats targeting the financial sector, specifically focusing on users in Brazil,” Lin concluded.

The findings come amid an ongoing mobile banking fraud campaign against the U.K., Spain, and Italy that entails using smishing and vishing (i.e., SMS and voice phishing) tactics to deploy an Android malware called Copybara with the goal of performing unauthorized banking transfers to a network of bank accounts operated by money mules.

“TAs [Threat actors] have been caught using a structured way of managing all the ongoing phishing campaigns via a centralized web panel known as ‘Mr. Robot,'” Cleafy said in a report published last week.

“With this panel, TAs can enable and manage multiple phishing campaigns (against different financial institutions) based on their needs.”

The C2 framework also allows attackers to orchestrate tailored attacks on distinct financial institutions using phishing kits that are engineered to mimic the user interface of the targeted entity, while also adopting anti-detection methods via geofencing and device fingerprinting to limit connections only from mobile devices.

The phishing kit – which serves as a fake login page – is responsible for capturing retail banking customer credentials and phone numbers and sending the details to a Telegram group.

Some of the malicious infrastructure used for the campaign is designed to deliver Copybara, which is managed using a C2 panel named JOKER RAT that displays all the infected devices and their geographical distribution over a live map.

It also allows the threat actors to remotely interact in real-time with an infected device using a VNC module, in addition to injecting fake overlays on top of banking apps to siphon credentials, logging keystrokes by abusing Android’s accessibility services, and intercepting SMS messages.

On top of that, JOKER RAT comes with an APK builder that makes it possible to customize the rogue app’s name, package name, and icons.

“Another feature available inside the panel is the ‘Push Notification,’ probably used to send to the infected devices fake push notifications that look like a bank notification to entice the user to open the bank’s app in such a way that the malware can steal credentials,” Cleafy researchers Francesco Iubatti and Federico Valentini said.

The growing sophistication of on-device fraud (ODF) schemes is further evidenced by a recently disclosed TeaBot (aka Anatsa) campaign that managed to infiltrate the Google Play Store under the guise of PDF reader apps.

“This application serves as a dropper, facilitating the download of a banking trojan of the TeaBot family through multiple stages,” Iubatti said. “Before downloading the banking trojan, the dropper performs advanced evasion techniques, including obfuscation and file deletion, alongside multiple checks about the victim countries.”

Feb 09, 2024NewsroomEndpoint Security / Cryptocurrency

Sixty-one banking institutions, all of them originating from Brazil, are the target of a new banking trojan called Coyote.

“This malware utilizes the Squirrel installer for distribution, leveraging Node.js and a relatively new multi-platform programming language called Nim as a loader to complete its infection,” Russian cybersecurity firm Kaspersky said in a Thursday report.

What makes Coyote a different breed from other banking trojans of its kind is the use of the open-source Squirrel framework for installing and updating Windows apps. Another notable departure is the shift from Delphi – which is prevalent among banking malware families targeting Latin America – to uncommon programming languages like Nim.

In the attack chain documented by Kaspersky, a Squirrel installer executable is used as a launchpad for a Node.js application compiled with Electron, which, in turn, runs a Nim-based loader to trigger the execution of the malicious Coyote payload by means of DLL side-loading.

The malicious dynamic-link library, named “libcef.dll,” is side-loaded by means of a legitimate executable named “obs-browser-page.exe,” which is also included in the Node.js project. It’s worth noting that the original libcef.dll is part of the Chromium Embedded Framework (CEF).

Coyote, once executed, “monitors all open applications on the victim’s system and waits for the specific banking application or website to be accessed,” subsequently contacting an actor-controlled server to fetch next-stage directives.

It has the capability to execute a wide range of commands to take screenshots, log keystrokes, terminate processes, display fake overlays, move the mouse cursor to a specific location, and even shut down the machine. It can also outright block the machine with a bogus “Working on updates…” message while executing malicious actions in the background.

“The addition of Nim as a loader adds complexity to the trojan’s design,” Kaspersky said. “This evolution highlights the increasing sophistication within the threat landscape and shows how threat actors are adapting and using the latest languages and tools in their malicious campaigns.”

The development comes as Brazilian law enforcement authorities dismantled the Grandoreiro operation and issued five temporary arrest warrants and 13 search and seizure warrants for the masterminds behind the malware across five Brazilian states.

It also follows the discovery of a new Python-based information stealer that’s related to the Vietnamese architects associated with MrTonyScam and distributed via booby-trapped Microsoft Excel and Word documents.

The stealer “collects browsers’ cookies and login data […] from a wide range of browsers, from familiar browsers such as Chrome and Edge to browsers focused on the local market, like the Cốc Cốc browser,” Fortinet FortiGuard Labs said in a report published this week.

Jan 30, 2024NewsroomCyber Crime / Malware

A Brazilian law enforcement operation has led to the arrest of several Brazilian operators in charge of the Grandoreiro malware.

The Federal Police of Brazil said it served five temporary arrest warrants and 13 search and seizure warrants in the states of São Paulo, Santa Catarina, Pará, Goiás, and Mato Grosso.

Slovak cybersecurity firm ESET, which provided additional assistance in the effort, said it uncovered a design flaw in Grandoreiro’s network protocol that helped it to identify the victimology patterns.

Grandoreiro is one of the many Latin American banking trojans such as Javali, Melcoz, Casabeniero, Mekotio, and Vadokrist, primarily targeting countries like Spain, Mexico, Brazil, and Argentina. It’s known to be active since 2017.

In late October 2023, Proofpoint revealed details of a phishing campaign that distributed an updated version of the malware to targets in Mexico and Spain.

The banking trojan has capabilities to both steal data through keyloggers and screenshots as well as siphon bank login information from overlays when an infected victim visits pre-determined banking sites targeted by the threat actors. It can also display fake pop-up windows and block the victim’s screen.

Attack chains typically leverage phishing lures bearing decoy documents or malicious URLs that, when opened or clicked, lead to the deployment of malware, which then establishes contact with a command-and-control (C&C) server for remotely controlling the machine in a manual fashion.

“Grandoreiro periodically monitors the foreground window to find one that belongs to a web browser process,” ESET said.

“When such a window is found and its name matches any string from a hardcoded list of bank-related strings, then and only then the malware initiates communication with its C&C server, sending requests at least once a second until terminated.”

The threat actors behind the malware are also known to employ a domain generation algorithm (DGA) since around October 2020 to dynamically identify a destination domain for C&C traffic, making it harder to block, track, or take over the infrastructure.

A majority of the IP addresses these domains resolve to are provided primarily by Amazon Web Services (AWS) and Microsoft Azure, with the life span of the C&C IP addresses ranging anywhere between 1 day to 425 days. On average, there are 13 active and three new C&C IP addresses per day, respectively.

ESET also said that Grandoreiro’s flawed implementation of its RealThinClient (RTC) network protocol for C&C made it possible to get information about the number of victims that are connected to the C&C server, which is 551 unique victims in a day on average mainly spread across Brazil, Mexico, and Spain.

Further investigation has found that an average number of 114 new unique victims connect to the C&C servers each day.

“The disruption operation led by the Federal Police of Brazil aimed at individuals who are believed to be high up in the Grandoreiro operation hierarchy,” ESET said.