Mar 13, 2024The Hacker NewsFinancial Fraud / Mobile Security

The threat actors behind the PixPirate Android banking trojan are leveraging a new trick to evade detection on compromised devices and harvest sensitive information from users in Brazil.

The approach allows it to hide the malicious app’s icon from the home screen of the victim’s device, IBM said in a technical report published today.

“Thanks to this new technique, during PixPirate reconnaissance and attack phases, the victim remains oblivious to the malicious operations that this malware performs in the background,” security researcher Nir Somech said.

PixPirate, which was first documented by Cleafy in February 2023, is known for its abuse of Android’s accessibility services to covertly perform unauthorized fund transfers using the PIX instant payment platform when a targeted banking app is opened.

The constantly mutating malware is also capable of stealing victims’ online banking credentials and credit card information, as well as capturing keystrokes and intercepting SMS messages to access two-factor authentication codes.

Typically distributed via SMS and WhatsApp, the attack flow entails the use of a dropper (aka downloader) app that’s engineered to deploy the main payload (aka droppee) to pull off the financial fraud.

“Usually, the downloader is used to download and install the droppee, and from this point on, the droppee is the main actor conducting all fraudulent operations and the downloader is irrelevant,” Somech explained.

“In the case of PixPirate, the downloader is responsible not only for downloading and installing the droppee but also for running and executing it. The downloader plays an active part in the malicious activities of the droppee as they communicate with each other and send commands to execute.”

The downloader APK app, once launched, prompts the victim to update the app to either retrieve the PixPirate component from an actor-controlled server or install it if it’s embedded within itself.

What’s changed in the latest version of the droppee is the absence of activity with the action “android.intent.action.Main” and the category “android.intent.category.LAUNCHER” that allows a user to launch an app from the home screen by tapping its icon.

Put differently, the infection chain requires both the downloader and the droppee to work in tandem, with the former responsible for running the PixPirate APK by binding to a service exported by the droppee.

“Later, to maintain persistence, the droppee is also triggered to run by the different receivers that it registered,” Somech said. “The receivers are set to be activated based on different events that occur in the system and not necessarily by the downloader that initially triggered the droppee to run.”

“This technique allows the PixPirate droppee to run and hide its existence even if the victim removes the PixPirate downloader from their device.”

The development comes as Latin American (LATAM) banks have become the target of a new malware called Fakext that employs a rogue Microsoft Edge extension named SATiD to carry out man-in-the-browser and web injection attacks with the goal of grabbing credentials entered in the targeted bank site.

It’s worth noting that SAT ID is a service offered by Mexico’s Tax Administration Service (SAT) to generate and update electronic signatures for filing taxes online.

In select cases, Fakext is engineered to display an overlay that urges the victim to download a legitimate remote access tool by purporting to be the bank’s IT support team, ultimately enabling the threat actors to conduct financial fraud.

The campaign – active since at least November 2023 – singles out 14 banks operating in the region, a majority of which are located in Mexico. The extension has since been taken down from the Edge Add-ons store.

Mar 01, 2024NewsroomLinux / Cyber Threat

Cybersecurity researchers have discovered a new Linux variant of a remote access trojan (RAT) called BIFROSE (aka Bifrost) that uses a deceptive domain mimicking VMware.

“This latest version of Bifrost aims to bypass security measures and compromise targeted systems,” Palo Alto Networks Unit 42 researchers Anmol Maurya and Siddharth Sharma said.

BIFROSE is one of the long-standing threats that has been active since 2004. It has been offered for sale in underground forums for up to $10,000 in the past, according to a report from Trend Micro in December 2015.

The malware has been put to use by a state-backed hacking group from China tracked as BlackTech (aka Circuit Panda, HUAPI, Manga Taurus, Palmerworm, PLEAD, Red Djinn, and Temp.Overboard), which has a history of striking organizations in Japan, Taiwan, and the U.S.

It’s suspected that the threat actor purchased the source code or gained access to it around 2010, and repurposed the malware for use in its own campaigns via custom backdoors like KIVARS and XBOW.

Linux variants of BIFROSE (aka ELF_BIFROSE) have been observed since at least 2020 with capabilities to launch remote shells, download/upload files, and perform file operations.

“Attackers typically distribute Bifrost through email attachments or malicious websites,” the researchers said. “Once installed on a victim’s computer, Bifrost allows the attacker to gather sensitive information, like the victim’s hostname and IP address.”

What makes the latest variant noteworthy is that it reaches out to a command-and-control (C2) server with the name “download.vmfare[.]com” in an attempt to masquerade as VMware. The deceptive domain is resolved by contacting a Taiwan-based public DNS resolver with the IP address 168.95.1[.]1.

Unit 42 said it detected a spike in Bifrost activity since October 2023, identifying no less than 104 artifacts in its telemetry. It further discovered an Arm version of the malware, suggesting the threat actors are likely looking to expand their attack surface.

“With new variants that employ deceptive domain strategies like typosquatting, a recent spike in Bifrost activity highlights the dangerous nature of this malware,” the researchers said.

The development comes as McAfee Labs detailed a new GuLoader campaign that propagates the malware through malicious SVG file attachments in email messages. The malware has also been observed being distributed via VBS scripts as part of a multi-stage payload delivery.

“This recent surge highlights its evolving tactics for broader reach and evasion,” Trustwave SpiderLabs said in a post on X earlier this week.

The Bifrost and GuLoader attacks coincide with the release of a new version of the Warzone RAT, which recently had two of its operators arrested and its infrastructure dismantled by the U.S. government.

Feb 08, 2024NewsroomEndpoint Security / Cyber Threat

The threat actors behind a loader malware called HijackLoader have added new techniques for defense evasion, as the malware continues to be increasingly used by other threat actors to deliver additional payloads and tooling.

“The malware developer used a standard process hollowing technique coupled with an additional trigger that was activated by the parent process writing to a pipe,” CrowdStrike researchers Donato Onofri and Emanuele Calvelli said in a Wednesday analysis. “This new approach has the potential to make defense evasion stealthier.”

HijackLoader was first documented by Zscaler ThreatLabz in September 2023 as having been used as a conduit to deliver DanaBot, SystemBC, and RedLine Stealer. It’s also known to share a high degree of similarity with another loader known as IDAT Loader.

Both the loaders are assessed to be operated by the same cybercrime group. In the intervening months, HijackLoader has been propagated via ClearFake and put to use by TA544 (aka Narwhal Spider, Gold Essex, and Ursnif Gang) to deliver Remcos RAT and SystemBC via phishing messages.

“Think of loaders like wolves in sheep’s clothing. Their purpose is to sneak in, introduce and execute more sophisticated threats and tools,” Liviu Arsene, director of threat research and reporting at CrowdStrike, said in a statement shared with The Hacker News.

“This recent variant of HijackLoader (aka IDAT Loader) steps up its sneaking game by adding and experimenting with new techniques. This is similar to enhancing its disguise, making it stealthier, more complex, and more difficult to analyze. In essence, they’re refining their digital camouflage.”

The starting point of the multi-stage attack chain is an executable (“streaming_client.exe”) that checks for an active internet connection and proceeds to download a second-stage configuration from a remote server.

The executable then loads a legitimate dynamic-link library (DLL) specified in the configuration to activate shellcode responsible for launching the HijackLoader payload via a combination of process doppelgänging and process hollowing techniques that increases the complexity of analysis and the defense evasion capabilities.

“The HijackLoader second-stage, position-independent shellcode then performs some evasion activities to bypass user mode hooks using Heaven’s Gate and injects subsequent shellcode into cmd.exe,” the researchers said.

“The injection of the third-stage shellcode is accomplished via a variation of process hollowing that results in an injected hollowed mshtml.dll into the newly spawned cmd.exe child process.”

Heaven’s Gate refers to a stealthy trick that allows malicious software to evade endpoint security products by invoking 64-bit code in 32-bit processes in Windows, effectively bypassing user-mode hooks.

One of the key evasion techniques observed in HijackLoader attack sequences is the use of a process injection mechanism called transacted hollowing, which has been previously observed in malware such as the Osiris banking trojan.

“Loaders are meant to act as stealth launch platforms for adversaries to introduce and execute more sophisticated malware and tools without burning their assets in the initial stages,” Arsene said.

“Investing in new defense evasion capabilities for HijackLoader (aka IDAT Loader) is potentially an attempt to make it stealthier and fly below the radar of traditional security solutions. The new techniques signal both a deliberate and experimental evolution of the existing defense evasion capabilities while also increasing the complexity of analysis for threat researchers.”