The Android banking trojan known as Vultur has resurfaced with a suite of new features and improved anti-analysis and detection evasion techniques, enabling its operators to remotely interact with a mobile device and harvest sensitive data.

“Vultur has also started masquerading more of its malicious activity by encrypting its C2 communication, using multiple encrypted payloads that are decrypted on the fly, and using the guise of legitimate applications to carry out its malicious actions,” NCC Group researcher Joshua Kamp said in a report published last week.

Vultur was first disclosed in early 2021, with the malware capable of leveraging Android’s accessibility services APIs to execute its malicious actions.

The malware has been observed to be distributed via trojanized dropper apps on the Google Play Store, masquerading as authenticator and productivity apps to trick unwitting users into installing them. These dropper apps are offered as part of a dropper-as-a-service (DaaS) operation called Brunhilda.

Other attack chains, as observed by NCC Group, involve the droppers being spread using a combination of SMS messages and phone calls – a technique called telephone-oriented attack delivery (TOAD) – to ultimately serve an updated version of the malware.

“The first SMS message guides the victim to a phone call,” Kamp said. When the victim calls the number, the fraudster provides the victim with a second SMS that includes the link to the dropper: a modified version of the [legitimate] McAfee Security app.”

The initial SMS message aims to induce a false sense of urgency by instructing the recipients to call a number to authorize a non-existent transaction that involves a large sum of money.

Upon installation, the malicious dropper executes three related payloads (two APKs and one DEX file) that register the bot with the C2 server, obtain accessibility services permissions for remote access via AlphaVNC and ngrok, and run commands fetched from the C2 server.

One of the prominent additions to Vultur is the ability to remotely interact with the infected device, including carrying out clicks, scrolls, and swipes, through Android’s accessibility services, as well as download, upload, delete, install, and find files.

In addition, the malware is equipped to prevent the victims from interacting with a predefined list of apps, display custom notifications in the status bar, and even disable Keyguard to bypass lock screen security measures.

“Vultur’s recent developments have shown a shift in focus towards maximizing remote control over infected devices,” Kamp said.

“With the capability to issue commands for scrolling, swipe gestures, clicks, volume control, blocking apps from running, and even incorporating file manager functionality, it is clear that the primary objective is to gain total control over compromised devices.”

The development comes as Team Cymru revealed the Octo (aka Coper) Android banking trojan’s transition to a malware-as-a-service operation, offering its services to other threat actors for conducting information theft.

“The malware offers a variety of advanced features, including keylogging, interception of SMS messages and push notifications, and control over the device’s screen,” the company said.

“It employs various injects to steal sensitive information, such as passwords and login credentials, by displaying fake screens or overlays. Additionally, it utilizes VNC (Virtual Network Computing) for remote access to devices, enhancing its surveillance capabilities.”

Octo campaigns are estimated to have compromised 45,000 devices, primarily spanning Portugal, Spain, Turkey, and the U.S. Some of the other victims are located in France, the Netherlands, Canada, India, and Japan.

The findings also follow the emergence of a new campaign targeting Android users in India that distributes malicious APK packages posing as online booking, billing, and courier services via a malware-as-a-service (MaaS) offering.

The malware “targets theft of banking information, SMS messages, and other confidential information from victims’ devices,” Broadcom-owned Symantec said in a bulletin.

Feb 14, 2024NewsroomMalware / Cybercrime

The infamous malware loader and initial access broker known as Bumblebee has resurfaced after a four-month absence as part of a new phishing campaign observed in February 2024.

Enterprise security firm Proofpoint said the activity targets organizations in the U.S. with voicemail-themed lures containing links to OneDrive URLs.

“The URLs led to a Word file with names such as “ReleaseEvans#96.docm” (the digits before the file extension varied),” the company said in a Tuesday report. “The Word document spoofed the consumer electronics company Humane.”

Opening the document leverages VBA macros to launch a PowerShell command to download and execute another PowerShell script from a remote server that, in turn, retrieves and runs the Bumblebee loader.

Bumblebee, first spotted in March 2022, is mainly designed to download and execute follow-on payloads such as ransomware. It has been put to use by multiple crimeware threat actors that previously observed delivering BazaLoader (aka BazarLoader) and IcedID.

It’s also suspected to be developed by threat actors the Conti and TrickBot cybercrime syndicate as a replacement for BazarLoader. In September 2023, Intel 471 disclosed a Bumblebee distribution campaign that employed Web Distributed Authoring and Versioning (WebDAV) servers to disseminate the loader.

The attack chain is notable for its reliance on macro-enabled documents in the attack chain, especially considering Microsoft began blocking macros in Office files downloaded from the internet by default starting July 2022, prompting threat actors to modify and diversify their approaches.

The return of Bumblebee also coincides with the reappearance of new variants of QakBot, ZLoader, and PikaBot, with samples of QakBot distributed in the form of Microsoft Software Installer (MSI) files.

“The .MSI drops a Windows .cab (Cabinet) archive, which in turn contains a DLL,” cybersecurity firm Sophos said on Mastodon. “The .MSI extracts the DLL from the .cab, and executes it using shellcode. The shellcode causes the DLL to spawn a second copy of itself and inject the bot code into the second instance’s memory space.”

The latest QakBot artifacts have been found to harden the encryption used to conceal strings and other information, including employing a crypter malware called DaveCrypter, making it more challenging to analyze. The new generation also reinstates the ability to detect whether the malware was running inside a virtual machine or sandbox.

Another crucial modification includes encrypting all communications between the malware and the command-and-control (C2) server using AES-256, a stronger method than was used in versions prior to the dismantling of QakBot’s infrastructure in late August 2023.

“The takedown of the QakBot botnet infrastructure was a victory, but the bot’s creators remain free, and someone who has access to QakBot’s original source code has been experimenting with new builds and testing the waters with these latest variants,” Andrew Brandt, principal researcher at Sophos X-Ops, said.

“One of the most notable changes involve a change to the encryption algorithm the bot uses to conceal default configurations hardcoded into the bot, making it more difficult for analysts to see how the malware operates; the attackers are also restoring previously deprecated features, such as virtual machine (VM) awareness, and testing them out in these new versions.”

QakBot has also emerged as the second most prevalent malware for January 2024, trailing behind FakeUpdates (aka SocGholish) but ahead of other families like Formbook, Nanocore, AsyncRAT, Remcos RAT, and Agent Tesla.

The development comes as Malwarebytes revealed a new campaign in which phishing sites mimicking financial institutions like Barclays trick potential targets into downloading legitimate remote desktop software like AnyDesk to purportedly resolve non-existent issues and ultimately allow threat actors to gain control of the machine.

Feb 01, 2024NewsroomCyber Attack / Botnet

The threat actor behind a peer-to-peer (P2P) botnet known as FritzFrog has made a return with a new variant that leverages the Log4Shell vulnerability to propagate internally within an already compromised network.

“The vulnerability is exploited in a brute-force manner that attempts to target as many vulnerable Java applications as possible,” web infrastructure and security company Akamai said in a report shared with The Hacker News.

FritzFrog, first documented by Guardicore (now part of Akamai) in August 2020, is a Golang-based malware that primarily targets internet-facing servers with weak SSH credentials. It’s known to be active since January 2020.

It has since evolved to strike healthcare, education, and government sectors as well as improved its capabilities to ultimately deploy cryptocurrency miners on infected hosts.

What’s novel about the latest version is the use of the Log4Shell vulnerability as a secondary infection vector to specifically single out internal hosts rather than targeting vulnerable publicly-accessible assets.

“When the vulnerability was first discovered, internet-facing applications were prioritized for patching because of their significant risk of compromise,” security researcher Ori David said.

“Contrastly, internal machines, which were less likely to be exploited, were often neglected and remained unpatched — a circumstance that FritzFrog takes advantage of.”

This means that even if the internet-facing applications have been patched, a breach of any other endpoint can expose unpatched internal systems to exploitation and propagate the malware.

The SSH brute-force component of FritzFrog has also received a facelift of its own to identify specific SSH targets by enumerating several system logs on each of its victims.

Another notable change in the malware is use of the PwnKit flaw tracked as CVE-2021-4034 to achieve local privilege escalation.

“FritzFrog continues to employ tactics to remain hidden and avoid detection,” David said. “In particular, it takes special care to avoid dropping files to disk when possible.”

This is accomplished by means of the shared memory location /dev/shm, which has also been put to use by other Linux-based malware such as BPFDoor and Commando Cat, and memfd_create to execute memory-resident payloads.

The disclosure comes as Akamai revealed that the InfectedSlurs botnet is actively exploiting now-patched security flaws (from CVE-2024-22768 through CVE-2024-22772, and CVE-2024-23842) impacting multiple DVR device models from Hitron Systems to launch distributed denial-of-service (DDoS) attacks.