Jump to content

Search the Community

Showing results for tags 'banking trojan'.

  • Search By Tags

    Type tags separated by commas.
  • Search By Author

Content Type


  • Site Related
    • News & Updates
    • Site / Forum Feedback
    • Member Introduction
  • News
    • General News
    • FileSharing News
    • Mobile News
    • Software News
    • Security & Privacy News
    • Technology News
  • Downloads
    • nsane.down
  • General Discussions & Support
    • Filesharing Chat
    • Security & Privacy Center
    • Software Chat
    • Mobile Mania
    • Technology Talk
    • Entertainment Exchange
    • Guides & Tutorials
  • Off-Topic Chat
    • The Chat Bar
    • Jokes & Funny Stuff
    • Polling Station


  • Drivers
  • Filesharing
    • BitTorrent
    • eDonkey & Direct Connect (DC)
    • NewsReaders (Usenet)
    • Other P2P Clients & Tools
  • Internet
    • Download Managers & FTP Clients
    • Messengers
    • Web Browsers
    • Other Internet Tools
  • Multimedia
    • Codecs & Converters
    • Image Viewers & Editors
    • Media Players
    • Other Multimedia Software
  • Security
    • Anti-Malware
    • Firewalls
    • Other Security Tools
  • System
    • Benchmarking & System Info
    • Customization
    • Defrag Tools
    • Disc & Registry Cleaners
    • Management Suites
    • Other System Tools
  • Other Apps
    • Burning & Imaging
    • Document Viewers & Editors
    • File Managers & Archivers
    • Miscellaneous Applications
  • Linux Distributions


  • General News
  • File Sharing News
  • Mobile News
  • Software News
  • Security & Privacy News
  • Technology News

Find results in...

Find results that contain...

Date Created

  • Start


Last Updated

  • Start


Filter by number of...

Found 9 results

  1. Bizarro Banking Trojan Sports Sophisticated Backdoor The advanced Brazilian malware has gone global, harvesting bank logins from Android mobile users. A never-before-documented Brazilian banking trojan, dubbed Bizarro, is targeting customers of 70 banks scattered throughout Europe and South America, researchers said. According to an analysis from Kaspersky released Monday, Bizarro is a mobile malware, aimed at capturing online-banking credentials and hijacking Bitcoin wallets from Android users. It spreads via Microsoft Installer packages, which are either downloaded directly by victims from links in spam emails or installed via a trojanized app, according to the analysis. Once installed, it kills all running browser processes to terminate any existing sessions with online banking websites — so, when a user initiates a mobile banking session, they have to sign back in, allowing the malware to harvest the details. To maximize its success, Bizarro disables autocomplete in the browser, and even surfaces fake popups to snatch two-factor authentication codes, researchers added. Bizarro also has a screen-capturing module. “It loads the magnification.dll library and gets the address of the deprecated MagSetImageScalingCallback API function,” explained Kaspersky researchers. “With its help, the trojan can capture the screen of a user and also constantly monitor the system clipboard, looking for a Bitcoin wallet address. If it finds one, it is replaced with a wallet belonging to the malware developers.” And finally, Bizarro also has a main backdoor module that is capable of carrying out more than 100 commands, according to the analysis. A Fully Functional Backdoor “The core component of the backdoor doesn’t start until Bizarro detects a connection to one of the hardcoded online banking systems,” researchers explained. “The malware does this by enumerating all the windows, collecting their names. Whitespace characters, letters with accents (such as ñ or á) and non-letter symbols such as dashes are removed from the window name strings. If a window name matches one of the hardcoded strings, the backdoor continues starting up.” The commands fall into a few main camps: Commands that allow the command-and-control (C2) operators to get data about the victim and manage the connection status; for instance, one asks for Bizarro’s version, OS name, computer name, Bizarro’s unique identifier, installed antivirus software and the codename used for the bank that has been accessed. Commands that allow attackers to search for and steal the files located on the victim’s hard drive, and those that allow adversaries to install files on the victim device. Commands that allow attackers to control the user’s mouse and keyboard. Commands that allow the attackers to control the backdoor operation, shut down, restart or destroy the operating system, and limit the functionality of Windows. Commands that log keystrokes. Commands that display various messages that trick users into giving attackers access to bank accounts, including fake popup windows (i.e., messages like “the data entered is incorrect, please try again”; error messages asking the user to enter a confirmation code; and those that tell the user that their computer needs to be restarted in order to finish a security-related operation). Commands that enable Bizarro to mimic online banking systems. According to Kaspersky, “To display such messages, Bizarro needs to download a JPEG image that contains the bank logo and instructions the victim needs to follow. These images are stored in the user profile directory in an encrypted form. Before an image is used in a message, it is decrypted with a multi-byte XOR algorithm. As the messages are downloaded from the C2 server, they can be found only on the victims’ machines.” Commands that enable custom messages. “The custom messages that Bizarro may show are messages that freeze the victim’s machine, thus allowing the attackers to gain some time,” according to the analysis. “When a command to display a message like this is received, the taskbar is hidden, the screen is greyed out and the message itself is displayed. While the message is shown, the user is unable to close it or open Task Manager. The message itself tells the user either that the system is compromised and thus needs to be updated or that security and browser performance components are being installed. This type of message also contains a progress bar that changes over time.” Joining the Tétrade, Going Global Bizarro is active in Argentina, Chile, France, Germany, Italy, Portugal and Spain, researchers said. This global spread is typical of a group of banking malware strains originating in Brazil, consisting of Grandoreiro, Guildma, Javali and Melcoz. Collectively known as “the Tétrade” (translated as “a group of four”) these families employ a range of innovative and sophisticated techniques on the technical side as well. Bizarro is the latest to join the club (which, incidentally, makes the collective group name a bit of a misnomer). Researchers said that Bizarro is supported by a fairly extensive operation, which includes using affiliates and recruiting money mules to perform a variety of functions. The various duties include carrying out initial attacks to gain a foothold on victim devices; helping with cashouts to launder ill-gotten funds; and even translation help. “Cybercriminals are constantly looking for new ways to spread malware that steals credentials for e-payment and online banking systems,” said Fabio Assolini, security expert at Kaspersky, in a statement. “Today, we witness a game-changing trend in banking malware distribution – regional actors actively attack users, not only in their region but also around the globe. Implementing new techniques, Brazilian malware families started distributing to other continents, and Bizarro, which targets users from Europe, is the clearest example of this. It should serve as a sign for greater emphasis on the analysis of regional criminals and local threat intelligence, as soon enough it could become a problem of global concern.” Source: Bizarro Banking Trojan Sports Sophisticated Backdoor
  2. Experts warn of a new Android banking trojan stealing users' credentials Cybersecurity researchers on Monday disclosed a new Android trojan that hijacks users' credentials and SMS messages to facilitate fraudulent activities against banks in Spain, Germany, Italy, Belgium, and the Netherlands. Called "TeaBot" (or Anatsa), the malware is said to be in its early stages of development, with malicious attacks targeting financial apps commencing in late March 2021, followed by a rash of infections in the first week of May against Belgium and Netherlands banks. The first signs of TeaBot activity emerged in January. "The main goal of TeaBot is stealing victim's credentials and SMS messages for enabling frauds scenarios against a predefined list of banks," Italian cybersecurity, and online fraud prevention firm Cleafy said in a Monday write-up. "Once TeaBot is successfully installed in the victim's device, attackers can obtain a live streaming of the device screen (on demand) and also interact with it via Accessibility Services." The rogue Android application, which masquerades as media and package delivery services like TeaTV, VLC Media Player, DHL, and UPS, acts as a dropper that not only loads a second-stage payload but also forces the victim into granting it accessibility service permissions. In the last link of the attack chain, TeaBot exploits the access to achieve real-time interaction with the compromised device, enabling the adversary to record keystrokes, in addition to taking screenshots and injecting malicious overlays on top of login screens of banking apps to steal credentials and credit card information. Other capabilities of TeaBot include disabling Google Play Protect, intercepting SMS messages, and accessing Google Authenticator 2FA codes. The collected information is then exfiltrated every 10 seconds to a remote server controlled by the attacker. Android malware abusing accessibility services as a stepping stone for perpetrating data theft has witnessed a surge in recent months. Since the start of the year, at least three different malware families — Oscorp, BRATA, and FluBot — have banked on the feature to gain total control of the infected devices. Interestingly, the fact that TeaBot employs the same decoy as that of Flubot by posing as innocuous shipment apps could be an attempt to mislead attribution and stay under the radar. The heightened FluBot infections prompted Germany and the U.K. to issue alerts last month warning of ongoing attacks via fraudulent SMS messages that trick users into installing "spyware that steals passwords and other sensitive data." Source: Experts warn of a new Android banking trojan stealing users' credentials
  3. IcedID Banking Trojan Surges: The New Emotet? A widespread email campaign using malicious Microsoft Excel attachments and Excel 4 macros is delivering IcedID at high volumes, suggesting it’s filling the Emotet void. The banking trojan known as IcedID appears to be taking the place of the recently disrupted Emotet trojan, according to researchers. IcedID (a.k.a. BokBot), bears similarities to Emotet in that it’s a modular malware that started life as a banking trojan used to steal financial information. Increasingly though, it’s being used as a dropper for other malware, researchers noted – also just like Emotet. The malware has been circulating at increasing rates, thanks to a spate of email campaigns using Microsoft Excel spreadsheet file attachments, according to Ashwin Vamshi and Abhijit Mohanta, researchers with Uptycs. In fact, in the first three months of the year, Uptyc’s telemetry flagged more than 15,000 HTTP requests from more than 4,000 malicious documents, the majority of which (93 percent) were Microsoft Excel spreadsheets using the extensions .XLS or .XLSM. If opened, targets would be asked to “enable content” to view the message. Enabling the content allows embedded Excel 4 macro formulas to execute. “.XLSM supports the embedding of Excel 4.0 macro formulas used in Excel spreadsheet cells,” according to an analysis published on Wednesday. “Attackers leverage this functionality to embed arbitrary commands, which usually download a malicious payload from the URL using the formulas in the document.” The URLs generally belong to legitimate but compromised websites, they added. Looking deeper into the activity, they were able to see similarities between all of the attacks, suggesting a coordinated campaign. For instance, the documents were all given vanilla business-related names, such as “overdue,” “claim” or “complaint and compensation claim,” along with a random series of numbers. And, the HTTP requests all delivered a second-stage executable file (either an .EXE or .DLL file), obfuscated with a fake extension — either .DAT, .GIF or .JPG. In reality, the files were either the IcedID or QakBot malware families. From an evasion-detection perspective, the macros also all used three techniques to stay hidden: “Upon investigation, we identified three interesting techniques used to hinder analysis,” the researchers noted. “Hiding macro formulas in three different sheets; masking the macro formula using a white font on white background; and shrinking the cell contents and making the original content invisible.” Will IcedID Replace Emotet? Emotet, which up until its disruption in January was packaged into an average of 100,000 to a half-million emails sent per day – that prompted Europol to call it the “world’s most dangerous malware.” Emotet is often used as a first-stage loader, tasked with retrieving and installing secondary malware payloads, including Qakbot, the Ryuk ransomware and TrickBot. Its operators often rent its infrastructure to other cybercriinals in a malware-as-a-service (MaaS) model. However, “Operation LadyBird,” a global takedown effort at the beginning of the year, disrupted hundreds of botnet servers supporting Emotet and eliminated active infections on more than 1 million endpoints worldwide. The malware hasn’t really seen a resurgence since then, leaving a void in the cybercrime market when it comes to initial access options. The volume of circulating IcedID samples led Uptycs researchers to believe that it’s a likely candidate to become the new Emotet. “Based on this increasing trend, we believe that IcedID will emerge as an incarnation of Emotet after its disruption,” Vamshi and Mohanta noted. “IcedID has also been recently reported to deploy ransomware operations, moving towards a MaaS model to distribute malware.” The good news is that companies have options to protect themselves against these well-known trojans. “IcedID, Emotet, and many other malware strains share a few elements that make it easier to stop them from affecting an infrastructure,” Dirk Schrader, global vice president of security research at New Net Technologies, told Threatpost. “They might be sophisticated in the way they hide in an office document, however, that is only the first step of the infection chain. IcedID is not different from others as it also attempts to download – to drop – additional components. For these first two steps, monitoring system integrity is key, control changes happening on any device.” Source: IcedID Banking Trojan Surges: The New Emotet?
  4. Metamorfo Banking Trojan Abuses AutoHotKey to Avoid Detection A legitimate binary for creating shortcut keys in Windows is being used to help the malware sneak past defenses, in a rash of new campaigns. The Metamorfo banking trojan is abusing AutoHotKey (AHK) and the AHK compiler to evade detection and steal users’ information, researchers have warned. AHK is a scripting language for Windows originally developed to create keyboard shortcuts (i.e., hot keys). According to the Cofense Phishing Defense Center (PDC), the malware (a.k.a. Mekotio) is targeting Spanish-language users using two separate emails as an initial infection vector. One is a purported request to download a password-protected file; and the other is an elaborate spoofed notification about pending legal documents, with a link that downloads a .ZIP file. Metamorfo Abusing AHK In both cases, the malicious code is contained in a .ZIP file that’s ultimately downloaded to victim computers. It contains three files: the legitimate AHK compiler executable (.EXE), a malicious AHK script (.AHK) and the banking trojan itself (.DLL). These are unpacked into a randomly named file housed in C:\\ProgramData. A script will then run the AHK compiler, the AHK compiler will execute the AHK script, and the AHK script will finally load Metamorfo into the AHK compiler memory. “[Metamorfo] will then operate from within the AHK compiler process, using the signed binary as a front to make detection more difficult for endpoint solutions,” researchers explained, in a posting on Thursday. For persistence, copies of all three files are also placed in a new folder. “It will then use a run key to initiate the execution chain every time the system restarts by executing the renamed copy of the AHK compiler,” according to the report. Metamorfo Resurgence in LatAm, Europe Metamorfo started life as a Latin American banking trojan, first discovered in April 2018, in various campaigns that share key commonalities (like the use of “spray-and-pray” spam tactics). Its campaigns however have small, “morphing” differences — which is the meaning behind its name. A variant that emerged in February 2020, for instance, kills the auto-suggest data entry fields in browsers, forcing victims to write out their passwords – which it then tracks via a keylogger. That trick is also present in the latest attacks, according to the PDC, with cybercrooks targeting customers of banks in Latin America and Europe (including France, Portugal and Spain). Metamorfo monitors browser activity looking for targeted banks, which are listed in the form of strings in the AHK compiler process memory, researchers explained. When a victim opens one of the targeted banking pages, Metamorfo overlays it with a fake version of the webpage designed to harvest credentials. “[Metamorfo] disables specific registry browser values associated with password and form suggestions and autocompletion,” researchers said. “This forces the user to type in sensitive information, even if they have it saved in their browser history, allowing the malware to capture credentials with its keylogging capabilities.” This version of the trojan can also monitor Bitcoin addresses copied to a clipboard and replace them with one belonging to the attackers. “As of this writing, this specific attacker address had a balance of 0.01957271 BTC, approximately $800,” researchers said. Metamorfo’s Banking Trojan Infection Routine The PDC encountered two main mechanisms for delivering the payload in these campaigns. In the first instance, there is a .ZIP file containing an MSI file that includes a malicious domain harboring 32 and 64-bit versions of a second .ZIP file; and in the second scenario the original .ZIP file drops a shortcut file containing a malicious Finger command. Finger.exe is a native Windows command that allows the retrieval of information about a remote user. “The Custom Actions table of these MSI files enables the incorporation of custom code to the installation package and is often abused by attackers,” said the researchers. “[The table] shows an action titled ‘dqidwlCTIewiuap’ containing obfuscated JavaScript. The JavaScript is responsible for downloading the correct version of the .ZIP file from the payload site, unzipping its contents, renaming and placing it into a new randomly named folder.” In the second instance, a command is used to contact a server, which displays the contents of a hosted file in a command shell. The file in question is a PowerShell script that will run in this shell. “The script carries out similar actions to the MSI: it downloads a ZIP file, renames it, copies it to a newly created folder and unzips it there,” researchers explained. “The PDC also saw both tactics combined in at least one case, by incorporating the malicious Finger command directly into the MSI Custom Actions table.” Users can protect themselves by being wary of what files they download and also by checking their machines for random new file folders in the Windows Program Data directory. “The main takeaway is that legitimate binaries can be leveraged as a façade for malicious activity,” researchers concluded. “Vigilance is key. If a file or process is not meant to be there, it’s best to check.” Source: Metamorfo Banking Trojan Abuses AutoHotKey to Avoid Detection
  5. RTM Cybergang Adds New Quoter Ransomware to Crime Spree The Russian-speaking RTM threat group is targeting organizations in an ongoing campaign that leverages a well-known banking trojan, brand new ransomware strain and extortion tactics. The Russian-speaking group behind the infamous RTM banking trojan is now packing a trifecta of threats as it turns up the heat – part of a massive new money-grab campaign. Beyond the banking malware it is known for, attackers have enlisted a recently-discovered ransomware family called Quoter as part of a new double-extortion cyberattack strategy. The triple-threat attack, which started its “active phase” in December 2020 and is ongoing, has hit at least ten Russian organizations in the transport and finance sectors via malicious email messages, according to Kaspersky in a report released this week. Should the money-stealing tactics of RTM group’s hallmark Trojan-Banker.Win32.RTM payload fail, the attackers have a backup plan. Plan “B” is deploy a never-before-seen ransomware family, which researchers are calling Quoter. The name Quoter is derived from the fact the ransomware code embeds various popular quotes. Next, if attackers hit a brick wall, they try to extort money from victims, threatening that they will release breached data stolen from the targets if they don’t pay up. “What’s remarkable about this story is the evolution of the group behind the RTM ransomware,” according to a translation of Kaspersky’s research report. They said the group has gone far beyond its tried-and-true methods of “making money” – via extortion and doxing. They added, it’s unusual for Russian-speaking cybercriminals to attack organizations in Russia, although, the ransomware is also used in targeted attacks outside the country. RTM Email Attack: Downloading RTM Trojan Kaspersky said that the initial infection phase of the campaign initially hit corporations back in mid-2019, when several companies reported receiving various phishing emails with corporate-themed headings. These included subject lines that included such terms as “Subpoena,” “Request for refund,” “Closing documents” or “Copies of documents for the last month.” The text of the email was brief and asked email recipients to open an attached file for more detailed information. If the email recipient opened the attachment, Trojan-Banker.Win32.RTM was installed. The Trojan-Banker.Win32.RTM (also known as the RTM Trojan) is a popular banking trojan. According to a Kaspersky report in November, Trojan-Banker.Win32.RTM was the fifth most popular banking malware family in the third quarter of 2020, taking 7.4 percent of the share behind Emotet, Zbot and more. “RTM Trojan has always been linked to RTM group,” Sergey Golovanov, principal security researcher with Kasperksy GReAT, told Threatpost. “It was created specifically for accounting software and has a whole array of functions including remote access and search functions optimized for scanning accounting software. It can search for all mentions about banking clients, many organizations that it looks for and targets. Back in the days there were many programs like this, this one is the last, at least in Russia.” As in this attack, the malware is typically distributed via malicious emails (using messages disguised as accounting or finance correspondence) and once installed provides attackers with full control over the infected systems. After initial infection, attackers used legitimate remote access programs, to avoid detection, for lateral movement within companies’ local networks. These programs include LiteManager, remote control and administration software for Windows, Linux and MacOS. Once downloaded, the RTM trojan typically substitutes account details, while a victim attempts to make a payment or transfer funds. According to Kaspersky, the RTM trojan can also be used by attackers to manually transfer money from victim’s accounts using remote access tools. Quoter Ransomware Should the banking trojan’s methods fail, researchers found that attackers used their initial foothold on systems in order to deploy a never-before-seen ransomware, which they called Ransom.Win32.Quoter. “Quoter is very small, very fast and compiled on GCC,” Golovanov told Threatpost. “On average the attackers asked for 1 million USD as payment.” The ransomware encrypted the contents of computers, using the AES-256 algorithm, and left a message demanding a ransom. The code of these encrypted file included several popular quotes. For instance, Golovanov said, one discovered quote referenced bible verse Ezekiel 25: “I will execute great vengeance upon them with furious rebukes. And they shall know that I am the Lord when I lay My vengeance upon them.” Researchers said, “by this time, several months had passed since the RTM had been consolidated in the organization’s network.” Double-Extortion Tactics If victims failed to pay the ensuing ransom demand, attackers have yet another trick up their sleeves. Here, the RTM group relied on a ransomware tactic called double extortion. They hold compromised data for ransom and threaten to release or leak it if the victims don’t pay up. “If the backup plan did not work for one reason or another, then after a couple of weeks the attackers switched to blackmail,” said researchers. Victims receive a message that their data has been stolen a would cost a million dollars (in Bitcoin) to return – or the confidential data would be posted on the internet for free download. Double extortion is an increasingly popular tactic amongst ransomware actors. The tactic, which first emerged in late 2019 by Maze operators, has been rapidly adopted over the past few months by various cybercriminals behind the Clop, DoppelPaymer and Sodinokibi ransomware families. Source: RTM Cybergang Adds New Quoter Ransomware to Crime Spree
  6. The Ursnif Trojan has hit over 100 Italian banks Avast researchers reported that the infamous Ursnif Trojan was employed in attacks against at least 100 banks in Italy. Avast experts recently obtained information on possible victims of Ursnif malware that confirms the interest of malware operators in targeting Italian banks. Operators behind this attacks have stolen financial data and credential from targeted financial institutions. “Among the countries Ursnif has significantly impacted is Italy, a fact that we found reflected in the information our researchers obtained.” reads the analysis published by Avast. “Specifically we found usernames, passwords, credit card, banking and payment information that appears to have been stolen from Ursnif victims by the malware operators. We saw evidence of over 100 Italian banks targeted in the information we obtained. We also saw over 1,700 stolen credentials for a single payment processor.” According to data obtained by Avast, at least 100 Italian banks have been targeted with the Ursnif Trojan and in one case, crooks stolen over 1,700 sets of credentials from an unnamed payment processor. Ursnif is one of the most and widespread common threats today delivered through malspam campaigns. It appeared on the threat landscape about 13 years ago and gained its popularity since 2014 when its source code was leaked online giving the opportunity to several threat actors to develop their own version. Avast researchers shared their findings with the impacted payment processors and banks and Italian authorities and financial CERTs, including CERTFin. “With this information these companies and institutions are taking steps to protect their customers and help them recover from the impact of Ursnif.” concludes AVAST. Source: The Ursnif Trojan has hit over 100 Italian banks
  7. Gootkit RAT Using SEO to Distribute Malware Through Compromised Sites A framework notorious for delivering a banking Trojan has received a facelift to deploy a wider range of malware, including ransomware payloads. "The Gootkit malware family has been around more than half a decade – a mature Trojan with functionality centered around banking credential theft," Sophos researchers Gabor Szappanos and Andrew Brandt said in a write-up published today. "In recent years, almost as much effort has gone into improvement of its delivery method as has gone into the NodeJS-based malware itself." Dubbed "Gootloader," the expanded malware delivery system comes amid a surge in the number of infections targeting users in France, Germany, South Korea, and the U.S. First documented in 2014, Gootkit is a Javascript-based malware platform capable of carrying out an array of covert activities, including web injection, capturing keystrokes, taking screenshots, recording videos, as well as email and password theft. Over the years, the cybercrime tool has evolved to gain new information-stealing features, with the Gootkit loader repurposed in combination with REvil/Sodinokibi ransomware infections reported last year. While campaigns using social engineering tricks to deliver malicious payloads are a dime a dozen, Gootloader takes it to the next level. The infection chain resorts to sophisticated techniques that involve hosting malicious ZIP archive files on websites belonging to legitimate businesses that have been gamed to appear among the top results of a search query using manipulated search engine optimization (SEO) methods. What's more, the search engine results point to websites that have no "logical" connection to the search query, implying that the attackers must be in possession of a vast network of hacked websites. In one case spotted by the researchers, an advice for a real estate agreement surfaced a breached neonatal medical practice based in Canada as the first result. "To ensure targets from the right geographies are captured, the adversaries rewrite website code 'on the go' so that website visitors who fall outside the desired countries are shown benign web content, while those from the right location are shown a page featuring a fake discussion forum on the topic they've queried," the researchers said. Clicking the search result takes the user to a fake message board-like page that matches not only the search terms used in the initial query but also includes a link to the ZIP file, which contains a heavily obfuscated Javascript file that initiates the next stage of compromise to inject the fileless malware fetched from a remote server into memory. This takes the form of a multi-stage evasive approach that begins with a .NET loader, which comprises a Delphi-based loader malware, which, in turn, contains the final payload in encrypted form. In addition to delivering the REvil ransomware and the Gootkit trojan, multiple campaigns have been spotted currently leveraging the Gootloader framework to deliver the Kronos financial malware in Germany stealthily, and the Cobalt Strike post-exploitation tool in the U.S. It's still unclear as to how the operators gain access to the websites to serve the malicious injects, but the researchers suspect the attackers may have obtained the passwords by installing the Gootkit malware or purchasing stolen credentials from underground markets, or by leveraging security flaws in present in the plugins used alongside content management system (CMS) software. "The developers behind Gootkit appear to have shifted resources and energy from delivering just their own financial malware to creating a stealthy, complex delivery platform for all kinds of payloads, including REvil ransomware," said Gabor Szappanos, threat research director at Sophos. "This shows that criminals tend to reuse their proven solutions instead of developing new delivery mechanisms. Further, instead of actively attacking endpoint tools as some malware distributors do, the creators of Gootloader have opted for convoluted evasive techniques that conceal the end result," he added. Source: Gootkit RAT Using SEO to Distribute Malware Through Compromised Sites
  8. Android banking trojan ‘Gustuff’ targets over 100 banking apps and 32 cryptocurrency apps Gustuff Android banking trojan uses social engineering techniques to trick device owners into giving access to the Android Accessibility service. Instead of phishing banking account credentials and then stealing funds, this ATS service allows the trojan to directly make fund transfers from the infected user’s device. A new Android banking trojan dubbed ‘Gustuff’ is gaining momentum by Android users in recent months. Why it matters - This trojan is capable of phishing credentials and stealing funds from over 100 banking apps and 32 cryptocurrency apps. Who are its targets? Gustuff has the ability to target international banks such as Bank of America, Bank of Scotland, J.P.Morgan, Wells Fargo, Capital One, TD Bank, and PNC Bank. The Android banking trojan can also target cryptocurrency apps such as BitPay, Cryptopay, Coinbase, and Bitcoin Wallet. It can also steal credentials from various Android payment apps and messaging apps such as PayPal, Western Union, eBay, Walmart, Skype, WhatsApp, Gett Taxi, Revolut, and more. What are its capabilities? This trojan can disable Google Play Protect security feature of the Google Play Store. Gustuff can collect data such as documents, photos, and videos from infected apps. It has the ability to reset an Android device to factory settings. Besides, this Android banking trojan is capable of displaying custom push notifications disguised as an app. Upon clicking the notification, it either opens a webpage containing a phishing form that asks for credentials or opens a legitimate app, where the trojan auto-fills transaction forms and auto-approves fund transfers via the Accessibility service. How does it exploit the Android Accessibility service Researchers from Group-IB cybersecurity firm noted that the Gustuff Android banking trojan uses social engineering techniques to trick device owners into giving access to the Android Accessibility service. Accessibility service is for users with disabilities and it can automate various UI interactions and tap screen items on users’ behalf. Gustuff trojan exploits this service and runs Automatic Transfer Service (ATS). Instead of stealing banking account credentials and then stealing funds, this ATS service allows the trojan to directly make fund transfers from the infected user’s device. Using the Android Accessibility service, Gustuff implements an ATS system on the user’s device. The ATS implemented on the user’s device will open the apps and fills in the required details and credentials. It then auto-approves the fund transfer on its own. “Gustuff's unique feature is that it is capable of performing ATS with the help of the Accessibility Service. The fact that Gustuff uses [an] ATS makes it even more advanced than Anubis and RedAlert,” Rustam Mirkasymov, Head of Dynamic Analysis of Malware Department at Group-IB told ZDNet. Worth noting Group-IB researchers noted that Gustuff was never deployed inside apps that are available for download in the Google Play Store. The only way attackers distribute Gustuff is via SMS spam message that includes links to the trojan’s APK installation file. Source
  9. Popular Video Editing Software Website Hacked to Spread Banking Trojan If you have downloaded the VSDC multimedia editing software between late February to late March this year, there are high chances that your computer has been infected with a banking trojan and an information stealer. The official website of the VSDC software — one of the most popular, free video editing and converting app with over 1.3 million monthly visitors — was hacked, unfortunately once again. According to a new report Dr. Web publishedtoday and shared with The Hacker News, hackers hijacked the VSDC website and replaced its software download links leading to malware versions, tricking visitors into installing dangerous Win32.Bolik.2 banking trojan and KPOT stealer. Even more ironic is that despite being so popular among the multimedia editors, the VSDC website is running and offering software downloads over an insecure HTTP connection. Though it's unclear how hackers this time managed to hijack the website, researchers revealed that the breach was reportedly never intended to infect all users, unlike last year attack. Instead, Dr.Web researchers found a malicious JavaScript code on the VSDC website that was designed to check visitor's geolocation and replace download links only for visitors from the UK, USA, Canada, and Australia. Insecure VSDC Website Was Distributing Malware for a Month The malicious code planted on the website went unnoticed for almost a month—between 21 February 2019 and 23 March 2019—until researcher discovered it and notified VSDC developers of the threat. Targeted users were served with a dangerous banking trojan designed to perform "web injections, traffic intercepts, key-logging and stealing information from different bank-client systems." Moreover, the attackers changed the Win32.Bolik.2 trojan to KPOT Stealer, a variant of Trojan.PWS.Stealer, on March 22, which steals information from web browsers, Microsoft accounts, several messenger services and some other programs. According to the researchers, at least 565 visitors downloaded VSDC software infected with the banking trojan, while 83 users has had their systems infected with the information stealer. VSDC site has been hacked several times in the past years. Just last year, unknown hackers managed to gain administrative access to its website and replaced the download links, eventually its visitors' computers with the AZORult Stealer, X-Key Keylogger and the DarkVNC backdoor. What to Do If You're a Victim? It should be noted that just installing the clean version of the software update over the malicious package would not remove the malware code from the infected systems. So, in case you had downloaded the software between that period, you should immediately install antivirus software, with the latest up-to-date definitions, and scan your system for malware. Beside this, affected users are also recommended to change their passwords for important social media and banking websites after cleaning the systems or from a separate device. Source
  • Create New...