Cell customers in Brazil are the goal of a brand new malware marketing campaign that delivers a brand new Android banking trojan named Rocinante.
“This malware household is able to performing keylogging utilizing the Accessibility Service, and can be in a position to steal PII from its victims utilizing phishing screens posing as completely different banks,” Dutch safety firm ThreatFabric stated.
“Lastly, it might probably use all this exfiltrated info to carry out system takeover (DTO) of the system, by leveraging the accessibility service privileges to realize full distant entry on the contaminated system.”
A few of the outstanding targets of the malware embody monetary establishments resembling Itaú Store, Santander, with the phony apps masquerading as Bradesco Prime and Correios Celular, amongst others –
- Livelo Pontos (com.resgatelivelo.money)
- Correios Recarga (com.correiosrecarga.android)
- Bratesco Prine (com.resgatelivelo.money)
- Módulo de Segurança (com.viberotion1414.app)
Supply code evaluation of the malware has revealed that Rocinante is being internally referred to as by the operators as Pegasus (or PegasusSpy). It is value noting that the identify Pegasus has no connections to a cross-platform spy ware developed by industrial surveillance vendor NSO Group.
That stated, Pegasus is assessed to be the work of a menace actor dubbed DukeEugene, who can be recognized for related malware strains resembling ERMAC, BlackRock, Hook, and Loot, per a current evaluation by Silent Push.
ThreatFabric stated it recognized components of the Rocinante malware which can be instantly influenced by early iterations of ERMAC, though it is believed that the leak of ERMAC’s supply code in 2023 might have performed a task.
“That is the primary case during which an unique malware household took the code from the leak and applied just a few a part of it of their code,” it identified. “It is usually potential that these two variations are separate forks of the identical preliminary venture.”
Rocinante is especially distributed by way of phishing websites that goal to trick unsuspecting customers into putting in the counterfeit dropper apps that, as soon as put in, requests for accessibility service privileges to report all actions on the contaminated system, intercept SMS messages, and serve phishing login pages.
It additionally establishes contact with a command-and-control (C2) server to await additional directions – simulating contact and swipe occasions – to be executed remotely. The harvested private info is exfiltrated to a Telegram bot.
“The bot extracts the helpful PII obtained utilizing the bogus login pages posing because the goal banks. It then publishes this info, formatted, right into a chat that criminals have entry to,” ThreatFabric famous.
“The data barely adjustments primarily based on which faux login web page was used to acquire it, and contains system info resembling mannequin and phone quantity, CPF quantity, password, or account quantity.”
The event comes as Symantec highlighted one other banking trojan malware marketing campaign that exploits the secureserver[.]internet area to focus on Spanish and Portuguese-speaking areas.
“The multistage assault begins with malicious URLs resulting in an archive containing an obfuscated .hta file,” the Broadcom-owned firm stated.
“This file results in a JavaScript payload that performs a number of AntiVM and AntiAV checks earlier than downloading the ultimate AutoIT payload. This payload is loaded utilizing course of injection with the purpose of stealing banking info and credentials from the sufferer’s system and exfiltrating them to a C2 server.”
It additionally follows the emergence of a brand new “extensionware-as-a-service” that is marketed on the market via a brand new model of the Genesis Market, which was shuttered by regulation enforcement in early 2023, and designed to steal delicate info from customers within the Latin American (LATAM) area utilizing malicious internet browser extensions propagated on the Chrome Internet Retailer.
The exercise, energetic since mid-2023 and focusing on Mexico and different LATAM nations, has been attributed to an e-crime group named Cybercartel, which affords a majority of these companies to different cybercriminal crews. The extensions are not obtainable for obtain.
“The malicious Google Chrome extension disguises itself as a official utility, tricking customers into putting in it from compromised web sites or phishing campaigns,” safety researchers Ramses Vazquez of Karla Gomez of the Metabase Q Ocelot Menace Intelligence Crew stated.
“As soon as the extension is put in, it injects JavaScript code into the net pages that the person visits. This code can intercept and manipulate the content material of the pages, in addition to seize delicate information resembling login credentials, bank card info, and different person enter, relying on the particular marketing campaign and the kind of info being focused.”