Mobile users in Brazil are being targeted by a new malware campaign that delivers a new Android banking trojan called Rocinante. The trojan performs keylogging by abusing the Accessibility Service, steals Personally Identifiable Information (PII) through phishing screens that pose as various banks, and supports Device Takeover (DTO), giving the operators full remote access to the infected device.
The campaign's primary targets are financial institutions such as Itaú Shop and Santander, with the malicious apps posing as legitimate banking and utility apps including Bradesco Prime and Correios Celular. Specific lures observed include Livelo Pontos, Correios Recarga, Bratesco Prine, and Módulo de Segurança.
Analysis of the source code shows that the operators refer to the malware internally as Pegasus (or PegasusSpy). That name has no connection to the cross-platform spyware developed by the commercial surveillance vendor NSO Group. Instead, the malware is believed to be the work of a threat actor known as DukeEugene, who is also associated with other malware strains such as ERMAC, BlackRock, Hook, and Loot.
ThreatFabric, a Dutch security company, has identified parts of Rocinante that are directly influenced by early versions of ERMAC, and it suspects that the 2023 leak of ERMAC's source code played a role. By ThreatFabric's assessment this would be the first known instance of an original malware family incorporating code from a leak into its own code base; the alternative explanation is that the two are separate forks of the same initial project.
Rocinante is distributed mainly through phishing sites that trick users into downloading and installing counterfeit dropper apps. Once installed, the apps request accessibility service privileges, which let them log all activity on the device, intercept SMS messages, and display phishing login pages. The accessibility grant is the pivotal step: once the user approves it, the app can read on-screen content and inject input without any further permission prompts. The malware then contacts a command-and-control (C2) server for instructions, can simulate touch and swipe events on the device, and exfiltrates the harvested personal information to a Telegram bot.
The PII captured through the phishing login pages is sent to a Telegram bot, which posts it in a chat accessible to the operators. What is captured depends on the fake login page that was shown, but it includes device details such as the model and telephone number, as well as the victim's CPF number, password, or account number.
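The accessibility, SMS, overlay and dropper behaviour described above leaves a footprint in an app's manifest that an analyst can check before the app ever runs. The script below is an added example, not part of the original article or of ThreatFabric's analysis. It assumes the manifest has already been decoded from the APK's binary XML (for instance with apktool); the sample manifest, package name and service name in it are constructed for illustration.

```python
"""Static triage of a decoded AndroidManifest.xml for the banker capability set.

Added example; not code from the original article or from ThreatFabric's analysis.
Assumes the manifest has already been decoded from binary XML (e.g. with apktool);
the sample manifest below is constructed for illustration.
"""
import xml.etree.ElementTree as ET

ANDROID_NS = "http://schemas.android.com/apk/res/android"
NAME_ATTR = f"{{{ANDROID_NS}}}name"
PERM_ATTR = f"{{{ANDROID_NS}}}permission"

# Permissions mapped to the behaviours described in the article.
PERMISSION_FLAGS = {
    "android.permission.RECEIVE_SMS": "sms-intercept",
    "android.permission.READ_SMS": "sms-intercept",
    "android.permission.SYSTEM_ALERT_WINDOW": "overlay",       # phishing screens over real apps
    "android.permission.REQUEST_INSTALL_PACKAGES": "dropper",  # installs the second-stage APK
}
# A service guarded by this permission is an accessibility service: keylogging,
# screen reading and synthetic touch/swipe input once the user grants it.
ACCESSIBILITY_PERMISSION = "android.permission.BIND_ACCESSIBILITY_SERVICE"

# Constructed sample manifest showing the full banker profile (hypothetical package).
SAMPLE_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
          package="com.example.fakebank">
  <uses-permission android:name="android.permission.INTERNET"/>
  <uses-permission android:name="android.permission.RECEIVE_SMS"/>
  <uses-permission android:name="android.permission.SYSTEM_ALERT_WINDOW"/>
  <uses-permission android:name="android.permission.REQUEST_INSTALL_PACKAGES"/>
  <application android:label="Modulo de Seguranca">
    <service android:name=".KeyService"
             android:permission="android.permission.BIND_ACCESSIBILITY_SERVICE">
      <intent-filter>
        <action android:name="android.accessibilityservice.AccessibilityService"/>
      </intent-filter>
    </service>
  </application>
</manifest>
"""


def triage_manifest(xml_text: str) -> dict:
    """Return the package name, the capability flags found and a verdict."""
    root = ET.fromstring(xml_text)
    flags = set()
    for node in root.iter("uses-permission"):
        flag = PERMISSION_FLAGS.get(node.get(NAME_ATTR, ""))
        if flag:
            flags.add(flag)
    for svc in root.iter("service"):
        if svc.get(PERM_ATTR) == ACCESSIBILITY_PERMISSION:
            flags.add("accessibility")

    # Accessibility on its own is legitimate (screen readers, automation apps);
    # accessibility combined with overlays or SMS access is the banker signature.
    if "accessibility" in flags and flags & {"overlay", "sms-intercept"}:
        verdict = "banker-like"
    elif flags:
        verdict = "review"
    else:
        verdict = "no-findings"
    return {"package": root.get("package"), "flags": sorted(flags), "verdict": verdict}


if __name__ == "__main__":
    print(triage_manifest(SAMPLE_MANIFEST))
```

The verdict deliberately requires the combination rather than any single permission: many legitimate apps declare an accessibility service, and some declare SYSTEM_ALERT_WINDOW, but a sideloaded "bank" app that declares an accessibility service together with overlay or SMS access is the profile this campaign relies on.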
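Because the exfiltration channel is the public Telegram Bot API, it is visible in egress logs as requests to api.telegram.org whose path begins with bot followed by the bot's numeric id, a colon and its secret. The detection below is an added example, not code from the original article; the log line layout, the log entries, the bot ids and the tokens in it are constructed, while the Bot API URL shape it matches on is Telegram's documented scheme.

```python
"""Flag Telegram Bot API traffic in egress logs (exfiltration and command polling).

Added example; not code from the original article. The Bot API URL shape
(https://api.telegram.org/bot<id>:<secret>/<method>) is Telegram's public scheme;
the log format and the log lines below are constructed for illustration.
"""
import re
from dataclasses import dataclass

BOT_URL = re.compile(
    r"https?://api\.telegram\.org/bot(?P<id>\d+):(?P<secret>[A-Za-z0-9_-]{20,})/(?P<method>[A-Za-z]+)"
)
# Methods a bot uses to push data out (exfil) versus pull operator commands (C2).
METHOD_CATEGORY = {
    "sendMessage": "exfil",
    "sendDocument": "exfil",
    "sendPhoto": "exfil",
    "getUpdates": "c2-poll",
}
# Assumed log line layout: <timestamp> <src_ip> "<user_agent>" <http_method> <url>
LINE = re.compile(r'^(\S+) (\S+) "([^"]*)" (\S+) (\S+)$')

# Constructed sample log: two Android HTTP clients talking to bots, one browser user
# visiting the Telegram web client (which is not a Bot API call).
SAMPLE_LOG = """\
2024-08-30T10:01:02Z 10.0.0.14 "okhttp/4.9.0" POST https://api.telegram.org/bot7123456789:AAHxyz0123456789abcdefghijklmnopqrstuvw/sendMessage
2024-08-30T10:01:03Z 10.0.0.22 "Mozilla/5.0 (X11; Linux)" GET https://web.telegram.org/
2024-08-30T10:01:05Z 10.0.0.14 "okhttp/4.9.0" GET https://api.telegram.org/bot7123456789:AAHxyz0123456789abcdefghijklmnopqrstuvw/getUpdates
2024-08-30T10:01:09Z 10.0.0.31 "Dalvik/2.1.0 (Linux; Android 13)" POST https://api.telegram.org/bot5550001111:BBtoken_with_underscores-and-dashes99/sendDocument
"""


@dataclass
class Alert:
    src_ip: str
    user_agent: str
    bot_id: str
    method: str
    category: str
    redacted_url: str  # safe to paste into a ticket: the secret half of the token is removed


def detect_telegram_bot_traffic(log_text: str, allowlist: frozenset = frozenset()) -> list:
    """Return one Alert per Bot API call, skipping bot ids on the allowlist
    (for example the organisation's own monitoring bots)."""
    alerts = []
    for line in log_text.splitlines():
        m = LINE.match(line)
        if not m:
            continue
        _ts, src_ip, user_agent, _http_method, url = m.groups()
        hit = BOT_URL.search(url)
        if not hit or hit["id"] in allowlist:
            continue
        category = METHOD_CATEGORY.get(hit["method"], "other")
        alerts.append(Alert(src_ip, user_agent, hit["id"], hit["method"], category,
                            url.replace(hit["secret"], "<redacted>")))
    return alerts


if __name__ == "__main__":
    for a in detect_telegram_bot_traffic(SAMPLE_LOG):
        print(f"{a.category:8} {a.src_ip:10} bot {a.bot_id} {a.method} via {a.user_agent!r}")
```

Two points worth keeping from this: the bot id in the URL identifies the operator's bot and survives redaction, so it can be shared with Telegram or other defenders, and a getUpdates call from a device is the bot polling for operator commands rather than sending data, which is why it is categorised separately. In most fleets, any non-allowlisted Bot API call from a mobile HTTP client User-Agent such as okhttp or Dalvik is a low-noise alert.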
This campaign follows Symantec's discovery of another banking trojan campaign, targeting Spanish- and Portuguese-speaking regions, that abuses the secureserver[.]net domain. That attack starts with malicious URLs pointing to an archive containing an obfuscated .hta file, which leads to a JavaScript payload that performs multiple anti-VM and anti-AV checks before downloading the final AutoIT payload. The final payload steals banking information and credentials and exfiltrates them to a C2 server.
Separately, an "extensionware-as-a-service" offering has surfaced for sale on Genesis Market, designed to steal sensitive information from users in the Latin American (LATAM) region through malicious web browser extensions. Genesis Market was shut down by law enforcement in early 2023 but has since resurfaced. The activity, attributed to an e-crime group named Cybercartel, primarily targets Mexico and other LATAM nations.
The malicious Google Chrome extension poses as a legitimate application, and users are tricked into installing it from compromised websites or through phishing campaigns. Once installed, the extension injects JavaScript into the web pages the user visits. That code can intercept and manipulate page content and capture sensitive data such as login credentials and credit card information, depending on the specific campaign and the information targeted. Because the injected script runs inside the page itself, transport encryption offers no protection: the data is read before it is ever sent.
In summary, the Rocinante campaign against mobile users in Brazil illustrates how banking trojans now combine keylogging, phishing overlays and full device takeover in a single payload, with the accessibility service as the common enabler. Users should avoid sideloading apps from outside official stores, treat any app's request for accessibility service access as a red flag unless the app plainly needs it, and keep their devices updated with the latest security patches.