Deceitful Trojan Rocinante Masquerades as Banking Applications to Purloin Confidential Details from Brazilian Android Users

A fresh malicious scheme has set its sights on mobile users in Brazil, employing a novel Android banking trojan dubbed Rocinante.

“This malicious code is adept at executing keylogging operations through the Accessibility Service and is equipped to snatch Personally Identifiable Information (PII) by deploying deceitful screens disguised as various banking entities,” noted the Dutch security firm ThreatFabric.

“In addition, the trojan has the capacity to utilize all the pilfered data to perpetrate Device Takeover (DTO) on the affected device by exploiting the accessibility service privileges to establish complete remote control over the compromised device.”

Among the high-profile targets of this malware are financial institutions such as Itaú Shop and Santander, with the counterfeit apps posing as Bradesco Prime and Correios Celular, among other entities:

  • Livelo Points (com.resgatelivelo.cash)
  • Correios Recharge (com.correiosrecarga.android)
  • Bradesco Prime (com.resgatelivelo.cash)
  • Security Module (com.viberotion1414.app)
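A defender-side triage helper, added here as an example and not part of the ThreatFabric report or this article: it takes the text output of two standard adb commands (`adb shell pm list packages` and `adb shell settings get secure enabled_accessibility_services`), flags the package names listed above, and reports which installed apps currently hold Accessibility Service rights, since that is the privilege Rocinante abuses for keylogging and device takeover. The adb outputs below are constructed samples.

```python
"""Triage helper (added example): match installed Android packages against
the Rocinante package names from the article and list which apps hold
Accessibility Service rights. The two sample outputs are constructed."""
import re

# Package names named in the article (Bradesco Prime reuses the first one).
ROCINANTE_PACKAGES = {
    "com.resgatelivelo.cash",
    "com.correiosrecarga.android",
    "com.viberotion1414.app",
}

# Constructed sample of `adb shell pm list packages`
SAMPLE_PM_LIST = """package:com.android.chrome
package:com.correiosrecarga.android
package:com.google.android.youtube
package:com.viberotion1414.app
"""

# Constructed sample of `adb shell settings get secure enabled_accessibility_services`
# (a ':'-separated list of <package>/<service>; the literal "null" means none)
SAMPLE_A11Y = ("com.google.android.marvin.talkback/.TalkBackService:"
               "com.viberotion1414.app/.AccessService")


def installed_packages(pm_output: str) -> set:
    """Parse 'package:<name>' lines into a set of package names."""
    return {m.group(1) for m in re.finditer(r"^package:(\S+)$", pm_output, re.M)}


def enabled_accessibility_packages(setting_value: str) -> set:
    """Return the package part of every enabled accessibility service entry."""
    if not setting_value or setting_value.strip() == "null":
        return set()
    return {entry.split("/")[0] for entry in setting_value.split(":") if entry}


def triage(pm_output: str, setting_value: str) -> dict:
    """Report known-bad packages present and which of them have accessibility rights."""
    installed = installed_packages(pm_output)
    a11y = enabled_accessibility_packages(setting_value)
    hits = installed & ROCINANTE_PACKAGES
    return {
        "known_bad_installed": sorted(hits),
        "known_bad_with_accessibility": sorted(hits & a11y),
        "all_accessibility_packages": sorted(a11y),
    }


if __name__ == "__main__":
    print(triage(SAMPLE_PM_LIST, SAMPLE_A11Y))
```

Any unfamiliar package in `all_accessibility_packages` deserves a look even when it is not on the known-bad list, because the package names in a new dropper build will differ.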

Examination of the source code of the malicious program has unveiled that Rocinante is internally referred to as Pegasus (or PegasusSpy) by the operators. It should be noted that the name Pegasus does not have any ties to a cross-platform spyware concocted by the commercial surveillance provider NSO Group.

That said, analyses indicate that Pegasus is attributed to a threat actor designated as DukeEugene, who is also recognized for developing comparable malware variants like ERMAC, BlackRock, Hook, and Loot, as outlined in a recent review presented by Silent Push.

ThreatFabric has revealed that elements of the Rocinante malware bear a resemblance to early versions of ERMAC; however, it is believed that the leakage of ERMAC’s source code in 2023 might have had an influence.

“This marks the first instance where an original strain of malware has incorporated code from the leak and integrated certain segments of it into their code,” the firm highlighted. “It is also conceivable that these two iterations are distinct offshoots of the same initial project.”

The dissemination of Rocinante primarily occurs through phishing platforms aimed at duping unsuspecting individuals into installing fake dropper apps which, upon installation, request accessibility service privileges to monitor all activities on the compromised device, intercept SMS messages, and furnish deceitful login pages.

Furthermore, the trojan establishes communication with a command-and-control (C2) server and awaits further directives, such as mimicking touch and swipe interactions, which can be executed remotely. The swindled personal data is dispatched to a Telegram bot.

“The bot filters out valuable PII collected using fake login pages impersonating the target banks. Subsequently, it posts this data in a formatted layout to a chat that cybercriminals can access,” highlighted ThreatFabric.

“The information varies slightly based on the specific bogus login page used to procure it and encompasses device specifics such as model and phone number, CPF number, password, or account details.”

In parallel, Symantec has drawn attention to another campaign involving a banking trojan malware that leverages the secureserver[.]net domain to ensnare Spanish and Portuguese-speaking regions.

“The multi-step assault kicks off with malevolent URLs leading to an archive containing a disguised .hta file,” stated the corporation owned by Broadcom in its declaration.

“This file points to a JavaScript payload that runs multiple checks for AntiVM and AntiAV before fetching the final AutoIT payload. Employing process injection, this payload is loaded with the objective of stealing banking data and credentials from the victim’s system and transmitting them to a C2 server.”

Furthermore, there has been an emergence of a novel “extensionware-as-a-service” marketed for purchase through an enhanced version of the Genesis Marketplace. This new variant, which targets users in the Latin American (LATAM) territory, endeavors to purloin sensitive details via malign web browser extensions distributed on the Chrome Web Store.

The operation, which has been active since mid-2023 and targets Mexico and other LATAM nations, has been ascribed to an online crime consortium named Cybercartel, which provides these services to other cybercriminal groups. The extensions are currently inaccessible for download.

“The fraudulent Google Chrome extension camouflages itself as a legitimate tool, ensnaring users into installing it from compromised sites or phishing drives,” remarked security experts Ramses Vazquez and Karla Gomez from the Metabase Q Ocelot Threat Intelligence Team, as reported in their statement.

“Upon installation of the extension, it introduces JavaScript code into the web pages visited by the user. This code has the capacity to intercept and manipulate the content of the pages, alongside harvesting sensitive data like login credentials, credit card information, and other user input, contingent upon the specific campaign and the type of data being targeted.”
