Tag Archive for: Banking

Hackers Update Vultur Banking Malware With Remote Controls


Cybercrime, Fraud Management & Cybercrime, Governance & Risk Management

Attackers Can Now Download, Alter and Delete Files – Plus Click, Scroll and Swipe


Threat actors are tricking banking customers with SMS texts into downloading new and improved banking malware named Vultur that interacts with infected devices and alters files.


First documented in March 2021 by ThreatFabric, Vultur garnered attention for its misuse of legitimate applications such as AlphaVNC and ngrok, which gave attackers remote access to the VNC server running on targeted devices. Vultur also automated screen recording and keylogging to harvest credentials.

The latest iteration of this Android banking malware boasts a broader range of capabilities and enables attackers to assume control of infected devices, hinder application execution, display customized notifications, circumvent lock-screen protections and conduct various file-related operations such as downloading, uploading, installing, searching and deleting.

The new functionalities primarily focus on remote interaction with compromised devices, although Vultur still relies on AlphaVNC and ngrok for remote access, said NCC Group security researchers in a report on Thursday.

Vultur’s creators also…


Authorities Dismantle Grandoreiro Banking Malware Operation


Group-IB, a cybersecurity firm, helped INTERPOL and Brazil dismantle the Grandoreiro banking trojan operation; its threat intelligence and investigative expertise was key to the effort.

Malware samples collected during independent investigations in Brazil and Spain (2020-2022) were analyzed by Group-IB and other partners, which helped track the constantly shifting infrastructure of the attackers and pinpoint the active command and control server.

The combined effort led to the arrest of five administrators in January 2024.

Grandoreiro, a major threat since 2017, used phishing emails mimicking legitimate organizations to target victims in Spanish-speaking countries.

The malware steals financial data through a multi-pronged approach: it monitors keystrokes to capture login credentials, simulates mouse clicks to carry out potentially fraudulent transactions, shares the victim’s screen for real-time session hijacking, and displays deceptive pop-ups to trick users into disclosing sensitive information.

Targeting bank accounts, the malware specifically gathers usernames and bank identifiers, giving criminals unauthorized access with which they can take complete control of the victim’s account and siphon funds.

To launder the money, the operators employ a money mule network, likely transferring stolen funds to Brazil. Estimates suggest the malware has defrauded victims of over EUR 3.5 million, and losses could have exceeded EUR 110 million had all attempted thefts succeeded.

In response to a cybercrime campaign targeting Spanish banks with Grandoreiro malware, Brazilian and Spanish authorities independently collected samples between 2020 and 2022.

To improve their investigations, they collaborated with INTERPOL’s Cyber Crime Unit, and Group-IB, a cybersecurity firm, joined the effort to analyze the malware samples.

Their threat intelligence and cyber investigation specialists played a key role in dissecting the Grandoreiro samples, enabling investigators to track the malware’s ever-changing network infrastructure and pinpoint the command and control server’s IP address.


Sneaky Chameleon Banking Malware Defeats Biometric Security On Android, Steals PINs


Security researchers first spotted the Chameleon Android malware this past spring. This pervasive banking trojan has now evolved into something much more dangerous. Through a series of fake system dialogs, the malware attempts to obtain the Android Accessibility service, which effectively gives Chameleon the keys to the kingdom, allowing it to modify security settings, steal passcodes and raid personal data.

When Chameleon first popped up, it posed as crypto, banking, and government apps. Now, the malware uses the Zombinder service, which attaches malicious apps to legitimate ones. The user believes they’ve installed a particular app, and it appears to work normally, but the malware comes along for the ride. The creators of Zombinder claim the sidecar virus is undetectable by Google Protect security and Chameleon is using this platform to pose as Google Chrome.

The other new twist for Chameleon is the way it tries to gain deeper access to the system. Android’s Accessibility service allows trusted apps to emulate buttons, control the screen, or disable features to help disabled individuals use their phones more efficiently. However, the capabilities granted through Accessibility can also be used to compromise the device, so Google has clamped down on how devs can use these APIs. Apps can’t just flip the Accessibility switch on their own. It’s a multistep process, so the updated Chameleon malware has added an HTML pop-over that guides the user through the steps. Because the malware is hiding behind a legitimate app (in this case Chrome), the user might not know anything is amiss.

When Chameleon has Accessibility control, it will disable the biometric unlock method. As soon as the user unlocks their device with a PIN or password, the malware records it for later use. The malware can then wake up at any time and unlock the device to upload stolen personal information and login data.

Chameleon has also gained support for Android’s AlarmManager API, which gives apps the ability to wake up in the…


Toyota Financial Services ransom attack exposes customer banking info


Toyota Financial Services (TFS) says personal details, including bank account information, were compromised in last month’s ransomware attack claimed by the Medusa ransomware gang.

The European branch of the Japanese automaker’s vehicle financing and leasing subsidiary sent a notice to affected individuals informing them of the exposure.

On December 5th, TFS also announced the breach on its website, stating that “unauthorized persons had gained access to personal data.”

“As announced on November 16th, Toyota Financial Services Europe & Africa has detected unauthorized activity on systems at a limited number of locations, including Toyota Kreditbank GmbH in Germany,” the post stated, translated from German.

TFS provides auto loans, leases, and other financial services to Toyota customers on every continent.

Toyota Deutschland GmbH is an affiliated company held by Toyota Motor Europe (TME) in Brussels, Belgium and located in Köln (Cologne).

The breach notification letter, also sent in German, explains that certain Toyota Kreditbank GmbH (TKG) files were accessed during the attack.


At this time, TFS can confirm the compromised information of those affected includes first and last names, as well as their residential postal code.

Other contract information that may have been exposed includes “contract amount, possible dunning status, and your IBAN (International Bank Account Number),” the letter stated.

“We regret any inconvenience this may have caused to customers and business partners,” TFS wrote.

“It’s not clear how the attackers initially gained access to Toyota’s systems, but with unauthorized access being detected, this could indicate stolen credentials were involved,” said Mike Newman, CEO of My1Login.

Data frequently reveals that phishing and credential theft are two of the most common attack vectors used to deploy ransomware, Newman explained.

Newman said the incident is yet another example of “how criminals hold all the power when it comes to ransomware,” adding that for groups like Medusa, the money-making opportunities are endless.

“It doesn’t matter if the organization pays the ransom demand, attackers always have the upper hand as they can still…
