Tag Archive for: Banking

GoldDigger Android trojan targets Vietnamese banking apps, code contains hints of wider targets • The Register


Singapore-based infosec outfit Group-IB on Thursday released details of a new Android trojan that abuses the operating system’s accessibility features to steal personal information, including banking credentials.

The security research outfit wrote that the trojan, named GoldDigger, currently targets Vietnamese banking apps – but includes code suggesting its developers plan wider attacks. Between June 2023, when it spotted GoldDigger, and late August, Group-IB identified 51 financial organization applications targeted by the trojan. The security firm is unsure how many devices have been infected, or how much money has been stolen.

The malware makes its way onto devices after users visit fake websites that manipulate them into downloading the app. Once installed, GoldDigger requests access to Android’s Accessibility Service – the feature designed to assist users with disabilities by allowing apps to interact with each other and modify the user interface.

Permission to use the Accessibility Service means GoldDigger can monitor and manipulate a device’s functions, view personal information such as banking app credentials and the content of SMS messages, and send that info to command-and-control servers. A code snippet found by the researchers suggests the malware attempts to bypass two-factor authentication, and is designed to fool banking apps into treating its activity as legitimate transactions.

“We have not confirmed that the Trojan operators use these capabilities at the time of writing. However, based on the behavior of other known Trojans similar to GoldDigger, we don’t think they differ significantly,” explained Group-IB.

“We are definitely observing a significant increase in the Android malware strains abusing the Accessibility Service. For Android malware trends, there is a noticeable shift away from the traditional use of web fakes,” Sharmine Low, malware analyst at Group-IB, told The Register. Low said using the Accessibility Function was a “much more invasive approach compared to generating individual web fake files for each specific target.”

GoldDigger’s developers have left clues that their ambitions may reach beyond Vietnam. The malware includes translations…

Source…

New Android Banking Malware Poses as Government App

Cybercriminals continue making malware for profit, with a recent report uncovering ASMCrypt, advertised in underground forums and related to the DoubleFinger loader.

In the cybercrime landscape, researchers at Securelist have also reported on new Lumma stealer and Zanubis Android banking malware versions.

Researchers discovered an ad for ASMCrypt, a cryptor/loader variant designed to avoid AV/EDR detection, resembling the DoubleFinger loader.

However, researchers strongly suspect ASMCrypt is an evolved DoubleFinger version, acting as a ‘front’ for a TOR network service, though with some differences in operation.


New Android Banking Malware

Buyers get the ASMCrypt binary, which connects to the malware’s TOR backend using hardcoded credentials and then displays the options menu.

Options menu (Source – Securelist)

The available options are:

  • Stealth injection method
  • Invisible injection method
  • The process the payload should be injected into
  • Folder name for startup persistence
  • Whether the malware itself masquerades as Apple QuickTime
  • Or whether it masquerades as a legitimate application that sideloads the malicious DLL

Once the options are chosen and the build button pressed, the app conceals an encrypted blob in a .png file to be uploaded to an image hosting site. Simultaneously, the cybercriminals create and distribute the malicious DLL or binary, the report reads.

  • Lumma: This stealer is written in C++ and is also known by other names: Arkei stealer, Vidar, Oski, and Mars. It has maintained its core function of stealing crypto wallet data since May 2018. Lumma, which has a 46% code overlap with Arkei, is the latest variant; it first appeared in August 2022 and spreads via a deceptive website posing as a .docx-to-.pdf converter.
Code snippet of the “debugging” sample (figure)

Source…

Hardware Security Modules Market to grow by USD 982.86 million between 2021 – 2026 | Growth Driven by Rising use of Internet banking and digital payments


NEW YORK, Sept. 17, 2023 /PRNewswire/ — The Hardware Security Modules Market report has been added to Technavio’s offering. With ISO 9001:2015 certification, Technavio has proudly partnered with more than 100 Fortune 500 companies for over 16 years. The potential growth difference for the hardware security modules market between 2021 and 2026 is USD 982.86 million. The rising use of Internet banking and digital payments drives the hardware security modules market. Consumers use smartphones to make online transactions at any time. Digital wallets are becoming the most popular mode of payment due to various features. The features include easy registration and login, robust merchant and consumer payment processing capability, and a user-friendly dashboard. Factors such as the growing need for faster checkouts at retail outlets, the high adoption of EMV cards, effective information management among retailers, and the increased focus on secure payments contribute to the growth of the global hardware security market. Hence, such factors drive the growth of the hardware security modules market during the forecast period. Get deeper insights into the market size, current market scenario, future growth opportunities, major growth driving factors, the latest trends, and much more. Buy the full report here

  • Market Challenge – The high preliminary acquisition cost challenges the growth of the hardware security modules market. Generally, hardware security modules developed with older generations of expertise pose significant barriers to adoption. High prices for hardware security modules are driven by features such as secure cryptographic processing, a tamper-proof environment for key protection and management, and the certification requirements needed to meet compliance standards. These are required as organizations need to meet the quality standards. As the cost…

Source…

New Python Variant of Chaes Malware Targets Banking and Logistics Industries


Sep 05, 2023 | THN | Cyber Threat / Malware

Banking and logistics industries are under the onslaught of a reworked variant of a malware called Chaes.

“It has undergone major overhauls: from being rewritten entirely in Python, which resulted in lower detection rates by traditional defense systems, to a comprehensive redesign and an enhanced communication protocol,” Morphisec said in a new detailed technical write-up shared with The Hacker News.

Chaes, which first emerged in 2020, is known to target e-commerce customers in Latin America, particularly Brazil, to steal sensitive financial information.

A subsequent analysis from Avast in early 2022 found that the threat actors behind the operation, who call themselves Lucifer, had breached more than 800 WordPress websites to deliver Chaes to users of Banco do Brasil, Loja Integrada, Mercado Bitcoin, Mercado Livre, and Mercado Pago.

Further updates were detected in December 2022, when Brazilian cybersecurity company Tempest Security Intelligence uncovered the malware’s use of Windows Management Instrumentation (WMI) in its infection chain to facilitate the collection of system metadata, such as BIOS, processor, disk size, and memory information.

The latest iteration of the malware, dubbed Chae$ 4 in reference to debug log messages present in the source code, packs in “significant transformations and enhancements,” including an expanded catalog of services targeted for credential theft as well as clipper functionalities.

Despite the changes in the malware architecture, the overall delivery mechanism has remained the same in attacks that were identified in January 2023.

Potential victims landing on one of the compromised websites are greeted by a pop-up message asking them to download an installer for Java Runtime or an antivirus solution, triggering the deployment of a malicious MSI file that, in turn, launches a primary orchestrator module known as ChaesCore.

The component is responsible for establishing a communication channel with the command-and-control (C2) server, from which it fetches additional modules that support post-compromise activity and data theft:

  • Init, which gathers extensive information about the system
  • Online, which…

Source…