Tag: Banking | Page 5

‘Anatsa’ malware targets banking users in US, UK and Central Europe

June 27, 2023/in Computer Security

A mobile malware campaign targeting banking apps has been observed targeting users in the U.S., the U.K. and Central Europe.

Dubbed “Anatsa” by researchers at ThreatFabric B.V., the banking Trojan is distributed through malicious apps in the Google Play Store and is estimated to have had over 30,000 installations since March. Anatsa has advanced device-takeover capabilities that can circumvent existing fraud control mechanisms.

The malware is said to have been active since 2020 but has shifted focus over the years, with the current campaign targeting banking apps, particularly in Germany. According to the researchers, Anatsa’s target list includes almost 600 financial applications worldwide, with the malware stealing customers’ mobile banking application credentials to initiate fraudulent transactions.

Once installed, Anatsa makes a request to a page hosted on GitHub, where the dropper obtains a URL to download the payload, also hosted on GitHub. The payloads masquerade as an add-on to the original application.

After first detecting the campaign in March, the ThreatFabric researchers reported it to Google and it was removed from the Play Store. However, a month later, those behind Anatsa returned with a new app posing as a PDF viewer, with the malware masquerading as an add-on.

The researchers note that the choice of disguise for these malicious applications observed confirms the trend seen for droppers on Google Play. Droppers tend to impersonate file-management-related applications.

The new app was reported to Google again and removed, but in the ultimate game of Whac-A-Mole, every time the apps were removed, new apps appeared. The researchers note that the speed at which the actors return with a new dropper after the previous one is removed is notable in itself, given that the coding can take anywhere from a few days and several weeks.

“It is crucial for companies to remain vigilant regarding the ever-evolving capabilities of attackers who constantly innovate their methodologies,” Pedro Fortuna, co-founder and chief technology officer of JaveScript protection company Jscrambler S.A., told SiliconANGLE. “Similarly, users must exercise caution when…

Source…

Hackers Targeting Italian Corporate Banking Clients with New Web-Inject Toolkit DrIBAN

May 5, 2023/in Internet Security

May 05, 2023Ravie Lakshmanan

Italian corporate banking clients are the target of an ongoing financial fraud campaign that has been leveraging a new web-inject toolkit called drIBAN since at least 2019.

“The main goal of drIBAN fraud operations is to infect Windows workstations inside corporate environments trying to alter legitimate banking transfers performed by the victims by changing the beneficiary and transferring money to an illegitimate bank account,” Cleafy researchers Federico Valentini and Alessandro Strino said.

The bank accounts, per the Italian cybersecurity firm, are either controlled by the threat actors themselves or their affiliates, who are then tasked with laundering the stolen funds.

The use of web injects is a time-tested tactic that makes it possible for malware to inject custom scripts on the client side by means of a man-in-the-browser (MitB) attack and intercept traffic to and from the server.

The fraudulent transactions are often realized by means of a technique called Automated Transfer System (ATS) that’s capable of bypassing anti-fraud systems put in place by banks and initiating unauthorized wire transfers from a victim’s own computer.

Over the years, the operators behind drIBAN have gotten more savvy at avoiding detection and developing effective social engineering strategies, in addition to establishing a foothold for long periods in corporate bank networks.

Cleafy said 2021 was the year when the classic “banking trojan” operation evolved into an advanced persistent threat. Furthermore, there are indications that the activity cluster overlaps with a 2018 campaign mounted by an actor tracked by Proofpoint as TA554 targeting users in Canada, Italy, and the U.K.

The attack chain begins with a certified email (or PEC email) in an attempt to lull victims into a false sense of security. These phishing emails come bearing an executable file that acts as a downloader for a malware called sLoad (aka Starslord loader).

A PowerShell loader, sLoad is a reconnaissance tool that collects and exfiltrates information from the compromised host, with the purpose of assessing the target and dropping a more significant payload like Ramnit if the target is…

Source…

Mobile Threat Chains: Patterns of Attack Against APAC Banks

April 23, 2023/in Video

New Chameleon banking trojan is stealing account info — what you need to know

April 13, 2023/in Computer Security

A newly discovered Android banking trojan could be hiding among your other apps. One with the ability to change its app icon as it steals your passwords, text messages and other sensitive data.

According to a new report (opens in new tab) by the cybersecurity firm Cyble, security researchers discovered a new banking trojan that they have dubbed “Chameleon,” based on the commands used by the malware powering it.

The Chameleon banking trojan has been active since January of this year, and (like other Android malware) it abuses the operating system’s Accessibility Service to perform malicious activities. However, one thing that sets it apart from other banking trojans is the fact that Chameleon pretends to be other popular apps and can even change its icon to hide in plain sight.

So far, Cyble’s researchers have observed the banking trojan using the icons of ChatGPT, Chrome and other apps though it also uses pictures of popular cryptocurrencies like Bitcoin or Litecoin to disguise itself as well.

Stealing account info and disabling Google Play Protect

Based on Cyble’s investigation, it appears that malicious apps used to spread the Chameleon banking trojan are distributed through hacked websites, Discord attachments and Bitbucket hosting services.

Even though Chameleon is still relatively new and is in the early stages of development, it already has a wide range of malicious capabilities and the banking trojan can perform keylogging, launch overlay attacks, harvest SMS text messages, prevent itself from being uninstalled, steal cookies and automatically uninstall itself.

Another interesting capability already found in Chameleon is its lock grabber which can steal a victim’s device password.

One thing that makes this new malware strain particularly dangerous is that it can disable Google Play Protect on an infected smartphone. For those unfamiliar, Google Play Protect is Google’s own Android antivirus app which scans both your existing apps and any new apps you download for malware and removes them.

Another interesting capability already found in Chameleon is its lock grabber which can steal a victim’s device password. Surprisingly, the lock grabber can even identify whether…

Source…

Tag Archive for: Banking