Researchers have observed a significant increase in attempts to spread the Anatsa Banking Trojan under the veil of legitimate-looking PDF and QR code reader apps on the Google Play store. Also known as TeaBot, the malware employs dropper applications that appear harmless to users, deceiving them into unwittingly installing the malicious payload, said researchers at cybersecurity firm Zscaler. Once installed, Anatsa extracts sensitive banking credentials and financial information from various global financial applications. It achieves this through overlay and accessibility techniques, allowing it to discreetly intercept and collect data.

Distribution and Impact of Anatsa Banking Trojan

Two malicious payloads linked to Anatsa were found in the Google Play store, distributed by threat actors. The campaign impersonated PDF reader and QR code reader applications to attract numerous installations. The high number of installations, which had surpassed 70,000 at the time of analysis, further convinced victims of the applications' legitimacy. Anatsa employs remote payloads retrieved from Command and Control (C&C) servers to perform additional malicious activities. The dropper application contains encoded links to remote servers, from which the subsequent stage payload is downloaded. Along with the payload, the malware fetches a configuration file from the remote server to execute the next stage of the attack.

Anatsa Infection Steps

The Anatsa banking trojan works by employing a dropper application and executing a payload to launch its malicious activities. Dropper Application:

• The fake QR code application downloads and loads the DEX file.
• The application uses reflection to invoke code from the loaded DEX file.
• Configuration for loading the DEX file is downloaded from the C&C server.

Payload Execution:

• After downloading the next stage payload, Anatsa performs checks on the device environment to detect analysis environments and malware sandboxes.
• Upon successful verification, it downloads the third and final stage payload from the remote server.

Malicious Activities:

• The malware injects uncompressed raw manifest data into the APK, deliberately corrupting the compression parameters in the manifest file to hinder analysis.
• Upon execution, the malware decodes all encoded strings, including those for C&C communication.
• It connects with the C&C server to register the infected device and retrieve a list of targeted applications for code injections.

Data Theft:

• After receiving a list of package names for financial applications, Anatsa scans the device for these applications.
• If a targeted application is found, Anatsa communicates this to the C&C server.
• The C&C server then supplies a counterfeit login page for the banking operation.
• This fake login page, displayed within a JavaScript Interface (JSI) enabled web view, tricks users into entering their banking credentials, which are then transmitted back to the C&C server.

[caption id="attachment_71735" align="aligncenter" width="1038"] Anatsa Banking Trojan Attack Chain (Source: Zscaler)[/caption] The Anatsa banking trojan is increasing in prevalence and infiltrates the Google Play store disguised as benign applications. Using advanced techniques such as overlay and accessibility, it stealthily exfiltrates sensitive banking credentials and financial data. By injecting malicious payloads and employing deceptive login pages, Anatsa poses a significant threat to mobile banking security.

Best Practices to Stop the Anatsa Trojan

To protect against such threats, Cyble's Research and Intelligence Labs suggests following essential cybersecurity best practices:

• Install Software from Official Sources: Only download software from official app stores like the Google Play Store or the iOS App Store.
• Use Reputable Security Software: Ensure devices, including PCs, laptops, and mobile devices, use reputable antivirus and internet security software.
• Strong Passwords and Multi-Factor Authentication: Use strong passwords and enable multi-factor authentication whenever possible.
• Be Cautious with Links: Be careful when opening links received via SMS or emails.
• Enable Google Play Protect: Always have Google Play Protect enabled on Android devices.
• Monitor App Permissions: Be wary of permissions granted to applications.
• Regular Updates: Keep devices, operating systems, and applications up to date.

By adhering to these practices, users can establish a robust first line of defense against malware and other cyber threats, Cyble researchers said. Media Disclaimer: This report is based on internal and external research obtained through various means. The information provided is for reference purposes only, and users bear full responsibility for their reliance on it. The Cyber Express assumes no liability for the accuracy or consequences of using this information.

Source: www.techrepublic.com – Author: Cedric Pernet A new report from IBM X-Force exposes changes in the Grandoreiro malware landscape. The banking trojan is now capable of targeting more than 1,500 global banks in more than 60 countries, and it has been updated with new features. Also, Grandoreiro’s targeting has become wider, as it initially only […]

La entrada IBM X-Force Report: Grandoreiro Malware Targets More Than 1,500 Banks in 60 Countries – Source: www.techrepublic.com se publicó primero en CISO2CISO.COM & CYBER SECURITY GROUP.

The Antidot Android banking trojan is a new threat on the surface web, disguising itself as a Google Play update, targeting Android users worldwide. The android banking trojan is a stealthy malware strategically designed to infiltrate devices, harvest sensitive information, and wreak havoc across diverse language-speaking regions. Revealed by cybersecurity experts at Cyble Research and Intelligence Labs (CRIL), the Antidot banking trojan represents a sophisticated evolution in mobile malware. Unlike its predecessors, Antidot employs a range of malicious tactics, including overlay attacks, keylogging, and VNC features, to compromise devices and extract valuable data.

Decoding the Antidot Android Banking Trojan Campaign

[caption id="attachment_68993" align="alignnone" width="1447"] Source: Cyble[/caption] At its core, Antidot masquerades as a legitimate Google Play update application, luring unsuspecting users into its trap. Upon installation, it presents counterfeit Google Play update pages meticulously crafted in various languages, including German, French, Spanish, Russian, Portuguese, Romanian, and English. This strategic approach indicates a broad spectrum of targets, spanning multiple regions and demographics. [caption id="attachment_68994" align="alignnone" width="1536"] Source: Cyble[/caption] Behind its deceptive façade, Antidot operates with alarming sophistication. Leveraging overlay attacks as its primary modus operandi, the Trojan seamlessly overlays phishing pages onto legitimate applications, capturing sensitive credentials without the user's knowledge.  Additionally, Antidot integrates keylogging functionality, surreptitiously recording keystrokes to further enhance its data harvesting capabilities.

Sophisticated Communication and Control (C&C) Server

[caption id="attachment_68996" align="alignnone" width="1232"] Source: Cyble[/caption] Antidot maintains a stealthy line of communication with its Command and Control (C&C) server, facilitating real-time interaction for executing commands and transmitting stolen data. Through WebSocket communication, the malware establishes bidirectional connections, enabling seamless coordination between the infected devices and the malicious actors behind the scenes. [caption id="attachment_68998" align="alignnone" width="1071"] Source: Cyble[/caption] One of Antidot's most insidious features is its implementation of VNC (Virtual Network Computing), enabling remote control of infected devices. By leveraging the MediaProjection feature, the Trojan captures and transmits display content to the C&C server, allowing attackers to remotely execute commands and manipulate device functions. [caption id="attachment_69000" align="alignnone" width="1483"] Source: Cyble[/caption] To combat the growing threat posed by Antidot and similar Android banking trojans, cybersecurity experts from Cyble recommend adhering to essential best practices. These include downloading software from official app stores like Google Play or the iOS App Store.  Users can also utilize reputable antivirus and internet security software on all connected devices. Other precautionary methods include enforcing strong passwords and enabling multi-factor authentication whenever possible. Exercise caution when clicking on links received via SMS or email. Keep devices, operating systems, and applications up to date to mitigate potential vulnerabilities. Media Disclaimer: This report is based on internal and external research obtained through various means. The information provided is for reference purposes only, and users bear full responsibility for their reliance on it. The Cyber Express assumes no liability for the accuracy or consequences of using this information.

Microsoft patched a zero-day vulnerability exploited by attackers to distribute QakBot and other malware payloads on susceptible Windows systems. Identified as CVE-2024-30051, this vulnerability is a privilege escalation flaw resulting from a heap-based buffer overflow in the Desktop Window Manager (DWM) core library. Successful exploitation grants attackers “SYSTEM privileges,” Microsoft said.

“These types of bugs are usually combined with a code execution bug to take over a target and are often used by ransomware (actors),” said Dustin Childs of the Zero Day Initiative.

Introduced in Windows Vista, the Desktop Window Manager (dwm.exe) is a compositing window manager that renders all GUI effects in Windows like transparent windows, live taskbar thumbnails, Flip3D, and even high-resolution monitor support. Applications do not draw directly on the screen. Instead, they write their window images to a specific spot in memory. Windows then combines and creates a “composite” of all these windows into one view before sending it to the monitor. This allows Windows to add effects like transparency and animations while displaying the windows. Kaspersky researchers uncovered this vulnerability while investigating another Windows DWM Core Library privilege escalation bug tracked as CVE-2023-36033, also exploited as a zero-day in attacks. While analyzing data related to recent exploits and associated attacks, Kaspersky researchers discovered an intriguing file uploaded to VirusTotal on April 1. The file's name hinted that it contained details on a Windows vulnerability. The file had information regarding a Windows DWM vulnerability – written in broken English - that could be exploited to escalate privileges to SYSTEM level, with the exploitation process nearly mirroring the one used in CVE-2023-36033 attacks, “but the vulnerability was different,” researchers said. Initially skeptical due to the document's quality and lack of crucial details on exploiting the vulnerability, further investigation confirmed the legitimacy of another zero-day vulnerability capable of privilege escalation. Kaspersky promptly reported it to Microsoft, leading to its designation as CVE-2024-30051 and subsequent patching in this month’s Patch Tuesday.

Zero-Day Exploited by QakBot

Following the reporting to Microsoft, Kaspersky continued monitoring for exploits and attacks leveraging this flaw.

“In mid-April we discovered an exploit for this zero-day vulnerability. We have seen it used together with QakBot and other malware and believe that multiple threat actors have access to it,” Kaspersky said.

Security researchers at Google Threat Analysis Group, DBAPPSecurity WeBin Lab, and Google-owned Mandiant also reported the zero-day to Microsoft, pointing to likely widespread exploitation in malware attacks, Childs said.

“Don’t wait to test and deploy this update as exploits are likely to increase now that a patch is available to reverse engineer,” said Childs.

The U.S. Cybersecurity and Infrastructure Security Agency also added CVE-2024-30051 to its Known Exploited Vulnerabilities catalog and directed all federal agencies to complete the patching process by June 4. Kaspersky plans to disclose technical specifics of CVE-2024-30051 once users have had adequate time to update their Windows systems.

QakBot’s Journey from Banking Trojan to Initial Access Broker

QakBot, also known as Qbot, emerged as a banking trojan in 2008 and was used to steal credentials, website cookies, and credit cards to commit financial fraud. QakBot operators evolved over the years into initial access brokers, partnering with other threat groups to provide initial access to enterprise and home networks for ransomware attacks, espionage, and data theft. QakBot’s infrastructure was taken down in August 2023 following a multinational law enforcement operation spearheaded by the FBI and known as “Operation Duck Hunt.” But Microsoft identified the resurgence of QakBot in phishing campaigns targeting the hospitality industry in December. Law enforcement linked QakBot infections to 700,000 victim computers which included ransomware attacks targeting businesses, healthcare providers, and government agencies worldwide, which according to conservative estimates caused hundreds of millions of dollars in damage. Throughout the years, Qakbot served as an initial infection vector for various ransomware gangs and their affiliates, including Conti, ProLock, Egregor, REvil, RansomExx, MegaCortex, and most recently Black Basta.

Another Zero-Day Fix

Microsoft patched 59 CVEs in its May 2024 Patch Tuesday release, with one rated “critical,” 57 rated as “important” and one rated as “moderate.” The patch also contains a fix for another zero-day flaw other that the one exploited by QakBot. The other bug, tracked as CVE-2024-30040, is rated "important" on the CVSS scale and is a Windows MSHTML platform security feature bypass vulnerability. MSHTML is a proprietary browser engine for the Microsoft Windows version of Internet Explorer.

“This vulnerability bypasses OLE mitigations in Microsoft 365 and Microsoft Office which protect users from vulnerable COM/OLE controls,” Microsoft said.

A hacker who socially-engineers a victim into opening a malicious document would be able to execute arbitrary code by passing OLE mitigations in the Microsoft suite of office applications. Media Disclaimer: This report is based on internal and external research obtained through various means. The information provided is for reference purposes only, and users bear full responsibility for their reliance on it. The Cyber Express assumes no liability for the accuracy or consequences of using this information.

Finland has warned of an ongoing Android malware campaign that targets banking details of its victims by enticing them to download a malicious counterfeit McAfee app. Finland's Transport and Communications Agency – Traficom - issued a warning last week about an ongoing Android malware campaign that aims to withdraw money from the victim's online bank accounts. Traficom said this campaign exclusively targets Android devices, with no separate infection chain identified for Apple iPhone users. The agency has identified multiple cases of SMS messages written in Finnish language, instructing recipients to call a specified number. These messages often impersonate banks or payment service providers like MobilePay and utilize spoofing technology to appear as if they originate from domestic telecom operators or local networks. [caption id="attachment_66875" align="aligncenter" width="1024"] Finnish language smishing message (Credit: Traficom)[/caption] The scammers answering these calls direct victims to install a McAfee app under the guise of providing protection. However, the McAfee app being promoted is, in fact, malware designed to compromise victims' bank accounts. According to reports received by the Cyber Security Center, targets are prompted to download a McAfee application via a link provided in the message. This link leads to the download of an .apk application hosted outside the app store for Android devices. Contrary to expectations, this is not antivirus software but malware intended for installation on the phone. The OP Financial Group, a prominent financial service provider in Finland, also issued an alert on its website regarding these deceptive messages impersonating banks or national authorities. The police have similarly emphasized the threat posed by this malware, warning that it enables operators to access victims' banking accounts and initiate unauthorized money transfers. In one reported case, a victim lost 95,000 euros (approximately $102,000) due to the scam.

Vultur Android Malware Campaign Trademarks

While Finnish authorities have not definitively identified the type of malware involved or shared specific hashes or IDs for the APK files, the attacks bear a striking resemblance to those reported by Fox-IT analysts in connection with a new version of the Vultur trojan. [caption id="attachment_66873" align="alignnone" width="1024"] Vultur Trojan infection chain (Credit: Fox-IT)[/caption] The new iteration of the Vultur trojan employs hybrid smishing and phone call attacks to persuade targets into downloading a fake McAfee Security app. This app introduces the final payload in three separate parts for evasion purposes. Notable features of this latest version include extensive file management operations, abuse of Accessibility Services, app blocking, disabling Keyguard, and serving custom notifications in the status bar.

Things to Do If You Suspect Being Victim

If you suspect that your device has been infected with the malware, it is advisable to contact your bank immediately to enable protection measures. Additionally, restoring "factory settings" on the infected Android device to wipe all data and apps is recommended. OP Financial Group emphasizes that they do not request customers to share sensitive data over the phone or install any apps to receive or cancel payments. “We will never send you messages with a link to the online bank login page. The bank also never asks you for your ID or card information via messages. Such messages are scams and you should not click on the links in them,” the OP Financial Group said. “Even in order to receive or cancel a payment, you do not need to log in from a link, confirm with codes or provide your information. If you are asked to do this, contact the bank's customer service.” Any similar requests should also be promptly reported to the police. The news of the online banking fraud comes days after a multi-national police operation crack opened a massive fraudulent call center network run across Europe that targeted especially senior citizens with an intent to dupe them of thousands of dollars. The crack down, dubbed Operation Pandora, was initiated when a vigilant bank teller in Freiburg, Germany, alerted law enforcement of a customer aged 76-years attempting to withdraw a large sum of money. Scammers employed various tactics, posing as relatives, bank employees or police officers, to deceive victims into surrendering their savings. The operation revealed call centers operating in different countries, each specializing in different types of telephone fraud, from investment scams to debt collection demands. Media Disclaimer: This report is based on internal and external research obtained through various means. The information provided is for reference purposes only, and users bear full responsibility for their reliance on it. The Cyber Express assumes no liability for the accuracy or consequences of using this information.

Cybercriminals are targeting Mac users interested in cryptocurrency opportunities with fake calendar invites. During the attacks the criminals will send a link supposedly to add a meeting to the target’s calendar. In reality the link runs a script to install Mac malware on the target’s machine.

Cybersecurity expert Brian Krebs investigated and flagged the issue.

Scammers, impersonating cryptocurrency investors, are active on Telegram channels to get interested people to attend a meeting about a future partnership.

One of those investors called Signum Capital tweeted a warning on X in January that one of their team members was being impersonated on Telegram and sending out invites by direct message (DM).

Heads up! A fake account pretending to be one of our team members is going around DM-ing people on Telegram.

The screenshots below is from the scammer please take note and be alert. pic.twitter.com/6hFcUsaGtZ

— Signum Capital (@Signum_Capital) January 22, 2024

The criminals reach out to targets by DM on Telegram and ask if they have an interest in hearing more about the opportunity in a call or meeting. If they show interest they will be sent a fabricated invitation for a meeting. When the times comes to join the meeting the invitation link doesn’t work. The scammers tell the victim it’s a known issue, caused by a regional access restriction, which can be solved by running a script.

We asked Malwarebytes Director of Core Technology and resident Apple expert Thomas Reed to look at this method. This isn’t the first time criminals have used scripts to compromise users, he told us.

“AppleScript has been used against Mac users with moderate frequency by malware creators over the years. It has the advantage of being very easy to write, and if compiled, is also extremely difficult to reverse engineer.”

According to Reed, AppleScripts can be provided in a few different forms. One is a simple .scpt file that opens in Apple’s Script Editor app. This has a few drawbacks for criminals: A victim would need to click something within Script Editor to run the script, and they would able to see the code, which might be a problem because AppleScript tends to be more human readable than most other scripts. However, there are ways to obfuscate what the code is doing, and many users won’t bother to read it anyway.

Another option is an AppleScript applet. This is something that acts like a normal Mac app. It contains a basic AppleScript executable and the script to be run. In this form, the script can be code signed, notarized, given an icon, and otherwise made to appear more trustworthy. The code could be pretty bland, and unlikely to trigger any kind of detection from Apple’s notarization process, but could download and execute something less trustworthy.

Scripts have another advantage for criminals, Reed warned.

“AppleScripts also have the advantage of being able to very easily get administrator permissions.”

A script that attempts to run a command with administrator privileges will ask users to authenticate, triggering a password dialog.

If the user enters their password, the script doesn’t actually get to see it, but everything else the script attempts to do “with administrator privileges” will successfully run as root without further authentication. This makes it very easy for the script to show a standard authentication request dialog and trick the user into giving root permissions.

“So, in summary, AppleScript can be quite effective for writing malware. In fact, some malware has been written exclusively – or almost exclusively – in AppleScript, such as OSX.DubRobber or OSX.OSAMiner.”

In this case, the script was a simple Apple Script that downloaded and executed a macOS-oriented Trojan. The nature of the Trojan is unknown, but it certainly won’t surprise anyone if it turns out it was a banking Trojan that specializes in stealing cryptocurrencies.

Recognizing the scam

To avoid falling victim to these scammers, it’s good to know a few of their tactics.

• Targets are approached by DM on Telegram.
• Topics are cryptocurrency investment opportunities.
• The scammers have a preference for the Calendly scheduling platform.
• A fake “regional access restriction” creates a sense of last minute urgency.
• The script had the .scpt (Apple script) extension.
• The script was hosted on a domain that pretended to be a meeting support site.

The presence of Mac malware is unfortunately still underestimated, but you can find protection by Malwarebytes for Mac and protect Mac endpoints in your environment by ThreatDown solutions.

---

We don’t just report on threats—we remove them

Cybersecurity risks should never spread beyond a headline. Keep threats off your devices by downloading Malwarebytes today.

For the most popular operating system in the world—which is Android and it isn’t even a contest—there’s a sneaky cyberthreat that can empty out a person’s bank accounts to fill the illicit coffers of cybercriminals.

These are “Android banking trojans,” and, according to our 2024 ThreatDown State of Malware report, Malwarebytes detected an astonishing 88,500 of them last year alone.

While the 2024 ThreatDown State of Malware report focuses heavily on the corporate security landscape today, make no mistake: Android banking trojans pose a serious threat to everyday users. They are well-disguised, hard to detect in regular use, and are a favorite hacking tool for cybercriminals who want to automate the theft of online funds for themselves.

What are Android banking trojans?

The idea behind Android banking trojans—and all cyber trojans—is simple: Much like the fabled “Trojan Horse” which, the story goes, carried a violent surprise for the city of Troy, Android banking trojans can be found on the internet disguised as benign, legitimate mobile apps that, once installed on a device, reveal more sinister intentions.  

By masquerading as everyday mobile apps for things like QR code readers, fitness trackers, and productivity or photography tools, Android banking trojans intercept a person’s online interest in one app, and instead deliver a malicious tool that cybercriminals can abuse later on.

But modern devices aren’t so faulty that an errant mobile app download can lead to full device control or the complete revelation of all your private details, like your email, social media, and banking logins. Instead, what makes Android banking trojans so tricky is that, once installed, they present legitimate-looking permissions screens that ask users to grant the new app all sorts of access to their device, under the guise of improving functionality.

Take the SharkBot banking trojan, which Malwarebytes detects and stops. Last year, Malwarebytes found this Android banking trojan hiding itself as a file recovery tool called “RecoverFiles.” Once installed on a device, “RecoverFiles” asked for access to “photos, videos, music, and audio on this device,” along with extra permissions to access files, map and talk to other apps, and even send payments via Google Play.

These are just the sorts of permissions that any piece of malware needs to dig into your personally identifiable information and your separate apps to steal your usernames, passwords, and other important information that should be kept private and secure.

Still, the tricks behind “RecoverFiles” aren’t yet over.

Not only is the app a clever wrapper for an Android banking trojan, it could also be considered a hidden wrapper. Once installed on a device, the “RecoverFiles” app icon itself does not show up on a device’s home screen. This stealth maneuver is similar to the features of stalkerware-type apps, which can be used to non-consensually spy on another person’s physical and digital activity.

But in the world of Android banking trojan development, cybercrminals have devised far more devious schemes than simple camouflage.

Slipping under the radar

The problem with the Ancient Greeks’ Trojan Horse strategy is that it could only work once—if you don’t sack Troy the first time, you better believe Troy is going to implement some strict security controls on all future big horse gifts.

The makers of Android banking trojans have to overcome similar (and far more advanced) security measures from Google. As the Google Play store has become the go-to marketplace for Android apps, cybercriminals try to place their malicious apps on Google Play to catch the highest number of victims. But Google Play’s security measures frequently detect malware and prevent it from being listed.

So, what’s a cybercriminal to do?

In these instances, cybercriminals make an application that is seemingly benign, but, once installed on a device, executes a line of code that actually downloads malware from somewhere else on the internet. This is how cybercriminals recently snuck their malware onto Google Play and potentially infected more than 100,000 users with the Anatsa banking trojan.

What was most concerning in this attack was that the malicious apps that made it onto the Google Play store reportedly worked for their intended purposes—the PDF reader read PDFs, the file manager managed files. But hidden within the apps’ coding, users were actually downloading a set of instructions that directed their devices to install malware.

These malicious packages are sometimes called “malware droppers” as the apps “drop” malware onto a device at a later time.  

What does it all mean for me?

There’s a lot of technical machinery at work inside any Android banking trojan that is put in place to accomplish a rather simple end goal, which is stealing your money.

All the camouflage, subterfuge, and hidden code execution is part of a longer attack chain in which Android banking trojans steal your passwords and personally identifiable information, and then use that information to take your money.

As we wrote in the 2024 ThreatDown State of Malware report:

“Once it has accessibility permissions, the malware initializes its Automated TransferSystem (ATS) framework, a complex set of scripts and commands designed to perform automated banking transactions without user intervention. The ATS framework uses the harvested credentials to initiate unauthorized money transfers to accounts held by the attacker. This mimics real user behavior to bypass fraud detection systems.”

Staying safe from Android banking trojans

Protecting yourself from Android banking trojans is not as simple as, say, spotting grammatical mistakes in a phishing email or refusing to click any links sent in text messages from unknown numbers. But just because Android banking trojans are harder to detect by eye does not mean that they’re impossible to stop.

Malwarebytes Premium provides real-time protection to detect and stop Android banking trojans that are accidentally installed on your devices. It doesn’t matter if the banking trojan is simply a malicious app in a convenient package, or if the banking trojan is downloaded through a “malware dropper”—Malwarebytes Premium provides 24/7 cybersecurity coverage and stops dangerous attacks before they can be carried out.

---

We don’t just report on threats—we remove them

Cybersecurity risks should never spread beyond a headline. Keep threats off your devices by downloading Malwarebytes today.