Jan 19, 2023Ravie Lakshmanan
The threat actor behind the BlackRock[1]
and ERMAC[2]
Android banking trojans has unleashed yet another malware for rent
called Hook that introduces new capabilities to
access files stored in the devices and create a remote interactive
session.
ThreatFabric, in a report[3]
shared with The Hacker News, characterized Hook as a novel ERMAC
fork that’s advertised for sale for $7,000 per month while
featuring “all the capabilities of its predecessor.”
“In addition, it also adds to its arsenal Remote Access Tooling
(RAT) capabilities, joining the ranks of families such as Octo[4]
and Hydra[5], which are capable
performing a full Device Take Over (DTO), and complete a full fraud
chain, from PII exfiltration to transaction, with all the
intermediate steps, without the need of additional channels,” the
Dutch cybersecurity firm said.
A majority of the financial apps targeted by the malware are
located in the U.S., Spain, Australia, Poland, Canada, Turkey, the
U.K., France, Italy, and Portugal.
Hook is the handiwork of a threat actor known as DukeEugene and
represents the latest evolution of ERMAC, which was first disclosed
in September 2021 and is based on another trojan named Cerberus[6]
that had its source code leaked in 2020.
“Ermac has always been behind Hydra and Octo in terms of
capabilities and features,” ThreatFabric researcher Dario Durando
told The Hacker News via email. “This is also known among threat
actors, who prefer these two families above Ermac.”
“The lack of some sort of RAT capabilities is a major issue for
a modern Android Banker, as it does not provide the possibility to
perform Device Take Over (DTO), which is the fraud methodology that
is most likely to be successful and not detected by fraud scoring
engines or fraud analysts. This is most likely what triggered the
development of this new malware variant.”
Like other Android malware of its ilk, the malware abuses
Android’s accessibility services APIs to conduct overlay attacks[7]
and harvest all kinds of sensitive information such as contacts,
call logs, keystrokes, two-factor authentication (2FA) tokens, and
even WhatsApp messages.
It also sports an expanded list of apps to include ABN AMRO and
Barclays, while the malicious samples themselves masquerade as the
Google Chrome web browser to dupe unsuspecting users into
downloading the malware:
- com.lojibiwawajinu.guna
- com.damariwonomiwi.docebi
- com.yecomevusaso.pisifo
Among the other major features to be added to Hook is the
ability to remotely view and interact with the screen of the
infected device, obtain files, extract seed phrases from crypto
wallets, and track the phone’s location, blurring the line between
spyware and banking malware[8].
ThreatFabric said the Hook artifacts observed so far in a
testing phase, but noted it could be delivered via phishing
campaigns, Telegram channels, or in the form of Google Play Store
dropper apps.
“The main drawback of creating a new malware is usually gaining
enough trust by other actors, but with the status of DukeEugene
among criminals, it is very likely that this will not be an issue
for Hook,” Durando said.
Found this article interesting? Follow us on Twitter [9]
and LinkedIn[10] to read more exclusive
content we post.
References
- ^
BlackRock
(thehackernews.com) - ^
ERMAC
(thehackernews.com) - ^
report
(www.threatfabric.com) - ^
Octo
(thehackernews.com) - ^
Hydra
(thehackernews.com) - ^
Cerberus
(thehackernews.com) - ^
overlay
attacks (thehackernews.com) - ^
spyware
and banking malware (thehackernews.com) - ^
Twitter
(twitter.com) - ^
LinkedIn
(www.linkedin.com)
Read more https://thehackernews.com/2023/01/android-users-beware-new-hook-malware.html