Jul 30 2021

Android Banking Trojan Vultur uses screen recording for credentials stealing

Category: Trojan | DISC @ 11:15 pm

Experts spotted a new strain of Android banking Trojan, dubbed Vultur, that uses screen recording and keylogging to capture login credentials.

ThreatFabric researchers discovered a new Android banking Trojan, tracked as Vultur, that uses screen recording and keylogging to capture login credentials.

Vultur was first spotted in late March 2021. It gains full visibility on victims’ devices via a VNC (Virtual Network Computing) implementation taken from AlphaVNC.

“For the first time we are seeing an Android banking trojan that has screen recording and keylogging as main strategy to harvest login credentials in an automated and scalable way. The actors chose to steer away from the common HTML overlay strategy we usually see in other Android banking Trojans: this approach usually requires more time and effort from the actors in order to steal relevant information from the user. Instead, they chose to simply record what is shown on the screen, effectively obtaining the same end result,” reads the analysis published by ThreatFabric.

Most of the apps targeted by Vultur belong to banks in Italy, Australia and Spain. Experts discovered a link with a popular dropper framework called Brunhilda.


Tags: Banking Trojan, credentials stealing


Jun 14 2021

SEO poisoning campaign aims at delivering RAT, Microsoft warns

Category: Trojan | DISC @ 1:04 pm

Microsoft spotted a series of attacks that use SEO poisoning to deliver a remote access trojan (RAT) used by threat actors to steal sensitive data.

Microsoft is monitoring a wave of cyber attacks that leverages SEO poisoning to deliver a remote access trojan (RAT) to steal sensitive data from the infected systems.

The IT giant revealed that the SEO poisoning technique is effective: its Microsoft Defender Antivirus has thousands of PDF documents delivered as part of the ongoing campaign.

Upon opening the PDF files, users are prompted to download a .doc file or a .pdf version of their desired info. Once they click the links, users are redirected through 5 to 7 sites with TLDs like .site, .tk, and .ga. The sites appear as clones of Google Drive web pages used to serve the SolarMarker malware.

Microsoft experts noticed that the PDF files are hosted primarily on Amazon Web Services and Strikingly.


Tags: remote access trojan (RAT)


May 20 2021

Bizarro Banking Trojan

Category: Trojan | DISC @ 9:33 am


May 06 2021

A taste of the latest release of QakBot

Category: Trojan | DISC @ 7:59 am

one of the most popular and mediatic trojan bankers active since 2007.

The malware QakBot, also known as Qbot, Pinkslipbot, and Quakbot, is a banking trojan that has been making headlines since 2007. This piece of malware is focused on stealing banking credentials and victims’ secrets using different techniques, tactics and procedures (TTPs), which have evolved over the years, including its delivery mechanisms, C2 techniques, and anti-analysis and reversing features.

Emotet is known as the most popular threat distributing QakBot in the wild. Nonetheless, Emotet has been taken down recently, and QakBot operators are using specially targeted campaigns to disseminate this threat around the globe.


Apr 13 2021

Son of Stuxnet? Iran Nuke Site Hacked ‘by Israel’ (Again)

Category: Malware, Trojan | DISC @ 4:08 pm

What’s the craic? Aunty Beeb’s anonymous scribblers sit back and wonder why—“Iran says key Natanz nuclear facility hit by sabotage”:

The country’s top nuclear official Ali Akbar Salehi, did not say who was to blame for the “terrorist act”, which caused a power failure a day after it unveiled new uranium enrichment equipment. Israeli public media, however, cited intelligence sources who said it was the result of an Israeli cyber-attack.


On Saturday, Iran’s President Hassan Rouhani inaugurated new centrifuges at the Natanz site in a ceremony that was broadcast live. It represented another breach of the country’s undertakings in the 2015 deal, which only permits Iran to produce and store limited quantities of enriched uranium. [The] deal, known as the Joint Comprehensive Plan of Action (JCPOA), has been in intensive care since Donald Trump pulled the US out of it.


Later state TV read out a statement by Atomic Energy Organisation of Iran (AEOI) head Ali Akbar Salehi, in which he described the incident as “sabotage” and “nuclear terrorism.” Last July, sabotage was blamed for a fire at the Natanz site which hit a central centrifuge assembly workshop.

Thorn in my side? Ronen Bergman, Rick Gladstone, Farnaz Fassihi, David E. Sanger, Eric Schmitt, Lara Jakes, Gerry Mullany and Patrick Kingsley tag-team thuswise—“Blackout Hits Iran Nuclear Site in What Appears to Be Israeli Sabotage”:

[The] power failure appeared to have been caused by a deliberately planned explosion. American and Israeli intelligence officials said there had been an Israeli role. Two intelligence officials briefed on the damage said it had been caused by a large explosion that completely destroyed the power system that supplies the underground centrifuges.


The officials, who spoke on the condition of anonymity to describe a classified Israeli operation, said that the explosion had dealt a severe blow to Iran’s ability to enrich uranium and that it could take at least nine months to [recover]. Some Iranian experts dismissed initial speculation that a cyberattack could have caused the power loss.


The United States and Israel have a history of covert collaboration, dating to the administration of President George W. Bush, to disrupt Iran’s nuclear program. The best-known operation under this collaboration was a cyberattack disclosed during the Obama administration that disabled nearly 1,000 centrifuges at Natanz.

Source: Son of Stuxnet? Iran Nuke Site Hacked ‘by Israel’ (Again)

Tags: Stuxnet


Mar 07 2021

Poison packages – “Supply Chain Risks” user hits Python community with 4000 fake modules

Category: App Security, Trojan | DISC @ 6:44 pm

If you’ve ever used the Python programming language, or installed software written in Python, you’ve probably used PyPI, even if you didn’t realize it at the time.

PyPI is short for the Python Package Index, and it currently contains just under 300,000 open source add-on modules (290,614 of them when we checked [2021-03-07T00:10Z]).

You can download and install any of these modules automatically just by issuing a command such as pip install [nameofpackage], or by letting a software installer fetch the missing components for you.

Crooks sometimes Trojanise the repository of a legitimate project, typically by guessing or cracking the password of a package owner’s account, or by helpfully but dishonestly offering to “assist” with a project that the original owner no longer has time to look after.

Once the fake version is uploaded to the genuine repository, users of the now-hacked package automatically get infected as soon as they update to the new version, which works just as it did before, except that it includes hidden malware for the crooks to exploit.

Another trick involves creating Trojanised public versions of private packages that the attacker knows are used internally by a software company.

more on: Poison packages

Tags: Poison packages, Python


Jun 03 2020

RATs 101: The Grimy Trojans That Scurry Through Remote Access Pipes

Category: Trojan | DISC @ 2:09 pm

Remote Access Trojans (RATs) can be the beginning of very bad things on your network or workstations.

Source: RATs 101: The Grimy Trojans That Scurry Through Remote Access Pipes

Remote access trojans (RATs) may not induce the same sort of nightmares as angry cannibal rats, but they can still be terror-inducing if they hit your network and workstations. Because there’s nothing like turning control of your resources over to someone you don’t know to make the job of IT security completely rat-tastic.



How easy is it to RAT Someone?
https://www.youtube.com/watch?v=t4CRx-aoynU








Jun 19 2019

Hackers Disguise New JavaScript-Based Trojan as Game Cheat

Category: Trojan | DISC @ 10:06 am

Researchers discovered a new JavaScript-based and modular downloader Trojan camouflaged and distributed to targets in the form of game cheats via websites owned by its developers.

Source: Hackers Disguise New JavaScript-Based Trojan as Game Cheat

Worst JavaScript Flaws That Hackers Love To Abuse