Carding
The new Android banking Trojan MMRat uses an interesting method to steal and transfer victim data to attackers. In particular, the use of the Protobuf protocol to serialize compromised information is noteworthy.
MMRat first came to the attention of researchers from Trend Micro at the end of June 2023. Remarkably, the malicious application was not detected by anti-virus engines on sites like VirusTotal.
According to experts, MMRat is distributed through websites disguised as legitimate Android app stores. The Trojan usually infiltrates a device under the guise of government services or online dating software.
Like much similar malware, MMRat requests access to the operating system's accessibility features (Accessibility Services), which should immediately alert the user.
Once the Trojan has landed on a smartphone, it establishes a connection with the command and control server (C2) and starts monitoring the activity of the mobile device in order to determine when the device is idle.
During such idle windows, MMRat wakes the device remotely (using the Accessibility Service), unlocks the display, and attempts to make unauthorized money transfers.
What MMRat can do:
- Collect network, screen and battery data;
- Extract the list of the user's contacts and installed programs;
- Perform the functions of a keylogger;
- Record everything that happens on the screen through the MediaProjection API;
- Record and even stream video from the smartphone camera;
- Transfer victim data to the command and control server;
- Uninstall itself and clean up all traces.
The Trojan attack chain looks like this:
To transmit compromised information efficiently, the authors of MMRat chose the Protobuf protocol, which is rare among similar Trojans. Protobuf (Protocol Buffers) is a format developed by Google for serializing structured data, similar in purpose to XML and JSON.
Interestingly, HTTP on port 8080 is used to transfer stolen information, RTSP on port 8554 is used for video streaming, and a custom Protobuf protocol on port 8887 is used to exchange data with the C2.
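Because the C2 traffic is Protobuf rather than JSON or XML, an analyst looking at a captured payload sees opaque binary with no field names. The Protobuf wire format, however, is self-describing enough to be walked without the schema: each field is a varint tag (field number and wire type) followed by a varint, a fixed-width value or a length-prefixed blob. The script below is an added example written for this post, not code from Trend Micro or from the malware; it implements that raw decoding from the public wire-format specification. The sample message it decodes is constructed here, and its field numbers and contents are an assumption shaped like a generic "device status" report, not MMRat's actual schema.

```python
# Schema-less decoder for the Protobuf wire format (added example, not from the
# original post). Useful for triaging an unknown binary C2 payload: it recovers
# field numbers, wire types and nested messages without a .proto file.
from typing import List, Tuple, Union

Value = Union[int, bytes]
Field = Tuple[int, int, Value]  # (field_number, wire_type, value)

def read_varint(buf: bytes, pos: int) -> Tuple[int, int]:
    """Decode a base-128 varint starting at buf[pos]; return (value, new_pos)."""
    result, shift = 0, 0
    while True:
        if pos >= len(buf):
            raise ValueError("truncated varint")
        b = buf[pos]
        pos += 1
        result |= (b & 0x7F) << shift
        if not b & 0x80:
            return result, pos
        shift += 7
        if shift > 63:
            raise ValueError("varint too long")

def decode_raw(buf: bytes) -> List[Field]:
    """Walk a message and return (field_no, wire_type, value) triples."""
    fields: List[Field] = []
    pos = 0
    while pos < len(buf):
        tag, pos = read_varint(buf, pos)
        field_no, wire_type = tag >> 3, tag & 0x7
        if field_no == 0:
            raise ValueError(f"invalid field number 0 at offset {pos}")
        if wire_type == 0:            # varint (int32/int64/bool/enum)
            value, pos = read_varint(buf, pos)
        elif wire_type == 1:          # 64-bit fixed (fixed64/double)
            if pos + 8 > len(buf):
                raise ValueError("truncated fixed64")
            value = int.from_bytes(buf[pos:pos + 8], "little")
            pos += 8
        elif wire_type == 2:          # length-delimited (string/bytes/submessage)
            length, pos = read_varint(buf, pos)
            if pos + length > len(buf):
                raise ValueError("truncated length-delimited field")
            value = buf[pos:pos + length]
            pos += length
        elif wire_type == 5:          # 32-bit fixed (fixed32/float)
            if pos + 4 > len(buf):
                raise ValueError("truncated fixed32")
            value = int.from_bytes(buf[pos:pos + 4], "little")
            pos += 4
        else:                         # groups (3/4) are deprecated; 6/7 are invalid
            raise ValueError(f"unsupported wire type {wire_type} at offset {pos}")
        fields.append((field_no, wire_type, value))
    return fields

def looks_like_protobuf(buf: bytes) -> bool:
    """Cheap heuristic for triage: the bytes parse as a clean sequence of fields."""
    try:
        return bool(decode_raw(buf))
    except ValueError:
        return False

# --- constructed sample (not a real MMRat message) -------------------------
def encode_varint(n: int) -> bytes:
    out = bytearray()
    while True:
        b = n & 0x7F
        n >>= 7
        out.append(b | 0x80 if n else b)
        if not n:
            return bytes(out)

def encode_field(field_no: int, value: Value) -> bytes:
    """Encode an int as a varint field or bytes as a length-delimited field."""
    if isinstance(value, int):
        return encode_varint(field_no << 3 | 0) + encode_varint(value)
    return encode_varint(field_no << 3 | 2) + encode_varint(len(value)) + value

# Assumed layout: 1 = battery percent, 2 = network type, 3 = nested app entry.
SAMPLE = (
    encode_field(1, 87)
    + encode_field(2, b"wifi")
    + encode_field(3, encode_field(1, b"com.example.app") + encode_field(2, 1))
)

if __name__ == "__main__":
    for field_no, wire_type, value in decode_raw(SAMPLE):
        print(field_no, wire_type, value)
    print("nested:", decode_raw(decode_raw(SAMPLE)[2][2]))
    print("JSON looks like protobuf?", looks_like_protobuf(b'{"battery":87}'))
```

A length-delimited field can be a string, raw bytes or a submessage, and the wire format does not say which; the usual approach is to try `decode_raw` on the blob and treat it as nested if it parses. The `looks_like_protobuf` heuristic is deliberately weak (short ASCII strings sometimes parse by accident) and is meant for triage, not as a detection signature.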
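On the network side, no single port above is suspicious on its own (8080 in particular is everywhere), but the post describes one device talking to its C2 over three distinct channels: HTTP on 8080, RTSP on 8554 and custom Protobuf on 8887. Correlating those per source/destination pair is a more useful detection than a port match. The script below is an added example, not tooling from the original post or from Trend Micro; it runs that correlation over a constructed flow log in a simple one-line-per-flow format assumed here (a real deployment would read Zeek `conn.log` or NetFlow records instead). The IP addresses are documentation ranges, not indicators.

```python
# Correlate the three MMRat-style ports per (source, destination) pair in a flow
# log. Added example; the log format and addresses below are constructed.
import re
from collections import defaultdict
from typing import Dict, List, Set, Tuple

# Ports and roles as described in the write-up.
MMRAT_PORTS = {8080: "http-exfil", 8554: "rtsp-stream", 8887: "protobuf-c2"}

# Assumed flow-log line shape: "<timestamp> <src> -> <dst>:<dport> <proto>"
LOG_RE = re.compile(
    r"^(?P<ts>\S+)\s+(?P<src>\d{1,3}(?:\.\d{1,3}){3})\s+->\s+"
    r"(?P<dst>\d{1,3}(?:\.\d{1,3}){3}):(?P<dport>\d+)\s+(?P<proto>\w+)$"
)

# Constructed sample: one handset (10.0.0.5) hits all three ports on the same
# remote host; another client only uses a web proxy on 8080.
SAMPLE_FLOWS = """\
2023-06-30T10:00:01Z 10.0.0.5 -> 203.0.113.10:8887 tcp
2023-06-30T10:00:02Z 10.0.0.5 -> 93.184.216.34:443 tcp
2023-06-30T10:00:09Z 10.0.0.7 -> 198.51.100.4:8080 tcp
2023-06-30T10:05:40Z 10.0.0.5 -> 203.0.113.10:8080 tcp
2023-06-30T10:06:12Z 10.0.0.5 -> 203.0.113.10:8554 tcp
this line is garbage and must be skipped
2023-06-30T10:06:30Z 10.0.0.5 -> 203.0.113.10:8887 tcp
"""

Flow = Tuple[str, str, int]

def parse_flows(text: str) -> List[Flow]:
    """Return (src, dst, dport) for every well-formed line; skip the rest."""
    flows: List[Flow] = []
    for line in text.splitlines():
        m = LOG_RE.match(line.strip())
        if m:
            flows.append((m["src"], m["dst"], int(m["dport"])))
    return flows

def correlate(flows: List[Flow], min_hits: int = 2) -> List[Dict[str, object]]:
    """Alert when one src/dst pair uses at least min_hits of the three ports."""
    by_pair: Dict[Tuple[str, str], Set[int]] = defaultdict(set)
    for src, dst, dport in flows:
        if dport in MMRAT_PORTS:
            by_pair[(src, dst)].add(dport)
    alerts: List[Dict[str, object]] = []
    for (src, dst), ports in sorted(by_pair.items()):
        if len(ports) >= min_hits:
            ordered = sorted(ports)
            alerts.append({
                "src": src,
                "dst": dst,
                "ports": ordered,
                "roles": [MMRAT_PORTS[p] for p in ordered],
            })
    return alerts

if __name__ == "__main__":
    for alert in correlate(parse_flows(SAMPLE_FLOWS)):
        print(f"{alert['src']} -> {alert['dst']}: {alert['ports']} {alert['roles']}")
```

The threshold of two ports is a tuning knob: at `min_hits=1` the benign proxy client on 8080 also fires, which is exactly the false-positive a bare port rule would produce. Pairing the alert with the on-device signals from the post (an unknown app holding Accessibility Services and MediaProjection permissions) is what makes it actionable.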