40 new versions of the Trojan with improved features continue to march through users' devices.
Zimperium has discovered 40 new versions of the TrickMo banking trojan, which has received features to evade detection and steal data.
Despite the lack of official indicators of compromise (IoC), experts identified 40 new versions of the program, including 16 droppers and 22 active C2 servers, as well as additional functionality. The analysis showed that many of the samples go unnoticed by the general public.
Features of the malware:
- interception of one-time passwords (OTP);
- screen recording;
- data theft;
- remote control;
- automatically grant permissions and automatically click on requests;
- abuse of Accessibility Services;
- displaying overlays and stealing credentials.
Such features allow malware to access any information on the device, which can lead to unauthorized access to bank accounts and financial transactions without the knowledge of the device owner.
In addition to these features, researchers have discovered a new mechanism that allows attackers to steal a device's patterns or PINs. The malware displays a fake unlock interface that mimics the real screen of the device. When the user enters a pattern or PIN, this data, along with the device ID, is transmitted to a remote server.
The phishing interface is an HTML page hosted on an external website and displayed in full-screen mode on the device, making it look like a real screen.
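The capabilities listed above (OTP interception, overlays, accessibility abuse, dropper behaviour) each depend on a permission or setting that is visible to a defender with a USB-debugging connection to the device. The triage helper below is an added example written for this post, not code from Zimperium or from the original article; it parses offline copies of the output of two real commands, `adb shell dumpsys package packages` and `adb shell settings get secure enabled_accessibility_services`, and flags sideloaded apps that combine two or more of the abused capabilities. The sample output embedded in the block is constructed (the package names `com.example.bank` and `com.update.flash` are invented), and the mapping from Android permission names to TrickMo features is our reading of the report, not an indicator published by the researchers.

```python
"""Triage helper: flag sideloaded Android apps that combine the permissions
TrickMo-style banking trojans abuse. Example code for this post; the adb
commands named in comments are real, the sample output below is constructed."""
import re
from dataclasses import dataclass, field
from typing import Dict, Optional, Set

# Android permission names are real; the capability labels are our mapping
# onto the features the report lists.
PERMISSION_FLAGS = {
    "android.permission.RECEIVE_SMS": "OTP interception",
    "android.permission.READ_SMS": "OTP interception",
    "android.permission.SYSTEM_ALERT_WINDOW": "overlays / fake unlock screen",
    "android.permission.REQUEST_INSTALL_PACKAGES": "dropper behaviour",
}

# Installers that count as "from a store"; anything else (including null,
# i.e. an APK installed from a link) is treated as sideloaded.
STORE_INSTALLERS = {"com.android.vending"}


@dataclass
class AppFacts:
    package: str
    installer: Optional[str]
    permissions: Set[str] = field(default_factory=set)


def parse_dumpsys_packages(text: str) -> Dict[str, AppFacts]:
    """Parse the 'Package [name]' blocks of `adb shell dumpsys package packages`."""
    apps: Dict[str, AppFacts] = {}
    current: Optional[AppFacts] = None
    for line in text.splitlines():
        m = re.match(r"\s*Package \[([\w.]+)\]", line)
        if m:
            current = AppFacts(package=m.group(1), installer=None)
            apps[current.package] = current
            continue
        if current is None:
            continue
        m = re.match(r"\s*installerPackageName=(\S+)", line)
        if m:
            current.installer = None if m.group(1) == "null" else m.group(1)
            continue
        m = re.match(r"\s*(android\.permission\.[A-Z_]+)", line)
        if m:
            current.permissions.add(m.group(1))
    return apps


def parse_enabled_accessibility(setting: str) -> Set[str]:
    """Parse `adb shell settings get secure enabled_accessibility_services`:
    a colon-separated list of 'package/service' component names, or 'null'."""
    if not setting or setting.strip() == "null":
        return set()
    return {c.split("/")[0] for c in setting.strip().split(":") if c}


def triage(dumpsys_text: str, accessibility_setting: str) -> Dict[str, list]:
    """Return {package: [reasons]} for sideloaded apps that combine at least
    two of the abused capabilities."""
    apps = parse_dumpsys_packages(dumpsys_text)
    a11y_packages = parse_enabled_accessibility(accessibility_setting)
    findings: Dict[str, list] = {}
    for pkg, facts in apps.items():
        reasons = {PERMISSION_FLAGS[p] for p in facts.permissions if p in PERMISSION_FLAGS}
        if pkg in a11y_packages:
            reasons.add("accessibility service enabled")
        sideloaded = facts.installer not in STORE_INSTALLERS
        if sideloaded and len(reasons) >= 2:
            findings[pkg] = sorted(reasons)
    return findings


# Constructed sample: one store-installed banking app, one sideloaded "update".
SAMPLE_DUMPSYS = """\
Packages:
  Package [com.example.bank] (1a2b3c):
    userId=10150
    installerPackageName=com.android.vending
    requested permissions:
      android.permission.INTERNET
      android.permission.USE_BIOMETRIC
  Package [com.update.flash] (4d5e6f):
    userId=10231
    installerPackageName=null
    requested permissions:
      android.permission.INTERNET
      android.permission.RECEIVE_SMS
      android.permission.SYSTEM_ALERT_WINDOW
      android.permission.REQUEST_INSTALL_PACKAGES
    install permissions:
      android.permission.INTERNET: granted=true
"""
SAMPLE_A11Y = "com.update.flash/com.update.flash.ClickService:com.android.talkback/.TalkBackService"

if __name__ == "__main__":
    for pkg, reasons in triage(SAMPLE_DUMPSYS, SAMPLE_A11Y).items():
        print(f"{pkg}: {', '.join(reasons)}")
```

Run against a real device by piping the two adb commands' output into `triage()`; a legitimate screen reader such as TalkBack only shows up if it is also sideloaded and holds SMS or overlay permissions, which is the combination worth a closer look rather than any single permission on its own.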
During the analysis, several C2 servers were accessed, where files with data on approximately 13,000 unique IP addresses of TrickMo victims were found. The main targets of the attacks were Canada, the UAE, Turkey and Germany. The list of IP addresses is regularly updated when malware steals new credentials. The total number of compromised devices is in the millions, and the volume of stolen data includes not only banking information, but also data for accessing corporate resources – VPNs and internal services.
TrickMo is currently being spread through phishing, so to minimize the chances of infection, don't download APKs from links sent via SMS or private messages by people you don't know.
Source