Posts

FantasyMW, a brazilian banking trojan

Update: This is apparently a rebrand of an existing malware family called GoatRat, now named FantasyMW. More details at: https://www.opencti.net.br/goatrat-ressurge-com-um-novo-nome-fantasymw-android-banking-trojan-40dbbba8e7d9

Sample seen in MalwareHunterTeam's tweet. The sample is written in Kotlin and was built on a Windows host, which can be inferred from the embedded source paths. At the time of the analysis the domains were not resolving. It seems to be a new or under-development banking trojan, as hinted by the path strings:

C:/Users/55119/Documents/NewBankingTrojan/production/app/src/main/java/com/fuck/thepolice/MainActivity.kt

This is not the first ITW sample from this developer. The first ITW sample was seen on 2023-06-06 13:25:28 UTC and uses a different development path:

C:/Users/nuke/Documents/FantasyMalware/BasicVersion/

The path differs from the latest spotted sample. Since this is a Brazilian malware, I chose to dub it Casanossolar f

MammothFraud, an eastern SMS stealer

The malware, dubbed MammothFraud after one of its logging strings, МАМОНТИЗАЦИЯ! ("mammothization"), checks for the android.permission.CALL_PHONE permission and that the SDK version is greater than 26. If both hold, it attempts to dial a USSD code to obtain the device's phone number, for example *111*0887# for the Russian provider MTS. When the permissions have not been granted by the user, it prompts the user with a message asking to allow them. The list also contains USSD codes for other telecom providers from Uzbekistan, Ukraine and Russia.

Permissions requested:
android.permission.CALL_PHONE
android.permission.READ_SMS
android.permission.READ_PHONE_STATE
android.permission.SEND_SMS
android.permission.RECEIVE_SMS
android.permission.POST_NOTIFICATIONS

If there are active SIM cards in the device, the sample registers broadcast receivers for specific SMS-related events and for shutdown events. It also verifies whether the following applications are insta

Zanubis updates with screenshot recording

As always, IOCs and targets at the end. Previous updates on this family: https://www.entdark.net/2022/09/zanubis-latam-banking-trojan.html

The latest Zanubis sample contains overall updates to the code. Among the most interesting is that the operators are shifting to recording the screen via the MediaProjection API and sending the recording back to the C2. The functionality is triggered over the socket with the command "iniciarVnc". The screen recording is stored as "RecordedVideo.mp4" in external storage.

Via accessibility it has also added code to copy text from the clipboard and to send keystrokes remotely. It also contains a method to simulate swipes given start and end coordinates, with the intention of controlling the victim's device. As of recent samples, it also sends users to a government site to check their debts on app startup.

IOCs:
SHA256: https://www.virustotal.com/gui/file/e756e44290ccf5f9d6864444bbd9044c2345c60a0352de572

SharkDBS IRC/FTP Bot

As always, IOCs at the end.

Characteristics:
Uses IRC and FTP to send data to the attacker.
Gets the victim's IP address via external services, querying ip2location until the connection to the service succeeds.
Gets the list of installed applications.
Sends SMS from the device.

Requests several permissions:
android.permission.INTERNET
android.permission.READ_EXTERNAL_STORAGE
android.permission.RECEIVE_BOOT_COMPLETED
android.permission.REBOOT
android.permission.CALL_PHONE
android.permission.READ_SMS
android.permission.READ_CONTACTS
android.permission.SEND_SMS
android.permission.WRITE_EXTERNAL_STORAGE
android.permission.READ_CALL_LOG
android.permission.SYSTEM_ALERT_WINDOW

Includes Spanish strings in the code, suggesting the actor is from a Spanish-speaking country. The IP address the DuckDNS domain serves the APK from is located in Spain.

Useful links:
VirusTotal Graph: https://www.virustotal.com/graph/embed/g1f66b84527234df186946867ace02cc1d175d8dd4bd045cf948261dd16565c7d
VirusTotal Collection: https://www.virusto
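The behaviors called out in the MammothFraud, Zanubis and SharkDBS excerpts above (full SMS permissions, CALL_PHONE combined with carrier USSD codes, MediaProjection screen capture, accessibility gesture injection, boot persistence and overlay permission) can be turned into a first-pass static triage check. The script below is an added example written for this page, not code from the blog or from any of the samples: it parses a decoded AndroidManifest.xml for the requested permissions, scans a string table (as dumped from classes.dex with strings or apktool) for USSD codes and API class names, and reports which capability profile the app matches. The manifest and string list are constructed for illustration, and the class-name markers are my own assumption of how those APIs appear in a DEX string dump.

```python
import re
import xml.etree.ElementTree as ET

ANDROID_NS = "{http://schemas.android.com/apk/res/android}"

# Permission set shared by the SMS stealers described above.
SMS_PERMS = {
    "android.permission.READ_SMS",
    "android.permission.RECEIVE_SMS",
    "android.permission.SEND_SMS",
}

# Carrier USSD codes look like *111*0887# (MTS RU) or *100#.
USSD_RE = re.compile(r"\*\d{2,4}(?:\*\d{1,6})*#")

# Substrings expected in a DEX string dump when the API is referenced.
# Assumption: class descriptors appear as e.g. "Landroid/media/projection/MediaProjection;".
API_MARKERS = {
    "screen_capture": ["android/media/projection/MediaProjection"],
    "accessibility_gestures": [
        "android/accessibilityservice/AccessibilityService",
        "dispatchGesture",
    ],
    "clipboard": ["android/content/ClipboardManager"],
}


def parse_permissions(manifest_xml):
    """Return the set of <uses-permission android:name="..."> values."""
    root = ET.fromstring(manifest_xml)
    names = (el.get(ANDROID_NS + "name") for el in root.iter("uses-permission"))
    return {n for n in names if n}


def find_ussd_codes(strings):
    """Collect every USSD-looking code from an iterable of strings, sorted."""
    codes = set()
    for s in strings:
        codes.update(USSD_RE.findall(s))
    return sorted(codes)


def find_api_markers(strings):
    """Map capability -> markers from API_MARKERS present in the string dump."""
    hits = {}
    for capability, markers in API_MARKERS.items():
        seen = [m for m in markers if any(m in s for s in strings)]
        if seen:
            hits[capability] = seen
    return hits


def triage(manifest_xml, strings):
    """Combine manifest permissions and string markers into named findings."""
    perms = parse_permissions(manifest_xml)
    ussd = find_ussd_codes(strings)
    apis = find_api_markers(strings)
    findings = []
    if SMS_PERMS <= perms:
        findings.append("read/receive/send SMS: SMS stealer profile")
    if "android.permission.CALL_PHONE" in perms and ussd:
        findings.append("CALL_PHONE with USSD codes: phone-number enumeration via carrier USSD")
    if "android.permission.SYSTEM_ALERT_WINDOW" in perms:
        findings.append("SYSTEM_ALERT_WINDOW: overlay capability")
    if "android.permission.RECEIVE_BOOT_COMPLETED" in perms:
        findings.append("RECEIVE_BOOT_COMPLETED: persistence across reboot")
    if "screen_capture" in apis:
        findings.append("MediaProjection: screen recording")
    if "accessibility_gestures" in apis:
        findings.append("AccessibilityService gesture dispatch: remote device control")
    return {
        "permissions": sorted(perms),
        "ussd_codes": ussd,
        "api_markers": apis,
        "findings": findings,
    }


# Constructed sample input modelled on the MammothFraud permission list and
# the Zanubis capabilities; not the real manifest or strings of either sample.
SAMPLE_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.triage">
  <uses-permission android:name="android.permission.CALL_PHONE"/>
  <uses-permission android:name="android.permission.READ_SMS"/>
  <uses-permission android:name="android.permission.READ_PHONE_STATE"/>
  <uses-permission android:name="android.permission.SEND_SMS"/>
  <uses-permission android:name="android.permission.RECEIVE_SMS"/>
  <application android:label="triage"/>
</manifest>"""

SAMPLE_STRINGS = [
    "МАМОНТИЗАЦИЯ!",
    "*111*0887#",
    "Landroid/media/projection/MediaProjection;",
    "Landroid/accessibilityservice/AccessibilityService;",
    "dispatchGesture",
]

if __name__ == "__main__":
    import json
    print(json.dumps(triage(SAMPLE_MANIFEST, SAMPLE_STRINGS), indent=2, ensure_ascii=False))
```

Feed it an apktool-decoded manifest and the output of strings on classes.dex. Legitimate dialer, carrier and remote-support apps will trigger some of the same findings, so treat the output as triage hints that decide what to reverse next, not as a verdict.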