Tag Archive for: bank

New Phishing Attack Delivers Keylogger Disguised as Bank Payment Notice


Mar 27, 2024 | Newsroom | Vulnerability / Cybercrime

A new phishing campaign has been observed leveraging a novel loader malware to deliver an information stealer and keylogger called Agent Tesla.

Trustwave SpiderLabs said it identified a phishing email bearing this attack chain on March 8, 2024. The message masquerades as a bank payment notification, urging the user to open an archive file attachment.

The archive (“Bank Handlowy w Warszawie – dowód wpłaty_pdf.tar.gz”) conceals a malicious loader that activates the procedure to deploy Agent Tesla on the compromised host.

“This loader then used obfuscation to evade detection and leveraged polymorphic behavior with complex decryption methods,” security researcher Bernard Bautista said in a Tuesday analysis.

“The loader also exhibited the capability to bypass antivirus defenses and retrieved its payload using specific URLs and user agents leveraging proxies to further obfuscate traffic.”

Embedding malware within seemingly benign files is a tactic threat actors have repeatedly employed to trick unsuspecting victims into triggering the infection sequence themselves.


The loader used in the attack is written in .NET. Trustwave found two distinct variants, each using a different decryption routine to access its configuration and ultimately retrieve the XOR-encoded Agent Tesla payload from a remote server.

In an effort to evade detection, the loader is also designed to bypass the Windows Antimalware Scan Interface (AMSI), the interface that lets security software scan files, memory, and other data for threats before they execute.

It achieves this by “patching the AmsiScanBuffer function to evade malware scanning of in-memory content,” Bautista explained.

The last phase involves decoding and executing Agent Tesla in memory, allowing the threat actors to stealthily exfiltrate sensitive data via SMTP using a compromised email account associated with a legitimate security system supplier in Turkey (“merve@temikan[.]com[.]tr”).

The approach, Trustwave said, not only does not raise any red flags, but also affords a layer of anonymity that makes it harder to trace the attack back to the adversary, not to mention save…

Source…

teiss – News – Ukraine’s largest mobile-only bank, Monobank, faces severe DDoS cyberattacks


Monobank, Ukraine's leading mobile-only bank, encountered a relentless wave of distributed denial-of-service (DDoS) attacks on January 21, severely disrupting its operations and causing widespread chaos.


Source…

Cybercriminals expand targeting of Iranian bank customers with known mobile malware


Researchers have uncovered more than 200 fake mobile apps that mimic major Iranian banks to steal information from their customers.

The campaign was first discovered in July of this year, but since then, the cybercriminals have expanded their capabilities, according to U.S.-based cybersecurity firm Zimperium.

Initially, the threat actor behind the campaign created 40 credential-harvesting apps imitating four major Iranian banks: Bank Mellat, Bank Saderat, Resalat Bank and the Central Bank of Iran.

These apps mimicked legitimate versions found on the popular Iranian marketplace Cafe Bazaar and were distributed through several phishing websites. The first campaign lasted from December 2022 until May 2023.

In the ongoing campaign detected by Zimperium, the hackers created malicious apps that now imitate 12 Iranian banks. Once installed, these apps also scan victims’ phones to find cryptocurrency wallet apps — an indication that they could be targeted in the future, researchers said.

The earlier versions of fake apps could steal banking login credentials and credit card information, intercept SMS traffic to steal one-time passwords used for authentication, and hide app icons to prevent uninstallation.

In the new campaign, the hackers added more capabilities to their malware to make it easier to harvest credentials and steal data. They also narrowed their focus to Xiaomi and Samsung devices for some of the malware's features, according to the report.

Other evidence suggests that the attackers are now likely working on a malware variant that targets iOS devices, the researchers said.

In addition to malicious apps, the same threat actor is linked to phishing attacks targeting customers of the same banks. “The phishing campaigns used are sophisticated, trying to mimic original sites in the closest detail,” researchers said. The data stolen by the phishing sites is sent to Telegram channels controlled by hackers.

It is not yet clear which threat actor is behind this campaign and how many users were affected by it.

Last week, researchers at Microsoft uncovered a similar information-stealing campaign targeting customers of Indian banks with mobile malware. The…

Source…

New ‘Octo’ malware tricks Android users into giving up bank details



Netsafe says it’s not aware of New Zealanders being tricked into giving up their bank details by a sophisticated new malware but it is possible they have without realising.

The ABC reported that Russian cyber criminals have targeted hundreds of bank customers across the Tasman with a malware called Octo.

The scam tricks Android phone users into sharing their banking information using fake log-in screens.

Netsafe’s chief online safety officer Sean Lyons said it was a “pretty nasty piece of malware”, as it not only attacked people’s bank accounts but shut down their phones, leaving them helpless to act.

Customers from 15 banks in Australia, including ANZ and Westpac, had fallen for the scam.

Australian consumer advocates had warned the nation was seen as a soft target.

But Lyons says that was misleading, as anyone could be a victim of cyber crime.

“The technology is ever changing, the technology is using the mechanisms that are out there, to become ever more sophisticated, to evolve, and to get past the tips and tricks that we have to stop ourselves falling for these,” he said.

“I don’t know that they’re necessarily looking for an age demographic …. really, they’re targeting people with bank accounts and that’s quite a lot of us.”

Octo targeted Android phones – brands such as Samsung, Google and HTC – and could be hidden in what look like legitimate apps on the Google Play store.

It could also be downloaded and installed directly from outside the Play store (sideloaded), which Android permits.

Lyons said people should be careful about the apps and software they download, since that is how Octo was getting onto phones.

“Perhaps we could be a little more careful in what it is that we download, and look a little more closely into what permissions we’re giving to the apps that we’re installing.”
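The permissions Lyons refers to are where the capabilities described in these two articles show up: the Iranian fake banking apps intercept SMS to steal one-time passwords and enumerate installed apps looking for crypto wallets, while Octo presents fake login screens over the real app. On Android those behaviours need specific permissions and component declarations, which are visible in the app's manifest before it is ever run. The Python below is an added example, not code from Zimperium, Netsafe or the ABC report, that triages a decoded AndroidManifest.xml (the text form produced by a tool such as apktool; a manifest inside an APK is binary XML and must be decoded first) for that combination. The watch-list and the two sample manifests are constructed for this example.

```python
import xml.etree.ElementTree as ET
from typing import Dict, List

ANDROID_NS = "{http://schemas.android.com/apk/res/android}"

# Constructed watch-list: capabilities typical of banking stealers. SMS access for
# OTP theft, overlays for fake login screens, package enumeration (wallet hunting),
# and the ability to pull in further packages.
RISKY_PERMISSIONS: Dict[str, str] = {
    "android.permission.RECEIVE_SMS": "intercept incoming SMS (one-time passcodes)",
    "android.permission.READ_SMS": "read stored SMS (one-time passcodes)",
    "android.permission.SYSTEM_ALERT_WINDOW": "draw over other apps (fake login screens)",
    "android.permission.QUERY_ALL_PACKAGES": "enumerate installed apps (e.g. crypto wallets)",
    "android.permission.REQUEST_INSTALL_PACKAGES": "install further packages (loader behaviour)",
}
ACCESSIBILITY_PERMISSION = "android.permission.BIND_ACCESSIBILITY_SERVICE"
SMS_RECEIVED_ACTION = "android.provider.Telephony.SMS_RECEIVED"


def triage_manifest(manifest_xml: str) -> Dict[str, object]:
    """Flag banking-stealer indicators in a decoded AndroidManifest.xml."""
    root = ET.fromstring(manifest_xml)
    findings: List[str] = []

    requested = {el.get(ANDROID_NS + "name", "") for el in root.iter("uses-permission")}
    for perm in sorted(requested & set(RISKY_PERMISSIONS)):
        findings.append(f"{perm}: {RISKY_PERMISSIONS[perm]}")

    # An accessibility service is declared by protecting a <service> with the bind
    # permission; such a service can read every screen and inject input.
    for svc in root.iter("service"):
        if svc.get(ANDROID_NS + "permission") == ACCESSIBILITY_PERMISSION:
            findings.append(f"accessibility service {svc.get(ANDROID_NS + 'name')}: can read and inject UI")

    # A receiver for SMS_RECEIVED with a high priority tries to see the OTP before
    # the user's real messaging app does.
    for rx in root.iter("receiver"):
        for flt in rx.iter("intent-filter"):
            actions = {a.get(ANDROID_NS + "name") for a in flt.iter("action")}
            if SMS_RECEIVED_ACTION in actions:
                prio = flt.get(ANDROID_NS + "priority", "0")
                findings.append(f"SMS_RECEIVED receiver {rx.get(ANDROID_NS + 'name')} (priority {prio})")

    sms_access = bool(requested & {"android.permission.RECEIVE_SMS", "android.permission.READ_SMS"})
    overlay = "android.permission.SYSTEM_ALERT_WINDOW" in requested
    return {
        "package": root.get("package"),
        "findings": findings,
        # OTP access plus a way to show a fake login page: treat as a probable stealer.
        "probable_banking_stealer": sms_access and overlay,
    }


# Constructed sample: what a fake banking app's decoded manifest might look like.
SAMPLE_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.fakebank">
  <uses-permission android:name="android.permission.INTERNET"/>
  <uses-permission android:name="android.permission.RECEIVE_SMS"/>
  <uses-permission android:name="android.permission.READ_SMS"/>
  <uses-permission android:name="android.permission.SYSTEM_ALERT_WINDOW"/>
  <uses-permission android:name="android.permission.QUERY_ALL_PACKAGES"/>
  <application>
    <service android:name=".A11y" android:permission="android.permission.BIND_ACCESSIBILITY_SERVICE"/>
    <receiver android:name=".SmsRx">
      <intent-filter android:priority="999">
        <action android:name="android.provider.Telephony.SMS_RECEIVED"/>
      </intent-filter>
    </receiver>
  </application>
</manifest>"""

# Constructed sample: a benign app that only needs network access.
BENIGN_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.notes">
  <uses-permission android:name="android.permission.INTERNET"/>
  <application/>
</manifest>"""


if __name__ == "__main__":
    for m in (SAMPLE_MANIFEST, BENIGN_MANIFEST):
        report = triage_manifest(m)
        print(report["package"], "probable stealer:", report["probable_banking_stealer"])
        for f in report["findings"]:
            print("  -", f)
```

Manifest triage is a first filter, not a verdict: a legitimate SMS app legitimately asks for RECEIVE_SMS, and newer Android versions restrict SMS and overlay permissions to specific app roles, which is part of why the reports note the criminals narrowing to particular device brands and moving towards accessibility abuse. The check is most useful for sideloaded APKs and for apps downloaded from third-party stores, where no platform review has happened at all.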

Source…