Technology NewsNew Hook Malware with RAT Capabilities Emerges

New Hook Malware with RAT Capabilities Emerges

-


Jan 19, 2023Ravie LakshmananMobile Security / Android

New Hook Malware with RAT Capabilities Emerges

The threat actor behind the BlackRock and ERMAC Android banking trojans has unleashed yet another malware for rent called Hook that introduces new capabilities to access files stored in the devices and create a remote interactive session.

ThreatFabric, in a report shared with The Hacker News, characterized Hook as a novel ERMAC fork that’s advertised for sale for $7,000 per month while featuring “all the capabilities of its predecessor.”

“In addition, it also adds to its arsenal Remote Access Tooling (RAT) capabilities, joining the ranks of families such as Octo and Hydra, which are capable performing a full Device Take Over (DTO), and complete a full fraud chain, from PII exfiltration to transaction, with all the intermediate steps, without the need of additional channels,” the Dutch cybersecurity firm said.

A majority of the financial apps targeted by the malware are located in the U.S., Spain, Australia, Poland, Canada, Turkey, the U.K., France, Italy, and Portugal.

Hook is the handiwork of a threat actor known as DukeEugene and represents the latest evolution of ERMAC, which was first disclosed in September 2021 and is based on another trojan named Cerberus that had its source code leaked in 2020.

“Ermac has always been behind Hydra and Octo in terms of capabilities and features,” ThreatFabric researcher Dario Durando told The Hacker News via email. “This is also known among threat actors, who prefer these two families above Ermac.”

Hook Malware

“The lack of some sort of RAT capabilities is a major issue for a modern Android Banker, as it does not provide the possibility to perform Device Take Over (DTO), which is the fraud methodology that is most likely to be successful and not detected by fraud scoring engines or fraud analysts. This is most likely what triggered the development of this new malware variant.”

Like other Android malware of its ilk, the malware abuses Android’s accessibility services APIs to conduct overlay attacks and harvest all kinds of sensitive information such as contacts, call logs, keystrokes, two-factor authentication (2FA) tokens, and even WhatsApp messages.

It also sports an expanded list of apps to include ABN AMRO and Barclays, while the malicious samples themselves masquerade as the Google Chrome web browser to dupe unsuspecting users into downloading the malware:

  • com.lojibiwawajinu.guna
  • com.damariwonomiwi.docebi
  • com.yecomevusaso.pisifo

Among the other major features to be added to Hook is the ability to remotely view and interact with the screen of the infected device, obtain files, extract seed phrases from crypto wallets, and track the phone’s location, blurring the line between spyware and banking malware.

ThreatFabric said the Hook artifacts observed so far in a testing phase, but noted it could be delivered via phishing campaigns, Telegram channels, or in the form of Google Play Store dropper apps.

“The main drawback of creating a new malware is usually gaining enough trust by other actors, but with the status of DukeEugene among criminals, it is very likely that this will not be an issue for Hook,” Durando said.

Found this article interesting? Follow us on Twitter and LinkedIn to read more exclusive content we post.



LEAVE A REPLY

Please enter your comment!
Please enter your name here

Latest news

How to know that you have to buy a new mobile phone

Despite the fact that smartphones can perfectly last several years being functional today, there are a series of...

எந்த வயதில் மக்கள் குறைவாக தூங்குகிறார்கள்?

ஆய்வில் பங்கேற்றவர்களில் இளையவர் (வயது 19) அதிகம் தூங்குவதாகவும் ஆய்வில் கண்டறியப்பட்டுள்ளது.இருந்து ஆராய்ச்சியாளர்கள் நடத்திய புதிய ஆய்வு லண்டன் பல்கலைக்கழக கல்லூரிதி கிழக்கு ஆங்கிலியா...

MSI laptops with NVIDIA GeForce RTX 4000 graphics – report from the premiere event in Warsaw

At this year's CES in Las Vegas, NVIDIA presented the new generation of GeForce RTX 4000 mobile graphics...

New Wave of Ransomware Attacks Exploiting VMware Bug to Target ESXi Servers

Feb 04, 2023Ravie LakshmananEnterprise Security / Ransomware VMware ESXi hypervisors are the target of a new wave of attacks...

MSI laptops with NVIDIA GeForce RTX 4000 graphics – report from the premiere event in Warsaw

At this year's CES in Las Vegas, NVIDIA presented the new generation of GeForce RTX 4000 mobile graphics...

New Wave of Ransomware Attacks Exploiting VMware Bug to Target ESXi Servers

Feb 04, 2023Ravie LakshmananEnterprise Security / Ransomware VMware ESXi hypervisors are the target of a new wave of attacks...

Must read

OnePlus 10T 5G (Moonstone Black, 8GB RAM, 128GB Storage)

Price: (as of - Details) OnePlus 10T 5G...

Visa Card Swiggy Offer – Claim ₹100 Free Swiggy Gift Vouchers

Visa Card Swiggy Offer Visa Card Swiggy Loot...