HookBot Malware Use Overlay Attacks Impersonate As Popular Brands To Steal Data


The HookBot malware family employs overlay attacks to trick users into revealing sensitive information by impersonating various brands and apps to gain trust. It also utilizes C2 servers to receive updates and evolve continuously. 

A builder tool empowers threat actors to create custom HookBot apps as the malware is often distributed through Telegram, where it’s sold at varying prices, indicating a competitive market for such tools. 

HookBot, a mobile banking Trojan, infiltrates Android devices by masquerading as legitimate apps, which, sourced from unofficial channels or bypassing Google Play store security, establish covert communication with a C2 server. 

– Advertisement –
SIEM as a Service
App overlay mimicking Airbnb login screen. App overlay mimicking Airbnb login screen. 
App overlay mimicking Airbnb login screen. 

Once installed, HookBot extracts sensitive user data, including banking credentials and PII, employing techniques like app overlays and device surveillance.

This data is then transmitted to the C2 server, facilitating financial fraud and other cybercrimes.

Build an in-house SOC or outsource SOC-as-a-Service -> Calculate Costs

Overlay attacks exploit vulnerabilities in mobile devices to stealthily superimpose malicious interfaces over legitimate app screens, which tricks users into unknowingly inputting sensitive data, such as login credentials and payment information. 

HookBot malware sellers posting on Telegram to discredit competitor products. HookBot malware sellers posting on Telegram to discredit competitor products. 
HookBot malware sellers posting on Telegram to discredit competitor products. 

The malware can further compromise devices by logging keystrokes, capturing screenshots, and intercepting SMS messages, including 2FA codes, granting attackers unrestricted access to victims’ accounts. 

It masquerades as popular apps like Facebook and Google Chrome and exploits user trust to gain unauthorized access to Android devices. Once installed, these malicious apps request excessive permissions to control the device. 

They can dynamically change their appearance to evade detection, mimicking legitimate apps with convincing overlays. This allows the malware to target many victims and execute malicious activities undetected.

Frame-by-frame showing the HookBot builder panel interface. Frame-by-frame showing the HookBot builder panel interface. 
Frame-by-frame showing the HookBot builder panel interface. 

The HookBot malware builder tool offers a user-friendly interface for creating customized malware variants with obfuscation techniques.

Along with Telegram channels, it facilitates the distribution of the malware, allowing buyers to choose different configurations based on their budget and campaign scale. 

The competitive nature of the malware market is evident in the public discourse among threat actors, where they discredit each other’s products to gain a competitive edge.

promotion of HookBot within Telegram promotion of HookBot within Telegram 
promotion of HookBot within Telegram 

The infected apps leverage HTML to dynamically load overlays from a C2 server, bypassing the need for app updates, where the malware abuses WhatsApp’s accessibility permissions to send messages autonomously, facilitating worm-like propagation. 

The applications use obfuscation techniques, such as those offered by Obfuscapk, to impede efforts to reverse engineer and detect malicious software. 

According to Netcraft, HookBot’s persistence highlights its effectiveness and adaptability. Its multi-channel supply chain facilitates widespread distribution, and low-skill threat actors can leverage tools to deploy it easily. 

Organizations must implement robust security measures, including advanced threat detection, email security solutions, and employee awareness training to counter this. Regular security audits and patching vulnerabilities are crucial. 

Run private, Real-time Malware Analysis in both Windows & Linux VMs. Get a 14-day free trial with ANY.RUN!



Source link