New Copybara Android malware Remotely Controlling Infected Device


A new variant of Copybara, an Android malware family, has been detected to be active since November 2023 spreading through vishing attacks and leveraging the MQTT protocol for C2 communication. 

The malware exploits the Accessibility Service to gain control over infected devices and downloads phishing pages impersonating cryptocurrency exchanges and financial institutions; these pages trick victims into entering their credentials, which the malware then steals.


Copybara, a sophisticated Android trojan active since 2021, continues to evolve and now boasts a wide range of malicious capabilities, including keylogging, multimedia recording, SMS interception, screen capturing, credential theft, and remote device control.

Logos of financial institutions impersonated by Copybara.

Often posing as a legitimate financial app, it lures victims onto phishing pages targeting cryptocurrency exchanges and global financial institutions, and its adoption of MQTT for covert C2 communication enhances its stealth and persistence.

The latest Copybara variant, a malicious Android application, leverages the MQTT protocol for efficient communication with its command-and-control server.

Developed using the B4A framework, this variant often masquerades as legitimate financial institutions, particularly those based in Italy and Spain. 

It is also known to impersonate popular applications such as Google Chrome and IPTV services in an attempt to trick users into downloading and installing the malware, potentially compromising their personal and financial information.

Copybara is disguised as an IPTV application.

Copybara, a malicious Android application, leverages the Accessibility Service to gain extensive control over a victim’s device.

Upon installation, it persistently prompts users to enable this permission, which, if granted, allows the malware to manipulate various device settings and functions. 

The malware downloads and installs a list of phishing pages from a command-and-control (C2) server, designed to trick users into divulging their sensitive information. 

It establishes an MQTT connection to a C2 server, enabling it to receive and execute commands that range from capturing screenshots and recording audio to remotely controlling the device. 

The malware’s persistent notifications, blocked Settings menu options, and ability to download and install additional applications further hinder the victim’s ability to detect or remove it.
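Because the variant described above talks to its C2 server over MQTT, a network defender can look for MQTT CONNECT packets leaving mobile devices toward brokers that are not on an approved list. The following is an added example written for this article, not code from Zscaler ThreatLabz or from the malware; it parses MQTT 3.1/3.1.1 CONNECT packets and runs the check over constructed flow records with hypothetical addresses and an assumed broker allow list.

```python
import struct

def _varint(buf, pos):
    # MQTT "remaining length": 7 data bits per byte, high bit set means another byte follows
    value, shift = 0, 0
    while True:
        value |= (buf[pos] & 0x7F) << shift
        if not buf[pos] & 0x80:
            return value, pos + 1
        pos, shift = pos + 1, shift + 7

def _utf8(buf, pos):
    # MQTT length-prefixed UTF-8 string: 2-byte big-endian length, then the bytes
    (n,) = struct.unpack_from(">H", buf, pos)
    return buf[pos + 2:pos + 2 + n].decode("utf-8", "replace"), pos + 2 + n

def parse_mqtt_connect(payload):
    """Return the fields of an MQTT 3.1/3.1.1 CONNECT packet, or None if payload is not one."""
    try:
        _, pos = _varint(payload, 1)
        proto, pos = _utf8(payload, pos)
        if payload[0] >> 4 != 1 or proto not in ("MQTT", "MQIsdp"):   # control packet type 1 == CONNECT
            return None
        level, flags, keepalive = struct.unpack_from(">BBH", payload, pos)
        client_id, _ = _utf8(payload, pos + 4)
    except (IndexError, struct.error):
        return None
    return {"protocol": proto, "level": level, "client_id": client_id,
            "keepalive": keepalive, "has_credentials": bool(flags & 0xC0)}

def build_connect(client_id, keepalive=60):
    # Minimal MQTT 3.1.1 CONNECT builder, used here only to construct sample traffic
    body = b"\x00\x04MQTT\x04\x02" + struct.pack(">H", keepalive)
    body += struct.pack(">H", len(client_id)) + client_id.encode()
    return b"\x10" + bytes([len(body)]) + body      # fixed header + 1-byte remaining length

def find_unexpected_mqtt(flows, allowed_brokers):
    # Flag MQTT CONNECTs whose destination is not an approved broker
    alerts = []
    for flow in flows:
        info = parse_mqtt_connect(flow["payload"])
        if info and flow["dst"] not in allowed_brokers:
            alerts.append({"src": flow["src"], "dst": flow["dst"], "dport": flow["dport"], **info})
    return alerts

SAMPLE_FLOWS = [   # constructed sample flows with hypothetical addresses; the last one is HTTP, not MQTT
    {"src": "10.0.0.5", "dst": "198.51.100.7", "dport": 1883, "payload": build_connect("dev-a1b2", 30)},
    {"src": "10.0.0.6", "dst": "mqtt.corp.internal", "dport": 8883, "payload": build_connect("sensor-12")},
    {"src": "10.0.0.5", "dst": "203.0.113.9", "dport": 80, "payload": b"GET / HTTP/1.1\r\n\r\n"},
]
```

Running `find_unexpected_mqtt(SAMPLE_FLOWS, {"mqtt.corp.internal"})` returns one alert for the device connecting to the unapproved broker; TLS-wrapped MQTT on 8883 would need the payload decrypted at a proxy first.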

An example of a Copybara phishing page designed to look like a popular cryptocurrency exchange.

By mimicking legitimate apps with similar names and logos, the malware tricks victims into entering their credentials on phishing pages, which allows attackers to steal user information and gain unauthorized access to their accounts. 

Beyond credential theft, Copybara is a sophisticated trojan capable of audio and video recording, SMS hijacking, and screen capturing, making it a powerful tool for targeted attacks by malicious actors.

The Indicators of Compromise (IOCs) in this Zscaler ThreatLabz report include malicious URLs and server IPs used to distribute malware disguised as legitimate mobile banking apps for BBVA, CaixaBank, Mediobanca, and BNL.

The server IPs listed could be hosting the malware or could be part of the attacker’s infrastructure. Security personnel should monitor these IOCs to detect and prevent potential malware infections.

Indicators Of Compromise (IOCs) 

Sample hashes


C2 Server IPs
