The malware landscape is evolving at an alarming rate, and a multitude of new strains have already been observed.
Attackers are becoming more innovative and sophisticated in their methods, increasingly targeting Internet of Things devices and exploiting flaws in popular apps.
As a result, the mobile malware landscape has also rapidly evolved, with the most worrisome new strain for Brazil being “Rocinante,” as reported by the cybersecurity researchers at ThreatFabric.
Additionally, this malware uses keylogging through the Android Accessibility Service, creates fake phishing screens pretending to be representatives of various banks in order to collect personally identifiable information (PII), and takes over devices for full remote hacking.
Rocinante Malware Takes Over Android Devices Remotely
Rocinante is described as an evolution of a banking trojan that combines social engineering with technically effective device control.
Using the Accessibility Service privileges it obtains, it can track how users operate the device, how they enter sensitive information, and how they perform critical operations, which allows it to interfere with mobile banking sessions in ways that are harmful to the user.
Rocinante is a Brazilian banking malware internally dubbed “Pegasus” or “PegasusSpy,” which is distinct from NSO Group’s Pegasus spyware.
It primarily targets major Brazilian financial institutions through phishing websites distributing malicious APKs masquerading as security updates, courier apps, or banking applications, ThreatFabric said.
After installation, Rocinante takes control of the Android’s Accessibility Services for keylogging as well as for monitoring events in the UI.
It uses a standard multi-protocol C2 design: plain HTTP for the initial setup, WebSockets for data transfer, and Firebase for device registration.
Stolen PII and login credentials are exfiltrated through Telegram bots.
The malware’s remote-control functionality includes sending simulated touches, swipes, and text-field input, which enables fraudulent transactions to be carried out on the victim’s device.
Rocinante retrieves its list of targets from the C2 servers and uses phishing screens tailored to specific banks.
Earlier versions incorporated code from the leaked Ermac/Hook malware for taking screenshots and attacking cryptocurrency wallets, but the latest versions have evolved beyond that borrowed code.
The keystroke-logging component records all relevant UI events in a fixed format, which is then sent to the operators over the WebSocket channel.
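The behaviours described above (a sideloaded APK, Accessibility Service enabled, a WebSocket C2 channel, and exfiltration through Telegram bots) can be combined into a simple fleet-triage check. The following is an added example written for this article, not code from ThreatFabric or from the malware; the app-inventory fields, the egress-log format, and all package and host names are constructed assumptions, and the Telegram Bot API path prefix is the public one.

```python
import re

# Constructed app-inventory records (hypothetical MDM export fields), not real devices.
APPS = [
    {"pkg": "com.example.bank", "installer": "com.android.vending", "accessibility": False},
    {"pkg": "br.update.secure", "installer": None, "accessibility": True},   # sideloaded "security update"
    {"pkg": "com.example.courier", "installer": "com.android.vending", "accessibility": True},
]

# Constructed egress log lines in a hypothetical "<pkg> <proto> <host><path>" format.
LOGS = """\
br.update.secure https api.telegram.org/bot<TOKEN-PLACEHOLDER>/sendMessage
br.update.secure wss c2.example.invalid/ws
com.example.bank https bank.example.invalid/api
com.example.courier https api.telegram.org/bot<TOKEN-PLACEHOLDER>/sendDocument
"""

# Public Telegram Bot API URL shape: api.telegram.org/bot<token>/<method>
TELEGRAM_BOT = re.compile(r"^api\.telegram\.org/bot[^/]+/")


def triage(apps, logs):
    """Score each package against the Rocinante behaviours in the article.

    Returns {pkg: [reasons]} for packages that show at least two indicators,
    so that a lone Accessibility Service grant (legitimate for screen readers)
    does not produce a finding on its own.
    """
    egress = {}
    for line in logs.splitlines():
        pkg, proto, dest = line.split(maxsplit=2)
        egress.setdefault(pkg, []).append((proto, dest))

    findings = {}
    for app in apps:
        reasons = []
        if app["installer"] != "com.android.vending":
            reasons.append("sideloaded (installer is not the Play Store)")
        if app["accessibility"]:
            reasons.append("Accessibility Service enabled")
        for proto, dest in egress.get(app["pkg"], []):
            if TELEGRAM_BOT.match(dest):
                reasons.append("Telegram bot API egress")
            if proto == "wss":
                reasons.append("WebSocket channel")
        if len(reasons) >= 2:
            findings[app["pkg"]] = reasons
    return findings
```

Any package that is flagged should be pulled for manual review; the reasons list explains which of the article's indicators fired.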
Rocinante’s combination of PII theft, device control, and transaction manipulation poses significant risks to Brazilian banking customers. This highlights the current financial cybercrime landscape in Latin America.