[ad_1]
While monitoring a Windows campaign by the Guildma group, Kaspersky researchers found URLs that distributed not only a malicious .ZIP file for Windows, but also a malicious file that appeared to be a downloader for installing Ghimob, a new Trojan banking.
After infiltrating accessibility mode, Ghimob can gain persistence and disable the option to manually uninstall, capture data, manipulate screen content, and provide full remote control to the actors behind it. According to experts, the developers of this typical Mobile Remote Access Trojan (RAT) are very focused on users in Brazil, but have big plans to expand around the world. The campaign is still active.
Guildma, a group of cyber attackers that is part of the Tétrade series, known for its scalable malicious activities both in Latin America and elsewhere in the world, has been actively working on new techniques, developing malware and targeting new victims.
Its new creation, the Ghimob banking trojan, lures victims into installing the malicious file via an email suggesting that the person receiving it has some kind of debt. The email also includes a link that the victim can access so they can find out more. Once the RAT is installed, the malware sends a message about a successful infection to its server. The message includes the model of the phone, whether the screen lock is enabled or not, and a list of all installed applications that the malware may be affecting. In total, Ghimob can spy on 153 mobile applications, mainly from banks, fintech companies, cryptocurrencies and exchanges.
When it comes to functions, Ghimob is a spy in the victim’s pockets. Developers can remotely access the infected device and can scam using the owner’s smartphone, to avoid identifying their devices and bypassing the security measures implemented by financial institutions and their anti-fraud systems. Even if the user uses a screen lock system, Ghimob is able to record it and play it to unlock the device. When the developers are ready to commit a fraudulent transaction, they can insert an overlay on the screen, a black image or open some websites in full screen. Then, while the user looks at that screen, the developers execute the fraudulent transaction in the background, using the already open or connected financial application running on the device.
Kaspersky statistics show that, in addition to Brazil, Ghimob’s expansion goals target Paraguay, Peru, Portugal, Germany, Angola and Mozambique.
“The desire of cyber attackers in Latin America to create a banking Trojan for mobile devices with global coverage has a long history. We have already seen Basbanke, then BRata, but both were heavily focused on the Brazilian market. Ghimob is the first Brazilian Trojan for phones. mobile phones ready for international expansion. We believe this new campaign may be linked to Guildma, responsible for a well-known Brazilian banking Trojan, for several reasons, but mainly because they have the same infrastructure. We advise financial institutions to closely monitor these threats. while improving authentication processes, enhancing anti-fraud technology and gathering information on threats and trying to understand and mitigate all the risks of this new family of mobile RATs, “said Fabio Assolini, security expert at Kaspersky.
Kaspersky products detect the new family as Trojan-Banker.AndroidOS.Ghimob.
.
[ad_2]
Source link