GoldDigger: New Android Trojan Targets Banking Apps and Crypto Wallets

  • Written by Shipra Sanganeria, Cybersecurity & Tech Writer

Threat intelligence researchers recently discovered a new Android trojan targeting financial applications in Vietnam. Dubbed GoldDigger, the malware’s primary goal is to commit financial fraud by secretly harvesting a user’s banking and other financial credentials.

According to researchers at Group-IB, the trojan has been active since June 2023 and has been monitoring users of more than 50 financial, e-wallet, and cryptocurrency apps in Vietnam.

In addition to Vietnamese, the app also has translation support for Spanish and traditional Chinese. “[..] these attacks may potentially extend their reach beyond Vietnam, encompassing Spanish-speaking nations and other countries in the APAC region,” Group-IB said.

The malware is distributed via phishing sites that impersonate either a Google Play page or a corporate website. The trojan itself is disguised as a fake Android application of a local energy company or a Vietnamese government portal.

Although the trojan disguises itself as a seemingly legitimate app, it can be installed and harvest user information only when the Android “Install from Unknown Sources” setting is enabled. When enabled, this setting allows third-party APKs to be installed on the device outside the official app store.

Once installed, the malicious app requests many intrusive permissions and abuses Android’s Accessibility Service to harvest sensitive user information, steal credentials, intercept SMS messages, and execute remote access commands. The stolen data is then sent to an attacker-controlled command and control (C2) server.

“Granting Accessibility Service permissions to GoldDigger enables it to gain full visibility into user actions and interact with user interface elements. This means it can see the victim’s balance, harvest the second credential issued for two-factor authentication, and implement keylogging functions, allowing it to capture credentials,” the investigation revealed.

During the investigation, the researchers also discovered an advanced anti-analysis technique: the use of Virbox Protector, a commercial packer that hinders detection. “Virbox Protector, a legitimate software [..], presents a challenge in triggering malicious activity in sandboxes or emulators.”

Given the presence of such malicious applications, it is essential that mobile users keep their devices updated, download and install applications only from verified sources, and be careful when granting the permissions that apps request.

Indeed.com Open Redirect Flaw Exploited by Phishers to Attack US Executives

  • Written by Shipra Sanganeria, Cybersecurity & Tech Writer

A recent phishing campaign targeting the Microsoft 365 accounts of senior executives in the US was seen exploiting an open redirect vulnerability in the popular job site Indeed.com.

Discovered by researchers at Menlo Security, the campaign, which started in July 2023, used the EvilProxy phishing framework. This reverse proxy service enables phishers to harvest session cookies and thereby bypass multi-factor authentication (MFA) methods that are not phishing-resistant.

According to the report, the campaign was directed at C-suite and other high-ranking executives from banking and financial, insurance, property management and real estate, electronic components, and other manufacturing industries in the US.

The targeted victims were initially sent a phishing email containing a seemingly legitimate indeed.com link. When clicked, the open redirect took the victim to a fake Microsoft login page deployed using the EvilProxy phishing-as-a-service platform.

The phishing site, which acts as a reverse proxy, lets the actor intercept the target’s actual requests and responses. It fetches all page content dynamically from the legitimate Microsoft website, relays the victim’s login, and captures the resulting session cookies, which the actor then uses to impersonate the victim and access their Microsoft 365 account.
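The open redirect pattern described above, shown as an added example that is not from the Menlo Security report or from Indeed: a handler that trusts its redirect parameter verbatim beside a hardened one, plus a check a mail-filtering team could run on inbound links. The site host `jobs.example.com` and the `next` parameter name are hypothetical.

```python
from typing import Optional
from urllib.parse import urlparse, parse_qs, urljoin

# Hypothetical site host for the example (constructed, not Indeed's real endpoint).
SITE_HOST = "jobs.example.com"


def unsafe_redirect_target(next_param: str) -> str:
    """The open-redirect pattern: the 'next' value is trusted verbatim, so a
    crafted link on a trusted domain can bounce the user to any site."""
    return next_param


def safe_redirect_target(next_param: str, host: str = SITE_HOST) -> str:
    """Hardened version: resolve the value against the site's own origin and
    honour only http(s) targets whose host is exactly the site host.
    Absolute foreign URLs, protocol-relative //host forms, userinfo tricks
    and javascript: URLs all fall back to the site root."""
    if not next_param or "\\" in next_param:  # browsers may treat '\' as '/'
        return "/"
    parts = urlparse(urljoin(f"https://{host}/", next_param))
    if parts.scheme not in ("http", "https") or parts.netloc.lower() != host:
        return "/"
    # Re-emit as a site-relative path so any port/userinfo is dropped
    return parts.path + (f"?{parts.query}" if parts.query else "")


def external_redirect_host(link: str, host: str = SITE_HOST,
                           param: str = "next") -> Optional[str]:
    """Defender-side check for a link seen in email: if a link on the trusted
    host carries a redirect parameter that resolves off-host, return that
    foreign host (a phishing indicator); otherwise return None."""
    parts = urlparse(link)
    if parts.netloc.lower() != host:
        return None
    for value in parse_qs(parts.query).get(param, []):
        dest = urlparse(urljoin(f"https://{host}/", value))
        if dest.netloc and dest.netloc.lower() != host:
            return dest.netloc.lower()
    return None
```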

While investigating, the cybersecurity company confirmed the use of EvilProxy by pointing to attribution indicators such as phishing domains hosted on Nginx servers and the use of Microsoft’s Ajax CDN to collect page content dynamically.

“The reverse proxy fetches all the content that can be dynamically generated like the login pages and then acts as the adversary in the middle by intercepting the requests and responses between the victim and the legitimate site. This helps in harvesting the session cookies and this tactic can be attributed to the usage of EvilProxy Phishing kit,” Menlo Security revealed.

To conclude, Menlo stated that this form of attack, which starts with an account compromise, can result in business email compromise leading to huge financial losses. “Account compromise only forms the preliminary stages of an attack chain that could possibly end up in a Business Email Compromise where the potential impact could range from identity theft, intellectual property theft and massive financial losses.”