
Rocinante Mobile Malware

A new malware campaign targets mobile users in Brazil with an Android banking Trojan called Rocinante. The malware logs keystrokes by abusing the Accessibility Service and harvests Personally Identifiable Information (PII) from victims through phishing screens that mimic various banks. It then uses the stolen data to take over the device, leveraging the same accessibility privileges to obtain full remote access to the infected device.

Masquerading as Legitimate Applications

The malware targets several prominent financial institutions, including Itaú Shop and Santander, using fake applications that pose as Bradesco Prime and Correios Celular, among others:

  • Livelo Pontos (com.resgatelivelo.cash)
  • Correios Recarga (com.correiosrecarga.android)
  • Bratesco Prine (com.resgatelivelo.cash)
  • Módulo de Segurança (com.viberotion1414.app)

Analysis of the malware's source code reveals that the operators internally refer to Rocinante as Pegasus or PegasusSpy. This Pegasus, however, has no connection to the cross-platform spyware developed by the commercial surveillance vendor NSO Group.

Connections to Other Malware Families

Pegasus is attributed to a threat actor known as DukeEugene, who has also developed similar malware strains such as ERMAC, BlackRock, Hook and Loot, according to a recent analysis by Silent Push.

Researchers have discovered that Rocinante includes elements influenced by earlier versions of ERMAC. The 2023 leak of ERMAC's source code may have contributed to this development. This appears to be the first instance of a distinct malware family incorporating parts of the leaked code into its own codebase. It is also possible that Rocinante and ERMAC represent separate branches of the same initial project.

The Rocinante Banking Trojan Targets Sensitive Data

Rocinante is primarily spread through phishing websites designed to deceive users into installing counterfeit dropper applications. Once installed, these applications request accessibility service privileges to monitor all activities on the infected device, intercept SMS messages, and display phishing login pages.
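A defender-side check for the indicators described above, added here as an example and not taken from the report: it parses the output of `pm list packages` and of the `enabled_accessibility_services` secure setting (both obtainable over adb) and flags the package names listed earlier as well as any accessibility grant outside an assumed allow-list, since that grant is the privilege the Trojan abuses. The TalkBack allow-list entry and the sample device output are constructed assumptions.

```python
"""Audit an Android device for Rocinante dropper packages and for
accessibility-service grants outside an allow-list."""
import subprocess

# Package names of the fake applications listed in the report.
ROCINANTE_PACKAGES = {
    "com.resgatelivelo.cash",
    "com.correiosrecarga.android",
    "com.viberotion1414.app",
}

# Accessibility services the fleet is expected to have (assumed allow-list).
EXPECTED_ACCESSIBILITY = {"com.google.android.marvin.talkback"}

# Constructed sample device output (not real data) for offline runs.
SAMPLE_PACKAGES = "package:com.android.chrome\npackage:com.viberotion1414.app\n"
SAMPLE_A11Y = ("com.google.android.marvin.talkback/.TalkBackService:"
               "com.viberotion1414.app/.AccService")


def parse_package_list(output):
    """Turn `pm list packages` lines ("package:com.foo") into a set of names."""
    return {line.split(":", 1)[1].strip() for line in output.splitlines()
            if line.startswith("package:")}


def parse_accessibility_services(output):
    """Turn the "pkg/service:pkg2/service2" setting value into owning packages."""
    value = output.strip()
    if not value or value == "null":  # setting unset on a clean device
        return set()
    return {entry.split("/", 1)[0] for entry in value.split(":") if entry}


def audit(packages, accessibility_pkgs):
    """Return (finding_kind, package) pairs, sorted for stable reporting."""
    findings = [("known_rocinante_package", p)
                for p in sorted(packages & ROCINANTE_PACKAGES)]
    findings += [("unexpected_accessibility_service", p)
                 for p in sorted(accessibility_pkgs - EXPECTED_ACCESSIBILITY)]
    return findings


def adb_shell(*args):
    """Run a command on the connected device and return its stdout."""
    return subprocess.run(["adb", "shell", *args], capture_output=True,
                          text=True, check=True).stdout


if __name__ == "__main__":
    pkgs = parse_package_list(adb_shell("pm", "list", "packages"))
    a11y = parse_accessibility_services(
        adb_shell("settings", "get", "secure", "enabled_accessibility_services"))
    for kind, pkg in audit(pkgs, a11y):
        print(f"{kind}: {pkg}")
```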

The malware also connects to a Command-and-Control (C2) server to receive remote instructions, including simulating touch and swipe events. Collected personal information is sent to a Telegram bot, which extracts useful data obtained through the fake login pages impersonating target banks. This information is then formatted and shared in a chat accessible to criminals.

The details vary depending on the fake login page used and include device information such as the model and phone number, as well as the victim's CPF number, password or account number.

Threat Actors Exploit Similar Infection Vectors

The development of the Rocinante banking Trojan coincides with cybersecurity researchers uncovering a new banking Trojan campaign that targets Spanish- and Portuguese-speaking regions by exploiting the secureserver.net domain.

The multi-phase attack starts with malicious URLs that direct users to an archive containing an obfuscated .hta file. This file triggers a JavaScript payload that performs various anti-VM and anti-AV checks before downloading the final AutoIt payload. The AutoIt payload is then executed through process injection, aiming to harvest banking information and credentials from the victim's system and exfiltrate them to a Command-and-Control (C2) server.
