Geeks for your information Security Security Vendors Kaspersky Kaspersky Security Blog v
Maverick: a new banking Trojan abusing WhatsApp in a mass-scale distribution
Maverick: a new banking Trojan abusing WhatsApp in a mass-scale distribution
harlan4096 Online
MalWare Zoo Team
*******
Posts: 15,293
Threads: 9,899
Thanks Received: 9,175 in 7,327 posts
Thanks Given: 10,035
Joined: 12 September 18
#1
Bug  16 October 25, 10:03
Quote:A malware campaign was recently detected in Brazil, distributing a malicious LNK file using WhatsApp. It targets mainly Brazilians and uses Portuguese-named URLs. To evade detection, the command-and-control (C2) server verifies each download to ensure it originates from the malware itself.

The whole infection chain is complex and fully fileless, and by the end, it will deliver a new banking Trojan named Maverick, which contains many code overlaps with Coyote. In this blog post, we detail the entire infection chain, encryption algorithm, and its targets, as well as discuss the similarities with known threats.

Key findings:
  • A massive campaign disseminated through WhatsApp distributed the new Brazilian banking Trojan named “Maverick” through ZIP files containing a malicious LNK file, which is not blocked on the messaging platform.
  • Once installed, the Trojan uses the open-source project WPPConnect to automate the sending of messages in hijacked accounts via WhatsApp Web, taking advantage of the access to send the malicious message to contacts.
  • The new Trojan features code similarities with another Brazilian banking Trojan called Coyote; however, we consider Maverick to be a new threat.
  • The Maverick Trojan checks the time zone, language, region, and date and time format on infected machines to ensure the victim is in Brazil; otherwise, the malware will not be installed.
  • The banking Trojan can fully control the infected computer, taking screenshots, monitoring open browsers and websites, installing a keylogger, controlling the mouse, blocking the screen when accessing a banking website, terminating processes, and opening phishing pages in an overlay. It aims to capture banking credentials.
  • Once active, the new Trojan will monitor the victims’ access to 26 Brazilian bank websites, 6 cryptocurrency exchange websites, and 1 payment platform.
  • All infections are modular and performed in memory, with minimal disk activity, using PowerShell, .NET, and shellcode encrypted using Donut.
  • The new Trojan uses AI in the code-writing process, especially in certificate decryption and general code development.
  • Our solutions have blocked 62 thousand infection attempts using the malicious LNK file in the first 10 days of October, only in Brazil.
Continue Reading...
Find
Reply


Forum Jump:


Users browsing this thread: 1 Guest(s)
[-]
Welcome
You have to register before you can post on our site.

Username/Email:


Password:

[-]
Recent Posts
Wikipedia sees decline in human pageview...
Wikipedia has reve...harlan4096 — 11:30
Google announces end of many of its Priv...
When Google announ...harlan4096 — 11:29
Xubuntu's website was hacked to spread a...
Xubuntu's website ...harlan4096 — 07:19
EPIM PRO
NOTE Astonsoft ...jasonX — 18:32
PrivadoVPN - Secure Every Device with On...
PrivadoVPN - Secure ...jasonX — 17:45

[-]
Birthdays
Today's Birthdays
avatar (47)vikgoMam
Upcoming Birthdays
avatar (47)Michaelaceve
avatar (37)QuadirLigh
avatar (38)Mblippek
avatar (44)viecontAceve
avatar (40)Michaelcrini

[-]
Online Staff
There are no staff members currently online.

>