22 October 19, 17:36
Quote:An Instagram-initiated campaign using the Gustuff Android mobile banking trojan has rolled out in October, featuring an updated version of the malware that lowers its detection profile.
How the cybercriminals are rolling out the campaign is the same as a previous offensive seen in June, according to researchers at Cisco Talos: Instagram posts designed to lure users into downloading and installing malware are the initial attack vector. Once infected, SMS messages from the device are used to propagate the trojan to others in the victim’s contact lists.
And, just as before, the campaign mainly targets Australian banks and digital currency wallets, looking to steal credentials and financial data.
The application target pool has widened, however: This new version of Gustuff is also looking to harvest user names and passwords for hiring sites’ mobile apps, and interestingly, credentials used on the official Australian government’s web portal, according to the researchers.
“During our investigation, we received a command from the [command-and-control server] C2 to target the Australian Government Portal that hosts several public services, such as taxes and social security,” according to an analysis posted on Monday. “The command was issued before the local injections were loaded (using the changearchive command). The injections were loaded from one of the C2 infrastructure servers. This command is not part of the standard activation cycle and…this represents a change for the actor.”
Read more here: https://threatpost.com/gustuff-android-b...ch/149403/