Thursday, December 12, 2024
HomeAndroidAntidot Malware Attacking Employees Android Devices To Inject Malicious Payloads

Antidot Malware Attacking Employees Android Devices To Inject Malicious Payloads

Published on

SIEM as a Service

Researchers discovered a new variant of the AntiDot banking trojan targeting Android mobile devices through a mobile-phishing (mishing) campaign, where this variant builds upon the version identified by Cyble in May 2024. 

The attackers leverage social engineering tactics, posing as recruiters offering job opportunities to lure victims. Once a user clicks on a malicious link within the phishing message, they are redirected to a network of phishing domains designed to distribute the AppLite malware. 

An example of a phishing email sent by attackers
An example of a phishing email sent by attackers

Upon successful installation, AppLite grants the attacker a broad range of malicious capabilities on the compromised device, which include credential theft for banking applications, cryptocurrency wallets, and potentially other sensitive applications like social media accounts, email clients, and messaging platforms. 

- Advertisement - SIEM as a Service

2024 MITRE ATT&CK Evaluation Results for SMEs & MSPs -> Download Free Guide

By stealing credentials for these accounts, attackers can gain unauthorized access to a user’s financial information, digital assets, and personal communications and potentially even hijack their online identities.

Targeting speakers across different countries based on the language
Targeting speakers across different countries based on the language

An analysis of the AppLite campaign highlights several key technical points. First, the attackers are leveraging a technique known as domain name generation algorithms (DGA) to dynamically generate phishing domains. 

This makes it difficult for traditional security solutions to block all malicious URLs, as new ones can be created quickly.

To address this challenge, Zimperium’s zLabs researchers leverage machine learning algorithms to detect and block malicious domains associated with DGA-based campaigns. 

website used to distribute the malwares
website used to distribute the malwares

The machine learning models are trained on vast datasets of known malicious URLs and are able to identify patterns and characteristics that are indicative of phishing domains, even if they have never been seen before, which allows to provide real-time protection against DGA-based phishing attacks.

Second, the AppLite malware itself is obfuscated to evade detection by static analysis tools, as the malware’s malicious code is hidden or disguised, making it more difficult for security researchers to understand how it works. 

To counter this tactic, they utilize advanced behavioral analysis techniques to detect malicious activities regardless of the obfuscation methods employed by the malware, where behavioral analysis involves monitoring the actions of an application on a device to determine whether it is exhibiting any suspicious or malicious behavior. 

 intercepted websocket communication
 intercepted websocket communication

If an application is attempting to steal credentials from other applications or if it is communicating with known command-and-control servers, this would be indicative of malicious intent. 

Finally, the attackers are using a technique known as reflection to inject malicious code into legitimate websites. In a reflection attack, attackers exploit a vulnerability in a website that allows them to inject arbitrary code into the website’s response. 

The injected code can then be used to steal credentials, deliver malware, or perform other malicious actions, while the solution defends against reflection-based attacks by inspecting the network traffic for signs of malicious code injection and blocking any attempts to deliver malware through this method. 

Users are able to identify and prevent reflection attacks, even if they are obfuscated or use novel techniques, by conducting an analysis of the traffic on the network to look for suspicious patterns and behaviors.

Investigate Real-World Malicious Links, Malware & Phishing Attacks With ANY.RUN – Try for Free

Latest articles

Triad Nexus, Chinese Hackers Using 200,000 Domains For Widespread Cyber Attack

Researchers identified FUNNULL, a Chinese CDN, as hosting malicious content, which includes fake trading...

Malicious ESLint Package Let Attackers Steal Data And Inject Remote Code

Cybercriminals exploited typosquatting to deploy a malicious npm package, `@typescript_eslinter/eslint`, targeting developers seeking the...

New Chinese Surveillance Tool Attack Android Users Since 2017

Wuhan Chinasoft Token Information Technology Co., Ltd. developed EagleMsgSpy, a surveillance tool operational since...

ConvoC2 – A Red Teamers Tool To Execute Commands on Hacked Hosts Via Microsoft Teams

A stealthy Command-and-Control (C2) infrastructure Red Team tool named ConvoC2 showcases how cyber attackers...

API Security Webinar

72 Hours to Audit-Ready API Security

APIs present a unique challenge in this landscape, as risk assessment and mitigation are often hindered by incomplete API inventories and insufficient documentation.

Join Vivek Gopalan, VP of Products at Indusface, in this insightful webinar as he unveils a practical framework for discovering, assessing, and addressing open API vulnerabilities within just 72 hours.

Discussion points

API Discovery: Techniques to identify and map your public APIs comprehensively.
Vulnerability Scanning: Best practices for API vulnerability analysis and penetration testing.
Clean Reporting: Steps to generate a clean, audit-ready vulnerability report within 72 hours.

More like this

Triad Nexus, Chinese Hackers Using 200,000 Domains For Widespread Cyber Attack

Researchers identified FUNNULL, a Chinese CDN, as hosting malicious content, which includes fake trading...

Malicious ESLint Package Let Attackers Steal Data And Inject Remote Code

Cybercriminals exploited typosquatting to deploy a malicious npm package, `@typescript_eslinter/eslint`, targeting developers seeking the...

New Chinese Surveillance Tool Attack Android Users Since 2017

Wuhan Chinasoft Token Information Technology Co., Ltd. developed EagleMsgSpy, a surveillance tool operational since...