Saturday, December 14, 2024

Chameleon Device-Takeover Malware Attacking IT Employees


Researchers have identified a new Chameleon campaign targeting hospitality employees, in which the attackers disguise malicious software as a CRM app.

File names uploaded to VirusTotal revealed evidence of targeted attacks, including a reference to a prominent international restaurant chain. This suggests a tailored approach to compromising specific organizations within the hospitality industry. 

Masquerading as CRM

The naming conventions of the droppers and payloads indicate that the campaign is aimed at the hospitality industry and possibly at business-to-consumer sectors more generally.


Successful infection of devices with corporate banking access grants the Chameleon malware control over business accounts, posing a significant organizational risk.


The campaign’s focus on CRM-related employee roles likely increases the probability of such access, making them high-value targets for attackers. 

A newly identified dropper capable of circumventing Android 13’s security restrictions marks a critical evolution in banking Trojan capabilities. 

This development underscores the increasing accessibility of Android bypass techniques following the public release of BrokewellDropper’s source code.

Upon activation, the malicious dropper presents a fraudulent CRM login screen demanding an employee ID. A deceptive prompt then encourages the user to reinstall the application; this is a subterfuge, as the application secretly installs a Chameleon payload instead.

The payload circumvents the fortified security measures implemented in Android 13 and later versions, specifically targeting accessibility service restrictions to establish a covert foothold within the device. 
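A defender-side check for the pattern described above, as an added example that is not code from the article or from the researchers it cites: it cross-references the packages that hold an enabled accessibility service with the installer recorded for each package. The sample strings, the `com.example.*` package names and the installer allowlist are constructed assumptions; the two `adb` commands named in the comments are the standard way to collect the real values.

```python
# Constructed sample data; TRUSTED_INSTALLERS is an assumption (Google Play only).
TRUSTED_INSTALLERS = {"com.android.vending"}

# Constructed output of: adb shell settings get secure enabled_accessibility_services
SAMPLE_A11Y = (
    "com.google.android.marvin.talkback/"
    "com.google.android.marvin.talkback.TalkBackService:"
    "com.example.crm.update/.core.HelperService"
)

# Constructed output of: adb shell pm list packages -i
SAMPLE_PKGS = """\
package:com.google.android.marvin.talkback  installer=com.android.vending
package:com.example.crm.portal  installer=null
package:com.example.crm.update  installer=com.example.crm.portal
"""


def parse_a11y(value):
    """Return the set of packages that own an enabled accessibility service."""
    value = value.strip()
    if not value or value == "null":
        return set()
    return {comp.split("/", 1)[0] for comp in value.split(":") if comp}


def parse_installers(listing):
    """Map package name -> installer package (None when none is recorded)."""
    result = {}
    for line in listing.splitlines():
        fields = line.strip().split()
        if not fields or not fields[0].startswith("package:"):
            continue
        installer = None
        for f in fields[1:]:
            if f.startswith("installer=") and f != "installer=null":
                installer = f.split("=", 1)[1]
        result[fields[0][len("package:"):]] = installer
    return result


def suspicious_a11y(a11y_value, pkg_listing, trusted=TRUSTED_INSTALLERS):
    """Packages with an enabled accessibility service and an untrusted installer."""
    installers = parse_installers(pkg_listing)
    return sorted(
        (pkg, installers.get(pkg))
        for pkg in parse_a11y(a11y_value)
        if installers.get(pkg) not in trusted
    )
```

Preinstalled system apps also report no installer, so on a real device the result needs an exclusion list for the vendor's own accessibility services before it is used for alerting.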

fake page

After installation, a malicious actor deployed a fake website that prompted users for credentials.

Upon submission, the website displayed an error message, which points to potential credential harvesting or to further malicious activity beyond credential acquisition.

Chameleon malware, actively operating in the background, employs keylogging to steal credentials and sensitive information. The stolen data poses a significant threat, as it can be exploited for further attacks or sold illicitly.

Mobile Threat Intelligence has identified Chameleon targeting specific financial institutions, disguising itself as a security app to install a fraudulent security certificate, emphasizing the malware’s evolving tactics and the critical need for robust countermeasures. 

Cybercriminals are increasingly targeting employees of B2C businesses to gain access to business banking accounts via mobile devices.

As exemplified by malware like Chameleon, the proliferation of mobile banking products for SMEs creates new opportunities for attackers. 

According to ThreatFabric, financial institutions must proactively educate business customers about these threats, emphasizing the potential consequences of malware infection. 

By implementing robust anomaly detection systems and malware detection capabilities, banks can enhance visibility into customer accounts, safeguarding assets from unauthorized access and fraudulent activities. 
