Wednesday, November 6, 2024
HomeCyber CrimeHookBot Malware Use Overlay Attacks Impersonate As Popular Brands To Steal Data

HookBot Malware Use Overlay Attacks Impersonate As Popular Brands To Steal Data

Published on

Malware protection

The HookBot malware family employs overlay attacks to trick users into revealing sensitive information by impersonating various brands and apps to gain trust. It also utilizes C2 servers to receive updates and evolve continuously. 

A builder tool empowers threat actors to create custom HookBot apps as the malware is often distributed through Telegram, where it’s sold at varying prices, indicating a competitive market for such tools. 

HookBot, a mobile banking Trojan, infiltrates Android devices by masquerading as legitimate apps, which, sourced from unofficial channels or bypassing Google Play store security, establish covert communication with a C2 server. 

- Advertisement - SIEM as a Service
App overlay mimicking Airbnb login screen. 
App overlay mimicking Airbnb login screen. 

Once installed, HookBot extracts sensitive user data, including banking credentials and PII, employing techniques like app overlays and device surveillance.

This data is then transmitted to the C2 server, facilitating financial fraud and other cybercrimes.

Build an in-house SOC or outsource SOC-as-a-Service -> Calculate Costs

Overlay attacks exploit vulnerabilities in mobile devices to stealthily superimpose malicious interfaces over legitimate app screens, which tricks users into unknowingly inputting sensitive data, such as login credentials and payment information. 

HookBot malware sellers posting on Telegram to discredit competitor products. 
HookBot malware sellers posting on Telegram to discredit competitor products. 

The malware can further compromise devices by logging keystrokes, capturing screenshots, and intercepting SMS messages, including 2FA codes, granting attackers unrestricted access to victims’ accounts. 

It masquerades as popular apps like Facebook and Google Chrome and exploits user trust to gain unauthorized access to Android devices. Once installed, these malicious apps request excessive permissions to control the device. 

They can dynamically change their appearance to evade detection, mimicking legitimate apps with convincing overlays. This allows the malware to target many victims and execute malicious activities undetected.

Frame-by-frame showing the HookBot builder panel interface. 
Frame-by-frame showing the HookBot builder panel interface. 

The HookBot malware builder tool offers a user-friendly interface for creating customized malware variants with obfuscation techniques.

Along with Telegram channels, it facilitates the distribution of the malware, allowing buyers to choose different configurations based on their budget and campaign scale. 

The competitive nature of the malware market is evident in the public discourse among threat actors, where they discredit each other’s products to gain a competitive edge.

promotion of HookBot within Telegram 
promotion of HookBot within Telegram 

The infected apps leverage HTML to dynamically load overlays from a C2 server, bypassing the need for app updates, where the malware abuses WhatsApp’s accessibility permissions to send messages autonomously, facilitating worm-like propagation. 

The applications use obfuscation techniques, such as those offered by Obfuscapk, to impede efforts to reverse engineer and detect malicious software. 

According to Netcraft, HookBot’s persistence highlights its effectiveness and adaptability. Its multi-channel supply chain facilitates widespread distribution, and low-skill threat actors can leverage tools to deploy it easily. 

Organizations must implement robust security measures, including advanced threat detection, email security solutions, and employee awareness training to counter this. Regular security audits and patching vulnerabilities are crucial. 

Run private, Real-time Malware Analysis in both Windows & Linux VMs. Get a 14-day free trial with ANY.RUN!

Latest articles

Researchers Detailed Credential Abuse Cycle

The United States Department of Justice has unsealed an indictment against Anonymous Sudan, a...

Rise Of Ransomware-As-A-Service Leads To Decline Of Custom Tools

Ransomware-as-a-Service (RaaS) platforms have revolutionized the ransomware market.Unlike traditional standalone ransomware sales, RaaS...

North Korean Hackers Employing New Tactic To Acruire Remote Jobs

North Korean threat actors behind the Contagious Interview and WageMole campaigns have refined their...

CRON#TRAP Campaign Attacks Windows Machine With Weaponized Linux Virtual Machine

Weaponized Linux virtual machines are used for offensive cybersecurity purposes, such as "penetration testing"...

Free Webinar

Protect Websites & APIs from Malware Attack

Malware targeting customer-facing websites and API applications poses significant risks, including compliance violations, defacements, and even blacklisting.

Join us for an insightful webinar featuring Vivek Gopalan, VP of Products at Indusface, as he shares effective strategies for safeguarding websites and APIs against malware.

Discussion points

Scan DOM, internal links, and JavaScript libraries for hidden malware.
Detect website defacements in real time.
Protect your brand by monitoring for potential blacklisting.
Prevent malware from infiltrating your server and cloud infrastructure.

More like this

Researchers Detailed Credential Abuse Cycle

The United States Department of Justice has unsealed an indictment against Anonymous Sudan, a...

Rise Of Ransomware-As-A-Service Leads To Decline Of Custom Tools

Ransomware-as-a-Service (RaaS) platforms have revolutionized the ransomware market.Unlike traditional standalone ransomware sales, RaaS...

North Korean Hackers Employing New Tactic To Acruire Remote Jobs

North Korean threat actors behind the Contagious Interview and WageMole campaigns have refined their...