Saturday, December 7, 2024
HomeCyber CrimeHookBot Malware Use Overlay Attacks Impersonate As Popular Brands To Steal Data

HookBot Malware Use Overlay Attacks Impersonate As Popular Brands To Steal Data

Published on

SIEM as a Service

The HookBot malware family employs overlay attacks to trick users into revealing sensitive information by impersonating various brands and apps to gain trust. It also utilizes C2 servers to receive updates and evolve continuously. 

A builder tool empowers threat actors to create custom HookBot apps as the malware is often distributed through Telegram, where it’s sold at varying prices, indicating a competitive market for such tools. 

HookBot, a mobile banking Trojan, infiltrates Android devices by masquerading as legitimate apps, which, sourced from unofficial channels or bypassing Google Play store security, establish covert communication with a C2 server. 

- Advertisement - SIEM as a Service
App overlay mimicking Airbnb login screen. 
App overlay mimicking Airbnb login screen. 

Once installed, HookBot extracts sensitive user data, including banking credentials and PII, employing techniques like app overlays and device surveillance.

This data is then transmitted to the C2 server, facilitating financial fraud and other cybercrimes.

Build an in-house SOC or outsource SOC-as-a-Service -> Calculate Costs

Overlay attacks exploit vulnerabilities in mobile devices to stealthily superimpose malicious interfaces over legitimate app screens, which tricks users into unknowingly inputting sensitive data, such as login credentials and payment information. 

HookBot malware sellers posting on Telegram to discredit competitor products. 
HookBot malware sellers posting on Telegram to discredit competitor products. 

The malware can further compromise devices by logging keystrokes, capturing screenshots, and intercepting SMS messages, including 2FA codes, granting attackers unrestricted access to victims’ accounts. 

It masquerades as popular apps like Facebook and Google Chrome and exploits user trust to gain unauthorized access to Android devices. Once installed, these malicious apps request excessive permissions to control the device. 

They can dynamically change their appearance to evade detection, mimicking legitimate apps with convincing overlays. This allows the malware to target many victims and execute malicious activities undetected.

Frame-by-frame showing the HookBot builder panel interface. 
Frame-by-frame showing the HookBot builder panel interface. 

The HookBot malware builder tool offers a user-friendly interface for creating customized malware variants with obfuscation techniques.

Along with Telegram channels, it facilitates the distribution of the malware, allowing buyers to choose different configurations based on their budget and campaign scale. 

The competitive nature of the malware market is evident in the public discourse among threat actors, where they discredit each other’s products to gain a competitive edge.

promotion of HookBot within Telegram 
promotion of HookBot within Telegram 

The infected apps leverage HTML to dynamically load overlays from a C2 server, bypassing the need for app updates, where the malware abuses WhatsApp’s accessibility permissions to send messages autonomously, facilitating worm-like propagation. 

The applications use obfuscation techniques, such as those offered by Obfuscapk, to impede efforts to reverse engineer and detect malicious software. 

According to Netcraft, HookBot’s persistence highlights its effectiveness and adaptability. Its multi-channel supply chain facilitates widespread distribution, and low-skill threat actors can leverage tools to deploy it easily. 

Organizations must implement robust security measures, including advanced threat detection, email security solutions, and employee awareness training to counter this. Regular security audits and patching vulnerabilities are crucial. 

Run private, Real-time Malware Analysis in both Windows & Linux VMs. Get a 14-day free trial with ANY.RUN!

Latest articles

DaMAgeCard Attack – New SD Card Attack Lets Hackers Directly Access System Memory

Security researchers have identified a significant vulnerability dubbed "DaMAgeCard Attack" in the new SD...

Deloitte Denies Breach, Claims Only Single System Affected

Ransomware group Brain Cipher claimed to have breached Deloitte UK and threatened to publish...

Top Five Industries Most Frequently Targeted by Phishing Attacks

Researchers analyzed phishing attacks from Q3 2023 to Q3 2024 and identified the top...

Russian BlueAlpha APT Exploits Cloudflare Tunnels to Distribute Custom Malware

BlueAlpha, a Russian state-sponsored group, is actively targeting Ukrainian individuals and organizations by using...

API Security Webinar

72 Hours to Audit-Ready API Security

APIs present a unique challenge in this landscape, as risk assessment and mitigation are often hindered by incomplete API inventories and insufficient documentation.

Join Vivek Gopalan, VP of Products at Indusface, in this insightful webinar as he unveils a practical framework for discovering, assessing, and addressing open API vulnerabilities within just 72 hours.

Discussion points

API Discovery: Techniques to identify and map your public APIs comprehensively.
Vulnerability Scanning: Best practices for API vulnerability analysis and penetration testing.
Clean Reporting: Steps to generate a clean, audit-ready vulnerability report within 72 hours.

More like this

DaMAgeCard Attack – New SD Card Attack Lets Hackers Directly Access System Memory

Security researchers have identified a significant vulnerability dubbed "DaMAgeCard Attack" in the new SD...

Deloitte Denies Breach, Claims Only Single System Affected

Ransomware group Brain Cipher claimed to have breached Deloitte UK and threatened to publish...

Top Five Industries Most Frequently Targeted by Phishing Attacks

Researchers analyzed phishing attacks from Q3 2023 to Q3 2024 and identified the top...