Malware

HookBot Malware Use Overlay Attacks Impersonate As Popular Brands To Steal Data

The HookBot malware family employs overlay attacks to trick users into revealing sensitive information by impersonating various brands and apps to gain trust. It also utilizes C2 servers to receive updates and evolve continuously. 

A builder tool empowers threat actors to create custom HookBot apps as the malware is often distributed through Telegram, where it’s sold at varying prices, indicating a competitive market for such tools. 

HookBot, a mobile banking Trojan, infiltrates Android devices by masquerading as legitimate apps, which, sourced from unofficial channels or bypassing Google Play store security, establish covert communication with a C2 server. 

App overlay mimicking Airbnb login screen.

Once installed, HookBot extracts sensitive user data, including banking credentials and PII, employing techniques like app overlays and device surveillance.

This data is then transmitted to the C2 server, facilitating financial fraud and other cybercrimes.

Build an in-house SOC or outsource SOC-as-a-Service -> Calculate Costs

Overlay attacks exploit vulnerabilities in mobile devices to stealthily superimpose malicious interfaces over legitimate app screens, which tricks users into unknowingly inputting sensitive data, such as login credentials and payment information. 

HookBot malware sellers posting on Telegram to discredit competitor products.

The malware can further compromise devices by logging keystrokes, capturing screenshots, and intercepting SMS messages, including 2FA codes, granting attackers unrestricted access to victims’ accounts. 

It masquerades as popular apps like Facebook and Google Chrome and exploits user trust to gain unauthorized access to Android devices. Once installed, these malicious apps request excessive permissions to control the device. 

They can dynamically change their appearance to evade detection, mimicking legitimate apps with convincing overlays. This allows the malware to target many victims and execute malicious activities undetected.

Frame-by-frame showing the HookBot builder panel interface.

The HookBot malware builder tool offers a user-friendly interface for creating customized malware variants with obfuscation techniques.

Along with Telegram channels, it facilitates the distribution of the malware, allowing buyers to choose different configurations based on their budget and campaign scale. 

The competitive nature of the malware market is evident in the public discourse among threat actors, where they discredit each other’s products to gain a competitive edge.

promotion of HookBot within Telegram

The infected apps leverage HTML to dynamically load overlays from a C2 server, bypassing the need for app updates, where the malware abuses WhatsApp’s accessibility permissions to send messages autonomously, facilitating worm-like propagation. 

The applications use obfuscation techniques, such as those offered by Obfuscapk, to impede efforts to reverse engineer and detect malicious software. 

According to Netcraft, HookBot’s persistence highlights its effectiveness and adaptability. Its multi-channel supply chain facilitates widespread distribution, and low-skill threat actors can leverage tools to deploy it easily. 

Organizations must implement robust security measures, including advanced threat detection, email security solutions, and employee awareness training to counter this. Regular security audits and patching vulnerabilities are crucial. 

Run private, Real-time Malware Analysis in both Windows & Linux VMs. Get a 14-day free trial with ANY.RUN!

Aman Mishra

Recent Posts

Researchers Detailed Credential Abuse Cycle

The United States Department of Justice has unsealed an indictment against Anonymous Sudan, a hacking…

42 seconds ago

Rise Of Ransomware-As-A-Service Leads To Decline Of Custom Tools

Ransomware-as-a-Service (RaaS) platforms have revolutionized the ransomware market. Unlike traditional standalone ransomware sales, RaaS offers…

4 mins ago

North Korean Hackers Employing New Tactic To Acruire Remote Jobs

North Korean threat actors behind the Contagious Interview and WageMole campaigns have refined their tactics,…

13 mins ago

CRON#TRAP Campaign Attacks Windows Machine With Weaponized Linux Virtual Machine

Weaponized Linux virtual machines are used for offensive cybersecurity purposes, such as "penetration testing" or…

17 mins ago

ToxicPanda Banking Malware Attacking Banking Users To Steal Logins

Recent research has uncovered a new strain of malware developed for Android devices, initially misidentified…

23 mins ago

Azure API Management Vulnerabilities Let Attackers Escalate Privileges

Recent discoveries by Binary Security have revealed critical vulnerabilities in Azure API Management (APIM) that could allow…

3 hours ago