Monday, January 27, 2025
HomeMalwareMnuBot - New Banking Trojan Take Browsers Screenshots, Keylogging to Steal Bank...

MnuBot – New Banking Trojan Take Browsers Screenshots, Keylogging to Steal Bank Data

Published on

SIEM as a Service

Follow Us on Google News

Newly discovered banking Trojan named MnuBot malware spreading to steal the sensitive bank related information such as login credentials through taking the screenshot of the browser window and set the keylogger in victims machine.

MnuBot malware using  Microsoft SQL Server as a communication medium and take the commands from C&C server and execute it into the victim’s machine.

MnuBot Malware authors who belong to Brazilian region are using the various technique to evade the detection and they are tried to hide their malicious network through innocent Microsoft SQL traffic.

MnuBot malware mainly targets bank website and it will steal the banking data Once the user has an open browsing session to his banking website account and later the malware will be downloaded and the malware gets into the browser session.

To achieve the stealing operation, this malware opens the browser session and take the screenshot, set the keylogger into the vicitms machine, Simulating user clicks and keystrokes.

According to securityintelligence, MnuBot uses a full-screen overlay form to assist the attacker to commit the fraud. Overlaying forms are used to prevent the victims from accessing their open banking session inside the browser.

“Those forms are a type of social engineering to keep the user waiting. In the background, the cybercriminal takes control over the user endpoint and attempts to perform an illegal transaction via the victim’s open banking session.”

How does MnuBot Malware Works

MnuBot performing the infection with 2 stages of Attack flow, In the first stage it looking for  Desk.txt file within the AppData Roaming folder.

Desk.txt file is using this malware to identify the currently running desktop in with the victim’s machine.

if the malware doesn’t find the Desk.txt file, then it creates the file, creates a new desktop and switches the user workspace to that newly created desktop and this new desktop will run along the side of the victim current desktop.

MnuBot runs inside the newly created desktop

Later, it keeps checking the legitimate user opened windows and waiting for the bank names that it have within its configuration and once it finds the relevant bank name then it will query the server for the second stage executable according to the bank name that was found.

At the second stage, the Trojan executes the downloaded MnuBot payload to steal the banking details which is opened by victims in their desktop, then the malware record the screen, take a screenshot, set keylogging to collect the various sensitive banking data.

Later on, MnuBot malware connects to the command & control server and uses SQL server details (server address, port, username and a password) to share the collected information with the attacker.

Also Read:

Android Spyware & Banking Trojan Attack via DNS Spoofing that Poses as Legitimate Facebook or Chrome App

New Banking Trojan IcedID Evade Sandboxes and Performing Web Injection Attacks

Banking Trojan “BankBot” Infected More Than 150 Play Store Apps to Steal Bank Details

Balaji
Balaji
BALAJI is an Ex-Security Researcher (Threat Research Labs) at Comodo Cybersecurity. Editor-in-Chief & Co-Founder - Cyber Security News & GBHackers On Security.

Latest articles

White House Considers Oracle-Led Takeover of TikTok with U.S. Investors

In a significant development, the Trump administration is reportedly formulating a plan to prevent...

Critical Vulnerability in IBM Security Directory Enables Session Cookie Theft

IBM has announced the resolution of several security vulnerabilities affecting its IBM Security Directory...

Critical Apache Solr Vulnerability Grants Write Access to Attackers on Windows

A new security vulnerability has been uncovered in Apache Solr, affecting versions 6.6 through...

GitHub Vulnerability Exposes User Credentials via Malicious Repositories

A cybersecurity researcher recently disclosed several critical vulnerabilities affecting Git-related projects, revealing how improper...

API Security Webinar

Free Webinar - DevSecOps Hacks

By embedding security into your CI/CD workflows, you can shift left, streamline your DevSecOps processes, and release secure applications faster—all while saving time and resources.

In this webinar, join Phani Deepak Akella ( VP of Marketing ) and Karthik Krishnamoorthy (CTO), Indusface as they explores best practices for integrating application security into your CI/CD workflows using tools like Jenkins and Jira.

Discussion points

Automate security scans as part of the CI/CD pipeline.
Get real-time, actionable insights into vulnerabilities.
Prioritize and track fixes directly in Jira, enhancing collaboration.
Reduce risks and costs by addressing vulnerabilities pre-production.

More like this

Weaponised XWorm RAT Builder Attacking Script Kiddies To Hack 18,000 Devices

A recent cybersecurity attack involving a Trojanized version of the XWorm Remote Access Trojan...

Beware of Fake Captcha Verifications Spreading Lumma Malware

In January, Netskope Threat Labs uncovered a sophisticated global malware campaign leveraging fake CAPTCHA...

GhostGPT – Jailbreaked ChatGPT that Creates Malware & Exploits

Artificial intelligence (AI) tools have revolutionized how we approach everyday tasks, but they also...