Saturday, December 7, 2024
HomeAndroidToxicPanda Banking Malware Attacking Banking Users To Steal Logins

ToxicPanda Banking Malware Attacking Banking Users To Steal Logins

Published on

SIEM as a Service

Recent research has uncovered a new strain of malware developed for Android devices, initially misidentified as TgToxic. 

Despite sharing some bot command similarities, this malware, now dubbed ToxicPanda, exhibits significant code divergence from its original source.

It lacks key TgToxic capabilities and possesses placeholder commands without functional implementation. 

- Advertisement - SIEM as a Service

The malware leverages Remote Access capabilities to enable Account Takeover (ATO) via On Device Fraud (ODF), allowing threat actors to bypass detection and target a wide range of banking customers, even with less sophisticated techniques.

ToxicPanda botnet, likely operated by Chinese-speaking threat actors, infected over 1,500 Android devices, primarily in Italy, Portugal, Spain, France, and Peru, indicating a potential shift in their targeting strategy.

Build an in-house SOC or outsource SOC-as-a-Service -> Calculate Costs

The banking trojan sample shows reduced technical capabilities compared to its ancestor, TGToxic, likely due to the developers’ inexperience with new targets and stricter regulations, leading to simplified obfuscation and the removal of advanced features like ATS.

Identified ToxicPanda’s icons
Identified ToxicPanda’s icons

A sophisticated Android banking trojan leverages accessibility services to gain elevated privileges, remotely control infected devices, intercept OTPs, and employ obfuscation techniques to evade detection.

This enables attackers to execute on-device fraud and steal sensitive financial information.

The APK contains configuration files targeting specific Android systems and vendors. It aims to block user interactions with system settings and security permissions by identifying and interfering with system-level applications and utilities.

The “langs.json” file is parsed during execution to match target devices based on a Chinese string and application package, potentially revealing target countries through language associations (e.g., Spanish and LATAM). 

Blocking interaction with unwanted applications
Blocking interaction with unwanted applications

The malware accesses phone albums, converts images to BASE64, and sends them to a C2 server, stealing sensitive information like login credentials and virtual card details.

Its configuration file reveals the use of a Chinese public DNS service (114DNS) for communication, which suggests potential ties to Chinese threat actors and indicates that this region might be a testing ground for the malware’s operations. 

Network configuration settings (config.toml)
Network configuration settings (config.toml)

ToxicPanda and TgToxic share 61 unique commands, suggesting a potential link between their developers. While ToxicPanda introduces new commands and lacks implementation for some TgToxic commands, particularly those related to UI automation, the overlap in command names is highly suspicious.

According to Cleafy, ToxicPanda malware uses three fixed domains (dksu[.]top, mixcom[.]one, freebasic[.]cn) to connect with its C2 server, lacking the sophistication of dynamic C2 endpoint determination techniques like DGAs or configuration updates.

It initially connects to a hardcoded C2 domain, where the C2 server can remotely change this domain via a command.

After the initial HTTPS connection, a JSON response establishes a WebSocket connection for further communication. 

 Bot’s registration on the C2 server
 Bot’s registration on the C2 server

While the ToxicPanda C2 panel investigation provided crucial insights into TA operations, including techniques, compromised devices, and actions on infected devices. 

The ToxicPanda C2 panel’s “Machine Management” interface provides detailed information about each compromised Android device, enabling fraud operators to efficiently manage the botnet and target specific devices for fraudulent activities.

It is controlled through a web-based interface and enables remote device control, script updates, and ODF attacks by predominantly targeting Italian devices.

It has a significant presence in Portugal, Hong Kong, Spain, and Peru, suggesting a widening geographic scope.

Run private, Real-time Malware Analysis in both Windows & Linux VMs. Get a 14-day free trial with ANY.RUN!

Latest articles

DaMAgeCard Attack – New SD Card Attack Lets Hackers Directly Access System Memory

Security researchers have identified a significant vulnerability dubbed "DaMAgeCard Attack" in the new SD...

Deloitte Denies Breach, Claims Only Single System Affected

Ransomware group Brain Cipher claimed to have breached Deloitte UK and threatened to publish...

Top Five Industries Most Frequently Targeted by Phishing Attacks

Researchers analyzed phishing attacks from Q3 2023 to Q3 2024 and identified the top...

Russian BlueAlpha APT Exploits Cloudflare Tunnels to Distribute Custom Malware

BlueAlpha, a Russian state-sponsored group, is actively targeting Ukrainian individuals and organizations by using...

API Security Webinar

72 Hours to Audit-Ready API Security

APIs present a unique challenge in this landscape, as risk assessment and mitigation are often hindered by incomplete API inventories and insufficient documentation.

Join Vivek Gopalan, VP of Products at Indusface, in this insightful webinar as he unveils a practical framework for discovering, assessing, and addressing open API vulnerabilities within just 72 hours.

Discussion points

API Discovery: Techniques to identify and map your public APIs comprehensively.
Vulnerability Scanning: Best practices for API vulnerability analysis and penetration testing.
Clean Reporting: Steps to generate a clean, audit-ready vulnerability report within 72 hours.

More like this

DaMAgeCard Attack – New SD Card Attack Lets Hackers Directly Access System Memory

Security researchers have identified a significant vulnerability dubbed "DaMAgeCard Attack" in the new SD...

Deloitte Denies Breach, Claims Only Single System Affected

Ransomware group Brain Cipher claimed to have breached Deloitte UK and threatened to publish...

Top Five Industries Most Frequently Targeted by Phishing Attacks

Researchers analyzed phishing attacks from Q3 2023 to Q3 2024 and identified the top...