Kaspersky Lab researchers warn that the Brazilian malware Ghimob is spreading not only beyond the country's borders but also to a new platform: it now targets mobile devices as well.
The new Ghimob malware belongs to the Guildma family of Brazilian banking Trojans. With it, attackers spy on their victims, including users in Paraguay, Peru, Portugal, Germany, Angola and Mozambique. The malware spreads through malicious emails that claim the addressee owes a debt; the recipient is invited to follow a link to learn more about the supposed problem. If the user clicks the link, a remote access Trojan is loaded onto the system.
Researchers have found links used to distribute both ZIP files for Windows and APKs for mobile devices at the same time. If, when the malicious link is clicked, the user agent is identified as a browser on Android, the link serves the APK file of the Ghimob installer instead.
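The user-agent-dependent delivery described above is something an analyst can check for directly when triaging a suspicious link. The following is an added example, not code from the article or from Kaspersky's research: it requests the same URL with a desktop and an Android User-Agent, classifies each response, and flags the link as cloaking when the payload type differs. The "server" is a constructed stand-in that imitates the behaviour described (APK for Android, ZIP otherwise) so the script runs offline; the User-Agent strings and archive contents are constructed sample data. Because an APK is itself a ZIP archive, the classifier inspects the archive members rather than the magic bytes.

```python
"""Added example (not from the article or Kaspersky's research): detect a
download link that serves different payloads depending on the User-Agent."""
import io
import zipfile

# Constructed User-Agent strings representing a desktop and an Android browser.
USER_AGENTS = {
    "windows_chrome": "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 Chrome/86.0",
    "android_chrome": "Mozilla/5.0 (Linux; Android 10; SM-G960F) AppleWebKit/537.36 Chrome/86.0 Mobile",
}


def build_zip(members: dict) -> bytes:
    """Build an in-memory ZIP archive from {name: bytes} (constructed sample data)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        for name, data in members.items():
            zf.writestr(name, data)
    return buf.getvalue()


# Constructed payloads: an APK is a ZIP too, so both begin with 'PK' and must be
# told apart by their members, not by the magic bytes.
FAKE_APK = build_zip({
    "AndroidManifest.xml": b"<binary xml placeholder>",
    "classes.dex": b"dex\n035 placeholder",
    "META-INF/MANIFEST.MF": b"",
})
FAKE_WIN_ZIP = build_zip({
    "debt_notice.exe": b"MZ placeholder",
    "README.txt": b"constructed sample",
})


def cloaked_fetch(url: str, user_agent: str) -> bytes:
    """Stand-in for an HTTP GET against a cloaking link (constructed behaviour):
    returns the APK when the User-Agent looks like Android, else the Windows ZIP.
    Replace with a real fetch (e.g. requests.get with a 'User-Agent' header) when
    triaging a live URL from an isolated analysis host."""
    return FAKE_APK if "Android" in user_agent else FAKE_WIN_ZIP


def classify_payload(data: bytes) -> str:
    """Classify a downloaded blob as 'apk', 'zip', 'corrupt-zip' or 'not-zip'."""
    if not data.startswith(b"PK\x03\x04"):
        return "not-zip"
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            names = set(zf.namelist())
    except zipfile.BadZipFile:
        return "corrupt-zip"
    # An Android package carries a manifest and at least one Dalvik bytecode file.
    if "AndroidManifest.xml" in names and any(n.endswith(".dex") for n in names):
        return "apk"
    return "zip"


def check_link(url: str, fetch=cloaked_fetch) -> dict:
    """Fetch `url` once per User-Agent and report whether the served payload
    type changes with the client, which is the cloaking pattern to look for."""
    payloads = {label: classify_payload(fetch(url, ua)) for label, ua in USER_AGENTS.items()}
    return {"payloads": payloads, "cloaking": len(set(payloads.values())) > 1}


if __name__ == "__main__":
    # Placeholder URL; the stand-in fetcher ignores it.
    print(check_link("http://example.invalid/debt-notice"))
```

In real triage the fetcher would be swapped for an HTTP client run from an isolated analysis host, and the downloaded samples would be hashed and submitted to sandboxes rather than opened; the point of the check is that a link returning `zip` to a desktop browser and `apk` to an Android one is a strong indicator of the dual-platform delivery the researchers describe.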
“APKs distributed in this way are masked as installers of popular applications; they are not presented on Google Play, but are hosted on several domains registered by malware operators”, say the researchers.
After a successful installation, the malware sends the C&C server the model of the infected device, whether a screen lock is configured, and a list of installed applications.
According to the experts, Ghimob can spy on 153 mobile apps, mostly belonging to banks, fintech companies and cryptocurrency exchanges. The Trojan can resist manual removal, collect data, manipulate what is displayed on the screen, and give attackers complete control of the device through remote access tools.
Ghimob can evade the security controls deployed by financial institutions and unlock the device screen, since it is able to record and replay user actions, including password entry. To carry out a fraudulent transaction, attackers can forcibly turn off the device screen, or use an already open financial application in the background while the victim sees a different application on the screen.
Technically, Ghimob is notable for using backup C&C servers protected by Cloudflare and for hiding its real C&C server behind a DGA. So far, however, the researchers have found no sign that the malware is being offered commercially under a MaaS (malware as a service) scheme.
The researchers note that, compared to BRATA or Basbanke (another Brazilian family of mobile banking Trojans), Ghimob is far more advanced, has a broader set of functions and establishes a firmer foothold on target devices.
“The desire of Latin American cybercriminals to spread mobile banking Trojans around the world has a long history. We have already seen Basbanke, BRATA, but they focused on the Brazilian market. Ghimob is the first mobile banking Trojan of Brazilian origin, ready for international distribution. We believe that this malware belongs to the Guildma family for several reasons, but mainly because they use the same infrastructure”, comments Dmitry Galov, cybersecurity expert at Kaspersky Lab.
The experts recommend that financial institutions keep a close eye on these threats while strengthening authentication processes, deploying anti-fraud technologies and using threat intelligence to reduce the likelihood of successful attacks by this mobile banking Trojan.
Recall that the US government recently announced new versions of the ComRAT and Zebrocy malware, which originate from a region far to the north of Brazil.