The PhishLabs Blog

In the last article, we looked at why threat actors have flocked to the mobile space in droves, and which tools they’re using to ply their trade.

And naturally, no discussion of mobile threats would be complete without a detailed look at the most concerning current mobile threat: mobile banking trojans.

Since we’ve already covered the most common functionality, permissions, and distribution mechanisms, it only makes sense to take things a stage further and look at specific banking trojan families. To that end, in this article we’ll be looking at the two of the most widespread families: Marcher and BankBot.

Once we’re through with that, we’ll go over some of the things organizations and individuals can do to avoid falling prey to mobile banking trojans in the future.

In the world of cyber security, there are some threats that seem to have been specifically designed to wreck your day.

Ransomware is one of those threats.

Even if you have secure backups, and they’re kept safely away from the rest of your network, the time it takes to restore from them and remove all traces of the offending trojan is sure to get your blood boiling.

So when a new ransomware threat arises, it pays to make sure your house is in order, and your users are on high alert.

Over the past few years the way people interact with the Internet has changed.

In the past, the vast majority of people (over 80 percent) accessed the Internet using Windows desktop and laptop machines, with similar OSX devices taking a distant second spot.

But by the end of 2016, everything had changed. Android mobile devices overtook Windows desktops as the most common means of accessing the Internet.

Naturally, this trend hasn’t gone unnoticed.

 Sample Analyzed:
415a75cd01a4b00385c974b59bbbd3e5211a985bf2560d7639d464fd5a56e9e6

Smoke Loader, also known as Dofoil, has been advertised on dark web forums since at least mid 2011.[1] Since initial release, this modular loader has continued to evolve with the addition of more complex anti-analysis techniques. Modular loaders such as this work by communicating with the command and control infrastructures to receive secondary execution instructions and/or to download additional functional modules, providing multiple stages of infection. Currently, Smoke Loader’s primary delivery method is via exploit kits, primarily Rig EK. Smoke Loader is commonly used to load the Trickbot banking Trojan and Globe Imposter ransomware.

This week, PhishLabs analysts have detected a new TrickBot campaign that began at approximately 23:30 EST on July 17th, and continued through the evening of July 18th before ending later that night.

Thousands of lures were detected, the bulk of which were sent between 12:30 - 15:30 EST on July 18th.

But let’s back up a little.

In case you missed it first time around, TrickBot is a prominent example of a type of malware known as a Trojan.  Like the Trojan from which it was developed, Dyre, Trickbot is configured to steal banking credentials. 

Once a victim's machine is infected, Trickbot sends bank information to criminals through a complex series of events initiated by one click. Once initiated, TrickBot resides in the background, operating as unobtrusively as possible. As a result, many victims are unaware their machine has been infected.

PhishLabs has recently observed a technique change implemented by a threat actor tracked by our Research, Analysis, and Intelligence Division (R.A.I.D^TM). This actor is utilizing a variant of the Marcher Android banking trojan to target clients of financial institutions, payment companies, auction sites, retailers, email providers, and social media companies, primarily located in North America.

Overview of Marcher

Marcher is a family of malicious Android applications that run in the background on an infected device and monitor its operation to detect the launch of specific applications or websites. When a targeted application or site is opened, Marcher overlays the screen with a customized phishing site which mimics the look and feel of the targeted institution. Marcher first appeared in 2013, and there are a number of variants in the wild with varying levels of functionality. Some samples contain only the web overlay and credential theft capability, while others extend functionality to include the ability to intercept and send SMS messages, lock the screen, steal system data, detect and hide anti-virus software, and even utilize the infected device as a SOCKS proxy.  

While there was a lively running debate over whether it was Petya or NotPetya yesterday, we all can all agree that what locked up some of the world’s largest shipping companies, spread through the infamous SMB exploit, and may have been delivered as an infected update, was not Karo. However, this obscure ransomware family was launched into the spotlight due to early confusion over Petya's initial infection vector.

In a world where new cyber threats seem to develop almost daily, it’s easy to forget that some tactics have stood the test of time.

Since mid-May, PhishLabs has been tracking an ongoing consumer-focused email phishing campaign.

And what tactic have they been using? The dreaded tech support scam.

No matter how much technology develops, threat actors will nearly always default to the simplest tactic that still works. And when it comes to consumer-focused phishing, there’s nothing simpler (and more effective) than a well constructed tech support scam.

The past few years has seen an explosion of cyber attack activity in the healthcare industry.

But that shouldn’t come as a surprise. Healthcare records are a goldmine for enterprising hackers, and with low security budgets across the industry it’s no wonder that healthcare organizations are considered a soft target.

A cursory glance at the industry’s security profile tells us everything we need to know. There are weaknesses everywhere, and hackers all over the world know it.

Incredibly, from a single successful healthcare breach, a hacker stands to earn anything from $285,000 to $1.7 million.

At this point, everybody knows phishing is a threat.

But then, it’s difficult to deny. As Verizon points out, over 90 percent of data breaches include a phishing or social engineering component, including many of the high profile breaches we all read about each week.

In fact, from a security perspective, phishing is the single greatest threat to most organizations, whether they’re tiny family owned businesses or huge multinational conglomerates.

So what are most organizations doing to defend against phishing?