
The PhishLabs Blog

Joshua Shilko

Joshua works as a Manager of Digital Forensics and Incident Response within the PhishLabs Research, Analysis, and Intelligence Division. He holds an M.S. in Cybersecurity - Computer Forensics from Utica College, a National Center of Academic Excellence in Cyber Defense Education.

Recent Posts

New Variant of BankBot Banking Trojan Ups Ante, Cashes Out on Android Users

Posted by Joshua Shilko on Mar 13, '18

A newly observed variant of BankBot has been discovered masquerading as Adobe Flash Player, Avito, and an HD Video Player. This variant, now detected by PhishLabs as BankBot Anubis, was first identified on March 5, 2018. 


Topics: Phishing, Banking Trojan, BankBot Anubis

Office DDE feature exploited to deliver DNSMessenger payload in new targeted phishing campaign

Posted by Joshua Shilko on Nov 14, '17

The Research, Analysis, and Intelligence Division (R.A.I.D.) here at PhishLabs handles a multitude of malware samples in its day-to-day operations. Occasionally, a campaign stands out from the rest. One such instance occurred recently when one of our Phishing Threat Monitoring service clients was targeted with DNSMessenger, a sophisticated, memory-resident infection technique that has previously been associated with a financially motivated Advanced Persistent Threat (APT) group. Also notable is the delivery method: abuse of the Dynamic Data Exchange (DDE) feature of Office documents. DDE is not a vulnerability but a long-standing, legitimate Office protocol; an attacker places a DDE field in the document that launches a command once the recipient accepts Word's warning prompts, so no exploit or macro is required. This delivery method has recently been adopted by actors ranging from nation-state APTs to spammers peddling downloaders and ransomware. In this article, we examine this delivery vector and dissect the initial DNSMessenger payload.
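As an added example (this is not code from the PhishLabs post), the following script shows the check an analyst can run on a suspicious attachment before detonating it: it opens the .docx as a zip, rebuilds every Word field code from its runs, and flags fields that start with DDE or DDEAUTO. Rebuilding from runs matters because the keyword is often split across several w:instrText elements to defeat a plain string search. The archive it scans is constructed inline and is not a real Word file; the field code inside it is a harmless placeholder, not the payload from the campaign.

```python
"""Triage check for DDE/DDEAUTO field codes in a .docx (added example, not PhishLabs code)."""
import io
import re
import zipfile
import xml.etree.ElementTree as ET

W_NS = "http://schemas.openxmlformats.org/wordprocessingml/2006/main"
W = "{%s}" % W_NS

# Once a field's runs are joined, a DDE launch reads {DDEAUTO <app> "<topic>"} or
# {DDE <app> "<topic>"}.  The word boundary keeps PAGE, DATE and similar fields out.
DDE_RE = re.compile(r"\bDDE(AUTO)?\b", re.IGNORECASE)


def field_codes(part_xml: bytes) -> list:
    """Rebuild every field code in one WordprocessingML part.

    Simple fields carry the code in w:fldSimple/@w:instr.  Complex fields spread it over
    w:instrText runs between a fldChar 'begin' and the first 'separate' or 'end', which is
    also how attackers split 'DDE' + 'AUTO' across runs to dodge naive string searches.
    Nested fields are flattened: the inner code is reported on its own.
    """
    root = ET.fromstring(part_xml)
    codes = [f.get(W + "instr", "") for f in root.iter(W + "fldSimple")]
    current = None
    for el in root.iter():
        if el.tag == W + "fldChar":
            kind = el.get(W + "fldCharType")
            if kind == "begin":
                current = []
            elif kind in ("separate", "end") and current is not None:
                codes.append("".join(current))
                current = None
        elif el.tag == W + "instrText" and current is not None:
            current.append(el.text or "")
    return codes


def scan_docx(data: bytes) -> list:
    """Return the DDE field codes found anywhere under word/ (body, headers, footers ...).

    Whitespace is collapsed before matching; codes hidden behind QUOTE fields are not covered.
    """
    hits = []
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for name in zf.namelist():
            if not (name.startswith("word/") and name.endswith(".xml")):
                continue
            for code in field_codes(zf.read(name)):
                if DDE_RE.search(re.sub(r"\s+", " ", code).strip()):
                    hits.append(code.strip())
    return hits


def build_sample_docx(with_dde: bool = True) -> bytes:
    """Constructed minimal archive holding only word/document.xml: enough for scan_docx,
    not a valid Word file.  The DDE keyword is deliberately split across two runs and the
    command is a harmless placeholder, not the DNSMessenger loader."""
    dde_para = (
        '<w:p>'
        '<w:r><w:fldChar w:fldCharType="begin"/></w:r>'
        '<w:r><w:instrText xml:space="preserve"> DDE</w:instrText></w:r>'
        '<w:r><w:instrText xml:space="preserve">AUTO c:\\\\windows\\\\system32\\\\cmd.exe </w:instrText></w:r>'
        '<w:r><w:instrText xml:space="preserve">"/k echo constructed-sample"</w:instrText></w:r>'
        '<w:r><w:fldChar w:fldCharType="separate"/></w:r>'
        '<w:r><w:t>Loading...</w:t></w:r>'
        '<w:r><w:fldChar w:fldCharType="end"/></w:r>'
        '</w:p>'
    )
    document = (
        '<?xml version="1.0" encoding="UTF-8"?>'
        '<w:document xmlns:w="%s"><w:body>'
        '<w:p><w:fldSimple w:instr=" PAGE "><w:r><w:t>1</w:t></w:r></w:fldSimple></w:p>'
        '%s</w:body></w:document>'
    ) % (W_NS, dde_para if with_dde else "")
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("word/document.xml", document)
    return buf.getvalue()


if __name__ == "__main__":
    for code in scan_docx(build_sample_docx()):
        print("DDE field:", code)
```

On a real attachment, call scan_docx on the file bytes; a hit is reason enough to route the sample to a sandbox rather than to the user, since DDE fields have no legitimate reason to invoke cmd.exe, powershell.exe or mshta.exe.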


Topics: Spear Phishing, Office DDE Exploit

RedAlert2 Mobile Banking Trojan Actively Updating Its Techniques

Posted by Joshua Shilko on Sep 25, '17

RedAlert2, an Android banking Trojan, has received a significant amount of attention since it was first reported last week (read more in this article by Bleeping Computer). The high level of interest in this Trojan is due to the fact that the code base appears to be completely new and the Trojan itself includes some unique functionality. The PhishLabs Research, Analysis, and Intelligence Division (R.A.I.D.) recently identified a new sample that exhibits changed tactics, techniques, and procedures relative to previous samples. We review some of the interesting features of RedAlert2 before identifying the changes observed in the most recent sample.


Topics: Android, Banking Trojan, Mobile Crimeware

BankBot Continues Its Evolution as AgressiveX AndroBot

Posted by Joshua Shilko on Sep 5, '17

PhishLabs researchers recently came across BankBot Android Banking Trojan samples which have a redesigned Administration Panel and new URL paths in their C2 infrastructure. The actor may be customizing BankBot to his or her liking, or perhaps re-packaging the leaked software for sale under another name. The use of the branded domain, agressivex[.]com, supports the latter. The new panel login screen is displayed below next to a more typical BankBot Maza-in panel. 


Topics: Mobile Crimeware

The Evolution of Mobile Banking Trojans… and What To Do About Them (Part II)

Posted by Joshua Shilko on Aug 15, '17

In the last article, we looked at why threat actors have flocked to the mobile space in droves, and which tools they’re using to ply their trade.

And naturally, no discussion of mobile threats would be complete without a detailed look at the most concerning current mobile threat: mobile banking trojans.

Since we’ve already covered the most common functionality, permissions, and distribution mechanisms, it only makes sense to take things a stage further and look at specific banking trojan families. To that end, in this article we’ll be looking at two of the most widespread families: Marcher and BankBot.

Once we’re through with that, we’ll go over some of the things organizations and individuals can do to avoid falling prey to mobile banking trojans in the future.


Topics: Phishing, Android, Banking Trojan

The Evolution of Mobile Banking Trojans… and What To Do About Them (Part I)

Posted by Joshua Shilko on Aug 8, '17

Over the past few years the way people interact with the Internet has changed.

In the past, the vast majority of people (over 80 percent) accessed the Internet using Windows desktop and laptop machines, with OS X devices a distant second.

But by early 2017, everything had changed: in March, Android overtook Windows as the most common operating system used to access the Internet.

Naturally, this trend hasn’t gone unnoticed.


Topics: Phishing, Trojan, Vishing, Rogue Mobile Applications

Marcher Android Banking Trojan - Threat Actor Shifts Technique to Evade Detection

Posted by Joshua Shilko on Jul 12, '17

PhishLabs has recently observed a technique change implemented by a threat actor tracked by our Research, Analysis, and Intelligence Division (R.A.I.D.™). This actor is utilizing a variant of the Marcher Android banking trojan to target clients of financial institutions, payment companies, auction sites, retailers, email providers, and social media companies, primarily located in North America.

Overview of Marcher

Marcher is a family of malicious Android applications that run in the background on an infected device and monitor its operation to detect the launch of specific applications or websites. When a targeted application or site is opened, Marcher overlays the screen with a customized phishing site which mimics the look and feel of the targeted institution. Marcher first appeared in 2013, and there are a number of variants in the wild with varying levels of functionality. Some samples contain only the web overlay and credential theft capability, while others extend functionality to include the ability to intercept and send SMS messages, lock the screen, steal system data, detect and hide anti-virus software, and even utilize the infected device as a SOCKS proxy.  


Marcher and Other Mobile Threats: What You Need to Know

Posted by Joshua Shilko on May 26, '17

When most people think about cyber risk, they think primarily of their organization’s servers, PCs, and laptops, and how they might be vulnerable to attack.

But in recent years, the way in which users interact with the outside world has changed. In March this year, for the first time ever, Android overtook Windows to claim the largest share of Internet traffic.

And naturally, where users go, threat actors will surely follow.


Topics: Mobile, Rogue Mobile Applications, Mobile Crimeware

Marcher Android Malware Increases its Geographic Reach

Posted by Joshua Shilko on Jun 23, '16

Earlier this year, PhishLabs wrote an in-depth analysis on Marcher, an Android Banking Trojan which is available for purchase as a kit on underground marketplaces. Marcher runs in the background on an infected device and monitors its operation to detect the launch of specific applications or websites. When a targeted application or site is opened, Marcher overlays the screen with a customized phishing site which mimics the look and feel of the targeted institution. Recent samples of Marcher have demonstrated an increase in total number of targeted institutions as well as a spread to additional geographic locations.
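The two Marcher descriptions above (the "Overview of Marcher" in the Jul 12 post and the paragraph just above) list the same set of behaviours: overlaying a phishing screen when a target app launches, intercepting and sending SMS, locking the screen, and surviving removal. Each of those maps onto a specific Android permission or component binding, which is what makes a manifest-level triage practical before any dynamic analysis. As an added example, not PhishLabs code and not a PhishLabs detection signature, the script below reads a decoded AndroidManifest.xml (binary manifests inside an APK must first be decoded, e.g. with apktool) and buckets the requested permissions by capability; the capability mapping and the risk thresholds are this example's own reading of the Android permission model. Both manifests it runs on are constructed inline, with invented package and class names.

```python
"""Permission triage for a decoded AndroidManifest.xml (added example, not PhishLabs code)."""
import xml.etree.ElementTree as ET

ANDROID = "{http://schemas.android.com/apk/res/android}"

# Capability buckets for the behaviours the Marcher posts describe.  Mapping is this
# example's own; SYSTEM_ALERT_WINDOW alone is legitimate (chat heads, screen filters),
# so nothing below is judged on a single permission.
USES_PERMISSION_CAPS = {
    "overlay": {"android.permission.SYSTEM_ALERT_WINDOW"},           # draw the phishing screen on top
    "app_monitor": {"android.permission.GET_TASKS",                   # learn which app is in front
                    "android.permission.PACKAGE_USAGE_STATS"},
    "sms": {"android.permission.RECEIVE_SMS", "android.permission.READ_SMS",
            "android.permission.SEND_SMS"},                           # intercept and forward OTP codes
    "persistence": {"android.permission.RECEIVE_BOOT_COMPLETED"},
}
# These are granted to a component via android:permission, not requested in <uses-permission>.
COMPONENT_PERMISSION_CAPS = {
    "android.permission.BIND_ACCESSIBILITY_SERVICE": "app_monitor",   # foreground-window events
    "android.permission.BIND_DEVICE_ADMIN": "device_admin",          # lock screen, resist uninstall
}


def triage_manifest(manifest_xml: str) -> dict:
    """Return the package name, the capabilities found and a coarse risk level."""
    root = ET.fromstring(manifest_xml)
    requested = {p.get(ANDROID + "name") for p in root.iter("uses-permission")}
    caps = {}
    for cap, perms in USES_PERMISSION_CAPS.items():
        hit = sorted(requested & perms)
        if hit:
            caps[cap] = hit
    app = root.find("application")
    for comp in (app.iter() if app is not None else []):
        cap = COMPONENT_PERMISSION_CAPS.get(comp.get(ANDROID + "permission"))
        if cap:
            caps.setdefault(cap, []).append("%s:%s" % (comp.tag, comp.get(ANDROID + "name")))
    # Overlay plus a way to know what the victim is looking at is the core of the overlay attack;
    # SMS access or device admin on top of that is what separates a trojan from a screen dimmer.
    core = "overlay" in caps and "app_monitor" in caps
    if core and ("sms" in caps or "device_admin" in caps):
        risk = "high"
    elif core or "sms" in caps:
        risk = "medium"
    else:
        risk = "low"
    return {"package": root.get("package"), "capabilities": caps, "risk": risk}


# Constructed manifest in the shape of a "Flash Player" lure; package and class names are invented.
SAMPLE_TROJAN_MANIFEST = """<?xml version="1.0" encoding="utf-8"?>
<manifest xmlns:android="http://schemas.android.com/apk/res/android"
          package="com.example.flashplayer.update">
  <uses-permission android:name="android.permission.INTERNET"/>
  <uses-permission android:name="android.permission.SYSTEM_ALERT_WINDOW"/>
  <uses-permission android:name="android.permission.GET_TASKS"/>
  <uses-permission android:name="android.permission.RECEIVE_SMS"/>
  <uses-permission android:name="android.permission.SEND_SMS"/>
  <uses-permission android:name="android.permission.RECEIVE_BOOT_COMPLETED"/>
  <application android:label="Flash Player">
    <receiver android:name=".AdminReceiver" android:permission="android.permission.BIND_DEVICE_ADMIN">
      <intent-filter><action android:name="android.app.action.DEVICE_ADMIN_ENABLED"/></intent-filter>
    </receiver>
    <service android:name=".Acc" android:permission="android.permission.BIND_ACCESSIBILITY_SERVICE"/>
  </application>
</manifest>"""

# Constructed benign manifest for comparison.
SAMPLE_BENIGN_MANIFEST = """<?xml version="1.0" encoding="utf-8"?>
<manifest xmlns:android="http://schemas.android.com/apk/res/android" package="com.example.notes">
  <uses-permission android:name="android.permission.INTERNET"/>
  <application android:label="Notes"><activity android:name=".MainActivity"/></application>
</manifest>"""


if __name__ == "__main__":
    for manifest in (SAMPLE_TROJAN_MANIFEST, SAMPLE_BENIGN_MANIFEST):
        print(triage_manifest(manifest))
```

The "high" verdict is a triage signal, not a conviction: the next step is to confirm in the decompiled code that the accessibility service or task list is actually used to pick an overlay, and to pull the target list and C2 from the sample.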


Topics: Malware, Android, marcher

Fraudster Phishing Users with Malicious Mobile Apps

Posted by Joshua Shilko on Apr 25, '16

Since the beginning of 2016, PhishLabs has observed a number of malicious mobile applications targeting users of popular payment card companies and online payment sites.  These attacks combine traditional, browser-based phishing attacks with the mobile platform in order to create convincing mobile applications. These applications claim to afford the user access to their accounts directly from their mobile device; however, their only functionality is the capability to collect credentials and personal information and deliver that stolen information to the attacker. Our research has indicated that these malicious applications have been created by the same actor or group of actors.


Topics: Phishing, Brand Abuse Lure, Mobile
