April 24 Monthly Threat Pulse Review

Our Tactical Threat Intelligence Team at Fox-IT, part of NCC Group, has released an in-depth breakdown of some newly found technical features inside Vultur, a nefarious Android banking malware.

It was one of the first Android banking malware families to include screen recording capabilities and contains features such as keylogging and interacting with a victim’s device screen. Vultur mainly targets banking apps for keylogging and remote control. ThreatFabric first discovered Vultur in late March 2021. The authors behind Vultur have now been spotted adding new technical features, which allow the malware operator to further interact with the victim’s mobile device remotely. Vultur has also started masquerading more of its malicious activity by encrypting its Command-and-Control server (C2) communication, using multiple encrypted payloads that are then decrypted on the fly, and using the guise of legitimate applications to carry out its malicious actions.

Back in 2021, Vultur (ab)used legitimate software products, AlphaVNC and ngrok, to provide remote access to the VNC server running on the victim’s device. Vultur was distributed through a dropper framework called Brunhilda, responsible for hosting malicious applications on the Google Play Store. In a recent campaign, the Brunhilda dropper was spread in a hybrid attack using both SMS and phone calls. The first SMS message guides the victim to a phone call. When the victim calls the number, the fraudster provides the victim with a second SMS that includes the link to the dropper: a modified version of the McAfee Security app. The dropper deploys an updated version of Vultur banking malware through three payloads, where the final two Vultur payloads effectively work together by invoking each other’s functionality. The payloads are installed when the infected device has successfully registered with the Brunhilda C2 server.

Figure 4: Visualisation of the complete infection chain. Note: communication with the C2 server occurs during every malware stage
