Cybercrime , Fraud Management & Cybercrime , Governance & Risk Management
Hackers Update Vultur Banking Malware With Remote Controls
Attackers Can Now Download, Alter and Delete Files - Plus Click, Scroll and SwipeThreat actors are tricking banking customers with SMS texts into downloading new and improved banking malware named Vultur that interacts with infected devices and alters files.
See Also: OnDemand: AI Model Security Challenges: Financial and Healthcare Data
First documented in March 2021 by Threat Fabric, Vultur garnered attention for its misuse of legitimate applications such as AlphaVNC and ngrok, enabling remote access to the VNC server on targeted devices. Vultur also automated screen recording and keylogging for harvesting credentials.
The latest iteration of this Android banking malware boasts a broader range of capabilities and enables attackers to assume control of infected devices, hinder application execution, display customized notifications, circumvent lock-screen protections and conduct various file-related operations such as downloading, uploading, installing, searching and deleting.
The new functionalities primarily focus on remote interaction with compromised devices, although Vultur still relies on AlphaVNC and ngrok for remote access, said NCC Group security researchers in a report on Thursday.
Vultur's creators also refined anti-analysis and detection evasion strategies, spreading with multiple encrypted payloads that are decrypted on the fly. The malware now uses legitimate applications, such as McAfee Security and Android Accessibility Suite, to conceal its operations.
The infection process begins with a fraudulent SMS message prompting the victim to call a specified phone number under the pretext of resolving an unauthorized large transaction. During this call, the victim receives a second SMS containing a link to a modified version of the McAfee Security application.
The altered application harbors a dropper-framework named Brunhilda, responsible for deploying the Vultur malware through a sequence of three payloads, each intended to activate the subsequent stage.
Brunhilda initially connects to its command-and-control server, which then delivers the first payload. This payload is designed to acquire Accessibility Service privileges and facilitate the installation of the subsequent stage. The second payload incorporates the setup for AlphaVNC and ngrok, and the third payload houses the core backdoor functionality.
To facilitate remote interaction with the compromised device, the malware incorporates seven additional command-and-control methods. These methods enable attackers to carry out actions such as clicks, scrolls, swipe gestures and more.
These commands are transmitted to the infected device through Firebase Cloud Messaging, a messaging service offered by Google. Upon receiving a command via FCM, the malware executes the corresponding functionality as directed by the operator.
The latest iteration of Vultur also can obstruct user interaction with specific applications installed on the device. These applications are identified in a list provided by the attacker.