Security News

Watch Out! New Android Banking Trojan Steals From 112 Financial Apps
2020-11-09 23:35

Four months after security researchers uncovered a "Tetrade" of four Brazilian banking Trojans targeting financial institutions in Brazil, Latin America, and Europe, new findings show that the criminals behind the operation have expanded their tactics to infect mobile devices with spyware. According to Kaspersky's Global Research and Analysis Team, the Brazil-based threat group Guildma has deployed "Ghimob," an Android banking Trojan targeting financial apps from banks, fintech companies, exchanges, and cryptocurrencies in Brazil, Paraguay, Peru, Portugal, Germany, Angola, and Mozambique.

RansomEXX trojan variant is being deployed against Linux systems, warns Kaspersky
2020-11-09 17:12

A trojan targeting Linux and deployed by a known ransomware gang has been discovered by Russian antivirus firm Kaspersky. The trojan was, so the two said, similar to the existing RansomEXX trojan, which they said had been deployed only last week against Brazil's courts, as well as targets in the US and elsewhere.

Wroba Mobile Banking Trojan Spreads to the U.S. via Texts
2020-10-30 18:35

The Wroba mobile banking trojan has made a major pivot, targeting people in the U.S. for the first time. Where Android users are served up the full Wroba download, according to researchers, the executable doesn't work on iPhone.

QQAAZZ Group Charged for Helping Banking Trojan Operators Launder Money
2020-10-16 12:28

The group had three hierarchical levels: leaders, mid-level managers, and money mules. The funds were transferred through a complex series of transactions that included transfers to other bank accounts controlled by the money-laundering group and conversion to cryptocurrency.

CISA Warns of Emotet Trojan Targeting State, Local Governments
2020-10-07 12:22

The U.S. Cybersecurity and Infrastructure Security Agency warns of an increase in attacks targeting state and local governments with the Emotet Trojan. Active for over a decade, Emotet is a Trojan mainly used to drop additional malware onto compromised systems.

LatAm Banking Trojans Collaborate in Never-Before-Seen Effort
2020-10-02 16:43

Virus Bulletin 2020 - A loose affiliation of cybercriminals are working together to author and distribute multiple families of banking trojans in Latin America - a collaborative effort that researchers say is highly unusual. Multiple, distinct malware families have plagued Latin American banking customers for years - the variants include Amavaldo, Casbaneiro, Grandoreiro, Guildma, Krachulka, Lokorrito, Mekotio, Mispadu, Numando, Vadokrist and Zumanek, according to ESET. In examining these families over time, ESET researchers began to notice "some similarities between multiple families in our series, such as using the same uncommon algorithm to encrypt strings or suspiciously similar DGAs to obtain C2 server addresses," according to a Thursday analysis.

Joker Trojans Flood the Android Ecosystem
2020-09-28 15:21

More variants of the Joker Android malware are cropping up in Google Play as well as third-party app stores, in a trend that researchers say points to a relentless targeting of the Android mobile platform. The Joker apps advertise themselves as legitimate apps.

Alien Android Banking Trojan Sidesteps 2FA
2020-09-24 15:46

A newly uncovered banking trojan called Alien is invading Android devices worldwide, using an advanced ability to bypass two-factor authentication security measures to steal victim credentials. Researchers believe Alien is a "fork" of the infamous Cerberus banking malware, which has undergone a steady demise in use over the past year.

Zeppelin Ransomware Returns with New Trojan on Board
2020-09-09 20:40

The Zeppelin ransomware has sailed back into relevance, after a hiatus of several months. These, like an initial Zeppelin wave observed in late 2019, start with phishing emails with Microsoft Word attachments that have malicious macros on board.

Japan, France, New Zealand Warn of Sudden Uptick in Emotet Trojan Attacks
2020-09-08 05:31

Cybersecurity agencies across Asia and Europe have issued multiple security alerts regarding the resurgence of email-based Emotet malware attacks targeting businesses in France, Japan, and New Zealand. "The emails contain malicious attachments or links that the receiver is encouraged to download," New Zealand's Computer Emergency Response Team said.