After making its first in-the-wild appearance in March 2021, Vultur, an information-stealing RAT that runs on Android, is back.

Vultur (Romanian for "vulture") is known to target banks, cryptocurrency wallets, social media (Facebook, TikTok), and messaging services (WhatsApp, Viber) to harvest credentials using keylogging and screen recording.

According to ThreatFabric, the mobile security company that first spotted Vultur in 2021, the cybercriminals behind the malware have steered away from the HTML overlay strategy commonly seen in other Android banking Trojans. Overlays usually cost the attackers time and effort (a convincing fake login screen has to be built for each targeted app) in order to steal what they want from the user. By dropping them, the attackers put in less effort but got the same results.

Moreover, the group behind Vultur can see every interaction the user makes on the device, thanks to its real-time implementation of VNC (Virtual Network Computing) screen sharing. VNC is a legitimate tool for remotely controlling a device, so whatever the user sees on the phone screen, the actors can see too. Because a phone's VNC server is normally unreachable from the Internet (it sits behind carrier or Wi-Fi NAT), Vultur uses ngrok, another legitimate tool that opens an encrypted tunnel to expose local services behind firewalls and NAT (network address translation) to the public Internet.

One of the Android droppers that delivers Vultur (among other payloads) is Brunhilda, a privately operated dropper. Initial variants of Vultur were dropped by an Android app called "Protection Guard", which had 5,000 installs on the Google Play Store when it was discovered. Note, however, that there are many Brunhilda dropper apps on the Store, which suggests the infection count could be a lot higher.

Image caption: A Brunhilda dropper masquerading as a fake security solution for Android.

ThreatFabric believes that the group behind this dropper and the group behind Vultur are one and the same. The company has linked the two for the following reasons:
- The command and control (C2) server of "Project Brunhilda" supports Vultur-specific bot commands.
- Vultur has been seen using the same C2 that Brunhilda used in the past.
- Vultur has been seen using the same icon and package name as a Brunhilda dropper.
- Vultur uses JSON-RPC to communicate with its C2, as Brunhilda did.

Recently, researchers from Pradeo, another mobile security solutions provider, found a fresh variant of Vultur after they spotted a fake two-factor authenticator (2FA) app on the Google Play Store. The dropper app, aptly named "2FA Authenticator", is responsible for dropping Vultur onto Android devices. Pradeo didn't specify in its report whether this dropper app is Brunhilda.
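The VNC-over-ngrok channel described above gives defenders two things to look for on the device side: outbound connections to ngrok tunnel infrastructure, and an RFB (VNC) version handshake from a local VNC server. The following is an added example, not code from the original article and not ThreatFabric's or Pradeo's tooling: it scans a constructed per-app egress log for both indicators and reports packages that show both. The log format, the package names and the ngrok hostname list are assumptions made for this example; the RFB handshake bytes are the real format from RFC 6143.

```python
import re
from dataclasses import dataclass
from typing import Iterable, List, Optional, Set, Tuple

# Assumed indicators (not from the article): hostnames used by the ngrok
# agent and by public ngrok tunnel endpoints. Treat as a starting list only.
NGROK_HOST_SUFFIXES = (
    ".ngrok.io",
    ".ngrok.app",
    ".ngrok-free.app",
    ".ngrok.com",
    ".ngrok-agent.com",
)

# First bytes an RFB (VNC) server sends on a new connection, e.g. b"RFB 003.008\n".
# This is the real ProtocolVersion handshake format from RFC 6143.
RFB_VERSION = re.compile(rb"^RFB \d{3}\.\d{3}\n")

# Hypothetical per-app egress log format, constructed for this example:
#   <timestamp> pkg=<android package> dst=<host>:<port> [payload=<hex bytes>]
LOG_LINE = re.compile(
    r"^(?P<ts>\S+) pkg=(?P<pkg>\S+) dst=(?P<host>[^:\s]+):(?P<port>\d+)"
    r"(?: payload=(?P<payload>[0-9a-fA-F]*))?$"
)


@dataclass(frozen=True)
class Finding:
    line_no: int
    pkg: str
    reason: str


def is_ngrok_host(host: str) -> bool:
    """True if the destination host is (or is under) one of the assumed ngrok domains."""
    h = host.lower().rstrip(".")
    return any(h == s.lstrip(".") or h.endswith(s) for s in NGROK_HOST_SUFFIXES)


def looks_like_rfb_handshake(payload_hex: Optional[str]) -> bool:
    """True if the hex-encoded payload starts with an RFB ProtocolVersion string."""
    if not payload_hex:
        return False
    try:
        data = bytes.fromhex(payload_hex)
    except ValueError:
        return False
    return RFB_VERSION.match(data) is not None


def scan(lines: Iterable[str]) -> Tuple[List[Finding], Set[str]]:
    """Return (individual findings, packages showing both ngrok egress and an RFB handshake)."""
    findings: List[Finding] = []
    ngrok_pkgs: Set[str] = set()
    rfb_pkgs: Set[str] = set()
    for n, line in enumerate(lines, start=1):
        m = LOG_LINE.match(line.strip())
        if not m:
            continue  # unparseable line: skip rather than guess
        pkg, host = m["pkg"], m["host"]
        if is_ngrok_host(host):
            findings.append(Finding(n, pkg, f"egress to ngrok tunnel host {host}"))
            ngrok_pkgs.add(pkg)
        if looks_like_rfb_handshake(m["payload"]):
            findings.append(Finding(n, pkg, f"RFB/VNC handshake on port {m['port']}"))
            rfb_pkgs.add(pkg)
    # Only the combination is a strong signal: ngrok alone is legitimate traffic.
    return findings, ngrok_pkgs & rfb_pkgs


# Constructed sample log (not real telemetry). Package names are hypothetical.
# Line 3's payload is hex for b"RFB 003.008\n".
SAMPLE_LOG = """\
2022-01-28T10:00:01Z pkg=com.android.chrome dst=www.example.com:443
2022-01-28T10:00:02Z pkg=com.example.fake2fa dst=tunnel.ngrok.com:443
2022-01-28T10:00:03Z pkg=com.example.fake2fa dst=127.0.0.1:5900 payload=524642203030332e3030380a
2022-01-28T10:00:04Z pkg=com.example.notes dst=abc123.ngrok.io:443
"""

if __name__ == "__main__":
    found, both = scan(SAMPLE_LOG.splitlines())
    for f in found:
        print(f"line {f.line_no}: {f.pkg}: {f.reason}")
    print("VNC exposed through ngrok (both indicators):", sorted(both))
```

An ngrok tunnel carries the VNC session inside TLS to ngrok's servers, so the RFB handshake is only observable on the device itself (here on the loopback side of the local VNC server); network-side telemetry would show only the ngrok egress, and that indicator on its own is weak because ngrok is a legitimate tool. That is why the example raises the combined verdict only when both indicators appear for the same package.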