Cybersecurity researchers discover new android banking trojan called Octo2 that performs fraudulent transaction


Cybersecurity researchers have uncovered a new version of the Octo Android banking trojan with improved capabilities for carrying out fraudulent transactions and device takeover (DTO) attacks.

According to a report that Dutch security firm ThreatFabric shared with the media, the malware author has given the new version the codename Octo2. Campaigns distributing the malware have so far been observed in European countries including Italy, Poland, Moldova, and Hungary.

“The malware developers took actions to increase the stability of the remote action capabilities needed for device takeover attacks,” the company said.

Some of the malicious apps carrying Octo2, listed as the legitimate app name they impersonate followed by the package name:

  • Europe Enterprise (com.xsusb_restore3)
  • Google Chrome (com.havirtual06numberresources)
  • NordVPN (com.handedfastee5)

ThreatFabric first documented Octo in early 2022, describing it as the work of a threat actor using the online handles Goodluck and Architect. It was assessed to be a "direct descendant" of the Exobot malware, first detected in 2016, which in turn gave rise to the Coper variant in 2021.

“Based on the source code of the banking Trojan Marcher, Exobot was maintained until 2018 targeting financial institutions with a variety of campaigns focused on Turkey, France, and Germany, as well as Australia, Thailand, and Japan,” ThreatFabric noted at the time.

“Subsequently, a ‘lite’ version of it was introduced, named ExobotCompact by its author, the threat actor known as ‘Android’ on dark-web forums.”

Octo2 is believed to have been spurred mainly by the leak of Octo's source code earlier this year, which led other threat actors to build their own variants on top of it.

According to Team Cymru, another significant development is Octo's shift to a malware-as-a-service (MaaS) model, under which the developer earns revenue by renting the malware to cybercriminals who want to run information-stealing operations.

“When promoting the update, the owner of Octo announced that Octo2 will be available for users of Octo1 at the same price with early access,” ThreatFabric said. “We can expect that the actors that were operating Octo1 will switch to Octo2, thus bringing it to the global threat landscape.”

Among the major changes in Octo2 are the addition of a domain generation algorithm (DGA) to derive command-and-control (C2) server names, along with improvements to its overall stability and its anti-analysis techniques.

An inherent benefit of DGA-based C2 is that operators can move to new C2 servers simply by registering the next domain the algorithm produces, which renders static domain blocklists ineffective and makes the infrastructure more resilient to takedown attempts.
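To make the DGA mechanism and its effect on blocklisting concrete, the following is an added illustrative example; it is not Octo2's actual algorithm and not code from ThreatFabric. It shows a toy date-seeded DGA, measures how a blocklist built from one day's domains fares against the next day's, and includes a crude lexical heuristic of the kind defenders use to flag DGA-looking names. The seed, TLD set, dates and thresholds are assumptions made up for the demonstration.

```python
import hashlib
import math
from collections import Counter
from datetime import date, timedelta

# Assumptions: this is an illustrative DGA, not Octo2's actual algorithm; the seed,
# TLD set, dates and detection thresholds below are made up for the demonstration.
SEED = "demo-seed"
TLDS = ("com", "net", "org")


def dga_domains(seed, day, count=5):
    """Derive `count` candidate C2 domains for `day` from a shared secret seed.

    Implant and operator run the same function, so the operator only has to
    register one of the day's candidates ahead of time; nothing is hard-coded
    in the sample that a blocklist could be built from.
    """
    domains = []
    for i in range(count):
        digest = hashlib.sha256(f"{seed}:{day.isoformat()}:{i}".encode()).digest()
        label = "".join(chr(ord("a") + b % 26) for b in digest[:12])
        domains.append(f"{label}.{TLDS[i % len(TLDS)]}")
    return domains


def blocklist_hit_rate(blocklist, candidates):
    """Fraction of `candidates` that a static domain blocklist would catch."""
    return sum(1 for d in candidates if d in blocklist) / len(candidates)


def shannon_entropy(text):
    """Per-character Shannon entropy in bits."""
    counts = Counter(text)
    n = len(text)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def looks_generated(domain, min_len=10, min_entropy=3.0, max_vowel_ratio=0.3):
    """Crude lexical heuristic: long, high-entropy, vowel-poor second-level labels
    are typical of DGA output. On its own this produces false positives; in
    practice combine it with NXDOMAIN rates and first-seen-domain signals.
    """
    parts = domain.lower().split(".")
    label = parts[-2] if len(parts) >= 2 else parts[0]
    if len(label) < min_len:
        return False
    vowel_ratio = sum(ch in "aeiou" for ch in label) / len(label)
    return shannon_entropy(label) >= min_entropy and vowel_ratio <= max_vowel_ratio


if __name__ == "__main__":
    day1 = date(2024, 9, 23)          # assumed dates for the demonstration
    day2 = day1 + timedelta(days=1)
    yesterday = dga_domains(SEED, day1)
    today = dga_domains(SEED, day2)

    # A blocklist built from yesterday's sinkholed domains catches nothing today.
    blocklist = set(yesterday)
    print("hit rate on day 1:", blocklist_hit_rate(blocklist, yesterday))
    print("hit rate on day 2:", blocklist_hit_rate(blocklist, today))

    for d in today + ["google.com", "mail.example.org"]:
        print(f"{d:24s} generated? {looks_generated(d)}")
```

Because the implant derives domains from the date, a blocklist snapshot is stale the next day, which is why defenders who recover the algorithm from a sample pre-register or sinkhole upcoming domains rather than blocking the ones already seen.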

The rogue Android apps that deliver the malware are built with Zombinder, a well-known APK binding service, which trojanizes a genuine app so that it fetches the actual payload (in this case, Octo2) under the pretext of installing a "necessary plugin."

Since there is currently no evidence that Octo2 is distributed through the Google Play Store, victims are most likely sideloading the apps from untrusted sources or being socially engineered into installing them.

“With the original Octo malware’s source code already leaked and easily accessible to various threat actors, Octo2 builds on this foundation with even more robust remote access capabilities and sophisticated obfuscation techniques,” ThreatFabric said.

“This variant’s ability to invisibly perform on-device fraud and intercept sensitive data, coupled with the ease with which it can be customized by different threat actors, raises the stakes for mobile banking users globally.”
