chartingshow / crypto-firewall

🎁 Blocks browser-based crypto mining, cryptojacking, banking and crypto malware and phishing websites, apps and hackers' command-and-control (C2) servers.
GNU General Public License v3.0
14 stars 0 forks

Block 17 of the most common new banking and crypto trojans and malware #412

Open summercms opened 11 months ago

summercms commented 11 months ago

Enhancement idea

Description

These ten new trojans are listed below:

  1. Nexus: MaaS (malware-as-a-service) with 498 variants offering live screen-sharing, targeting 39 apps in nine countries.
  2. Godfather: MaaS with 1,171 known variants targeting 237 banking apps in 57 countries. It supports remote screen-sharing.
  3. Pixpirate: Trojan with 123 known variants powered by an ATS module. It targets ten bank apps.
  4. Saderat: Trojan with 300 variants targeting eight banking apps in 23 countries.
  5. Hook: MaaS with 14 known variants powered by live screen-sharing. It targets 468 apps in 43 countries and is rented to cybercriminals for $7k/month.
  6. PixBankBot: Trojan with three known variants targeting four banking apps. It comes with an ATS module for on-device fraud.
  7. Xenomorph v3: MaaS operation with six variants capable of ATS operations, targeting 83 bank apps in 14 countries.
  8. Vultur: Trojan with nine variants targeting 122 banking apps in 15 countries.
  9. BrasDex: Trojan that targets eight bank apps in Brazil.
  10. GoatRat: Trojan with 52 known variants empowered by an ATS module, targeting six banking apps.


Of the malware families that existed in 2022 and were updated for 2023, those that maintain notable activity are: Teabot, Exobot, Mysterybot, Medusa, Cabossous, Anubis and Coper.

Links

https://www.zimperium.com/resources/zimperiums-2023-mobile-banking-heists-report-finds-29-malware-families-targeted-1800-banking-apps-across-61-countries-in-the-last-year/

https://threatfox.abuse.ch/browse/malware/apk.anubis/

https://www.threatfabric.com/blogs/double-trouble-in-latam

https://otx.alienvault.com/pulse/639b1f94a3ce39ae072ace99

https://malpedia.caad.fkie.fraunhofer.de/details/apk.brasdex

https://threatfox.abuse.ch/browse/malware/apk.flubot/

https://www.threatfabric.com/blogs/partners-in-crime-medusa-cabassous

https://threatfox.abuse.ch/browse/malware/win.medusa/

https://threatfox.abuse.ch/browse/malware/apk.coper/

https://malpedia.caad.fkie.fraunhofer.de/details/apk.exobot

https://otx.alienvault.com/pulse/647f308d931109e6179b207b

https://threatfox.abuse.ch/browse/malware/apk.godfather/

https://threatfox.abuse.ch/browse/malware/apk.hook/

https://www.threatfabric.com/blogs/mysterybot__a_new_android_banking_trojan_ready_for_android_7_and_8

https://malpedia.caad.fkie.fraunhofer.de/details/apk.mysterybot

https://otx.alienvault.com/pulse/5b23c6b5222d4f7379619822

https://threatfox.abuse.ch/browse/malware/apk.nexus/

https://cyble.com/blog/pixbankbot-new-ats-based-malware-poses-threat-to-the-brazilian-banking-sector/

https://www.cleafy.com/cleafy-labs/pixpirate-a-new-brazilian-banking-trojan

https://otx.alienvault.com/pulse/6475ca6e26d358bb8259755f

https://otx.alienvault.com/browse/global/pulses?include_inactive=0&sort=-modified&page=1&limit=10&q=Pixpirate&indicatorsSearch=Mysterybot,Pixpirate

IOC

I2P websites

n/a

IPFS websites

n/a

Tor2web websites

n/a

TOR websites

n/a

URLs

n/a

Folders

n/a

Sub-Domains

n/a

Domains

n/a

IPs

n/a

Emails

n/a

Wallet addresses

n/a

Mining pool addresses

n/a

summercms commented 8 months ago

https://github.com/summercms/ransomware_notes

summercms commented 3 weeks ago

https://github.com/Zimperium/IOC/tree/master

summercms commented 3 weeks ago

https://github.com/Zimperium/Iranian-banking-malware

summercms commented 3 weeks ago

https://threatfox.abuse.ch/browse/malware/win.bianlian/

https://threatfox.abuse.ch/browse/malware/js.fakeupdates/

https://threatfox.abuse.ch/browse/malware/win.cryptbot/