Mobile users in Brazil have become the latest target of a malicious campaign involving a new Android banking trojan, dubbed Rocinante. This sophisticated malware is designed to perform keylogging via the Accessibility Service, making it highly effective at stealing personally identifiable information (PII) through phishing screens that mimic well-known banks.
Dutch security firm ThreatFabric commented on the malware, stating, "This malware family is capable of performing keylogging using the Accessibility Service and is also able to steal PII from its victims using phishing screens posing as different banks." They further explained that Rocinante can leverage the stolen data to fully take over the device, exploiting accessibility service privileges to gain complete remote access.
Key targets of this malware include financial institutions such as Itaú Shop and Santander, with counterfeit apps disguising themselves as Bradesco Prime and Correios Celular. Some examples of these fraudulent apps are:
- Livelo Pontos (com.resgatelivelo.cash)
- Correios Recarga (com.correiosrecarga.android)
- Bradesco Prime (com.resgatelivelo.cash)
- Módulo de Segurança (com.viberotion1414.app)
Upon analyzing Rocinante's source code, researchers discovered that the operators internally refer to it as Pegasus (or PegasusSpy). It's important to clarify that this Pegasus is unrelated to the notorious spyware developed by NSO Group. Instead, this variant is believed to be the creation of a threat actor known as DukeEugene, who has previously been linked to other malware strains like ERMAC, BlackRock, Hook, and Loot, according to a recent analysis by Silent Push.
ThreatFabric noted similarities between Rocinante and earlier versions of ERMAC, speculating that the leak of ERMAC's source code in 2023 may have influenced Rocinante's development. "This is the first case in which an original malware family took the code from the leak and implemented just some part of it in their code," the researchers pointed out. They also suggested that these versions might be separate forks of the same initial project.
Rocinante is primarily distributed through phishing websites that trick users into installing fake dropper apps. Once installed, these apps request accessibility service privileges, allowing them to monitor all activities on the device, intercept SMS messages, and present phishing login pages. The malware then connects to a command-and-control (C2) server to receive further instructions, including simulating touch and swipe actions remotely. The stolen personal information is sent to a Telegram bot, where it is formatted and shared in a chat accessible to criminals.
"The bot extracts the useful PII obtained using the bogus login pages posing as the target banks. It then publishes this information, formatted, into a chat that criminals have access to," ThreatFabric explained. The data collected can include details such as device model, telephone number, CPF number, passwords, and account numbers, depending on the fake login page used.
This development comes on the heels of another banking trojan campaign highlighted by Symantec, which exploits the secureserver[.]net domain to target Spanish- and Portuguese-speaking regions. According to Symantec, "The multistage attack begins with malicious URLs leading to an archive containing an obfuscated .hta file. This file leads to a JavaScript payload that performs multiple AntiVM and AntiAV checks before downloading the final AutoIT payload." The ultimate goal of this malware is to steal banking credentials and other sensitive information, which is then exfiltrated to a C2 server.
Additionally, there has been a rise in "extensionware-as-a-service" offerings on the Genesis Market, a platform that was shut down by law enforcement in early 2023. These malicious web browser extensions, designed to steal sensitive information, have been targeting users in the Latin American region, particularly in Mexico. The extensions are no longer available for download, but the e-crime group Cybercartel, responsible for their distribution, continues to offer similar services to other cybercriminals.
Security researchers Ramses Vazquez and Karla Gomez from the Metabase Q Ocelot Threat Intelligence Team explained, "The malicious Google Chrome extension disguises itself as a legitimate application, tricking users into installing it from compromised websites or phishing campaigns." Once installed, the extension injects JavaScript code into web pages visited by the user, capturing sensitive data such as login credentials, credit card information, and other user input, depending on the specific campaign.