Brunhilda released new malware targeting Android

Jul 29, 2021 13:40 GMT  ·  By

ThreatFabric uncovered a new Android-based Remote Access Trojan (RAT) capable of recording smartphones' screens and stealing personal information, including financial data, in order to lay the groundwork for on-device fraud.

Vultur is the first Android banking Trojan capable of using keylogging and screen recording to automate and scale login credential harvesting. In comparison to other Android banking Trojans, the threat actors skipped the more popular HTML overlay tactic and instead simply recorded the screen.

Until recently, financial malware relied primarily on overlay attacks. Banker.BR, Vizom, and Grandoreiro, for instance, operate by first creating a fake version of the bank's login screen and then overlaying it on top of the original app, scamming its victims into entering their credentials and other sensitive information.

Vultur takes advantage of accessibility permissions to capture keystrokes and uses the VNC screen recording function to log every activity on the phone, thereby avoiding the requirement to register a new device, making it harder for banks to identify the fraud.

Brunhilda may be the cybercriminal gang responsible for the spreading of Vultur malware

ThreatFabric was able to correlate the Vultur campaign to Brunhilda using the MTI (Mobile Threat Intelligence) portal and real-time detections from the CSD (Client-Side Detection) solution. The overall number of victims of the Brunhilda cybercriminal group is estimated to be approximately 30,000. The sample analyzed by the cybersecurity researchers has since been removed from the Google Play Store.

Threat actors are moving away from leased Trojans (MaaS) distributed on underground markets and towards proprietary/private malware suited to their needs. This could mean that mobile banking threats are turning into RAT-type malware, acquiring valuable tricks like identifying foreground applications to initiate screen recording.

The features of the new malware enable on-device fraud: the attackers avoid detection by carrying out the fraudulent activity from the victim's own infected device. The actions needed to commit the fraud can be scripted on the malware backend and delivered to the device as a sequence of commands. Bear in mind that ThreatFabric also reported that the C2 of the "Brunhilda Project" now supports Vultur-specific bot commands.