A new strain of Android banking malware known as Rocinante has recently surfaced in Brazil, targeting mobile users there and in other Portuguese- and Spanish-speaking regions.
Description
Distributed by a threat actor operating under the alias DukeEugene, Rocinante is an Android banking trojan that logs keystrokes through the Accessibility Service, harvests personally identifiable information with phishing screens that impersonate various banks [2] [3], and achieves device takeover by abusing the accessibility privileges the victim grants to it. The takeover relies on the victim enabling the app's accessibility service, not on an Android vulnerability, so the permission prompt is where an infection can still be stopped.

For command and control the malware uses Firebase messaging, plain HTTP traffic, WebSocket connections and the Telegram API [1]. It is disseminated through phishing sites masquerading as security updates or banking apps [1]; once installed it contacts its command-and-control server to receive further instructions [3], and stolen data is exfiltrated to a Telegram bot under the operators' control.

Two related developments are also reported: a separate banking trojan campaign that abuses the secureserver[.]net domain, and a new “extensionware-as-a-service” offering, sold through the Genesis Market, that targets Latin American users with malicious web browser extensions [3].

Rocinante poses a significant threat to banking customers [1]: with keylogged credentials, PII captured from the fake bank screens, and remote control of the device, the operators can initiate unauthorized transfers and drain accounts [2].
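The Telegram Bot API channel described above is a useful network-side pivot: every call to it carries the operator's bot token in the URL path, so proxy or firewall logs can be hunted for it even when the malware sample itself is not available. The script below is an added example written for this page, not code from the original post or from any of the cited reports. It assumes a hypothetical proxy log format (timestamp, source IP, HTTP verb, URL, status, bytes, user agent) and uses constructed log lines with made-up bot IDs and tokens; the Telegram Bot API URL shape it matches is the public one.

```python
"""Hunt proxy logs for Telegram Bot API exfiltration and command polling.

Added example, not from the original page. The log format is hypothetical;
adapt LINE_RE to your own proxy or NGFW export.
"""
import re
from dataclasses import dataclass
from typing import Dict, List, Set

# Public Telegram Bot API URL shape: https://api.telegram.org/bot<bot_id>:<secret>/<method>
BOT_API_RE = re.compile(
    r"https?://api\.telegram\.org/bot(?P<bot_id>\d+):(?P<secret>[A-Za-z0-9_-]{20,})"
    r"/(?P<method>[A-Za-z]+)"
)
# Methods a stealer uses to push data to its operator vs. to poll for operator commands
EXFIL_METHODS = {"sendMessage", "sendDocument", "sendPhoto"}
POLL_METHODS = {"getUpdates"}
# Android app-level HTTP stacks and WebViews; browsers on a phone also say "Android"
ANDROID_UA_RE = re.compile(r"Dalvik|okhttp|Android", re.IGNORECASE)

# Hypothetical log format: ts src_ip verb url status bytes "user-agent"
LINE_RE = re.compile(
    r'^(?P<ts>\S+) (?P<src>\S+) (?P<verb>[A-Z]+) (?P<url>\S+) '
    r'(?P<status>\d{3}) (?P<bytes>\d+) "(?P<ua>[^"]*)"$'
)


@dataclass
class Finding:
    ts: str
    src_ip: str
    bot_id: str
    method: str
    kind: str            # "exfil", "c2-poll" or "other"
    android_ua: bool
    bytes_out: int
    redacted_url: str    # bot secret removed so the finding can be pasted into a ticket


def classify(method: str) -> str:
    if method in EXFIL_METHODS:
        return "exfil"
    if method in POLL_METHODS:
        return "c2-poll"
    return "other"


def hunt(log_text: str) -> List[Finding]:
    findings: List[Finding] = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        hit = BOT_API_RE.search(m["url"])
        if not hit:
            continue  # ordinary Telegram client traffic (web.telegram.org etc.) is not a bot call
        findings.append(Finding(
            ts=m["ts"],
            src_ip=m["src"],
            bot_id=hit["bot_id"],
            method=hit["method"],
            kind=classify(hit["method"]),
            android_ua=bool(ANDROID_UA_RE.search(m["ua"])),
            bytes_out=int(m["bytes"]),
            redacted_url=m["url"].replace(hit["secret"], "<redacted>"),
        ))
    return findings


def hosts_per_bot(findings: List[Finding]) -> Dict[str, Set[str]]:
    """Group source IPs by bot id: one operator bot usually serves every infected device."""
    out: Dict[str, Set[str]] = {}
    for f in findings:
        out.setdefault(f.bot_id, set()).add(f.src_ip)
    return out


# Constructed sample log: bot IDs, tokens and addresses are made up for this example.
SAMPLE_LOG = """\
2024-09-02T13:01:07Z 10.20.30.41 POST https://api.telegram.org/bot7012345678:AAE0aBcDeFgHiJkLmNoPqRsTuVwXyZ12345/sendMessage 200 512 "okhttp/4.9.0"
2024-09-02T13:01:09Z 10.20.30.41 GET https://api.telegram.org/bot7012345678:AAE0aBcDeFgHiJkLmNoPqRsTuVwXyZ12345/getUpdates?offset=0 200 128 "okhttp/4.9.0"
2024-09-02T13:02:15Z 10.20.30.77 GET https://web.telegram.org/k/ 200 9034 "Mozilla/5.0 (Linux; Android 13)"
2024-09-02T13:03:44Z 10.20.30.90 POST https://api.telegram.org/bot5551234567:BBQ9zYxWvUtSrQpOnMlKjIhGfEdCbA98765/sendDocument 200 40960 "Mozilla/5.0 (Windows NT 10.0) Chrome/120"
"""

if __name__ == "__main__":
    results = hunt(SAMPLE_LOG)
    for f in results:
        print(f"{f.ts} {f.src_ip} bot={f.bot_id} {f.kind:<7} android={f.android_ua} {f.redacted_url}")
    print("source hosts per bot:", hosts_per_bot(results))
```

Grouping on the bot ID rather than on the source host is the point of hosts_per_bot: the ID is stable across the whole campaign, so one confirmed infection turns into a fleet-wide query. Treat a desktop user agent calling sendDocument as a separate finding rather than noise; Telegram bots are a generic exfiltration channel, and the Android filter only ranks which hits to look at first.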
Conclusion
Rocinante’s emergence highlights the ongoing challenges posed by mobile malware, particularly in the banking sector. Because the trojan arrives through phishing sites posing as security updates or banking apps and depends on the victim granting it accessibility privileges, the most effective mitigations are to install apps only from official stores, to treat any “security update” delivered through a link with suspicion, to refuse Accessibility Service access to apps that have no accessibility purpose and periodically review which apps hold it, to keep devices on the latest security patches, and to use reputable mobile security software. As cyber threats continue to evolve, individuals and organizations must remain vigilant and proactive in safeguarding their digital assets.
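Since Rocinante's device takeover depends on an accessibility grant, the list of enabled accessibility services is the single most useful thing to check on a suspect Android device. The script below is an added example for this page, not code from the original post or from any vendor. It parses the raw value printed by adb shell settings get secure enabled_accessibility_services (a colon-separated list of package/ServiceClass component names, possibly in Android's short pkg/.Class form) and reports every enabled service that is not on a local allowlist. The allowlist contents and the sample dump, including the package name com.secure.update, are assumptions constructed for the example.

```python
"""Triage Android Accessibility Service grants from an adb settings dump.

Added example, not from the original page. Feed it the output of:
    adb shell settings get secure enabled_accessibility_services
The allowlist is an assumption; extend it with the MDM, VPN and assistive
tools your fleet legitimately uses.
"""
from typing import List, Set

# Assumed allowlist: the stock TalkBack screen reader only.
ALLOWED_SERVICES: Set[str] = {
    "com.google.android.marvin.talkback/com.google.android.marvin.talkback.TalkBackService",
}


def normalize(component: str) -> str:
    """Expand Android's short component form pkg/.Cls to the full pkg/pkg.Cls."""
    pkg, _, cls = component.partition("/")
    if cls.startswith("."):
        cls = pkg + cls
    return f"{pkg}/{cls}"


def parse_enabled_services(raw: str) -> List[str]:
    """Split the colon-separated setting value into normalized component names."""
    raw = raw.strip()
    if raw in ("", "null"):  # `settings get` prints "null" when the key was never set
        return []
    return [normalize(c) for c in raw.split(":") if c]


def suspicious_services(raw: str, allowed: Set[str] = ALLOWED_SERVICES) -> List[str]:
    """Enabled accessibility services that are not on the allowlist, in dump order."""
    return [c for c in parse_enabled_services(raw) if c not in allowed]


# Constructed sample dump: TalkBack plus a hypothetical sideloaded "update" app.
SAMPLE_DUMP = (
    "com.google.android.marvin.talkback/.TalkBackService:"
    "com.secure.update/.AccService"
)

if __name__ == "__main__":
    for svc in suspicious_services(SAMPLE_DUMP):
        pkg = svc.split("/")[0]
        print(f"UNEXPECTED accessibility service: {svc}")
        print(f"  next: adb shell pm path {pkg}  # pull the APK for analysis")
        print(f"  next: adb shell dumpsys package {pkg} | grep -i installer")
```

An allowlist miss is not proof of infection, but a third-party app that holds accessibility access and was not installed from an official store matches the delivery and takeover pattern described above closely enough to justify pulling the APK before letting the device back on the network.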
References
[1] https://blog.netmanageit.com/the-trojan-horse-that-wanted-to-fly/
[2] https://www.techcool.com/rocinante-trojan-poses-as-banking-apps-to-steal-sensitive-data-from-brazilian-android-users/
[3] https://thehackernews.com/2024/09/rocinante-trojan-poses-as-banking-apps.html