October 16, 2024
Severity
High
Analysis Summary
New variants of TrickMo, an Android banking trojan, have been found to carry a capability not previously reported: capturing the victim's device PIN or unlock pattern. With the unlock secret in hand, the threat actor can unlock and operate the device even while it is locked.
TrickMo was first observed in the wild in 2019 and is named for its ties to the TrickBot cybercrime group. It can remotely control compromised devices, intercept one-time passwords (OTPs) delivered via SMS, and abuse Android's accessibility services to draw overlay screens that harvest credentials.
Last month, researchers described updated variants with improved evasion techniques and a broader set of requested permissions, enabling additional malicious actions on the device, including unauthorized transactions. Some of the newest variants go further and capture the device PIN or unlock pattern by showing the victim a screen that mimics the device's real unlock screen.
The fake unlock screen is an HTML page hosted on an attacker-controlled external site and displayed in full-screen mode so that it is hard to tell apart from the genuine lock screen. When an unsuspecting user enters their PIN or pattern, the captured value is sent, together with a unique device identifier, in an HTTP POST request to a server under the attacker's control, so the operator can match the stolen secret to the specific infected device.
Because the C2 servers were poorly secured, researchers were able to examine the data stored on them. This included files containing more than 13,000 distinct IP addresses, most of them geolocated in Germany, Canada, the United Arab Emirates, and Turkey.
The stolen credentials were not limited to banking; they also included logins for corporate resources such as VPNs and internal websites. This underlines that mobile devices can be a primary entry point for attacks against organizations and must be protected accordingly. TrickMo's targeting is also notably broad: it harvests data from applications across social media, banking, e-commerce, trading, enterprise, employment and recruitment, government, education, telecom, and healthcare.
Impact
- Credential Theft
- Unauthorized Access
- Financial Loss
Indicators of Compromise
Domain Name
- everythingispossible.group
- trustmode.at
- backstage.cn.com
- android.ipgeo.at
- products-receiver.group
MD5
- 4ac484f345acdf8890166cbfeaa83768
- baad1a096943396b872af542377a426e
- b7b3743beb7ed215c61a62a91d63f895
- 091b75faaf12a73636e9ad491a6f42c2
- fb6d1aa2a7a80a2cc6302530f0569585
- 7b0656c11354582efb7a6566b005ecf2
- d68ba68b105b8437bc7e59868ddfcdad
- f7569f29dd3cb5a22eb97b559c69ed35
- 5616c009bc8493140cd44f89bcf6a16b
- 91fcae5c678aecd2e80df371104eda3f
SHA-256
- 11af0da9a7c5f65bb098ed52973e814b12eba492fb3615a5fada5d4cc390928d
- 4bdc30e872b879e2303e2f4ccbc73f0ce5335d9d3b98b165fc2b22fc8c3251e5
- 493b219932c105a9e2a8dd90dbbd0bb8ffc8bab3035c7353f9beba1747ef0d4e
- a8aae68daa34dfaac611da07accca9d32d99242e3ed2b991f90d24e310b9fcff
- edbef1be12821b7bcf37476dbd06e03171926c4c85791540d1e0385cfde53e4b
- acc38e90e868a63795fe8ad44c5820b00f4b7661b5b488d5c29a8cfdc1ffe8db
- 2d70c9887d1c135d5b39739018742dae6423adb55a112a0a08bfcd98a98a862a
- d4d5751f6b6e28f03cad4fafd9e2755af937535f4485d7ea43cd069e97429807
- e81f26ac05a84b7178d029038851a07ac5f8e2c9867471ff96ff5d5526a24bb2
- 9f69f3ae0c08df7d5d3a43a93d2089cafc5c05b65c5b87ea4aedbb2b9052adaf
SHA-1
- dc2e2796fabb883ca0c78248bb9c04ed1011f3a9
- bcf0e09170ccfba516d3e00957de7b460392e6ea
- 0e4562e0e57a45b16c78d09d0a62341f782cb6d0
- 7d997e99623c01f50348cc75be04599e51f7695f
- f4e177a81b8626185b07799455954f11533463a7
- 04def30b89e4ebd1427e5405c0ceeb598556b47e
- b9641529712f8928057b361f5a25dc3c7bd23f75
- 63fc6c25302a1f6e7060018aa88be37074a9d94b
- 33d21c808649a7619d4ea127c09209c431fb9494
- 795801e1b9c19f2a53a7c59e6a4a43cfdc08ac17
URL
- http://chiggers.cn.com/c
- http://starnow.cn.com/c
- http://keepass.ltd/c
- http://letsencryp.at/c
- http://stagepool.cn.com/c
Remediation
- Block all listed threat indicators (domains, C2 URLs, and file hashes) at your respective controls, including mobile device management (MDM) and web/DNS filtering that covers managed Android devices.
- Search for the indicators of compromise (IOCs) in your environment, using proxy and DNS logs for the domains and URLs and endpoint or app-inventory data for the file hashes.
- Audit Android devices for unexpected apps that hold accessibility-service or screen-overlay permissions, which TrickMo abuses to display its overlay and fake unlock screens.
- Ensure that all operating systems (including Android), software, and applications are regularly updated with the latest security patches.
- Conduct regular security awareness training so users can recognize and avoid phishing emails and messages, and understand that a device's unlock prompt never appears inside an app or web page.
- Enable antivirus and anti-malware software, including mobile threat protection on Android devices, and update signature definitions promptly. Multi-layered protection is necessary to secure vulnerable assets.
- Along with network and system hardening, harden the organization's own websites and software; use testing tools to detect vulnerabilities in deployed code.
- Implement network segmentation to limit lateral movement within the network.
- Continuously monitor network traffic and endpoint activity for unusual or suspicious behavior, such as connections to the listed C2 hosts.
- Develop and regularly test an incident response plan to ensure a swift and effective response in case of a security incident.
- Implement SIEM solutions to centralize log collection and analysis. This helps identify patterns of suspicious behavior and provides timely alerts for potential security incidents.
- Regularly back up critical data and ensure that the backup copies are stored securely.
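As an added worked example of the first two remediation steps (this is not code from the advisory or any vendor tool), the script below matches the domains, C2 URLs and file hashes listed in the Indicators of Compromise section against proxy log lines and file contents. The log format ("timestamp client-ip method url") and the sample log lines are constructed for the demonstration; adapt `PROXY_LINE` to your own proxy or DNS log format. Hosts taken from the C2 URLs are treated as indicators in their own right, subdomains of a listed domain are matched, and URL matching ignores the query string, since the exfiltration POST may carry parameters.

```python
"""IOC sweep for the TrickMo indicators in this advisory (added example, not vendor code).

Assumptions: the proxy log format below is constructed for the demo; the file
hashes are a subset of the advisory's MD5/SHA-1/SHA-256 lists.
"""
import hashlib
import re
import sys
from typing import Iterable, List, Optional, Set
from urllib.parse import urlsplit

# Domains and URLs copied from the advisory's Indicators of Compromise.
IOC_DOMAINS = {
    "everythingispossible.group", "trustmode.at", "backstage.cn.com",
    "android.ipgeo.at", "products-receiver.group",
}
IOC_URLS = {
    "http://chiggers.cn.com/c", "http://starnow.cn.com/c", "http://keepass.ltd/c",
    "http://letsencryp.at/c", "http://stagepool.cn.com/c",
}
# The hosts behind the C2 URLs are worth blocking as well, not only the full URLs.
IOC_HOSTS = IOC_DOMAINS | {urlsplit(u).hostname for u in IOC_URLS}
# Subset of the advisory's file hashes (one MD5, one SHA-1, one SHA-256), lower-case.
IOC_HASHES = {
    "4ac484f345acdf8890166cbfeaa83768",
    "dc2e2796fabb883ca0c78248bb9c04ed1011f3a9",
    "11af0da9a7c5f65bb098ed52973e814b12eba492fb3615a5fada5d4cc390928d",
}


def normalize_host(host: str) -> str:
    """Lower-case and strip a trailing dot so 'TRUSTMODE.AT.' compares equal."""
    return host.strip().rstrip(".").lower()


def host_matches(host: str, hosts: Set[str] = IOC_HOSTS) -> Optional[str]:
    """Return the IOC host that `host` equals or is a subdomain of, else None."""
    host = normalize_host(host)
    for ioc in hosts:
        if host == ioc or host.endswith("." + ioc):
            return ioc
    return None


def url_matches(url: str, urls: Set[str] = IOC_URLS) -> Optional[str]:
    """Match on scheme, host and path only; query/fragment and a trailing '/' are ignored."""
    p = urlsplit(url.strip())
    key = (p.scheme.lower(), normalize_host(p.hostname or ""), p.path.rstrip("/"))
    for ioc in urls:
        q = urlsplit(ioc)
        if key == (q.scheme, q.hostname, q.path.rstrip("/")):
            return ioc
    return None


# Constructed log format for the demo: "<timestamp> <client-ip> <method> <url>".
PROXY_LINE = re.compile(r"^(?P<ts>\S+)\s+(?P<client>\S+)\s+(?P<method>[A-Z]+)\s+(?P<url>\S+)")


def scan_proxy_log(lines: Iterable[str]) -> List[dict]:
    """Flag requests whose full URL, host, or parent domain is a listed indicator."""
    hits = []
    for line in lines:
        m = PROXY_LINE.match(line)
        if not m:
            continue  # not a log line in the assumed format
        url = m["url"]
        ioc = url_matches(url) or host_matches(urlsplit(url).hostname or "")
        if ioc:
            hits.append({"ts": m["ts"], "client": m["client"],
                         "method": m["method"], "url": url, "ioc": ioc})
    return hits


def hashes_of_bytes(data: bytes) -> Set[str]:
    """MD5, SHA-1 and SHA-256 of `data`, so any of the advisory's hash lists can match."""
    return {h(data).hexdigest() for h in (hashlib.md5, hashlib.sha1, hashlib.sha256)}


def matching_hashes(data: bytes, ioc_hashes: Set[str] = IOC_HASHES) -> Set[str]:
    """Indicator hashes that `data` matches (comparison is case-insensitive)."""
    return hashes_of_bytes(data) & {h.lower() for h in ioc_hashes}


def scan_files(paths: Iterable[str], ioc_hashes: Set[str] = IOC_HASHES) -> List[str]:
    """Return the paths (e.g. collected APKs) whose content matches an indicator hash."""
    flagged = []
    for path in paths:
        with open(path, "rb") as f:
            if matching_hashes(f.read(), ioc_hashes):
                flagged.append(path)
    return flagged


# Constructed sample: two true positives, one look-alike domain, one benign path.
SAMPLE_PROXY_LOG = [
    "2024-10-16T10:21:05Z 10.0.0.12 GET http://letsencryp.at/c",
    "2024-10-16T10:21:09Z 10.0.0.12 POST http://api.trustmode.at/collect",
    "2024-10-16T10:21:11Z 10.0.0.33 GET https://letsencrypt.org/",
    "2024-10-16T10:21:14Z 10.0.0.33 GET http://example.com/c",
]

if __name__ == "__main__":
    for hit in scan_proxy_log(SAMPLE_PROXY_LOG):
        print(f"{hit['ts']} {hit['client']} {hit['method']} {hit['url']} -> IOC {hit['ioc']}")
    for path in scan_files(sys.argv[1:]):  # optional: files to hash-check
        print(f"{path} -> matches TrickMo file hash")
```

Run with no arguments to see the two hits from the constructed log (the `letsencrypt.org` look-alike and the unrelated `/c` path are correctly ignored), or pass APK paths to check them against the hash list. Note that `host_matches` only treats a host as an indicator when it equals a listed domain or ends in a dot plus that domain, which avoids false positives on names that merely contain the indicator string.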