VMX Labs detected 5 active Command & Control (C2) server login panels in Poland, Italy, and Brazil that specialized in overlay attacks (manual and automatic) against Android users, especially in Brazil and Italy.
This (claimed) new Android banking trojan (ABT) is marketed as AzraelBot.
One of the servers we found uses the leaked injects from the Hook ABT. This was foreseen and, unfortunately, lowered the entry barrier to the Android banking malware scene.
Manual overlay attacks mainly target Italy and Brazil. Generic injections used for Italy are as below:
Manual overlay attacks on Brazilian banks are more sophisticated and customized.
C2 IOC List

| Indicator | Type |
| --- | --- |
| 200.98.200.130 | Panel IP address |
| 200.98.200.107 | Panel IP address |
| 179.43.148.2 | Panel IP address |
| 185.241.208.123 | Panel IP address |
| 45.83.31.225 | Panel IP address |
| azzzzzzzzzz000000bro.com | C2 domain |
| googleoverdroid.com | C2 domain |
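To put the list above to use, here is an added example (not VMX Labs code) that checks constructed proxy log lines against the listed C2 IPs and domains, matching subdomains and host:port forms while rejecting lookalike hosts; the log format and sample lines are assumptions.

```python
from typing import Optional
from urllib.parse import urlsplit

# Indicators taken from the C2 IOC list above.
C2_IPS = {
    "200.98.200.130", "200.98.200.107", "179.43.148.2",
    "185.241.208.123", "45.83.31.225",
}
C2_DOMAINS = {"azzzzzzzzzz000000bro.com", "googleoverdroid.com"}

# Constructed proxy log lines (assumed format: timestamp client_ip url).
SAMPLE_LOG = """\
2024-01-01T10:00:01Z 10.0.0.5 https://www.example.com/index.html
2024-01-01T10:00:02Z 10.0.0.7 http://200.98.200.130:8080/login
2024-01-01T10:00:03Z 10.0.0.9 https://panel.GoogleOverDroid.com/api/bot
2024-01-01T10:00:04Z 10.0.0.9 https://googleoverdroid.com.example.org/
2024-01-01T10:00:05Z 10.0.0.3 https://45.83.31.225/
"""


def extract_host(url: str) -> str:
    """Return the lowercase hostname of a URL, with any port dropped."""
    return (urlsplit(url).hostname or "").lower()


def matches_ioc(host: str) -> Optional[str]:
    """Return the matching indicator, or None.

    Domains match exactly or as a parent of the host
    (panel.googleoverdroid.com); a lookalike such as
    googleoverdroid.com.example.org does not match.
    """
    if host in C2_IPS:
        return host
    for dom in C2_DOMAINS:
        if host == dom or host.endswith("." + dom):
            return dom
    return None


def scan_log(text: str) -> list:
    """Return (timestamp, client_ip, indicator) for every matching line."""
    hits = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 3:
            continue  # skip malformed lines rather than crash
        ts, client, url = parts
        ioc = matches_ioc(extract_host(url))
        if ioc:
            hits.append((ts, client, ioc))
    return hits
```

Running `scan_log(SAMPLE_LOG)` flags the three lines that reach a listed IP or domain and ignores the lookalike host.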
Note: Special thanks to the security researcher, whose earlier findings have greatly contributed to this ongoing research.