Threat actors used vishing in campaigns to deploy malware

October 19, 2022

Threat actors have used voice phishing (vishing) in a campaign to deceive victims into installing malware on the targeted devices.

A security research firm stated that it had found a network of phishing sites targeting Italian online-banking users. The adversaries use these sites to harvest contact details from their victims.

The technique is called telephone-oriented attack delivery (TOAD), a social engineering tactic in which the attackers phone their targets using the contact information previously gathered through the malicious websites.

Based on reports, the caller impersonates a support agent from a legitimate bank. The attacker then instructs the target to install a "security app" and grant it the permissions it requests. That app is in fact malicious software the actors have specially crafted to obtain remote access to the victim's device or to conduct financial fraud from it.


Once the vishing tactic is successfully executed, the threat actors deploy the Copybara malware.


The vishing tactic can lead to the deployment of a mobile trojan called Copybara. This malware was first identified in November last year and is commonly used by actors to perform on-device fraud through overlay attacks against Italian users.

Researchers compare the Copybara RAT's capabilities to those of other Android-based malware: like them, its operators can only make full use of its features once it has abused the OS' accessibility services API. With that access, the malware can collect critical data and may uninstall the downloader app to avoid being traced by threat analysts.

Furthermore, researchers have observed the same infrastructure delivering a second malware called 'SMS Spy.' This additional payload gives the attackers access to incoming SMS messages, which can lead to the interception of one-time passcodes (OTPs) sent by banks.

This new set of hybrid fraud attacks shows new ways for scammers to deploy their malware. Currently, the most common vectors for deploying such malware are rogue ads, smishing attacks, and Google Play Store droppers.

Other researchers have reported already encountering the TOAD strategy being used to deliver banking malware. Last month, an identical attack against an Indian bank was initiated by a separate group of hackers to install information-stealing malware that spoofs a credit card rewards app.
