The attackers behind the BlackRock and ERMAC banking trojans are offering another malware family for rent, named Hook. It is an ERMAC fork with additional capabilities to access saved files and create a remote interactive session on the infected device.

Hook: The new combo threat

According to ThreatFabric, the Hook malware claims to feature all of the banking-trojan capabilities of its predecessor, along with several additional features.
  • It comes with a RAT feature that enables complete device takeover.
  • It supports every step of a full fraud chain, from PII exfiltration through the intermediate steps to the fraudulent transaction.
  • It is developed by the DukeEugene threat group and represents the evolution of ERMAC, which was first spotted in September 2021.

Most of the targeted financial apps are based in the U.S., Australia, Poland, Turkey, Canada, the U.K., Spain, Italy, Portugal, and France.

Malware capabilities

Hook abuses Android's accessibility services APIs to perform overlay attacks and harvest sensitive details such as call logs, contacts, keystrokes, WhatsApp messages, and 2FA tokens.
  • It comes with an expanded list of targeted banking apps, including ABN AMRO and Barclays, and the malicious samples pose as the Google Chrome web browser to trick users into installing the malware.
  • The malware lets its operators remotely view and interact with the screen, obtain files, extract seed phrases from crypto wallets, and track the device's location, making it a combination of spyware and banking malware.
  • So far, the Hook artifacts are thought to be in a testing phase. However, the malware could spread through phishing campaigns, Google Play Store dropper apps, or Telegram channels.

Conclusion

Hook is the latest variant of the ERMAC family and comes with many additional capabilities beyond those of typical banking malware. It can carry out a full attack chain, from infection to fraudulent transactions. Experts believe that once it is fully developed, it may rise to new heights among the banking malware families available for rent.
Cyware Publisher