Since the beginning of the year, an increase in SpyNote activity has been observed. Although the spyware is usually used to collect user data or conduct espionage campaigns, it is now being used to commit bank fraud against European banking customers. During June and July, the Cleafy Threat Intelligence Team observed an extensive campaign targeting those customers.

Modus operandi

According to researchers, the attack starts with a smishing campaign: victims receive a fake SMS message urging them to install a new "certified" banking app.
  • The recipient is then directed to install the legitimate TeamViewer remote-support app. The attackers use it to gain remote access to the victim's device and deploy the SpyNote malware themselves.
  • The spyware abuses the Accessibility service and the other permissions granted during installation to steal user data.

Capabilities

  • SpyNote can collect SMS messages and contact lists, log keystrokes, track GPS location, and capture screenshots.
  • It can intercept 2FA codes and forward them to the attackers' C2 server.
  • To evade detection, it uses code obfuscation, anti-emulator checks, and junk code that slows static analysis.
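The two things a SpyNote-style banker needs from a device are an enabled Accessibility service (to read and act on the screen) and SMS access (to grab the 2FA codes described above). The script below is an added triage example, not code from the Cleafy report or this article: it parses the text output of three standard adb commands and flags sideloaded apps that hold both capabilities. The adb output embedded here is constructed for illustration, and the package name com.bank.update is a hypothetical sideloaded app, not a real indicator.

```python
"""Flag apps that combine an enabled Accessibility service with SMS access.

Added example (not from Cleafy or Cyware). Parses the output of:
  adb shell settings get secure enabled_accessibility_services
  adb shell pm list packages -3 -i
  adb shell dumpsys package <pkg>
The sample strings below are constructed, not real device dumps.
"""
import re

SMS_PERMS = {"android.permission.READ_SMS", "android.permission.RECEIVE_SMS"}

# Constructed sample: enabled accessibility services, 'pkg/.Service' joined by ':'.
ENABLED_A11Y = "com.android.talkback/.TalkBackService:com.bank.update/.RemoteService"

# Constructed sample: third-party packages with their installer (null = sideloaded).
INSTALLERS = """package:com.bank.update  installer=null
package:com.teamviewer.quicksupport.market  installer=com.android.vending
package:com.example.sms  installer=com.android.vending
package:com.example.notes  installer=com.android.vending
"""

# Constructed sample: the permission section of `dumpsys package <pkg>` per package.
DUMPSYS = {
    "com.bank.update": """
      runtime permissions:
        android.permission.READ_SMS: granted=true
        android.permission.RECEIVE_SMS: granted=true
        android.permission.ACCESS_FINE_LOCATION: granted=true
""",
    "com.example.sms": """
      runtime permissions:
        android.permission.READ_SMS: granted=true
""",
    "com.teamviewer.quicksupport.market": "",
    "com.example.notes": "",
}


def parse_enabled_services(raw):
    """Package names of every enabled accessibility service ('null' -> none)."""
    return {e.split("/", 1)[0] for e in raw.strip().split(":") if "/" in e}


def parse_installers(raw):
    """Map package -> installing package, or None when sideloaded."""
    installers = {}
    for pkg, inst in re.findall(r"package:(\S+)\s+installer=(\S+)", raw):
        installers[pkg] = None if inst == "null" else inst
    return installers


def granted_runtime_permissions(dump):
    """Runtime permissions the user actually granted, from dumpsys text."""
    return set(re.findall(r"(android\.permission\.\w+): granted=true", dump))


def triage(enabled_raw, installers_raw, dumps):
    """Return findings sorted by severity; apps with no indicator are skipped."""
    enabled = parse_enabled_services(enabled_raw)
    findings = []
    for pkg, installer in parse_installers(installers_raw).items():
        a11y = pkg in enabled
        sms = bool(granted_runtime_permissions(dumps.get(pkg, "")) & SMS_PERMS)
        sideloaded = installer is None
        if a11y and sms:
            # Screen control plus SMS access is the SpyNote combination;
            # a sideloaded origin matches the smishing delivery path.
            severity = "HIGH" if sideloaded else "MEDIUM"
        elif a11y or sms:
            severity = "LOW"
        else:
            continue
        indicators = [n for n, hit in (("accessibility-enabled", a11y),
                                       ("sms-granted", sms),
                                       ("sideloaded", sideloaded)) if hit]
        findings.append({"package": pkg, "severity": severity,
                         "indicators": indicators})
    order = {"HIGH": 0, "MEDIUM": 1, "LOW": 2}
    return sorted(findings, key=lambda f: order[f["severity"]])


if __name__ == "__main__":
    for f in triage(ENABLED_A11Y, INSTALLERS, DUMPSYS):
        print(f"{f['severity']:6} {f['package']}  {', '.join(f['indicators'])}")
```

On a real handset, pipe the three adb outputs into the parsers instead of the constructed samples; legitimate accessibility apps (screen readers, remote-support tools such as TeamViewer QuickSupport) will show up at LOW or MEDIUM, so the HIGH tier, not the mere presence of an accessibility service, is what warrants a closer look.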

Spyware campaigns have become aggressive

Recently, the Winnti group was linked to a cyberespionage campaign that dropped the WyrmSpy and DragonEgg spyware on Android devices.
  • Pradeo researchers uncovered two spyware apps on the Google Play Store, "File Recovery and Data Recovery" and "File Manager", with roughly 1.5 million installs between them. The apps silently collect data such as the OS version, device brand and model, network provider, the SIM provider's network code, country code, and the user's real-time location.
  • An updated version of the GravityRAT Android spyware, distributed inside the trojanized BingeChat and Chatico messaging apps, was observed exfiltrating WhatsApp backup files and accepting commands to delete files from the device.

Ending note

Given the nature of the recent campaign, Cleafy concludes that threat actors will likely keep exploiting SpyNote's many functions to commit more bank fraud. Financial institutions should watch for this pattern (a phishing lure that ends with a remote-access tool and an unfamiliar app holding Accessibility and SMS permissions), and users should treat any SMS asking them to install an app outside the official store as suspect.
Cyware Publisher
