Rocinante Trojan Poses as Banking Apps to Steal Sensitive Data from Brazilian Android Users

Cyber Security

Mobile users in Brazil are the target of a new malware campaign that delivers a new Android banking trojan named Rocinante.

“This malware family is capable of performing keylogging using the Accessibility Service, and is also able to steal PII from its victims using phishing screens posing as different banks,” Dutch security company ThreatFabric said.

“Finally, it can use all this exfiltrated information to perform device takeover (DTO) of the device, by leveraging the accessibility service privileges to achieve full remote access on the infected device.”

Some of the prominent targets of the malware include financial institutions such as Itaú Shop, Santander, with the phony apps masquerading as Bradesco Prime and Correios Celular, among others –

  • Livelo Pontos (com.resgatelivelo.cash)
  • Correios Recarga (com.correiosrecarga.android)
  • Bratesco Prine (com.resgatelivelo.cash)
  • Módulo de Segurança (com.viberotion1414.app)

Source code analysis of the malware has revealed that Rocinante is being internally called by the operators as Pegasus (or PegasusSpy). It’s worth noting that the name Pegasus has no connections to a cross-platform spyware developed by commercial surveillance vendor NSO Group.

That said, Pegasus is assessed to be the work of a threat actor dubbed DukeEugene, who is also known for similar malware strains such as ERMAC, BlackRock, Hook, and Loot, per a recent analysis by Silent Push.

ThreatFabric said it identified parts of the Rocinante malware that are directly influenced by early iterations of ERMAC, although it’s believed that the leak of ERMAC’s source code in 2023 may have played a role.

“This is the first case in which an original malware family took the code from the leak and implemented just some part of it in their code,” it pointed out. “It is also possible that these two versions are separate forks of the same initial project.”

Rocinante is mainly distributed via phishing sites that aim to trick unsuspecting users into installing the counterfeit dropper apps that, once installed, requests for accessibility service privileges to record all activities on the infected device, intercept SMS messages, and serve phishing login pages.

It also establishes contact with a command-and-control (C2) server to await further instructions – simulating touch and swipe events – to be executed remotely. The harvested personal information is exfiltrated to a Telegram bot.

“The bot extracts the useful PII obtained using the bogus login pages posing as the target banks. It then publishes this information, formatted, into a chat that criminals have access to,” ThreatFabric noted.

“The information slightly changes based on which fake login page was used to obtain it, and includes device information such as model and telephone number, CPF number, password, or account number.”

The development comes as Symantec highlighted another banking trojan malware campaign that exploits the secureserver[.]net domain to target Spanish and Portuguese-speaking regions.

“The multistage attack begins with malicious URLs leading to an archive containing an obfuscated .hta file,” the Broadcom-owned company said.

“This file leads to a JavaScript payload that performs multiple AntiVM and AntiAV checks before downloading the final AutoIT payload. This payload is loaded using process injection with the goal of stealing banking information and credentials from the victim’s system and exfiltrating them to a C2 server.”

It also follows the emergence of a new “extensionware-as-a-service” that’s advertised for sale through a new version of the Genesis Market, which was shuttered by law enforcement in early 2023, and designed to steal sensitive information from users in the Latin American (LATAM) region using malicious web browser extensions propagated on the Chrome Web Store.

The activity, active since mid-2023 and targeting Mexico and other LATAM nations, has been attributed to an e-crime group named Cybercartel, which offers these types of services to other cybercriminal crews. The extensions are no longer available for download.

“The malicious Google Chrome extension disguises itself as a legitimate application, tricking users into installing it from compromised websites or phishing campaigns,” security researchers Ramses Vazquez of Karla Gomez of the Metabase Q Ocelot Threat Intelligence Team said.

“Once the extension is installed, it injects JavaScript code into the web pages that the user visits. This code can intercept and manipulate the content of the pages, as well as capture sensitive data such as login credentials, credit card information, and other user input, depending on the specific campaign and the type of information being targeted.”

Found this article interesting? Follow us on Twitter and LinkedIn to read more exclusive content we post.