Severity
High
Analysis Summary
A new and sophisticated Android malware, named FjordPhantom, has been disclosed by cybersecurity researchers. The malware targets users in Southeast Asian countries, including Indonesia, Thailand, and Vietnam, and has been active since early September 2023. Oslo-based mobile app security firm Promon conducted an analysis revealing that FjordPhantom primarily spreads through messaging services, employing a combination of app-based malware and social engineering to defraud banking customers.
The malware is propagated via email, SMS, and messaging apps, tricking recipients into downloading a purported banking app that appears legitimate but contains rogue components. Once installed, victims are subjected to a social engineering technique similar to telephone-oriented attack delivery (TOAD). This involves calling a bogus call center to receive step-by-step instructions for using the app.
FjordPhantom stands out from other banking trojans because it uses virtualization to run malicious code in a container, bypassing Android's sandbox protections. The virtualization method allows different apps to run in the same sandbox, so the malware can access sensitive data without requiring root access. The malware downloads a host app that includes a malicious module and the virtualization component. This virtual container is then used to install and launch the embedded app of the targeted bank, allowing FjordPhantom to read sensitive information from the application's screen programmatically.
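The defensive counterpart to the container technique described above is for the banking app to notice that it is not running as a normal install. The following Android self-check is an added example, not Promon's code nor anything recovered from FjordPhantom; the class name `VirtualContainerCheck` is hypothetical, and each check is a heuristic based on the fact that a virtualized guest runs under the host app's UID, process and data directory.

```java
import android.app.Application;
import android.content.Context;
import android.content.pm.ApplicationInfo;
import android.content.pm.PackageManager;
import android.os.Build;
import android.os.Process;
import java.util.ArrayList;
import java.util.List;

/** Hypothetical startup self-check: does this app run as a normal install, or
 *  as a guest inside another app's virtual container? Heuristic only. */
public final class VirtualContainerCheck {

    /** Returns human-readable findings; an empty list means no indicator fired. */
    public static List<String> findings(Context ctx) {
        List<String> out = new ArrayList<>();
        String pkg = ctx.getPackageName();
        ApplicationInfo ai = ctx.getApplicationInfo();

        // 1. A normal install owns /data/data/<pkg> (or /data/user/<n>/<pkg>).
        //    A virtualized guest gets a directory beneath the host app's data dir.
        String dataDir = ai.dataDir == null ? "" : ai.dataDir;
        if (!dataDir.endsWith("/" + pkg)) {
            out.add("data directory not owned by this package: " + dataDir);
        }

        // 2. The process should be named after our package; in a container it
        //    is one of the host app's processes.
        if (Build.VERSION.SDK_INT >= Build.VERSION_CODES.P) {
            String proc = Application.getProcessName();
            if (proc != null && !proc.startsWith(pkg)) {
                out.add("running inside a foreign process: " + proc);
            }
        }

        // 3. The kernel UID of this process should equal the UID recorded at
        //    install time. A guest runs under the host's UID, and is often not
        //    installed at all, which surfaces as NameNotFoundException.
        try {
            int installedUid = ctx.getPackageManager().getApplicationInfo(pkg, 0).uid;
            if (installedUid != Process.myUid()) {
                out.add("process UID " + Process.myUid() + " != installed UID " + installedUid);
            }
        } catch (PackageManager.NameNotFoundException e) {
            out.add("package is not installed on this device: " + pkg);
        }
        return out;
    }
}
```

A container that hooks these framework calls can lie about all three, so treat a hit as a reason to refuse sensitive operations and report the device to server-side risk scoring rather than as proof either way.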
Google Play Protect, according to a Google spokesperson, offers protection to users by warning or blocking apps exhibiting malicious behavior on Android devices, even if sourced from outside Google Play. FjordPhantom is modular, adapting its attacks based on the embedded banking app, enabling it to target various banking applications. The malware’s stealthy techniques highlight the ongoing challenges in Android security and the need for robust protection measures against evolving threats.
Impact
- Security Bypass
- Unauthorized Access
- Sensitive Information Theft
Remediation
- Ensure that all systems, software, and applications are up-to-date with the latest security patches. Regularly check for and apply updates to eliminate known vulnerabilities that attackers could exploit.
- Educate employees about phishing emails, social engineering tactics, and safe online behavior. Effective training can reduce the likelihood of users inadvertently initiating an attack.
- Regularly back up critical data and systems to offline or isolated storage. Test the backup restoration process to ensure that it is effective in case of an attack.
- Deploy strong endpoint protection solutions that include advanced threat detection, behavior monitoring, and real-time protection against malware and ransomware.
- Employ robust email filtering and anti-phishing solutions to detect and prevent malicious attachments and links from reaching user inboxes.
- Conduct regular penetration testing and security assessments to identify vulnerabilities and weaknesses in your network and systems. Address any findings promptly.
- Thoroughly assess third-party vendors and software before integrating them into your environment. Ensure they have strong security practices and adhere to cybersecurity standards.