‘Vultur’ Android Malware Gets Extensive Device Interaction Capabilities

April 1, 2024 at 12:30PM

The Android banking malware Vultur has been updated, giving its operators greater control over infected devices. New capabilities include remote interaction, file modification, and the ability to bypass lock-screen protections. The malware continues to rely on AlphaVNC and ngrok for remote access, while employing anti-analysis techniques and evading detection.

From the meeting notes, here are the key takeaways:

1. Update on Vultur Android Banking Malware:
– New capabilities include remote device control, file modification, preventing application execution, displaying custom notifications, bypassing lock-screen protections, and more.
– Continues to rely on AlphaVNC and ngrok for remote access.

2. Updated Anti-analysis and Evasion Techniques:
– Spreads malicious code over multiple payloads, modifies legitimate applications, uses native code for payload decryption, and relies on AES encryption for C&C communication.

3. Infection Chain:
– Infection starts with an SMS message instructing the victim to call a phone number, followed by a second SMS message containing a link to a modified McAfee Security package.

4. Deployment:
– Brunhilda deploys Vultur via three payloads, each designed to invoke the others’ functionality.

5. Remote Interaction and Commands:
– Seven new C&C methods for performing clicks, scrolls, swipe gestures, and more.
– 41 new commands related to Firebase Cloud Messaging (FCM), eliminating the need for an ongoing connection with the device.

6. Additional Functionality:
– Prevents user interaction with applications defined in a list provided by the attacker.

These takeaways provide a comprehensive overview of the updated capabilities, deployment methods, and remote interaction features of the Vultur Android banking malware.