The trojan horse that wanted to fly
Sept. 2, 2024, 4:40 p.m.
Description
Rocinante is a new strain of Android mobile malware originating from Brazil that is capable of keylogging, stealing PII through phishing screens, and performing device takeover. It targets Brazilian banking institutions and uses a combination of Firebase messaging, plain HTTP traffic, WebSocket, and the Telegram API for command-and-control communication. The malware is distributed via phishing websites posing as security updates or banking apps. Its feature set covers keylogging, phishing overlays, data exfiltration, and remote actions on the infected device. The code shows influence from Ermac/Hook, indicating a shift in the interests of LATAM cybercriminals. Rocinante poses a significant risk to banking customers, potentially leading to unauthorized transfers and account draining.
Tags
Date
- Created: Sept. 2, 2024, 4:18 p.m.
- Published: Sept. 2, 2024, 4:18 p.m.
- Modified: Sept. 2, 2024, 4:40 p.m.
Indicators
- a4886346e8bcfd20f6b5131f2440004675cf851fa86fef7594f8096f63eb6a38
- a39a3acc18c84624489d91d25c4517097f18bf4cc3bb8282aa2689bcfd860b0f
- 64ec090ea5e22648e46651b12569107f94b10c1e8e4635ef42716aaec28fd6bd
- 23c51ed174a6014b3207b41a82c2aee0eea16df8fa1cd14c2864fb3307215070
Attack Patterns
- Rocinante
Additional Information
- Finance
- Brazil