Marcher is an Android banking Trojan, first detected in 2013, that continually evolves to stay active. The longevity and evolution of this malware are not surprising, given that mobile banking malware is the quickest and easiest way to grab money from victims. In fact, the mobile banking malware market is so hot that it grew 400% in 2016, and 81% of that malware targeted Android phones.[1] That growth is somewhat expected since Android, with over 24,000 implementations, is the most popular smartphone operating system.[2] That is a huge number of devices to test and secure, made more difficult by the fact that most Android phones are behind on critical patches and thus more vulnerable to attack.[3] As with any malware campaign, attackers must continually evolve to evade detection of their C&C servers and keep the cash flowing.

Marcher inspects its infected devices carefully by using a dedicated, hard-coded configuration in each Android Package Kit (APK), Google's file format for distributing and installing application software (like mobile banking apps) on the Android OS. Each APK has the ability to target different financial institutions in specific geographical locations.

F5 research conducted in March 2017 followed 153 Marcher configuration files to uncover target and activity trends in the worldwide attack campaigns. Among the 153 configuration files, 54 distinct command and control (C&C) servers were detected. Of the 54 distinct C&C servers, 12 were online and operational (until F5 had them shut down in March), 10 were sink-holed, and 32 were already offline. The remaining 99 C&C servers were duplicated configurations from different APKs.

Campaigns and Targets

Figure 3: Marcher-targeted countries, March 2017

The common pattern in the latest configurations was distinct, repeated subfolders in the C&C details, such as 012, THREEHADFOUND, or jadafire. This is likely because configuration files are hard-coded within the APK and old spam campaigns keep infecting new users, so old configurations are still detected in the wild. We classified the current online campaigns by these subfolder identifiers as follows:

- 012 campaigns spanned different geolocations in one campaign, targeting Germany, Poland, Austria, and Australia.
- jadafire campaigns target Austrian and German banks, as well as social network apps globally.
- MANUNIT campaigns target German banks specifically.
- balls51 campaigns target banks in Austria, Germany, Argentina, UK, Colombia, Peru, and Mexico.
- THREEHADFOUND campaigns target German banks specifically.
- MUCHTHENWERESTO campaigns target German and Czech Republic banks.
- moon campaigns target Australian banks specifically.
- TRUELESSCARBLAC campaigns target German and Austrian banks.
- angelkelly campaigns target banks in the UK, Germany, and France.
- QUESTIONROADFAR campaigns target French banks as well as social network apps globally.

While monitoring Marcher activity in March, F5 researchers shut down 12 malicious C&C servers that were detected. In the following table, we've listed the 54 distinct C&C servers detected, 63% of which were using HTTPS.

Hxxps://soldatenccarmygoldenshower.at/jadafire/ – Offline – shut down in March 2017 by F5 researchers
Hxxps://soldatenccarmythegaynation.at/jadafire/ – Offline – shut down in March 2017 by F5 researchers
Hxxps://soldatenccarmytriptheleader.at/jadafire/ – Offline – shut down in March 2017 by F5 researchers
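The campaign grouping described above (clustering C&C entries by the subfolder that tags each campaign, and measuring the HTTPS share of the server list) is easy to reproduce over a defanged indicator list. The script below is an added example, not F5's tooling or any code from the original article. It assumes input rows of the form (defanged URL, status); the three jadafire rows are the ones the page shows, while the `example.invalid` hosts are constructed placeholders, not real indicators. The campaign-to-target table is copied from the campaign list on the page.

```python
"""Group Marcher C&C entries by the campaign subfolder in the URL path.

Added example (not F5's code). Input: (defanged URL, status) tuples.
"""
import re
from collections import defaultdict
from urllib.parse import urlsplit

# Campaign subfolder -> targeted regions, transcribed from the campaign list above.
CAMPAIGN_TARGETS = {
    "012": "Germany, Poland, Austria, Australia",
    "jadafire": "Austria, Germany, and social network apps globally",
    "MANUNIT": "Germany",
    "balls51": "Austria, Germany, Argentina, UK, Colombia, Peru, Mexico",
    "THREEHADFOUND": "Germany",
    "MUCHTHENWERESTO": "Germany, Czech Republic",
    "moon": "Australia",
    "TRUELESSCARBLAC": "Germany, Austria",
    "angelkelly": "UK, Germany, France",
    "QUESTIONROADFAR": "France, and social network apps globally",
}

SAMPLE_ENTRIES = [
    # The three jadafire rows shown on the page (defanged; offline since March 2017).
    ("Hxxps://soldatenccarmygoldenshower.at/jadafire/", "offline"),
    ("Hxxps://soldatenccarmythegaynation.at/jadafire/", "offline"),
    ("Hxxps://soldatenccarmytriptheleader.at/jadafire/", "offline"),
    # Constructed placeholder rows (not real indicators) to exercise grouping.
    ("hxxp://cnc-one[.]example[.]invalid/012/", "sinkholed"),
    ("hxxps://cnc-two[.]example[.]invalid/012/", "online"),
    ("hxxp://cnc-three[.]example[.]invalid/THREEHADFOUND/", "offline"),
]

_DEFANGED_SCHEME = re.compile(r"^hxxp(s?)://", re.IGNORECASE)


def refang(url: str) -> str:
    """Undo common defanging (hxxp -> http, [.] -> .) so urlsplit can parse the URL."""
    url = _DEFANGED_SCHEME.sub(lambda m: "http" + m.group(1).lower() + "://", url.strip())
    return url.replace("[.]", ".")


def campaign_id(url: str):
    """Return the first path segment, which Marcher configurations used as a campaign tag."""
    segments = [s for s in urlsplit(refang(url)).path.split("/") if s]
    return segments[0] if segments else None


def host_of(url: str):
    """Hostname of a (possibly defanged) C&C URL, lower-cased by urlsplit."""
    return urlsplit(refang(url)).hostname


def group_by_campaign(entries):
    """Map campaign tag -> list of (host, status); entries without a subfolder go to one bucket."""
    groups = defaultdict(list)
    for url, status in entries:
        groups[campaign_id(url) or "(no subfolder)"].append((host_of(url), status))
    return dict(groups)


def https_share(entries) -> float:
    """Fraction of entries whose scheme is HTTPS (the page reports 63% for the full list)."""
    if not entries:
        return 0.0
    return sum(1 for url, _ in entries if urlsplit(refang(url)).scheme == "https") / len(entries)


def report(entries) -> str:
    """Human-readable summary: one line per campaign tag, then each host with its status."""
    lines = []
    for tag, hosts in sorted(group_by_campaign(entries).items()):
        lines.append(f"{tag}: {len(hosts)} server(s); targets: "
                     f"{CAMPAIGN_TARGETS.get(tag, 'unknown campaign tag')}")
        lines.extend(f"  {host} [{status}]" for host, status in hosts)
    lines.append(f"HTTPS share: {https_share(entries):.0%}")
    return "\n".join(lines)


if __name__ == "__main__":
    print(report(SAMPLE_ENTRIES))
```

Keeping indicators defanged on disk and refanging only in memory avoids accidental clicks or link previews; the campaign tag is taken as the first path segment because that is where the repeated subfolders (012, THREEHADFOUND, jadafire) sit in the C&C details described above.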