Cybersecurity researchers on Monday warned of a Trojan malware campaign that is targeting India’s co-operative banks using COVID-19 as bait. Separately, the Indian Computer Emergency Response Team (CERT-In) has issued an advisory warning about a Trojan called EventBot, which can affect Android smartphone users in the country and steal their personal financial information.
Seqrite, the enterprise arm of IT security firm Quick Heal Technologies, detected the new wave of the Adwind Java Remote Access Trojan (RAT) campaign. Researchers at Seqrite warned that if the attackers succeed, they can take over the victim’s device to steal sensitive data such as SWIFT logins and customer details, then move laterally to launch large-scale cyberattacks and financial frauds.
How does the attack work?
The Java RAT campaign starts with a spear-phishing email that claims to come from either the Reserve Bank of India or a nationalized bank. The email refers to COVID-19 guidelines or a financial transaction and points to an attachment for details; the attachment is a zip file containing JAR-based malware.
Seqrite found that the JAR-based malware is a Remote Access Trojan that can run on any machine with a Java runtime installed, so it can affect a variety of endpoints irrespective of their operating system.
Once the RAT is installed, the attacker can take over the victim’s device, send commands from a remote machine, and spread laterally in the network. The malware can also log keystrokes, capture screenshots, download additional payloads, and extract sensitive user information, Seqrite said. Such campaigns can effectively jeopardize the privacy and security of sensitive data at co-operative banks and lead to large-scale attacks and financial frauds, it added.
To prevent such attacks, users need to exercise caution and avoid opening attachments or clicking web links in unsolicited emails.
A Trojan is a type of malware attached to what appears to be a legitimate program. EventBot is a banking Trojan (or “banker”) that specifically targets the financial apps on the phone and the financial data of its victim.
The CERT-In advisory said that EventBot is a ‘mobile-banking Trojan and info-stealer that abuses Android’s in-built accessibility features to steal user data from financial applications, read user SMS messages and intercept SMS messages, allowing malware to bypass two-factor authentication.’
The cybersecurity agency noted that once installed on the victim’s Android phone, the malware asks for permissions such as ‘controlling system alerts, reading external storage content, installing additional packages, accessing the internet, whitelisting it to ignore battery optimization, auto-initiated upon reboot, read and receive SMS messages as well as continue running and accessing data in the background’.
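The permission set CERT-In describes is a recognizable profile on its own: SMS read/receive rights paired with an accessibility service, boot persistence, and overlay/installer rights. The following triage script is an added example (not from CERT-In or the article) that flags that combination in a decoded AndroidManifest.xml; the mapping from the advisory’s wording to manifest permission names, and the sample manifest itself, are my own constructions.

```python
import xml.etree.ElementTree as ET

ANDROID_NS = "http://schemas.android.com/apk/res/android"
ATTR_NAME = f"{{{ANDROID_NS}}}name"
ATTR_PERMISSION = f"{{{ANDROID_NS}}}permission"

# Manifest permission names for the capabilities the advisory lists (mapping assumed by me).
SMS_PERMS = {"android.permission.READ_SMS", "android.permission.RECEIVE_SMS"}
PERSISTENCE_PERMS = {
    "android.permission.RECEIVE_BOOT_COMPLETED",            # auto-start on reboot
    "android.permission.REQUEST_IGNORE_BATTERY_OPTIMIZATIONS",  # stay alive in background
    "android.permission.FOREGROUND_SERVICE",                # keep running
}
OVERLAY_INSTALL_PERMS = {
    "android.permission.SYSTEM_ALERT_WINDOW",      # control system alerts / draw overlays
    "android.permission.REQUEST_INSTALL_PACKAGES",  # install additional packages
}
ACCESSIBILITY_BIND = "android.permission.BIND_ACCESSIBILITY_SERVICE"


def triage_manifest(manifest_xml: str) -> dict:
    """Return requested permissions plus the advisory-style red flags they form together."""
    root = ET.fromstring(manifest_xml)
    perms = {e.get(ATTR_NAME) for e in root.iter("uses-permission")} - {None}
    # An accessibility service is a <service> guarded by BIND_ACCESSIBILITY_SERVICE.
    has_accessibility = any(s.get(ATTR_PERMISSION) == ACCESSIBILITY_BIND for s in root.iter("service"))
    short = lambda group: ", ".join(sorted(p.rsplit(".", 1)[1] for p in perms & group))
    flags = []
    if has_accessibility and perms & SMS_PERMS:
        flags.append("accessibility service combined with SMS access (OTP interception profile)")
    if perms & PERSISTENCE_PERMS:
        flags.append("persistence: " + short(PERSISTENCE_PERMS))
    if perms & OVERLAY_INSTALL_PERMS:
        flags.append("overlay/installer: " + short(OVERLAY_INSTALL_PERMS))
    return {"permissions": sorted(perms), "accessibility_service": has_accessibility, "flags": flags}


# Constructed sample manifest (not a real sample) mirroring the permission set in the advisory.
SAMPLE_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android" package="com.example.fakeupdate">
  <uses-permission android:name="android.permission.INTERNET"/>
  <uses-permission android:name="android.permission.READ_EXTERNAL_STORAGE"/>
  <uses-permission android:name="android.permission.SYSTEM_ALERT_WINDOW"/>
  <uses-permission android:name="android.permission.REQUEST_INSTALL_PACKAGES"/>
  <uses-permission android:name="android.permission.REQUEST_IGNORE_BATTERY_OPTIMIZATIONS"/>
  <uses-permission android:name="android.permission.RECEIVE_BOOT_COMPLETED"/>
  <uses-permission android:name="android.permission.READ_SMS"/>
  <uses-permission android:name="android.permission.RECEIVE_SMS"/>
  <uses-permission android:name="android.permission.FOREGROUND_SERVICE"/>
  <application>
    <service android:name=".AccService" android:permission="android.permission.BIND_ACCESSIBILITY_SERVICE"/>
  </application>
</manifest>"""

if __name__ == "__main__":
    for flag in triage_manifest(SAMPLE_MANIFEST)["flags"]:
        print("FLAG:", flag)
```

Real APKs carry the manifest in binary form, so run this on the text decoded by a tool such as apktool or aapt.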
CERT-In has suggested counter-measures that Android phone users can take to protect themselves from infection.
Users should check an app’s details, number of downloads, and user reviews before downloading it from the Play Store. Other steps include installing an up-to-date anti-virus solution and keeping the phone current with the latest Android updates and patches. Users should also exercise caution when tapping URLs and avoid using unsecured or unknown Wi-Fi networks.
EventBot has not been spotted on the official Google Play Store so far, but it can ‘masquerade’ as a genuine application to deceive users.