Rocinante Trojan Impersonates Banking Apps to Harvest Sensitive Data from Brazilian Android Users

Mobile users in Brazil are currently facing a significant cybersecurity threat from a new malware campaign that delivers an Android banking trojan known as Rocinante. The malware was identified by Dutch security firm ThreatFabric, which highlights its capabilities, including keylogging via the Accessibility Service and the theft of personally identifiable information (PII) through phishing screens that impersonate various banks.

The Rocinante malware not only harvests personal data; it can also carry out a device takeover, using its accessibility privileges to give operators complete remote access to infected devices. Notably, the malware targets a range of financial institutions in Brazil, including Itaú Shop and Santander, and disguises itself using fraudulent applications that pose as Bradesco Prime and Correios Celular.

A closer examination of the malware’s source code indicates that the operators internally refer to Rocinante as Pegasus, a name unrelated to the well-known cross-platform spyware created by NSO Group. Furthermore, the malware is suspected to be the product of a threat actor named DukeEugene, who has been linked to previous malware variants, including ERMAC and BlackRock. ThreatFabric also observed that Rocinante has drawn influences from earlier ERMAC iterations, suggesting that the leak of ERMAC’s source code could have impacted Rocinante’s development. This situation marks what has been described as a unique example of how original malware families may integrate code from leaks into their own framework.

Rocinante primarily spreads through phishing sites that deceive users into downloading counterfeit apps. These dropper applications request accessibility service permissions, enabling them to record user activity, intercept SMS messages, and display phishing login pages with fake banking interfaces. Once operational, the malware establishes a connection with a command-and-control (C2) server to await further commands, which include simulating touch and swipe events remotely. The stolen data is sent to a Telegram bot that categorizes and shares the information within a secure channel accessible to criminals.
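The abuse chain described above (a sideloaded dropper that obtains accessibility privileges and then logs input and overlays phishing screens) leaves a footprint a defender can check for during device triage. The script below is an added example written for this page, not ThreatFabric's tooling or any code from the original report. It parses the text that `adb shell settings get secure enabled_accessibility_services` and `adb shell pm list packages -3 -i` produce and flags third-party apps that hold an enabled accessibility service but were not installed from a trusted store. The sample outputs are constructed, the package names are placeholders rather than real indicators, and the set of trusted installers is an assumption you should adjust for your fleet.

```python
"""Offline triage of Android device state for accessibility-service abuse.

Added example; not code from the article or from ThreatFabric. It consumes
the raw text of two adb commands (captured separately and pasted in here)
and reports sideloaded third-party apps with an enabled accessibility
service, the combination the dropper described above relies on.
"""
import re
from dataclasses import dataclass, field

# Assumption: installers treated as legitimate app stores. Extend with your
# OEM or MDM store package names as appropriate.
TRUSTED_INSTALLERS = {"com.android.vending"}

PKG_RE = re.compile(r"^package:(\S+)\s+installer=(\S+)")


@dataclass
class Finding:
    package: str
    installer: str
    services: list[str] = field(default_factory=list)
    reasons: list[str] = field(default_factory=list)


def parse_enabled_services(raw: str) -> dict[str, list[str]]:
    """Map package -> enabled accessibility service classes.

    Input is the value of the secure setting enabled_accessibility_services:
    colon-separated 'package/ServiceClass' entries, or 'null' when none.
    """
    services: dict[str, list[str]] = {}
    raw = raw.strip()
    if not raw or raw == "null":
        return services
    for entry in raw.split(":"):
        pkg, _, cls = entry.partition("/")
        if pkg:
            services.setdefault(pkg, []).append(cls)
    return services


def parse_installed(raw: str) -> dict[str, str]:
    """Map third-party package -> installer package from 'pm list packages -3 -i'."""
    installed: dict[str, str] = {}
    for line in raw.splitlines():
        m = PKG_RE.match(line.strip())
        if m:
            installed[m.group(1)] = m.group(2)
    return installed


def triage(services_raw: str, installed_raw: str) -> list[Finding]:
    """Flag third-party packages with an enabled accessibility service that
    did not come from a trusted installer. System packages (absent from the
    -3 listing, e.g. a built-in screen reader) are skipped."""
    services = parse_enabled_services(services_raw)
    installed = parse_installed(installed_raw)
    findings: list[Finding] = []
    for pkg in sorted(services):
        if pkg not in installed:
            continue  # system app, outside the scope of this check
        installer = installed[pkg]
        if installer in TRUSTED_INSTALLERS:
            continue
        f = Finding(package=pkg, installer=installer, services=services[pkg])
        f.reasons.append(f"installer '{installer}' is not a trusted store")
        for cls in services[pkg]:
            f.reasons.append(f"accessibility service enabled: {cls}")
        findings.append(f)
    return findings


# Constructed sample captures; package names are placeholders, not IoCs.
SAMPLE_ENABLED = (
    "com.android.talkback.placeholder/com.android.talkback.placeholder.Service:"
    "com.example.fakebank.dropper/com.example.fakebank.dropper.AccessService"
)
SAMPLE_INSTALLED = """\
package:com.example.fakebank.dropper  installer=null
package:com.example.legit.app  installer=com.android.vending
package:com.example.sideloaded.game  installer=com.google.android.packageinstaller
"""

if __name__ == "__main__":
    for finding in triage(SAMPLE_ENABLED, SAMPLE_INSTALLED):
        print(finding.package, finding.installer)
        for reason in finding.reasons:
            print("  -", reason)
```

Run it against real captures by replacing the two sample strings with the output of the adb commands named above. A hit is a lead for investigation, not proof of infection: a sideloaded app with an accessibility service enabled is also what a legitimately installed automation or assistive tool looks like, so verify the package and its signer before acting.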

ThreatFabric emphasizes that the information harvested varies with the phishing page shown, and may include sensitive details such as device specifications, phone numbers, CPF numbers, passwords, and account numbers. In response to rising concerns, a Google spokesperson confirmed that the malware has not been detected on the Play Store, and stated that Google Play Protect provides a layer of protection against such threats even when apps are installed from sources other than the Play Store.

This alarming development comes alongside another banking trojan campaign, identified by Symantec, which exploits malicious URLs to target the Spanish and Portuguese-speaking markets. This multistage attack starts with links leading to an obfuscated file designed to download a JavaScript payload that evades detection mechanisms while ultimately aiming to exfiltrate banking credentials.

Considering the tactics employed, the Rocinante attack could utilize several techniques outlined in the MITRE ATT&CK framework. Initial access may be achieved via phishing and social engineering tactics, while persistence is maintained through the exploitation of accessibility privileges. Privilege escalation could also be a part of the attack, allowing the malware to perform functions that exceed normal user permission levels. With the growing sophistication of these attacks, it is imperative for business owners to remain vigilant about their cybersecurity posture, ensuring robust defenses against potential breaches stemming from such malicious activities.
