- by AlienVault
- Public
- TLP: White
In this blogpost, part of a series, ThreatFabric presents its findings on Vultur, a new banking trojan that records the screen and performs keylogging on victims' devices via VNC.
REFERENCE: https://www.threatfabric.com/blogs/vultur-v-for-vnc.html
TAGS: Vultur, VNC, Keylogging, RAT, Brunhilda
INDUSTRY: Banking
TARGETED COUNTRIES: Spain, Australia, Italy
MALWARE FAMILIES: Brunhilda, Vultur
ATT&CK IDS: T1113 – Screen Capture, T1056 – Input Capture, T1219 – Remote Access Software, T1030 – Data Transfer Size Limits, T1082 – System Information Discovery, T1505 – Server Software Component, T1573 – Encrypted Channel
In late March 2021, ThreatFabric detected a new RAT malware that we dubbed Vultur because of the full visibility it gains of a victim's device via VNC. For the first time we are seeing an Android banking trojan that uses screen recording and keylogging as its main strategy to harvest login credentials in an automated and scalable way. The actors chose to steer away from the common HTML overlay strategy we usually see in other Android banking trojans: that approach requires more time and effort from the actors to steal relevant information from the user. Instead, they chose to simply record what is shown on the screen, effectively obtaining the same end result.
Based on the intelligence gathered, ThreatFabric was able to obtain the list of apps targeted by Vultur. Italy, Australia and Spain were the countries with the most banking institutions targeted. In addition, many crypto-wallets are targeted, which is in line with the trend we observed in our previous blog "The Rage of Android Banking Trojans".
During the investigation, ThreatFabric analysts discovered its connection with a well-known dropper framework called Brunhilda, which uses droppers hosted in Google Play to distribute malware (MITRE T1475).
In this blogpost ThreatFabric will show that this dropper and Vultur are both developed by the same threat actor group. The choice to develop its own private trojan, instead of renting third-party malware, displays strong motivation on the part of this group, paired with the overall high level of structure and organization present in both the bot and the server code.