Cybersecurity researchers have discovered a new version of the Android banking trojan called Octo that comes with improved device takeover (DTO) capabilities and performs fraudulent transactions.
The new version has been codenamed Octo2, Dutch security firm ThreatFabric said in a report shared with The Hacker News, adding that the malware distribution campaigns have been spotted in European countries such as Italy, Poland, Moldova and Hungary.
“Malware developers have taken steps to improve the stability of the remote capabilities required for Device Takeover attacks,” the company said in a statement.
Some of the malicious apps containing Octo2 are listed below –
- Europe Enterprise (com.xsusb_restore3)
- Google Chrome (com.havirtual06numberresources)
- NordVPN (com.handedfastee5)
Octo was first documented in early 2022, when the campaign was described as the work of a threat actor using the online aliases Architect and goodluck. It was judged to be a “direct descendant” of the Exobot malware originally discovered in 2016, which also spawned another variant called Coper in 2021.
“Based on the source code of the Marcher banking trojan, Exobot was maintained until 2018, targeting financial institutions with various campaigns targeting Turkey, France, and Germany, as well as Australia, Thailand, and Japan,” ThreatFabric noted at the time.
“A ‘lite’ version was then introduced, named ExobotCompact by its author, a threat actor known as ‘android’ on dark web forums.”
The emergence of Octo2 is said to have been primarily triggered by the leak of Octo’s source code earlier this year, which led to other threat actors spawning several variants of the malware.
Another important development is Octo’s transition to a malware-as-a-service (MaaS) operation, according to Team Cymru, which allows the developer to monetize the malware by offering it to cybercriminals looking to carry out information-stealing operations.
“While promoting the update, Octo’s owner announced that Octo2 will be available to Octo1 users at the same early access price,” ThreatFabric said. “We can expect the entities that operated Octo1 to move to Octo2, thus bringing it into the global threat landscape.”
One of the significant improvements in Octo2 is the introduction of a domain generation algorithm (DGA) to generate the command-and-control (C2) server name, along with improvements to its overall stability and anti-analysis techniques.
The fake Android apps that distribute the malware are created using a well-known APK binding service called Zombinder, which allows legitimate applications to be trojanized so that they fetch the actual malware (in this case Octo2) under the guise of installing a “required plugin”.
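Octo2's DGA makes its C2 hostname change rather than sit on a fixed indicator list, so a defender watching outbound DNS has to look for algorithmically generated names instead of a known domain. The script below is an added illustration and is not ThreatFabric's code, nor does it reproduce Octo2's actual algorithm (the report excerpted here does not describe it); it applies a generic DGA-likeness heuristic (label entropy, vowel and digit ratios, label length) to a constructed, hypothetical set of DNS query log lines and returns the names worth pulling into an investigation alongside the package-name indicators listed above.

```python
import math
from collections import Counter

# Constructed sample DNS query log (hypothetical; these are not Octo2 indicators).
# Format assumed: <timestamp> <client_ip> <qtype> <queried_name>
SAMPLE_DNS_LOG = """\
2024-09-24T10:00:01Z 10.0.0.12 A www.example.com
2024-09-24T10:00:02Z 10.0.0.12 A update.google.com
2024-09-24T10:00:03Z 10.0.0.12 A xq7vkd9zlrtp2mwh.top
2024-09-24T10:00:04Z 10.0.0.12 A b3rt8hpxq1wz.xyz
2024-09-24T10:00:05Z 10.0.0.12 A mail.corp.example.org
"""

FLAG_THRESHOLD = 2  # number of heuristics that must fire before a name is flagged


def shannon_entropy(text):
    """Bits of entropy per character of `text` (0 for the empty string)."""
    if not text:
        return 0.0
    counts = Counter(text)
    n = len(text)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def registrable_label(domain):
    """Naive second-level label (the part a DGA usually randomises).
    Does not handle multi-part public suffixes such as co.uk; good enough here."""
    parts = domain.lower().rstrip(".").split(".")
    return parts[-2] if len(parts) >= 2 else parts[0]


def dga_score(domain):
    """Count how many DGA-style traits the registrable label shows (0..4).
    Thresholds are illustrative assumptions, not published cut-offs."""
    label = registrable_label(domain)
    length = max(len(label), 1)
    entropy = shannon_entropy(label)
    vowel_ratio = sum(ch in "aeiou" for ch in label) / length
    digit_ratio = sum(ch.isdigit() for ch in label) / length

    score = 0
    score += entropy >= 3.5          # many distinct characters, little repetition
    score += vowel_ratio < 0.2       # unpronounceable, unlike human-chosen names
    score += digit_ratio > 0.15      # digits mixed into the label
    score += len(label) >= 12        # long random labels are typical of DGAs
    return int(score)


def parse_queries(log_text):
    """Yield the queried name from each non-empty log line."""
    for line in log_text.splitlines():
        fields = line.split()
        if len(fields) >= 4:
            yield fields[3]


def flag_dga_candidates(log_text, threshold=FLAG_THRESHOLD):
    """Return the queried names whose score meets the threshold, in log order."""
    return [name for name in parse_queries(log_text) if dga_score(name) >= threshold]


if __name__ == "__main__":
    for name in parse_queries(SAMPLE_DNS_LOG):
        print(f"{dga_score(name)}  {name}")
    print("flagged:", flag_dga_candidates(SAMPLE_DNS_LOG))
```

The heuristic is deliberately coarse: it will flag some legitimate CDN or tracking hostnames and miss DGAs built from dictionary words, so treat a hit as a trigger for correlating the querying device against the app inventory (for example the package names above) rather than as a verdict on its own.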
“Because the source code of the Octo malware was already leaked and readily available to various threat actors, Octo2 builds on this foundation with even more robust remote access capabilities and sophisticated obfuscation techniques,” ThreatFabric said.
“This variant’s ability to stealthily perform device fraud and intercept sensitive data, combined with the ease with which it can be configured by various threat actors, raises the stakes for mobile banking users worldwide.”