
Trojan-as-a-Service Targets European Banks and Cryptocurrency Exchanges


A newly discovered Android remote access Trojan (RAT), tracked as "DroidBot", has drawn the attention of security analysts. The malware combines banking-Trojan and spyware capabilities, including keylogging, device monitoring and two-way data transmission, and is aimed at banks, cryptocurrency exchanges and national organisations. What sets DroidBot apart is its apparent shift toward a full malware-as-a-service (MaaS) operation.

According to researchers, DroidBot first surfaced in mid-2024 and has since been adopted by at least 17 affiliate groups, with 77 distinct targets identified in countries including France, Italy, Portugal and Spain. The threat is compounded by continuous updates to the Trojan, which point to a planned expansion into Latin America in the near future.

The developers behind DroidBot appear to be native Turkish speakers, but recent activity indicates a push into Spanish-speaking regions, with Central and South America as the intended next targets. The malware is still under active development: samples differ in the presence of placeholder functions, in their level of obfuscation and in their use of multi-stage unpacking, which suggests the authors are still extending its capabilities and tailoring builds to specific environments.

DroidBot's surveillance features include SMS interception, keylogging and periodic screenshots of the victim's device. It also abuses Android's Accessibility Services, a legitimate platform feature rather than a vulnerability, to let the operators remotely issue commands and control the device. Its dual-channel command-and-control is unusual among Android banking Trojans: outbound data is sent over MQTT, while inbound commands arrive over HTTPS. Splitting the channels gives the operators flexibility and makes the infrastructure more resilient if either channel is blocked or taken down.
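The capability profile described above (an accessibility service for remote control plus SMS interception for one-time-code theft) is visible statically in an APK's manifest, which makes it a cheap first-pass triage check before dynamic analysis. The script below is an added example, not code from the original article or from the researchers who analysed DroidBot. The sample manifests are constructed for illustration, the permission table and risk weights are this example's own assumptions, and it expects a decoded (text) manifest, so a real APK's binary AXML must first be converted with a tool such as apktool.

```python
"""Static triage of an Android manifest for a banking-RAT capability profile.

Added example. Flags the manifest evidence a DroidBot-style RAT needs:
a declared accessibility service (remote control of the device) and SMS
permissions (OTP interception). The weights and the permission table are
illustrative assumptions, not figures from any vendor report.
"""
import xml.etree.ElementTree as ET

# ElementTree stores the android: prefix as a full namespace on attribute keys.
ANDROID_NS = "{http://schemas.android.com/apk/res/android}"

# Permission -> (capability it enables, illustrative risk weight).
PERMISSION_WEIGHTS = {
    "android.permission.RECEIVE_SMS": ("sms_interception", 3),
    "android.permission.READ_SMS": ("sms_interception", 2),
    "android.permission.SYSTEM_ALERT_WINDOW": ("overlay", 2),
    "android.permission.REQUEST_INSTALL_PACKAGES": ("dropper", 1),
    "android.permission.INTERNET": ("network", 0),
}
ACCESSIBILITY_PERMISSION = "android.permission.BIND_ACCESSIBILITY_SERVICE"


def triage_manifest(xml_text: str) -> dict:
    """Return a score, a verdict and the list of (capability, evidence) found."""
    root = ET.fromstring(xml_text)
    findings = []
    score = 0

    # <uses-permission> elements are direct children of <manifest>.
    for perm in root.findall("uses-permission"):
        name = perm.get(ANDROID_NS + "name", "")
        if name in PERMISSION_WEIGHTS:
            capability, weight = PERMISSION_WEIGHTS[name]
            findings.append((capability, name))
            score += weight

    # An accessibility service is a <service> guarded by
    # BIND_ACCESSIBILITY_SERVICE; once the user enables it, the app can read
    # screen content and inject input, which is what gives a RAT remote control.
    for svc in root.iter("service"):
        if svc.get(ANDROID_NS + "permission") == ACCESSIBILITY_PERMISSION:
            findings.append(("accessibility_control", svc.get(ANDROID_NS + "name", "?")))
            score += 4

    capabilities = {cap for cap, _ in findings}
    # The combination matters more than any single permission: remote control
    # plus SMS access is the classic banking-RAT profile.
    if {"accessibility_control", "sms_interception"} <= capabilities:
        verdict = "high"
    elif score >= 4:
        verdict = "medium"
    else:
        verdict = "low"
    return {"score": score, "verdict": verdict, "findings": findings}


# Constructed sample: a fake "security update" app with the RAT profile.
SAMPLE_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.constructed.sample">
    <uses-permission android:name="android.permission.INTERNET"/>
    <uses-permission android:name="android.permission.RECEIVE_SMS"/>
    <uses-permission android:name="android.permission.READ_SMS"/>
    <uses-permission android:name="android.permission.SYSTEM_ALERT_WINDOW"/>
    <application android:label="Security Update">
        <service android:name=".AccService"
            android:permission="android.permission.BIND_ACCESSIBILITY_SERVICE">
            <intent-filter>
                <action android:name="android.accessibilityservice.AccessibilityService"/>
            </intent-filter>
        </service>
    </application>
</manifest>
"""

# Constructed sample: an ordinary networked app for contrast.
BENIGN_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.constructed.benign">
    <uses-permission android:name="android.permission.INTERNET"/>
    <application android:label="Weather"/>
</manifest>
"""

if __name__ == "__main__":
    for label, manifest in (("sample", SAMPLE_MANIFEST), ("benign", BENIGN_MANIFEST)):
        result = triage_manifest(manifest)
        print(label, result["verdict"], result["score"], result["findings"])
```

The verdict is deliberately driven by the combination of capabilities rather than by any single permission: many legitimate apps declare an accessibility service or read SMS, but few need both, and a high verdict here is a reason to prioritise a sample for dynamic analysis, not a conviction on its own.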

Beyond its technical capabilities, what truly distinguishes DroidBot is the emergence of a banking RAT-as-a-service business model. Under an affiliate model the core developers maintain the malware and its infrastructure while many independent operators run their own campaigns against their own targets. For defenders this multiplies the number of concurrent campaigns to track and complicates attribution, since a single codebase now sits behind many unrelated actors, each with its own distribution and targeting.

Overall, DroidBot's rise and its evolution into a malware-as-a-service operation call for heightened vigilance and stronger defensive measures. As affiliates continue to adapt their tactics, detecting and mitigating this kind of malware quickly is essential to safeguarding sensitive data and protecting organisations from financial loss and reputational damage.
