Attacks involving the new RedHook Android banking trojan have been launched against Vietnamese mobile users as part of a phishing campaign, reports The Cyber Express.
Illicit websites spoofing Vietnamese financial and government organizations have been used to distribute a trojanized APK file carrying the RedHook malware, according to an analysis by Cyble Research and Intelligence Labs (CRIL). Once installed, the malware requests overlay permission and Android accessibility service access, which enables it to deploy overlay phishing pages, log keystrokes, exfiltrate contacts and SMS messages, and install or remove apps. RedHook also uses WebSocket over skt9 to provide remote access trojan functionality. Further examination of RedHook artifacts indicates the malware was developed by a Chinese-speaking threat actor, with the C2 interface, log strings, and internal code containing Chinese text. CRIL researchers also noted that the phishing campaign's staging domain and one of its exposed data buckets reference older Vietnamese fraud operations.
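The capability set described above (overlay permission plus an accessibility service, combined with SMS, contacts and package install/removal access) is visible in an APK's decoded manifest before the app is ever run. The following triage script is an added example, not code from the report or from Cyble; it inspects a decoded AndroidManifest.xml (as produced by apktool or aapt2, not the binary AXML inside the APK) and flags that combination. The sample manifests, the package name and the service class name are constructed for the example and are not RedHook's real artifacts.

```python
"""Manifest triage for the overlay + accessibility + exfiltration pattern.

Added example (not from the report). Works on a decoded AndroidManifest.xml.
Sample manifests below are constructed; they do not describe real malware.
"""
import xml.etree.ElementTree as ET

ANDROID_NS = "http://schemas.android.com/apk/res/android"
ATTR_NAME = f"{{{ANDROID_NS}}}name"
ATTR_PERMISSION = f"{{{ANDROID_NS}}}permission"

# Capability buckets mapped to the real Android permissions that grant them.
CAPABILITIES = {
    "overlay": {"android.permission.SYSTEM_ALERT_WINDOW"},
    "sms": {"android.permission.READ_SMS", "android.permission.RECEIVE_SMS"},
    "contacts": {"android.permission.READ_CONTACTS"},
    "package_control": {
        "android.permission.REQUEST_INSTALL_PACKAGES",
        "android.permission.REQUEST_DELETE_PACKAGES",
    },
}
# An accessibility service is a <service> the system binds with this permission.
ACCESSIBILITY_BIND = "android.permission.BIND_ACCESSIBILITY_SERVICE"


def analyze_manifest(manifest_xml: str) -> dict:
    """Return requested capabilities, accessibility services and a verdict."""
    root = ET.fromstring(manifest_xml)
    requested = {el.get(ATTR_NAME) for el in root.iter("uses-permission")}

    accessibility_services = [
        svc.get(ATTR_NAME)
        for svc in root.iter("service")
        if svc.get(ATTR_PERMISSION) == ACCESSIBILITY_BIND
    ]

    found = {}
    for cap, perms in CAPABILITIES.items():
        hit = sorted(requested & perms)
        if hit:
            found[cap] = hit

    has_overlay = "overlay" in found
    has_accessibility = bool(accessibility_services)
    has_exfil_or_control = bool(found.keys() & {"sms", "contacts", "package_control"})

    # Overlay + accessibility on their own warrant a look; together with SMS,
    # contacts or package control they match the banking-trojan pattern.
    if has_overlay and has_accessibility and has_exfil_or_control:
        verdict = "suspicious"
    elif has_overlay or has_accessibility:
        verdict = "review"
    else:
        verdict = "benign"

    return {
        "capabilities": found,
        "accessibility_services": accessibility_services,
        "verdict": verdict,
    }


# Constructed sample: a fake "bank" app requesting the full pattern.
SAMPLE_SUSPICIOUS = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
          package="com.example.fakebank">
  <uses-permission android:name="android.permission.INTERNET"/>
  <uses-permission android:name="android.permission.SYSTEM_ALERT_WINDOW"/>
  <uses-permission android:name="android.permission.READ_SMS"/>
  <uses-permission android:name="android.permission.RECEIVE_SMS"/>
  <uses-permission android:name="android.permission.READ_CONTACTS"/>
  <uses-permission android:name="android.permission.REQUEST_INSTALL_PACKAGES"/>
  <application android:label="Bank">
    <service android:name=".AccService"
             android:permission="android.permission.BIND_ACCESSIBILITY_SERVICE">
      <intent-filter>
        <action android:name="android.accessibilityservice.AccessibilityService"/>
      </intent-filter>
    </service>
  </application>
</manifest>"""

# Constructed sample: an ordinary app that only reads contacts.
SAMPLE_BENIGN = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
          package="com.example.addressbook">
  <uses-permission android:name="android.permission.INTERNET"/>
  <uses-permission android:name="android.permission.READ_CONTACTS"/>
  <application android:label="Contacts"/>
</manifest>"""


if __name__ == "__main__":
    for label, xml in (("fakebank", SAMPLE_SUSPICIOUS), ("addressbook", SAMPLE_BENIGN)):
        print(label, analyze_manifest(xml))
```

Run it against a manifest decoded from the APK under review; a "suspicious" verdict means the app asks for the same overlay, accessibility and data-access combination the report attributes to RedHook, which is a strong reason to block installation or escalate for full analysis.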