Starting from the second half of 2020, the PRODAFT Threat Intelligence ("PTI") team witnessed a rising trend of mobile banking malware attacks against European countries, primarily targeting customers of banking institutions based in Spain, Germany, Switzerland, and the Netherlands. Toddler is considered an important example of this trend in terms of its technical features and operational chain.
This report presents a behind-the-scenes analysis of this newly emerging Android malware, also known as Teabot or Anatsa.
At the time of the analysis, Toddler largely targeted Spain, but the malware sample contains textual content for targeting Spanish, English, Italian, German, French, and Dutch-speaking users.
The PTI team de-anonymized the C&C server and discovered that Toddler had already infected more than 7,632 devices at the time of this report.
Apart from our detailed technical analysis, statistics and observations from the main C&C panel are also provided in detail.
Wazawaka has recently risen to prominence within the Threat Intelligence (TI) community, emerging as a key player in the dynamic digital threat landscape. Wazawaka is currently under scrutiny for his alleged involvement in cybercriminal activities, prompting concerns across the cyber realm.
This research provides a comprehensive analysis of Wazawaka’s background, affiliations, and tactics in the threat landscape associated with his activities. It includes information about Wazawaka’s team and his close relations with other threat actors.
The structure of Wazawaka’s team and its choice of third-party ransomware-as-a-service vendors provide in-depth insights into the current state of the cybercriminal industry as a whole. This research is vital for information security leaders who wish to improve their risk management models and boost cyber resilience against sophisticated threats.
This report explores the operational environment of the Nomadic Octopus espionage group's Tajikistan Campaign: Paperbug.
According to victim analysis, the group targets high-ranking government officials, telecommunication services, and public service infrastructures. The types of compromised machines range from individuals' computers to OT devices. These targets make operation "Paperbug" intelligence-driven.
The environment itself is built with only fundamental functionality. This makes attribution challenging, as it leaves little room for comment. However, the findings were sufficient to profile the group in this case.
RIG EK is a financially motivated program that has been active since 2014. Although it has yet to substantially change its exploits in its more recent activity, the type and version of the malware the threat actors distribute change constantly, with samples updated anywhere from weekly to daily.
This report aims to provide insight into how RIG EK operates, what kinds of malware it distributes, and how the distribution happens.
The PTI team identified and gained visibility into the infrastructure of RKIT, which revealed the threat actors' inner workings and their identities.
The highly active threat group FIN7 has been continuously broadening its cybercrime horizons and recently added ransomware to its attack arsenal.
The FIN7 group is notorious for deploying extensive backdoors by leveraging software supply chains, distributing malicious USB sticks, and cooperating with other groups.
The PTI team obtained visibility into the inner workings of the FIN7 threat group and gathered information about its organizational structure, member identities, attack vectors, infrastructure, proof-supported affiliations with other ransomware groups (such as DarkSide, who were behind the Colonial Pipeline attack in 2021), victim targeting, and other relevant observations. All of the findings are supported by translated conversations among the members of FIN7, including screenshots of their infrastructure.
You can download the full version of the report along with a summary of the most important findings.