WannaLocker ransomware found combined with RAT and banking trojan

News by Bradley Barth

Cybercriminals have been using a WannaCry-like all-in-one malware package in a campaign targeting Brazilian banks and their Android mobile customers

Researchers are warning that a new version of WannaLocker – an Android ransomware family that copies WannaCry's ransom-note interface – has been enhanced with spyware, remote access trojan and banking trojan capabilities.

Cybercriminals have been using the all-in-one malware package in a campaign targeting Brazilian banks and their Android mobile customers, according to a blog post from Avast.

Avast threat researcher Nikolaos Chrysaidos, who discovered the malware, reported via his Twitter account that this new WannaLocker version appears to be a trifecta of the WannaLocker ransomware user interface, the AhMyth RAT program and custom banking malware. (French security researcher Elliot Alderson replied to Chrysaidos's tweets, identifying the ransomware as SLocker – to which Chrysaidos responded, "Yeah, it's the same [thing].")

"We believe this is the first sighting of this new mobile version of WannaLocker," said Chrysaidos, as quoted by his company’s blog post. "It harvests text information, call logs, phone number[s] and credit card information, and if it takes off it could be a very serious issue."

The likely attack vectors in this campaign are malicious links or third-party app stores, Avast reports.

"The banking Trojan works by showing users a fake interface and urging them to address an issue with their account by signing in," Avast’s blog post states. "When they do, the malware collects a wide range of data, including the mobile manufacturer and other hardware information, call log, text messages, phone number, photos from front and back camera, contact list, GPS location and microphone audio data."
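The data types Avast lists above (SMS, call log, phone number, camera, contacts, GPS location, microphone) each correspond to a specific Android runtime permission, and a fake sign-in screen drawn over a real banking app normally needs the overlay permission as well. The following triage script is an added example for this article, not Avast's code or anything recovered from the sample: it parses an AndroidManifest.xml, maps requested permissions back to those data categories, and flags an app that combines broad harvesting with overlay capability. The two manifests are constructed for illustration, the category-to-permission mapping is the editor's assumption, and the use of SYSTEM_ALERT_WINDOW for the "fake interface" is likewise assumed rather than stated in the report.

```python
"""Triage check: does an Android manifest request the data-harvesting
permission set described for the WannaLocker banking component?

Added illustrative example. The manifests below are constructed, not taken
from any real sample, and the category -> permission mapping is an
assumption based on the data types named in the Avast report.
"""
from __future__ import annotations

import xml.etree.ElementTree as ET

ANDROID_NS = "http://schemas.android.com/apk/res/android"

# Data categories named in the report, mapped to the runtime permissions an
# app needs to collect them (assumed mapping, not from the report).
CATEGORY_PERMISSIONS = {
    "sms": {"android.permission.READ_SMS", "android.permission.RECEIVE_SMS"},
    "call_log": {"android.permission.READ_CALL_LOG"},
    "phone_number": {"android.permission.READ_PHONE_STATE",
                     "android.permission.READ_PHONE_NUMBERS"},
    "camera": {"android.permission.CAMERA"},
    "contacts": {"android.permission.READ_CONTACTS"},
    "location": {"android.permission.ACCESS_FINE_LOCATION",
                 "android.permission.ACCESS_COARSE_LOCATION"},
    "microphone": {"android.permission.RECORD_AUDIO"},
}

# Lets an app draw on top of other apps; assumed here to be what a fake
# banking login screen needs (the report only says "fake interface").
OVERLAY_PERMISSION = "android.permission.SYSTEM_ALERT_WINDOW"


def requested_permissions(manifest_xml: str) -> set[str]:
    """Return every <uses-permission android:name="..."> value in the manifest."""
    root = ET.fromstring(manifest_xml)
    names = set()
    for elem in root.iter("uses-permission"):
        name = elem.get(f"{{{ANDROID_NS}}}name")
        if name:
            names.add(name)
    return names


def harvested_categories(perms: set[str]) -> set[str]:
    """Which of the report's data categories can this permission set reach?"""
    return {cat for cat, needed in CATEGORY_PERMISSIONS.items() if perms & needed}


def triage(manifest_xml: str, threshold: int = 4) -> dict:
    """Flag broad harvesting (>= threshold categories) combined with overlay ability."""
    perms = requested_permissions(manifest_xml)
    cats = harvested_categories(perms)
    overlay = OVERLAY_PERMISSION in perms
    return {
        "permissions": perms,
        "categories": cats,
        "overlay": overlay,
        "suspicious": len(cats) >= threshold and overlay,
    }


# Constructed manifest resembling the permission profile described in the report.
SUSPICIOUS_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.constructed.fakebank">
  <uses-permission android:name="android.permission.INTERNET"/>
  <uses-permission android:name="android.permission.READ_SMS"/>
  <uses-permission android:name="android.permission.RECEIVE_SMS"/>
  <uses-permission android:name="android.permission.READ_CALL_LOG"/>
  <uses-permission android:name="android.permission.READ_PHONE_STATE"/>
  <uses-permission android:name="android.permission.CAMERA"/>
  <uses-permission android:name="android.permission.READ_CONTACTS"/>
  <uses-permission android:name="android.permission.ACCESS_FINE_LOCATION"/>
  <uses-permission android:name="android.permission.RECORD_AUDIO"/>
  <uses-permission android:name="android.permission.SYSTEM_ALERT_WINDOW"/>
  <application android:label="Bank Update"/>
</manifest>
"""

# Constructed manifest for an ordinary app that only needs the camera.
BENIGN_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.constructed.scanner">
  <uses-permission android:name="android.permission.INTERNET"/>
  <uses-permission android:name="android.permission.CAMERA"/>
  <application android:label="QR Scanner"/>
</manifest>
"""

if __name__ == "__main__":
    for label, manifest in (("fakebank", SUSPICIOUS_MANIFEST), ("scanner", BENIGN_MANIFEST)):
        result = triage(manifest)
        print(label, sorted(result["categories"]), "overlay" if result["overlay"] else "no-overlay",
              "SUSPICIOUS" if result["suspicious"] else "ok")
```

The threshold is deliberately a rule-of-thumb: a legitimate messaging app will hit the SMS and contacts categories, but very few honest apps need SMS, call log, location, camera and microphone together plus the right to draw over other apps, which is the combination the report describes.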

When it was first discovered in 2017, WannaLocker targeted Chinese Android users via gaming forums, encrypting files on infected devices' external storage and then displaying a ransom message. This version has an encryption component as well, "but appears to still be in development," Chrysaidos said.

"Hackers are becoming bolder and more shifty as they attempt to capitalise on previous attacks by combining them into a newer and more lethal attack," said Will LaSala, director of security solutions and security evangelist at OneSpan in emailed comments. "Banks should be well aware of these individual attacks, but are probably [caught] off-guard by the new way they are being combined and used. It is important to continue to adjust our security methodologies, while maintaining what we have done in the past."

This article was originally published on SC Media US.
