What is Octo2 Malware and How does it spread?

by Mukesh Bhatt
September 25, 2024

Introduction

Security researchers have recently observed a new variant of Octo, an Android banking trojan, circulating under the name Octo2, with upgraded capabilities to match the new name. Octo2 is not a vulnerability but malware: criminal groups around the globe rent and operate it to perform Device Takeover (DTO) attacks, in which fraud is committed from the victim's own phone and banking session, defeating the controls that online banking relies on. Campaigns target mobile banking users worldwide.


Whom is it affecting?

  • As noted above, Octo was already known as an Android banking trojan that targets Android users who do mobile banking, posing a threat both to banks and to their customers. Several sources report that European banks are already under attack by Octo2.
  • Reports from various sources describe Octo2 being delivered inside the following malicious applications, which pose as legitimate software (app name shown to the victim, followed by the real package name):
    • Europe Enterprise (com.xsusb_restore3)
    • Google Chrome (com.havirtual06numberresources)
    • NordVPN (com.handedfastee5)

Understanding Octo2

Octo is a family of Android banking malware, and Octo2 is its newest variant. The family is associated with sophisticated attacks on financial institutions and their customers. Five key points:

  1. Origins: Octo is considered an evolved variant of older mobile malware in the Exobot lineage, which first appeared in 2016. Over time it incorporated more advanced techniques to evade detection.

  2. Functionality: Octo is a remote access trojan (RAT). It lets attackers control the victim's device remotely without the victim noticing, so fraud is performed from the legitimate device and the victim's own authenticated session, which sidesteps controls such as two-factor authentication.

  3. Targeting: Primarily Android devices. Octo typically targets banking apps and services, enabling fraud and unauthorised transactions by manipulating the user's own sessions.

  4. Distribution: The malware is distributed through malicious apps, phishing campaigns and app stores, disguised as legitimate services.

  5. Evasion: Its developers keep adding obfuscation and anti-analysis features, making it harder for security tools to detect or remove.

Octo shows how mobile malware evolves over time, becoming more dangerous and more elusive.

  • A new variant (named Octo2) of Octo, currently one of the most widespread mobile malware families, has been released by the original threat actor
  • The malware developers took action to increase the stability of the remote-action capabilities needed for Device Takeover attacks
  • New Octo2 campaigns have been spotted in European countries
  • Octo2 contains sophisticated obfuscation techniques to keep the Trojan undetected, including the introduction of a Domain Generation Algorithm (DGA) for its command-and-control (C2) infrastructure

How did it come into the limelight?

The emergence of Octo2 is said to have been driven primarily by the leak of the Octo source code earlier in 2024, which led other threat actors to spawn multiple variants of the malware. "The emergence of this Octo2 variant represents a significant evolution in mobile malware, particularly in the context of banking security," ThreatFabric said, commenting on the malware's new features.

On the family's lineage, ThreatFabric noted at the time: "Based on the source code of the banking Trojan Marcher, Exobot was maintained until 2018 targeting financial institutions with a variety of campaigns focused on Turkey, France and Germany as well as Australia, Thailand and Japan."

ThreatFabric's report continues: "Since 2022, our Mobile Threat Intelligence team has observed increasing activity from Octo and its operators. More campaigns have been spotted in the wild, and more actors have gained access to this malware family, attracted by its extensive capabilities, including continuously updated remote access features."

"In 2024, several notable events affected the mobile threat landscape, some related to Octo. First, the source code of Octo was leaked, resulting in multiple forks launched by other threat actors. The leak of the source codes was likely one of the main reasons behind the second notable event in the story of Octo: a new version, Octo2, was released by the original threat actor."

How does it spread?

Octo has transitioned to a malware-as-a-service (MaaS) operation, according to Team Cymru. This lets the developer monetise the malware by renting it to cybercriminals who want to run information-theft and banking-fraud operations. "When promoting the update, the owner of Octo announced that Octo2 will be available for users of Octo1 at the same price with early access," ThreatFabric said. "We can expect that the actors that were operating Octo1 will switch to Octo2, thus bringing it to the global threat landscape."

The rogue Android apps distributing the malware are built with a known APK binding service called Zombinder, which trojanises legitimate applications so that, once launched, they fetch the actual malware (in this case Octo2) under the guise of installing a "necessary plugin".

ThreatFabric describes the chain as follows: "In the Octo2 campaigns that were spotted by ThreatFabric, we observed Zombinder serving as the first stage of the installation: upon launch, Zombinder will request the installation of an additional 'plugin' which is, in fact, Octo2, thus successfully bypassing Android 13+ restrictions." The restriction in question is Android 13's Restricted Settings, which blocks apps sideloaded outside an app store from being granted Accessibility Service access; a two-stage dropper that installs the payload through the system package installer, with the victim's consent, is how such droppers work around it.

Figure: Zombinder tricking the victim into allowing the installation of Octo2

Key Features

  • Improved stability of the remote-control sessions used for Device Takeover
  • Device Takeover (DTO): the operator performs fraud from the victim's own device and authenticated session
  • Anti-detection and anti-analysis techniques, including stronger code obfuscation
  • C2 communication backed by a Domain Generation Algorithm (DGA), so C2 domains are generated rather than hard-coded and blocklisting or taking down an individual domain does not sever control

Indicators of compromise

SHA256                                                           | App name          | Package name
-----------------------------------------------------------------|-------------------|-------------------------------
83eea636c3f04ff1b46963680eb4bac7177e77bbc40b0d3426f5cf66a0c647ae | NordVPN           | com.handedfastee5
6cd0fbfb088a95b239e42d139e27354abeb08c6788b6083962943522a870cb98 | Europe Enterprise | com.xsusb_restore3
117aa133d19ea84a4de87128f16384ae0477f3ee9dd3e43037e102d7039c79d9 | Google Chrome     | com.havirtual06numberresources
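The following script is an added example, not code from the original post or from ThreatFabric. It turns the IOC table above and the Zombinder delivery chain described earlier into a triage check a responder can run against an Android device: it hashes APK files pulled from the phone (for example with `adb pull`) and compares them with the SHA256 IOCs, and it parses the output of `adb shell pm list packages -3 -i` to flag the known-bad package names and any third-party package that was sideloaded (no installer, or an installer other than the Play Store), which is exactly how a Zombinder "plugin" arrives. The sample `pm` output is constructed for illustration; the assumption that only `com.android.vending` counts as a trusted installer is an example setting and should be widened for devices that legitimately use other stores.

```python
"""Octo2 IOC triage helper (added example; not part of the original article)."""
import hashlib
import re
import sys

# IOC table from the article: sha256 -> (app name shown to the victim, package name)
OCTO2_IOCS = {
    "83eea636c3f04ff1b46963680eb4bac7177e77bbc40b0d3426f5cf66a0c647ae":
        ("NordVPN", "com.handedfastee5"),
    "6cd0fbfb088a95b239e42d139e27354abeb08c6788b6083962943522a870cb98":
        ("Europe Enterprise", "com.xsusb_restore3"),
    "117aa133d19ea84a4de87128f16384ae0477f3ee9dd3e43037e102d7039c79d9":
        ("Google Chrome", "com.havirtual06numberresources"),
}
# package name -> app name, for matching `pm list packages` output
BAD_PACKAGES = {pkg: app for app, pkg in OCTO2_IOCS.values()}

# Assumption for this example: only the Play Store is a trusted installer.
TRUSTED_INSTALLERS = {"com.android.vending"}

# One line of `pm list packages -3 -i` looks like:
#   package:com.example.app  installer=com.android.vending
# Sideloaded packages show "installer=null".
_PM_LINE = re.compile(r"^package:(?P<pkg>\S+)\s+installer=(?P<inst>\S+)\s*$")

# Constructed sample output (not from a real device).
SAMPLE_PM_OUTPUT = """\
package:com.android.chrome  installer=com.android.vending
package:com.handedfastee5  installer=null
package:com.example.sideload  installer=com.android.packageinstaller
"""


def sha256_file(path, chunk=1 << 20):
    """Stream-hash a file so large APKs do not have to fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()


def scan_apks(paths, iocs=OCTO2_IOCS):
    """Return [(path, sha256, app_name, package)] for files whose hash is an IOC."""
    hits = []
    for p in paths:
        digest = sha256_file(p)
        if digest in iocs:
            app, pkg = iocs[digest]
            hits.append((str(p), digest, app, pkg))
    return hits


def parse_pm_list(text):
    """Parse `pm list packages -i` output into {package: installer or None}."""
    result = {}
    for line in text.splitlines():
        m = _PM_LINE.match(line.strip())
        if not m:
            continue  # skip blank lines and anything that is not a package line
        inst = m.group("inst")
        result[m.group("pkg")] = None if inst == "null" else inst
    return result


def triage_packages(pkg_to_installer, bad=BAD_PACKAGES, trusted=TRUSTED_INSTALLERS):
    """Flag IOC package names and sideloaded third-party packages.

    Returns {"ioc": [(package, app_name)], "sideloaded": [(package, installer)]}.
    Feed it third-party packages only (`pm list packages -3 -i`); system apps
    also report installer=null and would otherwise drown the result in noise.
    """
    findings = {"ioc": [], "sideloaded": []}
    for pkg, inst in pkg_to_installer.items():
        if pkg in bad:
            findings["ioc"].append((pkg, bad[pkg]))
        if inst is None or inst not in trusted:
            findings["sideloaded"].append((pkg, inst))
    return findings


if __name__ == "__main__":
    # Usage: python octo2_triage.py [pulled.apk ...]
    # Replace SAMPLE_PM_OUTPUT with the real `adb shell pm list packages -3 -i` output.
    findings = triage_packages(parse_pm_list(SAMPLE_PM_OUTPUT))
    print("IOC package names :", findings["ioc"])
    print("Sideloaded        :", findings["sideloaded"])
    for hit in scan_apks(sys.argv[1:]):
        print("IOC hash match    :", hit)
```

A package-name or hash match is a strong signal; a sideloaded package on its own is only a lead, since the operators can rebuild Octo2 droppers with new names and hashes at will, so the sideloaded list is what to review by hand when the IOC columns come back empty.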
Thank you for reading! If you are interested in learning more about Android threats, see the article "Ngate Bug in Android: key to credit card scam" for more insights.

Mukesh Bhatt

Cybersecurity enthusiast, delving deep into the field of cybersecurity, learning and sharing knowledge gained through research and curiosity.
