8 Followers
47 Following
14 Posts
Reverse Engineer • Mobile Threat Researcher • Thought thinker • Sentence writer • Computer-er • Tweets are my own • Opinions my own

Italian 🇮🇹 bank Widiba is the latest victim of Copybara impersonation. Newer variants also now implement anti-debug checks to prevent running on an emulator. Some more variants impersonating an ISP and the Poste can be seen at an open directory.
C2: 45.86.231[.]15
Technical analysis here: https://www.zscaler.com/blogs/security-research/technical-analysis-copybara

#android #malware

Technical Analysis of Copybara | ThreatLabz

Copybara is an Android trojan with keylogging, audio & video recording, SMS hijacking, screen capturing, credential stealing, and remotely controlling an infected device.

Italian 🇮🇹 bank Hype is the latest victim of Copybara impersonation. Accessibility Service abuse continues. Technical analysis here: https://www.zscaler.com/blogs/security-research/technical-analysis-copybara
C2: 92.255.85[.]200
#Android #Malware

Noticed an <activity-alias> definition in an AndroidManifest.xml for the first time, and this particular case specifies android:enabled as false for the alias. Truly curious why an application (malicious in this case) would define an activity-alias if it didn't want it to be instantiated?

#Android
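A manifest triage check for the case in the post above, added here as an example and not code from the post's author: it parses a decoded AndroidManifest.xml (the sample manifest below is constructed, not taken from any real app) and lists every <activity-alias> declared with android:enabled="false", together with the activity it forwards to and the intent filters it carries. The Android behaviour it relies on, which the post does not state, is that a component disabled in the manifest can still be switched on at runtime through PackageManager.setComponentEnabledSetting, so a disabled alias is a dormant entry point the app may activate later rather than dead code, and a triage script should surface it.

```python
import xml.etree.ElementTree as ET

ANDROID_NS = "http://schemas.android.com/apk/res/android"
LAUNCHER = "android.intent.category.LAUNCHER"

# Constructed sample manifest (not taken from any real app): one ordinary
# launcher activity plus an alias for it that is disabled in the manifest.
SAMPLE_MANIFEST = """\
<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.sample">
  <application android:label="Sample">
    <activity android:name=".MainActivity" android:exported="true">
      <intent-filter>
        <action android:name="android.intent.action.MAIN"/>
        <category android:name="android.intent.category.LAUNCHER"/>
      </intent-filter>
    </activity>
    <activity-alias android:name=".HiddenAlias"
        android:targetActivity=".MainActivity"
        android:enabled="false"
        android:exported="true">
      <intent-filter>
        <action android:name="android.intent.action.MAIN"/>
        <category android:name="android.intent.category.LAUNCHER"/>
      </intent-filter>
    </activity-alias>
  </application>
</manifest>
"""


def _attr(elem, name, default=None):
    """Read an android:-namespaced attribute from a manifest element."""
    return elem.get("{%s}%s" % (ANDROID_NS, name), default)


def find_disabled_aliases(manifest_xml):
    """Return one record per <activity-alias> declared with android:enabled="false".

    Each record carries the alias name, the activity it forwards to, whether it
    is exported, and the intent filters it declares, so an analyst can see what
    the alias would respond to if the app enables it at runtime
    (PackageManager.setComponentEnabledSetting can flip a disabled component on).
    """
    root = ET.fromstring(manifest_xml)
    records = []
    for alias in root.iter("activity-alias"):
        if _attr(alias, "enabled", "true").lower() != "false":
            continue  # enabled aliases are ordinary entry points; not the case of interest
        filters = []
        for flt in alias.findall("intent-filter"):
            filters.append({
                "actions": [_attr(a, "name") for a in flt.findall("action")],
                "categories": [_attr(c, "name") for c in flt.findall("category")],
            })
        records.append({
            "alias": _attr(alias, "name"),
            "target": _attr(alias, "targetActivity"),
            "exported": _attr(alias, "exported", "false").lower() == "true",
            "launcher": any(LAUNCHER in f["categories"] for f in filters),
            "intent_filters": filters,
        })
    return records


def report(manifest_xml):
    """Render the findings as one line per disabled alias."""
    lines = []
    for rec in find_disabled_aliases(manifest_xml):
        flags = []
        if rec["launcher"]:
            flags.append("launcher entry")
        if rec["exported"]:
            flags.append("exported")
        lines.append("disabled alias %s -> %s (%s)" % (
            rec["alias"], rec["target"], ", ".join(flags) or "no flags"))
    return lines


if __name__ == "__main__":
    for line in report(SAMPLE_MANIFEST):
        print(line)
```

Run it against the output of apktool (or any other tool that gives you the manifest as text XML); the binary AXML inside an APK must be decoded first, which this script does not do.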

Yet another tale of Accessibility Service abuse. Sharing findings around a new #Copybara Android malware variant that impersonates financial institutions in Italy🇮🇹 and Spain🇪🇸 to exfiltrate credentials from unsuspecting victims. https://threatlabz.zscaler.com/blogs/security-research/technical-analysis-copybara #android #malware
Zscaler | ThreatLabZ

threatlabz

Nice presentation by Victor Chebyshev at @botconf on #LightSpy2, the next stage payload dropped by #DragonEgg and #Wrmspy attributed to APT41 https://youtu.be/dk-9X5FczPY?feature=shared #Botconf2024
LightSpy2 feature rich mobile surveillance tool set - Victor Chebyshev

YouTube
Fox IT researchers look into the development of the Vultur Android banker distributed through a dropper-framework called Brunhilda. In a recent campaign, the Brunhilda dropper is spread in a hybrid attack using both SMS and a phone call. https://blog.fox-it.com/2024/03/28/android-malware-vultur-expands-its-wingspan/
Android Malware Vultur Expands Its Wingspan

Authored by Joshua Kamp. Executive summary: The authors behind Android banking malware Vultur have been spotted adding new technical features, which allow the malware operator to further remotely int…

Fox-IT International blog
NCC Group's Joshua Kamp & Alberto Segura investigate the technical differences between two Android malware variants: Hook and ERMAC. https://research.nccgroup.com/2023/09/11/from-ermac-to-hook-investigating-the-technical-differences-between-two-android-malware-variants/
From ERMAC to Hook: Investigating the technical differences between two Android malware variants

Authored by Joshua Kamp (main author) and Alberto Segura. Summary: Hook and ERMAC are Android based malware families that are both advertised by the actor named “DukeEugene”. Hook is the latest vari…

NCC Group Research Blog
We've spotted the #LazarusGroup exploiting a vulnerability in the ManageEngine software to deliver two new trojans https://blog.talosintelligence.com/lazarus-quiterat/
Lazarus Group exploits ManageEngine vulnerability to deploy QuiteRAT

This is the third documented campaign attributed to this actor in less than a year, with the actor reusing the same infrastructure throughout these operations.

Cisco Talos Blog
Conference abstract/"paper" submissions littered with emojis - not "digging it"
From Google DNS to Tech Support Scam Sites: Unmasking the Malware Trail

Bad actors are elevating their malware campaigns by leveraging the DNS protocol to hide requests to their infrastructure. Learn how hackers are injecting malicious JavaScript to send requests to Google DNS, then using the responses to redirect users to tech support scams and adult websites.

Sucuri Blog
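A page-script triage check for the technique the Sucuri post summarises, added here as an example and not code from Sucuri or from the feed's author: it scans script text for calls to public DNS-over-HTTPS JSON endpoints (dns.google/resolve as in the post, plus cloudflare-dns.com and dns.quad9.net as comparable public resolvers, which are my addition) and raises the verdict when the same script also performs a TXT lookup and writes to a browser navigation sink. The three sample scripts are constructed for the demo, not captured from any site, and the endpoint list and verdict thresholds are assumptions to tune for your own environment.

```python
import re

# Public DNS-over-HTTPS JSON endpoints that browser-side JavaScript can call
# directly. The post describes dns.google; the other two are added here as
# comparable public resolvers (assumption, not from the post).
DOH_ENDPOINT_RE = re.compile(
    r"https?://(?:dns\.google|cloudflare-dns\.com|dns\.quad9\.net)"
    r"/(?:resolve|dns-query)[^\s\"']*",
    re.IGNORECASE,
)
# Client-side navigation sinks: assigning to location or calling replace/assign.
REDIRECT_SINK_RE = re.compile(
    r"(?:window\.|document\.)?location(?:\.href|\.replace\s*\(|\.assign\s*\(|\s*=[^=])",
    re.IGNORECASE,
)
# A TXT lookup (type=TXT or the numeric type 16) is the usual way to carry
# arbitrary text back inside a DNS answer.
TXT_QUERY_RE = re.compile(r"type=(?:TXT|16)\b", re.IGNORECASE)

# Constructed sample scripts (not taken from any real site).
SAMPLES = {
    "benign.js": "document.querySelector('#btn').addEventListener('click', () => alert('hi'));",
    "doh_only.js": (
        "fetch('https://cloudflare-dns.com/dns-query?name=example.com&type=A',"
        " {headers: {accept: 'application/dns-json'}}).then(r => r.json()).then(console.log);"
    ),
    "doh_redirect.js": (
        "fetch('https://dns.google/resolve?name=' + h + '&type=TXT')"
        ".then(r => r.json()).then(j => { window.location.href = j.Answer[0].data; });"
    ),
}


def scan_script(name, source):
    """Return a finding for a script that contacts a DoH JSON endpoint, else None.

    Verdicts: "review" when a DoH call stands alone (unusual in page scripts but
    not proof of anything); "suspicious" when the same script also performs a
    TXT lookup and writes to a navigation sink, the combination the post describes.
    """
    endpoints = DOH_ENDPOINT_RE.findall(source)
    if not endpoints:
        return None
    has_redirect = REDIRECT_SINK_RE.search(source) is not None
    txt_lookup = TXT_QUERY_RE.search(source) is not None
    verdict = "suspicious" if (has_redirect and txt_lookup) else "review"
    return {
        "script": name,
        "endpoints": endpoints,
        "redirect_sink": has_redirect,
        "txt_lookup": txt_lookup,
        "verdict": verdict,
    }


def scan_all(scripts):
    """Map script name -> verdict for every script that produced a finding."""
    verdicts = {}
    for name, source in scripts.items():
        finding = scan_script(name, source)
        if finding is not None:
            verdicts[name] = finding["verdict"]
    return verdicts


if __name__ == "__main__":
    for name, source in SAMPLES.items():
        print(name, scan_script(name, source))
```

Feed it the inline and external scripts of a site you maintain; because it matches string literals, it will miss URLs assembled at runtime or obfuscated, so treat a "review" verdict as a prompt to read the script, not as a clean bill of health.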