Threats Tagged 'keylogger'

A comprehensive analysis of 339 commands issued by a French-speaking threat actor nicknamed 'Poisson' over 33 days, targeting a French automotive small business and four French individuals. The attacker utilized a multi-stage fileless attack deploying a 70-line Python keylogger to harvest banking and email credentials. The operation leveraged free-tier infrastructure including Havoc C2 framework, Backblaze B2 storage, and DuckDNS. Most significantly, the attacker installed OpenSSH and Tailscale VPN on victim machines, creating persistent access that survived C2 server takedown. When the C2 went offline for 18 days, the attacker's access remained intact through the VPN mesh, demonstrating that VPN-mesh-based persistence is actively used in real-world intrusions and that traditional C2 takedown is insufficient for remediation.

MediumMalwareFrance#tailscale#rustdesk#poisson

A newly identified Android banking trojan named Rokarolla has been discovered, distributed through malicious websites masquerading as popular applications like TikTok or Google Chrome. The malware targets 217 distinct cryptocurrency and banking applications using 137 sophisticated commands for device control. Capabilities include harvesting lock screen credentials, exfiltrating contact lists and SMS data, deploying keyloggers, blocking calls, creating fraudulent screen overlays, and disabling Google Play Protect. The infection begins with a dropper impersonating Google Play Protect that installs a secondary payload. Rokarolla communicates with C2 infrastructure via HTTPS, uses overlays to steal banking credentials and device unlock patterns, silently monitors WhatsApp contacts, hijacks SMS and calls, manipulates clipboard content for cryptocurrency theft, and employs snapshot-based screen surveillance. It maintains persistence by hiding its icon, muting device audio, and keeping screens active indefinitely.