Introduction

The Mobile malware landscape has continuously evolving over the last few years, with many new actors joining a field that has been growing for almost a decade now. The introduction of simple and instant transactions via mobile attracted a myriad of new actors to this landscape.

Recently, we were able to identify a new strain of malware, originating from Brazil, which embodies this new wave of bankers, which we called Rocinante.

This malware family is capable of performing keylogging using the Accessibility Service, and is also able to steal PII from its victims using phishing screens posing as different banks. Finally, it can use all this exfiltrated information to perform Device takeover (DTO) of the device, by leveraging the Accessibility Service privileges to achieve full Remote Access on the infected device.

Key Takeaways

• Rocinante is active in Brazil and targets the majority of banking institutions from this region
• Rocinante is able to perform Keylogging, phishing attacks, and Remote Access Sessions on an infected device
• Rocinante uses a combination of Firebase messaging, HTTP traffic, Websocket traffic, and the Telegram API to register the infected device, exfiltrate the information, and perform Device Takeover
  
• The authors of Rocinante are influenced by developments in the threat landscape in other regions, adding parts of the source code of Ermac / Hook to their implementation

Rocinante or Pegasus?

it is clear from the the names of the Telegram bots that are used to collect the PII stolen by the malware or from the C2 endpoints paths used by the samples, that the actors behind this malware family refer to the bot as "Pegasus" or "PegasusSpy" internally. 

Adopting this name for the malware would be very confusing however. There is a very infamous Spyware family already called "Pegasus", developed by the NSO Group, which has been used to track and spy on journalists, lawyers, political dissidents, and human rights activists.

We want to clarify that the malware family that we are about to discuss has no ties with this existing malware family, and despite providing clear information on the victim, its capabilities as spyware are far inferior to the ones of NSO Group's Pegasus. Its targeting of Brazilian Banking institutions for financial gain also clearly differs from the existing Pegasus.

Considering the misunderstanding and confusion that would arise from adopting the name used by the actors behind this malware family, ThreatFabric analysts decided to assign another name to this malware family.

We will refer to this malware family in this article as "Rocinante", from the name of Don Quixote's horse. Just like its literary owner, Rocinante is aspiring to be something it is not, in this case a mythological winged horse.

DTO malware targeting Brazil

Features and Capabilities

C2 communication

Rocinante utilizes a combination of multiple different protocols and services to communicate information from the infected device.

Below are the protocols used:

The very first communication is initiated towards the Firebase messaging server, which registers the installations of the bot on the infected device and communicates a token that will be then be used in communication with one of the C2 servers later.

This token is used to correlate the unique ID used in the WebSocket communication with a specific installation of the malware.

The malware then contacts its first stage C2 server. This is done via a simple HTTP GET request, asking to upgrade the communication to use the WebSocket protocol. When this is successfully set up, the bot starts to communicate the keylogging data to its WebSocket server, and at the same time waits for commands to be executed.

The malware also utilises a third C2 server, which is used to communicate the installation token received from Firebase and correlate it with the ID used in the WebSocket communication:

GET /api/v1/Pegasus/InserirAtualizarToken?idUser=<WebSocketID>&Token=<FirebaseInstallationToken> HTTP/1.1
Host: <C2_Address>
Accept-Encoding: gzip, deflate, br
User-Agent: okhttp/4.9.2
Connection: keep-alive

From this URL we can also confirm that the naming used by criminals for this malware is indeed Pegasus.

The code base also contains other reachable paths, but they do not seem to be used currently. Based on the code and the path, we can infer the usage of these paths for future reference.

Endpoints

Keylogging, Phishing screens, and Exfiltration

Once the Accessibility Service privileges are granted, the malware starts actively logging everything that happens on the device.

Every time an event is fired, which means anytime anything happens on the UI, Rocinante logs in detail everything that is shown to the user on the UI.

Each event that is logged is then sent in the following format via the websocket channel:

{
   "top": <Coordinates from the top>,
   "bottom": <Coordinates from the bottom>,
   "left": <Coordinates from the left>,
   "right": <Coordinates from the right>,
   "centerX": <X Coordinates of the center of the element>,
   "centerY": <Y Coordinates of the center of the element>,
   "width": <Width>,
   "height": <Height>,
   "exactCenterX": <Exact X Coordinates of the center of the element>,
   "exactCenterY": <Exact Y Coordinates of the center of the element>,
   "text": <Text contained in the element>,
   "packageName": <Package name>,
   "className": <Class name>,
   "Visible": <Is the element visible>,
   "Focus": <Is the focus of the OS on this element>,
   "Password": <Is it a password Field>,
   "des": <Description of the text>,
   "clickable": <Is the element clickable>,
   "Enabled": <Is the element enabled>,
   "Checked": <Is the element checked>
}

In this way, the actors can effectively log any action or information that is shown to the victim on the screen of the infected device.

The most important information obtained by Rocinante, information obtained by the phishing pages, is processed directly on the client side, and sent using a different methodology. Each Rocinante sample is connected to a Telegram Bot whose job it is to receive the information about PII extracted from the bot.

The bot extracts the useful PII obtained using the bogus login pages posing as the target banks. It then publishes this information, formatted, into a chat that criminals have access to. The information slightly changes based on which fake login page was used to obtain it, and includes device information such as model and telephone number, CPF number, password, or account number:

Remote Actions

Another very important functionality of Rocinante, and something that is being actively developed by criminals, is the ability to perform remote actions on the infected device.

By leveraging the Accessibility Service privileges, this banker malware can simulate touches, gestures, and modify the text contained in EditText and MultiAutoCompleteTextView, which can be used to navigate the different UI screens on the infected device in order to initiate and then authorise fraudulent transactions.

The instructions on what to do are received from the C2 server via the WebSocket channel, and are listed  in the following section:

Commands

Ermac / Hook influence

Some of the older samples belonging to Rocinante date all the way back to December 2023. In the span of the last 6 months, Rocinante changed a large part of its code base: specifically, the section responsible for taking screenshots of the device's UI and part of the remote actions.

What is interesting is the fact that the previous implementation, present in the early versions of Rocinante, was actually taken from the Ermac family.

This is interesting because it is the first case in which we see a malware family taking advantage of the source code leak of Ermac / Hook that happened in 2023. In the past months we have seen a multitude of re-brandings of these families, managed by external actors and sold in hacking forums under different names. However, this is the first case in which an original malware family took the code from the leak and implemented just some part of it in their code.

Newer versions of Rocinante seem to have lost this part of the code. In some parts, the logic has been substituted with an alternative, like in the case of Screenshots, which are achieved in both versions, but with different techniques.

Some parts have been completely removed: this older code also contains the logic responsible for attacks towards cryptocurrency wallets, which is one of the main target groups of Ermac. This part is not present anymore in the more recent versions, while the usage of Telegram as a way to communicate the exfiltrated PII is only present in the latest versions.

It is also possible that these two versions are separate forks of the same initial project. However, we have not seen them being distributed at the same time, so at this time we are unable to prove or disprove either possibility. 

Conclusion

Despite featuring a relatively short list of samples, it is clear that Rocinante is currently under active development and has been already observed in the wild, targeting customers of Brazilian institutions.

With its keylogging, phishing, and remote access capabilities, it poses a significant risk to banking customers as their sensitive financial data, including account numbers, passwords, and transaction details, can be compromised. Once in possession of this information, malicious actors can initiate unauthorised transfers, and drain bank accounts. Additionally, the remote access capability allows attackers to maintain persistent control over the device, monitoring activities and potentially manipulating transactions in real time, further exacerbating the financial risk for unsuspecting customers.

The effort to hybridise this malware strain with code derived from leaked Ermac / Hook sources reveals a newfound curiosity among LATAM cybercriminals towards malicious activity originating outside their geographical area of interest. Historically, threat actors in LATAM primarily focused on the regional threat landscape, exhibiting little interest in external developments. This is also potentially a beginning of our predictions coming true: Ermac / Hook becoming the new “Cerberus” and the basis or source of inspiration for new threat actors and malware families.

Rocinante.A also serves an example of the vital set of capabilities for the modern banking malware that allows the criminals to perform their fraudulent operations even while the malware is in development stage, further enriching and driving development according to their interests.

IOCs

Samples

With Ermac / Hook Code

Without Ermac / Hook Code

Full list of targets

Supported Commands