TrickMo’s Return: Banking Trojan Resurgence With New Features – Cyble

TrickMo reemerged in 2023 as an enhanced Android banking Trojan, shifting from screen recording to overlay-based credential capture and using JsonPacker for obfuscation. It communicates with a C2 server at keepass.ltd (194.169.175.138) and targets a broad set of apps via HTML overlays and the Android Accessibility Service. #TrickMo #OnStream

Keypoints

  • TrickMo reappeared in September 2023 with overlay injection as the main credential-theft method, replacing earlier screen-recording approaches.
  • The latest variants incorporate JsonPacker for obfuscation and consistently contact a C2 server at hxxp://keepass[.]ltd/c, hosted on 194.169.175.138.
  • Attack surface expanded to 45 commands, including overlay management, runtime module loading, data exfiltration, and additional capabilities.
  • The malware leverages the Android Accessibility Service to automatically grant permissions and perform malicious actions without user interaction.
  • APK metadata shows the app disguised as OnStream, with the package name d2.d2.d2 and the associated overlay workflows.
  • The campaign uses HTML overlay injections against numerous target apps (wallets, banking apps, and popular services) to harvest credentials and data.

MITRE Techniques

  • [T1624.001] Event Triggered Execution: Broadcast Receivers – ‘The malware registered broadcast receivers to trigger malicious actions.’
  • [T1655.001] Masquerading: Match Legitimate Name or Location – ‘TrickMo masquerades as popular applications.’
  • [T1406.002] Obfuscated Files or Information: Software Packing – ‘Malware uses JsonPacker.’
  • [T1407] Download New Code at Runtime – ‘Malware downloads additional payloads on command.’
  • [T1629.001] Impair Defenses: Prevent Application Removal – ‘Abuses accessibility service to prevent uninstallation.’
  • [T1426] System Information Discovery – ‘Collects device information such as device ID, model, and manufacturer.’
  • [T1418] Software Discovery – ‘Collects installed application details.’
  • [T1417.001] Input Capture: Keylogging – ‘Uses a keylogging feature to steal credentials.’
  • [T1533] Data from Local System – ‘Collects files from storage.’
  • [T1636.004] Protected User Data: SMS Messages – ‘Steals SMS messages from the infected device.’
  • [T1646] Exfiltration Over C2 Channel – ‘Sends exfiltrated data to the C&C server.’

Indicators of Compromise

  • [Hash] TrickMo banking Trojan file hashes – 55554c599507947c5eb96264a7db9acaa65d2b42742b39b15686836d0fac2ba0, a03c968ed6f639f766cf562493a90ae7a61e909d99e098aea2abbbf607003337, and 2 more hashes.
  • [URL] C2 server – hxxp://keepass[.]ltd/c
  • [IP] C2 server – 194.169.175.138
  • [Hash] TrickMo banking trojan file hash – 43e19c7bbaf2d85c3952c4f28cb11ff3c711c3bb0d8396b2ac48a9d4efb955e8, 55e3647bb960f0faba06b39a5ddec26485f03c16, and 2 more hashes.
  • [Hash] TrickMo banking trojan dropper file hash – 65d7a2019922d8c97cdc38a2b0f1bb046bf0ec35780847ac5c8fb38469e6cd58, 381a8ba257c028e302d6db14170d8c000363d718, and 1 more.
  • [APK Package Name] d2.d2.d2 (OnStream) – APK metadata for the app disguised as OnStream (app name OnStream, package name d2.d2.d2).
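A defender-side triage check for the traits listed above, added here as an example (not Cyble's own tooling): it parses an AndroidManifest.xml for the report's package name and app label, flags the overlay-permission-plus-accessibility-service combination TrickMo relies on, and matches contacted hosts against the report's C2 indicators. The sample manifest and the host list are constructed.

```python
import xml.etree.ElementTree as ET

ANDROID = "{http://schemas.android.com/apk/res/android}"

# Indicators quoted from the report above
KNOWN_PACKAGES = {"d2.d2.d2"}
KNOWN_LABELS = {"OnStream"}
C2_HOSTS = {"keepass.ltd", "194.169.175.138"}

# The report ties two capabilities together: an overlay permission for the
# credential-capture windows and an accessibility service that lets the app
# act without user interaction. Declaring both is the behaviour to flag.
OVERLAY_PERM = "android.permission.SYSTEM_ALERT_WINDOW"
ACCESSIBILITY_PERM = "android.permission.BIND_ACCESSIBILITY_SERVICE"

# Constructed sample manifest mimicking the disguise the report describes
SAMPLE_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="d2.d2.d2">
  <uses-permission android:name="android.permission.SYSTEM_ALERT_WINDOW"/>
  <application android:label="OnStream">
    <service android:name=".AccService"
             android:permission="android.permission.BIND_ACCESSIBILITY_SERVICE"/>
  </application>
</manifest>"""


def triage_manifest(manifest_xml: str) -> dict:
    """Return package, label and a list of TrickMo-style findings."""
    root = ET.fromstring(manifest_xml)
    pkg = root.get("package", "")
    app = root.find("application")
    label = app.get(ANDROID + "label", "") if app is not None else ""
    perms = {p.get(ANDROID + "name") for p in root.iter("uses-permission")}
    acc_services = [s.get(ANDROID + "name") for s in root.iter("service")
                    if s.get(ANDROID + "permission") == ACCESSIBILITY_PERM]
    findings = []
    if pkg in KNOWN_PACKAGES:
        findings.append(f"known TrickMo package name {pkg}")
    if label in KNOWN_LABELS:
        findings.append(f"known TrickMo disguise label {label}")
    if OVERLAY_PERM in perms and acc_services:
        findings.append("overlay permission plus accessibility service "
                        + ", ".join(acc_services))
    return {"package": pkg, "label": label, "findings": findings}


def c2_contacts(hosts):
    """Reduce an iterable of contacted hosts to the report's C2 indicators."""
    return sorted({h.strip().lower() for h in hosts} & C2_HOSTS)
```

Run `triage_manifest` over manifests pulled from an APK (for example with apktool) and `c2_contacts` over DNS or proxy logs; a hit on the overlay-plus-accessibility finding alone is worth a manual look even when the package name has changed.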

Read more: https://cyble.com/blog/trickmos-return-banking-trojan-resurgence-with-new-features/