Trend Micro security researchers have uncovered a new malware family called Mangit (BKDR_MANGIT.SM), linked to the Brazilian hacking underground, where it’s peddled as a Banking-Trojan-as-a-Service offering.
Researchers say the malware is new and seems to be coded from the ground-up by a programmer from Northern Brazil named Ric.
The crook doesn’t limit the marketing of his tool only to the Dark Web, but also uses public Internet services such as YouTube.
Access to the Mangit infrastructure costs $600/ten days
Ric offers Mangit as two options. Crooks can rent the trojan’s infrastructure for $600 per ten days, or they can buy Mangit’s source code for around $8,800 (both prices converted from Brazilian Reals). A Skype username is also available if criminals want to negotiate a custom renting scheme.
Buyers get access to a control panel where they can manage their little portion of the Mangit botnet, the actual trojan, a dropper (to infect users and then download the trojan), an auto-update system, and the server infrastructure to run their attacks.
Trend Micro doesn’t believe Ric to be part of a larger crime syndicate. Brazil is famous of its, where crooks above all other sorts of malware.
Mangit targets only nine Brazilian banks
Ric’s Mangit malware comes with support for nine Brazilian banks, such as Citibank, BB, Sicredi, Sicoob, Itau, HSBC, Bradesco, Santander, and Caixa. Additionally, Mangit can also harvest user credentials for PayPal accounts, and various social media services.
According to Trend Micro’s technical analysis of the trojan’s mode of operation, the company says the trojan has integrated many RAT (Remote Access Trojan) features.
Mangit can collect banking credentials, but it can also allow crooks to interact with infected computers in real-time, serving custom screens and pop-up messages.
Mangit is a crossbreed between banking malware and RATs
Criminals can receive SMS alerts on their phones whenever a user is trying to access his bank account, and the crook can take over the user’s browser.
The attacker can lock the user’s browser page, asking users to wait, while he accesses the bank account and makes illegal transactions. If the bank uses two-factor authentication or transaction verification codes, crooks use Mangit to push browser popups in real-time, asking users for the codes they just received on their phones.
“This ability to carry out transactions from the victim’s machine remotely makes detecting fraud more difficult,” Trend Micro’s team. “Without an in-depth examination of the user’s system, it will appear that any transactions were carried out from the user’s PC (and therefore, by the actual client).”