Ransomware, Content

WannaLocker Malware Variant Combines Spyware, RAT, Banking Trojan

A security researcher has found a new variant of WannaLocker that combines a mobile lookalike of the notorious WannaCry ransomware, spyware, remote-access-Trojan (RAT) malware, and a banking Trojan all in one gruesome package.

Cyber crooks are deploying the potent ransomware in a campaign aimed at Brazilian banks and their Android mobile customers, anti-malware provider Avast said in a blog post. The cybersecurity researcher has dubbed the variant malware WannaHydra. To date, targeted banks include Santander, Itau and Banco do Brasil. It’s unclear how much, if any, money the attackers have demanded in ransom payment.

“We believe this is the first sighting of this new mobile version of WannaLocker,” said Nikolaos Chrysaidos, who heads Avast's mobile threat and security. “It harvests text information, call logs, phone number, and credit card information, and if it takes off it could be a very serious issue.” MSSPs will want to keep an eye out for this bug for sure.

WannaLocker emerged in 2017 concurrently with the WannaCry ransomware, which hit some 300,000 users worldwide. WannaHydra has the same UI as WannaCry, Chrysaidos said (via DarkReading.) "It has quite wide-ranging abilities to collect information and could be used to extract personal and financial information in addition to delivering the ransomware package," he said.

The banking Trojan works by showing users a fake interface and urging them to sign on to address an account issue. Once injected, the malware collects information such as the device manufacturer, call log, text messages, phone number, photos from front and back camera, contact list, GPS location, and microphone audio data. As with other versions, this iteration of WannaLocker can also encrypt files on an infected user’s external storage along with a ransom demand. This edition includes the design to do this and the message to show to the infected user, but appears to still be in development, Chrysaidos said. Researchers aren’t sure how WannaHydra initially infiltrates phones, but one possibility is through malicious links or third-party stores. (Hence, the caution by security experts to only download apps from trusted developers on certified app stores like Google Play.)

Here are ways to guard against banking trojans, according to Avast:

  • Confirm that the banking app you’re using is the official, verified version.
  • If anything looks awry or suddenly unfamiliar, check in with your bank’s customer service team.
  • Use two-factor authentication if it’s available.
  • Make sure you have a strong AI-powered mobile antivirus installed to detect and block this kind of tricky malware if it ever makes its way onto your system.
D. Howard Kass

D. Howard Kass is a contributing editor to MSSP Alert. He brings a career in journalism and market research to the role. He has served as CRN News Editor, Dataquest Channel Analyst, and West Coast Senior Contributing Editor at Channelnomics. As the CEO of The Viewpoint Group, he led groundbreaking market research.