Related Families: Brunhilda
Verticals Targeted: Financial
Executive Summary
Vultur is an Android banking malware. A new version of Vultur with updated features was recently discovered.
Key Takeaways
- Vultur is an Android banking malware.
- An updated version of Vultur was recently discovered.
- Added features include new commands to allow threat actors to remotely interact with a victim device and the addition of encrypted C2 communication.
- Vultur uses the Brunhilda dropper framework.
What is Vultur?
Vultur is an Android banking malware. NCC Group recently reported on an updated version of Vultur containing new features that allow threat actors to remotely interact with a victim device, as well as the addition of encrypted C2 communication.
Vultur has been active in the wild since March 2021. It is known as the first Android banking malware to have a screen recording feature. It facilitates keylogging and allows threat actors to interact with a compromised device. This allows threat actors to target banking apps. Vultur is distributed via the Brunhilda dropper framework, which is developed by the same threat actor.
The recently discovered Vultur variant is spread via a hybrid attack that leverages SMS and phone calls. The victim first receives a financial-themed SMS message claiming that an unauthorized transaction has taken place, which leads them to call a phone number. When the victim calls the number, a threat actor sends the victim a second SMS containing a link to the dropper, which masquerades as the McAfee Security app. The app is a trojanized version of the legitimate McAfee Security app containing the Brunhilda dropper.
The dropper uses three payloads to deploy Vultur. The second and third payloads work together to invoke each other’s functionality. Installation is complete when the victim device registers with the Brunhilda C2.
In the past three years, the threat actors behind Vultur have overhauled the malware, adding new features. Features added in the newest variant include the following capabilities:
- The ability to upload, download, delete, install, and find files
- The ability to control the victim device using Android Accessibility Services
- The ability to prevent apps from running
- The ability to display a custom notification in the status bar
- The ability to disable Keyguard to bypass lock screen security
Vultur has also improved its detection evasion and anti-analysis features. The new Vultur variant is able to modify legitimate apps. It uses native code to decrypt payloads and can spread malicious code over multiple payloads. Seven new C2 methods and 41 new Firebase Cloud Messaging commands have been added in this version. Most of these commands give the threat actor enhanced functionality to interact with the victim’s device. The new version of Vultur also encrypts C2 communication using AES encryption and Base64 encoding.
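A defender-side check for the sideloaded dropper and Accessibility Services abuse described above, added here as an example and not taken from the NCC Group report or PolySwarm tooling: it parses the output of `adb shell pm list packages -i` and `adb shell settings get secure enabled_accessibility_services` and flags enabled accessibility services whose package was not installed by a trusted store. The sample output, the `com.example.*` package names, and the trusted-installer set are constructed assumptions.

```python
# Added triage example; all sample data below is constructed, not from a real device.
TRUSTED_INSTALLERS = {"com.android.vending"}  # assumption: only Google Play is trusted

# Constructed output of: adb shell pm list packages -i
SAMPLE_PACKAGES = """\
package:com.example.screenreader  installer=com.android.vending
package:com.example.securityapp  installer=null
package:com.example.helper  installer=com.android.chrome
"""
# Constructed output of: adb shell settings get secure enabled_accessibility_services
SAMPLE_SERVICES = "com.example.screenreader/.ReaderService:com.example.securityapp/.core.AssistService"

def parse_installers(pm_output):
    """Map package name -> installer package (None when no installer is recorded)."""
    installers = {}
    for line in pm_output.splitlines():
        fields = line.strip().split()
        if not fields or not fields[0].startswith("package:"):
            continue
        installer = None
        for field in fields[1:]:
            if field.startswith("installer="):
                value = field[len("installer="):]
                installer = None if value in ("", "null") else value
        installers[fields[0][len("package:"):]] = installer
    return installers

def parse_accessibility_services(setting_value):
    """Return (package, class) pairs from the colon-separated component list."""
    value = setting_value.strip()
    if value in ("", "null"):  # setting unset: no services enabled
        return []
    return [tuple(c.split("/", 1)) for c in value.split(":") if "/" in c]

def flag_untrusted_services(pm_output, setting_value, trusted=TRUSTED_INSTALLERS):
    """List enabled accessibility services whose package lacks a trusted installer.

    Packages missing from the pm listing are flagged too (installer reported as None).
    """
    installers = parse_installers(pm_output)
    services = parse_accessibility_services(setting_value)
    return [(p, c, installers.get(p)) for p, c in services
            if installers.get(p) not in trusted]

if __name__ == "__main__":
    for pkg, cls, installer in flag_untrusted_services(SAMPLE_PACKAGES, SAMPLE_SERVICES):
        print(f"REVIEW {pkg}/{cls} installer={installer}")
```

A flagged entry is a lead for manual review, not a verdict: legitimately sideloaded accessibility tools will also appear.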
IOCs
PolySwarm has multiple samples of Vultur.
d3dc4e22611ed20d700b6dd292ffddbc595c42453f18879f2ae4693a4d4d925a
f4d7e9ec4eda034c29b8d73d479084658858f56e67909c2ffedf9223d7ca9bd2
7ca6989ccfb0ad0571aef7b263125410a5037976f41e17ee7c022097f827bd74
c646c8e6a632e23a9c2e60590f012c7b5cb40340194cb0a597161676961b4de0
You can use the following CLI command to search for all Vultur samples in our portal:
$ polyswarm link list -f Vultur