Security experts from Trend Micro have discovered a new malware family called Mangit. The newly-found malware is linked to the Brazilian hacking underground, where it’s peddled as a Banking-Trojan-as-a-Service offering.
According to the researchers, Mangit appears to have been written from scratch by a developer known as Ric, based in northern Brazil.
The author does not limit the marketing of his tool to the Dark Web; he also advertises it on public Internet services such as YouTube.
Ric offers Mangit in two forms. Criminals can either rent the trojan's infrastructure for $600 per ten days, or buy Mangit's source code for around $8,800 (both prices converted from Brazilian reais). A Skype username is also listed for anyone who wants to negotiate a custom rental arrangement.
Buyers get access to a control panel for managing their portion of the Mangit botnet, the trojan itself, a dropper (to infect victims and then download the trojan), an auto-update system, and the server infrastructure needed to run their attacks.
Trend Micro does not believe Ric is part of a larger crime syndicate. Brazil is known for its flourishing cyber-crime underground, where criminals specialize mostly in banking trojans.
Mangit supports nine banks operating in Brazil: Citibank, BB, Sicredi, Sicoob, Itau, HSBC, Bradesco, Santander, and Caixa. It can also harvest credentials for PayPal accounts and for several social media services.
Trend Micro's technical analysis of the trojan's mode of operation shows that it integrates many RAT (Remote Access Trojan) features.
Beyond collecting banking credentials, Mangit lets attackers interact with infected computers in real time, serving custom screens and pop-up messages.
Attackers can receive SMS alerts on their phones whenever a victim tries to access their bank account, and can then take over the victim's browser.
They can also lock the victim's browser page behind a message asking the user to wait while they access the bank account and make fraudulent transactions. If the bank uses two-factor authentication or transaction verification codes, the attackers use Mangit to push browser pop-ups in real time, asking the victim for the code they have just received on their phone.
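The weakness being exploited in that last step is that a code the victim reads off their phone is only as good as what it is bound to. The following is an added illustration written for this page in Python; it is not Mangit code, not part of Trend Micro's analysis, and not any bank's actual implementation. The customer secret, session id, payees, amounts and nonces are constructed, and the bank-side check is written two ways: a session OTP that authorises anything in the session, and a code keyed over payee, amount and a one-shot nonce.

```python
import hashlib
import hmac
from dataclasses import dataclass

# Constructed per-customer secret shared by the bank backend and the customer's
# token app. Illustration only; a real deployment provisions this securely.
CUSTOMER_SECRET = b"constructed-demo-secret-not-for-real-use"


def _six_digits(mac: bytes) -> str:
    # Fold the first four MAC bytes into a six-digit code (simplified HOTP-style truncation).
    return f"{int.from_bytes(mac[:4], 'big') % 1_000_000:06d}"


def session_otp(secret: bytes, session_id: str) -> str:
    """Code bound only to the login session; it says nothing about which transfer it authorises."""
    return _six_digits(hmac.new(secret, session_id.encode(), hashlib.sha256).digest())


@dataclass(frozen=True)
class Transfer:
    payee: str
    amount_cents: int
    nonce: str  # one-shot value the bank assigns to each transfer attempt


def transaction_code(secret: bytes, t: Transfer) -> str:
    """Code bound to payee, amount and nonce: it cannot authorise a different transfer."""
    msg = f"{t.payee}\x1f{t.amount_cents}\x1f{t.nonce}".encode()
    return _six_digits(hmac.new(secret, msg, hashlib.sha256).digest())


def sms_text(t: Transfer, code: str) -> str:
    """What the customer's phone shows; with bound codes it must name the transfer the code is for."""
    return f"Code {code} authorises R${t.amount_cents / 100:.2f} to {t.payee}. Not you? Ignore."


def bank_accepts_session_otp(session_id: str, submitted: str) -> bool:
    # The check never looks at the transfer, so any transfer in the session passes.
    return hmac.compare_digest(session_otp(CUSTOMER_SECRET, session_id), submitted)


def bank_accepts_transaction_code(t: Transfer, submitted: str, used_nonces: set) -> bool:
    # Reject replays first, then compare in constant time against the code for *this* transfer.
    if t.nonce in used_nonces:
        return False
    if not hmac.compare_digest(transaction_code(CUSTOMER_SECRET, t), submitted):
        return False
    used_nonces.add(t.nonce)
    return True


def run_scenario() -> dict:
    """Constructed scenario: the attacker controls the victim's browser, shows a pop-up asking
    for whatever code just arrived by SMS, and submits their own transfer from the victim's PC."""
    session = "sess-7f3a"                                                # constructed
    victim_transfer = Transfer("utility-company", 12_000, "n-victim")    # R$120.00
    attacker_transfer = Transfer("mule-account", 500_000, "n-attacker")  # R$5,000.00
    results = {}

    # 1. Session OTP: the victim types the code from the phone into the pop-up and the
    #    attacker reuses it for a transfer the victim never saw. The bank accepts it.
    phished = session_otp(CUSTOMER_SECRET, session)
    results["session_otp_accepts_attacker_transfer"] = bank_accepts_session_otp(session, phished)

    # 2. Bound code captured while the victim confirmed their own transfer: it does not
    #    verify for the attacker's payee and amount.
    used = set()
    captured = transaction_code(CUSTOMER_SECRET, victim_transfer)
    results["bound_code_rejected_for_other_transfer"] = not bank_accepts_transaction_code(
        attacker_transfer, captured, used)

    # 3. Attacker initiates the transfer themselves: the bank issues a code for *that* transfer
    #    and the SMS names the mule payee and amount. Binding cannot stop the victim from
    #    typing it, but the message now states what is being authorised.
    attacker_code = transaction_code(CUSTOMER_SECRET, attacker_transfer)
    results["sms_names_attacker_payee"] = "mule-account" in sms_text(attacker_transfer, attacker_code)
    results["bound_code_accepted_once"] = bank_accepts_transaction_code(attacker_transfer, attacker_code, used)

    # 4. The same code submitted again (same nonce) is a replay and is refused.
    results["replay_rejected"] = not bank_accepts_transaction_code(attacker_transfer, attacker_code, used)
    return results


if __name__ == "__main__":
    for name, outcome in run_scenario().items():
        print(f"{name}: {outcome}")
```

Binding the code to the transfer does not stop a victim from typing whatever the pop-up asks for; what it changes is that a captured code can neither be redirected to another payee nor replayed, and that the SMS on the phone, which the browser overlay cannot rewrite, names the payee and amount actually being authorised.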
“This ability to carry out transactions from the victim’s machine remotely makes detecting fraud more difficult,” Trend Micro’s team states. “Without an in-depth examination of the user’s system, it will appear that any transactions were carried out from the user’s PC (and therefore, by the actual client).”