Rocinante
Type of Malware | Trojan
Country of Origin | Brazil
Targeted Countries | Brazil
Date of Initial Activity | 2024
Motivation | Espionage
Attack Vectors | Phishing
Targeted Systems | Android
Type of Information Stolen | System Information
Overview
In the ever-evolving landscape of mobile malware, new threats continually emerge, targeting unsuspecting users and exploiting the growing dependence on smartphones for banking, transactions, and personal communication. One such threat, identified by cybersecurity researchers as Rocinante, is a sophisticated piece of malware that specifically targets users in Brazil. Named after the horse from the novel Don Quixote, the trojan, much like its literary namesake, aspires to be a formidable threat despite its relatively modest capabilities when compared to some of its more infamous counterparts.
Rocinante is designed with a primary focus on financial exploitation, using a variety of tactics to steal sensitive personal information. Operating in the shadows of Brazilian banking institutions, it employs sophisticated methods like keylogging, phishing screens, and device takeover to achieve its malicious goals. Once installed, it leverages Android’s Accessibility Service to monitor and record keystrokes, effectively capturing login credentials, bank details, and other private information from users. The malware is also capable of displaying fake login pages, posing as legitimate banking applications to trick victims into submitting sensitive data. With these stolen credentials, the attackers can gain unauthorized access to the victims’ financial accounts, leading to potential theft and fraud.
Targets
Individuals
Finance and Insurance
How they operate
At the core of Rocinante’s operation is its ability to request and abuse the Accessibility Service of Android devices. This service, typically designed to help users with disabilities, provides elevated privileges, allowing the malware to monitor and control almost every aspect of the device. By gaining these permissions, Rocinante can effectively log user keystrokes, capture screenshots, and manipulate the device’s UI without the user’s consent or knowledge. This makes it capable of performing comprehensive keylogging actions, which are crucial for stealing sensitive information like bank account credentials, credit card numbers, and other personally identifiable information (PII).
Once installed, Rocinante establishes a persistent presence on the infected device by using the Accessibility Service to monitor and log every UI event. This is especially effective for financial applications, where it can capture login credentials or any other user interactions related to banking apps. The malware does not rely on traditional static targets; instead, it adapts dynamically to different banking institutions by displaying phishing screens designed to look like the legitimate login pages of these institutions. This phishing capability allows Rocinante to collect personal information for financial fraud purposes.
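A defender-side triage check for the Accessibility Service abuse described above, added here as an example and not part of the original write-up. It parses the output of two adb queries (the sample output below is constructed; the package name `br.example.segurancabank`, the installer set and the service allowlist are assumptions to adjust per fleet) and flags any enabled accessibility service whose app was sideloaded rather than installed from a store, which is exactly the combination a phishing-delivered APK produces.

```python
"""Flag sideloaded apps that hold an enabled Android Accessibility Service.

Inputs are the raw text of:
  adb shell settings get secure enabled_accessibility_services
  adb shell pm list packages -i
"""
import re

# Installer packages treated as trusted stores (assumption; extend for your OEM).
STORE_INSTALLERS = {"com.android.vending", "com.sec.android.app.samsungapps"}

# Accessibility services expected on a managed device (assumption; allowlist).
KNOWN_SERVICES = {
    "com.google.android.marvin.talkback/com.google.android.marvin.talkback.TalkBackService",
}

# Constructed sample output: TalkBack from Play plus a sideloaded "security" app.
SAMPLE_SETTINGS = (
    "com.google.android.marvin.talkback/com.google.android.marvin.talkback.TalkBackService:"
    "br.example.segurancabank/.ProtectService"
)
SAMPLE_PM = """package:com.google.android.marvin.talkback  installer=com.android.vending
package:br.example.segurancabank  installer=null
package:com.android.settings  installer=null
"""


def parse_enabled_services(settings_value):
    """Split the colon-separated 'pkg/Service' list; 'null' means none enabled."""
    value = settings_value.strip()
    if not value or value == "null":
        return []
    return [svc for svc in value.split(":") if svc]


def parse_installers(pm_output):
    """Map package -> installer from 'package:<pkg>  installer=<name|null>' lines."""
    installers = {}
    for line in pm_output.splitlines():
        match = re.match(r"package:(\S+)\s+installer=(\S+)", line.strip())
        if match:
            pkg, installer = match.groups()
            installers[pkg] = None if installer == "null" else installer
    return installers


def flag_suspicious(settings_value, pm_output):
    """Return enabled services that are unknown AND belong to a non-store install."""
    installers = parse_installers(pm_output)
    flagged = []
    for svc in parse_enabled_services(settings_value):
        pkg = svc.split("/", 1)[0]
        installer = installers.get(pkg)  # None for sideloaded or unknown packages
        if svc not in KNOWN_SERVICES and installer not in STORE_INSTALLERS:
            flagged.append({"package": pkg, "service": svc, "installer": installer})
    return flagged
```

On a live device, pipe the two adb commands into `flag_suspicious` and review every hit together with the app's signing certificate and install time.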
Rocinante’s communication with its command-and-control (C2) infrastructure is carried out using a combination of Firebase messaging, WebSocket communication, HTTP traffic, and the Telegram API. After installation, the malware contacts a Firebase messaging server to receive an installation token, which is then used for further communication with the C2 servers. This token helps correlate the device’s identity with the malware’s WebSocket communication, creating a unique identification for the compromised device. The malware then initiates a secure WebSocket connection, enabling real-time communication between the malware and the C2 servers.
Through this WebSocket connection, Rocinante continuously transmits the keylogging data it captures from the infected device and listens for commands from the attacker. These commands can instruct the malware to perform various actions, such as stealing additional data, exfiltrating it, or executing remote commands to manipulate the device further. The malware’s ability to collect sensitive data in real time and send it to the attackers via secure communication channels makes it highly effective at exfiltrating PII for malicious use, including financial theft.
One of the key aspects of Rocinante’s operation is its remote access capabilities, which are triggered once the malware gains full control of the device. Through the Accessibility Service, the malware can execute remote actions, such as activating the device’s microphone or camera, or changing system settings to further facilitate its control. It can also deploy additional phishing screens to capture more sensitive data or block the victim from using their banking apps by mimicking legitimate login pages.
Rocinante also has the capability to adapt and scale its attacks by retrieving a dynamic target list from its C2 servers. This feature allows it to adjust its phishing tactics to target various banking institutions or to pause its attacks by taking down the C2 infrastructure temporarily. This dynamic nature is a key component of Rocinante’s operational flexibility, allowing attackers to maintain control over their campaigns without having to distribute entirely new malware variants.
The malware’s versatility is further underscored by its use of several exfiltration methods. Alongside direct WebSocket communication, Rocinante also sends data back to the C2 servers over HTTP requests. This multi-channel approach increases the likelihood that stolen data reaches the attackers even if one channel is disrupted. Additionally, the malware encrypts the exfiltrated information so that its contents are hidden from network monitoring tools, which makes the stolen data harder to trace back to its source.
MITRE Tactics and Techniques
Initial Access (T1071):
Phishing: Rocinante is distributed through phishing websites that trick users into installing a malicious APK masquerading as a security solution or a banking application. Once the APK is installed, the malware can carry out further actions on the device.
Execution (T1059):
Command and Scripting Interpreter: Rocinante uses various scripting capabilities to execute commands on the infected device, including controlling and manipulating processes remotely. It uses WebSockets for communication between the infected device and the command-and-control (C2) servers.
Persistence (T1071):
Accessibility Service Abuse: The malware exploits the Accessibility Service on Android devices, which allows it to maintain persistence. By requesting and receiving accessibility privileges, it ensures that it can continue running in the background and avoid detection or removal.
Privilege Escalation (T1068):
Accessibility Service Abuse: Through the abuse of Android’s Accessibility Service, Rocinante can escalate its privileges and gain full control over the infected device. This enables the malware to log user input, take over the device, and carry out further malicious activities without the user’s knowledge.
Collection (T1056):
Input Capture: Rocinante performs keylogging to capture sensitive user inputs, such as usernames and passwords for banking applications. It logs any UI event, capturing all data entered into the device, and then sends it to the C2 server via WebSocket.
Exfiltration (T1041):
Exfiltration Over Web Service: The malware exfiltrates stolen data, including login credentials and other sensitive information, using encrypted WebSocket channels and Firebase messaging. It sends this data back to the C2 servers, where it is stored for further exploitation.
Command and Control (C2) (T1071):
Application Layer Protocol: Rocinante uses a combination of Firebase messaging, HTTP traffic, WebSocket communication, and the Telegram API to set up command-and-control channels. These communication methods are designed to exfiltrate information and remotely control the device.
Impact (T1486):
Data Encrypted for Impact: Although primarily focused on financial theft, Rocinante may also be used to disable certain device functionalities or to obstruct the user’s ability to access banking applications by showing phishing screens or capturing credentials.