Threat actors have adopted the new Nexus banking trojan to target about 450 financial apps and execute fraud campaigns. This new banking trojan seems to be in its early development stage, showing incomplete capabilities.
Researchers explained that Nexus could provide the core tooling for performing Account Takeover (ATO) attacks against banking portals and crypto services; to that end, the new threat steals credentials and intercepts messages.
Hackers could use the Nexus banking trojan through a monthly subscription.
The Nexus banking trojan appeared in several hacking forums at the start of 2023. Its developers advertised the malicious tool as a subscription service to its customers for a monthly fee of approximately $3000.
Unfortunately, some researchers claim there are indications that the malware was already targeting various entities as early as June last year. That first alleged attack came six months before its official release on the underground markets.
A security researcher confirmed that the malware authors run a Telegram channel and that most Nexus infections occurred in Turkey. The new trojan overlaps with another banking malware called SOVA: the two strains appear to share parts of their source code, and both include a ransomware module that is continually being improved.
Experts also noted that Nexus could be the same malware as Cleafy, a new variant of SOVA released in August last year.
The most notable thing about this new malware is that its author imposed specific rules prohibiting users from deploying Nexus in several countries, such as Kazakhstan, Kyrgyzstan, Moldova, Armenia, Belarus, Russia, Azerbaijan, Tajikistan, Ukraine, Uzbekistan, and Indonesia.
Like other banking threats, the Nexus malware includes tools to take over accounts related to banking and crypto services through overlay attacks and keylogging to steal users’ credentials. Furthermore, the newly discovered threat could read 2FA codes from messages and the Google Authenticator application through Android’s accessibility services.
Researchers indicated that the malware authors added a new list of functionalities like removing received SMS messages, starting or stopping its 2FA module, and updating itself by pinging its command-and-control server.
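Because the 2FA and SMS theft described above relies on the accessibility API, a quick triage step on a managed Android device is to list which apps hold an enabled accessibility service and flag any that are not expected. The check below is an added example, not code from the article or from the researchers it cites; it assumes the value has been pulled with `adb shell settings get secure enabled_accessibility_services`, and the allowlist and sample entries are constructed.

```shell
#!/bin/sh
# Flag enabled Android accessibility services whose package is not on an allowlist.
# Input mirrors the output of:
#   adb shell settings get secure enabled_accessibility_services
# i.e. colon-separated "package/ServiceClass" entries.

# Packages allowed to hold an accessibility service (assumption; adjust per fleet).
ALLOWED_PACKAGES="com.google.android.marvin.talkback com.android.settings"

# Constructed sample values, not taken from a real device.
SAMPLE_CLEAN="com.google.android.marvin.talkback/com.google.android.marvin.talkback.TalkBackService"
SAMPLE_SUSPECT="${SAMPLE_CLEAN}:com.example.flashlight/com.example.flashlight.AccService"

# Prints each unexpected entry; returns 0 if all entries are allowed, 1 otherwise.
check_accessibility_services() {
    services=$1
    status=0
    # Split the colon-separated list into positional parameters, then restore IFS.
    old_ifs=$IFS
    IFS=':'
    set -- $services
    IFS=$old_ifs
    for entry in "$@"; do
        [ -z "$entry" ] && continue
        pkg=${entry%%/*}            # package name precedes the first "/"
        case " $ALLOWED_PACKAGES " in
            *" $pkg "*) ;;          # known-good owner, nothing to report
            *)
                printf 'UNEXPECTED accessibility service: %s\n' "$entry"
                status=1
                ;;
        esac
    done
    return $status
}

# Stand-alone demo: the suspect sample should produce one finding.
check_accessibility_services "$SAMPLE_SUSPECT" || echo "review the entries above"
```

On a real device, pipe the `adb` output into the function and treat any finding as a lead for further triage rather than a verdict.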
