Chameleon Unleashed: The Silent Predator of Mobile Banking

Tags: ChameleonTrojan, AndroidMalware, BankingTrojan, MobileSecurity

The Chameleon malware, initially targeting general Android users, has now evolved to impersonate CRM applications, specifically aiming at employees. This sophisticated banking trojan uses advanced tactics to infiltrate and exploit corporate environments, posing significant risks to financial and personal data security.

Hashes                                                            Source    Last Update
153410238d01773e5c705c6d18955793bd61cb2e82c5c7656e74563bb43b3ffa  SOCRadar  2024-08-28
0a6ffd4163cd96d7d262be5ae7fa5cfc3affbea822d122c0803379d78431e5f6  SOCRadar  2024-08-28
2211c48a4ace970e0a9b3da75ac246bd9abaaaf4f0806ec32401589856ea2434  SOCRadar  2024-08-28
15569757171999c15ac7ab7248bb75efb9bcb7a273c5fe4e59fde2d7582e0e0d  SOCRadar  2024-08-28

MITIGATION

T1055 - Process Injection

ID  Mitigation: Description

M1040 Behavior Prevention on Endpoint: Some endpoint security solutions can be configured to block some types of process injection based on common sequences of behavior that occur during the injection process. For example, on Windows 10, Attack Surface Reduction (ASR) rules may prevent Office applications from code injection. [85]

M1026 Privileged Account Management: Utilize Yama (ex: /proc/sys/kernel/yama/ptrace_scope) to mitigate ptrace based process injection by restricting the use of ptrace to privileged users only. Other mitigation controls involve the deployment of security kernel modules that provide advanced access control and process restrictions such as SELinux, grsecurity, and AppArmor.

T1562 - Impair Defenses

ID  Mitigation: Description

M1047 Audit: Routinely check account role permissions to ensure only expected users and roles have permission to modify defensive tools and settings.

M1038 Execution Prevention: Use application control where appropriate, especially regarding the execution of tools outside of the organization's security policies (such as rootkit removal tools) that have been abused to impair system defenses. Ensure that only approved security applications are used and running on enterprise systems.

M1022 Restrict File and Directory Permissions: Ensure proper process and file permissions are in place to prevent adversaries from disabling or interfering with security/logging services.

M1024 Restrict Registry Permissions: Ensure proper Registry permissions are in place to prevent adversaries from disabling or interfering with security/logging services.

M1054 Software Configuration: Consider implementing policies on internal web servers, such as HTTP Strict Transport Security, that enforce the use of HTTPS/network traffic encryption to prevent insecure connections.[4]

M1018 User Account Management: Ensure proper user permissions are in place to prevent adversaries from disabling or interfering with security/logging services.

T1566 - Phishing

ID  Mitigation: Description

M1049 Antivirus/Antimalware: Anti-virus can automatically quarantine suspicious files.

M1047 Audit: Perform audits or scans of systems, permissions, insecure software, insecure configurations, etc. to identify potential weaknesses.

M1031 Network Intrusion Prevention: Network intrusion prevention systems and systems designed to scan and remove malicious email attachments or links can be used to block activity.

M1021 Restrict Web-Based Content: Determine if certain websites or attachment types (ex: .scr, .exe, .pif, .cpl, etc.) that can be used for phishing are necessary for business operations and consider blocking access if activity cannot be monitored well or if it poses a significant risk.

M1054 Software Configuration: Use anti-spoofing and email authentication mechanisms to filter messages based on validity checks of the sender domain (using SPF) and integrity of messages (using DKIM). Enabling these mechanisms within an organization (through policies such as DMARC) may enable recipients (intra-org and cross domain) to perform similar message filtering and validation.[14][15]

M1017 User Training: Users can be trained to identify social engineering techniques and phishing emails.

T1059 - Command and Scripting Interpreter

ID  Mitigation: Description

M1049 Antivirus/Antimalware: Anti-virus can be used to automatically quarantine suspicious files.

M1040 Behavior Prevention on Endpoint: On Windows 10, enable Attack Surface Reduction (ASR) rules to prevent Visual Basic and JavaScript scripts from executing potentially malicious downloaded content [48].

M1045 Code Signing: Where possible, only permit execution of signed scripts.

M1042 Disable or Remove Feature or Program: Disable or remove any unnecessary or unused shells or interpreters.

M1038 Execution Prevention: Use application control where appropriate. For example, PowerShell Constrained Language mode can be used to restrict access to sensitive or otherwise dangerous language elements such as those used to execute arbitrary Windows APIs or files (e.g., Add-Type).[49]

M1026 Privileged Account Management: When PowerShell is necessary, consider restricting PowerShell execution policy to administrators. Be aware that there are methods of bypassing the PowerShell execution policy, depending on environment configuration.[50] PowerShell JEA (Just Enough Administration) may also be used to sandbox administration and limit what commands admins/users can execute through remote PowerShell sessions.[51]

M1021 Restrict Web-Based Content: Script blocking extensions can help prevent the execution of scripts and HTA files that may commonly be used during the exploitation process. For malicious code served up through ads, adblockers can help prevent that code from executing in the first place.

T1056 - Input Capture

This type of attack technique cannot be easily mitigated with preventive controls since it is based on the abuse of system features.

T1406 - Obfuscated Files or Information

This type of attack technique cannot be easily mitigated with preventive controls since it is based on the abuse of system features.


T1409 - Access Stored Application Data

ID  Mitigation: Description

M1006 Use Recent OS Version: Android 9 introduced a new security policy that prevents applications from reading or writing data to other applications' internal storage directories, regardless of permissions.

T1417 - Input Capture

ID  Mitigation: Description

M1012 Enterprise Policy: When using Samsung Knox, third-party keyboards must be explicitly added to an allow list in order to be available to the end-user.[2] An EMM/MDM can use the Android DevicePolicyManager.setPermittedAccessibilityServices method to set an explicit list of applications that are allowed to use Android's accessibility features.

M1006 Use Recent OS Version: The HIDE_OVERLAY_WINDOWS permission was introduced in Android 12, allowing apps to hide overlay windows of type TYPE_APPLICATION_OVERLAY drawn by other apps with the SYSTEM_ALERT_WINDOW permission, preventing other applications from creating overlay windows on top of the current application.[3]

M1011 User Guidance: Users should be wary of granting applications dangerous or privacy-intrusive permissions, such as keyboard registration or accessibility service access.

T1517 - Access Notifications

ID  Mitigation: Description

M1013 Application Developer Guidance: Application developers could be encouraged to avoid placing sensitive data in notification text.

M1012 Enterprise Policy: On Android devices with a work profile, the DevicePolicyManager.setPermittedCrossProfileNotificationListeners method can be used to manage the list of applications running within the personal profile that can access notifications generated within the work profile. This policy would not affect notifications generated by the rest of the device. The DevicePolicyManager.setApplicationHidden method can be used to disable notification access for unwanted applications, but this method would also block that entire application from running.[15]

M1011 User Guidance: Users should be wary of granting applications dangerous or privacy-intrusive permissions, such as access to notifications.

REMEDIATION


T1055 - Process Injection

ID  Data Source / Data Component: Detects

DS0022 File / File Metadata: Monitor for contextual data about a file, which may include information such as name, the content (ex: signature, headers, or data/media), user/owner, permissions, etc.

DS0022 File / File Modification: Monitor for changes made to files that may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges.

DS0011 Module / Module Load: Monitor DLL/PE file events, specifically creation of these binary files as well as the loading of DLLs into processes. Look for DLLs that are not recognized or not normally loaded into a process.

DS0009 Process / OS API Execution: Monitoring Windows API calls indicative of the various types of code injection may generate a significant amount of data and may not be directly useful for defense unless collected under specific circumstances for known bad sequences of calls, since benign use of API functions may be common and difficult to distinguish from malicious behavior. Windows API calls such as CreateRemoteThread, SuspendThread/SetThreadContext/ResumeThread, QueueUserAPC/NtQueueApcThread, and those that can be used to modify memory within another process, such as VirtualAllocEx/WriteProcessMemory, may be used for this technique.[86] Monitoring for Linux specific calls such as the ptrace system call should not generate large amounts of data due to their specialized nature, and can be a very effective method to detect some of the common process injection methods.[87] [88] [89] [90]

DS0009 Process / Process Access: Monitor for processes being viewed that may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges.

DS0009 Process / Process Metadata: Monitor for process memory inconsistencies, such as checking memory ranges against a known copy of the legitimate module.[91]

DS0009 Process / Process Modification: Monitor for changes made to processes that may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges.

T1562 - Impair Defenses

ID  Data Source / Data Component: Detects

DS0025 Cloud Service / Cloud Service Disable: Monitor logs for API calls to disable logging. In AWS, monitor for: StopLogging and DeleteTrail.[5] In GCP, monitor for: google.logging.v2.ConfigServiceV2.UpdateSink.[6] In Azure, monitor for az monitor diagnostic-settings delete.[7] Additionally, a sudden loss of a log source may indicate that it has been disabled.

DS0025 Cloud Service / Cloud Service Modification: Monitor changes made to cloud services for unexpected modifications to settings and/or data.

DS0017 Command / Command Execution: Monitor executed commands and arguments that may maliciously modify components of a victim environment in order to hinder or disable defensive mechanisms.

DS0027 Driver / Driver Load: Monitor for unusual/suspicious driver activity, especially regarding EDR and drivers associated with security tools as well as those that may be abused to disable security products.

DS0022 File / File Deletion: Monitor for missing log files on hosts and services with known active periods.

DS0022 File / File Modification: Monitor changes made to configuration files that contain settings for logging and defensive tools.

DS0018 Firewall / Firewall Disable: Monitor for changes in the status of the system firewall such as Windows Security Auditing events 5025 (The Windows firewall service has been stopped) and 5034 (The Windows firewall driver was stopped).

DS0018 Firewall / Firewall Rule Modification: Monitor for changes made to firewall rules for unexpected modifications to allow/block specific network traffic that may maliciously modify components of a victim environment in order to hinder or disable defensive mechanisms.

DS0009 Process / OS API Execution: Monitor for the abnormal execution of API functions associated with system logging.

DS0009 Process / Process Creation: Monitor newly executed processes that may maliciously modify components of a victim environment in order to hinder or disable defensive mechanisms.

DS0009 Process / Process Modification: Using another process or third-party tools, monitor for modifications or access to system processes associated with logging.

DS0009 Process / Process Termination: Monitor for unexpected deletions of a running process (ex: Sysmon EID 5 or Windows EID 4689) that may maliciously modify components of a victim environment in order to hinder or disable defensive mechanisms.

DS0012 Script / Script Execution: Any attempt to enable scripts running on a system would be considered suspicious. If scripts are not commonly used on a system, but enabled, scripts running out of cycle from patching or other administrator functions are suspicious. Scripts should be captured from the file system when possible to determine their actions and intent.

DS0013 Sensor Health / Host Status: Monitor logging, messaging, and other artifacts highlighting the health of host sensors (ex: metrics, errors, and/or exceptions from logging applications) that may maliciously modify components of a victim environment in order to hinder or disable defensive mechanisms. Lack of log events may be suspicious.

DS0019 Service / Service Metadata: Monitor contextual data about a service/daemon, which may include information such as name, service executable, and start type, that may maliciously modify components of a victim environment in order to hinder or disable defensive mechanisms.

DS0002 User Account / User Account Modification: Monitor for changes to account settings associated with users/tenants that may impact defensive logging capabilities, such as the Update User and Change User License events in the Azure AD audit log.[8]

DS0024 Windows Registry / Windows Registry Key Deletion: Monitor for unexpected deletion of Windows Registry keys that may maliciously modify components of a victim environment in order to hinder or disable defensive mechanisms.

DS0024 Windows Registry / Windows Registry Key Modification: Monitor Registry edits for modifications to services and startup programs that correspond to security tools.
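Detection logic for the Cloud Service Disable and Host Status rows above, written here as an added example (not code from the SOCRadar page or from MITRE): it matches normalised audit events against the API calls named in the guidance and flags log sources that have gone quiet. The event records and sensor names are constructed, and the Azure operation name Microsoft.Insights/diagnosticSettings/delete is assumed to be what "az monitor diagnostic-settings delete" produces in the activity log.

```python
"""Flag logging-disable API calls and silent log sources.

Constructed sample data only; the provider/event mapping follows the
'Cloud Service Disable' guidance (AWS StopLogging/DeleteTrail, GCP UpdateSink,
Azure diagnostic-settings delete).
"""
from datetime import datetime, timedelta, timezone

# API calls per provider that turn logging off. The Azure operation name is
# an assumption for what the CLI command records in the activity log.
LOGGING_DISABLE_CALLS = {
    "aws": {"StopLogging", "DeleteTrail"},
    "gcp": {"google.logging.v2.ConfigServiceV2.UpdateSink"},
    "azure": {"Microsoft.Insights/diagnosticSettings/delete"},  # assumed
}

# Constructed, provider-normalised audit events (not real telemetry).
SAMPLE_EVENTS = [
    {"provider": "aws", "event": "DescribeTrails", "actor": "auditor",
     "time": "2024-08-28T14:00:00Z"},
    {"provider": "aws", "event": "StopLogging", "actor": "contractor-x",
     "time": "2024-08-28T14:05:00Z"},
    {"provider": "gcp", "event": "google.logging.v2.ConfigServiceV2.UpdateSink",
     "actor": "svc-deploy@example.iam", "time": "2024-08-28T14:07:00Z"},
    {"provider": "azure", "event": "Microsoft.Insights/diagnosticSettings/write",
     "actor": "ops-admin", "time": "2024-08-28T14:09:00Z"},
]


def parse_ts(s):
    """Parse the ISO-8601 'Z' timestamps used in the constructed events."""
    return datetime.strptime(s, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def find_logging_disable(events):
    """Return the events whose API call is a known logging-disable operation."""
    return [ev for ev in events
            if ev["event"] in LOGGING_DISABLE_CALLS.get(ev["provider"], set())]


def silent_sources(last_seen, now, max_gap=timedelta(minutes=30)):
    """Return log sources whose latest record is older than max_gap.

    last_seen maps source name -> datetime of its most recent event; a source
    that normally emits continuously but stops is the 'sudden loss' signal.
    """
    return sorted(src for src, ts in last_seen.items() if now - ts > max_gap)


# Constructed last-seen table for three log sources / host sensors.
LAST_SEEN = {
    "cloudtrail-prod": parse_ts("2024-08-28T14:05:00Z"),
    "gcp-sink-sec": parse_ts("2024-08-28T14:50:00Z"),
    "edr-host-17": parse_ts("2024-08-28T13:10:00Z"),
}

if __name__ == "__main__":
    for ev in find_logging_disable(SAMPLE_EVENTS):
        print("ALERT logging disabled:", ev["provider"], ev["event"], "by", ev["actor"])
    print("silent sources:", silent_sources(LAST_SEEN, parse_ts("2024-08-28T15:00:00Z")))
```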

T1566 - Phishing

ID  Data Source / Data Component: Detects

DS0015 Application Log / Application Log Content: Monitor for third-party application logging, messaging, and/or other artifacts that may send phishing messages to gain access to victim systems. Filtering based on DKIM+SPF or header analysis can help detect when the email sender is spoofed.[14][15] URL inspection within email (including expanding shortened links) can help detect links leading to known malicious sites. Detonation chambers can be used to detect these links and either automatically go to these sites to determine if they're potentially malicious, or wait and capture the content if a user visits the link. Monitor call logs from corporate devices to identify patterns of potential voice phishing, such as calls to/from known malicious phone numbers. Correlate these records with system events.

DS0022 File / File Creation: Monitor for newly constructed files from phishing messages to gain access to victim systems.

DS0029 Network Traffic / Network Traffic Content: Monitor and analyze SSL/TLS traffic patterns and packet inspection associated with protocol(s) that do not follow the expected protocol standards and traffic flows (e.g. extraneous packets that do not belong to established flows, gratuitous or anomalous traffic patterns, anomalous syntax, or structure). Consider correlation with process monitoring and command line to detect anomalous process execution and command line arguments associated with traffic patterns (e.g. monitor anomalies in use of files that do not normally initiate connections for respective protocol(s)). Filtering based on DKIM+SPF or header analysis can help detect when the email sender is spoofed.[14][15]

DS0029 Network Traffic / Network Traffic Flow: Monitor network data for uncommon data flows. Processes utilizing the network that do not normally have network communication or have never been seen before are suspicious.

T1059 - Command and Scripting Interpreter

ID  Data Source / Data Component: Detects

DS0017 Command / Command Execution: Monitor command-line arguments for script execution and subsequent behavior. Actions may be related to network and system information Discovery, Collection, or other scriptable post-compromise behaviors and could be used as indicators of detection leading back to the source script. Scripts are likely to perform actions with various effects on a system that may generate events, depending on the types of monitoring used.

DS0011 Module / Module Load: Monitor for events associated with scripting execution, such as the loading of modules associated with scripting languages (ex: JScript.dll or vbscript.dll).

DS0009 Process / Process Creation: Monitor log files for process execution through command-line and scripting activities. This information can be useful in gaining additional insight to adversaries' actions through how they use native processes or custom tools. Also monitor for loading of modules associated with specific languages.

DS0009 Process / Process Metadata: Monitor contextual data about a running process, which may include information such as environment variables, image name, user/owner, or other information that may reveal abuse of system features. For example, consider monitoring for Windows Event ID (EID) 400, which shows the version of PowerShell executing in the EngineVersion field (which may also be relevant to detecting a potential Downgrade Attack) as well as whether PowerShell is running locally or remotely in the HostName field. Furthermore, EID 400 may indicate the start time and EID 403 indicates the end time of a PowerShell session.[52]

DS0012 Script / Script Execution: Any attempt to enable scripts running on a system would be considered suspicious. If scripts are not commonly used on a system, but enabled, scripts running out of cycle from patching or other administrator functions are suspicious. Scripts should be captured from the file system when possible to determine their actions and intent.
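The EID 400/403 guidance in the Process Metadata row, worked as an added example (not code from the page): parse the key=value details of the PowerShell engine events to surface EngineVersion and HostName, flag a v2 engine (downgrade) and remote sessions, and pair each session's start and end. The events are constructed to mirror the layout of the real ones; pairing 400/403 on RunspaceId and treating ServerRemoteHost as the remoting host name are assumptions.

```python
"""Triage PowerShell engine lifecycle events (EID 400 start, EID 403 end).

Constructed events only; they copy the tab-indented key=value 'Details'
layout of the real Windows PowerShell log entries.
"""
from datetime import datetime

# Constructed events: (event id, timestamp, message body).
SAMPLE_EVENTS = [
    (400, "2024-08-28T14:00:00", "Engine state is changed from None to Available.\n"
     "Details:\n\tNewEngineState=Available\n\tHostName=ConsoleHost\n"
     "\tEngineVersion=5.1.19041.1\n\tRunspaceId=aaaa-1111"),
    (400, "2024-08-28T14:02:00", "Engine state is changed from None to Available.\n"
     "Details:\n\tNewEngineState=Available\n\tHostName=ConsoleHost\n"
     "\tEngineVersion=2.0\n\tRunspaceId=bbbb-2222"),
    (400, "2024-08-28T14:03:00", "Engine state is changed from None to Available.\n"
     "Details:\n\tNewEngineState=Available\n\tHostName=ServerRemoteHost\n"
     "\tEngineVersion=5.1.19041.1\n\tRunspaceId=cccc-3333"),
    (403, "2024-08-28T14:10:00", "Engine state is changed from Available to Stopped.\n"
     "Details:\n\tNewEngineState=Stopped\n\tHostName=ConsoleHost\n"
     "\tEngineVersion=2.0\n\tRunspaceId=bbbb-2222"),
]


def parse_details(message):
    """Extract the key=value lines of an EID 400/403 message into a dict."""
    details = {}
    for line in message.splitlines():
        line = line.strip()
        if "=" in line:
            key, _, value = line.partition("=")
            details[key] = value
    return details


def flag_event(event_id, details):
    """Return the reasons an EID 400 event deserves attention (empty if none)."""
    reasons = []
    if event_id != 400:
        return reasons
    if details.get("EngineVersion", "").startswith("2."):
        reasons.append("PowerShell v2 engine (possible downgrade)")
    if details.get("HostName") == "ServerRemoteHost":  # assumed remoting host name
        reasons.append("remote session host")
    return reasons


def analyse(events):
    """Return (flags, sessions): flagged runspaces and (start, end) pairs."""
    flags, starts, sessions = {}, {}, {}
    for event_id, ts, message in events:
        details = parse_details(message)
        rid = details.get("RunspaceId", "?")
        reasons = flag_event(event_id, details)
        if reasons:
            flags[rid] = reasons
        when = datetime.fromisoformat(ts)
        if event_id == 400:
            starts[rid] = when
        elif event_id == 403 and rid in starts:  # pairing on RunspaceId (assumed)
            sessions[rid] = (starts[rid], when)
    return flags, sessions


if __name__ == "__main__":
    flags, sessions = analyse(SAMPLE_EVENTS)
    for rid, reasons in flags.items():
        print("FLAG", rid, "; ".join(reasons))
    for rid, (start, end) in sessions.items():
        print("session", rid, "lasted", end - start)
```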


T1056 - Input Capture

ID  Data Source / Data Component: Detects

DS0027 Driver / Driver Load: Monitor for unusual kernel driver installation activity.

DS0022 File / File Modification: Monitor for changes made to files for unexpected modifications to access permissions and attributes.

DS0009 Process / OS API Execution: Monitor for API calls to SetWindowsHook, GetKeyState, and GetAsyncKeyState. [7]

DS0009 Process / Process Creation: Monitor for newly executed processes conducting malicious activity.

DS0009 Process / Process Metadata: Verify integrity of live processes by comparing code in memory to that of corresponding static binaries, specifically checking for jumps and other instructions that redirect code flow.

DS0024 Windows Registry / Windows Registry Key Modification: Monitor for changes made to Windows Registry keys or values for unexpected modifications.

T1406 - Obfuscated Files or Information

ID  Data Source / Data Component: Detects

DS0041 Application Vetting / API Calls: Dynamic analysis, when used in application vetting, may in some cases be able to identify malicious code in obfuscated or encrypted form by detecting the code at execution time (after it is deobfuscated or decrypted). Some application vetting techniques apply reputation analysis of the application developer and can alert to potentially suspicious applications without actual examination of application code.

T1409 - Access Stored Application Data

ID  Data Source / Data Component: Detects

DS0041 Application Vetting / API Calls: Application vetting services could detect when applications store data insecurely, for example, in unprotected external storage.

T1417 - Input Capture

ID  Data Source / Data Component: Detects

DS0041 Application Vetting / Permissions Requests: Application vetting services can look for applications requesting the permissions granting access to accessibility services or application overlay.

DS0042 User Interface / System Settings: The user can view and manage installed third-party keyboards.

T1517 - Access Notifications

ID  Data Source / Data Component: Detects

DS0041 Application Vetting / Permissions Requests: Application vetting services can look for applications requesting the BIND_NOTIFICATION_LISTENER_SERVICE permission in a service declaration.

DS0042 User Interface / System Settings: The user can also inspect and modify the list of applications that have notification access through the device settings (e.g. Apps & notifications -> Special app access -> Notification access).
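A static vetting check covering the Permissions Requests rows of both T1417 and T1517, as an added example that is not code from the page: it parses a decoded AndroidManifest.xml and flags the overlay permission, any accessibility service and any notification listener, which are the capabilities Chameleon's CRM impersonation relies on. The manifest, its package name and its service names are constructed for the example.

```python
"""Flag manifest declarations that grant overlay, accessibility or
notification-listener capability (constructed manifest; no real app).
"""
import xml.etree.ElementTree as ET

ANDROID_NS = "http://schemas.android.com/apk/res/android"
A = "{%s}" % ANDROID_NS  # ElementTree key prefix for android:* attributes

# Permission that gates drawing over other apps (overlay phishing screens).
OVERLAY_PERMISSION = "android.permission.SYSTEM_ALERT_WINDOW"
# Bind permissions a <service> must declare to act as these system services.
SERVICE_BIND_PERMISSIONS = {
    "android.permission.BIND_ACCESSIBILITY_SERVICE": "accessibility service",
    "android.permission.BIND_NOTIFICATION_LISTENER_SERVICE": "notification listener",
}

# Constructed manifest of a hypothetical 'CRM' app requesting all three.
SAMPLE_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
          package="com.example.crmhelper">
  <uses-permission android:name="android.permission.INTERNET"/>
  <uses-permission android:name="android.permission.SYSTEM_ALERT_WINDOW"/>
  <application android:label="CRM Helper">
    <service android:name=".A11y"
             android:permission="android.permission.BIND_ACCESSIBILITY_SERVICE">
      <intent-filter>
        <action android:name="android.accessibilityservice.AccessibilityService"/>
      </intent-filter>
    </service>
    <service android:name=".Notif"
             android:permission="android.permission.BIND_NOTIFICATION_LISTENER_SERVICE">
      <intent-filter>
        <action android:name="android.service.notification.NotificationListenerService"/>
      </intent-filter>
    </service>
  </application>
</manifest>
"""


def vet_manifest(xml_text):
    """Return a sorted list of findings for the given manifest XML text."""
    root = ET.fromstring(xml_text)
    findings = []
    # <uses-permission> entries: look for the overlay permission.
    for up in root.iter("uses-permission"):
        if up.get(A + "name") == OVERLAY_PERMISSION:
            findings.append("overlay permission: " + OVERLAY_PERMISSION)
    # <service> entries: the android:permission attribute names the bind permission.
    for svc in root.iter("service"):
        perm = svc.get(A + "permission")
        if perm in SERVICE_BIND_PERMISSIONS:
            findings.append("%s: %s" % (SERVICE_BIND_PERMISSIONS[perm], svc.get(A + "name")))
    return sorted(findings)


if __name__ == "__main__":
    for finding in vet_manifest(SAMPLE_MANIFEST):
        print("FLAG", finding)
```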

CONCLUSION
The Chameleon banking trojan highlights the evolving sophistication of Android malware, now targeting employees of B2C businesses to access business banking accounts. With the rise of mobile banking products, especially for SMEs, cybercriminals are likely to exploit these avenues further. Financial organizations must educate their customers on the risks and implement measures to detect and prevent such threats.
Chameleon's advanced features, including impersonation of legitimate apps and disruption of biometric operations, underscore its threat. Understanding and addressing these evolving threats is essential for effective cybersecurity strategies.

History Timeline

  • Wed, 28 Aug 2024 15:29:48 GMT
    New IOC's Added

    Total 4 IOC's added.

  • Wed, 28 Aug 2024 15:08:01 GMT
    Created!

    New Campaign created.

  • Mon, 01 Jul 2024 00:00:00 GMT
    Chameleon Banking Trojan Masquerading as CRM App
    Chameleon began using an unusual masquerading technique, posing as a CRM app, specifically targeting Canadian hospitality employees.

  • Thu, 21 Dec 2023 00:00:00 GMT
    Emergence of New Chameleon Android Banking Trojan
    A new variant of the Chameleon banking trojan was discovered, showcasing advanced capabilities and targeting a broader range of victims.


  • Fri, 05 May 2023 00:00:00 GMT
    Chameleon Banking Trojan Targeting Italian Corporations
    Chameleon banking trojan began targeting Italian corporate entities, marking a significant development in its attack strategy.

