Advisory ID: ngCERT-2025-010005
Summary:
ngCERT has observed widespread Nymaim malware infections across Nigerian cyberspace. The malware, originally designed as a ransomware loader, has become a multi-functional threat capable of delivering a variety of malicious payloads, such as banking Trojans, ransomware, and remote access tools (RATs). Known for its stealthy and modular design, Nymaim uses advanced techniques to evade detection and maintain persistence on infected systems. By leveraging social engineering, advanced obfuscation, and modularity, Nymaim poses a significant threat to individuals and organizations. Defending against such threats requires a multi-layered approach, including regular software updates, user awareness, and advanced threat detection tools. As Nymaim continues to evolve, staying vigilant and proactive is essential to mitigate its impact.
Damage/Probability: CRITICAL/HIGH
Platform(s): Operating Systems
Description:
The Nymaim malware attack chain is a carefully crafted sequence of steps designed to infiltrate systems, evade detection, and achieve the attacker’s objectives. The initial stage leverages various entry points to compromise the target’s system; the most common attack vectors are phishing emails, drive-by downloads and compromised websites, after which the chain proceeds to execution and payload deployment. Upon execution, Nymaim decrypts and unpacks its malicious code, which is initially stored in an encrypted format so that the payload remains undetected during the early stages of infection. To maintain access, Nymaim modifies system settings, such as registry keys, to achieve persistence. It may also create scheduled tasks to ensure it runs every time the system starts, even after a reboot. Finally, Nymaim connects to a Command-and-Control (C2) server to download additional payloads tailored to the attacker’s objectives.
Consequences:
- Data Exfiltration
- Data Loss
- Secondary Payload Deployment
- System Disruption
- Financial Losses.
Solution:
ngCERT recommends the following:
- Keep all software and operating systems up to date.
- Regularly monitor network traffic for anomalous behavior.
- Train employees to identify phishing attempts and suspicious links.
- Make effective use of anti-malware software and firewall systems.
- Encourage prompt reporting of suspicious emails to IT teams.
- Notify stakeholders and comply with any regulatory requirements in case of a data breach.
References:
Advisory ID: ngCERT-2025-010004
Summary:
ngCERT is issuing an urgent security alert regarding the infiltration of ViperSoftX malware within Nigerian cyberspace. ViperSoftX is a JavaScript-based Remote Access Trojan (RAT) capable of stealing sensitive information like banking and cryptocurrency details while evading detection and analysis on an infected system. Cybercriminals distribute this malware through infected email attachments, malicious online advertisements, social engineering, and cracked software. When successfully deployed on a system, the Trojan could be used for several malicious activities, leading to system compromise, data exfiltration, financial losses, identity theft, and ransomware attacks. ngCERT advises individuals and organizations to protect their systems and data from ViperSoftX malware immediately.
Damage/Probability: CRITICAL/HIGH
Platform(s): Operating Systems
Description:
A ViperSoftX infection begins when cybercriminals lure unsuspecting victims into downloading malicious files from multimedia sites, cracked-software download points, eBooks, torrent sites, and malicious emails. Upon execution, ViperSoftX runs checks to avoid virtual environments and security monitoring, identifies installed antivirus tools to gauge the risk of detection, and runs a PowerShell script to download its core malicious components. Thereafter, the Trojan establishes two-way communication with its C2 servers to receive instructions and exfiltrate sensitive data. In summary, the attack process consists of an infection and delivery stage, anti-analysis and security-evasion procedures, PowerShell script execution, and the installation of a rogue browser extension such as VenomSoftX, which targets cryptocurrency wallets and password managers. These stages are aimed at stealing login credentials, cookies, and autofill data, allowing for a sweeping breach of user accounts and sensitive data. Through clipboard hijacking, ViperSoftX also detects valid wallet addresses copied by the user and replaces them with its own, thereby diverting any cryptocurrency transactions away from the intended recipient. It further extracts password manager data, which exposes the entire security framework of the victim’s system to further attacks.
Consequences:
Successful exploitation of the vulnerabilities could lead to:
- System compromise.
- Unauthorized access to sensitive data.
- Loss and theft of sensitive data.
- Reputation damage.
- Ransomware attacks.
- Financial loss.
Solution:
ngCERT recommends the following:
- Refrain from opening attachments in emails received unexpectedly from trustworthy users or from unreliable sources.
- Ensure that the operating system, applications, antivirus, and plugins on all assets/systems are up to date.
- Conduct regular system scans and remove detected/potential threats.
- Maintain regular data backups on external devices or with reputable cloud storage providers.
- Consider implementing stronger security measures, including firewalls, intrusion detection/prevention systems, anti-phishing solutions, and endpoint detection and response solutions including anti-malware software.
- Implement comprehensive security solutions, such as BitLocker, FileVault, and/or device encryption, on all necessary devices.
- Enforce a strong password policy and implement regular password changes.
- Disable unused services and open ports on your agency's servers and endpoint devices. Only open ports and activate services that are necessary for daily operations.
References:
- https://thehackernews.com/2023/04/vipersoftx-infostealer-adopts.html
- https://cujo.com/blog/vipersoftx-tracking-and-countering-a-persistent-threat/
- https://medium.com/@survivormansales/how-does-vipersoftx-work-75bbe179df23
Advisory ID: ngCERT-2024-0036
Summary:
ngCERT has observed the resurgence of the Tinybanker malware, also known as “Tinba” or “Zusy”, a sophisticated malware designed to steal sensitive banking information. This Trojan has been used to attack a large number of popular banking websites around the world. Threat actors infiltrate systems primarily through phishing attacks, malicious downloads, and compromised websites. Once inside, it can capture sensitive data, including login credentials and keystrokes, and allow attackers to gain unauthorized access to users' online banking accounts without their knowledge, using techniques such as Man-in-the-Browser (MITB) attacks, JavaScript injection, keylogging, and packet sniffing. At 20 KB, Tinybanker is the smallest known trojan, which makes it much harder to detect; because its source code has been published online, new iterations of the malware keep emerging, which makes it a very destructive malware strain. Individuals and organizations are advised to take immediate steps to protect their systems and data from Tinybanker malware threats.
Damage/Probability: CRITICAL/HIGH
Platform(s): Windows Operating Systems
Description:
The Tinybanker malware is small (20 KB) and stealthy, which makes it very difficult to detect. It is a modified version of the Zeus Trojan that infiltrates systems through phishing emails, compromised websites, and malicious links. It uses Man-in-the-Browser (MITB) attacks, JavaScript injection, keylogging, and packet sniffing to access victims' financial information. Once successfully deployed, it copies itself as bin.exe in the %AppData% folder. Depending on the infected system's details, different versions of Tinybanker may appear in various folders under random names and hide their activity by encrypting their memory. When the affected system restarts, bin.exe runs again, which keeps Tinybanker active. Tinybanker targets sensitive processes such as explorer.exe and svchost.exe on Windows. It can change settings in web browsers such as Internet Explorer and Firefox, turning off warnings and permitting HTTP content to be shown on HTTPS sites without alerts. Tinybanker encrypts its communication with its control server, uses four C&C domains to remain connected, and falls back on local configuration files if it cannot reach a server.
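The persistence artefacts named in the Nymaim advisory (Run keys and scheduled tasks) and in this Tinybanker advisory (a copy named bin.exe in %AppData% that runs again at restart) can be hunted with a read-only check. The script below is an added example, not part of any ngCERT advisory; it assumes only the bin.exe file name given above and treats any autorun or task that launches something from the AppData tree as worth reviewing.

```powershell
# Added example (not from the ngCERT advisories): read-only hunt for the
# AppData-based persistence described for Tinybanker and Nymaim.
# Assumption: the Tinybanker copy is named bin.exe directly under %AppData%.
$findings = @()

# 1. Tinybanker: a self-copy as bin.exe in %AppData%
$binPath = Join-Path $env:APPDATA 'bin.exe'
if (Test-Path $binPath) {
    $item = Get-Item $binPath
    $findings += [pscustomobject]@{
        Source = 'File'
        Detail = "$binPath ($($item.Length) bytes, modified $($item.LastWriteTime))"
    }
}

# 2. Nymaim/Tinybanker: Run-key values that launch a program from AppData
$runKeys = @(
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run',
    'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run'
)
foreach ($key in $runKeys) {
    if (-not (Test-Path $key)) { continue }
    $props = Get-ItemProperty -Path $key
    foreach ($p in $props.PSObject.Properties) {
        if ($p.Name -like 'PS*') { continue }   # skip PowerShell's own metadata properties
        if ("$($p.Value)" -match '(?i)appdata') {
            $findings += [pscustomobject]@{
                Source = $key
                Detail = "$($p.Name) = $($p.Value)"
            }
        }
    }
}

# 3. Nymaim: scheduled tasks whose action executes from AppData
foreach ($task in Get-ScheduledTask) {
    foreach ($action in $task.Actions) {
        $cmd = "$($action.Execute) $($action.Arguments)"
        if ($cmd -match '(?i)appdata') {
            $findings += [pscustomobject]@{
                Source = "Task $($task.TaskPath)$($task.TaskName)"
                Detail = $cmd
            }
        }
    }
}

if ($findings.Count -eq 0) {
    'No AppData-based persistence artefacts found.'
} else {
    $findings | Format-Table -AutoSize
}
```

A hit is a lead for triage, not a verdict: legitimate software also autostarts from AppData, and the advisory notes that Tinybanker variants may use random names and folders, so an empty result does not rule the malware out.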
Consequences:
Successful exploitation of the vulnerabilities could lead to:
- System compromise.
- Unauthorized access to sensitive data.
- Loss and theft of sensitive data.
- Reputation damage.
- Ransomware attacks.
- Financial loss.
- DDoS attacks.
Solution:
ngCERT recommends the following:
- Avoid downloading or opening attachments in emails received from untrusted sources or received unexpectedly from trusted users.
- Regularly monitor websites and systems for irregularities.
- Ensure that the operating system, applications, antivirus, and plugins on all assets/systems are up to date.
- Regularly back up data to external devices or reputable cloud storage providers.
- Consider implementing stronger security measures, including firewalls, intrusion detection/prevention systems, anti-phishing solutions, and endpoint detection and response solutions including anti-malware software.
- Enforce a strong password policy and implement regular password changes.
- Implement comprehensive security solutions, such as BitLocker, FileVault and/or device encryption, on all necessary devices.
- Disable unnecessary services and open ports on endpoint devices and servers within your agency. Only enable services and open ports that are essential for day-to-day operations.
References:
- https://www.memcyco.com/steps-to-protect-from-tiny-bankertrojan-tinba/
- https://cybeready.com/cyber-attacks/steps-to-protect-from-tinybanker-trojan-tinba
- https://www.imperva.com/learn/application-security/tinybanker-trojan-tbt-tinba/
- https://www.xenonstack.com/insights/virus-banking-trojantinba/
- https://www.wallarm.com/what/how-to-identify-and-preventtiny-banker-trojan
- https://securityintelligence.com/tinba-worlds-smallest-malwarehas-big-bag-of-nasty-tricks/
Advisory ID: NCC-CSIRT-122024-014
Summary:
NCC-CSIRT is aware of the reappearance of Nymaim, a sophisticated malware family known for its dual-stage infection process. It spreads through malicious emails and compromised websites and primarily delivers secondary payloads such as ransomware and banking Trojans. Initially identified around 2013, Nymaim has evolved, employing advanced evasion techniques to bypass security measures.
Damage/Probability: CRITICAL/HIGH
Platform(s): Windows Operating Systems
Description:
Nymaim is a sophisticated malware that primarily infiltrates systems through phishing emails with malicious attachments, compromised websites, and exploit kits targeting vulnerabilities in browsers and plugins. Once it successfully infects a system, it acts as a dropper, downloading and executing secondary payloads such as ransomware that encrypts user data or banking Trojans that steal financial information. To avoid detection, Nymaim employs advanced obfuscation techniques, disguising its code to evade security software, and uses anti-debugging methods to hinder analysis. This stealthy behavior allows Nymaim to operate undetected, causing severe disruption by compromising sensitive data and financial systems while spreading across connected devices.
Consequences:
Nymaim malware disrupts operations by encrypting files, stealing sensitive data, and enabling financial theft. It spreads across connected devices, causing reputational damage and significant economic losses due to ransom demands, recovery costs, and service interruptions.
Solution:
To mitigate the Nymaim malware threat, the following steps are recommended:
- Educate users about the dangers of opening unsolicited email attachments or clicking on unknown links.
- Implement robust email filtering to detect and block malicious attachments and links.
- Ensure all systems and applications are updated with the latest security patches to mitigate exploitable vulnerabilities.
- Deploy reputable antivirus and anti-malware solutions capable of detecting and preventing Nymaim infections.
- Maintain regular backups of critical data to facilitate recovery in case of ransomware encryption.
References:
Advisory ID: NTR-061224-01
Summary:
A new and sophisticated variant of the banking malware Grandoreiro has been identified, targeting financial institutions and individuals globally. Grandoreiro has gained new features and capabilities since it first appeared around 2016. This malware is deployed via phishing emails and malicious websites masquerading as cryptocurrency trading platforms, aiming to steal sensitive financial credentials, perform unauthorised transactions, and exfiltrate cryptocurrency wallet keys.
The malware employs advanced obfuscation techniques to evade detection and uses phishing tactics to lure victims into downloading trojanized installers. These installers contain payloads capable of intercepting two-factor authentication codes and mimicking legitimate banking app activities. This report highlights technical details, IOCs, and actionable steps to mitigate the threat.
Damage/Probability: CRITICAL/HIGH
Platform(s): Finance Apps
Description:
The new version of Grandoreiro has adopted a cryptographic technique known as Ciphertext Stealing (CTS), which it uses to encrypt the strings in its malicious code. “Grandoreiro has a large and complex structure, which would make it easier for security tools or analysts to detect if its strings were not encrypted. This is likely why they introduced this new technique to complicate the detection and analysis of their attacks.”
Grandoreiro has also adopted new tricks aimed at avoiding detection, such as the use of Domain Generation Algorithms (DGAs) in its command-and-control (C&C) communications to hide its C&C servers, Ciphertext Stealing (CTS) encryption, mouse-behaviour tracking, and advanced sandbox-evasion code. Key tactics include:
Delivery and Persistence: Delivered through spear-phishing emails with malicious links, it downloads as a Windows Installer (MSI) file. It executes embedded DLLs or VBS scripts to retrieve an encrypted payload, transitioning from XOR-based encryption to base64-encoded ZIP files. The malware registers itself on Windows startup for persistence.
Evasion Tactics: Grandoreiro employs advanced techniques to bypass security solutions like antivirus and banking security systems. These include sandbox evasion, binary padding with large BMP files, fraudulent digital certificates, and CAPTCHAs to impede automated analysis. Its C2 communications leverage Domain Generation Algorithms (DGAs) to hide C&C servers.
Encryption Enhancements: Adopting Ciphertext Stealing (CTS) encryption and robust anti-debugging methods in its loader phase complicates detection and analysis.
Credential Theft and Control: The malware monitors browser and email activity, collects host details, and hijacks clipboard content to replace cryptocurrency wallet addresses. Fake banking login screens capture credentials and 2FA codes, enabling attackers to control victims' accounts.
This highly adaptive malware remains a significant threat to financial institutions, combining credential theft, remote control capabilities, and evasion tactics to execute fraudulent activities undetected.
Consequences:
The discovered malware poses severe risks to both individuals and organizations:
- Financial loss arising from unauthorized transactions and stolen cryptocurrency assets.
- Data compromise, as leaked credentials can be sold or reused for broader attacks.
- In addition to financial theft, Grandoreiro can capture personal information that may be used for identity theft or sold on the dark web.
- Operational disruption, as persistent infections may hinder IT operations and require extensive remediation.
- Increased phishing exposure, as users redirected to fraudulent cryptocurrency websites may fall victim to further scams.
Solution:
The following steps are preventive measures that you could advise your constituents on to protect their infrastructure.
For Organizations:
- Educate employees on phishing attacks and safe browsing practices to reduce risks.
- Deploy advanced endpoint protection solutions that are confirmed to be effective against Grandoreiro and similar malware.
- Ensure all systems have up-to-date antivirus solutions.
- Block access to known malicious and suspicious domains.
- Regularly update all software, operating systems, and third-party applications to mitigate exploitation risks.
- Enforce strong password policies and implement multi-factor authentication (MFA) wherever possible.
For Individuals:
- Only interact with verified and legitimate cryptocurrency platforms. Check the domain's authenticity before entering sensitive information.
- Refrain from downloading installers or files from untrusted sources.
- Use updated security solutions on personal devices.
- Review financial and cryptocurrency accounts regularly for unauthorized activity.
- Keep encrypted backups of wallet keys and other sensitive data in offline storage.
References: