
XDR Use case: MTD & SOAR vs Hook RAT

Why do you need MTD protection?

It goes without saying that the widespread use of mobile phones considerably broadens the attack surface available to malicious actors. However, it is important to keep in mind that professional mobile phones are exposed to greater risks, in particular because they tend to be used for personal purposes as well, blurring the line between corporate and personal data.

Information stored on smartphones, such as location data or contact details, is highly sensitive. Professional phones can be entry points to confidential corporate files and can be targeted by espionage-oriented or profit-driven threat groups. Installing a cybersecurity protection on your mobile fleet is essential to keep full visibility on potential threats and vulnerabilities. TEHTRIS MTD detects and neutralizes any type of attack and suspicious behaviour in real time. Let’s have a look at how TEHTRIS MTD reacts to the recent threat Hook RAT (Remote Access Trojan).

About Hook RAT

Threat actor Duke Eugene, who is behind the creation of Ermac, an Android banking trojan, developed a new variant called Hook in January 2023. Hook is an enhanced version of Ermac: it includes RAT capabilities which allow the attacker to take control of the target’s device and to perform actions such as taking screenshots, scrolling or unlocking the device. As a banking trojan, it is capable of stealing credentials from a large number of banking and crypto apps. Other features include accessing the file list and geolocation of the device, as well as logging into WhatsApp and sending messages, thus spreading the malware to the target’s contacts. Hook has targeted institutions all over the world. The initial infection vector is the download of a malicious application from the Google Play Store or from WhatsApp.

How does the TEHTRIS XDR Platform protect you from Hook RAT?

TEHTRIS MTD secures professional mobile phones

With TEHTRIS MTD, every application downloaded onto a device is monitored and analysed. The MAST (Mobile Automated Security System) performs static and dynamic code security analysis of the applications installed across your device fleet, or of applications under development in your own organization.

In the case of Hook, MTD detects the malicious APK and raises an alert in the unified XDR Platform view used by the cybersecurity analysts:

From the XDR Platform, the malicious app can be remotely deleted to prevent further infection. This feature is available only when an MDM (Mobile Device Management) solution is in use.

TEHTRIS MTD also allows you to search for a specific APK across a mobile fleet, to ensure that no trace of Hook RAT remains. Good practice is to keep an eye on the applications present on the mobile fleet and to remove all applications flagged as malicious, as well as applications that should not be used in your professional context.

It is also recommended to enable TEHTRIS DNS Firewall in the MTD configuration to monitor and block malicious traffic from the devices. For instance, it can block communication between an infected device and the malware’s C2 server.

Implementing a SOAR scenario allows immediate action

Given the severity of the malicious activities that malware such as Hook RAT can perform, implementing a SOAR playbook in your XDR Platform to be alerted in real time is the best way to stay on top of your cybersecurity.

The following playbook example shows how to set up real-time alerts and automatic remediation. This scenario covers three actions:

  • the sending of an automatic email to the cyber analyst,
  • a prevention notification to the end user of the compromised device,
  • and a direct and automatic remediation on the infected device.
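The three-action scenario above, written out as a small playbook dispatcher. This is an added illustration, not TEHTRIS code: the alert fields, action names and sample device ids are assumptions, and it encodes the caveat stated earlier that remote removal is only possible through an MDM, falling back to an escalation when the device is not enrolled.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class MtdAlert:
    """Constructed shape of an MTD malicious-APK alert (assumed, not the product's schema)."""
    device_id: str
    package: str
    verdict: str        # "malicious" or "clean"
    threat_name: str
    mdm_enrolled: bool  # remote removal is only possible through an MDM

def run_hook_playbook(alert: MtdAlert, analyst_email: str, handled: set) -> list:
    """Return the actions the playbook would dispatch for one alert, as
    (action, target, detail) tuples. `handled` de-duplicates repeated alerts
    for the same device/package so remediation is not re-issued."""
    actions = []
    if alert.verdict != "malicious":
        return actions                       # playbook only fires on malicious verdicts
    key = (alert.device_id, alert.package)
    if key in handled:
        return actions                       # already remediated or escalated
    handled.add(key)
    # Action 1: automatic email to the cyber analyst
    actions.append(("email", analyst_email,
                    f"{alert.threat_name} detected on {alert.device_id}: {alert.package}"))
    # Action 2: prevention notification to the end user of the device
    actions.append(("notify_user", alert.device_id,
                    f"Malicious app {alert.package} detected; do not open it, removal in progress"))
    # Action 3: direct remediation needs an MDM; otherwise escalate for manual removal
    if alert.mdm_enrolled:
        actions.append(("mdm_uninstall", alert.device_id, alert.package))
    else:
        actions.append(("escalate", analyst_email,
                        f"{alert.device_id} is not MDM-enrolled, manual removal of {alert.package} required"))
    return actions

# Constructed sample alerts (placeholder device ids and package names, not real indicators)
SAMPLE_ALERTS = [
    MtdAlert("device-0001", "com.example.hook.sample", "malicious", "Hook RAT", True),
    MtdAlert("device-0001", "com.example.hook.sample", "malicious", "Hook RAT", True),   # duplicate
    MtdAlert("device-0002", "com.example.hook.sample", "malicious", "Hook RAT", False),  # no MDM
    MtdAlert("device-0003", "com.example.notes", "clean", "", True),
]

def run_all(alerts=SAMPLE_ALERTS, analyst_email="soc@example.invalid"):
    """Run the playbook over a batch of alerts, sharing one de-duplication set."""
    handled = set()
    return [run_hook_playbook(a, analyst_email, handled) for a in alerts]

if __name__ == "__main__":
    for result in run_all():
        for action, target, detail in result:
            print(action, target, detail)
```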

Example of a notification received on the compromised phone:

Thanks to this feature, the time needed to react to a cybersecurity alert is significantly reduced. This is especially useful given the shortage of human resources for 24/7 on-call duty, not to mention weekends and holidays.

Conclusion

Installed in a few seconds, the TEHTRIS MTD application offers unique protection by detecting and neutralizing in real time any type of attack and suspicious behaviour on your smartphones. Deploying TEHTRIS MTD on top of a Mobile Device Management (MDM) solution provides day-to-day protection and remediation for your mobile fleet against the various vectors of infection and compromise, such as smishing or malicious applications.

The TEHTRIS MTD solution was recognized as a Representative Vendor in the 2023 Market Guide for Mobile Threat Defense.

Check out our previous articles on mobile threats: Joker fleeceware or BRATA.

Sources:

TEHTRIS Threat Research weekly feeds 27/01/23