The Android banking Trojan Mamont is now being distributed on a number of websites that offer high-value goods for cheap to businesses and individuals.
This is the latest attempt by criminals to distribute Mamont, which had previously been disseminated via neighborhood chat groups or unknown messaging contacts.
Criminals have set up a dedicated private Telegram chat to instruct users to DM their agent to place an order. On delivery, no prepayment is required.
The criminals then send the victim a tracking number, along with a fake parcel-tracking app to download.
When installed, the Mamont banking Trojan requests permission to access a wide range of personal data. It also starts malicious services designed to harvest data useful for social engineering hacks to extract money, and to hijack users' push notifications.
The cybercriminals running this Mamont campaign exclusively target Android phone users in Russia.
Kaspersky Security Network (KSN) telemetry data consensually provided by users revealed more than 31,000 Mamont attacks disguised as a parcel-tracking app in October and November 2024.
In conclusion, businesses and individuals should avoid clicking on links from unknown sources, beware of generous offers and only download apps from trusted sources.
To prevent Mamont from infecting devices, Kaspersky recommends using a reliable security solution.
If you want to check for indicators of compromise, the C2 server is at apisys003[.]com, and the MD5 for the Mamont Trojan is 12936056e8895e6a662731c798b27333.
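An added example (not from the original report): a small sweep for the two indicators above, matching the C2 domain on whole DNS labels in a log and comparing APK file hashes. The log format, the sample log lines and all function names are constructed for illustration.

```python
import hashlib
import re
from pathlib import Path

# IoCs exactly as published in the article; the domain is refanged for matching.
C2_DOMAIN = "apisys003[.]com".replace("[.]", ".")
MAMONT_MD5 = "12936056e8895e6a662731c798b27333"

# Hostname-shaped tokens. Whole names are captured so suffix checks work on labels.
HOST_RE = re.compile(r"(?<![\w.-])([a-z0-9-]+(?:\.[a-z0-9-]+)+)(?![\w-])", re.I)

# Constructed sample resolver log (format and entries are illustrative only).
SAMPLE_DNS_LOG = [
    "2024-11-02T10:15:01Z client=10.0.0.5 query=play.google.com type=A",
    "2024-11-02T10:15:07Z client=10.0.0.7 query=apisys003.com type=A",
    "2024-11-02T10:15:09Z client=10.0.0.7 query=API.apisys003.com. type=A",
    "2024-11-02T10:15:12Z client=10.0.0.9 query=notapisys003.com type=A",
    "2024-11-02T10:15:20Z client=10.0.0.9 query=apisys003.com.example.net type=A",
]

def is_c2(host):
    """True for the C2 domain or any subdomain, not for lookalike names."""
    host = host.lower().rstrip(".")
    return host == C2_DOMAIN or host.endswith("." + C2_DOMAIN)

def scan_log(lines):
    """Return (line_number, host) for each log line that names the C2 domain."""
    hits = []
    for number, line in enumerate(lines, 1):
        # Also catch entries that were stored in defanged form.
        for host in HOST_RE.findall(line.replace("[.]", ".")):
            if is_c2(host):
                hits.append((number, host.lower()))
    return hits

def md5_of(path, chunk=1 << 20):
    """Stream a file through MD5 (used only because the published IoC is an MD5)."""
    digest = hashlib.md5(usedforsecurity=False)
    with open(path, "rb") as handle:
        for block in iter(lambda: handle.read(chunk), b""):
            digest.update(block)
    return digest.hexdigest()

def scan_apks(root):
    """Return paths of .apk files under root whose MD5 equals the Mamont sample."""
    return [p for p in sorted(Path(root).rglob("*.apk")) if md5_of(p) == MAMONT_MD5]

if __name__ == "__main__":
    for number, host in scan_log(SAMPLE_DNS_LOG):
        print(f"log line {number}: lookup of {host}")
    for apk in scan_apks("."):
        print(f"hash match: {apk}")
```

A single MD5 identifies only that one build of the app, so an empty result from `scan_apks` does not rule out other Mamont samples; the domain check covers any build that contacts the same server.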