On this page, I will post whitepapers and references for each work or blog post where I was personally involved. The goal of this page is to share additional information that I was not able to post directly on the main page for any reason (e.g., conference slides, work activities, etc.).

Operation drIBAN: insight from modern banking frauds behind Ramnit

In 2019, my colleagues from the Incident Response Team (TIR) at Cleafy and I observed and analyzed a persistent fraud operation that started around that time. It was hitting Italy and was leveraging an interesting infection chain, which Threat Actors (TAs) consolidated over the following years. During our research, we were able to discover the usage of an almost brand-new web-inject kit, dubbed drIBAN, for conducting banking frauds against Italian corporate banking clients.

Botconf 2023: slide

Cleafy Labs articles: part1, part2, part3

Nexus: a new Android botnet?

At the beginning of January 2023, a new Android banking botnet named Nexus was promoted by a user on multiple underground hacking forums. This article explores the history of this threat, its target countries, its main features, and its control panel.

Cleafy Labs article: here

PixPirate: a new Brazilian Banking Trojan

PixPirate belongs to the newest generation of Android banking trojans, as it can perform ATS (Automatic Transfer System), enabling attackers to automate the insertion of a malicious money transfer over the instant payment platform Pix, adopted by multiple Brazilian banks.

Cleafy Labs article: here

The Android Malware’s Journey: From Google Play to banking fraud

In recent years, the number of Android banking trojans has increased, and new techniques to perform banking fraud have been developed. Although most banking trojans are distributed via *ishing campaigns, TAs also use official app stores to deliver their malware using dropper applications, that is, applications designed to download malware onto the target device.

Cleafy Labs article: here

BRATA is evolving into an Advanced Persistent Threat

The Threat Actors behind BRATA now target one specific financial institution at a time, and change their focus only once the targeted victim starts to implement consistent countermeasures against them. Then they move away from the spotlight, to come back with a different target and different infection strategies. At first glance, this seems to be a good strategy with a significant payoff. However, it is also important to point out the effort and the planning needed to apply this pattern.

Cleafy Labs article: here