A new variant of the Octo mobile banking trojan, dubbed Octo2, has recently been detected in a series of attacks on European banks. Many fear that the trojan will extend beyond Europe, potentially impacting banking systems in other regions as cybercriminals continue to refine their tools.
Octo, also known as ExobotCompact, has become a dominant player in the mobile malware landscape. It has gained notoriety for its ability to facilitate remote device takeovers and siphon off sensitive banking credentials.
The discovery of Octo2, created by the same threat actor behind the original variant, suggests a calculated escalation in the malware’s capabilities.
When researchers further analysed the trojan, they found that the new variant of Octo2 builds upon its predecessor’s strengths, focusing on amplifying its ability to execute Device Takeover attacks with greater stability and precision.
These attacks enable hackers to gain full control over a compromised device, often leading to the financial theft of banking apps and accounts. The new variant has already been detected in active campaigns targeting multiple European countries, with the expectation that Octo2 will spread further as cybercriminals seek to exploit global vulnerabilities.
A particularly concerning feature of Octo2 is its use of advanced obfuscation techniques designed to evade traditional security measures. Among its more notable features is the introduction of a Domain Generation Algorithm (DGA), which allows the malware to generate new command-and-control (C2) domains dynamically.
This technique makes it increasingly difficult for cybersecurity teams to detect and block malicious communication channels, providing Octo2 with a stealthy edge over older versions.
Researchers have uncovered other alarming developments, in addition to mobile banking trojans like Octo2. Over 400 scam email addresses have been identified, highlighting the breadth of current phishing campaigns.
These scams range from fake donation offers to fraudulent investment proposals, all aimed at extracting personal information or financial assets from unsuspecting victims. For instance, the emails use subject lines such as ‘Dear winner!’ or ‘UN Compensation Fund,’ which attempt to lure victims with promises of money or aid.
Researchers have urged organisations to patch known vulnerabilities, regularly update passwords, and employ stronger access controls on critical servers.
In the News: YouTube reaches deal with SESAC to restore removed songs