If your organization relies on employee mobile devices or handles sensitive customer data, the last 48 hours have been critical. Between December 8th and 9th, threat intelligence researchers disclosed details on three aggressive new malware families and a sophisticated web-based campaign.
The common thread? Evasion. Whether it’s an Android banking trojan that performs transactions from the victim's device to bypass MFA, or a corporate desktop attack hiding inside legitimate websites, attackers are finding new ways to blend in.
Here is what you need to know about the threats active right now.
1. The Mobile Siege: Albiriox, FvncBot, and SeedSnatcher
Scope: Android Users, Banking Apps, Crypto Wallets
Just yesterday, researchers pulled the curtain back on a new wave of mobile malware that doesn’t just steal credentials—it takes full control.
Albiriox & FvncBot: The "On-Device" Fraudsters
The most dangerous evolution in current mobile malware is On-Device Fraud (ODF).
- The Threat: Albiriox (a Malware-as-a-Service) and the newly discovered FvncBot are banking trojans that use VNC (Virtual Network Computing) to remotely control a victim's phone.
- How It Works: Instead of stealing your password and logging in from a different computer (which triggers security alerts), the attacker logs in on your phone. They use the malware to tap, swipe, and approve transfers in real time.
- Targeting: FvncBot was spotted masquerading as a security app from mBank, specifically targeting Polish users, while Albiriox is targeting over 400 financial apps globally.
- Technical Note: FvncBot appears to be written completely from scratch, not recycled code, signaling a dedicated new development team is behind it.
SeedSnatcher: The Crypto Hunter
- The Threat: A specialized malware distributed via Telegram channels (often disguised as a "Coin" app).
- The Goal: It is laser-focused on stealing cryptocurrency recovery seed phrases and private keys.
- The Mechanism: It intercepts SMS messages to bypass 2FA and uses integer-based Command & Control (C2) codes to stay under the radar of network scanners.
2. The Web-Injection Trap: JS#SMUGGLER Campaign
Scope: Corporate Desktops, Windows Users, Web Browsing
While mobile users are fighting trojans, corporate desktops are facing a stealthy drive-by threat known as JS#SMUGGLER, detailed in reports released on December 9.
The Attack Vector:
A web-injection campaign where attackers are breaching legitimate, vulnerable websites (often WordPress-based) and injecting a malicious JavaScript loader (often named phone.js) into the site's code. This campaign is terrifyingly effective because it exploits trust.
The "Smuggling" Chain
The campaign gets its name from how it smuggles the payload past network defenses using a multi-stage chain initiated by the browser:
- The Profile: When a user visits the compromised site, the injected script profiles the device.
- The Handoff: If it detects a desktop environment, it silently downloads an HTA (HTML Application) file.
- The Execution: The HTA file uses the legitimate Windows tool mshta.exe to execute an encrypted PowerShell script.
- The Payload: This script downloads the NetSupport RAT (Remote Access Trojan), giving the attacker full remote control.
Why It Matters
Standard web filtering often misses this because the initial traffic comes from a legitimate, trusted website. The attack relies on the user simply visiting a page, with no need to download a file explicitly until the HTA triggers in the background.
For Corporate Network Defense:
- Hunt for mshta.exe: Since this is a drive-by attack, the initial indicator is often the browser spawning a child process. Tune your EDR (Endpoint Detection & Response) to alert specifically on mshta.exe being spawned by a browser (Chrome, Edge, Firefox) or executing scripts from temporary folders.
3. Actionable Defense: What to Do TODAY
This isn't just news; it's a call to action. Here are the immediate steps for Security Operations Centers (SOCs) and IT admins:
For Mobile Fleet Defense:
- Audit Accessibility Services: Both Albiriox and FvncBot rely on abusing Android's "Accessibility Services" to control the screen. Review your MDM (Mobile Device Management) policy to flag or block apps requesting this permission unexpectedly.
- Warn Users: Send a blast to employees specifically warning them about "fake security updates" or apps sent via Telegram.
For Corporate Network Defense:
- Hunt for mshta.exe: Tune your EDR (Endpoint Detection & Response) to alert on mshta.exe spawning PowerShell processes or making network connections. This is a hallmark of the JS#SMUGGLER campaign.
- Block IoCs: Block connections to known NetSupport C2 ports if your organization doesn't use the software legitimately.
- Check the "ProgramData" Folder: Scan endpoints for suspicious executables hiding in C:\ProgramData, specifically looking for the persistence mechanism disguising itself as WindowsUpdate.lnk.
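As an added example (not code from the report or from any EDR vendor), the following Python shows the mshta.exe hunting logic described in sections 2 and 3 run over a few constructed process-creation events; the event field names mirror Sysmon/EDR process-create records, and the browser names, temp-folder patterns and sample paths are assumptions for illustration.

```python
# Added example, not from the report: flag mshta.exe abuse in process-creation
# telemetry (Sysmon/EDR-style fields). Sample events below are constructed.
from dataclasses import dataclass

BROWSERS = {"chrome.exe", "msedge.exe", "firefox.exe"}
TEMP_HINTS = ("\\appdata\\local\\temp\\", "\\windows\\temp\\", "\\inetcache\\")

@dataclass
class ProcEvent:
    image: str         # full path of the created process
    parent_image: str  # full path of its parent
    cmdline: str       # command line of the created process

def _name(path: str) -> str:
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()

def classify(ev: ProcEvent) -> list[str]:
    """Return the names of the JS#SMUGGLER-style rules this event matches."""
    hits = []
    child, parent, cmd = _name(ev.image), _name(ev.parent_image), ev.cmdline.lower()
    if child == "mshta.exe" and parent in BROWSERS:
        hits.append("mshta_spawned_by_browser")      # drive-by handoff (section 2)
    if child == "mshta.exe" and any(h in cmd for h in TEMP_HINTS):
        hits.append("mshta_script_from_temp")        # HTA dropped to a temp folder
    if child in {"powershell.exe", "pwsh.exe"} and parent == "mshta.exe":
        hits.append("mshta_spawns_powershell")       # HTA -> PowerShell stage (section 3)
    return hits

def hunt(events: list[ProcEvent]) -> dict[str, list[str]]:
    """Map each rule name to the command lines that triggered it."""
    out: dict[str, list[str]] = {}
    for ev in events:
        for rule in classify(ev):
            out.setdefault(rule, []).append(ev.cmdline)
    return out

# Constructed telemetry: one benign admin HTA, then a browser -> mshta -> PowerShell chain.
SAMPLE = [
    ProcEvent(r"C:\Windows\System32\mshta.exe", r"C:\Windows\explorer.exe",
              r'mshta.exe "C:\Tools\inventory.hta"'),
    ProcEvent(r"C:\Windows\System32\mshta.exe",
              r"C:\Program Files\Google\Chrome\Application\chrome.exe",
              r'mshta.exe "C:\Users\u\AppData\Local\Temp\update.hta"'),
    ProcEvent(r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
              r"C:\Windows\System32\mshta.exe", "powershell.exe -w hidden -enc QUJD"),
]

if __name__ == "__main__":
    for rule, cmds in hunt(SAMPLE).items():
        print(rule, "->", cmds)
```

The benign admin-launched HTA matches no rule, which is the point of keying on parent process and script location rather than on mshta.exe alone.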
The Bottom Line:
The barrier to entry for high-end cybercrime is lowering. With "Malware-as-a-Service" like Albiriox and automated web-injection campaigns like JS#SMUGGLER, attackers are moving faster than ever. Stay vigilant, patch your systems, and keep your eyes on your logs.