
Android banking Trojan TrickMo evolves using TON network for C2

Security Affairs, 12/05/2026, 06:53

Summary

AI-Generated

Key Points:

  • A new variant of the TrickMo Android banking Trojan has moved its command-and-control (C2) channel onto The Open Network (TON) instead of conventional server and domain infrastructure, which makes the C2 endpoint harder to block, sinkhole, or take down and keeps the botnet reachable longer.
  • The campaign primarily targets users of banking and cryptocurrency wallet apps in France, Italy, and Austria; the operators can remotely control infected devices and route further network activity through them.
  • Security teams should monitor for TrickMo indicators as they are published, enforce mobile device management (MDM) policy on corporate devices, and treat an accessibility-service grant to an unfamiliar app as a high-risk signal, since that permission is what lets the Trojan read screens and inject input.
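The accessibility-permission check in the last point can be automated on a device under investigation. The added example below is not from the Security Affairs article or from any TrickMo analysis: it parses the value that the real command `adb shell settings get secure enabled_accessibility_services` returns (a colon-separated list of `package/service-class` components, or the string `null` when nothing is enabled) and reports any service whose package is not on an assumed allowlist. The sample setting string and the allowlist are constructed for illustration.

```python
"""Triage which apps hold Android accessibility-service rights.

Added example (not code from the article). Feed it the output of
`adb shell settings get secure enabled_accessibility_services`; the sample
value and the allowlist below are constructed.
"""
from __future__ import annotations

# Constructed sample: a screen reader, the system accessibility menu, and an
# unrelated "PDF viewer" whose service class is stored in the abbreviated
# ".ClassName" form that Android accepts in component strings.
SAMPLE_SETTING = (
    "com.google.android.marvin.talkback/"
    "com.google.android.marvin.talkback.TalkBackService:"
    "com.example.pdfviewer/.AccessService:"
    "com.android.settings/"
    "com.android.settings.accessibility.AccessibilityMenuService"
)

# Assumed allowlist: packages expected to hold accessibility rights in this fleet.
ALLOWLIST = {
    "com.google.android.marvin.talkback",
    "com.android.settings",
}


def parse_enabled_services(setting: str) -> list[tuple[str, str]]:
    """Return (package, fully-qualified service class) pairs from the setting value.

    `settings get` prints the literal string "null" when the key is unset,
    so that case yields an empty list rather than a bogus component.
    """
    if setting is None or setting.strip() in ("", "null"):
        return []
    services: list[tuple[str, str]] = []
    for component in setting.split(":"):
        component = component.strip()
        if "/" not in component:
            continue
        package, cls = component.split("/", 1)
        if cls.startswith("."):
            # Abbreviated class name is relative to the package.
            cls = package + cls
        services.append((package, cls))
    return services


def find_suspect_services(setting: str,
                          allowlist: set[str] = ALLOWLIST) -> list[tuple[str, str]]:
    """Return enabled accessibility services whose package is not allowlisted."""
    return [(pkg, cls) for pkg, cls in parse_enabled_services(setting)
            if pkg not in allowlist]


if __name__ == "__main__":
    for pkg, cls in find_suspect_services(SAMPLE_SETTING):
        print(f"REVIEW {pkg} -> {cls}")
```

Any package flagged here deserves a second look with `adb shell dumpsys package <pkg>` (installer, signing certificate, install time); a sideloaded app that was granted accessibility rights shortly before suspicious banking activity matches the behaviour pattern described above.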

Technical Details: The TrickMo variant has migrated its C2 channel to The Open Network (TON), a decentralized blockchain platform. The operational consequence is that there is no attacker-registered domain to resolve: the C2 rendezvous lives on the network itself, so DNS-based blocklists and sinkholing never see a lookup for it, and a single hosting or registrar takedown cannot sever the channel. What the infected device still has to do is reach TON over the internet, whether through a public HTTP gateway or a TON node, so per-app egress telemetry on the device or on a managed network remains the practical observation point, and an app with no legitimate reason to touch TON infrastructure is the signal to look for.
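One way to put that observation into a triage script, as an added example that is not part of the article and uses no published TrickMo indicators (the summary lists none): scan per-app egress records for connections to public TON HTTP gateways from apps that are not known wallets. `toncenter.com` and `tonapi.io` are real TON API gateways; the log format (`timestamp app dst_host dst_port`), the log lines, and the wallet allowlist are constructed. A client that speaks the native TON node protocol directly would not appear in host-based logs like these, which is the limit of this check.

```python
"""Flag non-wallet apps that contact public TON API gateways.

Added example (not code from the article). Assumes per-app egress logs in
the constructed format "timestamp app dst_host dst_port", such as a
VPN-based MDM agent or an on-device proxy might produce.
"""
from __future__ import annotations

from collections import defaultdict
from typing import Iterator

# Real public TON HTTP gateways; any subdomain of these counts.
TON_GATEWAY_SUFFIXES = ("toncenter.com", "tonapi.io")

# Assumed allowlist of apps with a legitimate reason to talk to TON.
WALLET_ALLOWLIST = {"com.example.wallet"}

# Constructed sample: one legitimate wallet, one unrelated app that starts
# hitting TON gateways, and a browser visiting the TON project site.
SAMPLE_LOG = """\
2026-05-11T21:02:13Z com.example.wallet toncenter.com 443
2026-05-11T21:03:41Z com.example.flashlight api.example-cdn.net 443
2026-05-11T21:05:09Z com.example.flashlight toncenter.com 443
2026-05-11T21:05:10Z com.example.flashlight testnet.tonapi.io 443
2026-05-11T21:06:00Z com.android.chrome ton.org 443
"""


def is_ton_gateway(host: str) -> bool:
    """True if host is one of the gateway domains or a subdomain of one."""
    host = host.lower().rstrip(".")
    return any(host == s or host.endswith("." + s) for s in TON_GATEWAY_SUFFIXES)


def parse_log(text: str) -> Iterator[tuple[str, str, str, int]]:
    """Yield (timestamp, app, host, port); skip blank or malformed lines."""
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 4 or not parts[3].isdigit():
            continue
        ts, app, host, port = parts
        yield ts, app, host, int(port)


def find_ton_reachers(text: str,
                      allowlist: set[str] = WALLET_ALLOWLIST) -> dict[str, list[str]]:
    """Map each non-allowlisted app to the sorted TON gateway hosts it reached."""
    hits: dict[str, set[str]] = defaultdict(set)
    for _ts, app, host, _port in parse_log(text):
        if app in allowlist or not is_ton_gateway(host):
            continue
        hits[app].add(host.lower().rstrip("."))
    return {app: sorted(hosts) for app, hosts in hits.items()}


if __name__ == "__main__":
    for app, hosts in find_ton_reachers(SAMPLE_LOG).items():
        print(f"REVIEW {app}: {', '.join(hosts)}")
```

The browser line is deliberately left unflagged: `ton.org` is an informational site, not a gateway, and treating every TON-related domain as an indicator would bury the one app that matters. Pair a hit here with the accessibility-service check on the same device before escalating.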

MITRE ATT&CK Techniques (the summary cites Enterprise IDs; Mobile-matrix equivalents are noted where they exist):

  • T1071.001 - Application Layer Protocol: Web Protocols (Command and Control); Mobile equivalent T1437.001
  • T1041 - Exfiltration Over Command and Control Channel (Exfiltration); Mobile equivalent T1646
  • T1053.005 - Scheduled Task/Job: Scheduled Task (Persistence) is listed, but this sub-technique covers the Windows Task Scheduler and does not apply to an Android sample; the summary does not identify the persistence mechanism this variant actually uses

IOCs Mentioned: None mentioned.
