Full Report
Russian authorities said they arrested three people and seized hardware in an operation against Mamont malware, which specializes in stealing money from Android device users.
Analysis Summary
# Threat Actor: Developers of Mamont Malware (Attribution Pending/Operational Cell)
## Attribution & Identity
The threat actors are a group of three individuals arrested by Russian authorities (Saratov region). Their specific identities remain undisclosed. They are linked to the development and deployment of the *Mamont* Android banking trojan.
## Activity Summary
The group is linked to over 300 cybercrime incidents involving the *Mamont* malware. Their primary operation was an Android banking trojan that steals funds by abusing SMS banking services from the infected device. They also ran a fake online store whose "purchases" were followed by a prompt to install the malicious file, disguised as an order tracker.
## Tactics, Techniques & Procedures
- **Delivery Mechanism:** Distribution via Telegram channels and private messages.
- **Masquerading/Social Engineering:** Disguising the malware as legitimate mobile applications, as video files (often with lure filenames such as "Is this you in the video?"), or as order-tracking software following a purchase on the fake online store.
- **Fund Exfiltration:** Utilizing SMS banking services to transfer funds from compromised victim accounts to criminal-controlled phone numbers and electronic wallets.
- **Data Collection:** Collecting device information.
- **Information Exfiltration:** Forwarding messages related to financial transactions to an attacker-controlled Telegram channel.
- **Propagation/Spreading:** Sending itself to the contacts in the victim's messenger application.
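The TTPs above describe an installable package that arrives through a messenger under a video- or tracker-like name and then needs to send SMS, read incoming SMS, read contacts and reach the network. The following triage script, added here as an example and not taken from the report or from any Mamont analysis, scores a decoded Android manifest and its delivery filename against that profile. The permission strings are real Android permissions; the two manifests, the filenames, the keyword lists and the score thresholds are constructed for the example and would need tuning against real samples before use as a detection.

```python
"""Heuristic triage of an Android package against a messaging-driven
banking-trojan profile: lure filename plus SMS/contacts/network permissions.
Works on a decoded AndroidManifest.xml (e.g. apktool output), not on the
binary manifest inside an APK. Sample manifests below are constructed."""
import re
import xml.etree.ElementTree as ET
from dataclasses import dataclass, field

ANDROID_NS = "{http://schemas.android.com/apk/res/android}"

# Permission groups mapped onto the behaviours in the report (real permission names).
SMS_SEND = {"android.permission.SEND_SMS"}                       # issue SMS banking commands
SMS_READ = {"android.permission.RECEIVE_SMS", "android.permission.READ_SMS"}  # capture bank replies
CONTACTS = {"android.permission.READ_CONTACTS"}                  # spread to contacts
NETWORK = {"android.permission.INTERNET"}                        # exfiltration channel

# Lure naming patterns (assumed, not Mamont-specific): media/tracker words on an
# installable, or a media extension placed in front of .apk.
LURE_WORDS = re.compile(r"(video|mp4|track|order|deliver)", re.IGNORECASE)
DOUBLE_EXT = re.compile(r"\.(mp4|avi|mov|pdf|jpg)\.apk$", re.IGNORECASE)


@dataclass
class Finding:
    score: int = 0
    reasons: list[str] = field(default_factory=list)


def manifest_permissions(manifest_xml: str) -> set[str]:
    """Collect android:name values of every <uses-permission> element."""
    root = ET.fromstring(manifest_xml)
    return {
        el.get(ANDROID_NS + "name")
        for el in root.iter("uses-permission")
        if el.get(ANDROID_NS + "name")
    }


def triage(filename: str, manifest_xml: str) -> Finding:
    """Score a package by delivery name and by the permission cluster it requests."""
    perms = manifest_permissions(manifest_xml)
    f = Finding()
    if DOUBLE_EXT.search(filename):
        f.score += 3
        f.reasons.append("media extension hides .apk (e.g. video.mp4.apk)")
    elif filename.lower().endswith(".apk") and LURE_WORDS.search(filename):
        f.score += 1
        f.reasons.append("video/tracker wording in an installable package name")
    if perms & SMS_SEND and perms & SMS_READ:
        f.score += 3
        f.reasons.append("can send SMS and read incoming SMS: command and reply capture")
    elif perms & (SMS_SEND | SMS_READ):
        f.score += 1
        f.reasons.append("requests an SMS permission")
    if perms & CONTACTS:
        f.score += 1
        f.reasons.append("reads contacts: propagation to the victim's contacts")
    # Network access is normal on its own; it only adds weight next to SMS/lure signals.
    if perms & NETWORK and f.score >= 3:
        f.score += 1
        f.reasons.append("network access alongside SMS capabilities: exfiltration path")
    return f


def verdict(score: int) -> str:
    """Arbitrary thresholds for the example; calibrate on real benign/malicious sets."""
    if score >= 6:
        return "high"
    if score >= 3:
        return "medium"
    return "low"


# Constructed manifest for a lure that presents itself as a video file.
SUSPECT_MANIFEST = """<?xml version="1.0" encoding="utf-8"?>
<manifest xmlns:android="http://schemas.android.com/apk/res/android" package="com.example.video">
  <uses-permission android:name="android.permission.INTERNET"/>
  <uses-permission android:name="android.permission.SEND_SMS"/>
  <uses-permission android:name="android.permission.RECEIVE_SMS"/>
  <uses-permission android:name="android.permission.READ_SMS"/>
  <uses-permission android:name="android.permission.READ_CONTACTS"/>
  <application android:label="Video"/>
</manifest>"""

# Constructed manifest for an ordinary app that only needs network access.
BENIGN_MANIFEST = """<?xml version="1.0" encoding="utf-8"?>
<manifest xmlns:android="http://schemas.android.com/apk/res/android" package="com.example.notes">
  <uses-permission android:name="android.permission.INTERNET"/>
  <application android:label="Notes"/>
</manifest>"""

if __name__ == "__main__":
    for name, xml in (("video.mp4.apk", SUSPECT_MANIFEST), ("notes.apk", BENIGN_MANIFEST)):
        f = triage(name, xml)
        print(f"{name}: {verdict(f.score)} (score {f.score})")
        for r in f.reasons:
            print("  -", r)
```

A high score is a reason to detonate or reverse the sample, not a conviction: legitimate SMS and dialer apps request the same cluster, which is why the script reports the reasons rather than a single boolean.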
## Targeting
- **Sectors:** Financial/Banking (indirectly, through targeting individuals' bank accounts).
- **Geography:** Activities primarily noted within Russia based on law enforcement action.
- **Victims:** Android device owners targeted for financial theft via SMS banking fraud. Specific organizations are not detailed, only individual victims of financial fraud.
## Tools & Infrastructure
- **Malware Families Used:** Mamont (Android Banking Trojan).
- **Infrastructure:**
- Telegram channels (used for malware distribution and exfiltration of stolen data).
- Phone numbers and electronic wallets used to receive stolen funds.
## Implications
This case shows a locally based, financially motivated group in Russia reaching bank accounts through victims' mobile devices by abusing SMS banking: once the trojan controls the phone's messaging, it can issue transfer commands in the victim's name and read the bank's replies, with no bank-side vulnerability required. The arrests and hardware seizure by domestic law enforcement interrupted an active operation linked to hundreds of victims.
## Mitigations
- Due to the delivery mechanism: Exercise extreme caution when downloading applications from non-official sources, especially those received via Telegram.
- Be suspicious of unexpected files (such as videos or trackers) received via messengers, even from known contacts.
- Due to the nature of the fraud: the malware relies on the infected phone's own SMS capabilities to send banking commands and read the replies, so organizations and users should review which operations SMS banking can authorize from the phone number alone and limit or disable them where possible. Grant SMS and contacts permissions only to applications that clearly need them.