Cybercriminals target Canadian restaurant chain with Chameleon malware


Researchers have uncovered a July campaign that targeted hospitality workers in Canada and Europe with banking malware known as Chameleon.

Among the hackers’ targets was an unnamed Canadian restaurant chain operating internationally, according to a report released by the cybersecurity firm ThreatFabric on Monday.

In these attacks, Chameleon was disguised as a customer relationship management (CRM) app, which is often used in the hospitality industry for task automation, communication, and data analysis. ThreatFabric did not specify the app.

Researchers noted that other intended victims of the campaign likely include hospitality workers and potentially employees of direct-to-customer retailers in Canada and Europe.

If the attackers succeed in infecting a device that has corporate banking access, Chameleon can then target business banking accounts.

“The increased likelihood of such access for employees whose roles involve CRM is the likely reason behind the choice of masquerading during this latest campaign,” researchers said.

The report does not specify how the hackers initially accessed the targeted systems but indicates that the first stage of the malware installation process involves a dropper capable of bypassing security restrictions in versions 13 and above of the Android operating system.

Once loaded, the dropper displays a fake page with CRM login fields, requesting the employee ID. If a user then clicks on a message asking them to reinstall the application, Chameleon infects the device.

After installation, users are directed to a fake website asking for the employee’s credentials.

Because Chameleon is already running in the background, it is also able to collect credentials and other sensitive information using keylogging. “Such information can be used in further attacks, or the actors can monetize it by selling it on underground forums,” researchers said.

The malware was discovered in December 2022 and has previously targeted entities in Australia, Italy, Poland and the U.K.

ThreatFabric has also observed recent Chameleon attacks on customers of unnamed financial organizations, with the malware masquerading as a security app installing a security certificate released by the bank.

In incidents last year, the malware found victims in Australia and Poland, disguising itself as institutions like the Australian Taxation Office (ATO) and popular banking apps.


Daryna Antoniuk is a reporter for Recorded Future News based in Ukraine. She writes about cybersecurity startups, cyberattacks in Eastern Europe and the state of the cyberwar between Ukraine and Russia. She previously was a tech reporter for Forbes Ukraine. Her work has also been published at Sifted, The Kyiv Independent and The Kyiv Post.
