New TrickMo Variant Uses TON C2 and SOCKS5 to Create Android Network Pivots

Summary

A new variant of the TrickMo Android banking trojan has been identified that uses The Open Network (TON) for its command-and-control (C2) infrastructure. The updated trojan, observed targeting banking and cryptocurrency users in France, Italy, and Austria, runs SOCKS5 proxies on infected Android devices to turn them into network pivots.

IFF Assessment

FOE

This development represents new tactics and infrastructure for a known banking trojan, making it harder for defenders to track and block its command and control.

Defender Context

Defenders should be aware of TrickMo's evolving C2 methods, particularly its use of TON and SOCKS5 proxies, because both complicate network traffic analysis and threat hunting: TON-based C2 does not resolve to a fixed domain or IP list, and a SOCKS5 pivot makes attacker traffic appear to originate from a legitimate device on the internal network. Monitoring for unusual network connections originating from Android devices, especially connection patterns indicative of proxy usage, is crucial.
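As an added illustration of the monitoring advice above (example code written for this page, not code from the original advisory or from any vendor tool), the following Python script applies two heuristics to flow records of the kind a NetFlow- or Zeek-style sensor exports: a SOCKS5 handshake signature in the first payload bytes of a flow (per RFC 1928), and a long-lived outbound session combined with a fan-out to many distinct destinations from the same Android device, which is what a device acting as a proxy pivot looks like at the flow level. The `Flow` record layout, the field names, the thresholds and the sample flows are all constructed assumptions; the IP addresses come from the documentation ranges and the OS tag is assumed to come from an MDM or NAC inventory.

```python
"""Heuristic detection of SOCKS5 proxy / pivot behaviour on Android devices.

Constructed example for illustration; field names, thresholds and sample
records are assumptions, not the advisory's own data.
"""
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class Flow:
    ts: int             # epoch seconds when the flow started
    src: str            # internal device address
    dst: str            # remote address
    dport: int          # remote port
    os: str             # device OS as tagged by the MDM/NAC inventory (assumed field)
    first_bytes: bytes  # first payload bytes seen on the flow, either direction (assumed field)
    duration: int       # flow duration in seconds


def is_socks5_greeting(p: bytes) -> bool:
    """Client greeting: VER=0x05, NMETHODS, then exactly NMETHODS method bytes."""
    return len(p) >= 3 and p[0] == 0x05 and p[1] >= 1 and len(p) == 2 + p[1]


def is_socks5_request(p: bytes) -> bool:
    """Request header: VER=0x05, CMD in {CONNECT, BIND, UDP ASSOCIATE}, RSV=0,
    ATYP in {IPv4, domain name, IPv6}."""
    return (len(p) >= 4 and p[0] == 0x05 and p[1] in (1, 2, 3)
            and p[2] == 0x00 and p[3] in (1, 3, 4))


def socks5_signature(p: bytes) -> bool:
    """True if the first bytes look like either side of a SOCKS5 handshake."""
    return is_socks5_greeting(p) or is_socks5_request(p)


def find_pivot_candidates(flows, fanout_threshold=5, long_session_s=1800):
    """Return {device_ip: [reasons]} for Android devices that show proxy behaviour.

    Two heuristics (thresholds are assumptions to be tuned per environment):
      - socks5_handshake: any flow from the device starts with a SOCKS5 handshake
      - long_session_with_fanout: a session of at least long_session_s seconds
        plus connections to at least fanout_threshold distinct destinations
    """
    by_src = defaultdict(list)
    for f in flows:
        if f.os.lower() == "android":
            by_src[f.src].append(f)

    alerts = {}
    for src, device_flows in by_src.items():
        reasons = []
        if any(socks5_signature(f.first_bytes) for f in device_flows):
            reasons.append("socks5_handshake")
        has_long_session = any(f.duration >= long_session_s for f in device_flows)
        distinct_dsts = {f.dst for f in device_flows}
        if has_long_session and len(distinct_dsts) >= fanout_threshold:
            reasons.append("long_session_with_fanout")
        if reasons:
            alerts[src] = reasons
    return alerts


# Constructed sample flows (not real telemetry).
TLS_HELLO = b"\x16\x03\x01"          # ordinary TLS ClientHello prefix
SAMPLE_FLOWS = [
    # Phone A: hour-long session to one host that opens with a SOCKS5 greeting,
    # followed by a fan-out to six unrelated hosts within minutes.
    Flow(1700000000, "10.20.0.15", "203.0.113.10", 443, "android", b"\x05\x01\x00", 3600),
    Flow(1700000100, "10.20.0.15", "198.51.100.21", 443, "android", TLS_HELLO, 12),
    Flow(1700000105, "10.20.0.15", "198.51.100.22", 443, "android", TLS_HELLO, 8),
    Flow(1700000110, "10.20.0.15", "198.51.100.23", 443, "android", TLS_HELLO, 30),
    Flow(1700000115, "10.20.0.15", "198.51.100.24", 80, "android", b"GET", 4),
    Flow(1700000120, "10.20.0.15", "198.51.100.25", 443, "android", TLS_HELLO, 9),
    Flow(1700000130, "10.20.0.15", "198.51.100.26", 443, "android", TLS_HELLO, 11),
    # Phone B: ordinary app traffic, two destinations, short sessions.
    Flow(1700000200, "10.20.0.16", "198.51.100.30", 443, "android", TLS_HELLO, 20),
    Flow(1700000230, "10.20.0.16", "198.51.100.31", 443, "android", TLS_HELLO, 15),
    # Laptop: many destinations, but outside the scope of this Android-focused check.
    Flow(1700000300, "10.20.0.50", "198.51.100.40", 443, "windows", TLS_HELLO, 4000),
    Flow(1700000301, "10.20.0.50", "198.51.100.41", 443, "windows", TLS_HELLO, 5),
    Flow(1700000302, "10.20.0.50", "198.51.100.42", 443, "windows", TLS_HELLO, 5),
    Flow(1700000303, "10.20.0.50", "198.51.100.43", 443, "windows", TLS_HELLO, 5),
    Flow(1700000304, "10.20.0.50", "198.51.100.44", 443, "windows", TLS_HELLO, 5),
]


if __name__ == "__main__":
    for device, reasons in find_pivot_candidates(SAMPLE_FLOWS).items():
        print(f"{device}: {', '.join(reasons)}")
```

The handshake check only fires when the SOCKS5 bytes are visible on the wire; a pivot whose control channel is wrapped in TLS, or tunnelled over TON as this variant's C2 is, will not show them, which is why the second, behavioural heuristic (a persistent session plus an unusual number of distinct destinations from a single phone) is worth keeping even though it needs per-environment tuning to avoid flagging chatty but benign devices.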
