diff --git a/README.md b/README.md index 30e8193f..9284f6f2 100644 --- a/README.md +++ b/README.md @@ -74,25 +74,25 @@ | Family | Summary | Signature Behaviors | Report | |-------------|----------------------------------------------------|--------------------------|--------| -| DroidKungFu | Privilege escalation with C2 control. | 1. Gain unlimited access to a device.
2. Install/Uninstall additional apps.
3. Forward confidential data. | [View](https://quark-engine.readthedocs.io/en/latest/quark_rules.html#new-quark-rules-for-droidkungfu) | -| GoldDream | SMS/call log exfiltration with remote C2 commands. | 1. Monitor SMS messages and phone calls.
2. Upload SMS messages and phone calls to remote servers. | [View](https://quark-engine.readthedocs.io/en/latest/quark_rules.html#new-quark-rules-for-golddream) | -| SpyNote | Credential theft and device surveillance via RAT. | 1. Take screenshots.
2. Simulate user gestures.
3. Log user input.
4. Communicate with C2 servers. | [View](https://quark-engine.readthedocs.io/en/latest/quark_rules.html#new-quark-rules-for-spynote) | -| DawDropper | Dropper that installs banking trojans for financial theft. | 1. Download APKs from remote servers.
2. Install additional APKs. | [View](https://quark-engine.readthedocs.io/en/latest/quark_rules.html#new-quark-rules-for-dawdropper) | -| SLocker | Android ransomware locking/encrypting devices. | 1. Lock the device with an overlay screen. | [View](https://quark-engine.readthedocs.io/en/latest/quark_rules.html#new-quark-rules-for-slocker) | -| PhantomCard | NFC relay–based financial fraud. | 1. Communicate with C2 servers.
2. Read the payment data of NFC cards.
3. Captures PINs of NFC cards through deceptive screens. | [View](https://quark-engine.readthedocs.io/en/latest/quark_rules.html#new-quark-rules-for-phantomcard) | -| ToxicPanda | Banking trojan enabling on-device fraud. | 1. Abuse Accessibility.
2. Remote device control.
3. Intercept OTP. | [View](https://quark-engine.readthedocs.io/en/latest/quark_rules.html#new-quark-rules-for-toxicpanda) | -| Hydra | Banking trojan using overlay attacks. | 1. Overlay credential theft.
2. Accessibility abuse.
3. Steal OTP/cookies. | [View](https://quark-engine.readthedocs.io/en/latest/quark_rules.html#new-quark-rules-for-hydra) | -| SharkBot | Banking trojan targeting financial credentials and transactions. | 1. Abuse Accessibility services.
2. Perform overlay attacks to steal credentials.
3. Intercept SMS messages (OTP). | [View](https://quark-engine.readthedocs.io/en/latest/quark_rules.html#new-quark-rules-for-sharkbot) | -| Antidot | Banking trojan disguised as legitimate updates for financial data theft. | 1. Intercept SMS messages (OTP).
2. Log user input (keylogging).
3. Enable remote control via C2. | [View](https://quark-engine.readthedocs.io/en/latest/quark_rules.html#new-quark-rules-for-antidot) | -| Arsink | Banking trojan focusing on credential and financial data exfiltration. | 1. Steal sensitive data from device.
2. Intercept SMS messages (OTP). | [View](https://quark-engine.readthedocs.io/en/latest/quark_rules.html#new-quark-rules-for-arsink) | -| TrickMo | Banking trojan using overlay attacks and accessibility abuse for credential theft. | 1. Overlay attacks to steal banking credentials.
2. Intercept SMS for 2FA bypass.
3. Screen recording and accessibility abuse.
4. Dynamic payload loading via reflection. | [View](https://quark-engine.readthedocs.io/en/latest/quark_rules.html#new-quark-rules-for-trickmo) | -| Anubis | Banking trojan with RAT capabilities. | 1. Overlay credential theft.
2. Keylogging.
3. Intercept SMS (OTP).
4. Remote control via C2. | [View](https://quark-engine.readthedocs.io/en/latest/quark_rules.html#new-quark-rules-for-anubis) | -| GodFather | Banking trojan targeting financial credentials through overlay and accessibility abuse. | 1. Perform overlay attacks to steal credentials.
2. Abuse Accessibility services.
3. Intercept SMS messages (OTP).
4. Steal banking credentials and sensitive data. | [View](https://quark-engine.readthedocs.io/en/latest/quark_rules.html#new-quark-rules-for-godfather) | -| TangleBot | SMS-based Android malware stealing personal and financial data. | 1. Spread through SMS phishing links.
2. Control device interactions and overlay screens.
3. Access SMS, contacts, call logs, camera, and microphone.
4. Steal account and financial information. | [View](https://quark-engine.readthedocs.io/en/latest/quark_rules.html#new-quark-rules-for-tanglebot) | -| BRATA | Banking trojan with remote control and anti-analysis capabilities. | 1. Perform overlay attacks to steal banking credentials.
2. Abuse Accessibility services for device control.
3. Intercept SMS messages (OTP).
4. Execute factory reset or device wipe commands. | [View](https://quark-engine.readthedocs.io/en/latest/quark_rules.html#new-quark-rules-for-brata) | -| Cerberus | Banking trojan targeting financial credentials through overlay and device control. | 1. Perform overlay attacks to steal credentials.
2. Abuse Accessibility services.
3. Log user input (keylogging).
4. Enable remote control via C2. | [View](https://quark-engine.readthedocs.io/en/latest/quark_rules.html#new-quark-rules-for-cerberus) | -| SuperCardX | NFC relay malware enabling contactless payment fraud. | 1. Read NFC payment card data.
2. Relay NFC transactions to attacker-controlled devices.
3. Communicate with C2 servers.
4. Facilitate unauthorized contactless payments. | [View](https://quark-engine.readthedocs.io/en/latest/quark_rules.html#new-quark-rules-for-supercardx) | -| NGate | NFC-based malware enabling relay attacks and payment fraud. | 1. Read NFC payment card data.
2. Relay NFC communications to attacker-controlled devices.
3. Communicate with C2 servers.
4. Facilitate unauthorized contactless payments. | [View](https://quark-engine.readthedocs.io/en/latest/quark_rules.html#new-quark-rules-for-ngate) | +| DroidKungFu | Privilege escalation with C2 control. | 1. Gain unlimited access to a device.
2. Install/Uninstall additional apps.
3. Forward confidential data. | [View](https://quark-engine.readthedocs.io/en/latest/malware_report.html#new-quark-rules-for-droidkungfu) | +| GoldDream | SMS/call log exfiltration with remote C2 commands. | 1. Monitor SMS messages and phone calls.
2. Upload SMS messages and phone calls to remote servers. | [View](https://quark-engine.readthedocs.io/en/latest/malware_report.html#new-quark-rules-for-golddream) | +| SpyNote | Credential theft and device surveillance via RAT. | 1. Take screenshots.
2. Simulate user gestures.
3. Log user input.
4. Communicate with C2 servers. | [View](https://quark-engine.readthedocs.io/en/latest/malware_report.html#new-quark-rules-for-spynote) | +| DawDropper | Dropper that installs banking trojans for financial theft. | 1. Download APKs from remote servers.
2. Install additional APKs. | [View](https://quark-engine.readthedocs.io/en/latest/malware_report.html#new-quark-rules-for-dawdropper) | +| SLocker | Android ransomware locking/encrypting devices. | 1. Lock the device with an overlay screen. | [View](https://quark-engine.readthedocs.io/en/latest/malware_report.html#new-quark-rules-for-slocker) | +| PhantomCard | NFC relay–based financial fraud. | 1. Communicate with C2 servers.
2. Read the payment data of NFC cards.
3. Captures PINs of NFC cards through deceptive screens. | [View](https://quark-engine.readthedocs.io/en/latest/malware_report.html#new-quark-rules-for-phantomcard) | +| ToxicPanda | Banking trojan enabling on-device fraud. | 1. Abuse Accessibility.
2. Remote device control.
3. Intercept OTP. | [View](https://quark-engine.readthedocs.io/en/latest/malware_report.html#new-quark-rules-for-toxicpanda) | +| Hydra | Banking trojan using overlay attacks. | 1. Overlay credential theft.
2. Accessibility abuse.
3. Steal OTP/cookies. | [View](https://quark-engine.readthedocs.io/en/latest/malware_report.html#new-quark-rules-for-hydra) | +| SharkBot | Banking trojan targeting financial credentials and transactions. | 1. Abuse Accessibility services.
2. Perform overlay attacks to steal credentials.
3. Intercept SMS messages (OTP). | [View](https://quark-engine.readthedocs.io/en/latest/malware_report.html#new-quark-rules-for-sharkbot) | +| Antidot | Banking trojan disguised as legitimate updates for financial data theft. | 1. Intercept SMS messages (OTP).
2. Log user input (keylogging).
3. Enable remote control via C2. | [View](https://quark-engine.readthedocs.io/en/latest/malware_report.html#new-quark-rules-for-antidot) | +| Arsink | Banking trojan focusing on credential and financial data exfiltration. | 1. Steal sensitive data from device.
2. Intercept SMS messages (OTP). | [View](https://quark-engine.readthedocs.io/en/latest/malware_report.html#new-quark-rules-for-arsink) | +| TrickMo | Banking trojan using overlay attacks and accessibility abuse for credential theft. | 1. Overlay attacks to steal banking credentials.
2. Intercept SMS for 2FA bypass.
3. Screen recording and accessibility abuse.
4. Dynamic payload loading via reflection. | [View](https://quark-engine.readthedocs.io/en/latest/malware_report.html#new-quark-rules-for-trickmo) | +| Anubis | Banking trojan with RAT capabilities. | 1. Overlay credential theft.
2. Keylogging.
3. Intercept SMS (OTP).
4. Remote control via C2. | [View](https://quark-engine.readthedocs.io/en/latest/malware_report.html#new-quark-rules-for-anubis) | +| GodFather | Banking trojan targeting financial credentials through overlay and accessibility abuse. | 1. Perform overlay attacks to steal credentials.
2. Abuse Accessibility services.
3. Intercept SMS messages (OTP).
4. Steal banking credentials and sensitive data. | [View](https://quark-engine.readthedocs.io/en/latest/malware_report.html#new-quark-rules-for-godfather) | +| TangleBot | SMS-based Android malware stealing personal and financial data. | 1. Spread through SMS phishing links.
2. Control device interactions and overlay screens.
3. Access SMS, contacts, call logs, camera, and microphone.
4. Steal account and financial information. | [View](https://quark-engine.readthedocs.io/en/latest/malware_report.html#new-quark-rules-for-tanglebot) | +| BRATA | Banking trojan with remote control and anti-analysis capabilities. | 1. Perform overlay attacks to steal banking credentials.
2. Abuse Accessibility services for device control.
3. Intercept SMS messages (OTP).
4. Execute factory reset or device wipe commands. | [View](https://quark-engine.readthedocs.io/en/latest/malware_report.html#brata-malware-family-analysis-report) | +| Cerberus | Banking trojan targeting financial credentials through overlay and device control. | 1. Perform overlay attacks to steal credentials.
2. Abuse Accessibility services.
3. Log user input (keylogging).
4. Enable remote control via C2. | [View](https://quark-engine.readthedocs.io/en/latest/malware_report.html#cerberus-malware-family-analysis-report) | +| SuperCardX | NFC relay malware enabling contactless payment fraud. | 1. Read NFC payment card data.
2. Relay NFC transactions to attacker-controlled devices.
3. Communicate with C2 servers.
4. Facilitate unauthorized contactless payments. | [View](https://quark-engine.readthedocs.io/en/latest/malware_report.html#supercardx-malware-family-analysis-report) | +| NGate | NFC-based malware enabling relay attacks and payment fraud. | 1. Read NFC payment card data.
2. Relay NFC communications to attacker-controlled devices.
3. Communicate with C2 servers.
4. Facilitate unauthorized contactless payments. | [View](https://quark-engine.readthedocs.io/en/latest/malware_report.html#ngate-malware-family-analysis-report) | ## Quick Start
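Review bot: the anchor naming in the rewritten links is inconsistent and should be verified against the rendered `malware_report.html` page. The first fourteen rows (DroidKungFu through GodFather) keep the old `#new-quark-rules-for-<family>` fragment on the new page, while the last four rows (BRATA, Cerberus, SuperCardX, NGate) switch to `#<family>-malware-family-analysis-report`. If the section titles on the target page really differ between those two groups, this is fine, but a fragment that does not exist on the page fails silently by landing the reader at the top of the report, so each of the eighteen anchors deserves a click-through before merging. The diff also gives no rationale for moving these links from `quark_rules.html` to `malware_report.html`; a one-line note in the commit message (e.g. that the per-family reports now live in `malware_report.html`) would help anyone later reconciling the two pages. Minor and pre-existing: the PhantomCard row reads `3. Captures PINs of NFC cards ...` while every other behavior uses the imperative form (`Read`, `Communicate`, `Intercept`); since these rows are being rewritten anyway, `Capture` would keep the column consistent.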