Android Banking Trojan Mamont Remains Active: New Infrastructure Analysis Reveals Ongoing Threats

CyberSecureFox 🦊

Security researchers at Solar 4RAYS Cyber Threat Intelligence Center have uncovered ongoing malicious activities related to the sophisticated Android banking trojan Mamont, despite recent law enforcement operations targeting its operators. The analysis reveals that the threat continues to evolve and poses significant risks to both individual users and enterprise environments.

Sophisticated Distribution Strategy and Initial Infection Vector

The malware operators distribute the trojan through the Telegram messaging platform, using social engineering to trick users into installing the malicious payload. The trojan is typically disguised as a video file accompanied by the enticing message “Is this you in the video?” Upon execution, the victim is shown a loading screen while the malware silently carries out its infection routine in the background.

Advanced Malware Capabilities and Data Exfiltration

Analysis of the Mamont trojan reveals an extensive set of malicious capabilities designed for comprehensive device compromise. The malware can:
– Harvest detailed device information and installed application data
– Monitor and log call history
– Initiate unauthorized outbound calls
– Execute USSD commands
– Intercept and redirect SMS messages
– Gain control over messaging applications
– Perform unauthorized banking operations
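The capabilities listed above map onto a recognisable Android permission footprint: an app that registers for incoming SMS, can send SMS, reads the call log and can place calls (USSD codes are dialled through the same telephony path) has little business presenting itself as a video. The following triage script is an added example written for this article, not code from Solar 4RAYS or from the Mamont sample; the permission-to-capability mapping and the constructed manifests are assumptions of the example, based on standard Android permission and intent names rather than on anything the article publishes. It parses a decoded AndroidManifest.xml (as produced by apktool, for instance) and flags the SMS-interception pattern that defeats SMS-based verification.

```python
"""Permission-footprint triage for a decoded AndroidManifest.xml.

Flags the SMS-interception plus telephony pattern associated with
SMS-stealing banking trojans. Added example; the mapping below is an
assumption of this example, not taken from the article.
"""
import xml.etree.ElementTree as ET
from typing import Dict, List, Set

ANDROID_NS = "http://schemas.android.com/apk/res/android"
NAME = f"{{{ANDROID_NS}}}name"
PRIORITY = f"{{{ANDROID_NS}}}priority"
SMS_RECEIVED_ACTION = "android.provider.Telephony.SMS_RECEIVED"

# Capability -> permissions an app would normally need to achieve it.
# Standard Android permission names; the grouping is this example's assumption.
CAPABILITY_PERMISSIONS: Dict[str, List[str]] = {
    "sms_intercept": ["android.permission.RECEIVE_SMS", "android.permission.READ_SMS"],
    "sms_redirect": ["android.permission.SEND_SMS"],
    "call_log": ["android.permission.READ_CALL_LOG"],
    "outbound_calls_ussd": ["android.permission.CALL_PHONE"],
    "device_inventory": ["android.permission.QUERY_ALL_PACKAGES"],
}


def declared_permissions(manifest_xml: str) -> Set[str]:
    """Return the set of <uses-permission> names declared in the manifest."""
    root = ET.fromstring(manifest_xml)
    return {el.get(NAME) for el in root.iter("uses-permission") if el.get(NAME)}


def sms_receiver_priority(manifest_xml: str) -> int:
    """Highest android:priority of any receiver filtering SMS_RECEIVED, or -1 if none.

    A high-priority SMS_RECEIVED receiver lets an app see incoming SMS before
    the default messaging app, which is how one-time codes get intercepted.
    """
    root = ET.fromstring(manifest_xml)
    best = -1
    for receiver in root.iter("receiver"):
        for flt in receiver.iter("intent-filter"):
            actions = {a.get(NAME) for a in flt.iter("action")}
            if SMS_RECEIVED_ACTION in actions:
                best = max(best, int(flt.get(PRIORITY, "0")))
    return best


def matched_capabilities(manifest_xml: str) -> List[str]:
    """Capabilities whose full permission set is declared, sorted by name."""
    perms = declared_permissions(manifest_xml)
    return sorted(cap for cap, needed in CAPABILITY_PERMISSIONS.items()
                  if all(p in perms for p in needed))


def triage(manifest_xml: str) -> Dict[str, object]:
    """Summarise the manifest and decide whether it matches the SMS-banker pattern."""
    caps = matched_capabilities(manifest_xml)
    prio = sms_receiver_priority(manifest_xml)
    # Heuristic: SMS interception combined with an SMS receiver or another
    # telephony capability is what undermines SMS-based second factors.
    suspicious = "sms_intercept" in caps and (
        prio >= 0 or "call_log" in caps or "outbound_calls_ussd" in caps)
    return {"capabilities": caps, "sms_receiver_priority": prio, "suspicious": suspicious}


# Constructed sample manifests (not real samples): a "video" app with the
# footprint described in the article, and a genuinely benign video player.
SUSPICIOUS_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.video">
  <uses-permission android:name="android.permission.INTERNET"/>
  <uses-permission android:name="android.permission.RECEIVE_SMS"/>
  <uses-permission android:name="android.permission.READ_SMS"/>
  <uses-permission android:name="android.permission.SEND_SMS"/>
  <uses-permission android:name="android.permission.READ_CALL_LOG"/>
  <uses-permission android:name="android.permission.CALL_PHONE"/>
  <application android:label="Video">
    <receiver android:name=".SmsReceiver" android:exported="true">
      <intent-filter android:priority="999">
        <action android:name="android.provider.Telephony.SMS_RECEIVED"/>
      </intent-filter>
    </receiver>
  </application>
</manifest>"""

BENIGN_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.player">
  <uses-permission android:name="android.permission.INTERNET"/>
  <uses-permission android:name="android.permission.READ_EXTERNAL_STORAGE"/>
  <application android:label="Player"/>
</manifest>"""


if __name__ == "__main__":
    for label, manifest in (("suspicious", SUSPICIOUS_MANIFEST), ("benign", BENIGN_MANIFEST)):
        print(label, triage(manifest))
```

The script is a first-pass filter for mobile device management or app-vetting pipelines, not a verdict: a legitimate messaging app declares the same SMS permissions, so the output is meant to route a sideloaded "video" APK to a human or a sandbox rather than to block on its own.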

Enterprise Security Implications

The threat poses a particularly significant risk to organizations implementing SMS-based two-factor authentication systems. When employee devices are compromised, attackers can intercept authentication codes, potentially leading to unauthorized access to corporate resources. This capability makes Mamont an effective tool for initiating sophisticated supply chain attacks and corporate network infiltrations.

Current Infrastructure Analysis

Technical investigation has identified four active command-and-control (C2) servers associated with the Mamont operation. One server hosts an exposed APK builder, enabling automated generation of new malware variants with customizable attack parameters. This infrastructure suggests professional-level operation and development capabilities.

Despite recent law enforcement actions against suspected operators, the persistence of active infrastructure components indicates ongoing campaign activities. Security professionals recommend implementing robust mobile security policies, including strict application installation controls and enhanced authentication mechanisms beyond SMS-based verification. Users should maintain heightened vigilance against suspicious messages and avoid installing applications from untrusted sources or through direct APK downloads.
