EXECUTIVE SUMMARY
Cisco Talos has uncovered a new Android-based campaign targeting Australian financial institutions. As the investigation progressed, Talos came to understand that this campaign was associated with the "ChristinaMorrow" text message spam scam previously spotted in Australia.
Although this malware's credential-harvest mechanism is not particularly sophisticated, it does have an advanced self-preservation mechanism. Even though this is not a traditional remote access tool (RAT), this campaign seems to target mainly private users. Aside from the credential stealing, this malware also includes features like the theft of users' contact list, collecting phone numbers associated names, and files and photos on the device. But that doesn't mean companies and organizations are out of the woods. They should still be on the lookout for these kinds of trojans, as the attackers could target corporate accounts that contain large amounts of money.
The information collected by the malware and the control over the victim's mobile device allows their operators to perform more complex social engineering attacks. A motivated attacker can use this trojan to harvest usernames and passwords and then reuse them to login into the organization's system where the victim works. This is a good example where two-factor authentication based on SMS would fail since the attacker can read the SMS. Corporations can protect themselves from these side-channel attacks by deploying client-based two-factor authentication, such as Duo Security.
One of the most impressive features of this malware is its resilience. If the command and control (C2) server is taken down, the malicious operator can still recover the malware control by sending SMS messages directly to the infected devices. This makes the taking down and recovery of the network much harder and poses a considerable challenge for defenders.
THE CAMPAIGN
The malware's primary infection vector is SMS. Just like the old-school mail worms that used the victim's address book to select the next victims, this banking trojan's activation cycle includes the exfiltration of the victim's address book. The trojan will receive instructions from the C2 to spread.
Spread command from C2
The victim receives the command sendSMSMass. Usually, this message targets four or five people at a time. The body contains a message and URL. Again, the concept is that new victims are more likely to install the malware if the SMS comes from someone they know. When a victim tries to access the URL in the SMS body, the C2 will check if the mobile device meets the criteria to receive the malware (see infrastructure section). If the device does not meet the criteria, it won't receive any data, otherwise, it will be redirected to a second server to receive a copy of the malware to install on their device.
The domain on this campaign was registered on Jan. 19, 2019. However, Talos has identified that was used at least since November 2018. During the investigation, Talos was also able to determine that the same infrastructure has been used to deploy similar campaigns using different versions of the malware.
Distribution of victims
Talos assess with high confidence that this campaign is targeting Australian financial institutions based on several factors. Our Umbrella telemetry shows that the majority of the request comes from Australia and the majority of the phone numbers infected have the international indicative for Australia. Finally, the specific overlays are designed for Australian financial institutions, and Australia is one of the geographic regions that is accepted by the C2.
DNS queries distribution over time
The campaign doesn't seem to be growing at a fast pace. Our data shows, on average, about three requests per hour to the drop host. This request is only made upon installation, but there is no guarantee that it will be installed. This data, when analyzed with the number of commands to send SMSs that Talos received during the investigation, lead us to conclude that the malicious operator is aggressively spreading the malware, but that doesn't seem to result in the same number of new infections.
Examples of the overlays available to the malware
Above, you can see examples of the injections that distributed to the malware as part of this specific campaign.
While doing our investigation we were able to identify other malware packages with different names. Some of these might have been used on old campaigns or were already prepared for new campaigns.
MALWARE TECHNICAL DETAILS
During our investigation, researchers uncovered a malware known as "Gustuff." . Given the lack of indicators of compromise, we decided to check to see if this was the same malware we had been researching. Our Threat Intelligence and Interdiction team found the Gustuff malware being advertised in the Exploit.in forum as a botnet for rent. The seller, known as "bestoffer," was, at some point, expelled from the forum.
Gustuff advertising screenshot
The companies advertised in the image above were from Australia, which matches up with the campaign we researched. The screenshots provided by the author align with the advertised features and the features that we discovered while doing our analysis.
Admin panel
The administration panel shows the application configuration, which matches the commands from the C2.
Country selection
The administration console screenshots also show the ability to filter the results by country. In this case, "AU" is the code shown, which is Australia.
Based on this information, Talos assesses with high confidence that the malware is the same and this is, in fact, the Gustuff malware.
Design
In the manifest, the malware requests a large number of permissions. However, it doesn't request permissions like BIND_ADMIN. To perform some of its activities, the malware does not need high privileges inside the device, as we will explain ahead.
Permissions in the manifest
This malware is designed to avoid detection and analysis. It has several protections in place, both in the C2 and the malware's code. The code is not only obfuscated but also packed. The packer, besides making the static analysis more complex, will break the standard debugger.
Manifest activity declaration
Class list inside the dex file
The main malware classes are packed, to a point where the class defined in the manifest has a handler for the MAIN category that does not exist in the DEX file.
Error when trying to debug the malware using the Android Studio IDE.
One of the side effects of this packer is the inability of Android Studio IDE to debug the code. This happens because the IDE executes the code from the Android debug bridge (ADB) by calling the activity declared in the manifest by name. Since the class does not exist at startup, the application does not run on the debugger. Although Talos analyzed the unpacked version of the code, the packer analysis is beyond the scope of this post.
Check code for emulators
As part of its defense, the malware payload first checks for emulators to prevent analysis on sandboxes. It checks for different kinds of emulators, including QEMU, Genymotion, BlueStacks and Bignox. If the malware determines that is not running on an emulator, it then performs additional checks to ensure that it won't be detected.
Code to check the existence of SafetyNet Google API
It also checks if the Android SafetyNet is active and reporting back to the C2. This helps the C2 define what actions it can do before being detected on the mobile device.
List of anti-virus packages that are checked
The payload goes a long way to protect itself and checks for anti-virus software installed on the mobile device. The trojan uses the Android Accessibility API to intercept all interactions between the user and the mobile device.
The Android developer documentation describes the accessibility event class as a class that "represents accessibility events that are seen by the system when something notable happens in the user interface. For example, when a button is clicked, a view is focused, etc."
For each interaction, the malware will check if the generator is a package that belongs to the anti-virus list, the malware will abuse another feature of the Accessibility API. There is a function called "performGlobalAction" with the description below.
Android documentation describes that function as "a global action. Such an action can be performed at any moment, regardless of the current application or user location in that application. For example, going back, going home, opening recents, etc."
The trojan calls this function with the action GLOBAL_ACTION_BACK, which equals the pressing of the back button on the device, thus canceling the opening of the anti-virus application.
The same event interception is used to place the webview overlay when the user tries to access the targeted applications, allowing it to display its overlay, thus intercepting the credentials.
The beaconing only starts after the application is installed and removed from the running tasks.
Beaconing information
The ID is generated for each installation of the malware, while the token remains unique. Some of the checks performed previously are immediately sent to the C2, like the safetyNet, admin and defaultSMSApp. The beaconing is sent to the URL http://<SERVER>/api/v2/get.php with an interval of 60 seconds.
Answer from the C2
The C2 will check the country field, if it's empty or if the country is not targeted, it will reply with a "Unauthorized" answer. Otherwise, it will return a JSON encoded "OK," and if that is the case, the command to be executed.
List of available commands
The command names are self-explanatory. The command will be issued as an answer to the beaconing, and the result will be returned to the URL http://<SERVER>/api/v2/set_state.php
Example of the command "changeServer"
The commands are issued in a JSON format, and the obfuscation is part of the malware code and not added by the packer. It is a custom obfuscation partly based on base85 encoding, which is in itself unusual, in malware. Base85 encoding is usually used on pdf and postscript documentsThe configuration of the malware is stored in custom preferences files, using the same obfuscation scheme.
Activation cycle
As we have explained above, the malware has several defence mechanisms. Beside the obfuscation and the environment checks, the malware also has some interesting anti-sandbox mechanisms.
After installation, the user needs to run the application. The user needs to press the "close" button to finish the installation. However, this won't close the application, it will send it to the background, instead. While the application is in the background, although the service is already running, the beaconing will not start. The beaconing will only start after the application is removed from the background, ultimately stopping it. This will be the trigger for the service to start the beaconing.
As mentioned previously, the beaconing is done every 60 seconds. However, no command is received from the C2 until the inactiveTime field (see beaconing information image above) has at least the value of 2000000. This time resets every time the user performs some activity.
After the checks, the malware becomes active, but first, it goes through seven steps, each one calling a different command:
- uploadPhoneNumbers: Exfiltrates all phone numbers that are in the contact list. Aside from the natural value of phone numbers associated with the names of their owners. Using the SMS has an initial infection vector is another possibility for the exfiltration. One of the purposes of the exfiltration of the contact list is to use them to attack other victims using SMS as an initial vector.
- checkApps: Asks the malware to see if the packages sent as parameters are installed. The malware contains a list of 209 packages hardcoded in its source code. However, the C2 can send an updated list.
List of packages received from the C2
- adminNumber: Setup of the admin phone number. In our case, the administrator phone number belongs to a mobile network in Australia.
Phone number for administration
- changeServer: At this point, the malware changes the C2 to a new host, even though the API and communication protocol continues to be the same.
Change server request
The URL's for the new server is obfuscated, preventing easy network identification.
- changeActivity: This command will set up the webview to overlay any of the target activities.
changeActivity command
The webview injects are not hosted on the C2, they are hosted on a completely different server.
- params: This command allows the malicious operator to change configuration parameters in the malware. During this stage of the activation cycle, the malware increases the beaconing time to avoid detection.
Command to change the beaconing
- changeArchive: The final command of the activation cycle is the download of an archive. This archive is stored in the same host has the webviews. The archive is a ZIP containing several files, which is protected with a password.
Change archive command
After this activation cycle, the malware will start the collection of information activities and dissemination.
Malicious activity
Once the activation cycle ends, the trojan will start its malicious activities. These activities depend on the device configuration. Depending if the victim has any of the targeted applications, the anti-virus installed or geographic location, the malware can harvest credentials from the targeted applications, exfiltrate all personal information or simply use the victim's device to send SMS to spread the trojan
The malware deploys overlaying webviews to trick the user and eventually steal their login credentials. These are adapted to the information the malicious operator wants to retrieve. The first webview overlay is created on step 6 of the activation cycle.
Pin request overlay
This overlay asks the user to provide their PIN to unlock the mobile device, which is immediately exfiltrated to the C2. The last step of the activation cycle is the download of a password-protected ZIP file. This file contains all HTML, CSS and PNG files necessary to create overlays. Talos found 189 logos from banks to cryptocurrency exchanges inside the archive, all of which could be targeted. The archive also contained all the necessary codes to target Australian financial institutions. The overlays are activated by the malicious operator using the command changeActivity, as seen on step 5 of the activation cycle. In this case, we can see that the HTML code of the overlay is stored in the C2 infrastructure. However, since the archive that is downloaded into the device has all the necessary information and the malicious actor has access to the device via SMS, the malicious operator can keep its activity even without the C2 infrastructure.
Infrastructure
The infrastructure supporting this malware is rather complex. It is clear that on all stages there are at least two layers.
The infrastructure has several layers, although not being very dynamic, still has several layers each one providing some level of protection. All the IP addresses belong to the same company Hetzner, an IP-hosting firm in Germany.
COVERAGE
Cisco Cloud Web Security (CWS) or Web Security Appliance (WSA) web scanning prevents access to malicious websites and detects malware used in these attacks.
Email Security can block malicious emails sent by threat actors as part of their campaign.
Network Security appliances such as Next-Generation Firewall (NGFW), Next-Generation Intrusion Prevention System (NGIPS), and Meraki MX can detect malicious activity associated with this threat.
AMP Threat Grid helps identify malicious binaries and build protection into all Cisco Security products.
Umbrella, our secure internet gateway (SIG), blocks users from connecting to malicious domains, IPs, and URLs, whether users are on or off the corporate network.
Open Source SNORTⓇ Subscriber Rule Set customers can stay up to date by downloading the latest rule pack available for purchase on Snort.org.
INDICATORS OF COMPROMISE (IOCS)
Domains
Facebook-photos-au.su
Homevideo2-12l.ml
videohosting1-5j.gq
URLs
hxxp://88.99.227[.]26/html2/2018/GrafKey/new-inj-135-3-dark.html
hxxp://88.99.227[.]26/html2/arc92/au483x.zip
hxxp://94.130.106[.]117:8080/api/v1/report/records.php
hxxp://88.99.227[.]26/html2/new-inj-135-3-white.html
hxxp://facebook-photos-au[.]su/ChristinaMorrow
hxxp://homevideo2-12l[.]ml/mms3/download_3.php
IP addresses
78.46.201.36
88.99.170.84
88.99.227.26
94.130.106.117
88.99.174.200
88.99.189.31
Hash
369fcf48c1eb982088c22f86672add10cae967af82613bee6fb8a3669603dc48
b2d4fcf03c7a8bf135fbd3073bea450e2e6661ad8ef2ab2058a3c04f81fc3f3e
8f5d5d8419a4832d175a6028c9e7d445f1e99fdc12170db257df79831c69ae4e
a5ebcdaf5fd10ec9de85d62e48cc97a4e08c699a7ebdeab0351b86ab1370557d
84578b9b2c3cc1c7bbfcf4038a6c76ae91dfc82eef5e4c6815627eaf6b4ae6f6
89eecd91dff4bf42bebbf3aa85aa512ddf661d3e9de4c91196c98f4fc325a018
9edee3f3d539e3ade61ac2956a6900d93ba3b535b6a76b3a9ee81e2251e25c61
0e48e5dbc3a60910c1460b382d28e087a580f38f57d3f82d4564309346069bd1
c113cdd2a5e164dcba157fc4e6026495a1cfbcb0b1a8bf3e38e7eddbb316e01f
1819d2546d9c9580193827c0d2f5aad7e7f2856f7d5e6d40fd739b6cecdb1e9e
b213c1de737b72f8dd7185186a246277951b651c64812692da0b9fdf1be5bf15
453e7827e943cdda9121948f3f4a68d6289d09777538f92389ca56f6e6de03f0
0246dd4acd9f64ff1508131c57a7b29e995e102c74477d5624e1271700ecb0e2
88034e0eddfdb6297670d28ed810aef87679e9492e9b3e782cc14d9d1a55db84
e08f08f4fa75609731c6dd597dc55c8f95dbdd5725a6a90a9f80134832a07f2e
01c5b637f283697350ca361f241416303ab6123da4c6726a6555ac36cb654b5c
1fb06666befd581019af509951320c7e8535e5b38ad058069f4979e9a21c7e1c
6bdfb79f813448b7f1b4f4dbe6a45d1938f3039c93ecf80318cedd1090f7e341
ADDITIONAL INFORMATION
Packages monitored
pin.secret.access
com.chase.sig.android
com.morganstanley.clientmobile.prod
com.wf.wellsfargomobile
com.citi.citimobile
com.konylabs.capitalone
com.infonow.bofa
com.htsu.hsbcpersonalbanking
com.usaa.mobile.android.usaa
com.schwab.mobile
com.americanexpress.android.acctsvcs.us
com.pnc.ecommerce.mobile
com.regions.mobbanking
com.clairmail.fth
com.grppl.android.shell.BOS
com.tdbank
com.huntington.m
com.citizensbank.androidapp
com.usbank.mobilebanking
com.ally.MobileBanking
com.key.android
com.unionbank.ecommerce.mobile.android
com.mfoundry.mb.android.mb_BMOH071025661
com.bbt.cmol
com.sovereign.santander
com.mtb.mbanking.sc.retail.prod
com.fi9293.godough
com.commbank.netbank
org.westpac.bank
org.stgeorge.bank
au.com.nab.mobile
au.com.bankwest.mobile
au.com.ingdirect.android
org.banksa.bank
com.anz.android
com.anz.android.gomoney
com.citibank.mobile.au
org.bom.bank
com.latuabancaperandroid
com.comarch.mobile
com.jpm.sig.android
com.konylabs.cbplpat
by.belinvestbank
no.apps.dnbnor
com.arkea.phonegap
com.alseda.bpssberbank
com.belveb.belvebmobile
com.finanteq.finance.ca
pl.eurobank
pl.eurobank2
pl.noblebank.mobile
com.getingroup.mobilebanking
hr.asseco.android.mtoken.getin
pl.getinleasing.mobile
com.icp.ikasa.getinon
eu.eleader.mobilebanking.pekao
softax.pekao.powerpay
softax.pekao.mpos
dk.jyskebank.mobilbank
com.starfinanz.smob.android.bwmobilbanking
eu.newfrontier.iBanking.mobile.SOG.Retail
com.accessbank.accessbankapp
com.sbi.SBIFreedomPlus
com.zenithBank.eazymoney
net.cts.android.centralbank
com.f1soft.nmbmobilebanking.activities.main
com.lb.smartpay
com.mbmobile
com.db.mobilebanking
com.botw.mobilebanking
com.fg.wallet
com.sbi.SBISecure
com.icsfs.safwa
com.interswitchng.www
com.dhanlaxmi.dhansmart.mtc
com.icomvision.bsc.tbc
hr.asseco.android.jimba.cecro
com.vanso.gtbankapp
com.fss.pnbpsp
com.mfino.sterling
cy.com.netinfo.netteller.boc
ge.mobility.basisbank
com.snapwork.IDBI
com.lcode.apgvb
com.fact.jib
mn.egolomt.bank
com.pnbrewardz
com.firstbank.firstmobile
wit.android.bcpBankingApp.millenniumPL
com.grppl.android.shell.halifax
com.revolut.revolut
de.commerzbanking.mobil
uk.co.santander.santanderUK
se.nordea.mobilebank
com.snapwork.hdfc
com.csam.icici.bank.imobile
com.msf.kbank.mobile
com.bmm.mobilebankingapp
net.bnpparibas.mescomptes
fr.banquepopulaire.cyberplus
com.caisseepargne.android.mobilebanking
com.palatine.android.mobilebanking.prod
com.ocito.cdn.activity.creditdunord
com.fullsix.android.labanquepostale.accountaccess
mobi.societegenerale.mobile.lappli
com.db.businessline.cardapp
com.skh.android.mbanking
com.ifs.banking.fiid1491
de.dkb.portalapp
pl.pkobp.ipkobiznes
pl.com.suntech.mobileconnect
eu.eleader.mobilebanking.pekao.firm
pl.mbank
pl.upaid.nfcwallet.mbank
eu.eleader.mobilebanking.bre
pl.asseco.mpromak.android.app.bre
pl.asseco.mpromak.android.app.bre.hd
pl.mbank.mnews
eu.eleader.mobilebanking.raiffeisen
pl.raiffeisen.nfc
hr.asseco.android.jimba.rmb
com.advantage.RaiffeisenBank
pl.bzwbk.ibiznes24
pl.bzwbk.bzwbk24
pl.bzwbk.mobile.tab.bzwbk24
com.comarch.mobile.investment
com.android.vending
com.snapchat.android
jp.naver.line.android
com.viber.voip
com.gettaxi.android
com.whatsapp
com.tencent.mm
com.skype.raider
com.ubercab
com.paypal.android.p2pmobile
com.circle.android
com.coinbase.android
com.walmart.android
com.bestbuy.android
com.ebay.gumtree.au
com.ebay.mobile
com.westernunion.android.mtapp
com.moneybookers.skrillpayments
com.gyft.android
com.amazon.mShop.android.shopping
com.comarch.mobile.banking.bgzbnpparibas.biznes
pl.bnpbgzparibas.firmapp
com.finanteq.finance.bgz
pl.upaid.bgzbnpp
de.postbank.finanzassistent
pl.bph
de.comdirect.android
com.starfinanz.smob.android.sfinanzstatus
de.sdvrz.ihb.mobile.app
pl.ing.mojeing
com.ing.mobile
pl.ing.ingksiegowosc
com.comarch.security.mobilebanking
com.comarch.mobile.investment.ing
com.ingcb.mobile.cbportal
de.buhl.finanzblick
pl.pkobp.iko
pl.ipko.mobile
pl.inteligo.mobile
de.number26.android
pl.millennium.corpApp
eu.transfer24.app
pl.aliorbank.aib
pl.corelogic.mtoken
alior.bankingapp.android
com.ferratumbank.mobilebank
com.swmind.vcc.android.bzwbk_mobile.app
de.schildbach.wallet
piuk.blockchain.android
com.bitcoin.mwallet
com.btcontract.wallet
com.bitpay.wallet
com.bitpay.copay
btc.org.freewallet.app
org.electrum.electrum
com.xapo
com.airbitz
com.kibou.bitcoin
com.qcan.mobile.bitcoin.wallet
me.cryptopay.android
com.bitcoin.wallet
lt.spectrofinance.spectrocoin.android.wallet
com.kryptokit.jaxx
com.wirex
bcn.org.freewallet.app
com.hashengineering.bitcoincash.wallet
bcc.org.freewallet.app
com.coinspace.app
btg.org.freewallet.app
net.bither
co.edgesecure.app
com.arcbit.arcbit
distributedlab.wallet
de.schildbach.wallet_test
com.aegiswallet
com.plutus.wallet
com.coincorner.app.crypt
eth.org.freewallet.app
secret.access
secret.pattern