![Page 1: Pedro Drimel Neto - · PDF file• Common Packer • Conclusion • Q&A 3 ... Bot Commands: get installed apps, get list of calls, ... Traffic Distribution System (TDS) targeting Europe](https://reader031.vdocuments.site/reader031/viewer/2022021503/5a78fc007f8b9a523d8b9029/html5/thumbnails/1.jpg)
Pedro Drimel Neto (pedro.drimel AT int.fox-it.com)
The new era of Android banking botnets
First things first
Real-time contextual threat intelligence
$whoami
• Threat Analyst at Fox-IT focused on cybercrime. Brazilian. Proud daddy and husband. Wannabe tennis player, retired football player.
2
Thank you:
• Frank Ruiz
• Jose Miguel Esparza
• InTELL Team
• Han Sahin and Niels Croese from Securify
Agenda
• Old-fashioned Android banking malware
  • Perkele
  • iBanking
• The new era of Android banking botnets: targeting bank apps
  • Slempo/MazarBOT
  • Marcher
  • BankBot
  • Shiz/Shifu
  • Common Packer
• Conclusion
• Q&A
3
Perkele
When: March/April 2013
Propagation: social engineering / SMS
Related threats: Carberp, Citadel, ZeusP2P, Silon/Tilon
4
Perkele
Social-engineering APK installation
5
Perkele
Fake Trusteer app
6
Perkele
Author/Forum: “Forkasen” (Citadel botnets targeting Italy)
Price: 1 bank (1K USD), all banks (15K USD)
7
Perkele
Backend: PHP (this backend used an SMSC for sending SMS)
8
Perkele
Botnets: different botnets per customer, but one of them, soft1, was targeting mainly NL (11K+) and CZ (7K+), UK (3K+) and IL (3K+)
Code: no obfuscation, no encryption, really simple SMS forwarding.
C&C communication: SMS
Bot commands: ON/OFF/set admin
9
iBanking
New features: “modular” with templates, more commands such as contact list and outgoing calls.
When: October 2013
Propagation: social engineering / SMS, phishing
Related threats: ZeuS P2P
Actor: “GFF”, price 4K USD.
10
iBanking
Backend/Panel: PHP as well, and not very advanced either.
11
iBanking
12
iBanking
Usage of “templates”:
13
iBanking
Builder using templates (leaked in February 2014).
14
iBanking
Code:
• No obfuscation, still very simple
• Usage of AES to hide C&C strings, BOT_ID, etc.
15
iBanking
Code:
• Some sort of anti-emulator check
16
iBanking
C&C communication: HTTP / SMS
Bot commands: get installed apps, get list of calls, record call, get contact list, start call, send SMS.
17
Old-fashioned banking malware wrap-up
• The year was 2013
• Malicious apps used for SMS forwarding: gathering OTP (one-time password) / 2FA (two-factor authentication) codes.
• C&C changed from mostly SMS to HTTP, but still no custom communication protocol
• Malicious apps being used as part of other families' campaigns, such as ZeusP2P, Citadel, etc.
• Code not that advanced, but iBanking used some encryption and anti-analysis.
18
GMBot/Slempo/MazarBOT (new era)
When: October 2015 (traces of development since August 2015)
• Similar technique described by CERT PL in May 2015 (https://www.cert.pl/en/news/single/malware-attack-on-both-windows-and-android/)
New feature: introduces the overlay type of attack, where the malicious app “pops up” in front of the legitimate app.
Leaked in early 2016 (January/February): variants MazarBOT, Arbvall and likely others.
Related threats: unknown
Actor: GanjaMan from Exploit.IN (banned in March 2016)
19
Slempo/MazarBOT (new era)
Overlay
20
Slempo/MazarBOT (new era)
Overlay
21
Slempo/MazarBOT (new era)
Overlay
22
Slempo/MazarBOT
Overlay
23
Slempo/MazarBOT
Builder
24
Slempo/MazarBOT
Obfuscation
25
Slempo/MazarBOT
Builder
26
Slempo/MazarBOT
Distribution method: phishing, SMS, Google Play
Example of SMS: “Please install this app for your antifraud protect. hxxp://bit.ly/29DU4HA”
Traffic Distribution System (TDS) targeting Europe and AU
27
Slempo/MazarBOT
Panel
28
Slempo/MazarBOT
Panel
29
Slempo/MazarBOT
Panel
30
Slempo/MazarBOT
Target list: besides the hard-coded target list, new targets can be added dynamically through the #update_html command.
Currently, MazarBOT only delivers the HTML data if a targeted app is found on the infected device.
31
Slempo/MazarBOT
C&C communication: HTTP. We’ve seen one variant using SOCKS5 proxies, which then communicates with its C&C over the Tor network, but not lately.
32
HTTP/1.1 200 OK
Server: nginx/1.6.2 (Ubuntu)
Date: Thu, 17 Aug 2017 12:41:33 GMT
Content-Type: text/html; charset=UTF-8
Connection: keep-alive
X-Powered-By: PHP/5.6.31
Content-Length: 8829
{"command":"update html","params":{"html
version":1,"data":[{"packages":["com.paypal.android.p2pmobile"],"html":
"PGh0bWw+DQo8a...
Slempo/MazarBOT
C&C communication: one variant, called Abrvall and targeting mostly Turkey, was found using a different type of communication, still not encrypted in any way.
33
HTTP/1.1 200 OK
Server: nginx/1.6.2
Date: Wed, 17 Feb 2016 18:41:47 GMT
Content-Type: text/html; charset=UTF-8
Content-Length: 2522
X-Powered-By: PHP/5.4.45
injectslist:6f72672e776573747061632e62616e6b5e636f6d2e776573747061632e6361736874616
e6b5e61752e636f6d2e776573747061632e6f6e6c696e65696e76657374696e675e6f72672e62616e6b
696e672e776573747061632e7061797761795e636f6d2e7265762e6d6f62696c6562616e6b696e672e7
76573747061635e636f6d2e776573747061632e696c6c756d696e6174655e636f6d2e62656e6469676f
62616e6b2e6d6f62696c655e636f6d2e636f6d6d62616e6
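The two target-list formats printed on the last two slides (the JSON `update_html` command carrying base64 HTML, and the Abrvall `injectslist:` hex blob) can both be turned back into package names with a few lines. The following is an added analyst-side example, not code from the deck or from any of the families discussed. The hex is the fragment printed on the Abrvall slide (cut off mid-byte, which the decoder handles); the JSON sample is constructed in the shape of the MazarBOT capture with a placeholder string in place of the overlay HTML; and the underscored field names `update_html` / `html_version` are assumed to be what the capture prints with spaces.

```python
import base64
import json

# Fragment of the "injectslist:" response printed on the Abrvall slide. The slide cuts the
# capture off, so the hex has an odd number of digits (a dangling nibble at the end).
ABRVALL_INJECTSLIST_HEX = (
    "6f72672e776573747061632e62616e6b5e636f6d2e776573747061632e6361736874616"
    "e6b5e61752e636f6d2e776573747061632e6f6e6c696e65696e76657374696e675e6f72672e62616e6b"
    "696e672e776573747061632e7061797761795e636f6d2e7265762e6d6f62696c6562616e6b696e672e7"
    "76573747061635e636f6d2e776573747061632e696c6c756d696e6174655e636f6d2e62656e6469676f"
    "62616e6b2e6d6f62696c655e636f6d2e636f6d6d62616e6"
)

# Constructed sample in the shape of the MazarBOT "update_html" response shown above.
# The HTML is a placeholder, not an overlay from a real sample; the underscored field
# names are an assumption (the capture prints them with spaces).
PLACEHOLDER_HTML = b"<html><body>placeholder overlay</body></html>"
MAZARBOT_SAMPLE = json.dumps({
    "command": "update_html",
    "params": {
        "html_version": 1,
        "data": [
            {
                "packages": ["com.paypal.android.p2pmobile"],
                "html": base64.b64encode(PLACEHOLDER_HTML).decode("ascii"),
            }
        ],
    },
})


def decode_injectslist(body):
    """Decode an 'injectslist:<hex>' body into package names.

    The hex is plain ASCII with '^' (0x5e) between entries. Returns (packages, truncated);
    truncated is True when the capture ended mid-byte, so the last name is partial.
    """
    data = body.strip()
    if data.startswith("injectslist:"):
        data = data[len("injectslist:"):]
    data = "".join(data.split())          # re-join lines wrapped by the slide or terminal
    truncated = len(data) % 2 == 1
    if truncated:
        data = data[:-1]                  # drop the dangling nibble instead of crashing
    text = bytes.fromhex(data).decode("ascii", errors="replace")
    packages = [name for name in text.split("^") if name]
    return packages, truncated


def parse_update_html(body):
    """Parse an update_html command; returns {package_name: decoded_html_bytes}."""
    msg = json.loads(body)
    command = msg.get("command", "").replace(" ", "_")   # accept "update html" as printed
    if command != "update_html":
        raise ValueError("not an update_html command: %r" % command)
    targets = {}
    for entry in msg.get("params", {}).get("data", []):
        html = base64.b64decode(entry["html"])
        for package in entry.get("packages", []):
            targets[package] = html
    return targets


def summarize(mazarbot_body, abrvall_body):
    """Combine both formats into one sorted list of targeted package names."""
    names = set(parse_update_html(mazarbot_body))
    packages, _ = decode_injectslist(abrvall_body)
    names.update(packages)
    return sorted(names)


if __name__ == "__main__":
    pkgs, cut = decode_injectslist("injectslist:" + ABRVALL_INJECTSLIST_HEX)
    print("Abrvall targets (%d, truncated=%s):" % (len(pkgs), cut))
    for p in pkgs:
        print("  ", p)
    for p, html in parse_update_html(MAZARBOT_SAMPLE).items():
        print("MazarBOT overlay for", p, "->", len(html), "bytes of HTML")
```

Run stand-alone, the script prints the eight package names recovered from the slide (the last one, `com.commban`, is cut short by the capture) and the one MazarBOT target with the size of its decoded overlay. The `truncated` flag matters in practice: a partial last entry should not be fed into a blocklist as if it were a complete package name.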
Slempo/MazarBOT
C&C communication: bot commands
#update_html
#domain
#sms_intercept_start
#sms_intercept_stop
#sms_listen_start
#sms_listen_stop
#sms_send
#call_forward_start
#sms_blocklist_start
#apps
#proxy_start
#proxy_stop
#plugin_add
#plugin_start
#files_list
#file_transfer
#spam
#extract_phone_numbers
#open_url
34
Marcher (Exobot)
When: October 2015, in the news more from June 2016
Distribution method: phishing / social engineering, SMS
New feature: more advanced from a code-level perspective, phishing on the website itself, “proxy” module.
35
Marcher (Exobot)
Phishing page being displayed both in the app and on the website.
36
Marcher (Exobot)
Overlay
37
Marcher (Exobot)
Anti-analysis (debugging, emulator, country)
38
Marcher (Exobot)
Anti-analysis (debugging, emulator, country)
39
Marcher (Exobot)
Modules
40
Marcher (Exobot)
Modules
41
Marcher (Exobot)
Modules
• Fire CC
• Get Contacts
• Intercept ON/OFF
• Kill ON/OFF
• Notification
• Repeat Inject
• Request Coordinates
• Request Token (TODO)
• Screen Lock ON/OFF
• SMS
• SMS Redirect
• SMS to Contacts
• SMS to List
• Update Info
• USSD
42
Marcher (Exobot)
C&C communication: HTTP/HTTPS
43
Marcher (Exobot)
Backend
44
Marcher (Exobot)
Backend
45
Marcher (Exobot)
Backend
46
BankBot
When: January 2017
Distribution method: mostly through Google Play
New feature: encoded communication, target list “hashed” inside the malicious app
Actor: maza-in, source code leaked on the exploit.in forum
47
BankBot
Example of “inject” targeting Google.
48
BankBot
Backend
49
BankBot
Anti-analysis
50
BankBot
Checking targeted apps
51
BankBot
Checking targeted apps
52
BankBot
C&C communication: HTTP with “custom” encoding
POST /private/tuk_tuk.php HTTP/1.1
User-Agent: Dalvik/1.6.0 (Linux; U; Android 4.1.1; Phone Build/JRO03S)
Host: frak.mcdir.ru
Connection: Keep-Alive
Accept-Encoding: gzip
Content-Type: application/x-www-form-urlencoded
Content-Length: 71
p=48 48 48 48 48 48 48 48 48 48 48 48 48 48 48 37 5w 65 49 37 5w 65 49
53
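The request above has a few traits that make it stand out in proxy or sandbox traffic, independent of the unknown body encoding. As an added example (not code from the deck, and not BankBot's code), the following parses the captured request and scores those traits: a POST sent with the bare Dalvik user agent, a form body consisting of a single `p` field of space-separated two-character tokens, and a `/private/*.php` path. The host name is deliberately left out of the scoring so the rule does not go stale with the infrastructure. The benign request, with the hypothetical host `app.example.test`, is constructed for contrast.

```python
import re

# Request as printed on the slide (positive sample).
BANKBOT_CAPTURE = (
    "POST /private/tuk_tuk.php HTTP/1.1\r\n"
    "User-Agent: Dalvik/1.6.0 (Linux; U; Android 4.1.1; Phone Build/JRO03S)\r\n"
    "Host: frak.mcdir.ru\r\n"
    "Connection: Keep-Alive\r\n"
    "Accept-Encoding: gzip\r\n"
    "Content-Type: application/x-www-form-urlencoded\r\n"
    "Content-Length: 71\r\n"
    "\r\n"
    "p=48 48 48 48 48 48 48 48 48 48 48 48 48 48 48 37 5w 65 49 37 5w 65 49"
)

# Constructed benign request from an ordinary Android app (hypothetical host), for contrast.
BENIGN_CAPTURE = (
    "POST /api/v1/session HTTP/1.1\r\n"
    "User-Agent: Dalvik/1.6.0 (Linux; U; Android 4.1.1; Phone Build/JRO03S)\r\n"
    "Host: app.example.test\r\n"
    "Content-Type: application/x-www-form-urlencoded\r\n"
    "Content-Length: 28\r\n"
    "\r\n"
    "username=alice&remember_me=1"
)

# Body made only of a "p" field carrying two-character tokens separated by single spaces.
TOKEN_BODY = re.compile(r"^p=[0-9a-z]{2}( [0-9a-z]{2})+$")


def parse_http_request(raw):
    """Minimal parser for a raw HTTP/1.x request: request line, headers (lower-cased), body."""
    head, _, body = raw.partition("\r\n\r\n")
    lines = head.split("\r\n")
    method, path, version = lines[0].split(" ", 2)
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return {"method": method, "path": path, "version": version,
            "headers": headers, "body": body}


def beacon_indicators(raw):
    """Return the list of BankBot-style traits present in a request (empty = nothing unusual)."""
    req = parse_http_request(raw)
    reasons = []
    ua = req["headers"].get("user-agent", "")
    ctype = req["headers"].get("content-type", "")
    if req["method"] == "POST" and ua.startswith("Dalvik/"):
        reasons.append("POST sent with the bare Dalvik user agent")
    if ctype.startswith("application/x-www-form-urlencoded") and TOKEN_BODY.match(req["body"]):
        reasons.append("form body is a single 'p' field of space-separated two-character tokens")
    if "/private/" in req["path"] and req["path"].endswith(".php"):
        reasons.append("path under /private/*.php")
    return reasons


def is_suspicious(raw, min_hits=2):
    """Flag a request when at least min_hits traits co-occur (one alone is common on Android)."""
    return len(beacon_indicators(raw)) >= min_hits


if __name__ == "__main__":
    for label, capture in (("bankbot", BANKBOT_CAPTURE), ("benign", BENIGN_CAPTURE)):
        print(label, is_suspicious(capture), beacon_indicators(capture))
```

The bare Dalvik user agent on its own is not evidence of anything: many legitimate apps that use `HttpURLConnection` send it, which is why the benign sample scores one hit and is not flagged. The body shape is the discriminating trait here, and it survives a change of C&C host or path.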
Shiz
When: December 2016, first bot from November 2015
Distribution: unknown
Actor: private group
Full string encryption
Stagefright exploit
This is the only Android malware being used specifically by a private group; it has a more “professional” code style, such as full string encryption and the use of exploits (Stagefright in this case).
54
Shiz
Backend
55
Shiz
Backend
56
Shiz
Backend
57
Shiz
Backend
58
Shiz
Anti-analysis: string encryption and checking for AVs
• com.drweb
• com.kaspersky
• com.kms
• com.avast
• com.symantec
• com.antivirus
• com.avira
• com.wsandroid
• com.eset
• com.bitdefender
• com.s.antivirus
• com.pandasecurity
• com.sophos
• com.comodo
• org.antivirus
• com.abvcorp
59
Shiz
C&C communication: HTTP/HTTPS
List of commands
60
Packer
It has become very common to see the same “packer” used across families (Marcher and MazarBOT, for example); it was also used by another family (Catelites, 2015).
Packed DEX files were placed in the assets directory under “random.bat”, and recently we saw them in a “urlsDB.txt” file; every sample has its own key.
61
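Because every sample carries its own key, a static triage check cannot unpack these payloads generically, but it can spot them: a packed DEX sits in `assets/` as a file that is not what its extension claims and has the entropy of encrypted data. As an added example (not code from the deck, and not the packer itself), the following lists such entries in an APK, flagging the two file names the slide mentions as well as any asset whose byte entropy is close to 8 bits/byte. The sample APK is constructed in memory as a zip with a plain-text asset and a random 4 KiB blob under the name `urlsDB.txt`, so no real sample is needed to run it.

```python
import io
import math
import os
import random
import zipfile

# File names under which the deck reports packed DEX payloads in the assets directory.
KNOWN_PACKED_ASSET_NAMES = {"random.bat", "urlsDB.txt"}


def shannon_entropy(data):
    """Bits per byte: 0.0 for empty input, up to 8.0 for uniformly random bytes."""
    if not data:
        return 0.0
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in counts if c)


def triage_apk_assets(apk_bytes, entropy_threshold=7.5, min_size=1024):
    """List assets/ entries that look like packed payloads.

    Returns [(entry_name, entropy, reasons)], one tuple per flagged entry. Encrypted or
    compressed data sits close to 8 bits/byte; text and XML stay far below the threshold.
    Files smaller than min_size are not judged on entropy because the estimate is noisy.
    """
    findings = []
    with zipfile.ZipFile(io.BytesIO(apk_bytes)) as apk:
        for info in apk.infolist():
            if info.is_dir() or not info.filename.startswith("assets/"):
                continue
            data = apk.read(info)
            entropy = shannon_entropy(data)
            reasons = []
            if os.path.basename(info.filename) in KNOWN_PACKED_ASSET_NAMES:
                reasons.append("asset name previously seen carrying a packed DEX")
            if len(data) >= min_size and entropy >= entropy_threshold:
                reasons.append("entropy %.2f bits/byte >= %.2f" % (entropy, entropy_threshold))
            if reasons:
                findings.append((info.filename, round(entropy, 2), reasons))
    return findings


def build_sample_apk():
    """Constructed stand-in for an APK: a zip with a manifest, a DEX stub, a benign
    text asset and a 4 KiB random blob under the asset name mentioned on the slide."""
    rng = random.Random(1234)                      # fixed seed: deterministic sample
    blob = bytes(rng.getrandbits(8) for _ in range(4096))
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as apk:
        apk.writestr("AndroidManifest.xml", "<manifest/>")
        apk.writestr("classes.dex", b"dex\n035\x00" + b"\x00" * 64)
        apk.writestr("assets/terms.txt", "Terms of service: lorem ipsum dolor sit amet. " * 40)
        apk.writestr("assets/urlsDB.txt", blob)
    return buf.getvalue()


if __name__ == "__main__":
    for name, entropy, reasons in triage_apk_assets(build_sample_apk()):
        print("%s  entropy=%.2f  %s" % (name, entropy, "; ".join(reasons)))
```

On the constructed sample only `assets/urlsDB.txt` is reported, with both reasons. Against real APKs the entropy rule also fires on legitimate compressed assets (images, fonts, media), so it is a triage hint that points an analyst at the file to unpack, not a verdict on its own.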
Wrap-up: timeline of recent Android malware families
(Figure: the families below are placed on a year axis; only the text of the slide is recoverable here.)
Axis: 2013, 2014, 2015, 2016, 2017
Families on the timeline, in the order they appear on the slide: Slempo/MazarBOT, Marcher, Shiz, Perkele, iBanking, BankBot, Marcher, MazarBOT
Annotations on the timeline:
• SMS forwarding
• Usage by private and non-private groups
• Targeting bank and social media apps
• Seems mostly targeting CC data
• Distribution on Google Play, phishing
• Unknown usage by private groups (except Shiz)
• Packing, anti-analysis, encryption/obfuscation
62
Takeaways
1. There’s a clear evolution in coding level: string encryption, anti-analysis, C&C communication, packing, target lists on the infected device and on the server side, backend filtering of bad bots.
2. The distribution method has changed as well, from social engineering (tied to Windows malware) to broad infection such as Google Play, phishing or direct SMS.
3. For the most part, mobile banking Trojans are being sold/leaked on underground forums and sold as a kit; after the initial posts we ended up seeing more malicious files in the wild.
4. Private groups (like Shiz) tend to develop even better malicious files: full string encryption, obfuscation, usage of exploits.
5. New-era mobile banking Trojans haven’t been used (from our perspective) by other malware, unlike old-fashioned mobile banking Trojans, which were used by Citadel, ZeusP2P, etc.
6. Even though a lot has been said about modern mobile banking Trojans being able to directly attack bank apps, what we’ve seen in fact is that they are grabbing more CC data than actual logins/passwords.
63
Questions
64
Thank you
Targets – Slempo/MazarBOT
66
Targets – Marcher
67
Targets – Shiz
68
Targets – BankBot
69