By The PhishLabs Team | August 8, 2018
Over the past few years mobile banking trojans have been a persistent threat.
While Windows desktops and laptops once made up the lion’s share of Internet traffic, mobile devices (particularly Android) have long since become the most common means of browsing the web.
With banking trojans now incorporating such a wide range of malicious functionality, it’s hardly surprising they have become a favorite among malicious actors.
Back in March, we identified a variant of the popular banking trojan BankBot, which was dubbed BankBot Anubis. The variant packs a serious punch and incorporates a wide range of malicious functionality such as ransomware, keylogging, remote access, SMS interception, and call forwarding.
Over the past few weeks, we have identified further updates to BankBot Anubis’ source code. Here’s what changed:
No More Plain Text
The first thing to understand about banking trojans is that they typically rely on so called command and control servers (C2 servers) to maintain communication with a compromised device. It’s all very well for a banking trojan to log keystrokes and intercept SMS messages, but if there’s no way for a threat actor to access that information, it won’t do them any good.
When our analysts first identified BankBot Anubis, the static configuration file for each sample contained the URL of its designated C2 server in plain text:
Using plain text for C2 URLs is the simplest option for malware designers, but it also makes it easy for security researchers to identify and report malicious URLs. When their existing C2 URLs are quickly taken down, malware designers are forced to continually register new domains, which can interrupt their business model.
Naturally, then, the malware designers responsible for the latest versions of BankBot Anubis have come up with a solution: Base64 encoding.
Instead of using plain text in their configuration files (e.g., http://ropnoon.win) the latest versions of BankBot Anubis include base64 encoded strings like the one shown in the example above.
When decoded, these base64 strings become simpler (but still far from plain text) hexadecimal strings, also known as base16. For instance, the example above decodes to:
We have not yet been able to decode these strings to discover the specific URLs they point to.
Why go to this trouble? Because it makes it much harder for security researchers to identify and report malicious domains.
Encoded strings aren’t the only trick malware designers are using to obscure their C2 URLs. While reverse engineering the latest BankBot Anubis samples, we have also detected an interesting new trend: using public Twitter accounts to provide encoded C2 strings.
For the latest BankBot Anubis samples, the JAR file includes the URL of a public Twitter page in plain text:
If you take the time to visit that Twitter page (which of course we did) you’ll find the top two posts provide further base64 encoded strings.
Although we haven’t been able to decode these strings, it’s likely this process is designed to obfuscate the process by which BankBot Anubis samples identify and connect to live C2 servers.
What Can We Learn From This?
For the average individual or organization, the specifics of how malware variants function isn’t of great importance. After all, few individuals or organizations conduct their own malware analysis and/or design their own security controls.
What’s significant here is the fact that the BankBot Anubis malware is still being actively developed and enhanced. These latest developments make it significantly harder for the security community to disrupt Anubis’ infrastructure, ensuring individual samples of Anubis remain dangerous for longer than they previously would have.
At the same time, Anubis is still finding its way into official app stores, making it a legitimate threat for both individuals and organizations. Anubis has already proven a highly popular choice for active threat actors, so further campaigns centered around the trojan are all but inevitable.
To find out how you can protect your organization and users from Anubis and other mobile banking trojans, you can read more about the evolution of mobile banking trojans here.
And don’t forget, one of the most common tactics used to disguise banking trojans is to impersonate legitimate brands and applications. If you’re concerned about the damage these imposters could cause your brand, click here to find out more about our rogue mobile app protection service.