By The PhishLabs Team | March 13, 2018
A newly observed variant of BankBot has been discovered masquerading as Adobe Flash Player, Avito, and an HD Video Player. This variant, now detected by PhishLabs as BankBot Anubis, was first identified on March 5, 2018.
BankBot Anubis takes mobile threats to the next level incorporating ransomware, keylogger abilities, remote access trojan functions, SMS interception, call forwarding, and lock screen functionality.
Android Banking Trojans are sinister enough on their own; however, there is now a growing trend of integrating the functionality of other malware genres alongside Banker’s typical phishing overlay and SMS-stealing capabilities. According to our research, Lokibot was the first Android banking trojan to integrate ransomware functionality. Now, one BankBot actor is further upping the ante with code aimed at delivering functionality that ranges from ransomware to remote access.
When the BankBot source code was first publicly leaked, many researchers forecasted an increase in the number of threat actors using the malware and a spike in the development of new variants with unique features. This forecast has now come to fruition, and multiple variants are currently active.
When reviewing recent detections we noticed that some new network endpoints had been introduced to the command and control (C2) server infrastructure of one of the variants PhishLabs tracks. These new endpoints clued us into the new functionality and feature juicy names like locker, keylogger, and ratgate.
Figure 1 illustrates the typical set of PHP files referenced in earlier samples (left) alongside the PHP files referenced in recent samples.
Figure 1. C2 Network Endpoints
The BankBot malware’s configuration is stored in a file named ‘set.xml’ in the application’s ‘shared prefs’ directory. This file is updated following installation, giving additional clues regarding the new functionality.
Figure 2 shows an example of the static configuration and Figure 3 shows an updated version. The updated version, which stores a base64-encoded image as part of an HTML file, has been truncated for readability.
Figure 2. Static Configuration
Figure 3. Updated Configuration
Locker – AnubisCrypt
As seen in the configuration, there are several entries related to the new ransomware functionality. These include ‘htmllocker’, which is updated after installation to contain the HTML code for a lock screen. This lock screen, shown in Figure 4, contains a poorly-worded message about illicit activity being detected on the victim’s phone.
Figure 4. Lock screen
While the lock screen is reminiscent of other locking ransomware that simply disables access to the user interface, this implementation is indeed crypto ransomware. Some of the code responsible for the ransomware functionality is shown in Figure 5. The encrypted files are renamed with the extension ‘.AnubisCrypt’ and files are encrypted using a 256-bit symmetric key.
Figure 5. Ransomeware encryption/decryption code
Additional configuration fields related to the ransomware functionality include lock_btc , lock_amount, and key. These fields are updated via communication with the C2 server and were never updated during execution of the samples analyzed for this article. Figure 6 shows the code for populating these configuration entries. It appears that files encrypted with AnubisCrypt will be recoverable, based upon the symmetric key being stored in the configuration.
Figure 6. Ransomware configuration data population code
Remote Access Trojan
In addition to the ransomware functionality detailed above, this version of BankBot now contains remote access trojan (RAT) functionality. Commands available via the RAT service include Open Directory, Download File, Delete File/Folder, Start & Stop VNC, and Stop & Start Sound Recording. This functionality allows the attacker to directly manipulate the file system and monitor the victim’s activity. Figure 7 displays code for some of the aforementioned RAT functions.
Figure 7. RAT command examples
The malicious actor behind this update has also implemented keylogger functionality. The ability to record sound and log keystrokes makes this malware both potent and remarkably invasive. Figure 8 shows the implementation of the keylogger functionality, including the name of the log file.
Figure 8. Code to exfiltrate logged keystrokes
Banking Trojan & Additional Functionality
Even with all the new functionality, BankBot is still a banking trojan at heart. Like most Android bankers, BankBot monitors for a targeted application to be launched, and then overlays the legitimate app with a phishing screen to steal the victim’s credentials. It then uses its SMS theft capabilities to intercept any subsequent security codes sent from the bank.
Additional functionality found in BankBot Anubis includes:
- Monitor for attempts to remove the malware or reset the system
- Abuse accessibility features to authorize actions on behalf of the user
- Send, receive, and intercept SMS
- Lock the screen with an overlay
- Display fake notifications and alerts
- Collect system information such as installed applications, IP address, and GPS location
- Request additional permissions
- Send USSD requests
- Forward calls to a specified number
- Launch applications & open URLs
- Update command and control servers
- Clear configuration data to kill the bot
The samples analyzed for this article targeted a total of 275 unique applications from organizations across the globe. Recent additions to this list of targets include 29 cryptocurrency applications. The domains utilized for command and control in these samples were registered from a variety of geolocations, including Japan, Moldova, and France. The infrastructure was hosted on servers in Ukraine, Germany, and the Netherlands.
Nearly all of the relevant strings in the sample are in English although there are some grammatical and spelling errors. The malware configuration contains one string in Bulgarian (perehvat_sws → intercept SMS), however, the fact that this variant is based on leaked source code renders this less meaningful. This updated variant has been observed masquerading as Adobe Flash Player, Avito, and an HD Video Player.
Figure 9. Recent BankBot Anubis APK icons
We published this in an earlier blog post (The Evolution of Mobile Banking Trojans… and What To Do About Them (Part II) but it’s worth mentioning again to help safeguard against mobile threats.
As an individual, there are plenty of things you can do to minimize the chances of your devices being infected by mobile banking trojans. Among other things, you can:
- Watch out for suspicious activity on your device and associated accounts, e.g., New and unknown device admin users being added, apps requesting extensive permissions, and strange activity on accounts accessed via mobile.
- Use antivirus software. This will help you to detect indicators that can’t be identified manually.
- Don’t root your devices, and don’t change your settings to allow apps from unknown sources. Seriously, just don’t do it.
- Don’t install apps distributed by SMS, email, or ads, and don’t visit unofficial app stores.
- Exercise caution even when installing from official stores. Only follow links to applications from trusted sites, and if you’re in any doubt, don’t install.
- Keep software and operating systems up to date, as many malware variants prey on older, insecure versions.
- Enable account notifications from your bank. Most banks offer these for when certain types of activity are detected.
But of course, mobile banking trojans aren’t just an issue for individuals. If you’re concerned your organization or customers could be harmed by mobile banking trojans, there are are several steps you can take:
- Attacks will happen. Educate your customers, particularly if your organization offers one or more legitimate apps through official app stores, and provide users with best practice information.
- Allow users to report attacks or suspicious applications, and make sure you look into each reported incident.
- Make use of alternative two-factor authentication techniques (i.e., not SMS) – Physical tokens, biometrics, and one-time password applications are all good options.
- Monitor transactions and IP geolocation information to identify suspicious activity. On the same note, provide your users with an easy way of informing you about upcoming travel or significant activity in order to avoid unnecessary lockouts.
- Offer account notifications to inform your users of suspicious activity.