Nowadays, more and more people use their mobile devices to carry out their everyday tasks, such as managing their bank accounts, which has resulted in an upward trend in the amount of malware detected for these types of platforms.
Here, at buguroo, we have noticed this upward trend in the number of detections as well as a rise in the samples of the mobile banking type identified.
This leads us to the conclusion that these types of threats are going to become increasingly sophisticated. This article provides an overview of the history of the BankBot/Anubis banking trojan, examining its evolution over the years and comparing it with the latest samples found in order to ascertain its origin and the way in which it has evolved, not only from a technical point of view but also from the perspective of criminals’ interests.
As a result of the excellent work carried out by Lukas Stefanko in tracking the Bankbot, we have a clear insight into how and when the different variants of this trojan have gradually surfaced.
First version discovered in the Russian forum underworld It was first sighted by Dr. Web in early 2017. This sighting was published openly at the end of 2016 in forums such as nora.biz, forum.exploit.in and a0007517.xsph.ru. To date, access to the original code can still be gained in one of these forums.
In this first campaign, the malware’s primary target was the theft of credentials from Russian banks. To this end, in its initial version, Bankbot passed itself off as Google applications, such as Google Play.
It had the following functionalities:
- Collection of the victim’s contacts.
- SMS mailing and takeover.
- Privilege escalation.
- Access to geolocation information.
- A banker module that consisted in popping up a fake overlay page of the target bank once the victim opened the legitimate application.
- Anti-detection techniques. Seeking known antivirus applications installed in the device.
An interesting detail is that the original C&C code did not have a login system; hence, anyone could gain access to the functionalities it contained (Connected Bots, logs, etc.), which, moreover, had been programmed intentionally by the initial developer, as can be seen in one of their comments in the forums.
Campaña “Good Weather”
On February 22, 2017, ESET published the detection of a banking trojan that had succeeded in bypassing Google’s security mechanism and entering the Google Play market posing as a weather forecast application.
This time, the campaign’s target was Turkish banks and the functionalities were the same as in the previous case plus a new functionality, the ability to lock and unlock the device. It is suspected that this functionality was added to keep the user blocked while funds were being withdrawn from the victim’s bank account.
Second wave of fake weather apps
The day after the preceding publication, ESET announced that it had found more malware impersonating weather applications. The only difference with the previous one was that now the targets were many more banking institutions (69 to be specific) in different countries, such as England, Austria, Germany and Turkey.
The appearance of BankbotAlpha
On April 26, 2017, Fortinet published an article announcing that it had sighted a new variant of the one known to date as Bankbot, which was to be called BankBot Alpha. Following Fortinet’s analysis, the conclusion was reached that the new version was clearly a derivation of the original one owing to the multiple coincidences in the code, such as the use of the same strings and spelling mistakes in the comments. Unlike the original, this new version had fewer functionalities, such as disabling antivirus software, a smaller number of bank-supported applications, messaging and code obfuscation.
In 2019 Bankbot is still active and present by old malware versions but also by new emerging ones. If you are interested in learning more about Bankbot presence this year, in the following Whitepaper buguroo addresses a detailed technical analysis about Bankbot malware activity nowadays.
Learn more about how bugFraud is able to detect, among others type of attacks, malware like Bankbot to commit banking fraud in our site www.buguroo.com