In recent weeks the source code of the Cerberus Android malware has been made public, a development we have already written about on several occasions.
At the end of July, we released a report outlining our analysis of a new Android banking trojan that shared certain similarities with other popular Android banking malware families such as Cerberus and Eventbot.
At the time of our analysis this new banker had not yet received a name, but the analyst community eventually ended up calling it BlackRock.
As we discussed in our report, although this new malware shares similarities with Cerberus and Eventbot in terms of its functionality and protocol, it also differs from them in certain aspects such as protection against analysis: it does not obfuscate or encrypt its text strings, a basic protection in the other two.
After being named and recognized by the analyst community, new samples have appeared that are very similar to those of BlackRock, but with slight differences. One of the most obvious differences is the list of affected entities, since this variant only affects entities in Turkey.
The researchers who spotted this new Turkish version called it ThiefBot, although it is really a special version of BlackRock aimed at the Turkish market. Below we describe the new functionalities and the differences that exist between the two versions or variants.
BlackRock vs. ThiefBot
As previously mentioned, the main difference lies in the list of affected entities: BlackRock's list includes entities from several countries such as Spain, Italy, France, Germany, Peru and Chile, among others, whereas for ThiefBot we only found injections for Turkish entities.
The shorter list indicates that this is a version developed specifically by the attackers (probably different from the authors of BlackRock) to infect Turkish users and steal their credentials.
First of all, we must remember that neither BlackRock nor ThiefBot are trojans developed from scratch, but are rather based on the public source code of Xerxes, a banking trojan that was also based on a previous banking trojan, LokiBot. This is the main reason why both are practically the same, except for a few details.
For starters, both trojans use the same protocol based on HTTP requests sent to the control server. The commands available for both bankers are practically the same, except for one of them: ReInjection. This command is used to download a compressed file with all the injections for all the affected entities.
ReInjection command that downloads the injections from C2
This ZIP file contains the injections for each affected entity and application, separated into folders. This leads to another difference: in the case of BlackRock, the list of entities is included in the application code itself, stored in a variable, whereas ThiefBot carries no list of entities at all. Instead, the downloaded ZIP is used directly, and the trojan iterates over its directories to determine whether an app is affected or not.
Code that iterates over the injection directories to determine whether or not it should display one of them
This way of operating prevents analysts or an automated analysis system from obtaining the list of affected entities directly from the sample; the ZIP must be downloaded and its content processed. This scheme is similar to the way other families request the list of entities or the trojan's configuration from the control server.
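To recover the target list from such an archive, an analysis pipeline has to do what the trojan does and walk the folders. The following Python is an added example, not code from this post or from the malware itself; it assumes each top-level folder is named after the targeted app's package name (the post does not state the naming scheme), and the archive contents are constructed here.

```python
import io
import zipfile
from typing import Dict, List, Set

# Constructed sample: a ZIP laid out the way the post describes, with one
# top-level folder per targeted app. Folder names are ASSUMED to be package
# names; the real archive layout is not given in the post.
INJECTION_ZIP = io.BytesIO()
with zipfile.ZipFile(INJECTION_ZIP, "w") as zf:
    zf.writestr("com.example.bankA/index.html", "<html>overlay A</html>")
    zf.writestr("com.example.bankA/style.css", "body{}")
    zf.writestr("com.example.bankB/index.html", "<html>overlay B</html>")
    zf.writestr("com.example.wallet/index.html", "<html>overlay C</html>")
    zf.writestr("README.txt", "loose file, not an injection folder")


def targeted_packages(zip_bytes: bytes) -> Set[str]:
    """Recover the target list that is absent from the APK itself:
    every top-level directory in the injection archive."""
    targets: Set[str] = set()
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        for name in zf.namelist():
            # Skip absolute and traversal entries before trusting the name.
            if name.startswith("/") or ".." in name.split("/"):
                continue
            top, sep, _rest = name.partition("/")
            if sep and top:
                targets.add(top)
    return targets


def match_installed(zip_bytes: bytes, installed: List[str]) -> Dict[str, bool]:
    """Mirror the trojan's decision (is there a folder for this app?) so a
    sandbox can report which installed apps would receive an overlay."""
    targets = targeted_packages(zip_bytes)
    return {pkg: pkg in targets for pkg in installed}


if __name__ == "__main__":
    data = INJECTION_ZIP.getvalue()
    print(sorted(targeted_packages(data)))
    print(match_installed(data, ["com.example.bankA", "com.example.other"]))
```

Pointing `targeted_packages` at the archive fetched in response to the ReInjection command yields the same kind of entity list that BlackRock stores in a variable.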
With the exception of the reduced list of entities and the operating scheme based on downloading a compressed file and checking the available injections, the rest of how it works is the same for ThiefBot and BlackRock. They both support practically the same commands, and both base the theft of credentials on overlays with phishing web injections.
List of commands implemented in ThiefBot
In this case, we are facing a variant of BlackRock, or rather Xerxes, which has been used in attacks directed at Turkish users. Apparently the attackers were interested in obtaining the bank credentials of Turkish citizens and therefore have only included injections for certain entities of Turkish origin.
The authors behind this campaign don't appear to be the same as those who have been deploying BlackRock campaigns in recent months, and instead are most likely different groups with different interests, at least in terms of the selected entities, since their interest in stealing credentials is the same.
What's happened with these two banking trojans is what usually happens with malware for which the source code is released. Once published, anyone can use it as the foundation for their own creations, leading to new versions and variants.
The code of the Cerberus banking trojan was recently published, so it is only a matter of time before the same thing that happened with BlackRock and ThiefBot occurs again, with new versions, variants and even families starting to appear based on modifications made by other developers.