TrickMo: Trickbot’s Man-in-the-Mobile



The TrickBot banking Trojan has been known for a long time; it was first detected in 2016. Since then it has evolved into much more than a banking Trojan, and in recent months it has mainly been used as a 'dropper' that downloads and installs ransomware on the infected device.

We have written on previous occasions about how this banking Trojan for Windows works. Now it is time to look at one of the features TrickBot has been adding over the past several months: an Android application that makes it possible to steal two-factor codes received by SMS. This type of attack is known as 'Man-in-the-Mobile'.

The first detections of the malicious Android application that accompanies TrickBot date back to September 2019, as can be seen in this tweet published by the German CERT, which alerts users to an Android application that TrickBot asks them to install.

Figure: Tweet from the German CERT with an alert about the TrickBot app

The application is designed to collect all the text messages received on the infected device and forward them to the control server, where its developers can check the messages and use the authentication and transaction authorization codes.

This behavior is not new: Man-in-the-Mobile attacks were already detected in 2011, with the Zeus banking Trojan and its malicious Android component, 'ZitMo'.

Those initial versions seem to have affected customers of German banks, although we can expect them soon to include banks from the rest of Europe, the United States and the rest of the world.


How it works

The malicious app operates simply: its main function is to collect any text messages received and forward them to the attacker, who thereby obtains the two-factor authentication codes. These codes give the attacker access to the victim's bank account and allow them to make and authorize transactions.

Two curious features of the application's behaviour stand out: messages are not forwarded as soon as they are received, and they may be sent either to the control server or by SMS to the attacker.

Unlike other banking Trojans that steal text messages and send them to the control server immediately, in this case they are dispatched periodically. An HTTP request with a JSON body is made to the control server; in addition to the received messages, it also carries basic information about the device, including the Android version, the phone number, the installed applications and the battery level:

Figure: Data about the device sent to the server

Communicating the victim's phone number allows the attackers to use a capability that is rarely seen in this type of malware: sending control commands via SMS. The attackers can send a text message to the infected phone to make the malware perform some of the functions it is designed to do:

  • Update the control server URL
  • Send the new text messages that have been received
  • Update the time interval in which the Trojan wakes up to collect and send new messages
  • Uninstall the Trojan

These are the four commands that the Trojan can receive by SMS. In addition to these, it can also receive other commands from the responses received from the control server, such as:

  • Lock screen
  • Show a WebView with a specific URL
  • Send an SMS to the number indicated, with the text indicated
  • Steal pictures stored on the device

As we can see, although its main objective is the theft of received text messages, the developers have made sure to include enough functionality to be able to control the device effectively.

Figure: Code in charge of processing the SMS received

The above image shows the code that is executed every time a text message is received. As we can see, it obtains the 'extras' received, extracting both the identifier of the sending number and the content of the SMS, and then checks whether either of them contains the text string 'Freischaltcode'.


If either does contain this string, the malware processes the message as a possible command sent by the attacker via SMS. SMS commands are encrypted with RSA, and the application contains the private key needed to decrypt them. As can be seen in the image below, it decrypts the message (line 58 of the code) before processing the command.

Figure: Processing of the SMS sent by the attacker

We can see that, among all the commands, if one starts with 'sms://' it calls a function that retrieves all the newly collected messages (stored in an SQLite database) and sends them, AES-encrypted, via SMS in reply to the attacker's message.

Figure: Code that obtains and sends the SMS collected
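As an added example (not code from the article or from the TrickMo authors), the following Python triage heuristic scores a decompiled Android sample against the behaviours described above: the SMS permission set needed to collect, forward and reply by SMS, the 'Freischaltcode' command marker, the 'sms://' command prefix, and the '/c' beacon path shared by the control servers listed in the IoCs. The indicator labels, weights and sample inputs are constructed for illustration.

```python
from __future__ import annotations
from dataclasses import dataclass, field

# Permission triad needed to intercept, read and reply to SMS messages.
SMS_PERMISSIONS = {
    "android.permission.RECEIVE_SMS",
    "android.permission.READ_SMS",
    "android.permission.SEND_SMS",
}

def has_sms_triad(perms: set[str]) -> bool:
    return SMS_PERMISSIONS <= perms

def has_command_marker(strings: set[str]) -> bool:
    # Trigger word that makes the receiver treat an incoming SMS as a command
    return any("Freischaltcode" in s for s in strings)

def has_sms_exfil_command(strings: set[str]) -> bool:
    # Command prefix that triggers the AES-encrypted SMS reply with collected messages
    return any("sms://" in s for s in strings)

def has_c2_beacon_path(strings: set[str]) -> bool:
    # Both listed control servers take the beacon under "/c"; require a URL so "/config" does not match
    return any(s.startswith(("http://", "https://")) and s.endswith("/c") for s in strings)

# (label, weight, predicate); the weights are a constructed heuristic, not from the article
INDICATORS = (
    ("sms_permission_triad", 3, lambda p, s: has_sms_triad(p)),
    ("sms_command_marker", 3, lambda p, s: has_command_marker(s)),
    ("sms_exfil_command", 3, lambda p, s: has_sms_exfil_command(s)),
    ("c2_beacon_path", 1, lambda p, s: has_c2_beacon_path(s)),
)

@dataclass
class TriageResult:
    score: int = 0
    hits: list[str] = field(default_factory=list)

def triage_apk(permissions: set[str], strings: set[str]) -> TriageResult:
    """Score a sample against the indicators; a score of 5 or more warrants manual review."""
    result = TriageResult()
    for label, weight, check in INDICATORS:
        if check(permissions, strings):
            result.hits.append(label)
            result.score += weight
    return result

# Constructed inputs (not taken from a real sample) to exercise the triage
SUSPECT_PERMS = SMS_PERMISSIONS | {"android.permission.INTERNET"}
SUSPECT_STRINGS = {"Freischaltcode", "sms://", "http://c2.example.invalid/c", "SELECT * FROM sms"}
BENIGN_PERMS = {"android.permission.READ_SMS", "android.permission.INTERNET"}
BENIGN_STRINGS = {"inbox", "compose", "https://api.example.invalid/config"}
```

Feeding it the output of a strings dump and the manifest permissions of a candidate APK gives a quick first-pass filter before manual analysis.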


Conclusions

TrickMo is the new component used by the Windows TrickBot banker to steal the two-factor authentication codes its victims receive via SMS. To accomplish this, the user is asked to install TrickMo, the malicious Android application.

This app waits for new text messages, stores them locally on the device and sends them periodically to the control server together with basic information about the device. In addition, the attackers have included the possibility of sending SMS messages containing commands for the application to execute, which lets them control the phone and steal messages even when it has no internet connection or the control server goes down.

Although it seems that recent TrickMo campaigns are affecting German users, it is possible that in the future we will see new versions targeting users in other countries. We may also start to see this technique of sending control commands via SMS spread to other banking Trojans for Android, as it makes it possible to keep the malware alive even if the control server becomes unresponsive.


IoCs

Control servers:

  • hxxp://mcsoft365[.]com/c
  • hxxp://pingconnect.net/c

Hashes:

  • 284bd2d16092b4d13b6bc85d87950eb4c5e8cbba9af2a04d76d88da2f26c485c
  • 8ab1712ce9ca2d7952ab763d8a4872aa6a278c3f60dc13e0aebe59f50e6e30f6


Posted by David García

In his more than 9-year professional career, he has been involved in multiple projects, the most important being in the fields of managed security, anti-fraud and ethical hacking services, and malware analysis. He has contributed his know-how and security-related improvements to a wide variety of fraud and vulnerability analysis products. He currently oversees the smooth running of our different products and researches current fraud developments in order to showcase buguroo overseas as well as providing the development department with feedback on the latest malware and cybercriminal trends.
