Recently, Check Point researchers have detected malware for Windows that uses the coronavirus (COVID-19) to infect its victims. This malware campaign has been dubbed 'Vicious Panda', and its main objective is the public sector in Mongolia.
The TrickBot banking Trojan has been identified for a long time; it was first detected in 2016. Since then, the Trojan has evolved to the point of being more than a banking Trojan, and in recent months it has mainly been used as a 'dropper' that downloads and installs ransomware on the infected device.
We have written on previous occasions about how this banking Trojan for Windows works. Now it's time to talk about one of the novelties that TrickBot has been incorporating for several months: an Android application that makes it possible to steal two-factor codes received by SMS. This type of attack is known as ‘Man-in-the-Mobile’.
The first detections of this malicious Android application that accompanies TrickBot date back to September 2019, as can be seen in this tweet published by the German CERT. It alerts users to an Android application that TrickBot requests users to install.
Tweet from the German CERT with an alert about the TrickBot app
The application is designed to collect all the text messages received on the infected device and forward them to the control server, where its developers can check the messages and use the authentication and transaction authorization codes.
This behavior is not new; Man-in-the-Mobile attacks were detected in 2011, through the Zeus banking Trojan and its malicious component for Android called 'ZitMo'.
Those initial versions seem to have affected German banking entity users, although we can expect that they will soon include entities from the rest of Europe, the United States and the rest of the world.
The malicious app operates simply, as its main function is to collect any text messages received and forward them to the attacker, so that they have the two-factor authentication codes. These codes will give them access to the victim's bank account and allow them to make and authorize transactions.
Two curious features of the application's functioning stand out. Messages aren't sent on right when they are received, and they may be sent either to the control server or by SMS to the attacker.
Unlike other banking Trojans that steal text messages and send them to the control server immediately, in this case they are dispatched every so often. An HTTP request is made in JSON format to the control server, which, in addition to the received messages, also sends basic information about the device. This includes the Android version, the phone number, the installed applications or the battery level:
Data about the device sent to the server
Communicating the victim's phone number allows attackers to use a functionality that isn't often seen in this type of malware: sending a control command via SMS. This way, attackers can send a text message to the infected mobile phone to make the malware perform some of the functions it is designed to do:
- Update the control server URL
- Send the new text messages that have been received
- Update the time interval in which the Trojan wakes up to collect and send new messages
- Uninstall the Trojan
These are the four commands that the Trojan can receive by SMS. In addition to these, it can also receive other commands from the responses received from the control server, such as:
- Lock screen
- Show a WebView with a specific URL
- Send an SMS to the number indicated, with the text indicated
- Steal pictures stored on the device
As we can see, although its main objective is the theft of received text messages, the developers have made sure to include enough functionality to be able to control the device effectively.
Code in charge of processing the SMS received
The above image shows the code that is executed every time a text message is received. As we can see, it obtains the ‘extras’ received, extracting both the identifier of the number that sends the message and the content of the SMS. And then it checks whether any of them contain the text string ‘Freischaltcode’.
If any do contain this string, the malware will execute the processing of a possible command received by SMS from the attacker. SMS commands are encrypted using RSA and the application contains the private decryption key. As we can see in the image below, before processing the message with the command, it decrypts the message in line 58 of the code.
Processing of the SMS sent by the attacker
We can see that, among all the commands, if one starts with ‘sms://’ it calls a function that obtains all the new messages collected (in an SQLite database) and sends them via AES-encrypted SMS in response to the attacker’s message.
Code that obtains and sends the SMS collected
TrickMo is the new component used by the Windows TrickBot banker to steal the two-factor authentication codes that their victims receive via SMS. To accomplish this, the user is asked to install TrickMo, the malicious application for Android.
This app will wait for new text messages, which are stored locally on the device and sent every so often to the control server together with basic information about the device. Additionally, attackers include the possibility of sending SMS containing commands to be executed by the application, which allows them to control the mobile and steal messages even if it is not connected to the internet or in case the control server goes down.
Although it seems that recent TrickMo campaigns are affecting German users, it is possible that in the future we will see new versions with affected users from different countries. We may also start to see an increase in the popularity of this technique of sending control commands via SMS to other banking Trojans for Android, as it makes it possible to keep malware alive even if the control server becomes unresponsive.