Researchers have identified a new version of the Gustuff Android banking trojan that employs its own scripting engine and adds several new capabilities to improve its ability to steal financial information from compromised devices.
Gustuff first emerged a few months ago and appeared to be built on top of the code base of Marcher, an older trojan that had been around for several years. The malware spreads mainly through text messages and is designed to harvest victims’ bank information through a handful of different techniques. It also steals the victim’s contact list and uses that to spread to the people on the list, giving it a self-propagation mechanism. Researchers with the Cisco Talos Intelligence Group first came across the Gustuff trojan in April and after they published an analysis of the malware, the operators of it took down the command-and-control infrastructure used in the campaign.
However, the attackers had a back-up C2 system and have the ability to send commands to infected devices through SMS. The original domains that the Gustuff trojan used were taken offline, but the operators didn’t disappear. Since the campaign earlier this year, the Gustuff operators have taken it upon themselves to run a few others, the latest one using a new version of the malware altogether.
“A new campaign was detected around June 2019; there were no significant changes to the malware. The campaign was using Instagram, rather than Facebook, to lure users into downloading and installing malware,” Vitor Ventura and Chris Neal of Talos wrote in an analysis of the new malware.
“But a new campaign spun up at the beginning of this month, this time with an updated version of the malware. Just like in the previous version, any target that would be of no use as a potential target is still used to send propagation SMS messages. Each target is requested to send SMSs at a rate of 300 per hour. Even though the rate will be limited to the mobile plan of each target, this is an aggressive ask.”
The Gustuff trojan has a number of interesting features, including the ability to load a webview of a specific domain on command from the C2. A webview is a way for an app to display web content without using a fully functional browser. In one instance, the Talos researchers saw the Gustuff C2 send a command to an infected device to create a webview of a portal for the Australian government that hosts services for taxes and social security.
“The command was issued before the local injections were loaded (using the changearchive command). The injections were loaded from one of the C2 infrastructure servers. This command is not part of the standard activation cycle and was not part of the injections loaded by the version we analyzed in April,” Ventura and Neal said.
“This represents a change for the actor, who now appears to be targeting credentials used on the official Australian government's web portal.”
Banking trojans have been a problem for many years, going back to the earliest days of online banking, and they have continued to evolve along with the sophistication of banking sites and apps. When online banking shifted to mobile devices, the malware authors followed suit, creating trojans to mimic legitimate banking apps and others like Gustuff that stay in the background. Many of these banking trojans tend to target Android devices because of the restrictions in the Apple ecosystem and the fact that Android users can install apps from third-party app stores.
The Gustuff operators, like most competent cybercrime groups, have adapted their tactics as they’ve progressed. In addition to modifying the C2 infrastructure, they also added some other functionality, including a feature that sends a list of banking and other apps to target to each infected device after the malware is installed. The trojan also dynamically loads a list of anti-malware apps to block. The operators also put in a new method for interacting with the malware on infected devices as a way to reduce the amount of traffic it sends over the network.
“The commands related to the socks server/proxy have been removed, as has all code related to its operation. This functionality allowed the malicious operator to access the device and perform actions on the device's UI. We believe this is how the malicious actor would perform its malicious activities. We believe that after collecting the credentials, using the webviews, the actor would use this connection to interactively perform actions on the banking applications,” Ventura and Neal said.
“This functionality is now performed using the command ‘interactive,’ which will use the accessibility API to interact with the UI of the banking applications.”