Tuesday, May 9, 2017

Tracking Android BankBot



Free stuff is great, isn't it? Sure, but not always, especially when it comes to security and leaked source code. Leaked or intentionally published malware source code tends to spawn new variants, as the leaks of Zeus, NukeBot, GMBot, Mirai and BankBot have shown. Any hacker wannabe can slightly modify the code and spread it with little effort, using someone else's work to steal money from bank accounts and send subscription or premium-rate text messages.



In this blog post I focus on Android BankBot, and I intend to keep the post updated with new derivatives of BankBot, including C&C's, number of bots, APK samples or hashes, distribution vector where known, targeted countries, targeted banking or financial apps, and any newly added functionality.

If you come across a new variant of Android BankBot and don't mind sharing, feel free to let me know at Lukas and I will update this blog post with your catch and a proper acknowledgement.

Feel free to share it among Android security researchers so they can contribute.


Why?

Simply to spread awareness, including infiltration details, among security researchers, AV malware analysts and maybe even potential victims; to share malicious samples, URLs and C&C's for blacklisting; and of course to help take these botnets down.

Never heard of Android BankBot?

BankBot variant distributed via SMS


Samples


[May 26, 2017]  
VT(25 /59): com.example.livemusay.myapplication
C&C: hxxp://a0138037.xsph.ru
Number of bots: ~? bots
Thanks to Nikolaos Chrysaidos



[May 26, 2017]
VT(15 /58): FlashPlayer.apk
C&C: hxxp://sh0wt1m3.gdn
Target: 31 Russian and Ukrainian banking apps
Number of bots: ~? bots

[May 25, 2017] 
C&C: hxxp://www.wewaha.mcdir.ru
Number of bots: ~? bots


[May 25, 2017]
VT(/): Flash Player.apk
Spread: hxxp://mamesikan.in.ua/Flash Player.apk
Target: 34 French, German, Turkish, Russian and Ukrainian banking apps
C&C: hxxp://zaebis.mcdir.ru
Number of bots: ~? bots


[May 25, 2017] 
VT(12 / 61): FlashPlayer.apk
Target: 31 Russian and Ukrainian banking apps
C&C: hxxp://b46.gdn
Number of bots: ~? bots


[May 25, 2017] 
VT(11 / 59): FlashPlayer.apk
Target: 31 Russian and Ukrainian banking apps
C&C: hxxp://c0m3.gdn
Number of bots: ~? bots


[May 25, 2017] 
VT(14 / 60): FlashPlayer.apk
Target: 31 Russian and Ukrainian banking apps
C&C: hxxp://r4al.gdn
Number of bots: ~? bots


[May 22, 2017]
VT(28 / 60): avito.apk
Sample: com.example.livemusay.Avito
Spread: hxxp://m.vidcp.ru/avito.apk
Target: 31 Russian and Ukrainian banking apps
C&C: hxxp://kolhoz124.ru
Number of bots: ~4 bots




[May 22, 2017]
VT(12 / 60): com.get.adobe.Flash 
Target: 27 Russian and Ukrainian banking apps
C&C: hxxp://b46.gdn
Number of bots: ~? bots



[May 20, 2017]
VT(): FEA11E5AF944C73328F81CEF0FF3768C4F78DF53
Target: 27 Russian and Ukrainian banking apps + WhatsApp, Facebook, Viber, Skype
C&C: hxxp://popularappsgames.com
Number of bots: ~54 bots



[May 19, 2017]
VT(23 /61): app-release.apk
Target: 28 Russian, Ukrainian and Polish banking apps
C&C: hxxp://zorg.byethost14.com/?cont=kliets&page=1
Number of bots: ~0 bots



[May 19, 2017]
VT(22 /58): app-release.apk
Target: 28 Russian, Ukrainian and Polish banking apps
C&C: hxxp://adm.sesok.ru/?cont=kliets&page=1
Number of bots: ~13 bots
Kudos to Oscar




[May 19, 2017]
Probably testing version
VT(23 /57): app-release.apk
C&C: hxxps://zorg-apolo.000webhostapp.com
Number of bots: ~125 bots




[May 19, 2017]
VT(26 /57): Flash players
Spread using links:
hxxp://universitysurgical.com/download/adobe/flashplayer.apk
hxxp://universitysurgical.com/download/vk/VKFOTO.apk
C&C: hxxp://62.213.67.124
Number of bots: ~? bots



[May 19, 2017]
VT(11 /61): com.get.adobe.Flash
Target: 27 Turkish banking apps
C&C: hxxp://awpdust.gdn
Number of bots: ~? bots



[May 19, 2017]
VT(11 /58): com.get.adobe.Flash
Target: 27 Turkish banking apps
C&C: hxxp://b3b3kl3r.gdn
Number of bots: ~? bots



[May 18, 2017]
Testing version for now
VT(23 /61): app-release.apk
C&C: hxxp://zorg.byethost14.com/index.php?cont=kliets&page=1
Number of bots: ~3 bots
Kudos to Fernando





[May 17, 2017]
VT(8 /60): FlashPlayer
C&C: hxxp://ch1pr0.gdn
Number of bots: ~? bots



[May 15, 2017]
VT(15 /60): turs.xrumersotre
Sample: turs.xrumersotre
C&C: hxxp://streser.ru
Number of bots: ~? bots
Kudos to Fernando


[May 15, 2017]
VT(11 /60): anu_bispro.app
C&C: hxxp://milfcheeks.com
Number of bots: ~? bots


[May 15, 2017]
VT(15 /60): 831393_0783d8_tmp_17666-menusim_3.2.51276366809.apk
C&C: hxxp://system-spy.ru
Number of bots: ~2 bots



[May 15, 2017] 
VT(25 / 61):  FotoAvito.apk
C&C: hxxp://amazingelectric.ca
Number of bots: ~29 bots
Gathered ~1502 phone numbers





[May 14, 2017]
Probably testing demo
VT(28 / 60):  com.example.livemusay.myapplication
C&C: hxxp://androixd.beget.tech
Number of bots: ~37 bots




[May 13, 2017]
VT(30 / 59): FlashPlayer.apk
Target: 27 Turkish banking apps
C&C: hxxp://ch4pr6.gdn
Number of bots: ~? bots


[May 12, 2017]
VT(12 / 58): FlashPlayer.apk
Target: 27 Turkish banking apps
C&C: hxxp://n0309.gdn
Number of bots: ~99 bots



[May 12, 2017]
VT(12 / 58): FlashPlayer.apk
Target: 27 Turkish banking apps
C&C: hxxp://ch0pr4.gdn
Number of bots: ~45 bots



[May 11, 2017]
VT(12 / 58): FlashPlayer.apk
Target: 27 Turkish banking apps
C&C: hxxp://t1lk1.gdn
Number of bots: ~78 bots



[May 9, 2017]
VT( / ): 19E9AA0DD18A97718C776B1B7C49F9E7
Koodous sample: com.inc.adobe.FlashPlayer.poh
Target: 31 Russian and Turkish banking apps
C&C: hxxp://n0309.gdn
Number of bots: ~24 bots



[May 9, 2017]
VT(23 /60 ): MKAntivirus.apk
Target: 31 Russian and Turkish banking apps
C&C: hxxp://softofmobi.lisx.ru
Number of bots: ~36 bots
Kudos to Fernando




[May 7, 2017]
Test or under development
VT( / ): FlashPlayer.apk
Koodous sample: 19B6D6DCF79FF165E870533F0ED8B94EB6D48319
Target: 31 Russian and Turkish banking apps
C&C: hxxp://t4l1sc4.gdn
Number of bots: ~0 bots


[May 7, 2017]
VT(22 / 59): FlashPlayer.apk
Target: 27 Turkish banking apps
C&C: hxxp://1nj3ct10n.gdn
Number of bots: ~113 bots


[May 7, 2017]
VT(20 /61 ): FlashPlayer.apk
Target: 31 Russian and Turkish banking apps
C&C: hxxp://r0n4ld4.gdn
Number of bots: ~90 bots



[May 6, 2017]
VT(27 / 61): FlashPlayer.apk
Koodous sample: 8a7d88126d9c703b240362bede023388
Target: 31 Russian and Turkish banking apps
C&C: hxxp://www.trolitrader.pw
Number of bots: ~88 bots





[May 6, 2017]
VT(22 / 61): FlashPlayer.apk
Koodous sample: 0da631ffa09a417904f582d8fa275b6d
Target: 27 Russian and Turkish banking apps
C&C: hxxp://tr4f0.pw
Number of bots: ~57 bots



[May 5, 2017]
Test or under development
Target: 28 Russian, Ukrainian and Polish banking apps
C&C: hxxp://intraxisinfo.info/images/folder/private/


[May 4, 2017]
Under development
C&C: hxxp://bdwiki.ru



[May 1, 2017]
VT(29 / 60):  System Files
Target: 28 Russian, Ukrainian and Polish banking apps
C&C: hxxp://firta.myjino.ru



[April 29, 2017]
VT(9 / 59): FlashPlayer.apk
Target: 31 Russian and Turkish banking apps
C&C: hxxp://ifc3yb3rs3cur1tych0.pw
Number of bots: ~56 bots




[April 25, 2017]
VT(30 / 58): MMS.apk
Target: 28 Russian, Ukrainian and Polish banking apps
C&C: hxxp://atest.mcdir.ru
Number of bots: ~240 bots
Kudos to Fernando




[February 23, 2017]
VT (33 / 60): goodish.weather.apk
VT (29 / 59): follon.weather.apk
Koodous sample: goodish.weather
Koodous sample: follon.weather
Target: 68 European banking apps
C&C: hxxp://bigbustown.pw
Number of bots: ~2800 bots
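To turn the list above into something a blocklist or DNS sinkhole can consume, here is an added Python example (my own, not part of the original post and not BankBot code) that parses entries written in the post's own "[date] / VT(...) / C&C: / Number of bots:" layout, refangs the hxxp:// URLs, separates C&C hosts from distribution hosts and flags raw IPs versus domains. The embedded input is a handful of entries copied from the list above; the function names, the field names in the parsed dicts and the output format are the example's own.

```python
import ipaddress
import re
from urllib.parse import urlsplit

# Constructed input: a few entries copied from the list above, in the same
# free-form layout the post uses (one [date] header per sample).
SAMPLE_ENTRIES = """\
[May 26, 2017]
VT(15 /58): FlashPlayer.apk
C&C: hxxp://sh0wt1m3.gdn
Target: 31 Russian and Ukrainian banking apps
Number of bots: ~? bots

[May 19, 2017]
VT(23 /61): app-release.apk
Target: 28 Russian, Ukrainian and Polish banking apps
C&C: hxxp://zorg.byethost14.com/?cont=kliets&page=1
Number of bots: ~0 bots

[May 19, 2017]
VT(26 /57): Flash players
Spread using links:
hxxp://universitysurgical.com/download/adobe/flashplayer.apk
hxxp://universitysurgical.com/download/vk/VKFOTO.apk
C&C: hxxp://62.213.67.124
Number of bots: ~? bots

[May 19, 2017]
Probably testing version
VT(23 /57): app-release.apk
C&C: hxxps://zorg-apolo.000webhostapp.com
Number of bots: ~125 bots

[May 12, 2017]
VT(12 / 58): FlashPlayer.apk
Target: 27 Turkish banking apps
C&C: hxxp://n0309.gdn
Number of bots: ~99 bots
"""

HEADER_RE = re.compile(r"^\[(?P<date>[A-Z][a-z]+ \d{1,2}, \d{4})\]\s*$")
BOTS_RE = re.compile(r"^Number of bots:\s*~?(?P<n>\d+|\?)\s*bots", re.I)
URL_RE = re.compile(r"h(?:xx|tt)ps?://\S+", re.I)   # defanged or plain URL


def refang(indicator):
    """Undo the two usual defanging conventions (hxxp:// and [.]) so the
    indicator can be parsed and matched against real traffic."""
    s = re.sub(r"^hxxp", "http", indicator.strip(), flags=re.I)
    return s.replace("[.]", ".")


def host_of(url):
    """Lower-cased hostname of a (possibly defanged) URL, no port or path."""
    return urlsplit(refang(url)).hostname


def parse_entries(text):
    """One dict per [date] header. Known fields are extracted; a bare URL line
    (as under 'Spread using links:') counts as a distribution URL; anything
    else is kept verbatim under 'notes'."""
    entries, cur = [], None
    for raw in text.splitlines():
        line = raw.strip()
        m = HEADER_RE.match(line)
        if m:
            cur = {"date": m.group("date"), "sample": None, "c2": [],
                   "spread": [], "target": None, "bots": None, "notes": []}
            entries.append(cur)
            continue
        if cur is None or not line:
            continue
        low = line.lower()
        if low.startswith("c&c:"):
            cur["c2"].extend(URL_RE.findall(line))
        elif line.startswith("VT"):
            cur["sample"] = line.split(":", 1)[1].strip()
        elif low.startswith("target:"):
            cur["target"] = line.split(":", 1)[1].strip()
        elif low.startswith("spread:") or URL_RE.match(line):
            cur["spread"].extend(URL_RE.findall(line))
        else:
            b = BOTS_RE.match(line)
            if b:   # "~? bots" means the count was not recoverable
                cur["bots"] = None if b.group("n") == "?" else int(b.group("n"))
            else:
                cur["notes"].append(line)
    return entries


def indicator_hosts(entries):
    """Unique hosts in list order, tagged with their role (c2 or spread) and
    whether they are a raw IP (block at the network layer) or a domain
    (sinkhole/RPZ). 'date' is that of the entry the host was taken from."""
    seen = {}
    for e in entries:
        for role, urls in (("c2", e["c2"]), ("spread", e["spread"])):
            for u in urls:
                h = host_of(u)
                if not h or h in seen:
                    continue
                try:
                    ipaddress.ip_address(h)
                    kind = "ip"
                except ValueError:
                    kind = "domain"
                seen[h] = {"role": role, "kind": kind, "date": e["date"]}
    return seen


def blocklist_lines(entries):
    """Plain-text blocklist, one host per line with a comment, for review
    before importing into a proxy deny-list or DNS sinkhole."""
    return ["%s  # %s %s, listed %s" % (h, v["kind"], v["role"], v["date"])
            for h, v in indicator_hosts(entries).items()]


def bot_counts(entries):
    """(sum of the bot counts that are known, number of entries with '~?')."""
    known = sum(e["bots"] for e in entries if e["bots"] is not None)
    unknown = sum(1 for e in entries if e["bots"] is None)
    return known, unknown


if __name__ == "__main__":
    ents = parse_entries(SAMPLE_ENTRIES)
    for line in blocklist_lines(ents):
        print(line)
    print("bots with a known count: %d, entries without a count: %d" % bot_counts(ents))
```

Two caveats before deploying the output: several of these C&C's sit on free or shared hosting (byethost, 000webhostapp, beget, mcdir, myjino), so block the exact hostname rather than the parent domain, and the VT detection ratios in the list are snapshots that change as vendors add signatures, so treat the C&C and distribution hosts, not the VT counts, as the stable indicators.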

