ThiefBot: A New Android Banking Trojan Targeting Turkish Banking Users

Introduction:

Recently, an Android banking bot named ThiefBot has been advertised on a hacking forum, and it appears to target Turkish banking users. In this blog, we walk you through the technical analysis of ThiefBot.

Fig 1. Hacking Forum Bot Ad

Technical Analysis:

ThiefBot masquerades as a Play Store application. During installation it asks for permissions to send and receive SMS, access storage, read the phone's contacts, use the camera, and turn on the accessibility service.

Fig 2. App Permissions

Once the app is installed and opened, it asks for accessibility permission by opening the Settings screen and displaying a toast message telling the user to enable "Google Play"; the toast is shown in different languages depending on the device locale.

Fig 3. Accessibility Permission

After all permissions and privileges have been granted, ThiefBot enumerates the infected device and downloads a zip file named inj.zip from the remote C&C server. It then sends a registration request containing the enumerated data to the C&C server and waits for a command to execute, while standing ready to perform overlay attacks.

Overlay Attacks:

Like most Android banking Trojans, ThiefBot uses overlay attacks to trick victims into entering their banking credentials and credit card information.

Fig 4. Javascript Injection

The injected page mimics a phishing page for the Turkey-based Papara payment service. It collects credit card details and exfiltrates them to the C2 server via a POST request.

Fig 5. Credentials Exfiltration
Fig 6. Lock Screen

Targeted Apps:

(Image: list of targeted apps)

Remote Commands:

ThiefBot receives remote commands from the attacker-controlled C2 server. The commands supported by ThiefBot are:

(Image: list of remote commands)

ThiefBot can also spread itself via SMS, like any other SMS worm, by tweaking the Send_SMS command to message the victim's contacts and manipulate them into downloading and installing the app.

C2 Communication:

ThiefBot sends the enumerated data to the C2 server and receives the commands to execute on the device over HTTP. Outgoing data is encrypted with AES using the hardcoded key LJH4bjl5hj9fdf6d and then base64-encoded before being sent to the server.

Fig 7. C2 communication

The commands received from the C2 server are also AES-encrypted and are decrypted with the same key used to encrypt the outgoing data.

Fig 8. Receiving Commands from C2 server
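Because the key is hardcoded and shared in both directions, an analyst who has the sample can decode captured registration data and C2 commands offline. The Go program below is an added example, not code from the ThiefBot sample or from the original analysis: it reproduces the encrypt-then-base64 transform and its inverse with the reported key. The page says only "AES" followed by base64, so the block mode (ECB, the default for Java's Cipher.getInstance("AES")) and PKCS#7 padding are assumptions to be confirmed against the sample's Cipher transformation string before use on real captures.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"encoding/base64"
	"errors"
)

// Hardcoded key reported in the analysis: 16 bytes, so AES-128.
const ThiefBotKey = "LJH4bjl5hj9fdf6d"

// ecb runs block.Encrypt or block.Decrypt over each 16-byte block on its own.
// ECB + PKCS#7 is an assumption for this example; the page states only "AES".
func ecb(fn func(dst, src []byte), in []byte) []byte {
	out := make([]byte, len(in))
	for i := 0; i < len(in); i += aes.BlockSize {
		fn(out[i:], in[i:])
	}
	return out
}

// EncryptC2 reproduces the bot's outbound transform: pad, AES, then base64.
func EncryptC2(key, plaintext string) (string, error) {
	block, err := aes.NewCipher([]byte(key))
	if err != nil {
		return "", err
	}
	pad := aes.BlockSize - len(plaintext)%aes.BlockSize
	pt := append([]byte(plaintext), bytes.Repeat([]byte{byte(pad)}, pad)...)
	return base64.StdEncoding.EncodeToString(ecb(block.Encrypt, pt)), nil
}

// DecryptC2 reverses it so captured registration data or C2 commands can be
// read; the padding check rejects a wrong key or a mangled capture.
func DecryptC2(key, b64 string) (string, error) {
	block, err := aes.NewCipher([]byte(key))
	if err != nil {
		return "", err
	}
	ct, err := base64.StdEncoding.DecodeString(b64)
	if err != nil || len(ct) == 0 || len(ct)%aes.BlockSize != 0 {
		return "", errors.New("not base64 of one or more whole AES blocks")
	}
	pt := ecb(block.Decrypt, ct)
	n := int(pt[len(pt)-1])
	if n == 0 || n > aes.BlockSize || !bytes.Equal(pt[len(pt)-n:], bytes.Repeat([]byte{byte(n)}, n)) {
		return "", errors.New("invalid padding: wrong key or corrupted data")
	}
	return string(pt[:len(pt)-n]), nil
}
```

Feeding the base64 body of a captured POST or C2 response to DecryptC2 with ThiefBotKey yields the plaintext if the assumed mode and padding match; a padding error is the first sign that they do not.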

All infected devices are managed by the attackers through an admin panel, shown below:

Fig 9. C2 Login Panel
Fig 10. C2 Panel

Configuration parameters such as the C2 address, the encryption key and the whitelisted apps are stored in a separate class:

Fig 11. Config Class

IOCs:

Domain: ravangame.beget.tech

Hash: 7bf12ce87f1be65f14289fe4f9a7fe4c79b145ec8dd8b1d88ce3faf9036b1836

Xunison Protection:

Xunison has detections in place for this attack and the vulnerabilities it exploits, so customers with up-to-date Xbrain intrusion prevention signatures are protected. Users should also make sure to update Xbrain regularly to prevent attackers from exploiting known vulnerabilities.

Xunison Signature:

INFECTED: THIEFBOT CNC CONNECTION DETECTED AND BLOCKED

We are always looking to hear from the technical community and customers, so if you have any suggestions, comments, questions or want to enquire about any cybersecurity solution or topics then please feel free to email us at security@xunison.com.

Author: Mitesh Wani
