Recently an android banking bot is being advertised on a hacking forum named as ThiefBot which seems to be targeting Turkish banking users. In this blog, we will take you through the technical analysis of ThiefBot.
Thiefbot masquerades as a play store application which while installing asks for permissions to send & receive SMS, access storage, read phone contacts, camera access and turn on accessibility service.
Once the app is installed and opened it asks for accessibility permission by opening the settings and displaying a toast message to enable google play in different languages depending on locale language.
After granting all the permissions and privileges, Thiefbot performs enumeration on the infected device and downloads a zip file named inj.zip from the remote C&C server. It also sends a registration request along with the enumerated data to the C&C server and waits for the response command to execute while also being ready to perform overlay attacks.
Like Most of the Android banking Trojans, Thiefbot uses overlay attacks to trick the victims into providing Banking credentials and credit card information.
The injected page looks like a phishing page for Turkey based Papara Payment Service. It collects credit card credentials and exfiltrates it to C2 server via POST request.
ThiefBot receives remote commands from the C2 server controlled by the attacker. The commands supported by ThiefBot are:
ThiefBot also has the capability to spread itself via SMS like any other SMS worm by tweaking the Send_SMS command and manipulating contact users to download and install the app.
Thiefbot sends enumerated data to the C2 server and receives commands to be executed on the device via HTTP protocol. The sending data gets encrypted with AES encryption with hardcoded key LJH4bjl5hj9fdf6d followed by base64 encoding before sending to the server.
The commands received from the C2 server are also encrypted with AES and gets decrypted with the same key used to encrypt the data.
All the infected devices are managed by attackers through an admin panel as shown below,
The configuration parameters like C2 address, encryption key, whitelisted apps are stored in a separate class:
Xunison has detections in place to protect against this attack or vulnerabilities exploited, so customers with updated Xbrain intrusion prevention signatures are protected against this attack. Users should also ensure that they update their Xbrain regularly to prevent attackers from exploiting known vulnerabilities.
INFECTED: THIEFBOT CNC CONNECTION DETECTED AND BLOCKED
We are always looking to hear from the technical community and customers, so if you have any suggestions, comments, questions or want to enquire about any cybersecurity solution or topics then please feel free to email us at firstname.lastname@example.org.