# Gustuff banking botnet targets Australia **[blog.talosintelligence.com/2019/04/gustuff-targets-australia.html](https://blog.talosintelligence.com/2019/04/gustuff-targets-australia.html)** [Vitor Ventura authored this post.](https://twitter.com/_vventura) ## Executive summary Cisco Talos has uncovered a new Android-based campaign targeting Australian financial institutions. As the investigation progressed, Talos came to understand that this campaign ----- was associated with the ChristinaMorrow text message spam scam previously spotted in Australia. Although this malware's credential-harvest mechanism is not particularly sophisticated, it does have an advanced self-preservation mechanism. Even though this is not a traditional remote access tool (RAT), this campaign seems to target mainly private users. Aside from the credential stealing, this malware also includes features like the theft of users' contact list, collecting phone numbers associated names, and files and photos on the device. But that doesn't mean companies and organizations are out of the woods. They should still be on the lookout for these kinds of trojans, as the attackers could target corporate accounts that contain large amounts of money. The information collected by the malware and the control over the victim's mobile device allows their operators to perform more complex social engineering attacks. A motivated attacker can use this trojan to harvest usernames and passwords and then reuse them to login into the organization's system where the victim works. This is a good example where two-factor authentication based on SMS would fail since the attacker can read the SMS. Corporations can protect themselves from these side-channel attacks by deploying client[based two-factor authentication, such as Duo Security.](https://www.cisco.com/c/en/us/products/security/adaptive-multi-factor-authentication.html) One of the most impressive features of this malware is its resilience. If the command and control (C2) server is taken down, the malicious operator can still recover the malware control by sending SMS messages directly to the infected devices. This makes the taking down and recovery of the network much harder and poses a considerable challenge for defenders. ## The campaign The malware's primary infection vector is SMS. Just like the old-school mail worms that used the victim's address book to select the next victims, this banking trojan's activation cycle includes the exfiltration of the victim's address book. The trojan will receive instructions from the C2 to spread. ----- _Spread command from C2_ The victim receives the command sendSMSMass. Usually, this message targets four or five people at a time. The body contains a message and URL. Again, the concept is that new victims are more likely to install the malware if the SMS comes from someone they know. When a victim tries to access the URL in the SMS body, the C2 will check if the mobile device meets the criteria to receive the malware (see infrastructure section). If the device does not meet the criteria, it won't receive any data, otherwise, it will be redirected to a second server to receive a copy of the malware to install on their device. The domain on this campaign was registered on Jan. 19, 2019. However, Talos has identified that was used at least since November 2018. During the investigation, Talos was also able to determine that the same infrastructure has been used to deploy similar campaigns using different versions of the malware. ----- Distribution of victims. Talos assess with high confidence that this campaign is targeting Australian financial institutions based on several factors. Our Umbrella telemetry shows that the majority of the request comes from Australia and the majority of the phone numbers infected have the international indicative for Australia. Finally, the specific overlays are designed for Australian financial institutions, and Australia is one of the geographic regions that is accepted by the C2. _DNS queries distribution over time_ ----- The campaign doesn't seem to be growing at a fast pace. Our data shows, on average, about three requests per hour to the drop host. This request is only made upon installation, but there is no guarantee that it will be installed. This data, when analyzed with the number of commands to send SMSs that Talos received during the investigation, lead us to conclude that the malicious operator is aggressively spreading the malware, but that doesn't seem to result in the same number of new infections. _Examples of the overlays available to the malware_ Above, you can see examples of the injections that distributed to the malware as part of this specific campaign. While doing our investigation we were able to identify other malware packages with different names. Some of these might have been used on old campaigns or were already prepared for new campaigns. ## Malware technical details [During our investigation, researchers uncovered a malware known as "Gustuff." . Given the](https://www.cyberscoop.com/gustuff-malware-mobile-banking-apps/) lack of indicators of compromise, we decided to check to see if this was the same malware we had been researching. Our Threat Intelligence and Interdiction team found the Gustuff malware being advertised in the Exploit.in forum as a botnet for rent. The seller, known as "bestoffer," was, at some point, expelled from the forum. ----- _Gustuff advertising screenshot_ The companies advertised in the image above were from Australia, which matches up with the campaign we researched. The screenshots provided by the author align with the advertised features and the features that we discovered while doing our analysis. ----- _Admin panel_ The administration panel shows the application configuration, which matches the commands from the C2. _Country selection_ The administration console screenshots also show the ability to filter the results by country. In this case, "AU" is the code shown, which is Australia. ----- Based on this information, Talos assesses with high confidence that the malware is the same and this is, in fact, the Gustuff malware. ### Design In the manifest, the malware requests a large number of permissions. However, it doesn't request permissions like BIND_ADMIN. To perform some of its activities, the malware does not need high privileges inside the device, as we will explain ahead. _Permissions in the manifest_ This malware is designed to avoid detection and analysis. It has several protections in place, both in the C2 and the malware's code. The code is not only obfuscated but also packed. The packer, besides making the static analysis more complex, will break the standard debugger. _Manifest activity declaration_ ----- _Class list inside the dex file_ The main malware classes are packed, to a point where the class defined in the manifest has a handler for the MAIN category that does not exist in the DEX file. _Error when trying to debug the malware using the Android Studio IDE._ One of the side effects of this packer is the inability of Android Studio IDE to debug the code. This happens because the IDE executes the code from the Android debug bridge (ADB) by calling the activity declared in the manifest by name. Since the class does not exist at startup, the application does not run on the debugger. Although Talos analyzed the unpacked version of the code, the packer analysis is beyond the scope of this post. ----- _Check code for emulators_ As part of its defense, the malware payload first checks for emulators to prevent analysis on sandboxes. It checks for different kinds of emulators, including QEMU, Genymotion, BlueStacks and Bignox. If the malware determines that is not running on an emulator, it then performs additional checks to ensure that it won't be detected. _Code to check the existence of SafetyNet Google API_ It also checks if the Android SafetyNet is active and reporting back to the C2. This helps the ----- C2 define what actions it can do before being detected on the mobile device. _List of anti-virus packages that are checked_ The payload goes a long way to protect itself and checks for anti-virus software installed on the mobile device. The trojan uses the Android Accessibility API to intercept all interactions between the user and the mobile device. The Android developer documentation describes the accessibility event class as a class that "represents accessibility events that are seen by the system when something notable happens in the user interface. For example, when a button is clicked, a view is focused, etc." For each interaction, the malware will check if the generator is a package that belongs to the anti-virus list, the malware will abuse another feature of the Accessibility API. There is a function called "performGlobalAction" with the description below. Android documentation describes that function as "a global action. Such an action can be performed at any moment, regardless of the current application or user location in that application. For example, going back, going home, opening recents, etc." [The trojan calls this function with the action GLOBAL_ACTION_BACK, which equals the](https://developer.android.com/reference/android/accessibilityservice/AccessibilityService.html%23GLOBAL_ACTION_BACK) pressing of the back button on the device, thus canceling the opening of the anti-virus application. The same event interception is used to place the webview overlay when the user tries to access the targeted applications, allowing it to display its overlay, thus intercepting the credentials. The beaconing only starts after the application is installed and removed from the running tasks. ----- _Beaconing information_ The ID is generated for each installation of the malware, while the token remains unique. Some of the checks performed previously are immediately sent to the C2, like the safetyNet, admin and defaultSMSApp. The beaconing is sent to the URL http:///api/v2/get.php with an interval of 60 seconds. _Answer from the C2_ The C2 will check the country field, if it's empty or if the country is not targeted, it will reply with a "Unauthorized" answer. Otherwise, it will return a JSON encoded "OK," and if that is the case, the command to be executed. ----- _List of available commands_ The command names are self-explanatory. The command will be issued as an answer to the beaconing, and the result will be returned to the URL http:///api/v2/set_state.php ----- _Example of the command "changeServer"_ The commands are issued in a JSON format, and the obfuscation is part of the malware code and not added by the packer. It is a custom obfuscation partly based on base85 encoding, which is in itself unusual, in malware. Base85 encoding is usually used on pdf and postscript documentsThe configuration of the malware is stored in custom preferences files, using the same obfuscation scheme. ### Activation cycle As we have explained above, the malware has several defence mechanisms. Beside the obfuscation and the environment checks, the malware also has some interesting antisandbox mechanisms. After installation, the user needs to run the application. The user needs to press the "close" button to finish the installation. However, this won't close the application, it will send it to the background, instead. While the application is in the background, although the service is already running, the beaconing will not start. The beaconing will only start after the application is removed from the background, ultimately stopping it. This will be the trigger for the service to start the beaconing. As mentioned previously, the beaconing is done every 60 seconds. However, no command is received from the C2 until the inactiveTime field (see beaconing information image above) has at least the value of 2000000. This time resets every time the user performs some activity. After the checks, the malware becomes active, but first, it goes through seven steps, each one calling a different command: ----- 1. uploadPhoneNumbers: Exfiltrates all phone numbers that are in the contact list. Aside from the natural value of phone numbers associated with the names of their owners. Using the SMS has an initial infection vector is another possibility for the exfiltration. One of the purposes of the exfiltration of the contact list is to use them to attack other victims using SMS as an initial vector. 2. checkApps: Asks the malware to see if the packages sent as parameters are installed. The malware contains a list of 209 packages hardcoded in its source code. However, the C2 can send an updated list. _List of packages received from the C2_ 3. adminNumber: Setup of the admin phone number. In our case, the administrator phone number belongs to a mobile network in Australia. _Phone number for administration_ 4. changeServer: At this point, the malware changes the C2 to a new host, even though the API and communication protocol continues to be the same. ----- _Change server request_ The URL's for the new server is obfuscated, preventing easy network identification. 5. changeActivity: This command will set up the webview to overlay any of the target activities. _changeActivity command_ The webview injects are not hosted on the C2, they are hosted on a completely different server. 6. params: This command allows the malicious operator to change configuration parameters in the malware. During this stage of the activation cycle, the malware increases the beaconing time to avoid detection. _Command to change the beaconing_ 7. changeArchive: The final command of the activation cycle is the download of an archive. This archive is stored in the same host has the webviews. The archive is a ZIP containing several files, which is protected with a password. ----- _Change archive command_ After this activation cycle, the malware will start the collection of information activities and dissemination. ### Malicious activity Once the activation cycle ends, the trojan will start its malicious activities. These activities depend on the device configuration. Depending if the victim has any of the targeted applications, the anti-virus installed or geographic location, the malware can harvest credentials from the targeted applications, exfiltrate all personal information or simply use the victim's device to send SMS to spread the trojan The malware deploys overlaying webviews to trick the user and eventually steal their login credentials. These are adapted to the information the malicious operator wants to retrieve. The first webview overlay is created on step 6 of the activation cycle. _Pin request overlay_ ----- This overlay asks the user to provide their PIN to unlock the mobile device, which is immediately exfiltrated to the C2. The last step of the activation cycle is the download of a password-protected ZIP file. This file contains all HTML, CSS and PNG files necessary to create overlays. Talos found 189 logos from banks to cryptocurrency exchanges inside the archive, all of which could be targeted. The archive also contained all the necessary codes to target Australian financial institutions. The overlays are activated by the malicious operator using the command changeActivity, as seen on step 5 of the activation cycle. In this case, we can see that the HTML code of the overlay is stored in the C2 infrastructure. However, since the archive that is downloaded into the device has all the necessary information and the malicious actor has access to the device via SMS, the malicious operator can keep its activity even without the C2 infrastructure. ### Infrastructure The infrastructure supporting this malware is rather complex. It is clear that on all stages there are at least two layers. The infrastructure has several layers, although not being very dynamic, still has several layers each one providing some level of protection. All the IP addresses belong to the same company Hetzner, an IP-hosting firm in Germany. ## Coverage ----- [Cisco Cloud Web Security (CWS) or Web](https://www.cisco.com/c/en/us/products/security/cloud-web-security/index.html) Security Appliance (WSA) web scanning prevents access to malicious websites and detects malware used in these attacks. [Email Security can block malicious emails sent by threat actors as part of their campaign.](https://www.cisco.com/c/en/us/products/security/email-security-appliance/index.html) [Network Security appliances such as Next-Generation Firewall (NGFW), Next-Generation](https://www.cisco.com/c/en/us/products/security/firewalls/index.html) [Intrusion Prevention System (NGIPS), and Meraki MX can detect malicious activity](https://meraki.cisco.com/products/appliances) associated with this threat. [AMP Threat Grid helps identify malicious binaries and build protection into all Cisco Security](https://www.cisco.com/c/en/us/solutions/enterprise-networks/amp-threat-grid/index.html) products. [Umbrella, our secure internet gateway (SIG), blocks users from connecting to malicious](https://umbrella.cisco.com/) domains, IPs, and URLs, whether users are on or off the corporate network. Open Source SNORTⓇ Subscriber Rule Set customers can stay up to date by downloading [the latest rule pack available for purchase on Snort.org.](https://www.snort.org/products) ## Indicators of compromise (IOCs) ### Domains Facebook-photos-au.su Homevideo2-12l.ml videohosting1-5j.gq ### URLs hxxp://88.99.227[.]26/html2/2018/GrafKey/new-inj-135-3-dark.html hxxp://88.99.227[.]26/html2/arc92/au483x.zip hxxp://94.130.106[.]117:8080/api/v1/report/records.php ----- hxxp://88.99.227[.]26/html2/new-inj-135-3-white.html hxxp://facebook-photos-au[.]su/ChristinaMorrow hxxp://homevideo2-12l[.]ml/mms3/download_3.php ### IP addresses 78.46.201.36 88.99.170.84 88.99.227.26 94.130.106.117 88.99.174.200 88.99.189.31 ### Hash 369fcf48c1eb982088c22f86672add10cae967af82613bee6fb8a3669603dc48 b2d4fcf03c7a8bf135fbd3073bea450e2e6661ad8ef2ab2058a3c04f81fc3f3e 8f5d5d8419a4832d175a6028c9e7d445f1e99fdc12170db257df79831c69ae4e a5ebcdaf5fd10ec9de85d62e48cc97a4e08c699a7ebdeab0351b86ab1370557d 84578b9b2c3cc1c7bbfcf4038a6c76ae91dfc82eef5e4c6815627eaf6b4ae6f6 89eecd91dff4bf42bebbf3aa85aa512ddf661d3e9de4c91196c98f4fc325a018 9edee3f3d539e3ade61ac2956a6900d93ba3b535b6a76b3a9ee81e2251e25c61 0e48e5dbc3a60910c1460b382d28e087a580f38f57d3f82d4564309346069bd1 c113cdd2a5e164dcba157fc4e6026495a1cfbcb0b1a8bf3e38e7eddbb316e01f 1819d2546d9c9580193827c0d2f5aad7e7f2856f7d5e6d40fd739b6cecdb1e9e b213c1de737b72f8dd7185186a246277951b651c64812692da0b9fdf1be5bf15 453e7827e943cdda9121948f3f4a68d6289d09777538f92389ca56f6e6de03f0 0246dd4acd9f64ff1508131c57a7b29e995e102c74477d5624e1271700ecb0e2 88034e0eddfdb6297670d28ed810aef87679e9492e9b3e782cc14d9d1a55db84 e08f08f4fa75609731c6dd597dc55c8f95dbdd5725a6a90a9f80134832a07f2e 01c5b637f283697350ca361f241416303ab6123da4c6726a6555ac36cb654b5c 1fb06666befd581019af509951320c7e8535e5b38ad058069f4979e9a21c7e1c 6bdfb79f813448b7f1b4f4dbe6a45d1938f3039c93ecf80318cedd1090f7e341 ## Additional information ### Packages monitored pin.secret.access com.chase.sig.android com.morganstanley.clientmobile.prod com.wf.wellsfargomobile com.citi.citimobile ----- com.konylabs.capitalone com.infonow.bofa com.htsu.hsbcpersonalbanking com.usaa.mobile.android.usaa com.schwab.mobile com.americanexpress.android.acctsvcs.us com.pnc.ecommerce.mobile com.regions.mobbanking com.clairmail.fth com.grppl.android.shell.BOS com.tdbank com.huntington.m com.citizensbank.androidapp com.usbank.mobilebanking com.ally.MobileBanking com.key.android com.unionbank.ecommerce.mobile.android com.mfoundry.mb.android.mb_BMOH071025661 com.bbt.cmol com.sovereign.santander com.mtb.mbanking.sc.retail.prod com.fi9293.godough com.commbank.netbank org.westpac.bank org.stgeorge.bank au.com.nab.mobile au.com.bankwest.mobile au.com.ingdirect.android org.banksa.bank com.anz.android com.anz.android.gomoney com.citibank.mobile.au org.bom.bank com.latuabancaperandroid com.comarch.mobile com.jpm.sig.android com.konylabs.cbplpat by.belinvestbank no.apps.dnbnor com.arkea.phonegap com.alseda.bpssberbank com.belveb.belvebmobile ----- com.finanteq.finance.ca pl.eurobank pl.eurobank2 pl.noblebank.mobile com.getingroup.mobilebanking hr.asseco.android.mtoken.getin pl.getinleasing.mobile com.icp.ikasa.getinon eu.eleader.mobilebanking.pekao softax.pekao.powerpay softax.pekao.mpos dk.jyskebank.mobilbank com.starfinanz.smob.android.bwmobilbanking eu.newfrontier.iBanking.mobile.SOG.Retail com.accessbank.accessbankapp com.sbi.SBIFreedomPlus com.zenithBank.eazymoney net.cts.android.centralbank com.f1soft.nmbmobilebanking.activities.main com.lb.smartpay com.mbmobile com.db.mobilebanking com.botw.mobilebanking com.fg.wallet com.sbi.SBISecure com.icsfs.safwa com.interswitchng.www com.dhanlaxmi.dhansmart.mtc com.icomvision.bsc.tbc hr.asseco.android.jimba.cecro com.vanso.gtbankapp com.fss.pnbpsp com.mfino.sterling cy.com.netinfo.netteller.boc ge.mobility.basisbank com.snapwork.IDBI com.lcode.apgvb com.fact.jib mn.egolomt.bank com.pnbrewardz com.firstbank.firstmobile wit.android.bcpBankingApp.millenniumPL ----- com.grppl.android.shell.halifax com.revolut.revolut de.commerzbanking.mobil uk.co.santander.santanderUK se.nordea.mobilebank com.snapwork.hdfc com.csam.icici.bank.imobile com.msf.kbank.mobile com.bmm.mobilebankingapp net.bnpparibas.mescomptes fr.banquepopulaire.cyberplus com.caisseepargne.android.mobilebanking com.palatine.android.mobilebanking.prod com.ocito.cdn.activity.creditdunord com.fullsix.android.labanquepostale.accountaccess mobi.societegenerale.mobile.lappli com.db.businessline.cardapp com.skh.android.mbanking com.ifs.banking.fiid1491 de.dkb.portalapp pl.pkobp.ipkobiznes pl.com.suntech.mobileconnect eu.eleader.mobilebanking.pekao.firm pl.mbank pl.upaid.nfcwallet.mbank eu.eleader.mobilebanking.bre pl.asseco.mpromak.android.app.bre pl.asseco.mpromak.android.app.bre.hd pl.mbank.mnews eu.eleader.mobilebanking.raiffeisen pl.raiffeisen.nfc hr.asseco.android.jimba.rmb com.advantage.RaiffeisenBank pl.bzwbk.ibiznes24 pl.bzwbk.bzwbk24 pl.bzwbk.mobile.tab.bzwbk24 com.comarch.mobile.investment com.android.vending com.snapchat.android jp.naver.line.android com.viber.voip com.gettaxi.android ----- com.whatsapp com.tencent.mm com.skype.raider com.ubercab com.paypal.android.p2pmobile com.circle.android com.coinbase.android com.walmart.android com.bestbuy.android com.ebay.gumtree.au com.ebay.mobile com.westernunion.android.mtapp com.moneybookers.skrillpayments com.gyft.android com.amazon.mShop.android.shopping com.comarch.mobile.banking.bgzbnpparibas.biznes pl.bnpbgzparibas.firmapp com.finanteq.finance.bgz pl.upaid.bgzbnpp de.postbank.finanzassistent pl.bph de.comdirect.android com.starfinanz.smob.android.sfinanzstatus de.sdvrz.ihb.mobile.app pl.ing.mojeing com.ing.mobile pl.ing.ingksiegowosc com.comarch.security.mobilebanking com.comarch.mobile.investment.ing com.ingcb.mobile.cbportal de.buhl.finanzblick pl.pkobp.iko pl.ipko.mobile pl.inteligo.mobile de.number26.android pl.millennium.corpApp eu.transfer24.app pl.aliorbank.aib pl.corelogic.mtoken alior.bankingapp.android com.ferratumbank.mobilebank com.swmind.vcc.android.bzwbk_mobile.app ----- de.schildbach.wallet piuk.blockchain.android com.bitcoin.mwallet com.btcontract.wallet com.bitpay.wallet com.bitpay.copay btc.org.freewallet.app org.electrum.electrum com.xapo com.airbitz com.kibou.bitcoin com.qcan.mobile.bitcoin.wallet me.cryptopay.android com.bitcoin.wallet lt.spectrofinance.spectrocoin.android.wallet com.kryptokit.jaxx com.wirex bcn.org.freewallet.app com.hashengineering.bitcoincash.wallet bcc.org.freewallet.app com.coinspace.app btg.org.freewallet.app net.bither co.edgesecure.app com.arcbit.arcbit distributedlab.wallet de.schildbach.wallet_test com.aegiswallet com.plutus.wallet com.coincorner.app.crypt eth.org.freewallet.app secret.access secret.pattern -----