{
	"id": "babf1cfe-3108-466c-8e54-8180b305f6c0",
	"created_at": "2026-04-06T00:06:11.137993Z",
	"updated_at": "2026-04-10T13:11:20.475077Z",
	"deleted_at": null,
	"sha1_hash": "827a314e8238f192ac09920ee9657e00af404228",
	"title": "Gustuff return, new features for victims",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 1093425,
	"plain_text": "Gustuff return, new features for victims\r\nBy Vitor Ventura\r\nPublished: 2019-10-21 · Archived: 2026-04-05 19:22:48 UTC\r\nMonday, October 21, 2019 10:46\r\nBy Vitor Ventura with contributions from Chris Neal.\r\nExecutive summary\r\nThe Gustuff banking trojan is back with new features, months after initially\r\nappearing targeting financial institutions in Australia. Cisco Talos first reported on\r\nGustuff in April. Soon after, the actors behind Gustuff started by changing the\r\ndistribution hosts and later disabled its command and control (C2) infrastructure.\r\nThe actor retained control of their malware since there is a secondary admin\r\nchannel based on SMS.\r\nThe latest version of Gustuff no longer contains hardcoded package names, which dramatically lowers the static\r\nfootprint when compared to previous versions. On the capability side, the addition of a \"poor man scripting\r\nengine\" based on JavaScript provides the operator with the ability to execute scripts while using its own internal\r\ncommands backed by the power of the JavaScript language. This is something that is very innovative in the Android\r\nmalware space.\r\nThe first version of Gustuff that we analyzed was clearly based on Marcher, another banking trojan that's been\r\nactive for several years. Now, Gustuff has lost some of its similarities to Marcher, displaying changes in its\r\nmethodology after infection.\r\nhttps://blog.talosintelligence.com/2019/10/gustuffv2.html\r\nPage 1 of 12\n\nToday, Gustuff still relies primarily on malicious SMS messages to infect users, mainly targeting users in\r\nAustralia. Although Gustuff has evolved, the best defense remains token-based two-factor authentication, such as\r\nCisco Duo, combined with security awareness and the use of only official app stores.\r\nCampaigns\r\nAfter Talos' initial report, the Gustuff operators changed their deployment\r\nredirections. 
When those were blocklisted, the actors eventually disabled the C2,\r\nbut they never totally stopped operations. Several samples were still around, but\r\nthe hardcoded C2 was not available. A new campaign was detected around June\r\n2019, with no significant changes to the malware. The campaign was using\r\nInstagram, rather than Facebook, to lure users into downloading and installing\r\nmalware.\r\nDomain hits in June\r\nThe Instagram-related domains are used for the initial infection, using the exact same method of operation as\r\nbefore.\r\nBut a new campaign spun up at the beginning of this month, this time with an updated version of the malware.\r\nJust like in the previous version, any infected device that is of no use as a fraud target is still used to send\r\npropagation SMS messages. Each target is requested to send SMSs at a rate of 300 per hour. Even though the rate\r\nwill be limited to the mobile plan of each target, this is an aggressive ask.\r\nDomain hits in October\r\nThis method of propagation has a low footprint, since it uses SMS alone, but it doesn't seem to be particularly\r\neffective, given the low number of hits we've seen on the malware-hosting domains.\r\nTargeted applications\r\nJust as before, this campaign mainly targets Australian banks and digital currency wallets. This new version seems\r\nto target hiring sites' mobile apps.\r\nOne of Gustuff's capabilities is the dynamic loading of webviews. 
It can receive a command to create a webview\r\ntargeting specific domains, while fetching the necessary injections from a remote server.\r\nRequest / Result\r\nDuring our investigation, we received a command from the C2 to target the Australian\r\nGovernment Portal that hosts several public services, such as taxes and social security. The command was issued\r\nbefore the local injections were loaded (using the changearchive command). The injections were loaded from one\r\nof the C2 infrastructure servers. This command is not part of the standard activation cycle and was not part of the\r\ninjections loaded by the version we analyzed in April.\r\nThis represents a change for the actor, who now appears to be targeting credentials used on the official Australian\r\ngovernment's web portal.\r\nTechnical analysis\r\nThis new version of Gustuff seems to be another step in its planned evolution. This\r\nmalware is still deployed using the same packer, but\r\nthere are several changes in the activity cycle, which take advantage of functionalities that were either already\r\nthere or were being prepared. One of the changes in the behaviour is the state persistence across installations.\r\nID file\r\nDuring the activation process, the malware attempts to create a file called \"uu.dd\" in the external storage. If the\r\nfile exists, it will read the UUID value stored inside it that will be used as an ID for the C2. When this happens,\r\nthe malware won't go through the whole activation process. Instead, it will receive commands from the C2\r\nimmediately. This file already existed in previous versions. However, the behaviour described above was never\r\nobserved.\r\nThe main API follows the same philosophy. 
Gustuff pings the C2 at a predetermined interval, which will either\r\nreply with an \"ok\" or issue the command to be executed.\r\nThe targeted applications are no longer hardcoded in the sample. They are now provided to the malware during the\r\nactivation cycle using the command \"checkApps.\" This command already existed on the previous version, but its\r\nusage during the activation cycle was not mandatory.\r\ncheckApps Command\r\nThe list of anti-virus/anti-malware software that Gustuff blocks as a self-defense mechanism is now also loaded\r\nduring the activation cycle.\r\nExamples of applications it blocks (not full list)\r\nThese changes in the Gustuff activation cycle indicate that the actor decided to lower the malware static analysis\r\nfootprint by removing the hard-coded lists. Both commands already existed in the communication protocol and\r\ncould have been used at runtime.\r\nCommand / Result\r\nDuring the activation cycle, the malware now asks the user to update their credit card information. The difference\r\nis that it does not immediately show a panel for the user to provide the information. Instead, it will wait for the\r\nuser to do it and — leveraging the Android Accessibility API — will harvest it. This method of luring the victim to\r\ngive up their credit card information is less obvious, increasing the chances of success, even if it takes longer.\r\nThe communication protocol now has a secondary command execution control. 
Each command is issued with a\r\nunique ID, which is then used by Gustuff to report on the command execution state.\r\nCommand execution control\r\nThis allows the malicious actor to know exactly in which state the execution is, while\r\nbefore, it would only know if the command was received and its result. This new control mechanism also\r\nenabled the asynchronous command capability. The malware operator can now issue asynchronous commands\r\nthat will receive feedback on their execution while performing other tasks — \"uploadAllPhotos\" and \"uploadFile\"\r\nare two such commands.\r\nWith these changes, the malicious actor is obtaining better control over the malware while reducing its footprint.\r\nThis version of Gustuff has substantial changes in the way it interacts with the device. The commands related to\r\nthe socks server/proxy have been removed, as has all the code related to its operation. This functionality allowed the\r\nmalicious operator to access the device and perform actions on the device's UI. We believe this is how the\r\nmalicious actor would perform its malicious activities. We believe that after collecting the credentials, using the\r\nwebviews, the actor would use this connection to interactively perform actions on the banking applications.\r\nThis functionality is now performed using the command \"interactive,\" which will use the accessibility API to\r\ninteract with the UI of the banking applications. This method is less \"noisy\" on the network, since it takes\r\nadvantage of the C2 connection, rather than creating new connections.\r\nThe command \"script\" is also new. This is a very simple command with huge potential. Gustuff starts a\r\nWebChromeClient with JavaScript enabled. 
Afterward, it adds a JavaScript interface to the webview, which will\r\nallow the execution of methods defined in the malware code.\r\nJavaScript scripting\r\nBy default, the WebView object already has access to the filesystem. While this is not an additional security risk in this\r\ncontext, it allows the operator to run all kinds of scripts to automate its tasks, especially when the script also has\r\naccess to commands from the application.\r\nConclusion\r\nThis is an evolving threat, and the actor behind it seems to want to press on, no\r\nmatter the level of coverage this campaign gets. Instead, they changed the malware\r\ncode to have a lower detection footprint on static analysis, especially after being\r\nunpacked. Although there are no changes in the way it conducts the campaign,\r\nthe actor still changed the way it uses the malware to perform its fraudulent\r\nactivities. The main target continues to be banking and cryptocurrency wallets.\r\nHowever, based on the apps list and code changes, it is safe to assume that the\r\nactor behind it is looking for other uses of the malware.\r\nCoverage\r\nSnort SID: 51908-51922\r\nAdditional ways our customers can detect and block this threat are listed below.\r\nAdvanced Malware Protection (AMP) is ideally suited to prevent the execution of the malware used by these\r\nthreat actors. 
Exploit Prevention present within AMP is designed to protect customers from unknown attacks such\r\nas this automatically.\r\nCisco Cloud Web Security (CWS) or Web Security Appliance (WSA) web scanning prevents access to malicious\r\nwebsites and detects malware used in these attacks.\r\nEmail Security can block malicious emails sent by threat actors as part of their campaign.\r\nNetwork Security appliances such as Next-Generation Firewall (NGFW), Next-Generation Intrusion Prevention\r\nSystem (NGIPS), and Meraki MX can detect malicious activity associated with this threat.\r\nAMP Threat Grid helps identify malicious binaries and build protection into all Cisco Security products.\r\nUmbrella, our secure internet gateway (SIG), blocks users from connecting to malicious domains, IPs, and URLs,\r\nwhether users are on or off the corporate network.\r\nOpen Source Snort Subscriber Rule Set customers can stay up to date by downloading the latest rule pack\r\navailable for purchase on Snort.org.\r\nIOCs\r\nHashes\r\n5981f8ec5b35f3891022f1f1cdbf092c56a9b0ac8acbcd20810cc22e7efb5e0b - SexyJassica.apk\r\n03d1a55ce6879d79239db32c2c8e83c4a3e10cb9123d513ce7fd04defb971886 - gscptzorx.jar\r\n3027fbd59b8dd25dcabd21800d8e8ab3222a1ae3e2d268857def4311bb01ea2e - gscptzorx.dex\r\nb13e6d70b07d6127d803d2374ebfb1e66a3b4cfd865cc2eb0e45455401be527e - flash\r\n65a7d4f9b3549198b008a089d0c8feb30c5409efc52e8a496f503fa262a6e922 - flash2\r\nSource: https://blog.talosintelligence.com/2019/10/gustuffv2.html",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia"
	],
	"origins": [
		"web"
	],
	"references": [
		"https://blog.talosintelligence.com/2019/10/gustuffv2.html"
	],
	"report_names": [
		"gustuffv2.html"
	],
	"threat_actors": [],
	"ts_created_at": 1775433971,
	"ts_updated_at": 1775826680,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/827a314e8238f192ac09920ee9657e00af404228.pdf",
		"text": "https://archive.orkl.eu/827a314e8238f192ac09920ee9657e00af404228.txt",
		"img": "https://archive.orkl.eu/827a314e8238f192ac09920ee9657e00af404228.jpg"
	}
}