{
	"id": "69f28273-bcf9-4da3-a592-b7bb970a1589",
	"created_at": "2026-04-06T00:10:07.230707Z",
	"updated_at": "2026-04-10T13:12:12.495345Z",
	"deleted_at": null,
	"sha1_hash": "add316028777d3a3db8a162870a25c811dd4579b",
	"title": "The Asacub Trojan: from spyware to banking malware",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 260880,
	"plain_text": "The Asacub Trojan: from spyware to banking malware\r\nBy Roman Unuchek\r\nPublished: 2016-01-20 · Archived: 2026-04-05 21:27:50 UTC\r\nWe were recently analyzing a family of mobile banking Trojans called Trojan-Banker.AndroidOS.Asacub, and\r\ndiscovered that one of its C\u0026C servers (used, in particular, by the earliest modification we know of, as well as by\r\nsome of the more recent ones) at chugumshimusona[.]com is also used by CoreBot, a Windows spyware Trojan.\r\nThis prompted us to do a more detailed analysis of the mobile banking Trojan.\r\nThe earliest versions of Asacub that we know of emerged in the first half of June 2015, with functionality that was\r\ncloser to that of spyware Trojans than to banking malware. The early Asacub stole all incoming SMS messages\r\nregardless of who sent them, and uploaded them to a malicious server. The Trojan was capable of receiving and\r\nprocessing the following commands from the C\u0026C:\r\nget_history: upload browser history to a malicious server;\r\nget_contacts: upload list of contacts to a malicious server;\r\nget_listapp: upload a list of installed applications to a malicious server;\r\nblock_phone: turn off the phone’s screen;\r\nsend_sms: send an SMS with a specified text to a specified number.\r\nNew versions of Asacub emerged in the second half of July 2015. The malicious files that we are aware of used\r\nthe logos of European banks in their interface, unlike the early versions of the Trojan, which used the logo of a\r\nmajor US bank.\r\nThere was also a dramatic rise in the number of commands that Asacub could execute:\r\nget_sms: upload all SMSs to a malicious server;\r\ndel_sms: delete a specified SMS;\r\nset_time: set a new time interval for contacting the C\u0026C;\r\nget_time: upload the time interval for contacting the C\u0026C to the C\u0026C server;\r\nmute_vol: mute the phone;\r\nstart_alarm: enable phone mode in which the device processor continues to run when the screen goes\r\nblank;\r\nstop_alarm: disable phone mode in which the device processor continues to run when the screen goes\r\nblank;\r\nblock_phone: turn off the phone’s screen;\r\nrev_shell: remote command line that allows a cybercriminal to execute commands in the device’s\r\ncommand line;\r\nintercept_start: enable interception of all incoming SMSs;\r\nintercept_stop: disable interception of all incoming SMSs.\r\nhttps://securelist.com/the-asacub-trojan-from-spyware-to-banking-malware/73211/\r\nPage 1 of 4\n\nOne command that was very unusual for this type of malware was rev_shell, or Reverse shell, a remote command\r\nline. After receiving this command, the Trojan connects a remote server to the console of the infected device,\r\nmaking it easy for cybercriminals to execute commands on the device, and see the output (results) of those\r\ncommands. This functionality is typical of backdoors and very rarely found in banking malware – the latter aims\r\nto steal money from the victim’s bank account, not control the device.\r\nThe most recent versions of Asacub – detected in September 2015 or later – have functionality that is more\r\nfocused on stealing banking information than earlier versions. While earlier versions only used a bank logo in an\r\nicon, in the more recent versions we found several phishing screens with bank logos.\r\nOne of the screenshots was in Russian and was called ‘ActivityVTB24’ in the Trojan’s code. The name resembles\r\nthat of a large Russian bank, but the text in the screen referred to the Ukrainian bank Privat24.\r\nhttps://securelist.com/the-asacub-trojan-from-spyware-to-banking-malware/73211/\r\nPage 2 of 4\n\nPhishing screens were present in all the modifications of Asacub created since September that are known to us, but\r\nonly the window with bank card entry fields was used. This could mean that the cybercriminals only plan to attack\r\nthe users of banks whose logos and/or names they use, or that a version of Asacub already exists that does so.\r\nAfter launching, the ‘autumnal version’ of the Trojan begins stealing all incoming SMSs. It can also execute the\r\nfollowing commands:\r\nget_history: upload browser history to a malicious server;\r\nget_contacts: upload list of contacts to a malicious server;\r\nget_cc: display a phishing window used to steal bank card data;\r\nget_listapp: upload a list of installed applications to a malicious server;\r\nchange_redir: enable call forwarding to a specified number;\r\nblock_phone: turn off the phone’s screen;\r\nsend_ussd: run a specified USSD request;\r\nupdate: download a file from a specified link and install it;\r\nsend_sms: send an SMS with a specified text to a specified number.\r\nhttps://securelist.com/the-asacub-trojan-from-spyware-to-banking-malware/73211/\r\nPage 3 of 4\n\nAlthough we have not registered any Asacub attacks on users in the US, the fact that the logo of a major US bank\r\nis used should serve as a warning sign. It appears the Trojan is developing rapidly, and new dangerous features,\r\nwhich could be activated at any time, are being added to it.\r\nAs for the relationship between Asacub and the Corebot Trojan, we were unable to trace any link between them,\r\nexcept that they share the same C\u0026C server. Asacub could be Corebot’s mobile version; however, it is more likely\r\nthat the same malicious actor purchased both Trojans and has been using them simultaneously.\r\nAsacub today\r\nVery late in 2015, we discovered a fresh Asacub modification capable of carrying out new commands:\r\nGPS_track_current – get the device’s coordinates and send them to the attacker;\r\ncamera_shot – take a snapshot with the device’s camera;\r\nnetwork_protocol – in those modifications we know of, receiving this command doesn’t produce any\r\nresults, but there could be plans to use it in the future to change the protocol used by the malware to\r\ninteract with the C\u0026C server.\r\nThis modification does not include any phishing screens, but banks are still mentioned in the code. Specifically,\r\nthe Trojan keeps attempting to close the window of a certain Ukrainian bank’s official app.\r\nCode used to close a banking application\r\nIn addition, our analysis of the Trojan’s communication with its C\u0026C server has shown that it frequently gets\r\ncommands to work with the mobile banking service of a major Russian bank.\r\nDuring the New Year holidays, the new modification was actively distributed in Russia via SMS spam. In just one\r\nweek, from December 28, 2015 to January 4, 2016, we recorded attempts to infect over 6,500 unique users. As a\r\nresult, the Trojan made the Top 5 most active malicious programs. After that, the activity of the new Asacub\r\nmodification declined slightly. We continue to follow developments related to this malware.\r\nSource: https://securelist.com/the-asacub-trojan-from-spyware-to-banking-malware/73211/\r\nhttps://securelist.com/the-asacub-trojan-from-spyware-to-banking-malware/73211/\r\nPage 4 of 4",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"ETDA"
	],
	"origins": [
		"web"
	],
	"references": [
		"https://securelist.com/the-asacub-trojan-from-spyware-to-banking-malware/73211/"
	],
	"report_names": [
		"73211"
	],
	"threat_actors": [],
	"ts_created_at": 1775434207,
	"ts_updated_at": 1775826732,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/add316028777d3a3db8a162870a25c811dd4579b.pdf",
		"text": "https://archive.orkl.eu/add316028777d3a3db8a162870a25c811dd4579b.txt",
		"img": "https://archive.orkl.eu/add316028777d3a3db8a162870a25c811dd4579b.jpg"
	}
}