# AbereBot Returns as Escobar **blog.cyble.com/2022/03/10/aberebot-returns-as-escobar/** March 10, 2022 [During Cyble’s routine Open-Source Intelligence (OSINT) research, we came across a Twitter post](https://twitter.com/malwrhunterteam/status/1499390775775293454) wherein researchers mentioned a malware that has a name and icon similar to the legitimate anti-virus app, McAfee. While analyzing the malware we observed that the package name of the malicious app was _com.escobar.pablo. Further research helped us identify this malware as a new variant of the popular_ [banking Trojan, Aberebot. Besides stealing sensitive information such as login credentials using phishing](https://blog.cyble.com/2021/07/30/aberebot-on-the-rise-new-banking-trojan-targeting-users-through-phishing/) overlays, Aberebot has also targeted customers of 140+ banks and financial institutions across 18 countries. Cyble Research Labs has identified new features in this Aberebot variant, such as stealing data from Google Authenticator and taking the control of compromised device screens using VNC, etc. Threat Actors (TAs) have named the new variant as Escobar and published the feature details of the variant in a cybercrime forum, as shown in the figure below. ----- Figure 1- Darkweb Post About Escobar ## Technical Analysis ### APK Metadata Information App Name: McAfee Package Name: com.escobar.pablo SHA256 Hash: a9d1561ed0d23a5473d68069337e2f8e7862f7b72b74251eb63ccc883ba9459f Figure 2 shows the metadata information of an application. ----- Figure 2 – App Metadata Information The figure below shows the application icon and name displayed on the Android device. Figure 3 – App Icon and Name ## Manifest Description The malware requests users for 25 different permissions, of which it abuses 15. These dangerous permissions are listed below. **Permissions** **Description** READ_SMS Access SMSes from the victim’s device. RECEIVE_SMS Intercept SMSes received on the victim’s device READ_CALL_LOG Access Call Logs READ_CONTACTS Access phone contacts ----- READ_PHONE_STATE Allows access to phone state, including the current cellular network information, the phone number and the serial number of the phone, the status of any ongoing calls, and a list of any Phone Accounts registered on the device. RECORD_AUDIO Allows the app to record audio with the microphone, which has the potential to be misused by attackers ACCESS_COARSE_LOCATION Allows the app to get the approximate location of the device network sources such as cell towers and Wi-Fi. ACCESS_FINE_LOCATION Allows the device’s precise location to be detected by using the Global Positioning System (GPS). SEND_SMS Allows an application to send SMS messages. CALL_PHONE Allows an application to initiate a phone call without going through the Dialer user interface for the user to confirm the call. WRITE_EXTERNAL_STORAGE Allows the app to write or delete files in the device’s external storage READ_EXTERNAL_STORAGE Allows the app to read the contents of the device’s external storage WRITE_SMS Allows the app to modify or delete SMSes GET_ACCOUNTS Allows the app to get the list of accounts used by the phone DISABLE_KEYGUARD Allows the app to disable the keylock and any associated password security We observed a defined launcher activity in the malicious app’s manifest file, which loads the first screen of the application, as shown in Figure 4. Figure 4 – Launcher Activity ## Source Code Review Our static analysis indicated that the malware steals sensitive data such as Contacts, SMSes, Call logs, and device location. Besides recording calls and audio, the malware also deletes files, sends SMSes, makes calls, and takes pictures using the camera, etc., based on the commands received from the C&C server. The code snippet shown below is used by the malware to access the contacts data such as phone numbers and email addresses from the victim’s device, as shown in Figure 5. ----- Figure 5 – Code to Collect Contacts Data The code shown in Figure 6 is used by the malware to collect SMSes from the device‘s inbox and upload them to the C&C server. Figure 6 – Code to Collect Inbox SMSs The malware collects incoming SMSes from the device and uploads them to the C&C server, as shown in Figure 7. ----- Figure 7 – Code for collecting Incoming SMSs The code snippet shown below depicts the malware’s ability to collect call logs from the device and upload it to the C&C server. Figure 8 – Code to Collect Call Logs Figure 9 showcases the code that illustrates the malware‘s ability to steal application key logs. Figure 9 – Code to steal key logs In the below image, we see the code that is used by the malware to record audio from an infected device based on the TA’s command. ----- Figure 10 – Code to records Audio On the TA’s command, the malware tries to steal Google authenticator codes, as shown below. Figure 11 – Steals Google Authenticator Code The Escobar malware variant also uses VNC Viewer to remotely control the screens of an infected device, as shown below. Figure 12 – Uses VNC Viewer to Control Device Screen The malware can take pictures and also has the code to send text SMSes to a specific phone number or to all the contacts saved in the victim’s device without the user’s knowledge. Refer to figure 13 for the code used by the malware for this purpose. Figure 13 – Code to take Pictures and send SMSs ----- Acting to the commands given by the TAs C&C, the Escobar malware is capable of injecting URLs in the victim’s device, as shown below. Figure 14 – Injects URLs The malware can also steal media files from the victim’s device, as shown in the below code snippet. Figure 15 – Steals Files on the Device The image below depicts the malware’s ability to collect device location. Figure 16 – Code to Collects Device Location Figure 17 showcases the code snippet used by the Escobar malware to monitor the victim’s device notifications. Figure 17 – Code for monitoring device notifications The malware can also kill itself whenever it gets the commands from the C&C server. Figure 18 – Code to kill Itself Below are the commands used by the TAs to control the infected device: **Command** **Description** Take Photo Capture images from the device’s camera Send SMS Send SMS to a particular number Send SMS to All Contacts Send SMS to all the contact numbers saved in the device ----- Inject a web page Inject a URL Download File Download media files from the victim device Kill Bot Delete itself Uninstall an app Uninstall an application Record Audio Record device audio Get Google Authenticator Codes Steal Google Authenticator codes Start VNC Control device screen ## Conclusion Banking threats are increasing with every passing day and growing in sophistication. Escobar is one such example. The newly added features in the Escobar malware allow the malicious app to steal information from the compromised device. According to our research, these types of malware are only distributed via sources other than Google Play Store. As a result, practicing cyber hygiene across mobile devices and online banking applications is a good way to prevent this malware from compromising your system. ### Our Recommendations We have listed some essential cybersecurity best practices that create the first line of control against attackers. We recommend that our readers follow the best practices given below: ### How to prevent malware infection? Download and install software only from official app stores like Google Play Store or the iOS App Store. Use a reputed anti-virus and internet security software package on your connected devices, such as PCs, laptops, and mobile devices. Use strong passwords and enforce multi-factor authentication wherever possible. Enable biometric security features such as fingerprint or facial recognition for unlocking the mobile device where possible. Be wary of opening any links received via SMS or emails delivered to your phone. Ensure that Google Play Protect is enabled on Android devices. Be careful while enabling any permissions. Keep your devices, operating systems, and applications updated. ### How to identify whether you are infected? Regularly check the Mobile/Wi-Fi data usage of applications installed in mobile devices. Keep an eye on the alerts provided by Anti-viruses and Android OS and take necessary actions accordingly. ### What to do when you are infected? Disable Wi-Fi/Mobile data and remove SIM card – as in some cases, the malware can re-enable the Mobile Data. Perform a factory reset. ----- Remove the application in case a factory reset is not possible. Take a backup of personal media Files (excluding mobile applications) and perform a device reset. ### What to do in case of any fraudulent transaction? In case of a fraudulent transaction, immediately report it to the concerned bank. ### What should banks do to protect their customers? Banks and other financial entities should educate customers on safeguarding themselves from malware attacks via telephone, SMSes, or emails. ## MITRE ATT&CK® Techniques **Tactic** **Technique ID** **Technique Name** **Initial Access** [T1476](https://attack.mitre.org/versions/v7/techniques/T1476/) Deliver Malicious App via Other Mean. **Initial Access** [T1444](https://attack.mitre.org/versions/v7/techniques/T1444) Masquerade as Legitimate Application **Execution** [T1575](https://attack.mitre.org/versions/v7/techniques/T1575/) Native Code **Collection** [T1433](https://attack.mitre.org/techniques/T1433) Access Call Log **Collection** [T1412](https://attack.mitre.org/techniques/T1412) Capture SMS Messages **Collection** [T1432](https://attack.mitre.org/techniques/T1432) Access Contact List **Collection** [T1429](https://attack.mitre.org/techniques/T1429) Capture Audio **Collection** [T1512](https://attack.mitre.org/techniques/T1512) Capture Camera **Collection** [T1533](https://attack.mitre.org/techniques/T1533) Data from Local System **Collection** [T1430](https://attack.mitre.org/techniques/T1430) Location Tracking **Command and Control** [T1436](https://attack.mitre.org/techniques/T1436) Commonly Used Ports ## Indicators of compromise **Indicators** **Indicator** **Type** **Description** **a9d1561ed0d23a5473d68069337e2f8e7862f7b72b74251eb63ccc883ba9459f** SHA256 Escobar APK **22e943025f515a398b2f559c658a1a188d0d889f** SHA1 Escobar APK **d57e1c11f915b874ef5c86cedb25abda** MD5 Escobar APK -----