{
	"id": "a7644460-8526-4167-8e03-9b5799f427ee",
	"created_at": "2026-04-06T00:14:50.795892Z",
	"updated_at": "2026-04-10T03:31:13.099111Z",
	"deleted_at": null,
	"sha1_hash": "edd892d4ccbd311857784017f4e1a79d77cfceb0",
	"title": "Geost botnet. The story of the discovery of a new Android banking trojan from an OpSec error",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 670550,
	"plain_text": "Geost botnet. The story of the discovery of a new Android banking\r\ntrojan from an OpSec error\r\nArchived: 2026-04-05 13:42:50 UTC\r\nSebastian García\r\nStratosphere Laboratory and Czech Technical University in Prague, Czech Republic\r\nMaria Jose Erquiaga\r\nStratosphere Laboratory and UNCUYO University, Argentina\r\nAnna Shirokova\r\nAvast Software, Czech Republic\r\nAbstract\r\nMaintaining good operational security (OpSec) is difficult because it increases the cost of work and decreases\r\nthe speed of actions. This is true both for security analysts and for attackers. This paper describes a new botnet,\r\nwhich we called Geost, discovered thanks to multiple OpSec mistakes made by the attackers. The mistakes\r\nincluded: the use of the HtBot malware’s illegal proxy network; failing to encrypt the command-and-control\r\nservers; re-using security services; trusting other attackers that practise even less operational security; and failing\r\nto encrypt chat sessions. As far as we know, the Geost botnet has hundreds of malicious domains, 13 C\u0026C servers,\r\napproximately 800,000 victims in Russia, and potential access to several million Euros in bank accounts.\r\nMoreover, the operational security mistakes led to the discovery of the names of members of an underground\r\ngroup related to the Geost botmasters. It is seldom possible to gain such an insight into the decisions taken by\r\nattackers due to failures in their operational security. This paper summarizes the mistakes and the risks taken by\r\nthe botmasters, provides an overview of the botnet operation, an analysis of the victims, and a study of the social\r\nrelationships of the developers.\r\n1. Introduction\r\nIt has always been difficult to know exactly how botnet owners (botmasters) operate. It is a complex task to\r\nunderstand the details of their decisions, to see inside their command-and-control (C\u0026C) channels, and to glimpse\r\ninto their conversations. 
The three main reasons why it has been difficult to find this information are:\r\n1. Malware authors operate some degree of operational security (from now on OpSec) in order to hide\r\ninformation.\r\n2. The C\u0026C channels are implemented using evasive techniques, such as random domain names,\r\noverwhelming analysts with information.\r\nhttps://www.virusbulletin.com/virusbulletin/2019/10/vb2019-paper-geost-botnet-story-discovery-new-android-banking-trojan-opsec-error/\r\nPage 1 of 23\n\n3. It may not legally be possible for analysts to access data and communications in remote servers.\r\nWith all these obstacles combined, the security community rarely sees how botmasters operate, make decisions,\r\nand protect their communications.\r\nOpSec failures have been the reason for multiple important discoveries in cybersecurity. OpSec can be defined as\r\na ‘risk management process that encourages managers to view operations from the perspective of an adversary in\r\norder to protect sensitive information from falling into the wrong hands’ [1]. The consensus is that OpSec\r\ndecisions should be carefully designed to be effective against a certain risk. Problems in OpSec are not limited to\r\ntechnical mistakes but include mistakes made in the correct evaluation of the risks taken, and the countermeasures\r\napplied for protection.\r\nThis paper presents a very rare case of a chain of OpSec mistakes leading to the discovery of a new Android\r\nbanking botnet targeting Russian citizens. It is unusual because the discovery was made when the botmasters\r\ndecided to trust a malicious proxy network called HtBot. Our security laboratory had already been running\r\nsamples of the HtBot malware for months when a traffic analysis revealed a group of infected computers being\r\nused to manage infected Android phones. The HtBot malware provides a proxy service that can be rented to\r\nprovide secure connecting hosts for malicious activity. 
Our analysis of this HtBot communication led to the\r\ndiscovery and disclosure of a large operation infecting Android-based phones.\r\nAfter the initial discovery of the Geost botnet, the method of analysis consisted of extracting more information\r\nabout the attacks, the victims, the operations, its capabilities, and finally, about the group of developers related to\r\nthe Geost botnet. Using threat-hunting pivoting techniques, it was possible to uncover the C\u0026C channels, the\r\ndomains and IP addresses. Given that more than 72,600 victims were uncovered in just one C\u0026C server, and there\r\nare at least 13 C\u0026C channels, a conservative estimate of the total number of victims was calculated at 871,200.\r\nThe OpSec failures of the Geost botmasters were significant enough to allow us to recover a large amount of\r\ninformation. First, the attackers had a flawed risk model when choosing the appropriate communication platform\r\nfor hiding their tracks. They picked an illegal proxy network, not knowing that the network was being\r\nmonitored by our laboratory. Instead of trusting a good communication provider, they trusted the security of a\r\nbadly maintained illegal network. Second, the botmasters didn’t protect their communications with several layers\r\nof encryption protocols – making it possible for us to see the content of their communications. Third, there was a\r\nleaked document on a public website that detailed the chatting activities of a group of developers working on the\r\nC\u0026C website of the botnet. Since the chat was conducted over Skype, it is possible that it was leaked by a member\r\nof the group. Fourth, the chat log revealed that credentials were commonly passed unencrypted in the chat, giving\r\naccess to very important information about them. 
In summary, a chain of small mistakes was enough to disclose\r\nthe operation of a large Android banking botnet.\r\nThis paper makes the following novel contributions:\r\nDescribes for the first time and names the Geost botnet, unknown to the security community until now.\r\nProvides an analysis of the OpSec mistakes that led to the discovery of the activities of a cybercrime group\r\nacting in Russian-speaking countries.\r\nDescribes the complete infrastructure of the botnet and its victims.\r\nPublishes indicators of compromise (IoCs) and information to enable the community to act upon the Geost\r\nbotnet.\r\nPerforms a social analysis of the cybercriminal group discovered.\r\nMakes available for the research community, upon request, all the datasets in reference to the discovery of\r\nthe Geost botnet.\r\nThe remainder of this paper is organized as follows: Section 2 analyses the previous work in this area; Section 3\r\ndescribes the discovery of the Geost botnet; Section 4 shows how the botnet operates; Section 5 analyses the\r\ninfrastructure of the botnet; Section 6 studies the victims of the botnet; Section 7 discusses the attackers,\r\nbotmasters and developers; and Section 8 presents our conclusions.\r\n2. Previous Work\r\nThere are several examples of mistakes made by malware authors that have led to the discovery of their identities.\r\nHowever, they are usually regarded as technical mistakes rather than OpSec problems [2]. Technical mistakes are\r\nusually discovered as a result of poor OpSec criteria, e.g. code review. OpSec problems are hard to mitigate and\r\nthey usually lead to the discovery of how botmasters operate or who they are [3]. Good OpSec can protect the\r\nuser, but depending on the adversary, small mistakes can be very costly. 
One of the most famous OpSec incidents\r\nwas that of Guccifer 2.0, the alleged persona that attacked the Democratic National Committee in the US, whose\r\nreal affiliation was supposedly confirmed when Guccifer 2.0 apparently failed to activate their VPN during one\r\nlogin process [3]. This is an example of how hard good OpSec can be, even for experienced attackers.\r\nA similar case of OpSec failure being taken advantage of by a powerful adversary was the identification of the\r\nowner of the Silk Road drug-selling site, Ross Ulbricht. Ulbricht was found because he used his personal email\r\naccount to register other accounts related to his illegal site [4]. Although good OpSec is possible [5],\r\ncybercriminals also make mistakes that put them in jeopardy.\r\nPractising good OpSec is hard, and it’s harder when others try to force mistakes. In 2009 the Mariposa botmasters\r\nwere captured because they connected to their servers directly from their homes. They usually used VPN services\r\nbut after the police took their servers down (to force their hand), the botmasters panicked and connected\r\ninsecurely. This paper provides an analysis of OpSec mistakes committed by a group of attackers while managing\r\npart of a botnet.\r\nRegarding previous work on the Geost botnet, the only previous unnamed reference found was a post from\r\nSeptember 2017 on the blog site Virqdroid [6]. This blog post analysed one of the malware’s APK files, showed its\r\ntechnical qualities, and reported the IoCs. However, the blog lacked data about the threat, the attackers and the\r\nvictims, and therefore conclusions could not be drawn as to the size of the operation or the identity of the Android\r\nbanking botnet.\r\nProbably the most well-studied part of Android banking trojans are the binaries themselves. This is because\r\nbinaries are the first contact with the security community and usually the only source of information. 
The number\r\nof binaries related to Android banking trojans suggests that these threats have been rising during 2017 [7] and 2018\r\n[8], although no scientific study has focused on a systematic analysis of the problem. Android banking malware is\r\ntoo numerous to describe, but a few important mentions can be made. In the early 2000s trojans Perkele and\r\nibanking were well known for using SMS as a communication channel [9]. From 2014 there was a new era of\r\nbanking botnets with the appearance of Slempo, Marcher, Shiz, BankBot and MazarBOT [9]. Their infection\r\ntechniques, C\u0026C protocols, and the attacks performed were significantly improved.\r\nAnalysing a malware binary is very useful, but the network traffic provides a different perspective. Even though\r\nsome binary analysis may reveal network traffic [10], it is very difficult to capture traffic from the botmaster’s\r\nactions. In this regard, this paper shows a novel discovery of real botmasters’ actions while using their C\u0026C\r\nservers.\r\n3. Discovery\r\nThe Geost Android banking botnet was discovered as part of a larger malware analysis operation in our laboratory.\r\nDuring an experiment in which a sample of the HtBot malware was executed [11], the traffic analysis revealed a\r\nvery unusual communication pattern that stood out from the rest.\r\nHtBot operates by converting its victims into unwilling private illegal Internet proxies. The infected victims relay\r\ncommunications from the HtBot users to the Internet. HtBot is regarded as an underground proxy network that is\r\ndifficult for security analysts to tap, since its traffic is continually redirected to new victims. 
The users of the\r\nHtBot network pay the HtBot botmasters to provide them with high-speed, semi-private communications for their\r\noperations.\r\nOur laboratory was running and monitoring HtBot bots that were communicating with the Internet. Since these\r\nbots offered illegal proxy connections it was possible to capture all the traffic coming from the illegal users to the\r\nInternet. During the analysis of the network traffic of the illegal users, a pattern was discovered; this turned out to\r\nbe the content of the C\u0026C communication channel of the new Geost botnet.\r\nFigure 1 shows the infrastructure operation of the HtBot malware and how it was used to find the new Geost\r\nbotnet. When the botmasters of the Geost botnet connected to the HtBot proxy network they sent all their traffic\r\nthrough our victim bot, and therefore through our monitoring service. Therefore, all the information collected\r\nabout Geost’s actions comes from looking at the traffic going through our computer.\r\nFigure 1: Discovery of the\r\nGeost botnet. A monitored bot of the HtBot malware was used by the Geost botmasters. First, the Geost botmaster\r\nconnected to the HtBot network; second, the HtBot network relayed the data to our bot; third, our bot sent the\r\ntraffic to the Internet; fourth, the botmaster accessed the Geost C\u0026C server on the Internet.\r\nThe analysis of the HtBot malware traffic revealed the pattern shown in Figure 2. This pattern was discovered\r\nthanks to two features that stand out: the large amount of traffic transferred and the lack of encryption. Transfers\r\nof such large amounts of unencrypted data are not common in a normal network. The use of unencrypted web\r\nservers for the C\u0026C operation was the second OpSec mistake made by the botmasters. 
It is not clear why they\r\nneglected to use TLS encryption, since it is free and easy to install. The main hypothesis is that they may have had\r\na large number of C\u0026C servers and managing the certificates for them all would have been time consuming.\r\nFigure 2: Unencrypted traffic pattern of the Geost botnet that helped to find it. This traffic was later found to\r\ncorrespond with the download of SMS messages from the Android phone victims.\r\nThe OpSec decision of the Geost botmasters to use the HtBot proxy botnet is believed to be based on the idea that\r\nan illegal proxy network may have better security than other alternatives, such as the Tor network [12], a\r\ncommercial VPN network, or their own compromised servers on the Internet. The Tor network was probably\r\ndiscarded as a bad OpSec choice since it is known to be monitored [13]. The option of a commercial VPN has the\r\ndisadvantage that the botmasters would be putting their trust in a private company that may be forced to submit its\r\nlogs to the authorities. The third option, of compromised servers, may be the best from an OpSec point of view,\r\nbut it would involve extending the current Android banking botnet with another layer of servers, infections,\r\nmalware, monitoring, and maintenance. This option is much more costly than the rest. The decision to use the\r\nHtBot network may have seemed wise since it does not belong to a company, it’s not usually monitored, and it\r\nhandles its own maintenance. In the end, though, the decision to use the HtBot network was the first operational\r\nsecurity mistake. It seems that the balance of probabilities and cost-benefit analysis were not correctly evaluated\r\nby the botmasters.\r\n4. 
Botnet operations\r\nThe main advantage of accessing the botmasters’ traffic while they were using the HtBot network was the\r\npossibility of a deep study of the attackers’ decisions and actions. The analysis helped to identify a large botnet\r\ninfrastructure, measure the size of the operation, and determine the goal of the botnet. Based on the evidence\r\nfound, the Geost operation seems to consist of a large number of APK Android applications related to several\r\ntopics, from banks and photo services, to fake social networks. Once the applications are installed it seems that\r\nthey may be able to interact directly with the web services of five banks in Eastern Europe. It seems that one of\r\nthe goals of the botnet is to access the personal information of the victims through their SMS messages, including\r\nthose messages sent by the banks. The rest of this section describes the actions of the botmasters and how they\r\nhelped identify each part of the Geost botnet. It is worth remembering that this was the traffic traversing our HtBot\r\ninstance.\r\nAccess and actions in the C\u0026C servers\r\nThe botmasters accessed the C\u0026C servers through a web server using port 80/TCP. The web server was running\r\nnginx version 1.12.2. The first connection seen in the traffic was made on Sat, 10 Mar 2018 11:54:08 GMT and it\r\nwas an access to the C\u0026C server with the following request (not complete):\r\nGET /geost.php?bid=c5d72910bd8a97aeb2ce7336fbd78a1f HTTP/1.1\r\nHost: wgg4ggefwg.ru\r\nUser-Agent: Mozilla/5.0 (Windows NT 6.1; rv:48.0) Gecko/20100101 Firefox/48.0\r\nAccept-Language: en-US,en;q=0.5\r\nReferer: http://wgg4ggefwg.ru/geost.php\r\nCookie: SSE=p6ee96ki2knqrtsahdv84cuj04; __lnkrntdmcvrd=-1\r\nFrom this request several things can be learned. 
First, that the botmaster was already logged in, because the cookie\r\nwas already set. Second, that the botmaster was probably using a Windows computer, given the User-Agent. Third,\r\nthat the domain was wgg4ggefwg.ru, and that the request was coming from the web page\r\nhttp://wgg4ggefwg.ru/geost.php. After this first request, the botmaster changed a note on one of the victims with\r\nthe following request:\r\nPOST /stuff.php?mode=change_notes\r\n(...)\r\nbid=c5d72910bd8a97aeb2ce7336fbd78a1f\u0026notes=14.50+10.03+68.000\r\nThe fact that the botmasters put notes on individual victims suggests that they may have been after something\r\nmore than automatic access to their bank accounts. After changing the note for a victim, the botmaster requested a\r\nlist of SMS messages from a victim with the HTTP request POST /stuff.php?mode=showSmsList. The response to\r\nthis request was a long list of more than 900 SMS messages from one victim. The SMS messages are analysed in\r\nSection 6.\r\nThe original HTTP response with the SMS list was a JSON file using Unicode encoding (\\u chars) for transferring\r\nRussian characters. The following is an example:\r\n{\"response\": [{\"conversations\": {\"+900\":[{\"body\":\"\\u0421\\u043f\\u0438\\u0441\\u0430\\u043d\\u0438\r\nThe decoded text in Russian is as follows (the password was redacted):\r\nСписание средств: Platbox (RUB 120.00); пароль: 342365.Не сообщайте пароль НИКОМУ. Только м\r\nThe English translation of this message is:\r\nWithdrawal of funds: Platbox (RUB 120.00); password: 342365. Do not disclose the password to ANYONE.\r\nThis SMS seems to be a message from the Platbox Russian payment system saying that 120 Russian Rubles have\r\nbeen withdrawn. 
Despite our initial assumption that the botnet was only looking for two-factor authentication\r\nmessages, it is unclear why the botmasters are monitoring these messages. The first important remark is that the\r\nC\u0026C stores the complete list of SMS messages of all the victims since the moment they were infected. The second\r\nimportant remark is that the SMSs were processed offline in the C\u0026C server to automatically compute the balance\r\nof each victim. This can be seen in the C\u0026C web page shown in Figure 4.\r\nThe SMS messages stored and used by Geost contained highly sensitive information. For example, a victim\r\ninfected from July 2017 until March 2018 received the following SMS:\r\nTransfers in bank accounts:\r\n[redacted]Bank Online. Lada SE[name\r\nredacted]NA transferred to you 2500 RUB\r\nA message from a bank to a victim about money received.\r\nVISA balances:\r\nVISA5880 03/07/18 18:32 admission\r\n2500r Balance: 49866.86\r\nThis information about balances was analysed automatically by the C\u0026C channel.\r\nBotmaster access to the login page\r\nMore than eight days after the first access, a botmaster showed up again to access the Geost C\u0026C server. It may\r\nhave been a different botmaster because the User-Agent of their browser was different from the first time. The\r\nfirst time, the User-Agent was Mozilla/5.0 (Windows NT 6.1; rv:48.0) Gecko/20100101 Firefox/48.0, which is a\r\nWindows computer. The second time it was Mozilla/5.0 (Windows NT 6.1; rv:45.0) Gecko/20100101 Firefox/45.0,\r\nwhich is an older version of browser in a Windows computer. Since it’s very unlikely that the botmaster\r\ndowngraded the browser, the conclusion is that these are different computers.\r\nDuring this second access, it was possible to observe the complete login process and to obtain the master\r\npassword of the C\u0026C server. 
The long-term execution of the malware, which is standard policy in our laboratory,\r\nmade possible the capture of this important piece of information. This connection also reveals the third OpSec\r\nerror: the botmasters believed that it was safe to use the HtBot proxy network again. This is a huge\r\nunderestimation of the security risk of using the same service twice. A better approach would have been to change\r\nthe connection method every time.\r\nThe login request was sent as GET /geost.php and resulted in the login page shown in Figure 3. This page was\r\nreconstructed in our browsers by extracting the data from the traffic capture. The login page has an option to\r\nchange the language between Russian and English, which suggests that the botmasters may speak either of those\r\nlanguages.\r\nAfter the login page was presented, the botmaster logged in with the following request (not complete):\r\nPOST /stuff.php?mode=autorize HTTP/1.1\r\nHost: wgg4ggefwg.ru\r\nUser-Agent: Mozilla/5.0 (Windows NT 6.1; rv:45.0) Gecko/20100101 Firefox/45.0\r\nX-Requested-With: XMLHttpRequest\r\nReferer: http://wgg4ggefwg.ru/geost.php\r\nContent-Length: 31\r\nCookie: SSE=epr0dr4qlejbgphtqppmmjrca0\r\npwd=[redacted]\u0026language=ru\r\nThe password used was 15 characters long and included nine numbers and six lower-case letters. The fact that the\r\npassword was leaked means that it would be possible for others to log into the C\u0026C server. The password is not\r\nincredibly complex since it lacked symbols and upper-case letters, but it is considered strong enough to resist the\r\ncasual brute-forcer. It is also worth noting that there is a typo in the name of the request parameter, which is\r\n‘autorize’ instead of authorize.\r\nFigure 3: Login page of the C\u0026C server of\r\nthe Geost botnet. 
No TLS was used and no username is requested, only a password.\r\nAfter logging in, the botmaster accessed the main panel of the C\u0026C, shown in Figure 4. The main C\u0026C web page\r\nis quite large, showing more than 7,500 infected phones and information about the version of the malware, IMEI\r\nof the phones, permissions of the malware, country of the phones, balance in the bank accounts, and much more.\r\nFigure 4 shows the following information for each victim:\r\nStatus: whether the victim is online.\r\nID: identification number of the victim assigned by the botnet.\r\nIMEI: code that identifies each cell phone.\r\nRights: probably whether the malware has admin rights, or only SMS access, or both.\r\nVersion: version of the Android operating system.\r\nOperator: phone operator.\r\nCountry: country of the phone – it is not clear how this is obtained, but probably using the phone number.\r\nBalance: balance in the bank of the user.\r\nCategory: it is not clear what this menu is for – the options are: Balance, Spam, Dead, Lok, Tupyat, Sliv,\r\nCredit, OTKLU4en, NULOVKI and ONLIKI.\r\nFlow: probably to identify how the phone was infected, given that the options are: marion1, dea and\r\nsitedub, which are related to APK applications.\r\nFigure 4: Main page of the C\u0026C server of the Geost botnet. The C\u0026C shows actions for injecting in banks and\r\nmanaging spam.\r\nFeatures of the C\u0026C\r\nBy looking at the options on the C\u0026C page it is possible to infer the goals of the botnet and its main activities.\r\nFrom the top menu it can be seen that the management of injects (specific applications for each bank) is important,\r\nas well as the management of spam, SMS and Tasks. 
Under the menu Поток, which means Flow or Stream, there\r\nare the following options:\r\nsvd2\r\niYl5i8 (Photo Youla). [Site youla.ru]\r\nEBtiym (Photo Avito). [Site www.avito.ru]\r\napkmontman\r\nCvKa5S (321)\r\n2s1Kb1 (Antivirus_PRO)\r\nmarion1\r\nsTPYWM (Установка) (means Installation)\r\nzGnI6m (Вконтакт) (translates to VKontakte, a Facebook-like Russian social network)\r\ndea\r\nУстановка installation\r\nУстановить to install\r\nsitedub\r\nBPg5nZ (123)\r\nwdbX4p (OK). OK.RU. https://ok.ru/\r\nq5Q9PR (Skype)\r\nQX3YrO (WhatsApp)\r\nGHf5Bt (Ula). https://youla.ru/\r\nI97CiN (Imo). ImoOnline.ru. Instant messaging app and VoIP.\r\nVAm5bd (VK)\r\n2SUeYJ (Viber)\r\nwsmQDO (Telegram)\r\n6NiFak (Yandex navigator)\r\nge4twN (Badoo)\r\nmHhP71 (Shazam)\r\nudc13a (QIWI)\r\ngEc0m2 (Aliexpress)\r\n9ObVTr (2GIS). https://2gis.ru/\r\nHaBxsX (ccleaner)\r\nRA6XMX (Clean Master)\r\nresur\r\nAll\r\nNEuVxP (updateplayer)\r\nbjAVX1 (updateplayer2018)\r\nThe meaning of this menu is not completely clear but we suspect that it refers to a filter as to how the victim was\r\ninfected, since all the options refer to Android applications. This theory was confirmed later when it was found\r\nthat each botnet operator has its own ‘Flow id’ to determine how many infections they produced. 
After accessing\r\nthe main C\u0026C web page the botmaster requested to filter the victims by their online status using the following\r\nrequest:\r\n/stuff.php?mode=filter_online\r\nAfter the victims were sorted by online status, the botmaster sorted them by balance amount using the following\r\nrequest:\r\n/stuff.php?mode=filter_balance\r\nThese two actions suggest that the intention was to see the online victims that have the largest balance of money,\r\nprobably to act on them in some way, but no action was witnessed.\r\nBanks attacked\r\nBy accessing the client-side source code of the web page in the network traffic, it was possible to identify which\r\nbanks were the focus of the Geost botnet. The fact that only five banks were listed suggests that there is a special\r\ntype of action that can only happen with those banks. It may seem as if the malware APKs or the C\u0026C code could\r\naccess and make transfers in accounts of those banks, but this hypothesis was not proven. For security reasons the\r\ncomplete list of banks will not be published until the banks acknowledge our contact with them. However, it is\r\npossible to provide the following characteristics of the targeted banks:\r\nThe first bank is a Russian commercial neobank. 
One of the top five providers of credit cards in Russia.\r\nThe second bank is one of the five largest private commercial banks in Russia and one of the top 1,000\r\nworld banks.\r\nThe third bank is one of the three largest banks in Russia and Eastern Europe, and one of the top 40 banks\r\nin the world.\r\nThe fourth bank is one of the 500 largest organizations in Europe and one of the leading banks in Russia.\r\nThe fifth bank is part of a large group of cooperatives with subsidiaries in more than 15 countries, being in\r\nthe top seven banks in Russia.\r\nThe sixth bank is a publicly traded Russian payment service provider operating electronic online payment\r\nsystems in Russia, Ukraine, Kazakhstan, Moldova, Belarus, Romania, the United States and the United\r\nArab Emirates.\r\n5. Botnet infrastructure\r\nThe infrastructure used by Geost is large but not extremely complex. To date, 13 C\u0026C IP addresses, more than\r\n140 domains, and more than 150 APKs files have been found. The domains seem to be randomly generated, but\r\nnot with a complete domain generation algorithm.\r\nRandomness in Geost\r\nDomain generation algorithms (DGAs) are algorithms that generate domains in a pseudorandom way. This is used\r\nas a mechanism to avoid detection and hide the C\u0026C server by resolving a new IP address very quickly. Since the\r\nalgorithm is unknown to the analyst, they are usually unpredictable. However, the malware author knows the\r\nalgorithm and therefore can predict which domain will be requested. The attacker then registers the domain with\r\nan IP address they control. There are usually three main ways to identify a DGA algorithm: (1) the domains seem\r\nrandom, (2) dozens of domains are requested very quickly, and (3) most of the domains do not have an IP assigned\r\nto them. However, in the case of Geost, the domain generation algorithm is very unusual. 
It looks random enough,\r\nbut each sample only attempts to contact one domain. Also, all the domains found so far do have an IP address\r\nassigned. It is not clear, then, how the domains are assigned to each sample, but it appears that each domain is\r\nassigned to one sample. The DGA used in the Geost botnet is character-based, uses letters and numbers, and the\r\nTLD is .ru or .xyz. The only domain that broke the rule was g877855hrg.ru.com.\r\nThe following is a sample list of Geost C\u0026C domains:\r\nw23t2t2tfwg.ru\r\nwg34gh34t.xyz\r\n32r3t23wef.ru\r\nijsdggrur.ru\r\nwgg4ggefwg.ru\r\n52t34tyt43.xyz\r\nAnother novel feature of Geost in reference to randomness is the use of an algorithm to generate PHP file names.\r\nThis is not strictly DGA since they are not domains, but the random principle is the same. The main difference\r\nbetween a classic DGA and the PHP file generation algorithm is the purpose. While classic DGAs are intended to\r\nprevent the discovery of the botnet domains and subsequent takedown, the PHP file generation algorithm prevents\r\nthe generation of signatures to find and block those names. It is not simple, for example, to create a YARA rule\r\nthat matches a DGA domain using a random PHP file. The PHP filenames are 32 characters long, the same as an\r\nMD5 string. The following is a sample list of the filenames for the domain 2ve3gh53h3yh.ru:\r\nm99h49wtp1g35b5721d64mfs5p8ese1x.php\r\nn7co2vpu098x85ctgdn689rf4d18n5jz.php\r\nfhdkqgyfux4gj2t6zwu434ptw0i0mefu.php\r\ncsbu72ow56i9qq7yg1ufbo3ql1phb1s6.php\r\nf8t8d5tnqvwwi1l2qf0itr97cdibre6i.php\r\nhgkvf2riqt49z33isl978pj17aivc0nw.php\r\nThe final characteristic of Geost domains is that some of them have a large number of subdomains. 
For instance,\r\nthe domain 2ve3gh53h3yh.ru has exactly 1,024 subdomains, such as 0hu, 00n, 03, 06p and 090.\r\nIP addresses\r\nAt least 13 IP addresses have been found so far. Table 1 shows a summary of the IP addresses with, for each one,\r\nthe Autonomous System (AS), country, number of domains related to the IP, and the number of APK hashes that\r\ncommunicate with it. It is worth noting that most IP addresses belong to Mauritius.\r\nIP AS Country WHOIS Domains Hashes\r\n104.18.61.144 CloudFlare, Inc. US Cloudflare \u003e100 3\r\n104.24.109.180 CloudFlare, Inc. US Cloudflare \u003e100 19\r\n162.222.213.6 QuadraNet Enter US USWHSS.COM 14 20\r\n162.222.213.25 Admo.net US USWHSS.COM 20 20\r\n162.222.213.29 Admo.net US USWHSS.COM 8 20\r\n154.16.244.26 NetStack MU Madanambal Annauth 3 0\r\n154.16.244.27 NetStack MU Madanambal Annauth 9 2\r\n154.16.244.28 NetStack MU Madanambal Annauth 19 12\r\n154.16.244.30 NetStack MU Madanambal Annauth 8 0\r\n154.16.244.138 NetStack MU Madanambal Annauth 10 0\r\n154.16.244.139 NetStack MU Madanambal Annauth 3 0\r\n154.16.244.140 NetStack MU Madanambal Annauth 1 0\r\n81.177.6.88 OJSC RTComm RU Sergey Ulyashin 5 84\r\nTable 1: Summary of the IP addresses used as C\u0026C.\r\nAPK hashes\r\nThe Geost botnet is associated with at least 150 APK (Android package) files. Most APKs share some similarities\r\nwith each other: each one mostly communicates with only one domain, and each one accesses one unique random\r\nPHP file. Regarding the phone permissions, all of them requested access to read, receive, and send SMS messages,\r\nto write on the external storage, to access contacts, and to change Wi-Fi status. For the rest of this section we will\r\nrefer to the APK binaries with their MD5 hash. 
The list of SHA256 hashes for the APK files related to this paper\r\ncan be found in the Appendix.\r\nAn example of a Geost APK is the file with MD5 4e1af25f84200c7f63e315fe7ca07a9c, which, according to\r\nVirusTotal, communicated with the domain w23t2t2tfwg.ru and PHP file\r\nq15m9gdhybzfznkgexdld9lk3tigg08w.php.\r\nAnother example is the APK 9d8702dafbcad82a4603e1fd2e2869b4, which contacted the domain w23t2t2tfwg.ru\r\nand the PHP file pyh32o0ezfguw1xl4382wzm8tnr1tyng.php. The domain w23t2t2tfwg.ru is one of the most\r\ncommonly used by APK samples in Geost. Table 2 shows the complete list of 25 APK hashes that contacted the\r\ndomain w23t2t2tfwg.ru together with their detection ratio in VirusTotal: the number of anti-virus engines that\r\ndetected them positively on 23 February 2019 against the total number of anti-virus engines that checked the\r\nsample. For space reasons it was not possible to include the complete list of 150 APK hashes for the complete\r\nGeost botnet.\r\nSHA256 hash Detect / Total AVs\r\n1e13f46e3833e0a002c499a611b8f4b57b9716a0686b2a04ee701260c3f729e4 36 / 61\r\n1bc3a740bf994d49301fac2f976a7e6887a2f869a09a66d273538d44b2c990b6 34 / 59\r\n91c032d905a92a3dc69c2ba163dd9978ce843fbb2f434f2254a1b7d69b411aff 32 / 62\r\n4d73fc6eb4099bb4b27225ea6c19f7a1f5d276a540d42d244a1b38566aacdcea 26 / 62\r\ne31986c1309e9aae27fec1d3a279b816f6610e54c06c154589a4f72f694d1161 29 / 60\r\n34a01cedf6b94d4979a81275fa8cd4e99e9691b13339ce8763d2362d7fe8faec 32 / 62\r\n2dc56dc14d8c352813c3c6d7026f830a940a716ab291f90bd9aacdc9a236af69 29 / 63\r\n22bac0179306a5bfd7e1d90d458298f487c67d3f84b2ab9bd6f2e399c86cfdc7 27 / 62\r\n051a942a724fb1c5485f1e14f7899dc237c9bf1d7e4db900b0c03e2e3e42e8eb 32 / 61\r\n298601b71f2c4d5db132ad9d972cdabb61bdebb69980fac411fdd9a6e9275860 32 / 
62\r\n8ddd48b104bd8805a1c5c98bc6fb7165924d3b3206ada973297c2b511ed2b555 27 / 62\r\ne26d52647bc345232aa904987dc872ee500a1278fdfd65fcfbae58be774dcc96 23 / 59\r\nc9a64286bc7e921d150a64e678705b4fcb99389eafc658c623455ba498009212 26 / 62\r\n56ed2cbb764748b95d893ba1b1c58d0dd801ef1a98958cd5a36eff0995d90999 35 / 62\r\n6d6d79f259943c02d1f39fa7212e0dc3c95650e5aab516e90d083120cff9ee60 32 / 62\r\n72808f79b8c1b5d26324e7c30a1ae61eba2775dbe68d92fa2c85cab7329b5d04 27 / 62\r\n781f84749667a9cc588b46671077111f5f433c4e3635c8e832ada54ee72a0421 38 / 63\r\n4c41694a957419fe79173f802f3167df865fbbe78d8a2747e15018acfbdfe86e 31 / 61\r\nccfff0a7d44fa7d0ff81029c3871be118dad82bc7012a4a5162e979798e2a6fc 19 / 63\r\nf9ae476484cf27a2fff5095f9c0a278debd9794aedefe986d912c95fc3e82f26 28 / 62\r\n4f6524c3748369228e381198213b7eab2fcffb29f4b01a0a6b4c3af2e06f5464 28 / 62\r\n7bea49e9e60beb5e7fe95c29d8f11da4a6ea36d7ab8787f442125ef111284811 32 / 60\r\nd305f1f13cdf9bbfb2c1fb16b73771d13a7ca0b6a417e93583ad3d0aa78fac2a 33 / 60\r\nd499e64697b9cf2ba61036acf389939ec91c2c2dae9d3672603fe60c80c85432 28 / 62\r\n78d2ed73571c9f39432143ece31cd92d05b39b7f6590b4841adf33764ac3f816 30 / 62\r\nTable 2: SHA256 hashes of APKs related to the domain w23t2t2tfwg.ru.\r\nAn example of an APK resolving several domains is 92a3a69c6c0922ace36ca3ac95fcbbb6, which was first seen\r\nin the wild in September 2017. The domains resolved by this sample were: 23r23e23er.xyz, fwefr434r3.xyz,\r\nrgrer43e2e.xyz, wef34r34rs.xyz and ge5t5t54trtr.xyz.\r\nMost of the APK binaries of the Geost botnet are identified in VirusTotal as ‘Android Hqwar’ or ‘Banking Trojan’.\r\nHowever, both terms are generic and used to identify thousands of binaries that are protected by a software packer\r\nor an obfuscating method. Therefore, this particular botnet has not been identified by the community until now. 
As\r\nan example of how each APK was detected by VirusTotal, Table 2 shows a subsample of the total number of APKs\r\nand their detection ratios.\r\nRelationships in the infrastructure\r\nAmong the uncommon characteristics of the Geost infrastructure are: (i) each domain corresponds to a unique IP\r\naddress; (ii) no domain was ever seen without an IP address registered; (iii) each IP address has more than one\r\ndomain assigned to it; (iv) domains always refer to the same IP address. It is worth noting that the Geost malware\r\nused random generation of words in at least three places: (1) to generate its domain names, (2) to generate the\r\nnames of PHP files, and (3) to generate the names of the APK packages.\r\nAn example relationship between the pieces of the botnet’s infrastructure is the sample\r\n92a3a69c6c0922ace36ca3ac95fcbbb6. This sample communicated with the domain wef34r34rs.xyz, which\r\nresolved to the IP address 154.16.244.28. This sample targeted three of the top five Russian banks and the name of\r\nits package is ‘com.vuzbswbpv.ipapszyud’. The same IP address was also assigned to the domain t43r43r43.xyz\r\nthat is requested by the sample 92a8aa2c6dd86aeab67e687de2c9e6a9591bee17.\r\n6. Victims\r\nThe traffic generated by the botmasters when accessing the C\u0026C server revealed information about the victims of\r\nthis botnet. It seems that the botmasters kept a detailed summary of the victims, and that this summary was\r\nimportant for the operation of the botnet. The victims of this botnet probably not only lost money but also had\r\ntheir privacy and identity completely compromised. 
The minimum amount of information that the botmasters\r\nknow about each victim can be seen in the following list:\r\nIMEI of the phone\r\nBrand of the phone\r\nPhone service provider\r\nPhone number\r\nCountry of the phone number\r\nCurrent balance of bank accounts\r\nHistory of balance in each bank account (the history of the balance is not even available to the victims\r\nthemselves)\r\nWhether they have a credit card tied to the phone\r\nFrom the SMS of the victims:\r\nName of victim\r\nHome address\r\nSocial relationships\r\nReligion\r\nPurchases\r\nExpenses\r\nFinancial problems.\r\nRegarding the number of victims, it is only possible to speculate. In the C\u0026C server of the IP address\r\n162.222.213.28 there were 50 victims per page, and there were 1,452 pages, which gives an estimation of 72,600\r\nvictims in that C\u0026C alone. Extrapolating this to the 13 C\u0026C servers, a rough estimation of the total number of\r\nvictims may be 871,200. It is possible that even more victims exist, given that there may be more C\u0026C servers.\r\nAccording to the 50 victims shown in one of the C\u0026C screens, there is a column labelled ‘Balance’ that shows the\r\namount of money (in Rubles) in the bank accounts of the victims. The total sum of this column of 50 victims is\r\n1,129,152 Rubles, which is approximately 15,000 Euros. Extrapolating this number to the estimated 800,000\r\nvictims in this C\u0026C there may be an estimated maximum total amount of money close to 240,000,000 Euros.\r\nHowever, the real total for this C\u0026C could be much lower if we consider that the web page is sorted by balance.\r\nIMEI\r\nOf all the information stolen from the victims, the IMEI is important because it can be used to identify them. 
The\r\nIMEI is a unique code assigned to cell phones and, by searching for it online, it is possible to find out information\r\nabout the device. The IMEI number is divided into parts. The initial eight-digit portion of the IMEI, known as the\r\nType Allocation Code (TAC), details the phone model and origin. The remainder of the IMEI is manufacturer-defined, with a Luhn check digit at the end. Given the IMEI, it is possible to determine the victim’s phone model\r\nand characteristics. From the IMEI it was possible to learn the brands of the phones of the victims, which were all\r\nAndroid-based. From the IMEI numbers it was also possible to identify the victims’ phone operators, including\r\nTele2, MTS RUS, Beeline, MegaFon, Yota and Motiv. The last one is a Russian regional provider.\r\nSMS data\r\nAccess to SMS messages was probably one of the most invasive actions of the botnet. SMS messages\r\npotentially contain a lot of private information about the user. An analysis of the two SMS lists downloaded\r\nrevealed that users shared very private conversations with friends and lovers, the status of their financial accounts,\r\nand sensitive private data about themselves. It was particularly interesting to find that most of the private\r\ninformation was leaked by the phone operators, including users’ real name, birthday, the last four digits of their\r\ncredit card, the amount of money in their balance, and the password for mobile banking applications. The\r\nfollowing is an example SMS stolen by the attackers (without personal information):\r\n07/03/18 18:59 VISA5880 purchase 120r\r\nMTS TOPUP 5635 Balance: 49746.86r\r\n7. Attackers\r\nOne of the most important breakthroughs of this analysis was the discovery of a file in a public web page that\r\nreferenced one of the Geost domains. This file proved to be the chat log of a group of people related to the Geost\r\nbotnet operation. 
It is not clear how the file was leaked, but since it was a Skype chat log it was probably created\r\n(whether on purpose or not) by one of the participants in the chat. The use of Skype as a communication medium\r\nis consistent with previous reports on the modus operandi of the Russian malware community [14]. The existence\r\nof this file marks another OpSec error on the part of the botmasters: they trusted part of the operation to a group of\r\nusers with very low or non-existent OpSec practices.\r\nIt was possible, then, to conduct an open-source intelligence (OSINT) investigation to find out more about the\r\ngroup in this chat log. The file has more than 6,200 lines, covering eight months of chats, and shows the private\r\nconversations of 29 people. Not all of them seem to be related to the Geost botnet since the group had several\r\nalternative streams of revenue. By analysing the top participants in the chat log it was possible to determine that\r\nthe user ‘powerfaer’ was the only one talking with all the participants, making this user the probable owner of the\r\nchat log.\r\nDuring the time period from 2017-06-11 11:14 to 2018-04-17 18:41, powerfaer held business discussions with the\r\nother 28 people in relation to different projects. The conversations between powerfaer and the user with the\r\nnickname ‘mirrexx777’ seem to be the most notable since they showed a connection with the Geost botnet. For\r\ninstance, on several occasions powerfaer and mirrexx777 exchanged links to the control panel of the Geost botnet,\r\nsharing information that nobody would possess unless they were insiders. 
The following is a human translation\r\nfrom Russian:\r\nOn 2017-10-18 07:24:07\r\nFrom powerfaer to mirrexx777:\r\n http://2[redacted]e.xyz/stats.php?sid=\r\n 7NDNI0aercTtwPA\r\n title:Statistics\r\n Re-crypt, Kaspersky got cleaned\r\nFrom mirrexx777 to powerfaer:\r\n ok. will do. according to the old\r\n recordings how many of them remains?\r\n i want to start to keep a record\r\nThe fact that they shared information from inside the C\u0026C channels – information that you need to be logged in to\r\nsee (the stats.php file) – and the fact that they discuss the need to fix them, is strong evidence that they possess\r\ninternal information with complete knowledge of its purpose. There were many pieces of evidence in the chat log\r\nshowing a relationship with malware actions, such as asking to re-encrypt links because Kaspersky was able to\r\ndetect them.\r\nIt seems that the user powerfaer has operated since 2010. This is supported by one conversation where there was a\r\nremark about the income from traffic in 2010 having been better (translated from Russian):\r\nOn 2017-12-06 18:14:46\r\nFrom powerfaer to mirrexx777:\r\n That would be nice to get back in to 2012\r\n Or 2010\r\nSome conversations in the chat got serious and resulted in the use of real names as a means to call the attention of\r\nthe other. This confirmed the names of some aliases. The following log confirmed the name of ‘taganchik.ru’\r\nwhen powerfaer talked to him (translated from Russian):\r\nAlexander, really, if we started together we need to finish it. Because for now this is working and w\r\nLater on, however, it seems that the user taganchik.ru tried to leave the group:\r\n2017-10-15 14:53\r\nFrom taganchik.ru to powerfaer:\r\n(...) But now im saying i am working but\r\nin fact I dont. 
I am getting demotivated\r\nand do not want to do anything\r\nFrom taganchik.ru to powerfaer:\r\ni thought about it, and im not in\r\nFrom powerfaer to taganchik.ru:\r\nUnderstand, ok. Shame. If you change\r\nyour mind write to me\r\nShowing a complete lack of OpSec, the chat log also revealed credentials for several servers and services, such as\r\nfttkit.com (an Android application protection service advertised on the Russian underground site crimina.la). The\r\nlog also disclosed the IDs of online wallets, and credit card numbers. This information helped us find sensitive\r\ninformation about the identity of some individuals. For instance, ‘taganchik.ru’, ‘elkol95’ and ‘dmitrixxx89’ all\r\nadvertise their services on the same web marketing forum, https://searchengines.guru/.\r\nThe user powerfaer also engaged in conversations with several money launderers. The log confirms that online\r\npayment systems such as WebMoney, Qiwi, and Yandex Money remain popular among Russian cybercriminals\r\n[15]. However, these services are not anonymous and it would be possible to see the payments through third-party\r\nmoney launderers. The following is an example chat with the user ‘cyberhosting.ru’:\r\nOn 2017-12-04 11:21\r\npowerfaer wrote to cyberhosting.ru\r\n And another question,\r\n can you exchange cash to BTC?\r\nA challenge for us during the analysis was to understand the Russian underground slang. For example, the term\r\nwhite accounting should be translated to Russian as Белая бухгалтерия. However, cybercriminals used the term\r\nбелка, which in English means squirrel. 
The same issue applies to other words like application, which translates\r\nto прила in Russian and has no direct translation in English.\r\nAfter a deep OSINT analysis it was possible to infer a list of probable real names for the following nicknames:\r\n‘mirrexx777’, ‘powerfaer’, ‘cyberhosting.ru’, ‘taganchik.ru’, ‘doktorsaitov’, ‘dmitrixxx89’, and ‘maximchik700’.\r\nHowever, the names will not be published since their implication in the Geost operation has not been confirmed.\r\n8. Conclusion and future work\r\nThe discovery of the Geost Android banking botnet inside the traffic of another malware proxy shows that\r\noperational security is very hard to get right, and that simple mistakes can lead to deep understanding of the\r\noperations of malware authors. After the discovery of the Geost botmasters accessing their C\u0026C servers it was\r\npossible to find more and more pieces of their botnet infections, leading to a very large mapping of their attack\r\ninfrastructure, their APK binaries, the number of victims infected, and an estimation of the economic size of the\r\noperation. Finally, it was possible to use open-source intelligence to relate a group of developers to part of the\r\ninfrastructure-building process of the botnet. The developers do not seem to be the Geost botmasters, but an\r\nunderground group related to them.\r\nDespite operating since at least 2016, the Geost botnet remained unknown until its traffic was captured on the\r\nHtBot malware. This may suggest that the best OpSec may be to hide operations among thousands of other\r\nmalware. 
However, once the operation was found, it was clear that the group’s OpSec measures were not good,\r\nsince several mistakes led to the disclosure of information about the operation.\r\nThe following is a summary of the operational security mistakes that led to the identification and understanding of\r\nthe botnet:\r\nUse of the illegal proxy network HtBot. Wrong estimation of the risk of using a service that was being\r\ntracked in a security laboratory.\r\nFailure to encrypt C\u0026C traffic. It was possible to identify the traffic and the content of the\r\ncommunications.\r\nUse of the same protection service multiple times. This allowed repeated monitoring of the attackers and\r\nthe capture of credentials.\r\nThe hiring of a group of developers with very low OpSec, who disclosed links, names and credentials in\r\ntheir chats.\r\nFailure to encrypt chats. This allowed a document to be leaked containing important information about\r\nthe privacy of some attackers and leads about their identities.\r\nThe amount of information collected on the Geost botnet was so large that it has not been possible to include all\r\nthe details of the infrastructure, the victims found, bank accounts disclosed, phones infected, credit cards used,\r\nand the very interesting view of the social relationships within a group of underground cybercriminals. Therefore,\r\nour analysis of the Geost botnet will continue in several directions. The name ‘Geost’ was selected after the only\r\nweb page that didn’t seem to change in the C\u0026C servers.\r\nAcknowledgements\r\nWe would like to thank Veronica Valeros for her help during the analysis and extraction of information. We also\r\nthank Professor Sebastian Garcia.\r\nReferences\r\n[1] Zhang, E. What is Operational Security? The Five-Step Process, Best Practices, and More. 
Digital Guardian.\r\n2018. https://digitalguardian.com/blog/what-operational-security-five-step-process-best-practices-and-more.\r\n[2] Ilascu, I. Flaw in Telegram Reveals Awful OpSec from Malware Author. Bleeping Computer. 2017.\r\nhttps://www.bleepingcomputer.com/news/security/flaw-in-telegram-reveals-awful-opsec-from-malware-author/.\r\n[3] Newman, L.H. Yes, even elite hackers make dumb mistakes. Wired. 2018.\r\nhttps://www.wired.com/story/guccifer-elite-hackers-mistakes/.\r\n[4] Paul, K. How Silk Road’s Founder Could Have Avoided Getting Busted. Vice. 2015.\r\nhttps://motherboard.vice.com/en_us/article/ezvkg7/the-five-hidden-service-commandments.\r\n[5] Otten, B. Cybercriminal intent: When good OpSec met bad OpSec. Tech Beacon. 2016.\r\nhttps://techbeacon.com/security/cybercriminal-intent-when-good-opsec-met-bad-opsec.\r\n[6] Virqdroid. Mobile Threats targeting Russian Banks. https://www.virqdroid.com/?m=1.\r\n[7] Wei, F.; Li, Y.; Roy, S.; Ou, X.; Zhou, W. Deep ground truth analysis of current android malware. Lecture\r\nNotes in Computer Science, vol. 10327 LNCS, pp.252–276, 2017.\r\n[8] Štefanko, L. Android banking malware: sophisticated trojans vs. fake banking apps. ESET. 2019.\r\nhttps://www.welivesecurity.com/wp-content/uploads/2019/02/ESET_Android_Banking_Malware.pdf.\r\n[9] Neto, P.D. The new era of Android banking botnets. https://www.botconf.eu/wp-content/uploads/2017/12/2017-Drimel-The_new_era_of_Android_Banking_Botnets.pdf.\r\n[10] Shishkova, T. The rise of mobile banker Asacub. Kaspersky. 2018. https://securelist.com/the-rise-of-mobile-banker-asacub/87591/.\r\n[11] White, J. ProxyBack Malware Turns User Systems Into Proxies Without Consent. Palo Alto Networks. 2015.\r\nhttps://unit42.paloaltonetworks.com/proxyback-malware-turns-user-systems-into-proxies-without-consent/.\r\n[12] McCoy, D.; Bauer, K.; Grunwald, D.; Kohno, T.; Sicker, D. Shining light in dark places: Understanding the\r\ntor network. In Privacy Enhancing Technologies, N. 
Borisov and I. Goldberg, Eds. Berlin, Heidelberg: Springer\r\nBerlin Heidelberg, 2008, pp.63–76.\r\n[13] Chakravarty, S.; Portokalidis, G.; Polychronakis, M.; Keromytis, A.D. Detecting traffic snooping in tor using\r\ndecoys. Lecture Notes in Computer Science, vol. 6961 LNCS, pp.222–241, 2011.\r\n[14] Terrelonge III, L. Cybercrime Economy. An Analysis of Criminal Communications Strategies. Flashpoint.\r\n2017. https://forensicfocus.files.wordpress.com/2017/05/flashpoint_cybercrime_economy.pdf.\r\n[15] Goncharov, M. Russian Underground Revisited. Trend Micro. 2014.\r\nhttp://www.trendmicro.com/vinfo/us/security/special-report/cybercriminal-underground-economy-series.\r\nAppendix: SHA256 hashes of Android APK files related to the Geost botnet\r\n70e6454910b1c4e1ff1a86a6e7506e6e5c234fca2fe77e44a00287aacc86853e\r\n0bf2fc434ae4ab98e0a25388042ae011048d54404e0b94bd513bd6927d9f918a\r\n934ae455b772165443580610916b3af352c3c46a83cb17cb7f380d6835d84552\r\nb9862f5f097e2c05577b602022ffd7429af448b5ff485bfa8f3d8919d819eec5\r\n299c3916838e527986c5d252322386add8c320a5da2138986a59e2b667a00945\r\n3d32fb91da5ed45ecc8e7880b85e817e05d2134f5ecd69f5b4478be8013ae2da\r\n5627c1d1ea942bab7134396dd7ba89009e6ff921c1e1a608a6dcdbdda2b14744\r\n2a307a34de0b9d33bfc225e60c393c380b981a9fc52ce1277fc30445237f151d\r\n6a7782b019566becbe0a7c06e56abbe54e3d72726f26b1bf95499b21b076d39e\r\n0367d4e913b28fad8c57a37ac21cac5cda347846bb2b0f5d505fa47696ba2f2a\r\n7d49950323cf0eae8b5ae36e4aefc688a1bfa1a651457382e9f9a4a4e28073c1\r\n302c2d88fba26235b3229dd1b146a767449d47ede008556ef0d79a3c7b44d382\r\n6e6dd2329188b334e519845804bef6e52454620dfb37ae46a457a81c478d2f77\r\ndddfcd90fbb5b02756ec03ea75d2d98b6d1f29e14fbdbebfe6e2c77026591056\r\n7659e30f3d8d45d7c595cb03ffe6ad6706b9c4b17d8c284a0fa6c90e226f44e6\r\nf265608593e47c25a6bbdf31179776b401e08f08c4930dcac50684be70aa8902\r\n4748c004
a3e4b35b0daddd054e22c393c7c66aaa1d08ee3cba7c3bddc26b0a6f\r\n4727b7727ee4ae5d9f041dc7f066da70b8cfb7417d0904e34b7b4028c38f2c76\r\n8d1cd474f4aefcaf5f2fd6ce890ca49398194c796631b73c090fbcce2ed4f2dc\r\nc63e7ccf63feeaf145c0303bd91bf46f43a4b2170cba0b9939492eae88b0175a\r\nb1a376b1427a0373915f228d51eb26ea6cd009b4dd11796902f3fee6f8af122e\r\n18ab096f1d2cd8a2759204838114e5ab4ff82f07adc8efce393cf5a807790e4d\r\n04957fe15f8d9df2bf03f6660a55dbf57570416cdb4c225203b99a4e5c7d632b\r\nde963c011fad513f8ced3e2911b02bfe514ca8991be31b4338262e76939a5dfa\r\nf446e1c58cd7d8ebbfdfeaa2ae1eabf361e75ecd92dd5b9d9c09fa085949baf7\r\nc92c09e4aaf9c3f9531a92964077d6fa6b118f87f106ee1b7f430a43c783a7f6\r\n28c864aa54ab9c4f2b254258f3db807638becdacd11d23f793978f03863f065d\r\n931d011f1343979f233ec9767005a492e76c5434cf4fd863c9969e8b461c04dd\r\ncccb82d3b9f98b34678333c7f4e3e9fcf00cc2515a2c731965074af2c9f85f00\r\na70210a109aa4bd9eec9f495378027e9aadd83dc65d5344e26739e98b2e3aa7d\r\n13776897f46add32b1dda3f7862c53bb069ce839334f9b1d7cd7e93cc4b9a3b6\r\nba3ecf85544e09d4e31b912b19d47728767933ccdc4e1b7c337a7a18ade7aa7d\r\n77d88c936db100e77290abc4131cf41fdc092f77c8fcb488dfc1d08a3937b94c\r\n8c3ac248e798e6f1fb5e349cc558f0b62ed9a23393b4bf11117c1d9de19e57a6\r\n3fcec3bda7d044848a3aaf5f893a319982b545a7736adde036eb47c3bb4ea0d5\r\n2903067271823697876b4c153e0bbc222cb8fdbd1b936fb8cfd5f35ae8401dfa\r\n50c82f9ed9e91a1e10997cc707aec1587c8488c35e7dc76ac3d3d25eb60753b4\r\nbd9ef6aa820164ea76def200f47abad38edbb4a1df13aa602ee8673af85f6aea\r\n00a5f79d610759c6dd88e1c6108be24daad5b18187f0abde7bd9056e0d513ee2\r\n9ff5dc79a6d7d1369ee113b0250a75a5ce3ce9caeb66fc46f602564086c525b5\r\n45c7feeca4784dd6c5bc91d4e02a81d36f9ee56a954730ccc66c7e36671f1c3c\r\n9706ca42aa8fef8a8c9463d647e5ecf7671180024e78988c4e5a36c1d86e0615\r\nd36b04ae800000300c351cee1ee0f708340f9cb5b5da5a9a97799e8368a6a3c4\r\n513c649370052ee0934175854037eac7c2cf5eb147414fa61df42b35530babaf\r\n8fb1f54434f2966751d7ae221466c50e5deb5f51ed6e2a042fd71e3d2a53cf5b\r\ne2e8a472b3bdf1ba785d5e78bb12ecb31f14bfcb43d4d0043b6116fd197f6e33\r\n4f0e801a6d0f4898b0874da31d63d2dda0620e347d72b35f5086fb22cde9a9cd\r\n5f216ae10a3972b5a90d6178f4d6f0d2c995b4248a9f329edbc854ead89ce904\r\n2ba2a567c91086112c63f09ace11d725537dceba1cc56c14fc86d63d1c6585c8\r\ne8bf2615d8d9c3d768f687cd05d0f9305fd3118168d2b94eabdfc365fafc9d06\r\nSource: https://www.virusbulletin.com/virusbulletin/2019/10/vb2019-paper-geost-botnet-story-discovery-new-android-banking-trojan-opsec-error/\r\n",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia"
	],
	"references": [
		"https://www.virusbulletin.com/virusbulletin/2019/10/vb2019-paper-geost-botnet-story-discovery-new-android-banking-trojan-opsec-error/"
	],
	"report_names": [
		"vb2019-paper-geost-botnet-story-discovery-new-android-banking-trojan-opsec-error"
	],
	"threat_actors": [
		{
			"id": "f4f16213-7a22-4527-aecb-b964c64c2c46",
			"created_at": "2024-06-19T02:03:08.090932Z",
			"updated_at": "2026-04-10T02:00:03.6289Z",
			"deleted_at": null,
			"main_name": "GOLD NIAGARA",
			"aliases": [
				"Calcium ",
				"Carbanak",
				"Carbon Spider ",
				"FIN7 ",
				"Navigator ",
				"Sangria Tempest ",
				"TelePort Crew "
			],
			"source_name": "Secureworks:GOLD NIAGARA",
			"tools": [
				"Bateleur",
				"Carbanak",
				"Cobalt Strike",
				"DICELOADER",
				"DRIFTPIN",
				"GGLDR",
				"GRIFFON",
				"JSSLoader",
				"Meterpreter",
				"OFFTRACK",
				"PILLOWMINT",
				"POWERTRASH",
				"SUPERSOFT",
				"TAKEOUT",
				"TinyMet"
			],
			"source_id": "Secureworks",
			"reports": null
		}
	],
	"ts_created_at": 1775434490,
	"ts_updated_at": 1775791873,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/edd892d4ccbd311857784017f4e1a79d77cfceb0.pdf",
		"text": "https://archive.orkl.eu/edd892d4ccbd311857784017f4e1a79d77cfceb0.txt",
		"img": "https://archive.orkl.eu/edd892d4ccbd311857784017f4e1a79d77cfceb0.jpg"
	}
}