Microsoft and partners cut off key Trickbot botnet infrastructure

Two weeks after someone (allegedly the US Cyber Command) temporarily interrupted the operation of the infamous Trickbot botnet, a coalition of tech companies headed by Microsoft has struck a serious blow against its operators.


“We disrupted Trickbot through a court order we obtained as well as technical action we executed in partnership with telecommunications providers around the world. We have now cut off key infrastructure so those operating Trickbot will no longer be able to initiate new infections or activate ransomware already dropped into computer systems,” shared Tom Burt, corporate VP, Customer Security and Trust, Microsoft.

About Trickbot and the Trickbot botnet

Trickbot, which dates back to 2016, was originally a banking trojan, but due to its modular nature it is now capable of much more: gathering saved and entered credentials, browser histories, and network and system information; installing a backdoor; harvesting email addresses; running various commands on a Windows domain controller to steal Active Directory credentials; launching brute force attacks against selected Windows systems with an RDP connection exposed to the Internet; and downloading and loading ransomware onto the infected computer.

The malware is often delivered through spam and spear phishing campaigns, and occasionally through the Emotet botnet.

“In recent times, Trickbot has been implicated in targeted ransomware attacks, where credentials stolen by the malware were used by the Ryuk ransomware operators to compromise victims’ networks and encrypt all accessible computers. This assessment has been confirmed by Europol, which recently noted that ‘the relationship between Emotet [another botnet], Ryuk and Trickbot is considered one of the most notable in the cybercrime world’,” Symantec (Broadcom) researchers noted.

“Trickbot has infected over a million computing devices around the world since late 2016. While the exact identity of the operators is unknown, research suggests they serve both nation-states and criminal networks for a variety of objectives,” Burt explained, and noted that beyond infecting end user computers, Trickbot has also infected a number of IoT devices, such as routers.

Disruption attempts

Since late September, Trickbot has been hit twice by (then-unknown) attackers.

According to Brian Krebs, they first pushed out a new configuration file to Windows computers infected with Trickbot, instructing them to consider 127.0.0.1 (a “localhost” address) their new control server.

A week later, they did it again, but at the same time, “someone stuffed the control networks that the Trickbot operators use to keep track of data on infected systems with millions of new records,” apparently in an attempt to “dilute the Trickbot database and confuse or stymie the Trickbot operators.”

These efforts, which were subsequently revealed to have been mounted by the US Cyber Command, did not permanently affect the botnet.

But the technical and legal efforts led by Microsoft and supported by FS-ISAC, ESET, Lumen’s Black Lotus Labs, NTT and Broadcom’s Symantec division are expected to considerably affect the botnet’s operation.

After gathering enough information about the botnet’s operation and C&C servers, Microsoft went to the United States District Court for the Eastern District of Virginia, which granted approval for Microsoft and partners to “disable the IP addresses, render the content stored on the command and control servers inaccessible, suspend all services to the botnet operators, and block any effort by the Trickbot operators to purchase or lease additional servers.”

The operation will be followed by further action by ISPs and CERTs around the world, who will attempt to reach Trickbot victims and help them remove the malware from their systems.

“This action also represents a new legal approach that our DCU is using for the first time. Our case includes copyright claims against Trickbot’s malicious use of our software code. This approach is an important development in our efforts to stop the spread of malware, allowing us to take civil action to protect customers in the large number of countries around the world that have these laws in place,” Burt pointed out.

“While our work might not remove the threat posed by TrickBot, it will raise the cost of doing business for the criminal gang behind the botnet because they will be forced to divert resources away from exploitation activities in order to rebuild the parts of their infrastructure that we disrupted,” the Black Lotus Labs team noted.

Bit-and-piece DDoS attacks increased 570% in Q2 2020

Attackers shifted tactics in Q2 2020, with a 570% increase in bit-and-piece DDoS attacks compared to the same period last year, according to Nexusguard.


Perpetrators used bit-and-piece attacks to launch various amplification and elaborate UDP-based attacks to flood target networks with traffic.

Analysts witnessed attacks using much smaller sizes—more than 51% of bit-and-piece attacks were smaller than 30Mbps—to force communications service providers (CSPs) to subject entire networks of traffic to risk mitigation. This causes significant challenges for CSPs and typical threshold-based detection, which is unreliable for pinpointing the specific attacks to apply the correct mitigation.

Improvements in resources and technology will cause botnets to become more sophisticated, helping them increase resilience and evade detection efforts to gain command and control of target systems. The evolution of attacks means CSPs need to detect and identify smaller and more complex attack traffic patterns amongst large volumes of legitimate traffic.

Switching to deep learning-based predictive models recommended

Analysts recommend service providers switch to deep learning-based predictive models in order to quickly identify malicious patterns and surgically mitigate them before any lasting damage occurs.

“Increases in remote work and study mean that uninterrupted online service is more critical than ever,” said Juniman Kasman, CTO for Nexusguard.

“Cyber attackers have rewritten their battlefield playbooks and craftily optimized their resources so that they can sustain longer, more persistent attacks. Companies must look to deep learning in their approaches if they hope to match the sophistication and complexity needed to effectively stop these advanced threats.”

In the past, attackers have used bit-and-piece attacks with a single attack vector to launch new attacks based on that vector. There was a tendency to employ a blend of offensive measures in order to launch a wider range of attacks, intended to increase the level of difficulty for CSPs to detect and differentiate between malicious and legitimate traffic.

Fileless worm builds cryptomining, backdoor-planting P2P botnet

A fileless worm dubbed FritzFrog has been found roping Linux-based devices – corporate servers, routers and IoT devices – with SSH servers into a P2P botnet whose apparent goal is to mine cryptocurrency.

Simultaneously, though, the malware creates a backdoor on the infected machines, allowing attackers to access them at a later date even if the SSH password has been changed in the meantime.

“When looking at the amount of code dedicated to the miner, compared with the P2P and the worm (‘cracker’) modules – we can confidently say that the attackers are much more interested in obtaining access to breached servers than making profit through Monero,” Guardicore Labs lead researcher Ophir Harpaz told Help Net Security.

“This access and control over SSH servers can be worth much more money than spreading a cryptominer. Additionally, it is possible that FritzFrog is a P2P-infrastructure-as-a-service; since it is robust enough to run any executable file or script on victim machines, this botnet can potentially be sold in the darknet and be the genie of its operators, fulfilling any of its malicious wishes.”

The worm’s targets

FritzFrog is a modular, multi-threaded and fileless SSH internet worm that attempts to grow a P2P botnet by breaking into public IP addresses, ignoring known ranges saved for private addresses.

The botnet has nodes around the globe.

“While intercepting the FritzFrog P2P network, we’ve seen target lists which consist of sequential IP addresses, resulting in a very systematic scan of IP ranges in the internet,” Harpaz explained.

Since January 2020, it has targeted IP addresses of governmental offices, educational institutions, medical centers, banks and numerous telecom companies, and has successfully breached more than 500 SSH servers.

An advanced piece of malware

Written in Golang, the malware seems to be the work of highly professional software developers:

  • It’s fileless – it assembles and executes payloads in-memory, operates with no working directory, and also uses the fileless approach when sharing and exchanging files between nodes
  • Its brute-force attempts are aggressive, based on an extensive dictionary
  • It’s efficient – no two nodes in the network attempt to “crack” the same target machine
  • Its P2P protocol is proprietary and was written from scratch (i.e., not based on an existing implementation)
  • It creates a backdoor in the form of an SSH-RSA public key added to the authorized_keys file. With the corresponding private key, the attackers can access the compromised machine whenever they want, without needing to know the SSH password

Other things that allow the malware to fly under the radar:

  • Its process runs under the names ifconfig, nginx or libexec (the latter is used when Monero-mining)
  • It tunnels its P2P commands over the standard SSH port by running a local netcat client on the infected machines. Any command sent over SSH is used as netcat’s input and transmitted to the malware

“Even with this creative way of sending commands, the process remains completely automated and under the malware’s control. Even after creating this P2P channel to the newly-infected host, the malware is the one which keeps feeding the victim with commands,” Harpaz noted.

“However, it is very likely that manual, human-operated commands are sent to network peers. Guardicore Labs has developed a tool which intercepts the network and is capable of sending and receiving commands on demand. The actor behind this campaign can do the exact same thing, and it is highly probable that the operator has the means for sending commands manually to certain (or all) nodes in the network.”

Check whether your machines are part of the botnet

The absence of a cryptominer on a machine running an SSH server is not proof that it hasn’t been infected, as the malware checks whether the machine has spare capacity to mine and decides against mining if it doesn’t.

Admins can use a detection script that searches for the aforementioned fileless processes, for evidence of the malware listening on port 1234, and for TCP traffic to port 5555 (network traffic to the Monero pool).

While a reboot of the affected machine/device will remove the malware from memory and terminate the malware process, the machine will be re-infected in no time, because each victim is immediately ‘logged’ in the P2P network along with its login credentials.

Instead, admins should:

  • Terminate the malicious processes
  • Change the SSH password to a strong one and use public key authentication
  • Remove FritzFrog’s public key from the authorized_keys file to “close” the backdoor
  • Consider changing routers’ and IoT devices’ SSH port or completely disabling SSH access to them if the service is not needed
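An added host-triage script for the indicators listed above (illustrative code written for this page, not Guardicore’s detection script). It assumes an iproute2 `ss` with the usual column layout, and that approved public-key blobs are kept in an allow-list file (one base64 blob per line), so that any other key in authorized_keys is flagged for review.

```shell
#!/bin/sh
# Triage a Linux host for the FritzFrog indicators from the article:
# processes named ifconfig/nginx/libexec with no on-disk executable,
# a listener on 1234/tcp, outbound connections to port 5555, and
# authorized_keys entries that are not on an allow-list.
# Each filter reads captured command output from stdin, so the checks
# can be run live or replayed against saved output.

# Process names the article says FritzFrog runs under.
FF_NAMES="ifconfig nginx libexec"

# Live collector: emit "pid comm exe" for every process. exe is "-" when
# the link cannot be read; in-memory payloads show up as "(deleted)"/memfd.
list_procs() {
    for p in /proc/[0-9]*; do
        pid=${p#/proc/}
        comm=$(cat "$p/comm" 2>/dev/null) || continue
        exe=$(readlink "$p/exe" 2>/dev/null) || exe="-"
        printf '%s %s %s\n' "$pid" "$comm" "$exe"
    done
}

# Filter "pid comm exe" lines: keep FritzFrog names whose backing file is
# missing from disk, which is what "fileless" looks like from /proc.
find_fileless_procs() {
    while read -r pid comm exe; do
        for n in $FF_NAMES; do
            [ "$comm" = "$n" ] || continue
            case "$exe" in
                ''|-|*"(deleted)"|*memfd:*) printf '%s %s %s\n' "$pid" "$comm" "$exe" ;;
            esac
        done
    done
}

# Filter `ss -lnt` lines (State Recv-Q Send-Q Local Peer ...):
# print local sockets listening on the P2P port 1234.
find_p2p_listener() {
    while read -r state recvq sendq laddr raddr rest; do
        case "$laddr" in
            *:1234) printf '%s\n' "$laddr" ;;
        esac
    done
}

# Filter `ss -nt` lines: print peers on remote port 5555 (Monero pool traffic).
find_pool_traffic() {
    while read -r state recvq sendq laddr raddr rest; do
        case "$raddr" in
            *:5555) printf '%s\n' "$raddr" ;;
        esac
    done
}

# Read an authorized_keys file from stdin and print every key whose base64
# blob is not listed in the allow-list file $1. Key lines look like
# "[options] type blob [comment]"; the blob is the field after the type.
# Anything printed is a candidate backdoor key to review and remove.
find_unexpected_keys() {
    allow="$1"
    while read -r line; do
        case "$line" in ''|'#'*) continue ;; esac
        blob=""; prev=""
        for f in $line; do
            case "$prev" in
                ssh-*|ecdsa-*|sk-*) blob="$f"; break ;;
            esac
            prev="$f"
        done
        [ -n "$blob" ] || continue
        grep -qxF -- "$blob" "$allow" || printf '%s\n' "$line"
    done
}

# Run every check against the live host; $1 is the allow-list path.
triage() {
    echo "== FritzFrog-named processes with no on-disk executable =="
    list_procs | find_fileless_procs
    echo "== Listeners on 1234/tcp =="
    ss -lnt | find_p2p_listener
    echo "== Connections to remote port 5555 =="
    ss -nt | find_pool_traffic
    for f in /root/.ssh/authorized_keys /home/*/.ssh/authorized_keys; do
        [ -r "$f" ] || continue
        echo "== Keys in $f not on the allow-list =="
        find_unexpected_keys "$1" < "$f"
    done
}

# Only run live when asked, so the filters can be sourced or replayed.
# (/etc/ssh/approved_key_blobs is an assumed, site-specific path.)
if [ "${1:-}" = "--live" ]; then
    triage "${2:-/etc/ssh/approved_key_blobs}"
fi
```

Running `sh fritzfrog-triage.sh --live /path/to/allowlist` prints the hits for each check; an empty section means that indicator was not seen.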

New wave of attacks aiming to rope home routers into IoT botnets

Trend Micro research is warning consumers of a major new wave of attacks attempting to compromise their home routers for use in IoT botnets. The report urges users to take action to stop their devices from enabling this criminal activity.


The importance of home routers for IoT botnets

There has been a recent spike in attacks targeting and leveraging routers, particularly around Q4 2019. This research indicates increased abuse of these devices will continue as attackers are able to easily monetize these infections in secondary attacks.

“With a large majority of the population currently reliant on home networks for their work and studies, what’s happening to your router has never been more important,” said Jon Clay, director of global threat communications for Trend Micro.

“Cybercriminals know that a vast majority of home routers are insecure with default credentials and have ramped up attacks on a massive scale. For the home user, that’s hijacking their bandwidth and slowing down their network. For the businesses being targeted by secondary attacks, these botnets can totally take down a website, as we’ve seen in past high-profile attacks.”

Brute force log-in attempts against routers increasing

The research revealed an increase from October 2019 onwards in brute force log-in attempts against routers, in which attackers use automated software to try common password combinations.

The number of attempts increased nearly tenfold, from around 23 million in September to nearly 249 million attempts in December 2019. As recently as March 2020, Trend Micro recorded almost 194 million brute force logins.

Another indicator that the scale of this threat has increased is devices attempting to open telnet sessions with other IoT devices. Because telnet is unencrypted, it’s favored by attackers – or their botnets – as a way to probe for user credentials.

At its peak, in mid-March 2020, nearly 16,000 devices attempted to open telnet sessions with other IoT devices in a single week.

Cybercriminals are competing with each other

This trend is concerning for several reasons. Cybercriminals are competing with each other to compromise as many routers as possible so they can be conscripted into botnets. These are then sold on underground sites either to launch DDoS attacks, or as a way to anonymize other attacks such as click fraud, data theft and account takeover.

Competition is so fierce that criminals are known to uninstall any malware they find on targeted routers, booting off their rivals so they can claim complete control over the device.

For the home user, a compromised router is likely to suffer performance issues. If attacks are subsequently launched from that device, their IP address may also be blacklisted – possibly implicating them in criminal activity and potentially cutting them off from key parts of the internet, and even corporate networks.

As explained in the report, there’s a thriving black market in botnet malware and botnets-for-hire. Although any IoT device could be compromised and leveraged in a botnet, routers are of particular interest because they are easily accessible and directly connected to the internet.


Recommendations for home users

  • Make sure you use a strong password. Change it from time to time.
  • Make sure the router is running the latest firmware.
  • Check logs to find behavior that doesn’t make sense for the network.
  • Only allow logins to the router from the local network.

Zyxel NAS, firewalls and LILIN DVRs and IP cameras conscripted into IoT botnets

A wide variety of Zyxel and LILIN IoT devices are being conscripted into several botnets, researchers have warned.

Users are advised to implement the provided firmware updates to plug the security holes exploited by the botmasters or, if they can’t, to stop using the devices altogether or to put them behind network firewalls.


Zyxel devices affected

According to Palo Alto Networks’ Unit 42, botmasters using a new Mirai strain dubbed Mukashi are exploiting CVE-2020-9054, a pre-authentication command injection flaw, to compromise and “zombify” network-attached storage devices, firewalls, business VPN firewalls and unified security gateways.

CVE-2020-9054 is considered to be a critical vulnerability as it can be exploited by a remote, unauthenticated attacker to execute arbitrary code on a vulnerable device.

The vulnerability was fixed in late February and Zyxel has provided firmware updates for the following affected devices that are still supported:

  • Network-attached storage devices (NAS326, NAS520, NAS540, NAS542)
  • Firewalls, business VPN firewalls and unified security gateways (ATP100, ATP200, ATP500, ATP800, USG20-VPN, USG20W-VPN, USG40, USG40W, USG60, USG60W, USG110, USG210, USG310, USG1100, USG1900, USG2200, VPN50, VPN100, VPN300, VPN1000, ZyWALL110, ZyWALL310, ZyWALL1100)

“Owners of NSA210, NSA220, NSA220+, NSA221, NSA310, NSA310S, NSA320, NSA320S, NSA325 and NSA325v2 as well as some other ZyXEL devices may not be able to install firmware updates, as these devices are no longer supported,” CERT/CC warned.

“Be cautious when updating firmware on affected devices, as the ZyXEL firmware upgrade process both uses an insecure channel (FTP) for retrieving updates, and the firmware files are only verified by checksum rather than cryptographic signature. For these reasons, any attacker that has control of DNS or IP routing may be able to cause a malicious firmware to be installed on a ZyXEL device.”

Workarounds available for those who can’t update the firmware include:

  • Blocking access to the web interface (80/tcp and 443/tcp) of any vulnerable ZyXEL device
  • Restricting access to vulnerable devices (i.e., not exposing them on the internet).

“Note however, that it is still possible for attackers to exploit devices that are not directly connected to the internet. For example, by way of viewing a web page,” CERT/CC added.

LILIN devices affected

LILIN digital video recorders (DVRs) and IP cameras have been under attack for months, by botmasters of the Chalubo, FBot and Moobot botnets, say researchers from Qihoo 360’s Netlab team.

They are exploiting a number of security flaws, including hard-coded login credentials, command injection (via NTP and FTP) and arbitrary file reading vulnerabilities.

According to the researchers, firmware running on a dozen LILIN devices is affected:

  • DVRs (LILIN DHD516A, LILIN DHD508A, LILIN DHD504A, LILIN DHD316A, LILIN DHD308A, LILIN DHD304A)
  • IP cameras (LILIN DHD204, LILIN DHD204A, LILIN DHD208, LILIN DHD208A, LILIN DHD216, LILIN DHD216A)

The manufacturer released firmware that fixes the flaws (2.0b60_20200207) back in February.

Users of all the affected devices, both Zyxel’s and LILIN’s, are advised to update their device firmware or implement available workarounds.

Cyberattackers decreased their activity at the end of 2019, but only to change tactics

Attackers know that humans are still the weakest link. Across the board, malicious cyber-activity was down partly as a result of hectic holiday schedules and vacations with fewer employees around to interact with malicious activity.


However, this decrease in activity also tracks with the heightened malicious activity Nuspire researchers saw at the beginning of 2019. Targeting employees returning to the office and digging through emails received over the holidays is a prime opportunity to strike.

“While we saw a reduction in known attacks in the 4th quarter, the frequency and severity of attacks will always fluctuate. However, the trend lines have always moved upwards.

“As an industry, we must stay diligent and focused on understanding what threat actors pose the biggest threat to your business, how they will attack you and what safeguards you have in place to detect and respond to malicious activity. We simply can’t afford to let our guard down”, said Lewie Dunsworth, CEO of Nuspire.

“Year over year, adversaries have demonstrated their ability to evolve and increase the sophistication of their attacks doing more harm, faster than ever. While organizations must continually refresh cybersecurity policies, stress hygiene best practices, and practice effective change management, it’s critical to have trusted partners that you can lean on to assist with both the response and remediation efforts.”

Cyberattackers are retooling methodologies

The decrease in botnet (22%), malware (19%) and exploit activity (12%) also suggests that cyberattackers are retooling methodologies in order to change tactics and techniques for 2020 as evidenced by other notable findings in the report including:

  • Sora, a variant of the notorious Mirai IoT botnet, despite almost completely ceasing activity by the end of the year, continues to reign supreme as the most prevalent botnet, followed by Andromeda, Necurs and Conficker.
  • njRAT detection increased by 89% from August to early October 2019 following the release of a new version.
  • Increased government attention and frequency of ransomware malspam campaigns as a delivery method this quarter correlated to the spike in malware detection in early Q4 2019.
  • Significant increase in exploit attempts for IFS Remote Code Execution furthered the point that attackers recycle through older attack methods to catch enterprises when they least expect it.
  • Visual Basic for Applications (VBA) scripts remained prevalent throughout Q4 and the entirety of 2019, dropping by a mere 5% in detections in Q4. These VBA scripts are embedded in malicious documents and, when executed, perform malicious actions.


“Unfortunately, 2020 will see the continued evolution of old, but tried and true, threats. Delivery will be through channels that look and seem safe but are vulnerable,” said Shawn Pope, Senior Security Analyst of Nuspire. “Organizations need to be vigilant in continually reminding and educating employees of their role as the first line of defense.”

Key security priorities for financial services: Preventing fraud and data leaks

The banking and financial services sector is struggling with a skills shortage along with the sheer volume of threats and alerts as it continues its ongoing battle against cybercrime, according to Blueliv.


With financial organizations a prime target for attacks, preventing fraud and data leakages is key to the sector’s security strategies – but it is getting harder as cyberthreats become increasingly diverse, sophisticated and malicious.

Rise in banking Trojans

Roughly a third of respondents are concerned about the impact banking Trojans (31 percent) and mobile malware (28 percent) will have on financial services organizations and their customers in 2020.

Tracking the latest evolving threats, researchers observed a 283 percent increase in botnets relating to Trickbot as well as a 130 percent increase in Dridex botnets. These botnets are linked to the distribution of banking Trojans and other malware families targeting the financial services sector.

The report also highlights that malware targeting mobile apps is one of the most rapidly developing threats to the financial services sector, with functionalities that allow criminals to gather user credentials as well as steal funds from mobile users’ bank accounts.

This is partly driven by the fact that cybercriminals can now easily buy malware builders in underground forums, and that these often include advanced evasion techniques so the malware remains undetected on infected devices.

Key security priorities for financial services include fraud prevention

While the financial services sector – by its very nature – has some of the most mature cyberdefense strategies and is ahead of many other industries in detecting and preventing economic crime, weak spots remain in some organizations’ fraud risk assessments. This is underlined by the fact that 35 percent of poll respondents named fraud prevention the most crucial element to an ongoing cybersecurity strategy.

Unauthorized transmission of data from within an organization to external recipients is another key concern, with 31 percent of respondents considering the prevention of data leaks the most important.

Just under a quarter (24 percent) would focus their security strategy around regulation and compliance requirements such as GDPR. At the same time, roughly the same share of respondents (25 percent) named regulatory issues as the biggest challenge for financial services institutions developing ongoing security programs.

Visibility of threats is a challenge

According to the poll, financial services organizations encounter a range of issues as they build their security programs – the most pressing being a shortage of skills (28 percent), followed by the high volume of threats and alerts (26 percent) and a lack of visibility into cyberthreats (20 percent).

This is hardly surprising: as financial services institutions (FSIs) embrace digital processes and new customer interaction channels, so their attack surface grows, making it harder to keep on top of threats ranging from Point-of-Sale (PoS) to ATM malware, mobile apps malware to card skimmers.

“Organizations in the financial sector face a constantly changing threat landscape,” commented Daniel Solís, CEO and founder, Blueliv.

“Business priorities have shifted and digital risk management is now central. Because they are such high-value targets for cybercriminal activity, it is imperative that financial services organizations enhance their security priorities, and monitor what is happening both inside and outside their networks in real-time to create effective mitigation strategies before, during and after an attack.”

Solís continued, “FSI security teams can be easily overwhelmed by the number of threat alerts they receive which can very quickly result in alert fatigue and desensitization to real, preventable threats.

“Threat intelligence can address the cyber skills gap through continuous automated monitoring combined with human resource to provide context, helping FSIs develop highly-targeted threat detection, prevention and investigation capabilities.”

Stantinko botnet’s monetization strategy shifts to cryptomining

The versatile Stantinko botnet that’s been targeting former Soviet nations since at least 2012 has added a Monero cryptomining module to its arsenal.

Stantinko historically has perpetrated click fraud, ad injections, social network fraud and brute-force password stealing attacks, primarily targeting Russia, Ukraine, Belarus and Kazakhstan. But this latest module, discovered by researchers at ESET, has been a major source of Stantinko’s monetization since at least August 2018, ESET malware analyst Vladislav Hrcka notes in a Nov. 26 company blog post.

Described by ESET as a “highly modified version of the xmr-stak open source cryptominer,” Stantinko’s mining module, dubbed CoinMiner.Stantinko, is so powerful that it can “exhaust most of the resources of the compromised machine.”

CoinMiner.Stantinko is divided into four parts. The main component performs the actual mining, while the remaining parts are designed to, respectively, kill the functionalities of previously installed miners, detect security software, and suspend mining activity if the battery is low or the task manager utility is detected.

Instead of directly communicating with its mining pool, CoinMiner.Stantinko uses proxies with IP addresses that are derived from the description texts of YouTube videos, ESET reports. The module finds these videos after receiving a video identifier in the form of a command-line parameter. (In earlier versions the video URL was hard-coded into the module.)

Communication with the proxies is encrypted with RC4 and takes place over TCP, the blog post continues. At the start of this communication, the code of the CryptoNight R hashing algorithm is downloaded from the proxy and loaded into memory.

“Downloading the hashing code with each execution enables the Stantinko group to change this code on the fly. This change makes it possible, for example, to adapt to adjustments of algorithms in existing currencies and to switch to mining other cryptocurrencies in order, perhaps, to mine the most profitable cryptocurrency at the moment of execution,” Hrcka explains. “The main benefit of downloading the core part of the module from a remote server and loading it directly into memory is that this part of the code is never stored on disk.”

According to ESET, YouTube removed the offending channels after it was alerted to the scam.

To remain stealthy and avoid detection, the actors behind CoinMiner.Stantinko removed certain strings and functions and heavily obfuscated the remainder. ESET notes that the module’s use of advanced obfuscation techniques is its most prominent feature.

“Our discovery shows that the criminals behind Stantinko continue to expand the ways they leverage the botnet they control,” Hrcka concludes. “This remotely configured cryptomining module, distributed since at least August of 2018 and still active at the time of writing, shows this group continues to innovate and extend its money-making capabilities.”

The post Stantinko botnet’s monetization strategy shifts to cryptomining appeared first on SC Media.

Free download: Botnet and IoT Security Guide 2020

The Council to Secure the Digital Economy (CSDE), a partnership between global technology, communications, and internet companies supported by USTelecom—The Broadband Association and the Consumer Technology Association (CTA), released the International Botnet and IoT Security Guide 2020, a comprehensive set of strategies to protect the global digital ecosystem from the growing threat posed by botnets, malware and distributed attacks. International Botnet and IoT Security Guide 2020 Botnets are large networks of compromised devices under the … More

The post Free download: Botnet and IoT Security Guide 2020 appeared first on Help Net Security.

Linux Webmin Servers Under Attack by Roboto P2P Botnet


Researchers discover massive increase in Emotet activity

Emotet had a 730% increase in activity in September after being in a near dormant state, Nuspire discovered. Emotet, a modular banking Trojan, has added additional features to steal the contents of victims’ inboxes and steal credentials for sending outbound emails. Those credentials are sent to the other bots in its botnet, which are then used to transmit Emotet attack messages. When Emotet returned in September, it appeared with TrickBot and Ryuk ransomware to cause the … More

The post Researchers discover massive increase in Emotet activity appeared first on Help Net Security.

Android Trojan Compromises Credit Card Details and Then Locks Your Mobile

This nasty two-year-old Android trojan has evolved into an all-around threat.

An Android trojan detected by Russian security firm Dr.Web as Android.SmsSpy.88 evolved in the past two years from simple spyware to banking trojan, and now to a mobile ransomware threat.

First detected in April 2014, the trojan was initially distributed via SMS spam, and once it infected victims, it was capable of intercepting phone calls and SMS messages, usually used for two-factor authentication systems.

As time went by, the Android.SmsSpy trojan evolved and added the ability to phish for credit card details using a Google Play Store-like interface, as well as to show interstitials mimicking popular Russian bank logins.

“Android.SmsSpy came back stronger and more powerful than ever”

The biggest update happened at the end of 2015, when Dr.Web says the trojan gained the ability to phish for credentials from almost any bank around the world, along with the capacity to lock the user’s screen and ask for a ransom.

This increase of functionality also had an effect on its distribution model, which switched from SMS spam to fake apps posing as an Android version of Adobe Flash Player.

Dr.Web also noticed that the trojan started using a very customizable bank phishing popup system, which allows trojan operators to modify the popup’s content much more easily and target any bank or payment processor they’d like.

“Trojan is chock-full of features”

These latest versions of Android.SmsSpy need administrative privileges, a constant Internet connection, and are packed full of dangerous features.

These include the ability to send USSD requests, intercept MMS messages, send SMS spam to all phone contacts, exfiltrate SMS messages and more.

All of these are managed from C&C servers, and Dr.Web claims it detected over 50 different master servers, commanding as many different botnets.

“Android.SmsSpy is rented from underground cyber-crime forums”

The large number of different botnets is explained by the fact that Android.SmsSpy’s creator is extremely busy with advertising and renting out his infrastructure to other criminals on the Dark Web.

Dr.Web researchers claim that Android.SmsSpy made victims in 200 countries and infected at least 40,000 mobile devices. The hardest-hit country was Turkey, which accounted for nearly one-fifth of all infections, followed by India, Spain, Australia, Germany, and France.

The most targeted Android version was 4.4 (35.71%), but Android.SmsSpy also infected almost all Android versions between 2.3 and 5.2.

“Android.SmsSpy.88.origin acts not only as a banking Trojan and a spyware program but also as a ransomware Trojan, allowing attackers to make more money on gullible users,” Dr.Web reported this week.

Geographical distribution of Android.SmsSpy victims

By Catalin Cimpanu