Research Saturday 8.9.25
Ep 388 | 8.9.25

When malware plays pretend.

Transcript

[ Music ]

Dave Bittner: Hello, everyone, and welcome to the CyberWire's "Research Saturday." I'm Dave Bittner. And this is our weekly conversation with researchers and analysts tracking down the threats and vulnerabilities, solving some of the hard problems, and protecting ourselves in our rapidly evolving cyberspace. Thanks for joining us. [ Music ]


Nicolás Chiaraviglio: We have a pretty [inaudible 00:00:34] surveys at the moment, and we have some malware detection systems that are newly based on machine learning. We are constantly -- they're refining samples that we are detecting in the wild that are very different from things that we've seen before. So as part of that process, we found some samples that caught our attention, and then we started checking valid sources if we found similar samples.


Dave Bittner: That's Nicolás Chiaraviglio. He's Chief Scientist from Zimperium's zLabs. The research we're discussing today is titled "Behind Random Words: DoubleTrouble Mobile Banking Trojan Revealed." [ Music ]


Nicolás Chiaraviglio: So that's how we found around 35 different samples for this campaign. We start from, like, different periods in time of the same kind of thing, so we can see kind of the evolution.


Dave Bittner: And what is it that made the DoubleTrouble banking trojan stand out compared to others that you've seen before?


Nicolás Chiaraviglio: There are a couple of new techniques used by these folks. Mostly to avoid detection. I'm not sure how familiar you are with how traditional banker trojans work, but they do incremental [inaudible 00:01:55] capabilities. We can discuss them if you want.


Dave Bittner: Yes, let's do it.


Nicolás Chiaraviglio: Okay. So yes. Let's do that. So recently you had actually an interview with Selena Larson in which you discussed all the info stealers of this family. So banker trojans are a type of info stealer, but are focused on financial data and bank data. So the way they usually do it is they abuse accessibility service on a mobile device in order to be able to tamper with the UI while the user is interacting with a banking application. And the most common attack is what is called an overlay attack. So when the banking app is started, the malware takes control over the UI and puts in front of the bank UI what is called an overlay. So the victim thinks that it's interacting with the regular banking app, but in reality what is happening is that it's interacting with this fake UI. So all the data that is being entered, like credentials, or like account information, is actually sent through a command and control server. So this is like the traditional attack. In this case, what they did is they added for example screen recording capabilities. The reason why they are doing this is because now a lot of malware detection engines are trying to detect [inaudible 00:03:24] to see if there is an application that is, for example, using an overlay. So that is something that can be detected. So that when there is a traditional banking attack [inaudible 00:03:35] affected. So in this case, what these guys are doing is something different, which is to actually record the screen. So they get frame by frame of what the victim is doing. So by doing that, they can reconstruct everything that happened in the UIs, and steal credentials [inaudible 00:03:50]. I really think that this is pretty similar to an overlay attack, but from the internal server how it works is completely different. It's something that goes fully under the radar. So this is what makes the DoubleTrouble more effective than traditional bankers that we've seen up there.


Dave Bittner: Now one of the things you highlight in the research is that this has evolved over time. In earlier variants, it was distributed a certain way, and that's changed. Can you walk us through the evolution of the distribution methods?


Nicolás Chiaraviglio: Yes, sure. So initially what they were doing was a traditional phishing attack. So the victim had to go to the -- usually on [inaudible 00:04:38] or on the mobile device, but you know, browsing the web. They had to go to a phishing site that looked very similar to the bank that they were targeting. And basically the user in that social engineering attack was tricked to download an app that was later installed on the device, right? So that was, like, a traditional method. But in that case, the targets were more limited, right? So if you were opening Bank A, then you were downloading that app, and you were basically expecting that app to be similar to Bank A. So now what they're doing is, they are just hosting apps in many different places, and not necessarily as banking apps. For example, there were [inaudible 00:05:23] apps in Discord. So any app repository can contain one of these [inaudible 00:05:28] applications, and the good thing about this is that you don't need to be targeting one specific banking app where you can get the payload afterward. And this is something that we see quite often. So because of the way all the OS protection works, if you download an app from the internet, you won't be -- and you sign in on your device, you won't be able, for example, to [inaudible 00:05:53] service, which is something that is critical for this malware [inaudible 00:05:57] in order to operate properly. But what these guys do is, like, a two-stage attack. So first you get this app from one of these bogus repositories, or it can be any deceptive website [inaudible 00:06:09] targeting a bank. And this is what we call a dropper, right? So the dropper has a different application inside that will be installed in a way that is called a session-based installation. And the way to do that or the benefit of doing that is that the APK, the actual authentication will never be on disk.
So if you're a security vendor that is inspecting that, you won't be detecting that, because the app will never be there. And now with this dropper, you can kind of like dynamically generate the target. You can contact a [inaudible 00:06:43] control server and say hey, this device, Bank A, B, and C are installed here, so please give me the payloads that I need in order to target these banks.


Dave Bittner: Why are they making use of Discord specifically? What are the benefits for the attackers there?


Nicolás Chiaraviglio: That's a very good question. And sometimes with this research, we don't have all the answers. This is one of them. I guess that they are just targeting like a popular social network. So we see a lot of malware being distributed through [inaudible 00:07:16] channels, Discord channels, so our guess is that they are, like, infiltrating specific groups, you know, playing like, you know, the still-good part of the internet in which people help each other without asking for a [inaudible 00:07:32]. Check this and it will help you. And then basically getting some malicious payload with one of these purposes.


Dave Bittner: I see. Well, the research mentions the use of what you call random two-word method names throughout the code. Can you tell us what that means? And my understanding is that that complicates traditional static analysis.


Nicolás Chiaraviglio: Yes, exactly. So it's basically an obfuscation methodology that they are using. Before -- in the compiling process of the app, what they do is they get all classes and method names, and they change the name by two random words that they select for each class and each method. Why does that complicate static analysis? Because if you -- usually once they give it to researchers, they create what we call a signature, right? Some heuristic. So if you see this pattern in the code, then it's likely that this is a [inaudible 00:08:35]. And -- but if that pattern is random and it does start to keep changing, then it's very difficult to break that signature. So that's what they are doing. In this case, it's pretty unusual, but they chose to do this. Like the obfuscation methodologies replacing classes and method names by two random names. Each class and each method with a different tool, convention of the words. [ Music ]


Dave Bittner: We'll be right back. [ Music ] And what is the range of capabilities of DoubleTrouble? What sort of things can it do?


Nicolás Chiaraviglio: It can do quite a lot, actually. So we discussed already, like, the traditional overlay attack. So that is fully [inaudible 00:09:29] here. And on top of that, it can steal locking patterns. So they have the capability of spawning either the pattern or the PIN code or any password that the user uses to [inaudible 00:09:47] steal how you are unlocking your device. And this is interesting, because there is -- [inaudible 00:09:53] recents to that, but one possibility is that they want to evolve in the future to do something like ransomware, right? So ransomware on mobile devices is discussed a lot, but we haven't seen, like, any big attack yet. But one way to perform a ransomware attack would be to change the PIN code in front of your eyes, right? So if I lock you out of your device, and I just display some message saying hey, send this amount of crypto to this address, that would be like an analogy to traditional ransomware attacks. And that [inaudible 00:10:25] has the capability of getting the PIN, or the pattern to unlock the device. At the same time, it's a keylogger. So it can record every keystroke on the device. So from there you can also reconstruct for example credentials or any information that you see on the images that I mentioned before. As I mentioned also, it would also have this screen recording feature where basically what they do is they are constantly taking pictures frame by frame, and then they are encoding that as Base64, so now we transform images to text, and they put that inside of a JSON payload that is being sent to a command and control server with a lot of [inaudible 00:11:10] device. So that attack can reconstruct everything that happened. And also it has remote control capabilities. So things that are necessary for example to grant the application more permissions, so we mentioned that [inaudible 00:11:26] select up to stage infection. First we have a dropper, and then we have the payload.
And the dropper needs to have elevated privileges in order to perform [inaudible 00:11:36] actions. Not the [inaudible 00:11:38] sorry. Accessibility and permission to do [inaudible 00:11:42] actions. So once they have that, they have specific commands to control the device, right? They can exercise the UI as if they were -- they have total control of it. And the last thing that they can do also is they can block and crash legitimate applications. So it's also unclear why they do that, because usually if you're performing an overlay attack, you want the app to be running and you don't want to see any crash, but what they do is they crash the real application and they display a system error message saying hey, this app is crashing for xy reason. And after that, they can exploit a different attack. But it's not completely clear yet what the purpose of that stage is.


Dave Bittner: And what insights do you have on their command and control functionality and infrastructure?


Nicolás Chiaraviglio: So usually we don't poke much on the [inaudible 00:12:39] so I don't have a lot of information. I think in the research also, we didn't show much on that. We kind of like got [inaudible 00:12:49] analysis on [inaudible 00:12:51] commands that they can do, but not -- we don't have much information on there actually [inaudible 00:12:55].


Dave Bittner: Okay. Yes, fair enough. Who do they seem to be targeting here? Are there any patterns of who they're going after?


Nicolás Chiaraviglio: So the first version of this was starting within specifically at European banks, only European banks. The latest version, as I said, it's quite dynamic, right? So even if today we see only banks targeted or only European banks targeted, it can happen in the next week that it extends a lot. So they have screen recording functionalities. So basically they can target any app, right? So if someone in South Africa is opening this, and there is suddenly a stream of information from a South African bank, well, they can go and use it, right? Because they just have all the -- even the keystrokes and all the images. And it's quite common that we see this evolving. Like for example, a couple of days ago, an [inaudible 00:13:52] published a blog about a UI [inaudible 00:13:57] or something like that. And they claimed that they found 300 banks targeted. So we did, like, further research for it, went and found more samples, and we found that the targets grew from 300 to 3,000, right? So we only found this amount of new targets in just a couple of weeks. So this is a pretty fast-evolving ecosystem sometimes. And since they have control of the device, remote control of the device, the payload can be quite dynamic and the number of banks targeted can grow pretty fast.


Dave Bittner: Well, what are your recommendations then for organizations to best protect themselves? What sort of things do they need to have in place?


Nicolás Chiaraviglio: So in this case, disabling third-party sources is critical. So most of these applications are always coming through unvetted sources. So I would say that that's the critical part to it. Never install apps that are through unknown sources or through third-party app stores. Things that are not trusted. Second, having a comprehensive [inaudible 00:15:11] detection. It's kind of critical. Something that can detect even [inaudible 00:15:16] is not, you know, enforced. And third, in an enterprise environment, having something like application vetting in order to start a comprehensive understanding of what applications you're installing and what your user base is doing with [inaudible 00:15:36].


Dave Bittner: Looking at the research that you've done here, what does DoubleTrouble tell you in terms of where we might be headed in the future when it comes to these mobile banking threats?


Nicolás Chiaraviglio: That's a very good question, and I think that we can guarantee that this trend will continue. So this is a cat and mouse game. So attackers will adapt, and we'll have to adapt to new kinds of attacks. And we will have to do it in a much more restricted ecosystem every time. So for sure these attacks will grow in complexity. [inaudible 00:16:16] the extensive adoption of AI will also help to increase the number of targets. So now, it's pretty simple for attackers to, you know, extend the range of their attacks. So pretty much, I would say that's where we are going, right, like, wider targets and always evolving techniques. [ Music ]


Dave Bittner: Our thanks to Nicolás Chiaraviglio from Zimperium for joining us. The research is titled, "Behind Random Words: DoubleTrouble Mobile Banking Trojan Revealed." We'll have a link in the show notes. And that's "Research Saturday," brought to you by N2K CyberWire. We'd love to hear from you. We're conducting our annual audience survey to learn more about our listeners. We're collecting your insights through the end of this summer. There's a link in the show notes. Please do check it out. This episode was produced by Liz Stokes, remixed by Elliott Peltzman and Tré Hester. Our executive producer is Jennifer Eiben. Peter Kilpe is our publisher, and I'm Dave Bittner. Thanks for listening. We'll see you back here next time. [ Music ] [ Sound effect ]