The Gustuff banker, after receiving the update, it attacks Android devices again, and now collects not only credentials of financial accounts, but also information from job search applications.
This concluded Cisco Talos experts, as they have been monitoring malware activity since March of this year.Researchers found that the author of the Trojan abandoned the previous method of connecting residents with the command server and changed the program code so that it left fewer characteristic traces on the hacked smartphone.
Gustuff first appeared in the field of view of researchers in the spring of 2019. The malware was spread via SMS containing a link to a website owned by cybercriminals.
“The Gustuff banking trojan is back with new features, months after initially appearing targeting financial institutions in Australia. Cisco Talos first reported on Gustuff in April. Soon after, the actors behind Gustuff started by changing the distribution hosts and later disabled its command and control (C2) infrastructure. The actor retained control of their malware since there is a secondary admin channel based on SMS”, — report Cisco Talos experts.
Messages on the command were sent from infected devices to all subscribers in the victim’s address book. Attackers expected that the user is more likely to switch to a criminal resource if he receives a message from friends.
Once on the target device, the trojan intercepted the management of SMS messages, and also tried to steal the victim’s credentials while working with banking applications and financial resources of Australia.
Read also: Criminals distribute RevengeRAT and njRAT Trojans through ODT files
To do this, the malware dynamically generated a fake login or bank card data entry window when it recorded the corresponding user activity. The list of programs and sites to which Gustuff reacted was hardwired in its code, which made it easy to track its operation.
A new phase of the campaign began in October this year. According to analysts, the author of the Trojan made significant changes to its code in order to attract less attention from antivirus applications. The cybercriminal turned off the control center specified in the source code of the program and discovered by the researchers. Now the identifier of the command server is assigned when Gustuff is activated, and interaction is carried out through the malware’s own API.
Read also: Vulnerabilities in NTLM Could Allow Domain Compromise
After installing the trojan, the operators receive a list of the programs installed on the device and try to deactivate the detected security scanners. The malicious application also acquired its own JavaScript engine, which allows you to run scripts received from the command center on your smartphone. Cybercriminals can load tools to create the necessary dialogs dynamically, depending on the installed banking applications.
As security experts found out, early versions of Gustuff were based on the ExoBot banker code, one of the most technically sophisticated malware for Android. At the end of 2017, the author of the program sold its source code on one of the darknet forums, which could be the starting point for creating new trojans.
How to protect yourself from Gustuff?
Today, Gustuff still relies primarily on malicious SMS messages to infect users, mainly targeting users in Australia. Although Gustuff has evolved, the best defense remains token-based two-factor authentication, such as Cisco Duo, combined with security awareness and the use of only official app stores.
