Aberebot-2.0 is coming to banking apps and crypto wallets


Cybercrime, Cybercrime as a Service, Endpoint Security

A newer, better performing variant of the Aberebot banking Trojan is for sale for $7,000 on the Dark Web

Soumik Gosh
December 1, 2021

Subset of targeted applications present in the code of Aberebot-2 (Source: Cyble)

A new variant of the Aberebot banking malware, targeting 213 banking apps and nine crypto wallet apps in 22 countries, has been discovered by researchers. Named Aberebot-2.0, the Telegram-based malware is the new version of the Aberebot Android banking Trojan discovered in July 2021.


Aberebot-2.0 uses Telegram APIs to communicate with its operators and is able to steal sensitive information, including users’ financial and personal data, using phishing web pages, according to researchers at the cybersecurity company Cyble.

The Telegram bot API is used as the command-and-control server because Telegram bots cannot be taken down the way web servers can, and because the messaging platform does not share user information with law enforcement, the report said, citing a note from the creator of Aberebot published on the dark web.

The malicious bot runs on Android versions 9 through 12 and is for sale on a dark web forum for $7,000, the creator’s note says. The source code, the note says, is also for sale as the creator says it is “moving on to new projects.” Cyble says the source code price on the dark web is $3,000.
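The Telegram bot API traffic described above leaves a recognizable trace in web-proxy or egress logs, because the bot's token is carried in the URL path of every call. The following is an added example, not from Cyble's report or from Aberebot itself, that scans constructed proxy log lines for Bot API beacons, groups them by bot token and labels each API method by its likely role in the C2 exchange. The log format (timestamp, client IP, HTTP method, URL), the assumed token shape and the method-to-role mapping are my assumptions, not details from the page.

```python
"""Flag Telegram Bot API traffic in proxy logs as possible banking-trojan C2.

Added example, not code from Cyble's report or from Aberebot. Assumes a simple
proxy log line format: "<timestamp> <client ip> <http method> <url>".
"""
import re
from collections import defaultdict
from dataclasses import dataclass, field
from urllib.parse import urlparse

# A Telegram bot token is "<bot id>:<secret>". The 35-character secret of
# [A-Za-z0-9_-] is an assumption based on tokens commonly seen; widen it if
# your samples differ. The token sits in the path as /bot<token>/<method>.
BOT_PATH_RE = re.compile(
    r"^/bot(?P<token>\d{8,10}:[A-Za-z0-9_-]{35})/(?P<method>[A-Za-z]+)$"
)

# Typical use of each Bot API method by a bot-based C2 (assumed, generic).
METHOD_ROLE = {
    "getUpdates": "tasking-poll",   # implant polls for operator commands
    "sendMessage": "exfil-text",    # stolen credentials, SMS, contacts
    "sendDocument": "exfil-file",   # collected files, screenshots
}


@dataclass
class BotActivity:
    token: str
    clients: set = field(default_factory=set)
    roles: dict = field(default_factory=lambda: defaultdict(int))

    @property
    def bot_id(self) -> str:
        # The numeric prefix identifies the bot without exposing the secret.
        return self.token.split(":", 1)[0]


def parse_line(line):
    """Parse one log line into (ts, client, http_method, url) or None."""
    parts = line.split()
    return tuple(parts) if len(parts) == 4 else None


def find_bot_c2(log_lines):
    """Return {token: BotActivity} for every call to api.telegram.org/bot<token>/..."""
    seen = {}
    for line in log_lines:
        rec = parse_line(line)
        if rec is None:
            continue
        _ts, client, _http_method, url = rec
        u = urlparse(url)
        if u.hostname != "api.telegram.org":
            continue
        m = BOT_PATH_RE.match(u.path)
        if not m:
            continue
        token, method = m.group("token"), m.group("method")
        act = seen.setdefault(token, BotActivity(token))
        act.clients.add(client)
        act.roles[METHOD_ROLE.get(method, "other:" + method)] += 1
    return seen


def summarize(activity):
    """Rows of (bot_id, number of beaconing clients, {role: count}) for an alert."""
    return [(a.bot_id, len(a.clients), dict(a.roles)) for a in activity.values()]


# Constructed sample lines; the token is fake and only has the right shape.
SAMPLE_LOG = [
    "2021-11-30T10:00:01Z 10.0.0.7 GET https://api.telegram.org/bot1234567890:AAFconstructedExampleToken_00000000/getUpdates",
    "2021-11-30T10:00:31Z 10.0.0.7 GET https://api.telegram.org/bot1234567890:AAFconstructedExampleToken_00000000/getUpdates",
    "2021-11-30T10:00:45Z 10.0.0.7 POST https://api.telegram.org/bot1234567890:AAFconstructedExampleToken_00000000/sendMessage",
    "2021-11-30T10:01:02Z 10.0.0.7 POST https://api.telegram.org/bot1234567890:AAFconstructedExampleToken_00000000/sendDocument",
    "2021-11-30T10:01:10Z 10.0.0.7 GET https://www.example.com/index.html",
    # Malformed token (too short); must not match.
    "2021-11-30T10:01:20Z 10.0.0.9 GET https://api.telegram.org/bot12345:short/getUpdates",
]

if __name__ == "__main__":
    for row in summarize(find_bot_c2(SAMPLE_LOG)):
        print(row)
```

A stock Telegram client does not use the Bot API with a token, so a phone talking to `api.telegram.org/bot<token>/...` is worth a look on its own. Treat the token as evidence rather than something to play with: it is the bot's credential, and polling `getUpdates` with it conflicts with the operator's own polling and tips them off.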

Malware delivery

The new version of the Aberebot malware is spread through the Croatian FinaCertifikat website, according to researchers at Cyble.

The sideload feature available on Android devices to install apps from sources other than the Google Play Store allows the installation of malware, Kaustubh Medhe, head of intelligence and research at Cyble, told Information Security Media Group.

“By emulating the name of a legitimate application, the threat actor tricks users into installing the malicious APK using the sideload feature,” Medhe explains.

Cyble’s report shows that Aberebot-2.0 downloads phishing pages for the targeted apps based on the victim’s country of residence. The malware runs continually in the background and monitors all device activity, the researchers add.

When the victim opens a banking or crypto application on the malware’s target list, the malware displays a phishing page over the legitimate application. Once the victim logs in, the malware steals the targeted app’s cookies, they note.

Aberebot-2.0 file collection code (Source: Cyble)

Aberebot-2.0 capabilities

A month after Cyble researchers first discovered the Aberebot banking Trojan, the cybersecurity company Cyclonis concurred with Cyble’s findings, calling the malware a “dangerous new project” capable of displaying phishing overlays when victims interact with a banking app. Cyclonis researchers say the overlays were intelligently designed and all data captured from the target was passed on to the Aberebot operators.

Based on the claims of Aberebot-2.0’s creator and Cyble’s findings, the new variant of the banking malware appears to have multiple capabilities. It can steal information such as text messages, contact lists and device IP addresses, and it can also log keystrokes and evade detection by disabling Play Protect, Google’s built-in security check designed to flag malicious apps, researchers say.

Cyble claims that the “new and improved” version of the banking Trojan can steal messages from email and Gmail apps, inject values ​​into financial apps, collect files from the victim’s device, and inject URLs to steal cookies.

Medhe says that Aberebot-2.0 requests 18 different permissions, including internet permission, and that 11 of them fall into Android’s “dangerous” protection level, the runtime permissions that guard user data such as SMS, contacts and location.

A key difference between the previous version and the latest version of the Aberebot malware, he says, is the use of the Telegram API. “In the new version, the malware author has included features such as the ability to inject or change values in request forms, such as recipient details or amount during financial transactions, and to spy on the victim’s devices using GPS,” he said.

Cyble’s analysis shows that the malware creator added the “QUERY_ALL_PACKAGES” permission, which was introduced in Android 11. Since that release an app cannot enumerate the other packages installed on the device without it, so the malware needs it to check which of its targeted apps are present on newer devices.

Aberebot-2.0 is capable of carrying out fraudulent activity by injecting values ​​into user fields of banking, crypto and social applications on the device, according to the Cyble report.

Medhe says that in addition to obfuscation and anti-detection techniques, Aberebot-2.0 has an “anti-sandbox technique”: the malware terminates itself if it detects that the bogus application is running in a sandbox environment.
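The permission profile Medhe describes (18 permissions, 11 of them dangerous) together with the QUERY_ALL_PACKAGES entry are the quickest static indicators to check when triaging a suspected overlay banking trojan like the one described in the delivery section above. The following is an added example, not from Cyble’s report or from Aberebot’s code, that classifies a permission list (as a tool such as androguard’s `APK.get_permissions()` or `aapt dump permissions` would extract it; that upstream step is assumed and not shown) by Android protection level and applies a simple heuristic: SMS access plus an overlay or accessibility channel plus package enumeration. The sample permission list is constructed to match the article’s counts and is not Aberebot’s actual manifest; the classification tables are a partial copy of AOSP’s and the scoring rule is my own.

```python
"""Static triage of an Android permission list for banking-trojan indicators.

Added example, not Cyble's or Aberebot's code. Input: a list of permission
name strings as extracted from an APK manifest by an external tool
(assumption; this block only classifies what it is given).
"""

P = "android.permission."

# Runtime ("dangerous") permissions per AOSP. Partial list, limited to the
# groups that matter for mobile banking malware; extend as needed.
DANGEROUS = {P + n for n in (
    "READ_SMS", "RECEIVE_SMS", "SEND_SMS", "RECEIVE_MMS",
    "READ_CONTACTS", "WRITE_CONTACTS", "GET_ACCOUNTS",
    "ACCESS_FINE_LOCATION", "ACCESS_COARSE_LOCATION", "ACCESS_BACKGROUND_LOCATION",
    "READ_PHONE_STATE", "READ_PHONE_NUMBERS", "CALL_PHONE", "READ_CALL_LOG",
    "WRITE_CALL_LOG", "ANSWER_PHONE_CALLS", "RECORD_AUDIO", "CAMERA",
    "READ_EXTERNAL_STORAGE", "WRITE_EXTERNAL_STORAGE",
    "READ_CALENDAR", "WRITE_CALENDAR",
)}

# Not "dangerous" in the runtime-dialog sense, but each is granted through a
# settings screen or a separate user action and opens a channel an overlay
# trojan relies on.
SPECIAL = {
    P + "SYSTEM_ALERT_WINDOW",         # draw a phishing page over the target app
    P + "BIND_ACCESSIBILITY_SERVICE",  # read/act on screen (declared on the service)
    P + "REQUEST_INSTALL_PACKAGES",    # second-stage dropper
    P + "PACKAGE_USAGE_STATS",         # learn which app is in the foreground
    P + "QUERY_ALL_PACKAGES",          # list installed apps on Android 11+
}

# Capability each permission gives an implant; used for the verdict below.
ROLE = {
    P + "READ_SMS": "sms-capture", P + "RECEIVE_SMS": "sms-capture",
    P + "SEND_SMS": "sms-send",
    P + "READ_CONTACTS": "contact-theft",
    P + "ACCESS_FINE_LOCATION": "gps-tracking",
    P + "READ_EXTERNAL_STORAGE": "file-collection",
    P + "RECEIVE_BOOT_COMPLETED": "persistence",
    P + "SYSTEM_ALERT_WINDOW": "overlay",
    P + "BIND_ACCESSIBILITY_SERVICE": "overlay",
    P + "PACKAGE_USAGE_STATS": "foreground-watch",
    P + "QUERY_ALL_PACKAGES": "target-enumeration",
}


def protection_level(perm):
    """'dangerous' (runtime prompt), 'special' (settings-granted) or 'normal'."""
    if perm in DANGEROUS:
        return "dangerous"
    if perm in SPECIAL:
        return "special"
    return "normal"  # normal or unknown: installs silently


def triage(permissions):
    """Count permissions by level and apply the overlay-trojan heuristic."""
    perms = set(permissions)
    levels = {lvl: sum(1 for p in perms if protection_level(p) == lvl)
              for lvl in ("dangerous", "special", "normal")}
    indicators = sorted({ROLE[p] for p in perms if p in ROLE})
    # Core pattern: intercept SMS (OTP), overlay the target app, and know
    # which target apps are installed. A heuristic, not a signature.
    core = {"sms-capture", "overlay", "target-enumeration"}
    if core <= set(indicators):
        verdict = "banking-trojan-pattern"
    elif "sms-capture" in indicators or "overlay" in indicators:
        verdict = "suspicious"
    else:
        verdict = "no-pattern"
    return {"total": len(perms), "dangerous": levels["dangerous"],
            "special": levels["special"], "normal": levels["normal"],
            "indicators": indicators, "verdict": verdict}


# Constructed sample with the article's counts (18 permissions, 11 dangerous).
# This is NOT Aberebot's manifest; the exact entries are illustrative.
SAMPLE_PERMISSIONS = [P + n for n in (
    "INTERNET", "ACCESS_NETWORK_STATE", "RECEIVE_BOOT_COMPLETED", "WAKE_LOCK",
    "FOREGROUND_SERVICE", "QUERY_ALL_PACKAGES", "SYSTEM_ALERT_WINDOW",
    "READ_SMS", "RECEIVE_SMS", "SEND_SMS", "READ_CONTACTS",
    "ACCESS_FINE_LOCATION", "ACCESS_COARSE_LOCATION", "READ_PHONE_STATE",
    "READ_EXTERNAL_STORAGE", "WRITE_EXTERNAL_STORAGE", "RECORD_AUDIO",
    "READ_CALL_LOG",
)]

if __name__ == "__main__":
    print(triage(SAMPLE_PERMISSIONS))
```

QUERY_ALL_PACKAGES is the entry worth a second look: from Android 11 an app cannot list other installed packages without it (or a `<queries>` element), so a trojan that still wants to match its target list against the device on Android 11 and 12 has to declare it, while on Android 9 and 10 the same enumeration needs no permission at all. An app that declares it alongside SMS and overlay access has little legitimate reason to do so.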

Targeted banks and crypto wallets

While Aberebot-1.0 targeted 140 apps from 18 countries, the latest variant of the banking Trojan carries details of 230 banking, digital payment and crypto wallet apps from 22 countries.

Its target list includes 12 U.S. banks – the main ones being Capital One, Chase, Wells Fargo, SunTrust and US Bank, according to the Cyble report.

Among European banks, Aberebot-2.0 targets 32 Polish banks, 15 German banks, 14 Italian, 12 French and 11 Spanish. Turkey is a top target with 29 banks on the target list, including the country’s largest banks – Ziraat Bank, Isbank and Garanti.

In the UK, the main banks on the target list include the Royal Bank of Scotland, NatWest, Barclays and Santander.

In the Australasia region, the banking Trojan’s target list includes 18 banks, among them ANZ Bank, Bank of Queensland and Citibank Australia. It also targets four New Zealand banks.

In Asia, Aberebot-2.0 targets 10 Indian banking and digital payment applications, including the State Bank of India, HDFC, Union Bank and MobiKwik. The Asia list also includes eight Hong Kong-based banks, including Bank of China, Hang Seng, and DBS Hong Kong, as well as six Japanese and two Malaysian banks.

Among crypto wallet applications, Cyble researchers found that Aberebot-2.0 poses a threat to leading wallets including Coinbase, BitMarket, Bitfinex, Unocoin, and Oxigen.

The threat of banking Trojans

In 2020, IBM Trusteer researchers found that cybercriminals were using 20 emulators to mimic more than 16,000 phones and compromising bank information, resulting in “millions of dollars leaking in days,” news platform Wired reported.

Banking Trojans have been on the radar of security researchers for some time, but the attack mechanism and the way the malware is distributed rarely differ much from one family to the next.

The cybersecurity company Heimdal Security’s list of notable banking malware families shows that most are designed to steal sensitive information, such as system passwords and banking credentials, which cybercriminals then use to attempt unauthorized transactions through a complex network of systems and servers.

Heimdal’s report shows that many banking Trojans, including Zeus, or Zbot, are built with Trojan-creation toolkits that can be purchased online. While banking malware such as SpyEye uses keylogging to retrieve login information, specialized malware such as Shylock is designed to perform fraudulent transactions and relies on a domain generation algorithm to reach its command-and-control infrastructure.

While newer banking Trojans such as Bizarro and Aberebot-2.0 have been customized to target crypto wallet apps in addition to banking apps, others, like Kronos, gained notoriety for their advanced obfuscation abilities. Kronos creator Marcus Hutchins, a British researcher who was 22 at the time, was hailed for halting the 2017 WannaCry attack.

