Gustuff Android Banker Switches Up Technical Approach

An Instagram-initiated campaign using the Gustuff Android mobile banking trojan has rolled out in October, featuring an updated version of the malware that lowers its detection profile.

How the cybercriminals are rolling out the campaign is the same as a previous offensive seen in June, according to researchers at Cisco Talos: Instagram posts designed to lure users into downloading and installing malware are the initial attack vector. Once infected, SMS messages from the device are used to propagate the trojan to others in the victim’s contact lists.

And, just as before, the campaign mainly targets Australian banks and digital currency wallets, looking to steal credentials and financial data.

The application target pool has widened, however: This new version of Gustuff is also looking to harvest user names and passwords for hiring sites’ mobile apps, and interestingly, credentials used on the official Australian government’s web portal, according to the researchers.

“During our investigation, we received a command from the [command-and-control server] C2 to target the Australian Government Portal that hosts several public services, such as taxes and social security,” according to an analysis posted on Monday. “The command was issued before the local injections were loaded (using the changearchive command). The injections were loaded from one of the C2 infrastructure servers. This command is not part of the standard activation cycle and…this represents a change for the actor.”

From a technical perspective, Cisco Talos researchers said that the malware is still deployed using the same packer that has been seen in previous campaigns, but many other aspects of the latest version of Gustuff have seen significant changes.

One of the main functionality evolutions is the fact that it no longer contains hardcoded lists of things to look for. Ditching hardcoded names “dramatically lowers the static footprint” that can be used by white hats for analysis, the researchers noted.

For instance, the applications targeted by the malware are no longer hardcoded in the sample, but are rather provided to the malware during the activation cycle using the command “checkApps,” according to the analysis. Similarly, the list of antivirus and antimalware software that Gustuff blocks as a self-defense mechanism is now also loaded on the fly during the activation cycle.

Another notable change is the addition of a scripting engine, initiated via a new command called “script.” Once issued, the command causes the malware to start a WebChromeClient with JavaScript enabled. Afterward, it adds a JavaScript interface to the WebView feature, which allows mobile apps for Android to display content from the web within their interfaces.

“By default, the WebView object already has access to the filesystem, which…allows the operator to perform all kinds of scripts to automate its tasks, especially when the script also has access to commands from the application,” according to Cisco Talos. “The addition of a ‘poor man scripting engine’ based on JavaScript provides the operator with the ability to execute scripts while using its own internal commands backed by the power of JavaScript language. This is something that is very innovative in the Android malware space.”

Another change is that another new command, “interactive,” uses the accessibility API to allow the malware to interact with banking applications. The accessibility API is also in use elsewhere: The malware no longer shows a panel for the user to provide their credit-card information.

“Instead, it will wait for the user to do it [in a monitored app] and — leveraging the Android Accessibility API — will harvest it,” the researchers noted. “This method of luring the victim to give up their credit card information is less obvious, increasing the chances of success, even if it takes longer.”

And finally, the C2 issues each command with a unique ID now, which is then used by Gustuff to report on the command execution state.

“This allows the malicious actor to know exactly in which state the execution is, while before, it would only know if the command was received and its result,” according to the analysis. “The malware operator can now issue asynchronous commands that will receive feedback on its execution while performing other tasks — ‘uploadAllPhotos’ and ‘uploadFile’ commands are two of such commands.”

Overall, the malware code has evolved to have a lower detection footprint, and, based on the apps list and code changes, it is “safe to assume that the actor behind it is looking for other uses of the malware,” Cisco Talos researchers warned.

What are the top cybersecurity issues associated with privileged account access and credential governance? Experts from Thycotic on Oct. 23 will discuss during our upcoming freeThreatpost webinar, “Hackers and Security Pros: Where They Agree & Disagree When It Comes to Your Privileged Access Security.”Click here to register.