Recently, researchers have identified a new Android malware family capable of exfiltrating financial and personal information after taking control of infected devices. Named by researchers as MaliBot, the malware poses as a cryptocurrency mining application, but may also pretend to be a Chrome browser or another app. On infected devices, the threat focuses on harvesting financial information and stealing banking, finance, cryptocurrency and Personally Identifiable Information (PII).
The malware uses a VNC server implementation that allows it to control the infected devices, and it was also designed to steal and bypass multi-factor authentication (MFA). According to investigators, MaliBot's command and control (C&C) server is located in Russia and uses the same servers that were previously used to distribute the Sality malware. Since June 2020, that IP address has been used to launch various other malicious campaigns.
Early versions of Sality used entry point obscuration (EPO) to hide in a Windows system. They would insert a command somewhere in the middle of an infected file’s code. When a Windows system read the infected file and tried to execute it, the system would “jump” to and execute the malware’s code instead.
Here is what happens during a Sality attack:
- Sality executes a malicious payload once it is installed on a Windows system.
- The actions performed vary based on the malware variant.
- Most Sality viruses try to terminate system processes, including those that execute security programs.
- They can also attempt to open connections to remote sites, download and activate malicious files, and steal user data.
Today’s Sality viruses infect executable files on local, shared, and removable drives. They add malicious code to the end of an infected (or host) file. This code is polymorphic, too, which makes it challenging to identify and analyze.
The analysis of MaliBot has revealed a variety of capabilities, including support for web injections and overlay attacks, the ability to run and delete applications, and the ability to steal a great deal of information, including cookies, MFA codes, and SMS messages.
MaliBot is being distributed via fraudulent websites attempting to trick intended victims into downloading the malware instead of the popular cryptocurrency tracker app “TheCryptoApp,” or via smishing. For most of its malicious operations, MaliBot abuses the Android Accessibility API, which allows it to perform actions without user interaction and also lets it maintain persistence on the infected devices.
The malware can also bypass Google’s 2FA mechanism by validating Google prompts using the Accessibility API. It also steals the 2FA code and sends it to the attacker, and then inputs the code on the victim device. When registering an infected device with the C&C server, the malware also sends out the list of installed applications, which is used to identify overlays/injections that can be used on top of applications that the user is launching.
Having permissions to use the Accessibility API, MaliBot can also implement a VNC server to provide attackers with full control over the infected device. This malware can also send SMS messages on demand (mainly for smishing), can log exceptions, and keeps its background service running by registering itself as a launcher (which also allows it to be notified when an application is launched).
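The two persistence traits described above (an enabled accessibility service and registration as a launcher) are something a defender can check for on a device. The following triage helper is an added example, not code from the report or from the MaliBot analysis: it parses constructed text in the format of `adb shell settings get secure enabled_accessibility_services` and `adb shell pm list packages -3 -i`, and a launcher list assumed to be one `package/activity` component per line, and flags sideloaded packages that show either trait.

```python
# Added triage helper, not from the report: flag sideloaded Android packages that show
# the two MaliBot persistence traits described above (an enabled accessibility service
# and a HOME/launcher activity). Constructed inputs mimic the output of
# 'settings get secure enabled_accessibility_services' and 'pm list packages -3 -i';
# the launcher list format (one package/activity per line) is an assumption.
TRUSTED_INSTALLERS = {"com.android.vending"}  # Google Play; add enterprise stores as needed

def parse_enabled_services(raw: str) -> set[str]:
    """'pkgA/pkgA.Svc:pkgB/.Svc' -> {'pkgA', 'pkgB'}; 'null' or empty -> no services."""
    raw = raw.strip()
    if not raw or raw == "null":
        return set()
    return {entry.split("/", 1)[0] for entry in raw.split(":") if entry}

def parse_installers(raw: str) -> dict[str, str]:
    """'package:com.x  installer=com.android.vending' -> {'com.x': 'com.android.vending'}."""
    result = {}
    for line in raw.splitlines():
        line = line.strip()
        if line.startswith("package:"):
            pkg, _, installer = line[len("package:"):].partition("installer=")
            result[pkg.strip()] = installer.strip() or "null"  # no installer recorded
    return result

def parse_launchers(raw: str) -> set[str]:
    """One 'package/activity' component per line -> set of packages handling HOME."""
    return {line.strip().split("/", 1)[0] for line in raw.splitlines() if "/" in line}

def triage(services_raw: str, installers_raw: str, launchers_raw: str) -> list:
    """Sorted (package, reasons) for third-party packages not installed from a trusted store."""
    services = parse_enabled_services(services_raw)
    launchers = parse_launchers(launchers_raw)
    findings = []
    for pkg, installer in parse_installers(installers_raw).items():
        if installer in TRUSTED_INSTALLERS:
            continue  # store-installed apps are lower priority for this triage
        reasons = [r for flag, r in ((pkg in services, "accessibility service enabled"),
                                     (pkg in launchers, "registers a HOME launcher activity")) if flag]
        if reasons:
            findings.append((pkg, reasons))
    return sorted(findings)

# Constructed sample output; package names are illustrative only.
SAMPLE_SERVICES = "com.example.a11y/.Service:com.example.cryptoapp/.AccService"
SAMPLE_PACKAGES = """package:com.example.cryptoapp  installer=null
package:com.example.a11y  installer=com.android.vending"""
SAMPLE_LAUNCHERS = "com.android.launcher3/.Launcher\ncom.example.cryptoapp/.FakeHome"
```

Running `triage(SAMPLE_SERVICES, SAMPLE_PACKAGES, SAMPLE_LAUNCHERS)` flags only the sideloaded `com.example.cryptoapp`, which both has an enabled accessibility service and registers as a launcher; a hit on a real device is a lead for manual review, not proof of infection.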
Red Sky Alliance is a Cyber Threat Analysis and Intelligence Service organization. For questions, comments or assistance, please contact the office directly at 1-844-492-7225, or feedback@wapacklabs.com
Weekly Cyber Intelligence Briefings:
- Reporting: https://www.redskyalliance.org/
- Website: https://www.wapacklabs.com/
- LinkedIn: https://www.linkedin.com/company/64265941