Researchers: Rajat Goyal and Aazim Bill SE Yaswant
Discovery Date: August 2024
Senior Reviewers: Gianluca Braga
Executive Summary
On Aug 8th, Cyble shared a blog regarding connections between Gigabud and Golddigger malware campaigns. Through further research, we’ve uncovered additional details that shed more light on this threat. This blog will discuss a broader range of targeted financial institutions, a stronger link between Spynote and Gigabud, and provide deeper insights into the threat actor’s activities.
While this campaign is mainly targeting consumer-focused banking apps, the spyware capabilities add a layer of risk to corporate apps as well. Once on the device the attacker could potentially exfiltrate data from critical enterprise applications from the victim’s employer.
Connected Threats
During our investigation, we found a significant link between the Gigabud and Spynote malware families. Domains with closely similar structure (using the same unusual keywords as subdomains) and the same targets were used to spread Gigabud samples and were also used to distribute Spynote samples. This overlap in distribution infrastructure indicates that the same threat actor is likely behind both malware families, pointing to a well-coordinated and broad campaign.
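The infrastructure-overlap reasoning above can be applied mechanically: index every hostname by its uncommon subdomain labels and flag labels that recur across registrable domains serving different malware families. The following script is an added example, not code from Zimperium or from the original post; the hostnames and family labels in it are constructed samples, not real indicators, and the registrable domain is approximated as the last two labels (an assumption, since no public-suffix lookup is performed).

```python
from collections import defaultdict

# Constructed sample input: (hostname, malware family the sample served).
# These are NOT real indicators; they only illustrate the shape of the data.
SAMPLES = [
    ("zebra-update.play-dl.example", "gigabud"),
    ("zebra-update.vnloan.example", "spynote"),
    ("login.play-dl.example", "gigabud"),
    ("cdn.generic-host.example", "spynote"),
    ("www.generic-host.example", "gigabud"),
]

# Generic labels that carry no attribution signal and are ignored.
COMMON_LABELS = {"www", "cdn", "login", "api", "mail", "m", "app"}


def registrable(hostname):
    """Approximate registrable domain as the last two labels (assumption)."""
    return ".".join(hostname.lower().strip(".").split(".")[-2:])


def subdomain_labels(hostname):
    """Return the uncommon subdomain labels left of the registrable domain."""
    parts = hostname.lower().strip(".").split(".")
    return [p for p in parts[:-2] if p and p not in COMMON_LABELS]


def shared_keywords(samples, min_registrables=2):
    """Find subdomain labels seen under >=2 registrable domains AND >1 family.

    Returns {label: {"families": set, "registrables": set, "hosts": set}}.
    A label that meets both conditions is the kind of 'unusual keyword'
    overlap that links two distribution campaigns to one operator.
    """
    index = defaultdict(lambda: {"families": set(), "registrables": set(), "hosts": set()})
    for host, family in samples:
        for label in subdomain_labels(host):
            entry = index[label]
            entry["families"].add(family)
            entry["registrables"].add(registrable(host))
            entry["hosts"].add(host)
    return {
        label: entry
        for label, entry in index.items()
        if len(entry["families"]) > 1 and len(entry["registrables"]) >= min_registrables
    }


if __name__ == "__main__":
    for label, entry in shared_keywords(SAMPLES).items():
        print(f"{label}: families={sorted(entry['families'])} "
              f"domains={sorted(entry['registrables'])}")
```

Run against a real corpus, feed it (hostname, family) pairs from sandbox or sinkhole data; labels that survive the filter are candidates for pivoting, while generic labels such as `login` or `cdn` are discarded so that ordinary hosting conventions do not produce false links.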
Spynote, a sophisticated Android RAT, grants attackers remote control over compromised devices, enabling them to steal sensitive data, record media, and track the device’s location. It’s often disseminated through deceptive tactics, such as phishing campaigns.
Conversely, Gigabud is a banking Trojan specifically designed to target financial institutions. It intercepts banking app login credentials and other sensitive data to facilitate fraudulent transactions. Gigabud often masquerades as legitimate apps or updates, tricking users into granting it extensive permissions that allow it to intercept and manipulate data.
Widespread Distribution and Targets
Several malware samples in the campaign were shielded by a packer known as Virbox, designed to hinder analysis and evade detection by standard malware detection engines.
Our analysis also uncovered 11 C&C servers and 79 phishing websites that played a pivotal role in spreading the campaign. These sites impersonated reputable brands, including major airlines, e-commerce platforms, and Vietnamese government services. Many mimicked the Google Play Store or government loan websites, facilitating the distribution of both Gigabud and Spynote malware. The scale of this operation was staggering, targeting not only Vietnamese entities but also global brands like Ethiopian Airlines and DSTV. This widespread impersonation underscores the sophistication and global reach of this phishing campaign.
Fig 1. Sample Play store Phishing webpage, distributing Gigabud & Spynote samples
In addition to the previous findings, we also found that over 50 financial apps, including more than 40 banks and 10 cryptocurrency platforms, were specifically targeted in this campaign. This suggests a shift in the threat actor’s focus from government impersonations to directly targeting financial institutions.
The following table contains the list of the targets found in the current malware campaign.
Fig. Targeted Bank And Crypto Apps
Package Name of Targeted Apps
vn.com.techcombank.bb.app
com.vnpay.bidv
com.VCB
com.vietinbank.ipay
com.vnpay.Agribank3g
mobile.acb.com.vn
com.vnpay.vpbankonline
com.tpb.mb.gprsandroid
src.com.sacombank
com.mbmobile
com.vnpay.hdbank
vn.com.msb.smartBanking
com.ocb.omniextra
com.mservice.momotransfer
com.bbl.mobilebanking
com.cimbthai.digital.mycimb
com.mobilife.gsb.mymo
com.scb.phone
com.TMBTOUCH.PRODUCTION
ktbcs.netbank
com.bcp.innovacxion.yapeapp
com.dbbl.mbs.apps.main
com.vnpay.Agribank3g
com.mbmobile
com.tpb.mb.gprsandroid
mobile.acb.com.vn
com.vnpay.vpbankonline
com.vnpay.bidv
com.vietinbank.ipay
vn.shb.mbanking
vn.com.msb.smartBanking
com.bitpie
im.token.app
io.metamask
vip.mytokenpocket
com.binance.dev
pro.huobi
com.bybit.app
com.okinc.okex.gp
com.bca
id.dana
ovo.id
com.vnpay.SCB
com.vib.myvib2
ops.namabank.com.vn
com.sacombank.ewallet
xyz.be.cake
vn.com.vng.zalopay
com.UCMobile.intl
vn.com.lpb.lienviet24h
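During incident triage, a responder usually wants to know which of the targeted apps are present on a device that also carries a suspicious sideloaded APK, since those are the accounts to watch or freeze. The script below is an added example and not Zimperium's or the post's own code: it takes the package list from the table above and intersects it with the output of `adb shell pm list packages` (with or without the `-f` path form). The sample `pm` output embedded in it is constructed for illustration.

```python
# Package names copied from the table above (duplicates collapsed by the set).
TARGETED_PACKAGES = {
    "vn.com.techcombank.bb.app", "com.vnpay.bidv", "com.VCB", "com.vietinbank.ipay",
    "com.vnpay.Agribank3g", "mobile.acb.com.vn", "com.vnpay.vpbankonline",
    "com.tpb.mb.gprsandroid", "src.com.sacombank", "com.mbmobile", "com.vnpay.hdbank",
    "vn.com.msb.smartBanking", "com.ocb.omniextra", "com.mservice.momotransfer",
    "com.bbl.mobilebanking", "com.cimbthai.digital.mycimb", "com.mobilife.gsb.mymo",
    "com.scb.phone", "com.TMBTOUCH.PRODUCTION", "ktbcs.netbank",
    "com.bcp.innovacxion.yapeapp", "com.dbbl.mbs.apps.main", "vn.shb.mbanking",
    "com.bitpie", "im.token.app", "io.metamask", "vip.mytokenpocket", "com.binance.dev",
    "pro.huobi", "com.bybit.app", "com.okinc.okex.gp", "com.bca", "id.dana", "ovo.id",
    "com.vnpay.SCB", "com.vib.myvib2", "ops.namabank.com.vn", "com.sacombank.ewallet",
    "xyz.be.cake", "vn.com.vng.zalopay", "com.UCMobile.intl", "vn.com.lpb.lienviet24h",
}

# Constructed sample of `adb shell pm list packages -f` output (not a real device).
SAMPLE_PM_OUTPUT = """\
package:/system/app/Settings/Settings.apk=com.android.settings
package:/data/app/~~abc==/com.VCB-1/base.apk=com.VCB
package:/data/app/~~def==/io.metamask-1/base.apk=io.metamask
package:/data/app/~~ghi==/com.example.notes-1/base.apk=com.example.notes
"""


def parse_pm_list(output):
    """Parse `pm list packages` output into a set of package names.

    Handles both the plain form ``package:com.foo`` and the ``-f`` form
    ``package:/path/base.apk=com.foo``; blank and unrelated lines are skipped.
    """
    packages = set()
    for line in output.splitlines():
        line = line.strip()
        if not line.startswith("package:"):
            continue
        value = line[len("package:"):]
        packages.add(value.rsplit("=", 1)[-1])
    return packages


def at_risk_installed(pm_output, targets=TARGETED_PACKAGES):
    """Return the sorted list of targeted financial apps found on the device."""
    return sorted(targets & parse_pm_list(pm_output))


if __name__ == "__main__":
    for pkg in at_risk_installed(SAMPLE_PM_OUTPUT):
        print("targeted app installed:", pkg)
```

Matching is case-sensitive on purpose: Android package names are case-sensitive identifiers, and several entries in the table (for example `com.VCB` and `com.vnpay.SCB`) rely on that.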
Zimperium vs Gigabud
Customers using either Zimperium’s Mobile Threat Defense (MTD) or our MAPS zDefend SDK, or both, are protected from these newly shared indicators of compromise. Zimperium’s on-device, dynamic detection engine continues to protect our customers with zero-day protection associated with this malware campaign.
Indicators of compromise (IOCs)
Indicators of compromise can be found here.
The post A Network of Harm: Gigabud Threat and Its Associates appeared first on Zimperium.
Article Link: A Network of Harm: Gigabud Threat and Its Associates – Zimperium