LONDON — A powerful Android botnet dubbed Geost has been spotted targeting Russian citizens, with the end goal of distributing a banking trojan to victims.
The botnet has infected more than 800,000 Android devices and controls access to several million Euros held in five banks, according to the researchers from Czech Technical University, UNCUYO University and Avast who discovered it.
Researchers noted that the botnet would likely still be undiscovered if it weren’t for a series of lapses in the cybercriminals’ operational security (OpSec) – including the unencrypted chat logs found during the investigation, and the use of a leaky proxy network that fails in its mission to provide anonymization.
“A rare chain of OpSec mistakes led to the discovery of a new Android banking botnet,” according to the research, presented at Virus Bulletin 2019 in London on Wednesday. “The unusual discovery was made when the botmasters decided to trust a malicious proxy network built by a malware called HtBot. The HtBot malware provides a proxy service that can be rented to give users a pseudo-anonymous communication to the internet. The analysis of the HtBot network communication led to the discovery and disclosure of a large malicious operation.”
HtBot operates by turning victims into unwilling private illegal internet proxies. The infected victims relay communications from the HtBot users to the internet, and the traffic is continually redirected through new victims, making it hard to track.
However, “since these bots offered illegal proxy connections it was possible to capture all the traffic coming from the illegal users to the internet,” according to the research. “During the analysis of the network traffic of the illegal users, a pattern was discovered; this turned out to be the content of the command-and-control (C2) communication channel of the new Geost botnet.”
Adding insult to injury, Geost’s botmasters also failed to encrypt their communications, giving researchers a direct view into the adversaries’ internal workings. This includes technical details such as how they accessed servers, brought new devices into the botnet, and how they evade antivirus software; as well as clues about how the members of the group interact with each other.
“In one conversation, a member of the ring wants to leave the group but the leader encouraged him to stay, saying, ‘Alexander, really, if we started together we need to finish it. Because for now this is working and we can earn money. Not every day we are getting 100K for promotion,’” according to the team’s report.
Other conversations revolved around money laundering and infiltrating victims’ bank accounts; it turns out that lower-level operatives are responsible for bringing devices into the botnet, while higher-level operatives determine how much money is under their control.
Propagation and Reach
The Geost botnet consists of infected Android phones, which are compromised via malicious, fake applications. These include fake banking apps and fake social networks. Once infected, the phones connect to the botnet and are remotely controlled.
“The usual actions of the attackers seem to be accessing the SMS, sending SMS, communicating with banks, and redirecting the traffic of the phone to different sites,” explained the team. “The botmasters also access a great deal of personal information from the user.”
Following the infection, the C2 stores the complete list of SMS messages of every victim, starting from the moment the device becomes infected.
In terms of its infrastructure, Geost is quite complex. “The Geost botnet proved to have hundreds of malicious domains generated by a DGA algorithm, at least 13 C2 IP addresses in six countries, at least 800,000 victims in Russia, and access to several million Euros in the bank accounts of the victims,” the team noted in its paper. “We could see the screens of the C2 servers, lists of victims and SMSs of the victims. The botnet could directly connect to the top five banks in Russia to operate, and deployed more than 200 Android APKs to fake dozens of applications.”
The research team has contacted the five affected Russian banks and is working with them to shut down the campaign.
The first is one of the top five providers of credit cards in Russia. The second bank is one of the largest private commercial banks in that country. The third is one of the three largest banks in Russia and Eastern Europe, and the fourth bank is one of the 500 largest organizations in Europe. The fifth is part of a large group of cooperatives with subsidiaries in more than 15 countries.
“The fact that only five banks were listed suggests that there is a special type of action that can only happen with those banks,” according to the research. “It may seem as if the malware APKs or the C&C code could access and make transfers in accounts of those banks, but this hypothesis was not proven.”