Ghimob Trojan Banker: What it is, how it works and how to prevent it | Malware spotlight
Introduction
Malware is a popular term used to classify software with bad proposes that is part of our lives these days. Ghimob Trojan Banker is one of the most recent malwares in the wild. It was discovered and published by Kaspersky on November 9th, 2020.
In this article, we will discuss how this malware is propagated; the techniques, tactics and procedures used by criminals; and some deep details on how it can exfiltrate sensitive data from victims’ devices. Prevention measures to mitigate mobile malware, in general, will also be provided towards the end of the report.
Introduction
Ghimob is a Trojan malware that is targeting mobile devices around the globe. Kaspersky discovered this piece of malicious software. According to its analysis report, Ghimob can steal data from a total of 153 Android applications, including banks, fintechs, cryptocurrencies and exchanges.
“When monitoring Windows campaigns from Guildma banking malware, researchers noticed that some found URLs were distributing not only a malicious ZIP file for Windows but also a malicious file that appeared to be a downloaded to install Ghimob”, said Kaspersky.
The Trojan is able to infect a large range of victims from different countries, including Brazil, Paraguay, Peru, Portugal, Germany, Angola and Mozambique.
Figure 1: Ghimob detections: Brazil for now, but ready to expand abroad (source).
Threat dissemination
Ghimob is disseminated via phishing campaigns, with the malicious app posing as an installer of popular apps, including Adobe Reader and GoogleDocs. It is not available in the Google Play store; the app is distributed from untrusted sources instead. Domains registered by criminals propagate the threat in the wild. The email sent lures the victim with some kind of debt and also includes a link where more information can be found.
Figure 2: Phishing template (in Portuguese) and samples used during this analysis.
Diving into the details
After downloading the APK, it sends a message about the successful infection to the Command and Controler (C&C) server. The message includes the phone model, whether it has lockscreen security and a list of all installed apps that the malware can target.
Trojan persistence
Once installed on the victim’s device, Ghimob tries to detect common emulators and checks for the presence of a debugger attached to the process and the manifest file, as well as a debuggable flag.
Figure 3: Anti-debug and VM validations found during the analysis of the samples.
After this, the malware abuses of the Accessibility Mode to gain persistence, disable uninstallation, and allows to capture data, including manipulating the screen content (windows overlay), providing full remote control — a very typical activity also observed on Windows desktop Trojans, such as the URSA Trojan.
In addition, the malware also blocks the user from uninstalling it, restarting or shutting down the device as a persistence mechanism.
Obfuscation layer and target apps
By analyzing the malware activity during the infection process, it’s possible to see all the legitimate apps monitored and targeted. According to the Kaspersky report: “these are mainly institutions in Brazil (where it watches 112 apps), but since Ghimob, like other Tétrade threat actors, has been moving toward expanding its operations, it also watches the system for cryptocurrency apps from different countries (thirteen apps) and international payment systems (nine apps). Also targeted are banks in Germany (five apps), Portugal (three apps), Perú (two apps), Paraguay (two apps), Angola, and Mozambique (one app per country).”
As shown below, the malware uses an obfuscation layer to difficult the static analysis. In detail, the strings are encrypted with static functions hardcoded inside the APK and finally stored and encoded in Base64.
Figure 4: Obfuscated strings and templates.
C&C communication and full control of the victim’s device
During the malware operation, it tries to hide its presence by hiding the icon from the app drawer. After that, the malware decrypts a list of hardcoded C&C addresses providers from the configuration file and contact each of them to receive the real IP address — a technique known as fallback-channels.
Figure 5: Example of hardcoded functions used by malware to decrypt the obfuscated content.
All of the communication is done via the HTTP/HTTPS protocol with the C&C server. Figure 6 shows the remote back office used by criminals to access the victim’s details exfiltrated during the malware infection.
Figure 6: Control Panel used by Ghimob for listing infected victims (source).
Ghimob does not record the used screen via Media Projection API like other malwares this nature. This Trojan sends accessibility-related information from the current active window, as shown below from the output of the “301” command returned from the C2.
Figure 7: Exfiltrated Information by Ghimob and sent to the C&C server.
With this kind of technique in place, criminals can send lots of information from time to time consuming less bandwidth than sending a screen recording in real time.
Final thoughts
Criminals continue to improve their malware code in order to bypass detection mechanisms and target the maximum number of possible victims around the world. From this point of view, user education against this type of threat should be seen as the best way to prevent malware infections and keep users on alert.
Some measures to reduce the risk of these kinds of malwares includes:
- Only download apps from official stores
- Do not click on suspicious links from untrusted emails
- Think before executing something unfamiliar
For instance, when the malicious APK of Ghimob is installed on the target device, the app requests some permissions:
In this way, you should always analyze if the application needs to access the requested modules and validate whether the application you are accessing is the official app from your bank and the same available on the Google Play store.
Sources
Ghimob analysis, Kaspersky
Ghimob news, ThreatPost
- Exam Pass Guarantee
- Live expert instruction
- Hands-on labs
- CREA exam voucher
In this Series
- Ghimob Trojan Banker: What it is, how it works and how to prevent it | Malware spotlight
- How AsyncRAT is escaping security defenses
- Chrome extensions used to steal users' secrets
- Luna ransomware encrypts Windows, Linux and ESXi systems
- Bahamut Android malware and its new features
- LockBit 3.0 ransomware analysis
- AstraLocker releases the ransomware decryptors
- Analysis of Nokoyawa ransomware
- Goodwill ransomware group is propagating unusual demands to get the decryption key
- Dangerous IoT EnemyBot botnet is now attacking other targets
- Fileless malware uses event logger to hide malware
- Nerbian RAT Using COVID-19 templates
- Popular evasion techniques in the malware landscape
- Sunnyday ransomware analysis
- 9 online tools for malware analysis
- Blackguard malware analysis
- Behind Conti: Leaks reveal inner workings of ransomware group
- ZLoader: What it is, how it works and how to prevent it | Malware spotlight [2022 update]
- WhisperGate: A destructive malware to destroy Ukraine computer systems
- Electron Bot Malware is disseminated via Microsoft's Official Store and is capable of controlling social media apps
- SockDetour: the backdoor impacting U.S. defense contractors
- HermeticWiper malware used against Ukraine
- MyloBot 2022: A botnet that only sends extortion emails
- Mars Stealer malware analysis
- How to remove ransomware: Best free decryption tools and resources
- Purple Fox rootkit and how it has been disseminated in the wild
- Deadbolt ransomware: The real weapon against IoT devices
- Log4j - the remote code execution vulnerability that stopped the world
- Rook ransomware analysis
- Modus operandi of BlackByte ransomware
- Emotet malware returns
- Mekotio banker trojan returns with new TTP
- Android malware BrazKing returns
- Malware instrumentation with Frida
- Malware analysis arsenal: Top 15 tools
- Redline stealer malware: Full analysis
- A full analysis of the BlackMatter ransomware
- A full analysis of Horus Eyes RAT
- REvil ransomware: Lessons learned from a major supply chain attack
- Pingback malware: How it works and how to prevent it
- Android malware worm auto-spreads via WhatsApp messages
- Malware analysis: Ragnarok ransomware
- Taidoor malware: what it is, how it works and how to prevent it | malware spotlight
- SUNBURST backdoor malware: What it is, how it works, and how to prevent it | Malware spotlight
- ZHtrap botnet: How it works and how to prevent it
- DearCry ransomware: How it works and how to prevent it
- How criminals are using Windows Background Intelligent Transfer Service
- How the Javali trojan weaponizes Avira antivirus
- HelloKitty: The ransomware affecting CD Projekt Red and Cyberpunk 2077
- DreamBus Botnet: An analysis
- Kobalos malware: A complex Linux threat
Get certified and advance your career
- Exam Pass Guarantee
- Live instruction
- CompTIA, ISACA, (ISC)², Cisco, Microsoft and more!
Malware analysis
Malware analysis
Malware analysis
Malware analysis