Ghimob Trojan Banker: What it is, how it works and how to prevent it | Malware spotlight
Malware is a popular term used to classify software with malicious purposes, and it is part of our lives these days. Ghimob Trojan Banker is one of the most recent pieces of malware in the wild. It was discovered and published by Kaspersky on November 9th, 2020.
In this article, we will discuss how this malware is propagated; the techniques, tactics and procedures used by criminals; and some deep details on how it can exfiltrate sensitive data from victims’ devices. Prevention measures to mitigate mobile malware, in general, will also be provided towards the end of the report.
Ghimob is a Trojan malware that is targeting mobile devices around the globe. Kaspersky discovered this piece of malicious software. According to its analysis report, Ghimob can steal data from a total of 153 Android applications, including banks, fintechs, cryptocurrencies and exchanges.
“When monitoring Windows campaigns from Guildma banking malware, researchers noticed that some found URLs were distributing not only a malicious ZIP file for Windows but also a malicious file that appeared to be a downloader to install Ghimob”, said Kaspersky.
The Trojan is able to infect a large range of victims from different countries, including Brazil, Paraguay, Peru, Portugal, Germany, Angola and Mozambique.
Figure 1: Ghimob detections: Brazil for now, but ready to expand abroad (source).
Ghimob is disseminated via phishing campaigns, with the malicious app posing as an installer of popular apps, including Adobe Reader and GoogleDocs. It is not available in the Google Play store; the app is distributed from untrusted sources instead. Domains registered by criminals propagate the threat in the wild. The email lures the victim with a claim of an outstanding debt and includes a link where "more information" can supposedly be found.
Figure 2: Phishing template (in Portuguese) and samples used during this analysis.
Diving into the details
After the APK is downloaded and run, it sends a message about the successful infection to the Command and Control (C&C) server. The message includes the phone model, whether the device has lock-screen security enabled, and a list of all installed apps that the malware can target.
Once installed on the victim’s device, Ghimob tries to detect common emulators, checks whether a debugger is attached to the process, and inspects the manifest file for the debuggable flag.
Figure 3: Anti-debug and VM validations found during the analysis of the samples.
After this, the malware abuses the Accessibility Mode to gain persistence, block uninstallation and capture data, including manipulating the screen content (window overlay) and providing full remote control, a very typical activity also observed in Windows desktop Trojans such as the URSA Trojan.
In addition, as a persistence mechanism, the malware blocks the user from uninstalling it and from restarting or shutting down the device.
Obfuscation layer and target apps
By analyzing the malware activity during the infection process, it’s possible to see all the legitimate apps monitored and targeted. According to the Kaspersky report: “these are mainly institutions in Brazil (where it watches 112 apps), but since Ghimob, like other Tétrade threat actors, has been moving toward expanding its operations, it also watches the system for cryptocurrency apps from different countries (thirteen apps) and international payment systems (nine apps). Also targeted are banks in Germany (five apps), Portugal (three apps), Perú (two apps), Paraguay (two apps), Angola, and Mozambique (one app per country).”
As shown below, the malware uses an obfuscation layer to hinder static analysis. In detail, the strings are encrypted with static functions hardcoded inside the APK and then stored Base64-encoded.
Figure 4: Obfuscated strings and templates.
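The obfuscation described above (encrypted strings stored as Base64) leaves a recognisable footprint in decompiled code: long Base64 tokens that decode either to readable text or to high-entropy bytes that still need the hardcoded decryption routine. The script below is an added triage example, not code from the article or from the malware; the sample "decompiled" lines and their contents are constructed for illustration, and the entropy threshold is an assumption chosen for this example.

```python
import base64
import binascii
import math
import re

# Constructed sample in the style of decompiled Android code. The string
# literals are made up for this example; the last one is arbitrary bytes
# standing in for a value that is still encrypted after Base64 decoding.
SAMPLE_SOURCE = '''
const-string v0, "Q29ubmVjdGlvbiBmYWlsZWQ="
const-string v1, "aHR0cHM6Ly9leGFtcGxlLmludmFsaWQvY2hlY2tpbg=="
const-string v2, "lB8/qw2K5cVh7ZtYpJ3nRmXsUoDgAbC1FeIiHkNvTxQzLy4w"
const-string v3, "Hello"
const-string v4, "AAAA"
'''

# Quoted tokens made only of Base64 alphabet characters, at least 12 long,
# so short ordinary words such as "Hello" are ignored.
B64_TOKEN = re.compile(r'"([A-Za-z0-9+/]{12,}={0,2})"')

# Assumed threshold (bits per byte): above this a decoded blob is treated as
# likely ciphertext or compressed data rather than structured binary.
HIGH_ENTROPY = 4.0


def shannon_entropy(data: bytes) -> float:
    """Bits of entropy per byte of data (0.0 for empty or constant input)."""
    if not data:
        return 0.0
    counts = {}
    for b in data:
        counts[b] = counts.get(b, 0) + 1
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def classify(decoded: bytes) -> str:
    """Label decoded bytes as readable text, high-entropy data or other binary."""
    printable = all(32 <= b < 127 or b in (9, 10, 13) for b in decoded)
    if printable:
        return "plaintext"
    if shannon_entropy(decoded) > HIGH_ENTROPY:
        return "high-entropy"
    return "binary"


def triage_strings(source: str) -> list:
    """Find Base64-looking literals, decode them and report what each looks like."""
    results = []
    for match in B64_TOKEN.finditer(source):
        token = match.group(1)
        try:
            decoded = base64.b64decode(token, validate=True)
        except (binascii.Error, ValueError):
            continue  # not really Base64 (bad length or padding)
        kind = classify(decoded)
        results.append({
            "token": token,
            "kind": kind,
            "entropy": round(shannon_entropy(decoded), 2),
            "plaintext": decoded.decode("ascii") if kind == "plaintext" else None,
        })
    return results


if __name__ == "__main__":
    for item in triage_strings(SAMPLE_SOURCE):
        print(f'{item["kind"]:13} entropy={item["entropy"]:4}  {item["plaintext"] or item["token"]}')
```

Tokens that decode to plaintext are immediately useful (URLs, messages, package names); the high-entropy ones are the candidates to feed through the decryption functions recovered from the APK, which is the work Figure 5 illustrates.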
C&C communication and full control of the victim’s device
During operation, the malware hides its presence by removing its icon from the app drawer. It then decrypts a list of hardcoded C&C address providers from the configuration file and contacts each of them to obtain the real C&C IP address, a technique known as fallback channels.
Figure 5: Example of hardcoded functions used by malware to decrypt the obfuscated content.
All of the communication is done via the HTTP/HTTPS protocol with the C&C server. Figure 6 shows the remote back office used by criminals to access the victim’s details exfiltrated during the malware infection.
Figure 6: Control Panel used by Ghimob for listing infected victims (source).
Ghimob does not record the screen via the Media Projection API like other malware of this nature. Instead, this Trojan sends accessibility-related information from the currently active window, as shown below in the output of the “301” command returned from the C2.
Figure 7: Exfiltrated Information by Ghimob and sent to the C&C server.
With this technique in place, criminals can periodically send large amounts of information while consuming less bandwidth than a real-time screen recording would.
Criminals continue to improve their malware code in order to bypass detection mechanisms and target the maximum number of possible victims around the world. From this point of view, user education against this type of threat should be seen as the best way to prevent malware infections and keep users on alert.
Some measures to reduce the risk of this kind of malware include:
- Only download apps from official stores
- Do not click on suspicious links from untrusted emails
- Think before executing something unfamiliar
For instance, when the malicious APK of Ghimob is installed on the target device, the app requests some permissions:
In this way, you should always check whether the application actually needs the permissions it requests, and verify that the banking application you are using is the official app from your bank and the same one available on the Google Play store.
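To make the permission check above concrete, the script below audits an Android manifest for the capabilities this article associates with Ghimob: an accessibility service, screen overlays, persistence across reboots and the debuggable flag. It is an added example, not code from the article or from Kaspersky; the manifest is constructed for illustration (the package name and service name are invented), and the list of permissions treated as risky is this example's own selection.

```python
import xml.etree.ElementTree as ET

# The android: attribute namespace used in every AndroidManifest.xml.
ANDROID_NS = "http://schemas.android.com/apk/res/android"
A = "{%s}" % ANDROID_NS

# Constructed manifest for a fake "installer" app; not Ghimob's real manifest.
SAMPLE_MANIFEST = """
<manifest xmlns:android="http://schemas.android.com/apk/res/android"
          package="com.example.fakeinstaller">
    <uses-permission android:name="android.permission.INTERNET"/>
    <uses-permission android:name="android.permission.SYSTEM_ALERT_WINDOW"/>
    <uses-permission android:name="android.permission.RECEIVE_BOOT_COMPLETED"/>
    <uses-permission android:name="android.permission.READ_SMS"/>
    <application android:label="Reader Installer" android:debuggable="true">
        <service android:name=".WatcherService"
                 android:permission="android.permission.BIND_ACCESSIBILITY_SERVICE">
            <intent-filter>
                <action android:name="android.accessibilityservice.AccessibilityService"/>
            </intent-filter>
        </service>
    </application>
</manifest>
"""

# Permissions that a document reader or installer has no business requesting,
# with the capability each one grants (selection made for this example).
RISKY_PERMISSIONS = {
    "android.permission.SYSTEM_ALERT_WINDOW": "can draw overlays on top of other apps",
    "android.permission.RECEIVE_BOOT_COMPLETED": "restarts itself after reboot (persistence)",
    "android.permission.READ_SMS": "can read SMS, including one-time codes",
    "android.permission.REQUEST_INSTALL_PACKAGES": "can install further packages",
}

ACCESSIBILITY_BIND = "android.permission.BIND_ACCESSIBILITY_SERVICE"


def audit_manifest(xml_text: str) -> dict:
    """Return the package name, requested permissions and a list of findings."""
    root = ET.fromstring(xml_text)
    findings = []

    requested = [e.get(A + "name") for e in root.iter("uses-permission")]
    for perm in requested:
        if perm in RISKY_PERMISSIONS:
            findings.append(f"{perm}: {RISKY_PERMISSIONS[perm]}")

    # A service guarded by BIND_ACCESSIBILITY_SERVICE is an accessibility
    # service: once the user enables it, the app can read and act on the screen.
    for svc in root.iter("service"):
        if svc.get(A + "permission") == ACCESSIBILITY_BIND:
            findings.append(f"accessibility service declared: {svc.get(A + 'name')}")

    app = root.find("application")
    if app is not None and app.get(A + "debuggable") == "true":
        findings.append("application is debuggable (unusual for a released app)")

    return {"package": root.get("package"), "permissions": requested, "findings": findings}


if __name__ == "__main__":
    report = audit_manifest(SAMPLE_MANIFEST)
    print("package:", report["package"])
    for line in report["findings"]:
        print(" -", line)
```

The manifest inside a real APK is in binary XML; tools such as apktool or aapt produce the text form this script expects. None of the findings proves an app is malicious on its own, but an "installer" that declares an accessibility service and overlay permission matches exactly the behaviour described earlier in this article and deserves to be uninstalled before it is ever enabled.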
Ghimob analysis, Kaspersky
Ghimob news, ThreatPost