SonicWall Security Center


Android Mazarbot spreads via phishing pages for Raiffeisen Bank (Sep 15, 2017)



Description


The SonicWall Capture Labs Threat Research team observed yet another Android malware campaign targeting a bank, this time Raiffeisen Bank. The campaign uses the Android banking trojan MazarBot, which first appeared in 2016, to infect the victim's device. The malware can execute a number of hard-coded commands, all focused on stealing the victim's personal information.

Infection Cycle - Stage I

The victim receives a spam email that leads to a fake page asking for their Raiffeisen online banking login credentials. If the user trusts the fake page and enters the credentials, they are sent to the attacker. The next page then asks the victim to install an Android "security app" for Raiffeisen, which is in fact MazarBot in disguise. The app was hosted at the following URL, which has since been taken down:

hxxp://banking.raiffeisen.at.updateid0891203.pw/download.php
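Note that the bank's real domain (raiffeisen.at) appears in this URL only as a subdomain prefix; the registrable domain is updateid0891203.pw. The following is an added example (not SonicWall's or the malware's code) of a check that catches this pattern. The trusted-domain set is an assumption for the example, and the phishing URL is the one quoted above.

```python
"""Flag URLs whose hostname merely embeds a bank's domain as a subdomain prefix.

Example added to this write-up (not SonicWall's or the malware's code).  The
trusted-domain set is an assumption for the example."""
from urllib.parse import urlsplit

# Registrable domains considered legitimate for the brand (assumption).
TRUSTED_DOMAINS = {"raiffeisen.at"}


def registrable_domain(hostname: str) -> str:
    """Crude eTLD+1: the last two labels.  Adequate for .at/.pw; production
    code should consult the Public Suffix List (e.g. the tldextract package)."""
    labels = hostname.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])


def classify_url(url: str) -> str:
    """Return 'trusted', 'lookalike' or 'unrelated' for the URL's hostname."""
    # Accept defanged 'hxxp(s)' schemes as they appear in threat reports.
    url = url.replace("hxxp", "http", 1)
    host = (urlsplit(url).hostname or "").lower()
    reg = registrable_domain(host)
    if reg in TRUSTED_DOMAINS:
        return "trusted"
    brand_labels = {d.split(".")[0] for d in TRUSTED_DOMAINS}  # e.g. "raiffeisen"
    # A trusted brand anywhere to the left of a foreign registrable domain
    # (banking.raiffeisen.at.updateid0891203.pw) is the classic trick.
    if any(brand in label for label in host.split(".") for brand in brand_labels):
        return "lookalike"
    return "unrelated"


if __name__ == "__main__":
    for u in ("hxxp://banking.raiffeisen.at.updateid0891203.pw/download.php",
              "https://banking.raiffeisen.at/login",
              "https://raiffeisen-login.com/"):
        print(classify_url(u), u)
```

The same check also flags hyphenated brand lookalikes (raiffeisen-login.com), which the last-two-labels heuristic alone would miss; for multi-label public suffixes such as .co.uk, swap registrable_domain() for a Public Suffix List lookup.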

Infection Cycle - Stage II

The malware app requests the following permissions at installation:
  • change network state
  • uses policy force lock
  • bluetooth
  • internet
  • access fine location
  • send sms
  • write sms
  • access network state
  • write external storage
  • get package size
  • read external storage
  • receive boot completed
  • vibrate
  • call phone
  • write settings
  • read phone state
  • read sms
  • battery stats
  • access wifi state
  • wake lock
  • change wifi state
  • receive sms
  • read contacts
  • use sip
Upon execution the malware requests Device Administrator privileges, which the force-lock policy it declares depends on.

We analyzed a couple of malicious samples belonging to this campaign; the code in each follows a different layout. However, every sample shares a common trait: the code is hard to follow because of meaningless, jumbled class and variable names.

There are a number of hardcoded commands in these samples. In one such sample the malware disguises these commands by appending the string **83Y** to each one before it is passed to the decoding routine.

De-obfuscating this part of the code reveals a number of hardcoded strings indicating that this malware follows a bot structure. Several of them are Android API method names (createFromPdu, getMessageBody, getSimOperatorName, getNetworkOperatorName), which suggests the sample resolves those calls by reflection so that they do not show up in a plain listing. Some of the interesting findings are as follows:

Generic bot response:
  • aT = a("Bot is not able to run that command");

Grab device related information:
  • bc = a("get_packages");
  • bd = a("get_device_model");
  • be = a("get_os_ver");
  • bf = a("get_number");
  • bg = a("get_operator");
  • bh = a("get_imei");
  • bi = a("get_country");
  • bj = a("get_contacts");
  • bk = a("get_language");
  • dj = a("imei");
  • dl = a("getSimOperatorName");
  • dm = a("getNetworkOperatorName");

Capture credit card related information:
  • bn = a("mastercard");
  • bo = a("visa");
  • bp = a("amex");
  • bq = a("Incorrect credit card number");
  • cf = a("send_card_number");
  • cg = a("number");
  • ch = a("month");
  • ci = a("year");
  • cj = a("cvc");

Monitor specific apps:
  • ck = a("com.paypal.android.p2pmobile"); - PayPal
  • cl = a("com.android.vending"); - Google Play

Capture SMS messages:
  • cV = a("base_sms_intercept");
  • cW = a("createFromPdu");
  • cX = a("processIncomingMessages");
  • dk = a("getMessageBody");

Upload contacts and injection-related strings:
  • cS = a("UploadContactsRequest");
  • cT = a("inject_id");
  • cU = a("body");

Check whether the malware is running in an emulator or under a debugger (the method name is split into "isDeb" and "ugger" so it does not appear whole; eE is a regular expression matched against the network operator name):
  • es = a("isDeb");
  • et = a("generic");
  • eu = a("unknown");
  • ev = a("google_sdk");
  • ew = a("Emulator");
  • ex = a("Android SDK built for x86");
  • ey = a("Genymotion");
  • ez = a("sdk");
  • eA = a("sdk_x86");
  • eB = a("vbox86p");
  • eC = a("golfdish");
  • eD = a("ranchu");
  • eE = a("android|emergency calls only|fakecarrier");
  • eF = a("Debug");
  • eG = a("ugger");

Screen lock command (backed by the force-lock device administrator policy requested above):
  • bB = a("screen_lock");
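The emulator and debugger strings above matter to anyone trying to detonate the sample in a sandbox: if any of them match the analysis device, the bot refuses to run. The following is an added example (not code from the sample or from SonicWall) that re-implements those checks from the recovered strings so an analyst can test a device profile before detonation. The sample does not show which android.os.Build field each string is compared with, so the example checks every field it is given (an assumption); the two device profiles are constructed for the example.

```python
"""Emulator/debugger fingerprint checks reconstructed from the strings above.

Example added to this write-up, not code from the sample.  Which Build field
each indicator is compared against is an assumption; device profiles below are
constructed for the example."""
import re

# Indicator strings exactly as recovered from the sample (et..eD).
BUILD_INDICATORS = [
    "generic", "unknown", "google_sdk", "Emulator", "Android SDK built for x86",
    "Genymotion", "sdk", "sdk_x86", "vbox86p", "golfdish", "ranchu",
]
# eE: matched against TelephonyManager.getNetworkOperatorName().
OPERATOR_RE = re.compile("android|emergency calls only|fakecarrier", re.IGNORECASE)


def emulator_indicators(build: dict, operator_name: str, debugger_attached: bool) -> dict:
    """Map each source ('Build.MODEL', 'operator', 'debugger') to the indicators it tripped."""
    hits = {}
    for field, value in build.items():
        matched = [ind for ind in BUILD_INDICATORS if ind.lower() in str(value).lower()]
        if matched:
            hits[f"Build.{field}"] = matched
    if OPERATOR_RE.search(operator_name):
        hits["operator"] = [OPERATOR_RE.pattern]
    if debugger_attached:  # android.os.Debug.isDebuggerConnected(), i.e. "isDeb" + "ugger"
        hits["debugger"] = ["isDebuggerConnected"]
    return hits


def bot_would_run(build: dict, operator_name: str, debugger_attached: bool = False) -> bool:
    """True when none of the sample's anti-analysis checks would fire."""
    return not emulator_indicators(build, operator_name, debugger_attached)


# Constructed profiles: a stock AVD image and a physical handset.
STOCK_EMULATOR = {"MODEL": "Android SDK built for x86", "HARDWARE": "ranchu",
                  "BRAND": "generic", "PRODUCT": "sdk_gphone_x86"}
PHYSICAL_PHONE = {"MODEL": "Pixel 2", "HARDWARE": "walleye",
                  "BRAND": "google", "PRODUCT": "walleye"}

if __name__ == "__main__":
    for name, build, op in (("stock emulator", STOCK_EMULATOR, "Android"),
                            ("physical phone", PHYSICAL_PHONE, "A1")):
        verdict = "runs" if bot_would_run(build, op) else "refuses"
        print(f"{name}: bot {verdict}; indicators = {emulator_indicators(build, op, False)}")
```

To get the sample to run in an emulator, every field reported by emulator_indicators() has to be patched (Build properties, the operator name returned to the app, and no attached debugger); the short indicator "sdk" means that a product name containing that substring anywhere is enough to trip the check.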

Overall, this campaign uses phishing pages for Raiffeisen Bank to spread its infection. It focuses on stealing sensitive user information stored on the infected device. It is likely that the same campaign is also spread via phishing pages impersonating other banks and institutions.

The SonicWall Capture Labs Threat Research team provides protection against this threat via the following signatures:
  • GAV: AndroidOS.Banker.RF (Trojan)
  • GAV: AndroidOS.Banker.TN (Trojan)



© 2017 SonicWall