Recently, researchers from the Czech Technical University, UNCOYO University based in Argentina and Avast Security have found an Android botnet named Geost by collaborating in on the investigations and have presented it at the Virus Bulletin 2019 conference held in London.
It was uncovered initially when its traffic was captured by a HtBot Malware on the server. The malware in question was being used to access millions of Euros in bank accounts based in Eastern Europe & Russia compromising more than 800,000 victims.
The connection between Geost and HtBot (Image credit: Avast)
The botnet was basically composed of numerous Android phones which were were infected by getting them to download malicious applications that had been uploaded by attackers on third-party Android stores.
Using access to text messages on these phones, the malware took advantage of a common practice of Russian banks to send users plaintext passwords via SMS.
In cases where this technique did not work, other methods such as the apps asking for login credentials were used.
With the help of 13 command and control servers, over 140 domains and over 140 APKs at its disposals, things were going pretty well for them – since 2016 – until the group members started making basic mistakes.
These were those that you could reasonably expect from newbies but our cybercriminals here didn’t fail to disappoint either.
Among these, they trusted a malicious proxy network, used their command and control server along with chatting without encryption and kept on using the same services lest caring to cover their tracks.
One such chat session on Skype when accessed gave insight into the workings and the mindset of the group going along the lines of:
Member 1: “Alexander, really, if we started together we need to finish it. Because for now this is working and we can earn money.”
Member 2:”I thought about it, and I’m not in.”
Member 1: “Understand, ok. Shame. If you change your mind write to me.”
According to Avast,
“These involved more than 6,200 lines, covering eight months of chats, and showed the private conversations of 29 people involved in different operations.”
The takeaway from this is best summed up by realizing that not all malware has to be complex and neither do hackers always have to be boxed up in super security facilities typing away on a green screen. Sometimes, to achieve the short term goal of earning quick cash, necessary security protocols are not followed resulting in such incidents.
Our advice remains the same as for the majority of such cases, if users avoid downloading applications and other files from untrusted sources, they wouldn’t be prey to any such malware inlet.
Propagation and Reach
The Geost botnet consists of infected Android phones, which are victimized by the botnet via malicious, fake applications. These include fake banking apps and fake social networks. Once infected the phones connect to the botnet and are remotely controlled.
“The usual actions of the attackers seem to be accessing the SMS, sending SMS, communicating with banks, and redirect the traffic of the phone to different sites,” explained the team. “The botmasters also access a great deal of personal information from the user.”
Following the infection, the C2 stores the complete list of SMS messages of all the victims starting with the moment the device becomes infected.
In terms of its infrastructure, Geost is quite complex. “The Geost botnet proved to have hundreds of malicious domains generated by a DGA algorithm, at least 13 C2 IP addresses in six countries, at least 800,000 victims in Russia, and access to several million Euros in the bank accounts of the victims,” the team noted in its paper. “We could see the screens of the C2 servers, lists of victims and SMSs of the victims. The botnet could directly connect to the top five banks in Russia to operate, and deployed more than 200 Android APKs to fake dozens of applications.”
The research team has contacted the five affected Russian banks and are working with them to shut down the campaign.
One is one of the top five providers of credit cards in Russia. The second bank is one of the largest private commercial banks in that country. The third is one of the three largest banks in Russia and Eastern Europe and the fourth bank is one of the 500 largest organizations in Europe. A fifth is part of a large group of cooperatives with subsidiaries in more than 15 countries.
“The fact that only five banks were listed suggests that there is a special type of action that can only happen with those banks,” according to the research. “It may seem as if the malware APKs or the C&C code could access and make transfers in accounts of those banks, but this hypothesis was not proven.”