Gigabud malware

Banking Malware Gigabud RAT targets various countries


Customers of multiple financial institutions in Thailand, Indonesia, Vietnam, the Philippines, and Peru are being targeted by an Android banking malware named Gigabud RAT.

One distinctive aspect of Gigabud RAT is that it performs no malicious actions until a fraudster has authorized the victim into the malicious app. Because an unauthorized install looks inert, this delay makes sandbox and behavioral detection harder, as Group-IB researchers Pavel Naumov and Artem Grischenko highlighted.

“Unlike HTML overlay attacks, Gigabud RAT relies mainly on screen recording to collect sensitive information.”

What do we already know about Gigabud?

Gigabud RAT came into focus in January 2023, when Cyble first documented it masquerading as bank and government apps to steal sensitive data. Its presence in the wild dates back to at least July 2022.

More versions to be aware of

A second variant, named Gigabud.Loan, was identified by the Singapore-based company. It poses as a loan application that offers a low-interest loan, and it harvests whatever the victim types into the fake application form. Victims are deceived into sharing personal information during what they believe is a normal loan application process.

Mode of action

Phishing websites are the primary distribution method for both malware versions.

  • Links to the sites are sent via SMS or social media messages. Gigabud.Loan is also distributed directly as APK files attached to WhatsApp messages.
  • Victims approached on social media are often lured to these sites with the promise of a tax audit or tax refund process.

How do they get past Android's install restrictions?

Android blocks installation from unknown sources by default, but since Android 8 this is a per-app setting ("Install unknown apps", backed by the REQUEST_INSTALL_PACKAGES permission) rather than a single global switch. Apps such as web browsers and messaging apps routinely request and are granted this capability, so a link opened in the browser or an APK received in a chat can be installed through them, sidestepping the default restriction.

What damages can you expect?

Gigabud RAT behaves like other Android banking trojans: it asks the victim to enable it as an accessibility service, which lets it capture the screen and log keystrokes. It can also read and manipulate clipboard data and perform remote, automated fund transfers on the victim's device.

[Figure: malware abusing the Accessibility service to start the screen recording feature]
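Both of the capabilities described above (an app allowed to install other apps, and an app enabled as an accessibility service) are visible in device settings, so they can be triaged from an adb session. The script below is an added example, not code from Group-IB's report or from PureVPN: it parses constructed samples of the output of `adb shell settings get secure enabled_accessibility_services` and `adb shell appops get <package> REQUEST_INSTALL_PACKAGES` and flags every package that holds either capability without being on an allowlist. The allowlists, the `com.example.*` package names, and the exact line shape of the appops output are assumptions made for the example.

```python
"""Triage the two Android settings a Gigabud-style dropper and RAT depend on.

Added example, not code from the Group-IB report or from PureVPN. The two
inputs are constructed to look like the output of these adb commands; on a
real device, feed the real output in instead:

    adb shell settings get secure enabled_accessibility_services
    adb shell appops get <package> REQUEST_INSTALL_PACKAGES
"""
import re

INSTALL_OP = "REQUEST_INSTALL_PACKAGES"

# Assumed allowlists (a managed fleet would take these from MDM policy).
TRUSTED_ACCESSIBILITY = {"com.google.android.marvin.talkback"}
TRUSTED_INSTALLERS = {"com.android.vending"}  # Google Play only

# Constructed sample: a colon-separated list of ComponentName strings
# ("package/class"); the com.example.* packages are invented placeholders.
SAMPLE_ACCESSIBILITY_SETTING = (
    "com.google.android.marvin.talkback/com.google.android.marvin.talkback.TalkBackService:"
    "com.example.rogue/.SvcAccessibility"
)

# Constructed sample: appops output per package. The "<OP>: <mode>; ..." line
# shape and the "No operations." reply are assumptions about the appops CLI.
SAMPLE_APPOPS = {
    "com.android.vending": "REQUEST_INSTALL_PACKAGES: allow; time=+12d3h ago",
    "com.example.messenger": "REQUEST_INSTALL_PACKAGES: allow; time=+2h15m ago",
    "com.example.browser": "REQUEST_INSTALL_PACKAGES: deny; time=+40d ago",
    "com.example.notes": "No operations.",
}

_APPOPS_LINE = re.compile(
    r"^(?P<op>[A-Z_]+):\s*(?P<mode>allow|deny|ignore|default|foreground)\b",
    re.MULTILINE,
)


def parse_accessibility_services(setting: str) -> list[tuple[str, str]]:
    """Split the setting into (package, service class) pairs.

    A class that starts with "." is relative to its package, the same shorthand
    AndroidManifest.xml uses, so expand it to the fully qualified name.
    """
    services = []
    for entry in setting.strip().split(":"):
        if "/" not in entry:
            continue
        pkg, cls = entry.split("/", 1)
        if cls.startswith("."):
            cls = pkg + cls
        services.append((pkg, cls))
    return services


def flag_accessibility(setting: str, trusted: set[str]) -> list[str]:
    """Packages with an enabled accessibility service that are not allowlisted.

    Any such package can read screen content, inject input and observe
    keystrokes, which is exactly the capability Gigabud RAT abuses.
    """
    return sorted({pkg for pkg, _ in parse_accessibility_services(setting)
                   if pkg not in trusted})


def parse_appops_mode(output: str, op: str = INSTALL_OP) -> str:
    """Return the mode appops reports for `op`, or "default" if it is unset."""
    for match in _APPOPS_LINE.finditer(output):
        if match.group("op") == op:
            return match.group("mode")
    return "default"


def flag_sideloaders(appops_by_pkg: dict[str, str], trusted: set[str]) -> list[str]:
    """Packages allowed to install other apps ("Install unknown apps" enabled)
    that are not allowlisted: the path a phishing page uses to drop its APK."""
    return sorted(pkg for pkg, out in appops_by_pkg.items()
                  if parse_appops_mode(out) == "allow" and pkg not in trusted)


def triage(setting: str = SAMPLE_ACCESSIBILITY_SETTING,
           appops_by_pkg: dict[str, str] = SAMPLE_APPOPS) -> dict[str, list[str]]:
    """Combine both checks into one report."""
    return {
        "untrusted_accessibility_services": flag_accessibility(setting, TRUSTED_ACCESSIBILITY),
        "untrusted_sideload_capable_apps": flag_sideloaders(appops_by_pkg, TRUSTED_INSTALLERS),
    }


if __name__ == "__main__":
    for check, packages in triage().items():
        print(f"{check}: {', '.join(packages) or 'none'}")
```

On the constructed samples the report names `com.example.rogue` as an unexpected accessibility service and `com.example.messenger` as an app that can sideload APKs; a browser whose "Install unknown apps" toggle is off is not flagged. A hit in either list is a reason to look at the package, not proof of infection: legitimate messengers and browsers end up in the second list whenever a user has turned the toggle on.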

In contrast, Gigabud.Loan aims to gather personal information like full name, identity details, photos of identification documents, digital signatures, education, income, bank card data, and phone numbers, posing as a loan application.

Cyber threats through mobile apps are the new trend

This discovery follows the identification of 43 rogue apps on the Google Play Store that loaded ads while the device's screen was off. The apps had a combined 2.5 million downloads and have since been removed from Google Play or updated by their developers to strip out the ad fraud component.

McAfee noted that the adware requested to be excluded from battery-saving measures and to draw over other apps (the "display over other apps" permission), which keeps it running in the background and lets it place content on top of whatever the user is looking at, opening the door to further abuse such as background ad loading and phishing pages.

The ad fraud library used by these apps employed delay tactics to avoid detection during review, and its behavior could be remotely modified by the operators through Firebase Cloud Messaging.

The timing coincides with a warning from the U.S. FBI about scammers pretending to be recovery and tracing companies, targeting victims of cryptocurrency investment scams. These fraudsters request upfront fees and may disappear or provide incomplete reports.

Additionally, cybercriminals are embedding malicious code in mobile beta-testing apps posing as legitimate cryptocurrency investment apps to steal personal and financial data.

These criminals use phishing or romance scams to establish communication and encourage victims to download pre-release versions of apps. The victims unknowingly send funds to criminals instead of investing in cryptocurrencies. Sophos had previously highlighted the misuse of Apple’s TestFlight beta testing framework for similar scams.

The slogan of the day: we must also be stakeholders in our own security, with the Malware Mitigation program

The Malware Mitigation program, run under the App Defense Alliance, brings together Google, ESET, Lookout, McAfee, Trend Micro, and Zimperium. The purpose of this collaboration is to enhance the safety of Google Play. The collective goal is to swiftly identify Potentially Harmful Applications (PHAs) and prevent their entry into Google Play.

Under this program, Google Play Protect's detection systems engage directly with the scanning engines of each partner. This generates fresh insights into app risks while apps are still queued for publication.

The Malware Mitigation initiative establishes secure two-way communication between Google and partners, enabling prompt sharing of threat information and new samples as they emerge. As a result, PHAs can be detected and mitigated early.

The transparent exchange between Google Play Protect and its partners is beneficial for all parties involved, particularly for safeguarding Android users. But as threats keep evolving, there must also be plain-language guidance for ordinary users about the emerging threats.

Author: PureVPN

Published: August 16, 2023
