The operators of Gustuff Android banking trojan have launched an Instagram-initiated campaign featuring an updated version of the malware with a host of new capabilities. The new operation was spotted by Cisco Talos’ researchers at the beginning of October. The team first reported on Gustuff in April and soon after its operators changed distribution hosts and then moved to disable the command and control (C&C) infrastructure, but continued to control the malware via a secondary administration channel based on SMS.
The threat actor uses Instagram posts to trick users into downloading and installing the malware. Just as before, the Gustuff trojan mainly targets Australian banks and digital currency wallets in order to steal credentials and financial data, and it uses malicious SMS messages to propagate to other devices.
The first version of Gustuff was based on the Marcher banking trojan, but the new variant has lost some of its similarities, the researchers say. As in previous versions, the updated Gustuff trojan continues to leverage targets of little interest to send propagation SMS messages — each such target sends around 300 SMS messages per hour. One of Gustuff’s new capabilities is support for dynamic loading of WebViews, meaning it can receive a command to create a WebView targeting specific domains while fetching the necessary injections from a remote server.
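As an added example, not from the Talos report, of how a defender might operationalise the propagation figure above: the Python snippet below flags devices whose outbound-SMS count in any sliding one-hour window exceeds a threshold. The telemetry, device names and the threshold of 100 are constructed or assumed for illustration.

```python
from collections import deque
from datetime import datetime, timedelta

# Constructed sample of outbound-SMS telemetry as (device_id, ISO timestamp).
# "dev-A" is a normal user sending three messages; "dev-B" behaves like an
# infected handset pushing propagation SMS at ~300 per hour (one every 12 s).
SAMPLE_EVENTS = (
    [("dev-A", f"2019-10-01T09:{m:02d}:00") for m in (0, 17, 42)]
    + [("dev-B", (datetime(2019, 10, 1, 9, 0) + timedelta(seconds=12 * i)).isoformat())
       for i in range(300)]
)

def flag_sms_bursts(events, threshold=100, window=timedelta(hours=1)):
    """Return {device_id: peak_count} for every device whose outbound SMS
    count inside any sliding `window` exceeds `threshold`.
    `threshold` is an assumed tuning value chosen well below the reported
    ~300/hour so that a partial window still triggers."""
    by_device = {}
    for device, ts in sorted(events, key=lambda e: e[1]):
        by_device.setdefault(device, []).append(datetime.fromisoformat(ts))
    flagged = {}
    for device, times in by_device.items():
        window_q = deque()   # timestamps currently inside the sliding window
        peak = 0
        for t in times:
            window_q.append(t)
            while t - window_q[0] > window:   # evict events older than the window
                window_q.popleft()
            peak = max(peak, len(window_q))
        if peak > threshold:
            flagged[device] = peak
    return flagged

if __name__ == "__main__":
    print(flag_sms_bursts(SAMPLE_EVENTS))   # {'dev-B': 300}
```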
During their investigation the researchers observed a command from one of the C&C infrastructure servers to target the Australian Government Portal that hosts several public services, such as taxes and social security. The command was issued before the local injections were loaded (using the changearchive command).
“This represents a change for the actor, who now appears to be targeting credentials used on the official Australian government's web portal,” the report points out. “This new version of Gustuff seems to be another step in its planned evolution. This malware is still deployed using the same packer, but there are several changes in the activity cycle, which take advantage of functionalities which either were already there or were being prepared. One of the changes in the behaviour is the state persistency across installations.”
The list of targeted applications, as well as the list of anti-virus/anti-malware software that the Trojan attempts to block, is provided during the activation cycle.
“During the activation cycle, the malware now asks the user to update their credit card information. The difference is that it does not immediately show a panel for the user to provide the information. Instead, it will wait for the user to do it and — leveraging the Android Accessibility API — will harvest it,” the team explains.
Yet another addition to the trojan’s functionality is a secondary command execution control. Each command is issued with a unique ID, which Gustuff then uses to report on the command’s execution state, allowing the attacker to track how far each command has progressed.
Gustuff’s interaction with the device was also modified: the commands related to the SOCKS server/proxy, along with the code supporting those operations, were removed. These commands had allowed the attackers to interactively perform actions on the banking applications; that functionality is now provided by the ‘interactive’ command, which leverages the Accessibility API to interact with the UI of the banking apps.
“This is an evolving threat, and the actor behind it seems to want to press on, no matter the level of coverage this campaign gets. Instead, they changed the malware code to have a lower detection footprint on static analysis, especially after being unpacked. Although there are no changes in the way it conducts the campaign, Gustuff still changed the way it uses the malware to perform its fraudulent activities. The main target continues to be banking and cryptocurrency wallets. However, based on the apps list and code changes, it is safe to assume that the actor behind it is looking for other uses of the malware,” Cisco Talos concludes.