A new botnet, dubbed “SharkBot,” is targeting Italy, the U.K., and the U.S., including banking applications and cryptocurrency exchanges.
The Cleafy TIR team discovered the Android banking Trojan in October 2021. The botnet uses the ATS (Automatic Transfer System) technique to initiate money transfer from infected devices and evade multi-factor authentication.
“Once SharkBot is successfully installed in the victim’s device, attackers can obtain sensitive banking information through the abuse of Accessibility Services, such as credentials, personal information, current balance, etc., but also to perform gestures on the infected device,” the researchers at Cleafy said.
SharkBot has a very low detection rate due to the implementation of string obfuscation routine, emulator detection, and a domain generation algorithm (DGA) for its network communication. It executes an Overlay attack to filch login credentials and credit card information. The Trojan also has the potential to intercept legitimate banking communications sent through SMS.
The malware for SharkBot has been written from scratch and is anticipated to be at an early stage of development.
SharkBot Explained
Per Cleafy, the ATS technique has recently been noticed in other banking Trojans, such as Gustuff, which enables attackers to auto-fill fields in legitimate mobile banking apps and initiate money transfers from compromised devices.
“Contrary to TeaBot and Oscorp/UBEL where a live operator is required to insert and authorize a money transfer, with ATS technique threat actors can scale up their operations with minimum user intervention. We assume that SharkBot is trying to bypass behavioral detection countermeasures (e.g., biometrics) put in place by multiple banks and financial services with the abuse of Android Accessibility Services, also bypassing the need of a “new device enrollment,” said Cleafy.
SharkBot’s Features
- Perform classic Overlay Attacks against multiple applications to steal login credentials and credit card information
- Intercept/hide SMS messages
- Enable key-logging functionalities
- Obtain full remote control of an Android device (via Accessibility Services)
The malicious app is installed on the user’s device using the side-loading technique and social engineering schemes. The application also apes icons and commonly used app names of banking applications. After a successful installation, the Trojan activates fake pop-ups like “Allow Media Player” to take complete control of the device.
How SharkBot Evades Detection
- Strings obfuscation: To slow down the static analysis and “hide” all the commands and important information used by the malware.
- Anti-Emulator: When the malicious application is installed on the device, it checks if the device is an emulator or a real phone. This technique is usually used to bypass sandboxes or common emulators used by researchers during the dynamic analysis.
- External ATS module: Once installed, the malware downloads an additional module from the C2. The external module is a “.jar” file that contains all the functionality used to perform the ATS attacks.
- Hide the icon app: Once installed, SharkBot hides the icon of the app from the device screen.
- Anti-delete: Like other malware, SharkBot uses Accessibility Services to avoid that the user uninstalling the malicious application from the settings options.
- Encrypted communication: All the communication between the malware and C2 is encrypted and encoded with Base64. In addition to this, SharkBot uses a Domain Generator Algorithm (DGA).
Automatic Transfer System
Recently Emotet, a banking-trojan-turned-botnet, was in the news for resurfacing after a hiatus of 10 months. Another version which was spotted in 2014, also used the ATS technique to rob victims’ bank accounts. The version then had a modular structure, including an installation module, banking module, spam bot module, a module for stealing address books from Microsoft Outlook, and a module for organizing distributed denial-of-service (DDoS) attacks. Due to its harvesting capability, the technique is popular as it initiates direct financial transfers rather than stealing credentials and then using the stolen data to pilfer.
