Sophisticated Android Malware Strikes Users in Thailand, Philippines, and Peru

Cyble Research & Intelligence Labs (CRIL) discovered a phishing website, hxxp://lionaiothai[.]com, that was impersonating the genuine Thai Airline – Thai Lion Air, and tricking victims into downloading a malicious application.

The downloaded malicious application is a Remote Access Trojan (RAT) which receives commands from the Command and Control (C&C) server and performs various actions. The RAT has advanced features such as screen recording and abusing the Accessibility Service to steal banking credentials.

During our investigation of the RAT, we discovered that the certificate used to sign this malicious application was found in more than 50 similar malicious samples that use the same source code. These samples posed as government agencies, shopping apps, and banking loan applications from Thailand, the Philippines, and Peru.

Since the discovered RAT is a new and unknown variant, we will refer to it as “Gigabud” due to the consistency of the certificate issuer name across all identified malicious applications.

The Gigabud RAT malware has been specifically targeting individuals in Thailand since July 2022, and its spread has been increasing each month to other countries. Despite the growing number of known samples, no antivirus software detected this malware at the time of writing this blog, suggesting that the Threat Actor (TA) behind the RAT successfully stayed under the radar.

Additionally, in July 2022, the Department of Special Investigation (DSI) Thailand issued a warning against the phishing site impersonating the DSI website and spreading the same Android RAT. Later in September 2022, the Thailand Telecommunication Sector Cert (TTC-Cert) discovered the malware “Revenue.apk” associated with the same campaign and issued a technical advisory on its behavior.

After the discovery of the Gigabud RAT by TTC-Cert in September, we observed that the TA began distributing the malware in various countries, such as Peru and the Philippines. The malware disguises itself using the icons of government agencies from these countries to trick victims into giving away sensitive information.

The below figure shows the different icons used by Gigabud RAT.

These malicious applications impersonate below entities:

1. Banco de Comercio – A Peruvian Bank
2. Advice – A IT company from Thailand
3. Thai Lion Air – Thailand Airline
4. Shopee Thailand
5. SUNAT – An organization from Peru
6. DSI – Department of Special Investigation Thailand
7. BIR – Bureau of Internal Revenue Philippine
8. Kasikornbank Thailand

In this analysis, we will look at the sample “BANCO DE COMERCIO.apk” (a940c9c54ff69dacc6771f1ffb3c91ea05f7f08e6aaf46e9802e42f948dfdb66) which is impersonating a medium-scale Peruvian Bank and stealing sensitive information by offering the fake loan service. The in-depth analysis of this malicious sample can be found in the technical analysis section.

Technical Analysis

APK Metadata Information 

• App Name: BANCO DE COMERCIO
• Package Name: com.cloud.loan
• SHA256 Hash: a940c9c54ff69dacc6771f1ffb3c91ea05f7f08e6aaf46e9802e42f948dfdb66

The below figure shows the metadata information of the application. 

Once installed, the malware displays a login screen that prompts users to enter their mobile number and password. The login screen is designed to mimic the user interface of a legitimate bank and uses an icon to deceive the victim into thinking the application is genuine.

The malware sends the entered mobile number and password to the C&C server hxxp://bweri6[.]cc and receives the response code 400 with an error message, as shown in the below figure.

TA behind the Gigabud has implemented a server-side verification process to ensure the mobile number entered during registration is legitimate and to limit malicious activity for invalid users. It could be the reason for the delayed detection of the malware.

During registration, the malware prompts the victim to provide their name and ID number and also allows them to select a bank name from a list received from the Command-and-Control server with the cardholder’s name and number.

Once the victim successfully logs in or registers to the malicious app, Gigabud begins gathering information about the installed applications on the device and then runs a service called “OpenService,” which connects to the Command-and-Control server to receive commands, as illustrated in the figure below.

Once the registration or login is complete, the malware displays a fake loan contract received from the server and then prompts the victim to confirm their information.

It also shows a withdrawal activity, as depicted in the figure below.

Malware does not show any malicious activity until the final stage, where it presents a “Real Name Authentication” page and prompts the victim to press a “click to activate” button to apply for a loan. Once the button is clicked, the malware requests the victim to grant accessibility permissions, including permission for screen recording and screen overlay.

After the victim grants the accessibility permission, the malware starts exploiting it by automatically enabling the screen recording feature. Additionally, the malware requests permission to display over other apps.

Gigabud uses WebSocket connections to send the recorded screen content to a server hxxp://8.219.85[.]91:8888/push-streaming?id=1234.

The malware sends the recorded content every second through the WebSocket connection, as shown in the figure.

The malware connects to the C&C server hxxp://bweri6[.]cc/x/command?token=&width=1080&height=1920 to receive commands and executes various actions such as creating a floating window service, receiving targeted bank details, sending text messages from the infected device, opening targeted application and many other.

The malware receives the “bankName”, “bankImg” and “bank_id” along with action code “15” from the C&C server. The “bankName” is the name of the targeted banking application whose credentials the malware will steal. Upon receiving this command, the malware displays a fake dialog box using the “bankName” and “bankImg” received from the server on top of the targeted banking application and prompts the victim to enter their password.

The entered password by the victim will be sent to the server using the retrofit object.

The below figure shows the endpoints and the stolen data sent to the server.

The malware receives the mobile number, the message text, and the action code “5” from the C&C server to send the text message from an infected device.

The malware also receives the server’s bank card number and action code “29” and sets it to the clipboard. We suspect that the bank card number could be the TA’s account or card number, which can be used to perform on-device fraud.

Conclusion

Our analysis indicates that the Threat Actor has been actively running the campaign since July 2022, mainly targeting victims in Thailand. Later, the campaign expanded to target victims in other countries like Peru and the Philippines. The malware specifically targets genuine victims and conceals its malicious activity from invalid victims. The TA has employed a unique technique to evade detection and sustain the campaign for an extended period.

We also noticed that the Gigabud RAT utilizes screen recording as a primary method for gathering sensitive information instead of using HTML overlay attacks. It also abuses the Accessibility service, like other banking trojans.

The Threat Actor behind the Gigabud is continuously developing new variants of the malware intending to target different countries. New malware variants will likely be discovered in the future, featuring new targets and capabilities.

Our Recommendations

We have listed some essential cybersecurity best practices that create the first line of control against attackers. We recommend that our readers follow the best practices given below:

• Download and install software only from official app stores like Google Play Store or the iOS App Store.
• Use a reputed antivirus and internet security software package on your connected devices, such as PCs, laptops, and mobile devices.
• Never share your Card Details, CVV number, Card PIN, and Net Banking Credentials with an untrusted source.
• Government agencies or other legitimate organizations never ask for a Card PIN or password with other banking information, and avoid sharing such information on any suspicious application.
• Use strong passwords and enforce multi-factor authentication wherever possible.
• Enable biometric security features such as fingerprint or facial recognition for unlocking the mobile device where possible.
• Be wary of opening any links received via SMS or emails delivered to your phone.
• Ensure that Google Play Protect is enabled on Android devices.
• Be careful while enabling any permissions.
• Keep your devices, operating systems, and applications updated.

MITRE ATT&CK® Techniques

Tactic	Technique ID	Technique Name
Initial Access	T1476	Deliver Malicious App via Other Means.
Initial Access	T1444	Masquerade as a Legitimate Application
Discovery	T1418	Application discovery
Collection	T1513	Screen Capture
Credential Access	T1411	Input Prompt
Impact	T1582	SMS Control
Impact	T1510	Clipboard Modification
Command and Control	T1436	Commonly Used Port
Exfiltration	T1567	Exfiltration Over Web Service

Indicators of Compromise (IOCs)

Indicators	Indicator Type	Description
a940c9c54ff69dacc6771f1ffb3c91ea05f7f08e6aaf46e9802e42f948dfdb66	SHA256	Hash of analyzed malicious APK
1012a7627b6b82e3afb87380bbfda515764ce0a6	SHA1	Hash of analyzed malicious APK
ca6aa6c5a7910281a899695e61423079	MD5	Hash of analyzed malicious APK
hxxp://8.219.85[.]91:8888/push-streaming?id=1234	URL	C&C server used to send screen recording content
hxxp://bweri6[.]cc/x/command?token=&width=1080&height=1920	URL	C&C server used to receive commands and send stolen data
ec1e2ff5c72c233f2b5ad538d44059a06b81b5e5da5e2c82897be1ca4539d490	SHA256	Hash of malicious LionAir APK
ea5359c8408cdb4ebb7480704fe06a8e3bfa37c3	SHA1	Hash of malicious LionAir APK
b2429371b530d634b2b86c331515904f	MD5	Hash of malicious LionAir APK
hxxp://lionaiothai[.]com	URL	Malware distribution site
hxxp://cmnb9[.]cc	URL	C&C server used to receive commands and send stolen data