Latest GoatRAT variant implements ATS Framework
Over the last six months, several Android Banking Trojans, including BrasDex, Xenomorph, and PixPirate, have incorporated an Automatic Transfer System (ATS) framework, allowing attackers to conduct unauthorized money transfers on infected devices. Like these sophisticated malware variants, Cyble Research & Intelligence Labs (CRIL) observed a new banking Trojan that utilizes the ATS framework to execute fraudulent transactions.
Recently, CRIL identified a malicious shortened URL hxxps[://]bit[.]ly/nubankmodulo – which redirects users to the GoatRAT URL –hxxps://goatrat[.]com/apks/apk20.apk. This website hosts Android malware, and the downloaded APK file is named “apk20.apk,” which pretends to be associated with a Brazilian bank known as NU bank.
Upon analyzing the malicious APK file, we discovered that the malware uses the certificate “38661ea0b53f278f620a3f2c8db6da8ef8ca890e”, which is also found in other malicious applications related to GoatRAT. Furthermore, the domain hxxps[://]goatrat[.]com, from which the APK is downloaded, serves as the administrative panel for GoatRAT, as depicted below.
GoatRAT was originally created as an Android Remote Administration Tool to seize control of a victim’s device. However, a new version of GoatRAT functions as a Banking Trojan, specifically aimed at Brazilian banks.
Like other types of Banking Trojans, GoatRAT utilizes the Accessibility service to implement an Automatic Transfer System (ATS) framework, which enables the transfer of money from the victim’s account using the PIX key. The PIX key is used to perform the instant payment. This malware currently targets three Brazilian banks: NUBank, Banco Inter, and PagBank.
Technical Analysis
APK Metadata Information
- App Name: Módulo de Segurança
- Package Name: com.goatmw
- SHA256 Hash: 6583a9b6b83738e0bf2a261fc04483e18772da3241e467fdef37a8e27b1869a7
The below figure shows the metadata information of the application.
Once installed, the malware initiates a service named “Server,” which establishes contact with the Command and Control (C&C) server to obtain the PIX Key required to carry out fraudulent transactions. The following image illustrates this process.
The malware requests the victim to allow Accessibility service and overlay permission. Once granted, the malware exploits these permissions to execute Automatic Transfer System (ATS) and creates an overlay on the specific banking application being targeted.
Automated Transfer System (ATS) Implementation
The malware employs a four-step sequence to perform ATS, as illustrated in the accompanying image.
Checking the targeted application’s package name
The malware misuses the Accessibility Service to verify that the name of the active package matches one of the targeted application package names listed below and starts a further infection, as shown in Figure 6.
- br.com.intermedium
- com.nu.production
- br.com.uol.ps.myaccount
Creating an overlay window on a targeted banking application
After identifying the targeted application, the malware creates a fake banking overlay window that appears above the legitimate application, concealing its malicious actions from the victim. The figure below depicts the code used to add an overlay window.
Performing ATS
The malware saves the data related to Accessibility nodes in an iterable variable and utilizes the getText() function to extract text from the targeted application. This enables the malware to covertly enter the amount to transfer and PIX key into the legitimate application without alerting the victim.
Initially, the malware checks for the specific text string “CPF, CNPJ, celular, e-mail ou aleatória”, indicating that the genuine application is anticipating the entry of the PIX key. After detecting this, the malware retrieves the PIX key using the getPIX() function and then inserts it into the designated field, as shown in the figure below.
The malware also attempts to locate the string associated with the transfer amount, which is typically “0,00”. This indicates that the legitimate application is waiting for the amount to be entered.
Subsequently, the malware inserts the value saved in the “money” variable into the designated field.
Lastly, the malware introduces an automatic clicking mechanism for the “Confirm” and “Pay” buttons to complete the instant money transfer. Similar to the previous actions, the malware scans for the text strings “Pagar” and “CONFIRMAR” and then utilizes the performAction() function to execute the clicks automatically, as shown in the below figure.
Removing overlay from the targeted banking application
The malware uses the code in the below figure to remove the overlay window from the top of the target banking application once the money transfer is completed.
The ATS framework mentioned earlier was specifically developed for the “Banco Inter” mobile banking application. Likewise, the malware has incorporated various functions to carry out ATS for other banking applications such as NUBank and PagBank.
Conclusion
There has been a recent increase in the use of Android Banking Trojans that are specifically targeting Brazilian banks that use the PIX instant payment platform. A new version of GoatRAT has been observed that only uses the ATS framework to carry out fraudulent money transactions.
Furthermore, we observed that GoatRAT lacks any other banking Trojan features like the ability to steal authentication codes or incoming SMS messages. Instead, it relies solely on the Accessibility service to execute the ATS framework, which is adequate in itself to conduct fraudulent financial transactions.
This new variant highlights that in the current technological landscape, there is an elevated risk of cyberattacks that do not require multiple permissions or many Banking Trojan functionalities to execute financial fraud.
Our Recommendations
We have listed some essential cybersecurity best practices that create the first line of control against attackers. We recommend that our readers follow the best practices given below:
- Download and install software only from official app stores like Google Play Store or the iOS App Store.
- Use a reputed antivirus and internet security software package on your connected devices, such as PCs, laptops, and mobile devices.
- Never share your Card Details, CVV number, Card PIN, and Net Banking Credentials with an untrusted source.
- Use strong passwords and enforce multi-factor authentication wherever possible.
- Enable biometric security features such as fingerprint or facial recognition for unlocking the mobile device where possible.
- Be wary of opening any links received via SMS or emails delivered to your phone.
- Ensure that Google Play Protect is enabled on Android devices.
- Be careful while enabling any permissions.
- Keep your devices, operating systems, and applications updated.
MITRE ATT&CK® Techniques
| Tactic | Technique ID | Technique Name |
| Initial Access | T1476 | Deliver Malicious App via Other Means. |
| Initial Access | T1444 | Masquerade as a Legitimate Application |
| Discovery | T1418 | Application discovery |
| Impact | T1516 | Input Injection |
Indicators of Compromise (IOCs)
| Indicators | Indicator Type | Description |
| 6583a9b6b83738e0bf2a261fc04483e18772da3241e467fdef37a8e27b1869a7 | SHA256 | Hash of analyzed malicious APK |
| 60358f26853ccba6f137901c57147442e868041b | SHA1 | Hash of analyzed malicious APK |
| 9a8e85cf1bbd32c71f0efa42ffedf1a0 | MD5 | Hash of analyzed malicious APK |
| hxxps://bit[.]ly/nubankmodulo | URL | Shortened malware distribution URL |
| hxxps://goatrat[.]com/apks/apk20.apk | URL | Malware distribution URL |
| hxxp://api.goatrat[.]com:3008 | URL | C&C server to receive PIX key |
