Cybercrime , Cybercrime as-a-service , Endpoint Security

Report: Aberebot-2.0 Hits Banking Apps and Crypto Wallets

Newer, More Capable Aberebot Banking Trojan Variant on Sale for $7,000 on Dark Web
Report: Aberebot-2.0 Hits Banking Apps and Crypto Wallets
Subset of targeted apps present in the code for Aberebot-2 (Source: Cyble)

A new variant of the Aberebot banking malware, targeting 213 banking apps and nine crypto wallet apps in 22 countries, has been uncovered by researchers. Named Aberebot-2.0, the Telegram-based malware is the new version of the Aberebot Android banking Trojan discovered in July 2021.

See Also: Check Kiting In The Digital Age

Aberebot-2.0 uses Telegram APIs to communicate with operators and is capable of stealing sensitive information, including users' financial and personal data, using phishing webpages, according to researchers at cybersecurity company Cyble.

The Telegram bot's API is used as a command-and-control server, as Telegram bots cannot be taken down like web servers and because the messaging platform does not share user information with law enforcement agencies, the report says, citing a note by Aberebot’s creator that is published on the dark web.

The malware bot works on Android versions 9 through 12 and is for sale on a dark web forum for $7,000, the creator's note says. The source code, the note claims, is also up for sale as the creator says they are "moving on to new projects." Cyble says that the price of the source code on the dark web is $3,000.

Malware Delivery

The new version of the Aberebot malware is spreading through Croatian website FinaCertifikat, according to Cyble researchers.

The sideloading feature available in Android devices to install apps from sources other than Google Play Store allows for the malware installation, Kaustubh Medhe, head of intelligence and research at Cyble, tells Information Security Media Group.

"By emulating a legitimate app's name, the threat actor tricks users into installing the malicious APK using the sideloading feature," Medhe says.

Cyble's report shows that Aberebot-2.0 downloads phishing pages of targeted applications based on the country the victim resides in. The malware continually runs in the background and monitors all device activities, the researchers add.

When the victim opens up a banking or crypto app in the malware's target list, the malware displays a phishing page over the legitimate app. Once the victim logs in, the malware steals the cookies of the original application, they note.

Aberebot-2.0 file collection code (Source: Cyble)

Aberebot-2.0 Capabilities

A month after Cyble researchers first discovered the Aberebot banking Trojan, cybersecurity firm Cyclonis agreed with Cyble's findings, calling the malware "a dangerous new project" capable of displaying phishing overlays when victims interacted with a banking app. Cyclonis' researchers say that the overlays were cleverly designed, and any data entered by the target was transferred to Aberebot operators.

Based on the Aberebot-2 creator's claim and Cyble's findings, the banking malware's new variant appears to have multiple capabilities. It can steal information such as SMS, contact lists and device IPs, and it also can perform keylogging and detection evasion by disabling Play Protect - Google's safety check that is designed to detect spurious apps, according to the researchers.

Cyble says the "new and improved" version of the banking Trojan can steal messages from messaging apps and Gmail, inject values into financial applications, collect files on the victim's device and inject URLs to steal cookies.

Medhe says that Aberebot-2.0 has 18 different permissions, including internet permission, and 11 of the permissions are dangerous.

One key difference between the earlier and the latest version of the Aberebot malware, he says, is the use of the Telegram API. "In the newer version, the malware author has included features such as the ability to inject or modify values in application forms, such as receiver details or the amount during financial transactions. It also has a keylogging functionality, the ability to intercept clipboard data and spying on the victim's devices using GPS," he says.

Cyble's analysis shows that the malware creator incorporated the "QUERY_ALL_PACKAGES" permission, which was introduced in the recent Android 11 version.

Aberebot-2.0 is capable of carrying out fraudulent activities by injecting values into user fields in banking, crypto and social applications on the device, the Cyble report says.

Medhe says that although Aberebot-2.0 has some obfuscation and anti-detection techniques, it has an "anti-sandbox technique" by which the malware auto-terminates if it detects that the fake app is being executed in a sandbox environment.

Targeted Banks and Crypto Wallets

While Aberebot-1.0 targeted 140 applications from 18 countries, the latest variant of the banking Trojan incorporates details of 230 banking, digital payment and crypto wallet applications from 22 different countries.

Its target list features 12 U.S. banks - the major ones being Capital One, Chase, Wells Fargo, SunTrust and US Bank, the Cyble report says.

Among European banks, Aberebot-2.0 targets 32 Polish banks, 15 German, 14 Italian, 12 French and 11 Spanish banks. Turkey is a prominent target with 29 banks in the hit list, including the country's largest banks - Ziraat Bank, Isbank and Garanti.

In the U.K, the prominent banks on the target list include the Royal Bank of Scotland, NatWest, Barclays and Santander.

In the Australasian region, the banking Trojan includes 18 banking websites, including the ANZ Bank, Bank of Queensland and Citibank Australia. It also targets four banks from New Zealand.

In Asia, Aberebot-2.0 targets 10 Indian banking and digital payment apps, including the State Bank of India, HDFC, Union Bank and MobiKwik. The Asia list also includes eight Hong Kong-based banks, including Bank of China, Hang Seng and DBS Hong Kong, plus six Japanese and two Malaysian banks.

Among crypto wallet apps, Cyble researchers found Aberebot-2.0 posing a threat to prominent wallets including Coinbase, BitMarket, Bitfinex, Unocoin and Oxigen.

The Threat of Banking Trojans

In 2020, IBM Trusteer researchers found that cybercriminals used 20 emulators to mimic more than 16,000 phones and compromised banking information that resulted in "draining millions of dollars in a matter of days," news platform Wired reported.

Banking Trojans have been on security researchers' radar for some time now, but the attack mechanism and malware delivery is rarely different.

Cybersecurity firm Heimdal Security's list of the most notable banking malware families shows that most malware is built to steal sensitive information such as system passwords and banking credentials, which cybercriminals use to attempt to make unauthorized transactions through a complex network of systems and servers.

Heimdal's report shows that many banking Trojans, including Zeus or Zbot, are created using Trojan-building toolkits that can be purchased online. While banking malware such as SpyEye uses the keylogging feature to retrieve login credentials, specialized ones such as Shylock are designed to carry out fraudulent transactions and only work by creating a domain-generation algorithm.

While newer versions of banking Trojans such as Bizzaro and Aberebot-2.0 have been customized to target crypto wallet apps in addition to banking apps, others such as Kronos gained notoriety owing to their advanced obfuscation capabilities. Kronos' creator Marcus Hutchins, a 22-year-old British researcher, was hailed for stopping the 2017 WannaCry cyberattack.

About the Author

Soumik Ghosh

Soumik Ghosh

Former Assistant Editor, Asia

Prior to his stint at ISMG, Ghosh worked with IDG and wrote for CIO, CSO Online and Computerworld, in addition to anchoring CSO Alert, a security news bulletin. He was also a language and process trainer at [24] Ghosh has a degree in broadcast journalism from the Indian Institute of Journalism & New Media.

Around the Network

Our website uses cookies. Cookies enable us to provide the best experience possible and help us understand how visitors use our website. By browsing, you agree to our use of cookies.