Recent media reports claim that a total of 77 banks, cryptocurrency exchanges, and national organizations have been targeted by a new Android remote access trojan (RAT). DroidBot works primarily through a combination of hidden VNC and overlay attack techniques.
In this article, we’ll dive into the details of the attack, the countries that were targeted, and more. Let’s begin!
DroidBot RAT: Overview Of The Attacks
Before we dive into the attack details, it is worth knowing that DroidBot is an advanced trojan. Its two core capabilities are a classic hidden VNC and overlay attacks, and it combines these with features more commonly associated with spyware.
In addition, DroidBot includes a keylogger and monitoring routines that intercept user interaction, which together make it a powerful tool for credential theft and surveillance. One of its most distinctive characteristics is a dual-channel communication mechanism.
Outbound data from infected devices is transmitted over the MQTT protocol (a lightweight publish/subscribe protocol far more common in IoT telemetry than in consumer apps, which is one reason a handset speaking MQTT deserves a second look), whereas inbound commands, including the overlay target specifications, arrive over HTTPS. Splitting the channels this way gives DroidBot increased resilience and operational flexibility.
Cybersecurity experts who have analyzed the DroidBot RAT attacks have stated that:
“Analysis of DroidBot samples has also revealed its Malware-as-a-Service (MaaS) infrastructure, with 17 distinct affiliate groups identified, each assigned unique identifiers. Interestingly, multiple affiliates were found to be communicating over the same MQTT server, suggesting that some groups may collaborate or participate in demonstration sessions showcasing the malware’s capabilities.”
It’s also worth mentioning that DroidBot is believed to be under active development: certain functions, such as root checks, exist only as placeholders, and the degree of obfuscation and multi-stage unpacking varies between samples. Given these inconsistencies, experts state that the operators are either still refining the trojan or tailoring it to specific environments.
DroidBot Attack: Trojan Breakdown
DroidBot relies on luring victims into downloading and installing it themselves. The malware has been seen disguised as generic security applications, Google services, or common banking apps. Like other Android banking trojans, DroidBot relies heavily on abusing Accessibility Services to carry out its malicious functions. It appears to have been developed with the B4A (Basic4Android) framework, which is used to build native Android applications.
The same framework has also been used for malware associated with Brazilian threat actors, such as the BRATA family. The Accessibility Services permission that DroidBot abuses is typically requested in the early stages, right after installation. Its functionality, much of which is also found in other banking malware, includes:
- SMS Interception – The malware monitors incoming SMS messages, which financial institutions often use to deliver transaction authentication numbers (TANs); capturing them lets attackers bypass SMS-based two-factor authentication.
- Keylogging – Through the abused Accessibility Services, DroidBot captures sensitive information that is displayed on screen or typed by the user, such as login credentials, personal data, and account balances.
- Overlay Attack – DroidBot displays fake login pages on top of legitimate banking applications; whatever the victim types into the fake page is sent to the attackers, who thereby capture valid credentials.
- VNC-Like Routine – The RAT periodically takes screenshots of the compromised device, giving the operators an ongoing, near real-time view of device activity.
- Screen Interaction – DroidBot can also remotely control the infected device, executing commands that simulate user interaction such as tapping buttons, filling out forms, and navigating between apps.
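Every capability in the list above has a footprint in the app's manifest: SMS interception needs RECEIVE_SMS or READ_SMS, overlays need SYSTEM_ALERT_WINDOW, and keylogging, the screenshot routine and remote screen interaction all ride on a declared AccessibilityService. The following static triage script is an added example (not DroidBot's code and not from the original report): it reads a decoded AndroidManifest.xml, such as the one apktool produces, and maps what it finds back onto those capabilities. Both manifests embedded below, including the package names and the class name `.AccService`, are constructed for illustration.

```python
"""Static triage of a decoded AndroidManifest.xml against the capability set of
DroidBot-style banking trojans. Added example; the manifests are constructed."""
import xml.etree.ElementTree as ET

ANDROID_NS = "http://schemas.android.com/apk/res/android"
A_NAME = "{%s}name" % ANDROID_NS
A_PERMISSION = "{%s}permission" % ANDROID_NS

# Capability from the list above -> permissions that enable it.
PERMISSION_INDICATORS = {
    "sms_interception": {"android.permission.RECEIVE_SMS", "android.permission.READ_SMS"},
    "overlay_attack": {"android.permission.SYSTEM_ALERT_WINDOW"},
    "call_control": {"android.permission.ANSWER_PHONE_CALLS", "android.permission.CALL_PHONE"},
    "push_notifications": {"android.permission.POST_NOTIFICATIONS"},
}
# An AccessibilityService is a <service> guarded by this permission that handles
# this intent action; it is a declaration, not a <uses-permission> entry.
BIND_A11Y = "android.permission.BIND_ACCESSIBILITY_SERVICE"
A11Y_ACTION = "android.accessibilityservice.AccessibilityService"


def requested_permissions(root):
    return {e.get(A_NAME) for e in root.iter("uses-permission") if e.get(A_NAME)}


def accessibility_services(root):
    """Class names of services the system may bind as AccessibilityServices."""
    found = []
    for svc in root.iter("service"):
        if svc.get(A_PERMISSION) != BIND_A11Y:
            continue
        if any(a.get(A_NAME) == A11Y_ACTION for a in svc.iter("action")):
            found.append(svc.get(A_NAME))
    return found


def triage(manifest_xml):
    root = ET.fromstring(manifest_xml)
    perms = requested_permissions(root)
    caps = {cap for cap, needed in PERMISSION_INDICATORS.items() if perms & needed}
    a11y = accessibility_services(root)
    if a11y:
        # Keylogging, the VNC-like screenshot routine and remote screen
        # interaction all ride on an abused AccessibilityService.
        caps.update({"keylogging", "screen_interaction"})
    return {
        "package": root.get("package"),
        "accessibility_services": a11y,
        "capabilities": sorted(caps),
        # Read the OTP, fake the login, log the keys: the banking-trojan triad.
        "banking_trojan_profile": {"sms_interception", "overlay_attack", "keylogging"} <= caps,
    }


# Constructed sample: a "security update" app asking for SMS, overlays, call
# control and notifications, and declaring an accessibility service.
SUSPICIOUS_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.securityupdate">
  <uses-permission android:name="android.permission.INTERNET"/>
  <uses-permission android:name="android.permission.RECEIVE_SMS"/>
  <uses-permission android:name="android.permission.SYSTEM_ALERT_WINDOW"/>
  <uses-permission android:name="android.permission.ANSWER_PHONE_CALLS"/>
  <uses-permission android:name="android.permission.POST_NOTIFICATIONS"/>
  <application android:label="Security Update">
    <service android:name=".AccService"
             android:permission="android.permission.BIND_ACCESSIBILITY_SERVICE">
      <intent-filter>
        <action android:name="android.accessibilityservice.AccessibilityService"/>
      </intent-filter>
    </service>
  </application>
</manifest>"""

# Constructed sample: an ordinary network app for comparison.
BENIGN_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.weather">
  <uses-permission android:name="android.permission.INTERNET"/>
  <uses-permission android:name="android.permission.POST_NOTIFICATIONS"/>
  <application android:label="Weather"/>
</manifest>"""

if __name__ == "__main__":
    for manifest in (SUSPICIOUS_MANIFEST, BENIGN_MANIFEST):
        print(triage(manifest))
```

The manifest alone cannot prove malice (screen readers and automation tools legitimately declare accessibility services), but a "security" or "Google services" lookalike that combines SMS access, overlays and an accessibility service matches the profile described in this section and should go straight to dynamic analysis.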
The DroidBot C2 panel exposes a simple interface for interacting with infected devices. Through it, the operators can:
- Collect valid banking credentials.
- Interact with phone calls, forcing a hang-up or redirecting a specific call to a different number.
- Gain remote access to the compromised device through the VNC capability, with the option of a black screen overlay that hides the malicious activity from the victim.
- Send push notifications.
- Retrieve the data collected by the SMS interception, keylogger, and other modules.
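All of the panel features above depend on two footholds on the handset: an enabled third-party accessibility service (for keylogging, screen interaction and the VNC routine) and the "draw over other apps" grant, SYSTEM_ALERT_WINDOW, for the overlay and black-screen tricks. The script below is an added example (not DroidBot's code and not from the original report) of how a responder checks an attached device for both over adb. The allowlist, the package name `com.example.securityupdate` and the sample command outputs are constructed; only the adb commands themselves are real.

```python
"""Live triage of an Android handset over adb for an unexpected enabled
AccessibilityService and an overlay grant. Added example; sample data constructed."""
import shutil
import subprocess

# Accessibility services the device owner knows about (assumed allowlist).
ALLOWLIST = {
    "com.google.android.marvin.talkback/com.google.android.marvin.talkback.TalkBackService",
}


def parse_enabled_services(raw):
    """`settings get secure enabled_accessibility_services` prints a colon-separated
    list of ComponentNames (pkg/cls, with cls possibly abbreviated as .Cls), or 'null'."""
    raw = raw.strip()
    if not raw or raw == "null":
        return []
    return [c for c in raw.split(":") if c]


def package_of(component):
    return component.split("/", 1)[0]


def unexpected_services(raw, allowlist=ALLOWLIST):
    """Enabled accessibility services that are not on the allowlist."""
    return [c for c in parse_enabled_services(raw) if c not in allowlist]


def overlay_allowed(appops_output):
    """`appops get <pkg> SYSTEM_ALERT_WINDOW` prints e.g.
    'SYSTEM_ALERT_WINDOW: allow; time=+2d3h12m41s805ms ago', 'SYSTEM_ALERT_WINDOW: default'
    or 'No operations.'; only an explicit 'allow' lets the app draw over other apps."""
    for line in appops_output.splitlines():
        line = line.strip()
        if line.startswith("SYSTEM_ALERT_WINDOW:"):
            mode = line.split(":", 1)[1].split(";", 1)[0].strip()
            return mode == "allow"
    return False


def adb_shell(*args):
    return subprocess.run(["adb", "shell", *args],
                          capture_output=True, text=True, check=True).stdout


def triage_device():
    """Run both checks against an attached device and return one finding per
    unexpected accessibility service."""
    findings = []
    raw = adb_shell("settings", "get", "secure", "enabled_accessibility_services")
    for svc in unexpected_services(raw):
        pkg = package_of(svc)
        findings.append({
            "package": pkg,
            "accessibility_service": svc,
            "overlay_allowed": overlay_allowed(
                adb_shell("appops", "get", pkg, "SYSTEM_ALERT_WINDOW")),
        })
    return findings


# Constructed sample outputs so the checks can be exercised offline.
SAMPLE_SERVICES = ("com.google.android.marvin.talkback/com.google.android.marvin.talkback.TalkBackService"
                   ":com.example.securityupdate/.AccService")
SAMPLE_APPOPS = "SYSTEM_ALERT_WINDOW: allow; time=+2d3h12m41s805ms ago"

if __name__ == "__main__":
    if shutil.which("adb"):
        print(triage_device())
    else:
        for svc in unexpected_services(SAMPLE_SERVICES):
            print(package_of(svc), svc, "overlay allowed:", overlay_allowed(SAMPLE_APPOPS))
```

A hit here means the app can read everything on screen and paint over it, which is exactly what the black-screen VNC and overlay features need. Because an active accessibility service can also fight the uninstall from the Settings UI, responders usually clear that setting over adb (or boot into safe mode) before removing the package with `pm uninstall`; that remediation is standard adb practice rather than something the report describes.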
Countries Targeted By The Android Trojan
Cybersecurity experts investigated the attack infrastructure to identify potential targets, and narrowed down the target regions by analysing the nationality of the targeted institutions. This analysis revealed that the key target regions lie within Europe.
The threat actors’ main focus appears to be on France, Italy, Spain, and Turkey. Providing further insight into the target locations, the researchers stated:
“The same results also emerge from analysing a file in the malware called security.html, which contains a security page warning users that “The application cannot be uninstalled for security reasons”. Within the code, we can see that this information is customised for 4 main languages: English, Italian, Spanish, and Turkish.”
Malware-as-a-Service Exposed
Malware-as-a-Service (MaaS) is a business model in the criminal ecosystem that mirrors the structure of legitimate Software-as-a-Service (SaaS) platforms.
It enables customers to access and use malware without having to develop or maintain it themselves, typically through a subscription. Commenting on the model, the researchers said:
“The malware’s creators develop and maintain the malicious software while providing it to “affiliates” or “botnet operators” who pay for access. By examining DroidBot Command-and-Control (C2) infrastructures and malware configurations, evidence emerged suggesting the existence of a private MaaS network. This network operates with a sophisticated structure, enabling “affiliates” or “botnet operators” to access DroidBot and its advanced capabilities.”
Given the scope and capabilities of threats like DroidBot, users should be cautious about installing apps from untrusted sources outside the official app stores, and should treat any newly installed app that asks for Accessibility Services access at first launch with particular suspicion.
Conclusion
In light of DroidBot’s sophisticated features and the growing prevalence of Malware-as-a-Service (MaaS), it’s clear that cybercriminals are continually advancing their tactics. With capabilities like overlay attacks, keylogging, and remote device control, DroidBot poses a serious threat to financial institutions, crypto exchanges, and unsuspecting users.
Its reliance on abused Accessibility Services and a dual-channel C2 (MQTT out, HTTPS in) highlights the importance of vigilance in app downloads and device security. The targeted nature of the attacks, particularly in European regions, underscores the need for localized awareness campaigns and robust cybersecurity measures.
As malware evolves, staying informed and proactive is the best defense. Always verify app sources, avoid granting excessive permissions, and invest in reputable security solutions to safeguard personal and financial data from sophisticated threats like DroidBot.
The sources for this piece include articles in The Hacker News and Cleafy.