December 5, 2024 at 08:29AM
A new Android remote access trojan (RAT) named DroidBot targets 77 banks and exchanges, primarily in Europe, with plans to expand to Latin America. It features advanced capabilities like keylogging and overlay attacks and is distributed via fake security apps. It is offered as malware-as-a-service, and affiliates can manage infected devices for various malicious actions.
### Meeting Takeaways
1. **Discovery of DroidBot**: A new Android Remote Access Trojan (RAT) named DroidBot has been discovered, targeting 77 banks, cryptocurrency exchanges, and national entities.
2. **Geographical Focus**: The RAT has been mainly active in Europe, with significant targeting in France, Italy, Spain, and Turkey, and has also shown activity in the UK and Portugal. There are indications that it may expand its reach to Latin America.
3. **Capabilities**: DroidBot possesses advanced functionalities, including:
– Hidden VNC for remote access.
– Overlay attack techniques.
– Spyware features like keylogging and user monitoring.
– A dual-channel communication mechanism for operational flexibility.
4. **Distribution Method**: The malware is disguised as legitimate applications (security, banking, and Google services) and exploits Android’s Accessibility Services for its malicious activities.
5. **Malicious Actions**: Once installed, DroidBot can:
– Intercept SMS messages to acquire transaction authentication numbers (TANs).
– Capture sensitive credentials from the screen.
– Display fake login screens over real banking apps.
– Take periodic screenshots of the device.
6. **Command and Control (C&C)**: It distinctively uses a dual-channel communication system:
– MQTT protocol for outbound commands.
– HTTPS for incoming commands.
7. **MaaS Model**: DroidBot operates under a malware-as-a-service (MaaS) model, with 17 identified affiliate threat actors, some collaborating with each other.
8. **Affiliate Program**: The malware is marketed on cybercrime forums with a subscription model costing $3000 per month. Affiliates receive tools to manage their infected devices and can customize the malware to evade detection.
9. **Development Status**: DroidBot is still under active development, with several features still in progress and some not fully implemented, indicating ongoing enhancement.
10. **Signs of Ongoing Threats**: Continuous monitoring of threats like DroidBot is crucial, particularly regarding its evolving functionality and geographical targeting expansion.
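The behaviours listed under items 3 to 6 (Accessibility Service abuse, SMS interception, overlays, impersonation of security and Google apps, sideloaded delivery) can be turned into a simple triage check over a device app inventory. The script below is an added example, not code from the original article or from the researchers who analysed DroidBot; the inventory fields and the package names in the sample data are constructed for illustration.

```python
# Added example: triage heuristic that flags installed apps whose profile matches
# the DroidBot behaviours described above. Inventory schema and sample packages
# are hypothetical; a real deployment would feed this from MDM/EDR telemetry.
from __future__ import annotations
from dataclasses import dataclass
from typing import Optional

INSTALLER_PLAY = "com.android.vending"               # Google Play installer package
SUSPICIOUS_LABELS = ("security", "antivirus", "google")  # names DroidBot masquerades as
TRUSTED_PREFIXES = ("com.google.", "com.android.")

@dataclass(frozen=True)
class App:
    package: str
    label: str
    installer: Optional[str]     # None = sideloaded (no installer package recorded)
    accessibility_service: bool  # app declares an AccessibilityService
    permissions: frozenset

def risk_flags(app: App) -> list:
    """Return the DroidBot-style indicators an app exhibits (empty = none)."""
    flags = []
    if app.installer != INSTALLER_PLAY:
        flags.append("sideloaded")
    if app.accessibility_service:
        flags.append("accessibility")
    if "android.permission.RECEIVE_SMS" in app.permissions:
        flags.append("sms")
    if "android.permission.SYSTEM_ALERT_WINDOW" in app.permissions:
        flags.append("overlay")
    looks_official = any(w in app.label.lower() for w in SUSPICIOUS_LABELS)
    if looks_official and not app.package.startswith(TRUSTED_PREFIXES):
        flags.append("impersonation")
    return flags

def triage(inventory: list, min_flags: int = 3) -> list:
    """Apps carrying at least `min_flags` indicators, highest count first."""
    hits = []
    for app in inventory:
        flags = risk_flags(app)
        if len(flags) >= min_flags:
            hits.append((app.package, flags))
    return sorted(hits, key=lambda h: -len(h[1]))

# Constructed sample inventory (packages other than Google's are made up).
SAMPLE = [
    App("com.example.bank", "Example Bank", INSTALLER_PLAY, False,
        frozenset({"android.permission.INTERNET"})),
    App("com.google.android.gms", "Google Play services", INSTALLER_PLAY, False,
        frozenset({"android.permission.RECEIVE_SMS"})),
    App("net.fakeav.shield", "Android Security", None, True,
        frozenset({"android.permission.RECEIVE_SMS", "android.permission.SYSTEM_ALERT_WINDOW",
                   "android.permission.INTERNET"})),
]

if __name__ == "__main__":
    for package, flags in triage(SAMPLE):
        print(package, flags)
```

Legitimate apps also use single indicators (Google Play services legitimately receives SMS here), which is why `triage` reports only combinations rather than any one flag.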