{"id":18961,"date":"2022-05-06T01:40:10","date_gmt":"2022-05-06T09:40:10","guid":{"rendered":"http:\/\/www.palada.net\/index.php\/2022\/05\/06\/news-12694\/"},"modified":"2022-05-06T01:40:10","modified_gmt":"2022-05-06T09:40:10","slug":"news-12694","status":"publish","type":"post","link":"http:\/\/www.palada.net\/index.php\/2022\/05\/06\/news-12694\/","title":{"rendered":"Warning: GRIM and Magnus Android Botnets are Underground"},"content":{"rendered":"<div class=\"aem-Grid aem-Grid--12 aem-Grid--default--12\">\n<div class=\"raw-import aem-GridColumn aem-GridColumn--default--12\">\n<div class=\"text-container\"><\/div>\n<\/p><\/div>\n<div class=\"cmp cmp-text aem-GridColumn aem-GridColumn--default--12\">\n<p>The lifecycle of an Android banking botnet typically consists of two stages: <b>rise<\/b> and <b>fall<\/b>. During the rising phase, the malware author promotes their new code and rents it underground\u2014MaaS (Malware as a Service). As the botnet gains popularity, it evolves with new features and pricing. At some point, though, an issue occurs, triggering its fall. For example, the author gets caught (e.g. <a href=\"https:\/\/twitter.com\/threatfabric\/status\/1162283463891750913\">Anubis<\/a>) or its source code gets released on underground forums (either willingly by the authors themselves, by a competitor, or perhaps an unhappy customer). As a result, the botnet gradually dies. And unfortunately, others pop up on the market to take its place.<\/p>\n<p>As malware analysts, we used to see <a href=\"https:\/\/www.fortinet.com\/blog\/threat-research\/spring-parade-for-refreshed-android-marcher\">Android\/Marcher<\/a>, Locker, and Anubis; these have been replaced by <a href=\"https:\/\/www.fortinet.com\/blog\/threat-research\/android-bianlian-botnet-mobile-banking\">BianLian<\/a>, Cerberus, and Flubot (and still Anubis). 
A year ago, threat actor(s) started advertising a newcomer, the <a href=\"https:\/\/twitter.com\/bank_security\/status\/1363930541372891137\">Huracan botnet<\/a>. We haven\u2019t seen it in the wild yet\u2014or if we have, we haven\u2019t recognized it (it\u2019s not always obvious to match underground names with the samples we analyze).<\/p>\n<\/p><\/div>\n<div class=\"cmp cmp-text aem-GridColumn--default--none aem-GridColumn aem-GridColumn--default--11 aem-GridColumn--offset--default--1\">      <\/div>\n<div class=\"cmp cmp-text aem-GridColumn aem-GridColumn--default--12\">\n<h2>Underground advertisement<\/h2>\n<p>The <b>Magnus<\/b> Botnet has been repeatedly advertised underground by a threat actor named <i>whit3_d3vil<\/i> since February 2022.\u00a0 It is unclear whether <i>whit3_d3vil<\/i> is the author or just a reseller. The botnet implements all the typical features that banking trojans currently have: overlay injection over mobile banking applications, sending SMS, SMS interception, 2FA bypass, remote administration via VNC, etc. 
And unlike BianLian, <b>communication with C2s is encrypted using AES<\/b>.<\/p>\n<\/p><\/div>\n<div class=\"cmp cmp-image aem-GridColumn--default--none aem-GridColumn aem-GridColumn--default--8 aem-GridColumn--offset--default--2\">               <noscript data-cmp-image=\"{&#34;smartImages&#34;:[],&#34;smartSizes&#34;:[],&#34;lazyEnabled&#34;:true}\">             <img decoding=\"async\" src=\"\/blog\/threat-research\/grim-magnus-android-botnets\/_jcr_content\/root\/responsivegrid\/image.img.png\/1651592382150\/img1.png\" alt=\"Screenshot of Magnus bot advertised on an underground forum\"\/>         <\/noscript>          <span class=\"cmp-image--title\">Figure 1: Magnus bot advertised on an underground forum<\/span>         <\/div>\n<div class=\"cmp cmp-text aem-GridColumn aem-GridColumn--default--12\">\n<p>The botnet can be rented for <i>1,000 USD per month<\/i>.<\/p>\n<p>Should we be amused or anxious that malware is being sold like boxes of cookies on the web? There are even <b>sales<\/b> (prices marked down from 1,600 USD to 1,000 USD), watermarked screenshots (against competitors?), and <b>videos<\/b> demonstrating the product!<\/p>\n<\/p><\/div>\n<div class=\"cmp cmp-image aem-GridColumn--default--none aem-GridColumn aem-GridColumn--default--8 aem-GridColumn--offset--default--2\">               <noscript data-cmp-image=\"{&#34;smartImages&#34;:[],&#34;smartSizes&#34;:[],&#34;lazyEnabled&#34;:true}\">             <img decoding=\"async\" src=\"\/blog\/threat-research\/grim-magnus-android-botnets\/_jcr_content\/root\/responsivegrid\/image_821079353.img.png\/1651592453118\/img2.png\" alt=\"Screenshot of Magnus bot advertisement with lowered price\"\/>         <\/noscript>          <span class=\"cmp-image--title\">Figure 2: Magnus bot advertisement with lowered price<\/span>         <\/div>\n<div class=\"cmp cmp-text aem-GridColumn aem-GridColumn--default--12\">\n<p>The <b>Grim<\/b> botnet is less expensive: only 500 USD\/month. 
It is being advertised on a specialized Telegram channel. It implements more or less the same features as the Magnus bot. Prices for underground botnet packages are freely fixed by the authors\/resellers. They don\u2019t necessarily match features. A lower price for Grimbot can mean the malware has less notoriety, for instance, rather than fewer features.<\/p>\n<\/p><\/div>\n<div class=\"cmp cmp-image aem-GridColumn--default--none aem-GridColumn aem-GridColumn--offset--default--4 aem-GridColumn--default--4\">               <noscript data-cmp-image=\"{&#34;smartImages&#34;:[],&#34;smartSizes&#34;:[],&#34;lazyEnabled&#34;:true}\">             <img decoding=\"async\" src=\"\/blog\/threat-research\/grim-magnus-android-botnets\/_jcr_content\/root\/responsivegrid\/image_746120124.img.png\/1651592498657\/img3.png\" alt=\"Screen capture of a demo video of Grimbot exhibiting its injection features on various mobile banking apps (targets)\"\/>         <\/noscript>          <span class=\"cmp-image--title\">Figure 3: Screen capture of a demo video of Grimbot exhibiting its injection features on various mobile banking apps (targets)<\/span>         <\/div>\n<div class=\"cmp cmp-text aem-GridColumn aem-GridColumn--default--12\">\n<h2>How does this concern me?<\/h2>\n<p>If you are a <b>malware analyst<\/b>, be on the lookout for <b>a new banking botnet whose communication with its C2 is encrypted with AES (Magnus) or a botnet with tags such as \u201cgrim\u201d that poses as a \u201cSecurity\u201d application<\/b>.<\/p>\n<p>Fortunately, if you are protected by Fortiguard Antivirus (e.g. FortiGate, FortiClient, FortiMail, FortiWeb, FortiProxy), you are automatically protected against many Android banking trojans.<\/p>\n<p>\u00a0However, there are a few other precautions you should take:<\/p>\n<ol>\n<li>Android banking trojans typically pose as famous applications: Video Player, Play Store, Flash Player, etc. Be sure to download such applications only from a trusted marketplace. 
<b>Never follow a link (email or SMS) to download the app<\/b>, even if it comes from a presumed friend. <b><i>Important:<\/i><\/b> Note that banking trojans do not usually pose as a mobile banking app. Rather, they pose as another app, detect when you use your (genuine) mobile banking app, and display (overlay) malicious windows on top of the real ones.<\/li>\n<li>All those banking trojans also <b>abuse Android Accessibility Services<\/b>. Accessibility Services are meant to help people with disabilities. <b>Do not grant such rights<\/b> to any other application!<\/li>\n<\/ol><\/div>\n<div class=\"cmp cmp-image aem-GridColumn--default--none aem-GridColumn aem-GridColumn--offset--default--4 aem-GridColumn--default--4\">               <noscript data-cmp-image=\"{&#34;smartImages&#34;:[],&#34;smartSizes&#34;:[],&#34;lazyEnabled&#34;:true}\">             <img decoding=\"async\" src=\"\/blog\/threat-research\/grim-magnus-android-botnets\/_jcr_content\/root\/responsivegrid\/image_1355553933.img.png\/1651592578000\/img4.png\" alt=\"Standard alert screen on Android shows when an application tries to use Accessibility Services\"\/>         <\/noscript>          <span class=\"cmp-image--title\">Figure 4: This is the standard alert screen on Android that shows when an application tries to use Accessibility Services. You should <b>not<\/b> accept this. 
Instead, click Cancel immediately, uninstall the corresponding app, and scan your smartphone<\/span>         <\/div>\n<div class=\"cmp cmp-text aem-GridColumn aem-GridColumn--default--12\">\n<p class=\"cq-text-placeholder-ipe\" data-emptytext=\"Text\">\n<\/p><\/div>\n<div class=\"cmp cmp-image aem-GridColumn--default--none aem-GridColumn aem-GridColumn--offset--default--4 aem-GridColumn--default--4\">               <noscript data-cmp-image=\"{&#34;smartImages&#34;:[],&#34;smartSizes&#34;:[],&#34;lazyEnabled&#34;:true}\">             <img decoding=\"async\" src=\"\/blog\/threat-research\/grim-magnus-android-botnets\/_jcr_content\/root\/responsivegrid\/image_846544758.img.png\/1651592659290\/img5.png\" alt=\"Screenshot of an infection by Android\/BianLian\"\/>         <\/noscript>          <span class=\"cmp-image--title\">Figure 5: This screen is a very good indicator of an infection by Android\/BianLian. Do not activate accessibility services! Uninstall the application immediately and scan your smartphone for viruses with AV for higher security<\/span>         <\/div>\n<div class=\"cmp cmp-text aem-GridColumn aem-GridColumn--default--12\">\n<h2>Fortinet Protection<\/h2>\n<p>Fortinet products detect malware discussed in this blog:<\/p>\n<p>Anubis<\/p>\n<ul>\n<li>Android\/Anubis.AOG!tr<\/li>\n<li>Android\/Anubis.CST!tr<\/li>\n<li>Android\/Anubis.BIR!tr<\/li>\n<li>Android\/Anubis.AMB!tr<\/li>\n<\/ul>\n<p>Marcher<\/p>\n<ul>\n<li>Android\/Marcher.X!tr<\/li>\n<\/ul>\n<p>Locker<\/p>\n<ul>\n<li>Android\/Locker.KV!tr<\/li>\n<li>Android\/Agent.BFQ!tr<\/li>\n<li>Android\/Agent.BDH!tr<\/li>\n<\/ul>\n<p>BianLian<\/p>\n<ul>\n<li>Android\/BianLian.10484!tr<\/li>\n<\/ul>\n<p>Cerberus<\/p>\n<ul>\n<li>Android\/Cerberus.DF!tr<\/li>\n<li>Android\/Agent.DDF!tr<\/li>\n<\/ul>\n<p>Flubot<\/p>\n<ul>\n<li>Android\/Flubot.G!tr<\/li>\n<li>Android\/Agent.HWW!tr<\/li>\n<\/ul>\n<div><i>\u00a0<\/i><\/div>\n<div><i>Learn more about Fortinet\u2019s <a 
href=\"https:\/\/www.fortinet.com\/fortiguard\/labs?utm_source=blog&amp;utm_campaign=fortiguard-labs\">FortiGuard Labs<\/a> threat research and intelligence organization and the FortiGuard Security Subscriptions and Services <a href=\"https:\/\/www.fortinet.com\/fortiguard\/labs?tab=security-bundles&amp;utm_source=blog&amp;utm_campaign=security-bundles\">portfolio<\/a>.<\/i><\/div>\n<\/p><\/div>\n<div class=\"raw-import aem-GridColumn aem-GridColumn--default--12\">\n<div class=\"text-container\">\n<\/div><\/div>\n<\/p><\/div>\n<p><a href=\"https:\/\/www.fortinet.com\/blog\/threat-research\/grim-magnus-android-botnets\" target=\"bwo\" >http:\/\/feeds.feedburner.com\/fortinet\/blog\/threat-research<\/a><\/p>\n","protected":false},"excerpt":{"rendered":"<p><img decoding=\"async\" src=\"\/blog\/threat-research\/grim-magnus-android-botnets\/_jcr_content\/root\/responsivegrid\/image.img.png\/1651592382150\/img1.png\"\/><br \/>Since the beginning of 2022, more Android botnet newcomers have appeared. FortiGuard Labs has seen two new banking botnets: GRIM and Magnus. 
Read our blog to find out more.<\/p>\n","protected":false},"author":4,"featured_media":0,"comment_status":"open","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"colormag_page_container_layout":"default_layout","colormag_page_sidebar_layout":"default_layout","footnotes":""},"categories":[10424,10378],"tags":[],"class_list":["post-18961","post","type-post","status-publish","format-standard","hentry","category-fortinet","category-security"],"_links":{"self":[{"href":"http:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/posts\/18961","targetHints":{"allow":["GET"]}}],"collection":[{"href":"http:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"http:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"http:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/users\/4"}],"replies":[{"embeddable":true,"href":"http:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/comments?post=18961"}],"version-history":[{"count":0,"href":"http:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/posts\/18961\/revisions"}],"wp:attachment":[{"href":"http:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/media?parent=18961"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"http:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/categories?post=18961"},{"taxonomy":"post_tag","embeddable":true,"href":"http:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/tags?post=18961"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}