The PhishLabs Blog

BankBot Continues Its Evolution as AgressiveX AndroBot

Posted by Joshua Shilko on Sep 5, '17

PhishLabs researchers recently came across BankBot Android banking Trojan samples that have a redesigned administration panel and new URL paths in their C2 infrastructure. The actor may be customizing BankBot to his or her liking, or perhaps re-packaging the leaked software for sale under another name. The use of the branded domain, agressivex[.]com, supports the latter. The new panel login screen is shown below next to a more typical BankBot Maza-in panel.

Figure 1: AgressiveX AndroBot Panel Login Screen

Figure 2: BankBot Maza-in Panel Login Screen

The source code for the entire BankBot project was leaked in late 2016. Since that time, a wide variety of BankBot variants have been seen in the wild with various targets and functionality. The new panel's creator appears to be attempting to rebrand BankBot as Agressivex AndroidBot by Agressor. The organizations targeted by the version of BankBot associated with this new panel are typical of an actor who has used the Maza-in strain of BankBot in the past, as seen below:

Figure 3: Targeted Applications

The BankBot sample itself does not appear to be heavily modified. The command and control structure specified in the app appears to be a mix of the old syntax and the new, with different paths for PHP files that were commonly stored together in earlier versions. It is unclear whether this mixed nomenclature was purposeful or an artifact of testing. In fact, the samples were not functional at the time they were discovered, and they are widely detected by anti-virus vendors.

Figure 4: VirusTotal Detections [1]

Whatever the motivation for the re-designed administration panel and updated C2, it is an interesting development that our researchers will continue to track.

SHA256 Hashes:
ecb347518230e54c773646075e2cc5ea269dcf8304ad102cee4aae75524e4736
870e3eb7f1637f040bcfbf7bf449ffc95a7d1aab52db895500707aff589952cc

Network IoCs:
hXXp://test.agressivex.com/
hXXp://test.agressivex.com/core/functions.php
hXXp://test.agressivex.com/private/add_log.php
hXXps://centrume.ru/
hXXps://centrume.ru/core/functions.php
hXXps://centrume.ru/private/add_log.php 

[1] https://www.virustotal.com/#/file/ecb347518230e54c773646075e2cc5ea269dcf8304ad102cee4aae75524e4736/detection
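To put the indicators above to use, a defender needs to refang them and match them against proxy logs and file hashes. The following is an added example (not code from the original post or from PhishLabs): it refangs the published URLs, checks proxy log lines against the C2 hosts, flags the BankBot-specific PHP paths (core/functions.php, private/add_log.php) as a lower-confidence signal when they appear on a host that is not in the list, and checks observed SHA256 values against the two sample hashes. The log format and the log lines themselves are constructed for illustration.

```python
"""Match the BankBot / AgressiveX AndroBot IoCs from the post against logs.

Added example, not part of the original post. The IoCs are the ones
published above; the proxy log format and the sample lines are constructed.
"""
import re
from urllib.parse import urlparse

# Network IoCs exactly as published (defanged with hXXp / hXXps).
DEFANGED_URLS = [
    "hXXp://test.agressivex.com/",
    "hXXp://test.agressivex.com/core/functions.php",
    "hXXp://test.agressivex.com/private/add_log.php",
    "hXXps://centrume.ru/",
    "hXXps://centrume.ru/core/functions.php",
    "hXXps://centrume.ru/private/add_log.php",
]

# SHA256 hashes of the two samples listed in the post.
SAMPLE_SHA256 = {
    "ecb347518230e54c773646075e2cc5ea269dcf8304ad102cee4aae75524e4736",
    "870e3eb7f1637f040bcfbf7bf449ffc95a7d1aab52db895500707aff589952cc",
}

# Constructed proxy log format: "<epoch> <client-ip> <method> <url> <status>"
LOG_RE = re.compile(
    r"^(?P<ts>\S+) (?P<client>\S+) (?P<method>[A-Z]+) (?P<url>\S+) (?P<status>\d{3})$"
)

# Constructed sample lines (RFC 5737 test addresses; example.* hosts are benign).
SAMPLE_LOG = [
    "1504598400.101 192.0.2.10 GET http://test.agressivex.com/private/add_log.php 200",
    "1504598401.220 192.0.2.11 GET https://www.example.com/index.html 200",
    "1504598402.330 192.0.2.12 POST https://centrume.ru/core/functions.php 200",
    "1504598403.440 192.0.2.13 POST https://cdn.example.net/core/functions.php 404",
]


def refang(ioc: str) -> str:
    """Turn a defanged IoC back into a real URL: hXXp -> http, [.] -> '.'."""
    ioc = re.sub(r"^hxxp", "http", ioc, flags=re.IGNORECASE)
    return ioc.replace("[.]", ".")


def ioc_hosts_and_paths(urls):
    """Split the refanged URL list into a host set and a set of C2 script paths."""
    hosts, paths = set(), set()
    for url in urls:
        parsed = urlparse(refang(url))
        hosts.add(parsed.netloc.lower())
        if parsed.path and parsed.path != "/":
            paths.add(parsed.path)
    return hosts, paths


def scan_proxy_log(lines, urls=DEFANGED_URLS):
    """Return one hit per log line that touches a listed C2 host or C2 path.

    A host match is high confidence. A path-only match (the BankBot PHP
    script names on an unlisted host) is weaker and is labelled as such so
    an analyst can triage it separately.
    """
    hosts, paths = ioc_hosts_and_paths(urls)
    hits = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue  # skip lines that do not fit the expected format
        parsed = urlparse(m.group("url"))
        host = parsed.netloc.lower()
        if host in hosts:
            reason = "known C2 host"
        elif parsed.path in paths:
            reason = "BankBot C2 path on unlisted host"
        else:
            continue
        hits.append({"client": m.group("client"), "url": m.group("url"), "reason": reason})
    return hits


def check_hashes(observed, known=SAMPLE_SHA256):
    """Return the observed SHA256 values (lower-cased) that match the sample hashes."""
    return sorted({h.strip().lower() for h in observed} & known)


if __name__ == "__main__":
    for hit in scan_proxy_log(SAMPLE_LOG):
        print(f"{hit['client']} -> {hit['url']} [{hit['reason']}]")
    print("hash matches:", check_hashes(["ECB347518230E54C773646075E2CC5EA269DCF8304AD102CEE4AAE75524E4736"]))
```

The path-only rule exists because the post notes that these PHP paths are new to this variant and split across directories; it will produce false positives on unrelated sites that happen to use the same file names, which is why it is reported with a distinct reason rather than folded in with host matches.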



Topics: Mobile Crimeware
