PhishLabs researchers recently came across BankBot Android Banking Trojan samples which have a redesigned Administration Panel and new URL paths in their C2 infrastructure. The actor may be customizing BankBot to his or her liking, or perhaps re-packaging the leaked software for sale under another name. The use of the branded domain, agressivex[.]com, supports the latter. The new panel login screen is displayed below next to a more typical BankBot Maza-in panel.
FIgure 1: AgressiveX AndroBot Panel Login Screen
Figure 2: BankBot Maza-in Panel Login Screen
The source code for the entire BankBot project was leaked in late 2016. Since that time, a wide variety of BankBot variants have been seen in the wild with various targets and functionality. The new panel’s creator appears to be attempting to rebrand BankBot as Agressivex AndroidBot by Agressor. The organizations which are targeted by the version of BankBot associated with this new panel are typical of an actor who has typically used the Maza-in strain of BankBot in the past, as seen below:
Figure 3: Targeted Applications
The BankBot sample itself does not appear to be heavily modified. The command and control structure specified in the app appears to be a mix of the old syntax and new, with different paths for PHP files that are commonly stored together in earlier versions. It is unclear whether this mixed nomenclature was purposeful or an artifact of testing. In fact, the samples were not functional at the time they were discovered and they are widely detected by anti-virus companies.
Figure 4: Virustotal Detections1
Whatever the motivation for the re-designed administration panel and updated C2, it is an interesting development that our researchers will continue to track.
Need to fight back against rogue mobile apps that abuse your brand? Click below to find out how PhishLabs can help.