PhishLabs has recently observed a technique change implemented by a threat actor tracked by our Research, Analysis, and Intelligence Division (R.A.I.D.™). This actor is utilizing a variant of the Marcher Android banking trojan to target clients of financial institutions, payment companies, auction sites, retailers, email providers, and social media companies, primarily located in North America.
Overview of Marcher
Marcher is a family of malicious Android applications that run in the background on an infected device and monitor its operation to detect the launch of specific applications or websites. When a targeted application or site is opened, Marcher overlays the screen with a customized phishing site which mimics the look and feel of the targeted institution. Marcher first appeared in 2013, and there are a number of variants in the wild with varying levels of functionality. Some samples contain only the web overlay and credential theft capability, while others extend functionality to include the ability to intercept and send SMS messages, lock the screen, steal system data, detect and hide anti-virus software, and even utilize the infected device as a SOCKS proxy.
PhishLabs tracks threat actors and proactively detects crimeware samples as a part of our Mobile Fraud and Crimeware Protection service. One of these threat actors uses a consistent set of infrastructure to deliver Marcher samples to Android users. The social engineering elements utilized to deliver the malware, the targeted organizations, and the web overlay functionality associated with this actor have remained consistent. This attacker presents the potential victim with a download that claims to be Adobe Flash Player, even though support for Flash on Android has long been abandoned. The actor has also been observed delivering apps masquerading as the Optus MMS application. The user is provided with instructions on how to enable installation from unknown sources.
Figure 1.1 Social engineering elements utilized by actor.
Figure 1.2 Social engineering elements utilized by actor.
Once the malware has been installed, Marcher requests Device Admin access and displays a success message on the victim’s device. Some data about the infected device is exfiltrated to the attacker and from this point forward, if the user opens one of the targeted applications, a phishing web overlay will be displayed on top of the application.
Figure 2 Web overlay example.
Recently, this threat actor made a significant change to their methodology for delivering configuration and targeting data to infected devices. Formerly, data about targeted organizations was embedded directly in the malicious APK file as a JSON-formatted resource file.
Figure 3 Configuration file within APK.
This file also contained the corresponding URL for the web overlay to be displayed for each organization, making it trivial to determine the organizations being targeted and the infrastructure being used. Recent samples from this actor have been amended so that the targeting data is no longer packaged in the APK. Following infection, the sample checks in with a command and control server and then retrieves a ZIP archive which contains all of the web overlays for targeted organizations.
Figure 4 Retrieval of web overlay archive.
This archive is then unzipped and stored directly on the infected device. Rather than accessing the overlays from a remote location on the web, overlays are now served directly from the device storage.
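To make the analysis consequence of this change concrete, the following added example (not PhishLabs code, and not derived from any real Marcher sample) shows how an analyst's static triage differs between the two variants: older builds expose their targets and overlay URLs in an embedded JSON resource, while newer builds carry no such data and the targets only become visible in the overlay archive fetched from the C2 after infection. All file names, the JSON layout and the sample archives are constructed assumptions.

```python
import io
import json
import zipfile

# Constructed sample data, not a real Marcher sample: older builds embed a JSON
# resource that maps targeted package names to the overlay URL for each.
OLD_STYLE_CONFIG = {"targets": [
    {"package": "com.example.bank", "url": "http://overlay.invalid/bank.html"},
    {"package": "com.example.pay", "url": "http://overlay.invalid/pay.html"},
]}

def build_zip(entries: dict[str, str]) -> bytes:
    """Build an in-memory ZIP (stand-in for an APK or an overlay archive)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for name, content in entries.items():
            zf.writestr(name, content)
    return buf.getvalue()

def embedded_targets(apk_bytes: bytes) -> list[dict]:
    """Pull package/URL pairs from every JSON resource inside the APK."""
    found = []
    with zipfile.ZipFile(io.BytesIO(apk_bytes)) as zf:
        for name in zf.namelist():
            if not name.lower().endswith(".json"):
                continue
            try:
                data = json.loads(zf.read(name))
            except (ValueError, UnicodeDecodeError):
                continue  # not a parseable config resource
            for entry in data.get("targets", []) if isinstance(data, dict) else []:
                if isinstance(entry, dict) and {"package", "url"}.issubset(entry):
                    found.append({"resource": name, **entry})
    return found

def overlay_inventory(archive_bytes: bytes) -> list[str]:
    """List the HTML overlays in an archive retrieved from the C2 after infection."""
    with zipfile.ZipFile(io.BytesIO(archive_bytes)) as zf:
        return sorted(n for n in zf.namelist() if n.lower().endswith(".html"))

def classify(apk_bytes: bytes) -> str:
    """Old variant: targets readable from the APK alone. New variant: nothing
    embedded, so the overlay archive must be obtained to enumerate targets."""
    return "embedded-config" if embedded_targets(apk_bytes) else "remote-overlay-archive"

# Constructed samples: an old-style APK, a new-style APK, and a fetched overlay ZIP.
OLD_APK = build_zip({"AndroidManifest.xml": "<manifest/>",
                     "assets/config.json": json.dumps(OLD_STYLE_CONFIG)})
NEW_APK = build_zip({"AndroidManifest.xml": "<manifest/>", "classes.dex": ""})
OVERLAY_ZIP = build_zip({"com.example.bank/index.html": "<form>...</form>",
                         "com.example.pay/index.html": "<form>...</form>", "x.js": ""})
```

A sample classified as `remote-overlay-archive` should be run in a sandbox with network capture so the C2 check-in and the archive download can be recorded and the overlays inventoried from the device's storage.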
Figure 5 Web overlay archive contents and overlay HTML snippet.
The following are SHA256 hash values for samples that exhibit the behavior change described above:
Why Do Threat Actors Shift?
The two central reasons that threat actors make changes like these to their malicious software are to improve success and avoid detection:
- The actor may have been unsatisfied with the success rate of the existing technique.
This change allows for the overlays to remain persistent and accessible on the infected device, even after the web overlay download server has been mitigated. This means that the overlays will still be displayed even if the victim does not access a targeted application until days or weeks after the initial infection.
- The change may also be an attempt to avoid detection or thwart analysis.
The command and control infrastructure that was previously hard-coded into the APK is now obfuscated and updated at the time of infection. Code changes such as this often break rules and scripts created by researchers to detect and automate the analysis of malware families.
PhishLabs RAID Team is constantly monitoring threat actors and associated malware families for changes in tactics, techniques, and procedures. This allows us to respond quickly in order to continue to proactively detect, analyze, and mitigate threats that target our clients.
If you would like to discuss the report or learn more about how PhishLabs helps our customers fight back against threats targeting their organization, contact us.