- Joined
- May 15, 2016
- Messages
- 14,093
- Likes
- 2,643
- Points
- 1,730
The botnet was discovered due to errors in the operational security of cybercriminals.
Researchers from Czech Technical University, National University of Cuyo (Argentina) and Avast have discovered one of the largest banking botnets, called Geost. At least 800 thousand owners of Android devices in the Russian Federation became victims of the malicious campaign, in particular, attackers gained access to their bank accounts, which totaled several million euros.
According to the researchers, the botnet could go unnoticed if it were not for the cybercriminals' operational security errors (OpSec), including the use of unencrypted chat logs discovered during the investigation, and an unsecured proxy network that could not provide anonymity.
“The rare chain of errors at OpSec has led to the discovery of a new banking Android botnet. An unusual discovery was made when the criminals decided to trust the proxy network created by the HtBot malware. HtBot offers a proxy rental service that provides users with pseudo-anonymous communication on the Internet. An analysis of the network interaction of HtBot led to the discovery and disclosure of a large malicious operation, ”the researchers explained.
HtBot works by turning victims into private illegal Internet proxies. Infected victims send messages from HtBot users to the Internet. Traffic is constantly being redirected to new victims, making tracking difficult.
Cybercriminals were also unable to encrypt their messages, allowing researchers to observe their actions. The information included technical details of accessing servers, introducing new devices into the botnet, methods of evading anti-virus solutions, and details of the relationship between attackers. Specialists found that lower-ranking operators are responsible for putting devices into the botnet, and high-ranking ones determine how much money is under their control.
The Geost botnet consists of Android devices infected through malicious and fake programs, including fake banking applications and social networks. After infection, the phones are connected to the botnet and managed remotely. As the researchers explained, attackers can gain access and send SMS messages, communicate with banks and redirect phone traffic to different sites. The botnet could directly connect to the five largest banks in Russia to work and deploy more than 200 Android APKs to fake dozens of applications.
The research team contacted the affected Russian banks and together with them takes measures to neutralize the malicious campaign.