What's in a Botnet? Researchers Spy on Geost Operators

The investigation of a major Android banking botnet yields insights about how cybercriminals structure and run an illicit business.

Researchers who discovered one of the largest Android banking botnets to date also found its attackers' chat log, which they have been watching for nearly a year to learn the inner workings of this cybercrime operation, how its illicit business is structured, and how members interact.


The botnet, dubbed "Geost," was first detected in 2018. A team of security researchers representing Czech Technical University in Prague, UNCUYO University, and Avast Software noticed one of Geost's botmasters logging into a C2 domain while using the insecure proxy network created by HtBot malware. Machines infected with HtBot create an illegal network of proxies later sold to customers; the researchers' lab had one HtBot instance capturing traffic.


What they found was a massive botnet targeting Russian citizens. Geost has nearly 1 million victims, 15 C2 servers, thousands of domains, and thousands of malicious Android application packages (APKs), which are used to distribute and install applications on the Android OS. It has connections to victims' SMS data and direct links to the systems of five major European banks. Geost also sells and redirects traffic, harvests data, and accesses premium SMS services.


The discovery of Geost was made possible in part by several OpSec failures on the attackers' side, says Avast Software researcher Anna Shirokova. One of their first mistakes was relying on proxies: "They assumed by default that it was secure," she explains. "They didn't expect researchers like us were going to be watching." This slip-up helped the research team uncover not only this banking botnet, but other criminal groups as well, she adds.


Geost's operators also failed to use encryption, Shirokova continues, and all of their chat ..
