Businessman working on laptop and analysing the financial information at his office. Close up of male hands typing on computer keyboard

Avira Labs Research Reveals Hydra Banking Trojan 2.0 targeting a wider network of German and Austrian banks

The Avira Threat Protection Labs team is a dedicated team, with team members based around the world, which also has its own research arm – this research arm focuses on emerging and developing threats.

The Hydra Banking Trojan malware has been targeting Android banking customers since 2019. Now, researchers in Threat Protection Labs have identified a new pattern and technique in use, seeing this malware being poised and ready to be deployed to target a wider set of Android users. The research team have seen that Hydra Banking Trojan 2.0, is now preparing to target crypto apps, having previously focused on financial services and banking customers – its evolution shows it as poised to target consumers via over 200 apps.

This new threat was first spotted in January 2022 by Avira’s Threat Protection team, leading to a deep dive with conclusions reached in March 2022, shared below.

1. Introduction

While checking one internet monitoring cyber threat intelligence feed we noticed quite a strange URL. The host was just an IP, no domain, ending with the mundane ’download.php‘. Simple yet surprising when noticing it was serving an APK with a hash not seen anywhere else before.

Figure 1: The URL serving malicious APKs

At that moment, little did we know it would lead to the discovery of an ongoing Hydra campaign targeting ~50 million German and Austrian banking customers and potentially many other targets.

Hydra is an Android BankBot variant, a type of malware designed to steal banking credentials. The way it does this is by requesting the user enables dangerous permissions such as accessibility and every time the banking app is opened, the malware is hijacking the user by overwriting the legit banking application login page with a malicious one. The goal is the same, to trick the user to enter his login credentials so that it will go straight to the malware authors.

2. Ongoing Campaign

The campaign appears to have been running since the last quarter of 2021 and is still ongoing at the time of writing this, March 2022

The host (172.121.14[.]62) from which this research started seems to have served more than 30 different samples (at the time of writing this) related to this campaign.

Figure 2: List of malicious samples served by 172.121.14[ .]62
Looking at the domains being hosted on that IP we also notice a lot of phishing domains targeting BAWAG P.S.K. and CommerzBank users, masquerading as reputable organisations to trick consumers:

Figure 3: List of phishing URLs served by 172.121.14[.]62
The Avira technology is successfully detecting this malware and quarantining it – as per the detection names below which appear when Avira picks up the malware, samples shown below – while we continued to research this malware and establish its course:

3. Dynamic analysis

Moving forward to the analysis of the sample, the first step was to send it to our in-house Dynamic Analysis Android Sandbox, aka DANY. After getting the behavioral report we noticed some interesting things.

The Avira Dynamic analysis report revealed the following behaviour:

  1. Accessibility service is used
  2. Drops a DEX which gets deleted afterwards
  3. Hides launcher icon
  4. Saved preferences contain a list of other banking apps’ package names
  5. Accesses an .onion DarkWeb URL
  6. Drops a zip file from URL

 

What we mean by an .onion DarkWeb URL

The dark web, also known as the deep web or dark net, is a privacy-focused part of the internet, running on the Tor Network. It’s harder to access, accessed through the Tor Browser, or through connection to the network using a special library to handle the necessary steps.

An .onion is a hidden service, a website running on the Tor Network. These domains usually have random characters and end with the .onion extension. They can’t easily be taken down by a central authority and the server hosting the website is difficult to locate. Their appeal to those people behind the Hydra Banking Trojan 2.0, is that they function on a private key mechanism. This means that anybody with the private key can keep that website up and maintain control, so even if the server hosting the website was found and taken down, in a short space of time the person with the private key could simply start it up once again.

1. The app’s name is BAWAG PSK Security and the logo is similar to one used by an Austrian Bank. Right off the bat it asks for accessibility permission.

Figure 4: First thing you see after opening the app

Usually banking apps don’t ask you for that kind of permission, some even refuse to operate if you have a rooted phone, thus we can assume that this sample may be banker malware looking to steal some credentials.

Banking malware has been going around for a long time and is here to stay, the Covid pandemic has hugely accelerated the adoption of internet banking apps.

2. Nowadays, dropping a DEX file and deleting it is a practice used both by malware for hiding reasons, but also by clean apps in an obfuscation attempt. But we’ll take note of it and check it later

Figure 5: Full path of the dropped DEX file (danyleted means the folder/file was deleted)

3. Now, hiding the app’s icon after giving the accessibility may also be a red flag, but it’s a technique again, also used by clean apps, yet they announce this to you beforehand so there’s nothing hidden under the table (or at least the good ones).

4. Looking over the Shared Preferences we notice a list of other banking and security apps’ package names under a key containing the word “injects”. We’re now highly suspicious.

Figure 6: Shared Preference with a key containing “injects” in itself, the value being a list of mostly banking apps

5. Looking at the URLs accessed, we can see something really fascinating – an actual working request to an .onion Tor (DarkWeb) URL. (Taking a small explanatory break: to access an .onion URL you need to connect to the Tor network).

Now, when building DANY we didn’t add any Tor support by default, so unless it became sentient, the sample downloaded what it needed to perform such a connection

Figure 7: List of accessed URLs
Figure 8: Process initiating a Tor network connection

Following the network trail, we can see that the sample downloaded Tor libraries from a now inactive GitHub URL, then made a request to the .onion

Figure 9: The .onion and its base64 encrypted payload

the response being another url on the clearnet.

Figure 10: Decrypted base64 payload

By using an .onion to get the “real” URL the malware authors minimize their losses. When the “real” URL’s domain gets taken down, another one can be set up and the response from the .onion will simply be updated, as the .onion, by design, can only be taken down by the one who holds its private key.

This way, if someone downloads the sample after a few years and the initial “real” URL was banned, the infection will still be effective.

6. Continuing with the network path, the “real” URL is used to download a zip file.

Figure 11: Zip archive served by the “real” URL

What is in that archive you ask? Well that’s actually the core of the entire sample.

Figure 12: Contents of the malicious archive

Inside the inj folder is a list of folders containing phishing html kits, whereby the malware is masquerading as reputable major banks in Germany and Austria such as: Volksbank, Bank Austria, BAWAG P.S.K., CommerzBank, Deutsche Bank, easybank, Santander Consumer Bank and some pin apps of Huawei and Samsung phones.

Figure 13: Phishing HTML for Bank of Austria login page

We observed some of them in a state of “TODO”, indicating they are the most probable next targets.

Figure 14: “TODO” Phishing HTML masquerading as a CommerzBank login page

What is even more concerning is what was found in the other folder of the archive

Figure 15: Contents of icons folder

We came upon a stash of more than 200 icons belonging to European banking apps, Crypto apps and other popular apps. All the indications point in conclusion towards this malware campaign evolving throughout 2022, not only targeting a larger network of European banks, but also targeting the crypto realm.

Based on this information alone we could label the sample as malware and write a behavioral rule to detect this type of family, ensuring our systems maintain their high detection rates. In addition to this, we’re now going the extra mile into the static analysis realm – as there may be other dormant behavior or IoCs which could help us in finding other samples and employ even better clustering techniques, to route this malware out.

4. Static analysis

Let’s take a look over the dropped dex, shall we?

Strings Encryption

The first thing we notice are the strings encrypted using XOR and a per class lookup table, in a similar way Flubot does, thus using the same decryption method.

Figure 16: Encrypted strings, decryption key and decryption meth

Now that we can better understand what’s going on, let’s take a look over what is happening with those icons and phishing html files at the code level.

Figure 17: onFcmmessageReceived methods checking the received message is a notification calling another method onInjectNotificationReceived, passing the data along

The intercepted notification is now sent to the CC and also displayed without any change. But what is up with that dropped folder with lots of apps icons? Well, due to some limitation of Android, you can only get the launcher icon of an installed app, not the one displayed inside the notification (yes, they are different). Thus, the malware authors made a big list of icons for the intercepted notifications. Even though the notifications’ text is not manipulated in any way now, in the near future it could be and the list of the dropped notification icons may be the list of targets for that.

Figure 18: onInjectNotificationReceived code and exfiltration to the CC

When an app is started it will be checked to see if it is indeed one of the targets and our research tells us that if that’s the case, the dropped html files will be used as a phishing login page to collect the victims’ credentials.

Figure 19: Checking if the app is one of the phishing targets

Some other interesting capabilities include:

Exfiltrating all sent & received SMS text messages

Figure 20: Every received SMS is exfiltrated along with the sender’s phone number to the CC at device/SMS endpoint
Figure 21: Every sent SMS is exfiltrated to the CC to the device/read-SMS endpoint

Cutting the internet connection surely will stop the malware from stealing my stuff, right?

Figure 22: Methods used for starting Wi-Fi/Mobile Data

There is no benefit to cutting the connection, so that is not an option to stop this malware in its tracks. The malware goes to the settings and enables the Wi-Fi/Mobile Data on its own.

The malware also checks if the execution environment is a popular Android emulator like AVD, Genymotion or VirtualBox or a real Android device as shown in Figure 23.

Figure 23: Checks against popular emulator fingerprints (Genymotion, AVD, Virtualbox)

Hiding the app from the launcher

Figure 24: The empty website, with the warning from the browser

‘What if we just delete the malware by going to the Settings and uninstall it, even if it doesn’t have an icon?’

Figure 25: On line 889, the samples checks if its name aka “BAWAG PSK Security” is present on the screen, does some sanity context checks (e.g. the text is not coming from the sample itself being displayed, or the installer, etc) and clicks on the necessary button to instantly get out of there)

Unfortunately that won’t help a consumer. Every time you manage to get there and click Uninstall, it circumvents this tactic as you will discover you’re sent back to the Home screen.

Exfiltrating the unlocking pin to the CC

Figure 26: The samples monitor events relating to the unlocking of the screen and intercepts the pin code, exfiltrating it to its CC

Sending bulk SMS text messages to all the contacts

Figure 27: Functionality for bulk sending a SMS text message to all victim’s contacts

TeamViewer integration, in case the malware authors want to see/do some custom actions on the infected devices

Figure 28: TeamViewer functionality, finding the on screen displayed username and password

Last but not least, one artifact which may unfortunately reflect reality:

Figure 29: A sad reality reflecting string or just trolling

MITRE Mobile ATT&CK v10 Techniques

TacticIDName
collectionT1409Access Stored Application Data
collectionT1410Network Traffic Capture or Redirection
collectionT1412Capture SMS Messages
collectionT1413Access Sensitive Data in Device Logs
collectionT1417Input Capture
collectionT1432Access Contact List
collectionT1433Access Call Log
collectionT1513Screen Capture
collectionT1517Access Notifications
collectionT1533Data from Local System
collectionT1616Call Control
command-and-controlT1437Standard Application Layer Protocol
command-and-controlT1438Alternate Network Mediums
command-and-controlT1509Uncommonly Used Port
command-and-controlT1616Call Control
credential-accessT1409Access Stored Application Data
credential-accessT1410Network Traffic Capture or Redirection
credential-accessT1411Input Prompt
credential-accessT1412Capture SMS Messages
credential-accessT1413Access Sensitive Data in Device Logs
credential-accessT1416URI Hijacking
credential-accessT1417Input Capture
credential-accessT1517Access Notifications
defense-evasionT1406Obfuscated Files or Information
defense-evasionT1444Masquerade as Legitimate Application
defense-evasionT1447Delete Device Data
defense-evasionT1508Suppress Application Icon
defense-evasionT1516Input Injection
defense-evasionT1523Evade Analysis Environment
defense-evasionT1576Uninstall Malicious Application
defense-evasionT1604Proxy Through Victim
defense-evasionT1618User Evasion
discoveryT1424Process Discovery
discoveryT1523Evade Analysis Environment
executionT1402Broadcast Receivers
executionT1603Scheduled Task/Job
exfiltrationT1437Standard Application Layer Protocol
exfiltrationT1438Alternate Network Mediums
impactT1447Delete Device Data
impactT1448Carrier Billing Fraud
impactT1516Input Injection
impactT1582SMS Control
impactT1616Call Control
initial-accessT1444Masquerade as Legitimate Application
initial-accessT1476Deliver Malicious App via Other Means
network-effectsT1439Eavesdrop on Insecure Network Communication
network-effectsT1463Manipulate Device Communication
persistenceT1402Broadcast Receivers
persistenceT1603Scheduled Task/Job
privilege-escalationT1401Device Administrator Permissions
remote-service-effectsT1468Remotely Track Device Without Authorization

Conclusion & further assumptions

In a nutshell, combining third-party cyber threat intelligence sources with Avira’s Behavioral Analysis Android Sandbox, aka DANY, and some manual analysis we were able to gain a better look at an ongoing malware campaign targeting users from major banks of Germany and Austria.

While currently this campaign targets banking users from Central Europe, the artifacts found make us believe they will soon expand to the rest of Europe, as Hydra Banking Trojan 2.0 attempts to spread its tentacles. Moreover, at Avira our research highlights that it will be aiming squarely at the crypto space, targeting even more people, as they access crypto apps.

2022 may be the year of crypto malware. This type of malware has been on the rise and this new research indicates just how crypto malware is set to aggressively target more unsuspecting victims across Europe this year.

Recommendations

Sometimes, fast adoption of technology is a good thing, but being fast sometimes means skipping steps in your growth. If you have people around you who are new to the realm of Internet Banking like your parents or grandparents, please be patient and share some of your internet behavior knowledge with them.

Also, here are some recommendations for being safe while doing banking from your phone:

  1. Always keep your device up to date
  2. Use a reputable mobile security solution for Android (such as Avira Antivirus Security, Norton Mobile Security, or any other trustworthy solution), to help you avoid malware, it’s certainly worth considering the free versions available.
  3. Official Banking Apps are always on Google Play Store (or the equivalent official store from your region), do not install apps by clicking on random links.
  4. When in doubt, seek professional help.
  5. Don’t click links in sketchy text messages. They can take you to spoof sites that look real but will steal your personal information or install malware on your device.

IoCs

URLs
hxxp://176.121.14[.]62/apk/psk/download.php <

hxxp://loa5ta2rso7xahp7lubajje6txt366hr3ovjgthzmdy7gav23xdqwnid[.]onion/api/mirrors

hxxps://raw.githubusercontent[.]com/dyd1y/tor-files/main/all_tor.zip

hxxps://yuuzzlllaa[.]xyz/storage/zip/kB2xjRKM2JcaZ6vmAVVkY5aNVtjyYozXMNn4taGj.zip

hxxps://babosiki[.]buzz

hxxps://trustpoopin[.]xyz

hxxps://trygotii[.]xyz

hxxps://trytogoi[.]xyz

Hashes
b3572431c29f5d942a11d6eeed332f22b541ead431b1e2a5b76ee9dc7482d2da
d1f96474168d3f712c93482972a629c0b27d59c72bdd42acccc7a9776d6d347d
21927dca6d36fb51ed87f42f925bde7ac18a28d0896f64b572e36ce7ba86c012
68a7db00684e7ea754c9d2f1d26c242059567ae6750ea2b264ef1e7d92c5a019
d213631f26bf4970164ba08baab5b5f8718dd5d9cb6ffe4704dc12e463745566
ef05c7bf79a177f153260d34f3f8c4446960ca486eeeb04e58ca5625498ba0e4
a93d66a127091d11090f544514d7e677c24db69d361008e60fffc5200331a1fe
5a8faa90a1b947ae55fc981d051840628983705c6433002e1cc8444a7e8526fd
b4dadf3553bb82499c4d0b6be96c47c46abc6904b611376d75c844ffb83725c6
460882326e78aaad6457180909ce01ab3a88607ea885798173322d210cb1af4b
580b2dca744c6f30f5f1222f3f1cce7cd25765cbe306844dab269a6e526ffd0e
63907ab37b4d39b645fa1bef4821f2bccfa4fa26a484a5ade792075abd235716
77b62979b466467a00deb74ada61d5d8ba349edb763e1f11bb993fbb2b24d543
eabb9dd3e9dad713b517bb576e979e85c1d7630fe398cf42d3d92cd1264726f8
5f07fd5f9bae3d67496be866e6035926faaef8df7b50c69ee38651bd0c7b660b
8daba255898f93cb348cc1b59dd25223bd459443a41784f423cbb0cee653d846
6e5b7c860358dfc9ad679cecc37668eb98c1d815ec0c3f9a7e180f8213ba8220
e2bf4069cb1056681287e2165e2b23c2aec313a55d6823ffc0c3f9af13081d35
7a10575b8a9a0cdfccb4585ab32ed568c07c69c05bd9b329750839959cb5be15
9d793019580da230f3583021dc5b571523745c525a96d1d67f3e693c10b0c260
d781680e473405d58eff13c4154cd43b8f56ccc677c54b150aa9b5e19032c895
617ec9a28b66d534af9618cd73d93f2703528551b19e8a96671b2bf1ee2c21b8
f42d620a30e299a3a5393a3c6d6452de88e52375a1e8814525c99bc4d50a5771
f5ec3c21987ea44b11a5894c2f8eb68e6dff2c2710875ee94cc9e93bf434152a
4457337649604203ebd38672733bfba4f727e2d614e2518e544693ff4bf3ea86
7b28f3c7172209d74e21c4359f56269d7cb65a24684580524c00b56a0650d5ba
da45d415c8e7b6293c8f5bbd9ad1443fa54f0661008c9cd0b8e5052730735eda
cb8c66be084885dd88353e6725d48dca46286d757e70e55d9c568ceaeb91453a
f48bb168c6904b7bed1bccb9f505eae2a85d7eaeaae4d84ecf7881c44ae16791
8601cfffef535dd68dea6fff720d70bbb7ca5ea9e5f20ee2d7f88355d8c74489
ff3164a1c89f020367105045ee195a5c922154c5472a9fc8ccc8152ea54f6610
de3e82705f19a16b62209ac96811b2101560656249dde4ec2b8b8def755ac127
af27b354c20280567357f5ec779d14e95ec6e04dc10625ef9d4dc99cc55b9eed
a3c34975e0f8791acfe1b7b5e3dac3d92fa1623aefa5101e5185c944bbbf10ac
3b56b9c0d98c475c5f3f3ad98f8a56709f211f8b14a0bec3aba32791ebc647f0
184ea57eb7c01ce4de824c21a8627065ad7001dd09c849663e3ff5bbd4e554fe

Exit mobile version