Analysis of Ghimob banking trojan

Guildma is a member of the Tétrade banking trojan family, which remains active and under continuous development. Recently, its new mobile banking trojan, Ghimob, has begun infecting mobile devices, mainly targeting banking, FinTech, exchange, and cryptocurrency applications in Brazil, Paraguay, Peru, Portugal, Germany, Angola, and Mozambique.

Once a Ghimob infection is complete, the attackers can remotely access the infected device and complete transactions from the victim's own phone. If the user has set a screen lock, Ghimob can record it and later replay it to unlock the device. When the attacker carries out a transaction, the trojan uses a WebView to overlay the main screen or to open a website in full screen; while the user is looking at that screen, the attacker completes transactions in the background using the financial applications.

Multi-platform Financial Attacks

While monitoring the activity of the Guildma Windows malware, links to ZIP files and APK files used to spread malware were found, all of them pointing to the same URL. If the user who clicks the malicious link is using an Android browser, the file downloaded is the Ghimob APK. The APK is hosted on multiple malicious domains registered by Guildma, and after installation the application abuses Android's 'Accessibility Mode' to gain persistent control of the target.

Distribution of infected countries/regions (figure in the original post).

To entice victims into installing the malicious file, the email provides a link to view more details, and the recipient is led to the download through that link. The application itself is disguised as Google Defender, Google Docs, WhatsApp Updater, and similar. On startup the malware checks for a debugger and terminates itself if one is present.

After infection, the malware sends a message to the server containing the phone model, whether a screen lock is set, and the list of installed applications. Ghimob monitors 153 applications, mainly banking, FinTech, cryptocurrency, and exchange apps.

Remote Control

After installation, Ghimob hides the application icon, decrypts the hardcoded C2 list, and contacts each of those C2s to receive the real C2 address.

In the analyzed samples the C2 providers are the same, but the real C2 differs between samples; all communication goes over HTTP/HTTPS.

Victim List

The report in the Financial Threat Intel Portal describes all the commands used by the RAT. Below is a sample of the data the RAT reports for an infected device:

Client:[TARGETED APP]
ID: xDROID_smg930a7.1.125_7206eee5b3775586310270_3.1
Date:Sep 24
2020 3:23:28 PM
Ref:unknown SAMSUNG-SM-G930A 7.1.1 25
KeySec:true KeyLock:false DevSec:true DevLock:false
com.sysdroidxx.addons - v:3.1
Activate Google Docs
=======================================
Connection Link:hxxp://www.realcc.com
8-digit password:12345678
6-digit password:123456

=======================================
============== LOG GERAL ==============
=======================================
22{< x >}[com.android.launcher3]--[TEXT: null]--[ID: com.android.launcher3:id/apps_list_view]--[DESCRICAO: null]--[CLASS: android.support.v7.widget.RecyclerView]
22{< x >}[com.android.launcher3]--[TEXT: null]--[ID: com.android.launcher3:id/apps_list_view]--[DESCRICAO: null]--[CLASS: android.support.v7.widget.RecyclerView]
22{< x >}[com.android.launcher3]--[TEXT: null]--[ID: com.android.launcher3:id/apps_list_view]--[DESCRICAO: null]--[CLASS: android.support.v7.widget.RecyclerView]
16{< x >}[targeted app]--[TEXT: ]--[ID: null]--[DESCRICAO: Password of 8 digits]--[CLASS: android.widget.EditText]
0{< >}[targeted app]--[TEXT: null]--[ID: null]--[DESCRICAO: null]--[CLASS: android.widget.FrameLayout]
1{< >}[targeted app]--[TEXT: null]--[ID: null]--[DESCRICAO: null]--[CLASS: android.widget.LinearLayout]
2{< >}[targeted app]--[TEXT: null]--[ID: android:id/content]--[DESCRICAO: null]--[CLASS: android.widget.FrameLayout]
3{< >}[targeted app]--[TEXT: null]--[ID: null]--[DESCRICAO: null]--[CLASS: android.widget.FrameLayout]


=======================================
================ BALANCES ===============
=======================================
[DESCRICAO: Rolando Lero Agency: 111. Digit 6. Current account: 22222. Digit .7]--
[TEXT: Account Rolando Lero]
[DESCRICAO: Agency: 111. Digit 6. Current account: 22222. Digit .7]--[TEXT: 111-6 22222-7]
[DESCRIPTION:Available balance]
R$ 7000,00]--
[DESCRIPTION:7000,00]--[TEXT:R$ 7000,00]
[TEXT:Available balance]
[DESCRIPTION:Scheduled until 04/Oct
R$ 6000,00 ]--
[DESCRIPTION:6000,00 ]--[TEXT:R$ 6000,00 ]
[TEXT:Scheduled until 04/Oct]

Rather than monitoring the screen in real time, Ghimob reads the text content of the target application and uses it to attack selectively. It watches for the following Portuguese words: saldo (balance), investimento (investment), empréstimo (loan), extrato (statement).
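As an added example (not code from the original post or from the malware), here is a small Python parser for the "LOG GERAL" accessibility-tree lines shown above; it flags captured password input fields and searches the captured text for the Portuguese keywords listed here, which is useful when triaging recovered C2 logs. The meaning of the `{< x >}` marker and the package name `br.example.bank` are assumptions made for the demo.

```python
import re

# One "LOG GERAL" line, in the layout reproduced in the post:
#   <n>{< x >}[package]--[TEXT: ..]--[ID: ..]--[DESCRICAO: ..]--[CLASS: ..]
LINE_RE = re.compile(
    r"^(?P<idx>\d+)\{<(?P<flag>[^>]*)>\}\[(?P<pkg>[^\]]+)\]"
    r"--\[TEXT: ?(?P<text>.*?)\]--\[ID: ?(?P<vid>.*?)\]"
    r"--\[DESCRICAO: ?(?P<desc>.*?)\]--\[CLASS: ?(?P<cls>.*?)\]$"
)
# Portuguese words the post says Ghimob scans for in app text.
KEYWORDS = ("saldo", "investimento", "empréstimo", "extrato")

def parse_line(line):
    """Return a dict for one accessibility-tree line, or None for anything else."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    nul = lambda s: None if s == "null" else s   # the log writes "null" for absent values
    return {"idx": int(m["idx"]),
            "flagged": m["flag"].strip() == "x",   # "{< x >}" vs "{<  >}" (meaning assumed)
            "pkg": m["pkg"], "text": nul(m["text"]), "id": nul(m["vid"]),
            "desc": nul(m["desc"]), "cls": m["cls"]}

def parse_log(blob):
    return [n for n in map(parse_line, blob.splitlines()) if n]

def credential_fields(nodes):
    """Text-input widgets whose description mentions a password."""
    return [n for n in nodes if n["cls"].endswith("EditText")
            and n["desc"] and "password" in n["desc"].lower()]

def keyword_hits(nodes):
    """(package, keyword) pairs where captured TEXT or DESCRICAO holds a target word."""
    hits = []
    for n in nodes:
        blob = " ".join(s for s in (n["text"], n["desc"]) if s).lower()
        hits += [(n["pkg"], k) for k in KEYWORDS if k in blob]
    return hits

# Three lines copied from the post's sample log, one constructed Portuguese line
# (package "br.example.bank" is made up for this demo) and one separator line.
SAMPLE = """\
22{< x >}[com.android.launcher3]--[TEXT: null]--[ID: com.android.launcher3:id/apps_list_view]--[DESCRICAO: null]--[CLASS: android.support.v7.widget.RecyclerView]
16{< x >}[targeted app]--[TEXT: ]--[ID: null]--[DESCRICAO: Password of 8 digits]--[CLASS: android.widget.EditText]
0{< >}[targeted app]--[TEXT: null]--[ID: null]--[DESCRICAO: null]--[CLASS: android.widget.FrameLayout]
5{< >}[br.example.bank]--[TEXT: Saldo disponível]--[ID: null]--[DESCRICAO: Extrato da conta]--[CLASS: android.widget.TextView]
=======================================
"""
```

Running `credential_fields(parse_log(SAMPLE))` returns the EditText node with the "Password of 8 digits" description, and `keyword_hits` returns the saldo/extrato matches for the constructed line.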

IOC

Original link: securelist