A New Variant Of Hydra Banking Trojan Targeting European Banking Users

by chebbi abir

There has been a significant increase in digital transactions over the past year, particularly due to the COVID-19 pandemic, which has forced people to rely heavily on online services. However, this increase in digital traffic has not gone unnoticed. Cybercriminals have seen it as an opportunity to target users. Recently, we came across several scenarios where cyber frauds target bank customers. We have covered one such incident in this report.

Cyble researchers came across a phishing campaign targeting CommerzBank. This campaign came to our attention via a researcher’s Twitter Post.

Commerzbank Aktiengesellschaft is a major German bank that has global operations, headquartered in Frankfurt am Main.

In the Twitter post, the researcher mentioned that Android malware is spreading through a page posing as the official CommerzBank page. It is also highlighted that the Threat Actor(s) (TA) has registered multiple domains on the same IP and the fake website is spreading malicious apps posing as CommerzBank app.

Refer to Figure 1.

The IP of the phishing domain:  91.214.124[.]225

Figure 1: List of Phishing domains registered on the IP (Ref: VirusTotal)

Cyble’s Research Labs has collected samples related to this campaign and analyzed them thoroughly. Based on our analysis, we determined that the malware is a variant of Hydra, an Android Banking Bot initially found in early 2019.

From our analysis, alongside standard banking trojan behavior such as creating an overlay for stealing credentials, Hydra has evolved. It now incorporates TeamViewer functionality, similar to S.O.V.A. malware, and is also using different encryption techniques to evade detection and using Tor for communication.

Our research team also observed that there are HQwar Banking trojans posing as CommerzBank mobile apps.

Technical Analysis Of Hydra

The Hydra malware shares the same icon and app name as the CommerzBank Mobile app as shown below.

Figure 2: APK File Info

APK File Information

  • APP Name: Commerzbank Security
  • Package Name: com.qcavvlvk.woucngh
  • SHA256: 5e9f31ecca447ff0fa9ea0d1245c938dcd4191b6944f161e35a0d27aa41b102f

Manifest Description

The fake app requests 21 different permissions, of which the TA abuses 10 permissions. The dangerous permissions are:

Permission Name Description
CHANGE_WIFI_STATE Modify Device’s Wi-Fi settings
READ_CONTACTS Access to phone contacts
READ_EXTERNAL_STORAGE Access device external storage
WRITE_EXTERNAL_STORAGE Modify device external storage
READ_PHONE_STATE Access phone state and information
CALL_PHONE Perform call without user intervention
READ_SMS Access user’s SMSs stored in the device
REQUEST_INSTALL_PACKAGES Install applications without user interaction
SEND_SMS Allows the app to send SMS messages
SYSTEM_ALERT_WINDOW Allows to display system alerts over other apps
Table 1: List of Dangerous Permission

The Hydra malware requests for two extremely dangerous permissions, BIND_ACCESSIBILITY_PERMISSION and BIND_DEVICE_ADMIN.

Accessibility Service is a background service running on the device to aid users with disabilities. BIND_ACCESSIBILITY_SERVICE permission allows the app to access the Accessibility Service.

Malware authors abuse this service to intercept and monitor all activities happening on the device’s screen. For example, using Accessibility Service, malware authors can intercept the credentials entered on another app.

BIND_DEVICE_ADMIN is a permission that allows fake apps to get admin privileges on the infected device. Hydra can abuse this permission to lock the device, modify or reset the screen lock PIN, etc.

Upon enabling these permissions, the malware performs activities such as:

  1. Collecting contacts and SMSs.
  2. Stealing credentials such as OTPs, device lock screen PIN etc.
  3. Modifying device settings.
  4. Spying on user activities.
  5. Sending bulk SMSs to victim’s contacts.

Manifest Analysis

The malware has multiple entry points declared in the application’s manifest file:

  1. com.gameloft.titanic.k: The class which executes initially when the victim launches the app.
  2. com.qcavvlvk.woucngh.MainActivity: The class which executes and shows the first page of the application.
  3. com.qcavvlvk.woucngh.bot.receivers.MainReceiver:  A listener class to start the malware behavior upon device reboot.
Figure 3: APK’s manifest file with the classes

Our investigation of the sample revealed that the APK file is missing some classes mentioned in the manifest (shown in Figure 3).

Some of the missing classes are listed in the below table.

Missing classes Class description
com.qcavvlvk.woucngh.MainActivity Launcher class
com.qcavvlvk.woucngh.bot.receivers.MainReceiver Listener triggered on device reboot
com.qcavvlvk.woucngh.bot.components.injects.system.
InjAccessibilityService
Class used to handle Accessibility Service
com.qcavvlvk.woucngh.bot.HelperAdmin$MyHomeReceiver Class to handle Device Admin service
Table 2: Some of the Missing classes

Source Code Analysis

Upon inspecting the APK file, we observed that the MainActivity, MainReceiver, and various other classes mentioned in the table are missing in the APK file. The malware uses a custom packer to evade signature-based detection.

The fake app hides these classes inside a DEX file with the help of a custom packer. The DEX file is encrypted and stored in a file in the APK’s assets folder. The fake app unpacks and loads the classes from the DEX file during the execution phase. The APK file is shown in the figure below.

Figure 4: File in assets folder containing the encrypted DEX file

By reverse-engineering the sample, we decrypted and extracted the DEX file. This file contains all the missing classes, and upon inspection, we observed that these classes have malicious functionalities such as:

  1. Collecting personal information such as contacts, SMSs.
  2. Sending bulk SMSs.
  3. Creating overlay over other apps using SYSTEM_ALERT_WINDOW permission.
  4. Disabling Android’s built-in security feature – Google Play Protect.
  5. Screencast the device screen to TA’s system.
  6. Performing a phone call to TA’s provided number.
  7. Subscribing to premium WAP services through SMSs or phone calls.
  8. Uploading hardware information of the infected device.

The below code in Figure 5 shows how Hydra malware collects contacts to upload to Command and Control (C&C) server.

Figure 5: Code to collect contacts for upload

Figure 6 shows the code to collect phone numbers from the infected device contacts and send SMSs with the text provided by the TA.

Figure 6: Code to send SMSs to the phone number in the victim’s contact

Execution Behavior

Upon starting the fake app, Hydra malware initially requests the user to enable Accessibility permission. Once this permission is enabled, the malware enables other permissions such as Device Admin permission, Contacts permission, etc.

The below figure shows the execution flow of the malware in the initial stages.   

Figure 7: Initial Execution behavior of the malware

We also observed that the malware hides its icon post-launch as shown in Figure 8.

Figure 8: Device screenshot and code depicts that the malware hides the icon

The malware also checks whether the execution environment is an emulator or an actual Android device using the checks shown in Figure 9.

Figure 9: Code used for emulator check

Cyble Research Labs evaded this anti-sandboxing technique during our analysis with the help of hooking techniques using Frida scripts.

Accessibility Abuse

Hydra malware abuses the Accessibility feature to perform multiple malicious activities such as:

  1. Collecting user inputs and user interactions on the device screen.
  2. Enabling all permissions without user interaction.
  3. Restricting the user from modifying the malware’s capabilities from Settings app.
  4. Performing TeamViewer functionality with the help of screencast APIs and Accessibility service.
  5. Stealing device lock screen PIN during user unlock.
  6. Injecting values in fields for user input.

The code used for the above activities is shown below.

Figure 10: Code to abuse accessibility service

From our analysis, we observed that Hydra uses the TeamViewer functionality by abusing the Accessibility service.

The malware can act as a TeamViewer app for the TA. The fake app casts the device screen using the Screencast APIs. The TA’s interactions are converted to screen with the help of the Accessibility service.

The code using Accessibility to perform TeamViewer activity is shown below.

Figure 11: Code using Accessibility to perform TeamViewer activity

Hydra collects and uploads all the collected information to the C&C server. The malware performs these activities based on the commands from the TA.

C&C Server

The malware initiates a TOR communication and accesses a TOR URL. The TOR URL acts as a proxy and provides the C&C URL encoded in Base64.

TOR URL: hxxp://db4z37rzfrhgaazp[.]onion/api/mirrors

The response from the TOR URL is shown below.

Figure 12: Screenshot from TOR Proxy URL

Decoded C&C URL:  hxxps://hastztafc66[.]xyz

Upon accessing the C&C URL, the webpage opens a login panel as shown below.

Figure 13: C&C URL with the login panel

New Features Found In Hydra (Undocumented Features)

In 2019, Hydra malware behaved as a normal Banking bot which created an overlay on targeted apps with the help of SYSTEM_ALERT_WINDOW permission.

In the latest version that we have analyzed, the TA behind this campaign has incorporated enhancements to the Hydra malware.

These enhancements are listed below:

  1. TeamViewer functionality (explained in Accessibility Abuse section).
  2. TOR communication and TOR Proxy Server for delivering the C&C URL.
  3. Enabling SOCKS Proxy to redirect device’s traffic for inspection.
  4. Disabling Play Protect – an inbuilt Android security feature.

The code used to enable SOCKS Proxy is shown below.

Figure 14: Code to enable SOCKS Proxy

Cyble Research Labs has observed that the TA is spreading another malware variant through the same IP. Upon analysis, we observed that the malware is also posing as a CommerzBank mobile app, and we found that the fake app is a variant of HQwar malware.

Conclusion

Recently, we have observed an increase in Android Banking Trojans being distributed through various campaigns. We have covered several such campaigns in our Cyble Research Lab blogs. This new variant of Hydra malware is the latest among the trojans spreading through phishing campaigns.

We have also observed that the malware authors of Hydra are incorporating new technology to steal information and money from its victims. Alongside these features, the recent trojans have incorporated sophisticated features. We observed the new variants have TeamViewer or VNC functionality and TOR for communication, which shows that TAs are enhancing their TTPs.

Based on this pattern that we have observed, malware authors are constantly adding new features to the banking trojans to evade detection by security software and to entice cybercriminals to buy the malware. To protect themselves from these threats, users should only install applications from the official Google Play Store.

Our Recommendations

We have listed some of the essential cybersecurity best practices that create the first line of control against attackers. We recommend that our readers follow the best practices given below:   

  1. If you find this malware in your device, uninstall using adb uninstall or perform a factory reset.
  2. Use shared IoCs to monitor and block malware infection. 
  3. Keep your anti-virus software updated to detect and remove malicious software. 
  4. Keep your Operating System and applications updated to the latest versions. 
  5. Use strong passwords and enable two-factor authentication.
  6. Download and install software only from registered app stores.

MITRE ATT&CK® Techniques

Tactic  Technique ID  Technique Name
Defense Evasion T1406 Obfuscated Files or Information
Defense Evasion T1444   Masquerade as Legitimate Application
Defense Evasion T1523 Evade Analysis Environment
Credential Access T1412 Capture SMS Messages
  T1409 Access Stored Application Data
 Discovery T1421    System Network Connections Discovery
Discovery T1418 Application Discovery
Discovery T1016 System Network Configuration Discovery
Discovery T1424 Process Discovery
Collection T1507 Network Information Discovery
Collection T1412 Capture SMS Messages
Collection T1432 Access Contact List
Collection T1513 Screen Capture
Command and Control T1571 Non-Standard Port
Command and Control T1573 Encrypted Channel
Command and Control T1090 Proxy
Command and Control T1090.003 Multi-hop Proxy
Impact T1447 Delete Device Data
Impact T1448 Carrier Billing Fraud

Indicators Of Compromise (IoCs):  

Indicators Indicator type Description
5e9f31ecca447ff0fa9ea0d1245c938dcd4191b6944f161e35a0d27aa41b102f SHA256 Hash of the Hydra sample1
55af70f1d700bb8f18c425c5cf57837d7b552d81e5ca33796d01c6a116b8f72f SHA256 Hash of the Hydra sample2
1999431a84f10eea1ea0fcae0413ee7346d8c6f70d59451d0d88eba8b7a1d1e4 SHA256 Hash of the Hqwar sample
91.214.124[.]225 IP IP where the Phishing pages are hosted and used to spread trojans
hxxp://db4z37rzfrhgaazp[.]onion/api/mirrors URL TOR Proxy server URL
hxxps://hastztafc66[.]xyz URL C&C URL

To read the original article:

https://blog.cyble.com/2021/09/30/a-new-variant-of-hydra-banking-trojan-targeting-european-banking-users/

 

Top

Interdit de copier  ce contenu