Malware evolves rapidly, and so do the objectives of cybercriminals. Therefore, one of the most fundamental duties of security researchers is closely observing pieces of malware. Kaspersky Lab's research team has been carefully studying one specific piece of malware, dubbed Asacub. Asacub started out as a simple spyware piece and currently appears to be a fully-equipped banking Trojan.
How Did Asacub Start Out?
As pointed out by Kaspersky’s Roman Unuchek, the first known version of the malware – Trojan-Banker.AndroidOS.Asacub – appeared at the beginning of June 2015. At that time, Asacub was more of a spyware Trojan than a banking one.
What the early variant of Asacub did was steal incoming SMS messages from the victim’s phone and upload them to a malicious server. In addition, this early variant could also gather information (such as the user’s list of applications, browsing history, and contact list), send SMS messages, or turn off the user’s screen.
Then, in July 2015, researchers registered new versions of Asacub to which new commands were added, such as:
get_sms: upload all SMSs to a malicious server;
del_sms: delete a specified SMS;
set_time: set a new time interval for contacting the C&C;
get_time: upload the time interval for contacting the C&C to the C&C server;
mute_vol: mute the phone;
start_alarm: enable the phone mode in which the device processor continues to run when the screen goes blank;
stop_alarm: disable the phone mode in which the device processor continues to run when the screen goes blank;
block_phone: turn off the phone’s screen;
rev_shell: remote command line that allows a cybercriminal to execute commands in the device’s command line;
intercept_start: enable interception of all incoming SMSs;
intercept_stop: disable interception of all incoming SMSs.
Asacub’s Evolution to Banking Malware
The malware didn’t stop there – each following month new commands and capabilities were added to its code, with its most notable evolution being registered in September. This is when Asacub was updated to display phishing screens for a number of banking applications. These most recent versions of Asacub seem to be more focused on stealing banking information than the earlier ones. In comparison, earlier versions only used a bank logo in an icon, while later versions use phishing screens with bank logos.
Later, Asacub was crafted to forward phone calls, make USSD requests, and download and activate various apps from the Web.
Now, let’s jump to December 28, 2015, when Asacub attacks became aggressive and widespread. During this peak of attacks, researchers noticed new features added to Asacub’s set of capabilities:
GPS_track_current – get the device’s coordinates and send them to the attacker;
camera_shot – take a snapshot with the device’s camera;
network_protocol – in the modifications we know of, receiving this command doesn’t produce any results, but there could be plans to use it in the future to change the protocol the malware uses to interact with the C&C server.
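The two command lists above amount to a capability profile a defender can check a sample against. The following triage helper is an added example written for this article, not code from Kaspersky Lab or the original report: it maps the command names listed above to capability categories and to the Android permissions each action would need (that permission mapping, the sample C&C log and the sample manifest are all constructed assumptions), then flags when the observed commands indicate the banking-Trojan profile rather than plain spyware, and when a command was seen that the sample's manifest could not actually carry out.

```python
"""Triage helper for Asacub-style C&C command sets (added example).

Command names come from the article; the capability categories, the
permission mapping, the sample log and the sample manifest are assumptions
constructed for this example.
"""
import re
import xml.etree.ElementTree as ET

# Command -> (capability category, Android permissions the action needs).
# Permission requirements are our assumption based on the Android API.
COMMAND_PROFILE = {
    "get_sms":           ("sms_theft",      {"android.permission.READ_SMS"}),
    "del_sms":           ("sms_theft",      {"android.permission.WRITE_SMS"}),
    "intercept_start":   ("sms_intercept",  {"android.permission.RECEIVE_SMS"}),
    "intercept_stop":    ("sms_intercept",  {"android.permission.RECEIVE_SMS"}),
    "set_time":          ("c2_control",     set()),
    "get_time":          ("c2_control",     set()),
    "network_protocol":  ("c2_control",     set()),
    "mute_vol":          ("device_control", set()),
    "start_alarm":       ("device_control", {"android.permission.WAKE_LOCK"}),
    "stop_alarm":        ("device_control", {"android.permission.WAKE_LOCK"}),
    "block_phone":       ("device_control", set()),
    "rev_shell":         ("remote_shell",   set()),
    "GPS_track_current": ("surveillance",   {"android.permission.ACCESS_FINE_LOCATION"}),
    "camera_shot":       ("surveillance",   {"android.permission.CAMERA"}),
}

# Categories that, when present, point at the banking-Trojan profile described
# in the article (SMS interception defeats SMS one-time codes) rather than
# plain spyware.
HIGH_RISK = {"sms_intercept", "remote_shell", "surveillance"}

# Constructed sample: decoded C&C traffic as a sandbox might log it.
SAMPLE_C2_LOG = """\
2015-12-28 10:01:02 c2<- cmd=set_time arg=600
2015-12-28 10:11:05 c2<- cmd=intercept_start
2015-12-28 10:11:07 c2<- cmd=get_sms
2015-12-28 10:12:30 c2<- cmd=GPS_track_current
2015-12-28 10:13:00 c2<- cmd=frobnicate
"""

# Constructed sample manifest (package name is a placeholder).
SAMPLE_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android" package="com.example.constructed">
  <uses-permission android:name="android.permission.RECEIVE_SMS"/>
  <uses-permission android:name="android.permission.READ_SMS"/>
  <uses-permission android:name="android.permission.SEND_SMS"/>
  <uses-permission android:name="android.permission.INTERNET"/>
</manifest>"""

CMD_RE = re.compile(r"cmd=(\w+)")


def parse_commands(log_text):
    """Return (known_commands, unknown_commands) seen in the log, in order."""
    known, unknown = [], []
    for line in log_text.splitlines():
        m = CMD_RE.search(line)
        if not m:
            continue
        (known if m.group(1) in COMMAND_PROFILE else unknown).append(m.group(1))
    return known, unknown


def capabilities(commands):
    """Capability categories implied by the known commands."""
    return {COMMAND_PROFILE[c][0] for c in commands if c in COMMAND_PROFILE}


def required_permissions(commands):
    """Union of Android permissions the known commands would need."""
    perms = set()
    for c in commands:
        perms |= COMMAND_PROFILE[c][1]
    return perms


def manifest_permissions(manifest_xml):
    """Permissions declared via <uses-permission> in an AndroidManifest.xml."""
    ns = "{http://schemas.android.com/apk/res/android}"
    root = ET.fromstring(manifest_xml)
    return {e.get(ns + "name") for e in root.iter("uses-permission")}


def triage(log_text, manifest_xml):
    """Combine observed commands and declared permissions into a verdict."""
    known, unknown = parse_commands(log_text)
    caps = capabilities(known)
    declared = manifest_permissions(manifest_xml)
    return {
        "capabilities": caps,
        "high_risk": caps & HIGH_RISK,
        "unknown_commands": unknown,          # new commands worth a closer look
        "missing_permissions": required_permissions(known) - declared,
        "verdict": "banking-trojan-profile" if caps & HIGH_RISK else "spyware-profile",
    }


if __name__ == "__main__":
    for key, value in triage(SAMPLE_C2_LOG, SAMPLE_MANIFEST).items():
        print(f"{key}: {value}")
```

On the constructed sample the helper reports the SMS-interception and surveillance categories, flags the unrecognised `frobnicate` command for manual review, and notes that `GPS_track_current` was issued even though the manifest never declares location access, which is exactly the kind of inconsistency that justifies pulling the sample apart further.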
Users should know that Asacub’s communication with its command and control server revealed that it regularly receives commands to work with the mobile banking service of a major Russian bank. Currently, US banks don’t appear to be targeted by the malware, but this could change quickly, as the agenda of the malware operators may take another direction at any time.
Asacub is an all-in-one hacker asset. It could be used for phishing, malware distribution or even blackmailing. As it looks now, the adversaries are just testing out the available toolset, and there are reasons we should anticipate massive campaigns.