Malware evolves quickly, and so do the goals of cyber criminals. Thus, one of the most crucial duties of security researchers is to closely observe malware samples over time. Kaspersky Lab’s research team has been carefully studying one particular malware family dubbed Asacub. Asacub started out as a simple piece of spyware and currently appears to be a fully-equipped banking Trojan.
How Did Asacub Start Out?
As pointed out by Kaspersky’s Roman Unuchek, the first known version of the malware – Trojan-Banker.AndroidOS.Asacub – appeared at the beginning of June 2015. Back then, Asacub was more of a spyware Trojan than a banking one.
The early variant of Asacub stole incoming SMS messages from the victim’s phone and uploaded them to a malicious server. In addition, this early variant could gather information (such as the user’s list of installed applications, browsing history and contact list), send SMS messages, or turn off the user’s screen.
Then, in July 2015, researchers registered new versions of Asacub to which new commands had been added, such as:
get_sms: upload all SMSs to a malicious server;
del_sms: delete a specified SMS;
set_time: set a new time interval for contacting the C&C;
get_time: upload the time interval for contacting the C&C to the C&C server;
mute_vol: mute the phone;
start_alarm: enable phone mode in which the device processor continues to run when the screen goes blank;
stop_alarm: disable phone mode in which the device processor continues to run when the screen goes blank;
block_phone: turn off the phone’s screen;
rev_shell: remote command line that allows a cybercriminal to execute commands in the device’s command line;
intercept_start: enable interception of all incoming SMSs;
intercept_stop: disable interception of all incoming SMSs.
Asacub’s Evolution to Banking Malware
The malware didn’t stop there – in each subsequent month new commands and capabilities were added to its code, with its most notable evolution being registered in September. This is when Asacub was updated to display phishing screens for a number of banking applications. These more recent versions of Asacub are clearly more focused on stealing banking information than the earlier ones: earlier versions merely used a bank logo as an icon, while later versions display phishing screens carrying bank logos.
Later, Asacub was crafted to forward phone calls, make USSD requests, and download and activate various apps from the Web.
Now, let’s jump to December 28, 2015, when Asacub attacks became aggressive and widespread. During this peak of attacks, researchers noticed new features added to Asacub’s set of capabilities:
GPS_track_current: get the device’s coordinates and send them to the attacker;
camera_shot: take a snapshot with the device’s camera;
network_protocol: in the modifications known so far, receiving this command doesn’t produce any result, but it may be intended for future use to change the protocol the malware uses to interact with the C&C server.
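The two command lists above (the July 2015 set and the December 2015 additions) give a defender a concrete vocabulary to triage against. The following is an added example, not code from Kaspersky or from the Asacub analysis: it maps each command name quoted in this article to the capability it represents (the category labels are my own assumption), walks a constructed C&C command log in a made-up "timestamp device command [argument]" format, tracks per-device state such as whether SMS interception is active, and raises alerts for the high-risk capabilities and for an SMS deletion that happens while interception is switched on.

```python
"""Triage helper for the Asacub C&C command names described in the article.

Added example; the log format, device ids and capability labels are constructed
assumptions and are not part of the original report.
"""
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple

# Command names as quoted in the article; capability labels are my own (assumption).
COMMAND_CAPABILITY = {
    "get_sms": "sms-exfiltration",
    "del_sms": "sms-tampering",
    "set_time": "c2-config",
    "get_time": "c2-config",
    "mute_vol": "stealth",
    "start_alarm": "persistence",
    "stop_alarm": "persistence",
    "block_phone": "stealth",
    "rev_shell": "remote-shell",
    "intercept_start": "sms-interception",
    "intercept_stop": "sms-interception",
    "GPS_track_current": "location-tracking",
    "camera_shot": "surveillance",
    "network_protocol": "no-op",
}

# Capabilities that warrant an immediate alert on their own (assumption).
HIGH_RISK = {"remote-shell", "sms-interception", "sms-exfiltration"}


@dataclass
class DeviceState:
    intercepting: bool = False            # set by intercept_start / intercept_stop
    c2_interval: Optional[int] = None     # seconds, set by set_time
    capabilities_used: List[str] = field(default_factory=list)
    alerts: List[str] = field(default_factory=list)


def parse_line(line: str) -> Tuple[str, str, str, Optional[str]]:
    """Parse one constructed log line: '<timestamp> <device> <command> [<arg>]'."""
    parts = line.split()
    if len(parts) < 3:
        raise ValueError(f"malformed log line: {line!r}")
    arg = parts[3] if len(parts) > 3 else None
    return parts[0], parts[1], parts[2], arg


def triage(lines: List[str]) -> Dict[str, DeviceState]:
    """Replay a command log and return per-device state and alerts."""
    devices: Dict[str, DeviceState] = {}
    for line in lines:
        ts, dev, cmd, arg = parse_line(line)
        state = devices.setdefault(dev, DeviceState())
        cap = COMMAND_CAPABILITY.get(cmd, "unknown")
        if cap not in state.capabilities_used:
            state.capabilities_used.append(cap)

        # Track the state that later commands depend on.
        if cmd == "intercept_start":
            state.intercepting = True
        elif cmd == "intercept_stop":
            state.intercepting = False
        elif cmd == "set_time" and arg is not None:
            state.c2_interval = int(arg)

        # Alerting: unknown commands (possible new variant) and high-risk capabilities.
        if cap == "unknown":
            state.alerts.append(f"{ts} unknown command {cmd} (new variant?)")
        elif cap in HIGH_RISK:
            state.alerts.append(f"{ts} {cap} via {cmd}")
        # An SMS deleted while interception is active is hidden from the user.
        if cmd == "del_sms" and state.intercepting:
            state.alerts.append(f"{ts} SMS {arg} deleted while interception active")
    return devices


def summarize(devices: Dict[str, DeviceState]) -> Dict[str, Tuple[int, List[str]]]:
    """Return {device: (alert_count, capabilities_used)} for reporting."""
    return {dev: (len(st.alerts), list(st.capabilities_used)) for dev, st in devices.items()}


# Constructed sample log (not real traffic).
SAMPLE_LOG = [
    "2015-12-28T10:00:01 dev-A set_time 60",
    "2015-12-28T10:00:05 dev-A intercept_start",
    "2015-12-28T10:02:13 dev-A del_sms 7",
    "2015-12-28T10:05:00 dev-A get_sms",
    "2015-12-28T10:06:30 dev-B GPS_track_current",
    "2015-12-28T10:07:00 dev-B rev_shell",
    "2015-12-28T10:07:30 dev-B network_protocol",
]

if __name__ == "__main__":
    for dev, st in triage(SAMPLE_LOG).items():
        print(dev, st.c2_interval, st.capabilities_used)
        for alert in st.alerts:
            print("  ALERT", alert)
```

Replaying the constructed log yields three alerts for dev-A (interception enabled, a message deleted while interception is on, and SMS exfiltration) and one for dev-B (the remote shell); the location query and the no-op network_protocol command are recorded as capabilities but do not alert on their own. Feeding the same replay a command name outside the table flags it as unknown, which is the signal a defender would want when a new variant adds commands, as this family did month after month.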
Users should know that analysis of Asacub’s communication with its command and control server revealed that it regularly receives commands to work with the mobile banking service of a major Russian bank. Currently, US banks don’t appear to be targeted by the malware, but this could change quickly, as the agenda of the malware operators may take another direction at any time.
Asacub is an all-in-one hacker asset. It could be used for phishing, malware distribution or even blackmail. As things stand, the adversaries appear to be merely testing out the available toolset, and there is good reason to anticipate massive campaigns.