BlackRock – Banking Malware Evolved


Saturday, July 25th, 2020

Analysts from ThreatFabric have uncovered a new strain of banking malware which they have dubbed BlackRock. BlackRock itself appears to have code derived from the Xerxes banking malware, which is in turn a strain of the LokiBot Android banking malware. The code for Xerxes was made public back in May 2019. When malware code is made public, it is often followed by similar malware that reuses the leaked code and branches out into different strains. Much the same happened when CometBot, Razdel and Anubis followed the public release of the BankBot trojan's code.

BlackRock is slightly different from other attempts to revitalize old malware, something new threat actors commonly try with old malware code. BlackRock boasts an increased target list which focuses on Android mobile applications, both financial and non-financial, some of them well established. Some of the targeted apps are social, networking, communication, and dating apps, most of which have not been observed in any other target lists of malicious banking campaigns. The authors of the article believe that the increase in social traffic due to the pandemic may be the reason for this strategy of targeting social apps.

BlackRock is a descendant of Xerxes, which is part of the LokiBot strain that has other variants. LokiBot started out as rented malware (malware as a service), which spawned MysteryBot with upgrades for newer Android versions. Then 'Parasite' was created as a successor to MysteryBot. Xerxes is directly based on Parasite, which could not be sold on underground forums and was therefore leaked publicly. Until now it had been mostly dormant; it has resurfaced as BlackRock.

BlackRock works by hiding in the app drawer and asking for Accessibility privileges while posing as a Google Update service. Once the user grants those privileges, the app grants itself the additional privileges it needs to function without any further user input, establishes command and control, and is ready to perform overlay attacks. Among the things it can do are send SMS, flood SMS, spam contacts, become device admin, hide notifications, and log keystrokes, and much more. A unique feature that ThreatFabric notes is how the malware uses Android work profiles, which are meant for defining a device policy controller (DPC) in order to control and apply policies to a mobile fleet. This is what is used to gain admin privileges, "by creating a profile and applying it which has the admin privileges". The overlay attack pops an overlay onto the screen and phishes for credentials; one overlay is generic while the others are specific to each targeted app. Most of the social networking category of apps are targeted by overlays that steal credit card information. Overlays that performed credential theft targeted banks based in Europe, Australia, the United States of America, and Canada. Various other countries are targeted as well for non-banking credentials, such as Spain, U.K., Turkey, Australia, Germany, Poland, Italy, U.S., France, Canada, Croatia, Hungary, Austria, Belgium, and Bulgaria.
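The two privileges described above, an enabled accessibility service and a profile or device owner role, are both visible in device state that an administrator can pull over ADB. The following script is an added example written for this post, not code from ThreatFabric or from the original article: it runs a small offline triage over constructed samples of `adb shell settings get secure enabled_accessibility_services` (a colon-separated list of component names, which is the real format) and of `adb shell dpm list-owners` (whose layout varies by Android version, so the sample is illustrative and the parser only relies on the `ComponentInfo{...}` entries). The package name `com.example.fakeupdate`, the allowlists and the sample output are all assumptions made up for the example.

```python
import re

# Constructed sample of `adb shell settings get secure enabled_accessibility_services`:
# colon-separated Android ComponentName strings ("pkg/cls", where ".Cls" is shorthand
# for "pkg.Cls"). The second entry is a made-up package posing as an update service,
# mirroring the "Google Update" lure described in the post.
SAMPLE_ACCESSIBILITY = (
    "com.google.android.marvin.talkback/.TalkBackService:"
    "com.example.fakeupdate/.UpdateAccessibilityService"
)

# Constructed sample in the spirit of `adb shell dpm list-owners` output. The exact
# layout differs between Android versions, so only ComponentInfo{...} entries are parsed.
SAMPLE_OWNERS = """Device Owner: none
Profile Owner (User 10):
  admin=ComponentInfo{com.example.fakeupdate/com.example.fakeupdate.AdminReceiver}
  name=Google Update
"""

# Assumed allowlists: packages the organization expects to hold each privilege.
EXPECTED_ACCESSIBILITY = {"com.google.android.marvin.talkback"}
EXPECTED_OWNERS = set()  # would normally contain the MDM agent's package

COMPONENT_RE = re.compile(r"ComponentInfo\{([^/}]+)/([^}]+)\}")


def parse_component(name):
    """Split 'pkg/cls' into (pkg, fully-qualified cls), expanding the '.Cls' shorthand."""
    pkg, _, cls = name.partition("/")
    if cls.startswith("."):
        cls = pkg + cls
    return pkg, cls


def parse_accessibility_services(value):
    """Return [(pkg, cls), ...] from the enabled_accessibility_services setting.

    `settings get` prints the literal string "null" when the setting is unset.
    """
    if value is None or value.strip() in ("", "null"):
        return []
    return [parse_component(c) for c in value.strip().split(":") if c]


def parse_owners(text):
    """Return the set of packages holding a device-owner or profile-owner role."""
    return {m.group(1) for m in COMPONENT_RE.finditer(text)}


def triage(accessibility_value, owners_text, expected_access, expected_owners):
    """Flag unexpected privilege holders and, separately, packages holding both roles.

    An unrecognized package that has an accessibility service enabled *and* owns a
    profile is the privilege combination the post describes, so it is reported
    on its own as the highest-priority finding.
    """
    access_pkgs = {pkg for pkg, _ in parse_accessibility_services(accessibility_value)}
    owner_pkgs = parse_owners(owners_text)
    unexpected_access = sorted(access_pkgs - expected_access)
    unexpected_owners = sorted(owner_pkgs - expected_owners)
    both = sorted(set(unexpected_access) & set(unexpected_owners))
    return {
        "unexpected_accessibility": unexpected_access,
        "unexpected_owners": unexpected_owners,
        "accessibility_and_owner": both,
    }


if __name__ == "__main__":
    findings = triage(SAMPLE_ACCESSIBILITY, SAMPLE_OWNERS,
                      EXPECTED_ACCESSIBILITY, EXPECTED_OWNERS)
    for key, pkgs in findings.items():
        print(f"{key}: {', '.join(pkgs) or '-'}")
```

On a real device you would feed `triage()` the two command outputs instead of the constructed samples; a package that shows up in `accessibility_and_owner` is worth pulling (`adb shell pm path <pkg>`) and comparing against the IOCs ThreatFabric published before deciding how to respond.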

ThreatFabric's take on the threat landscape of 2020 is that trojan RATs are on the rise and some of them bring innovative features that make them more malicious. They do not classify BlackRock as very innovative; the increased risk comes instead from the large number of international apps it targets. ThreatFabric expects the second half of 2020 to bring more banking trojans with improvements, along with attempts to revive and update older ones. "The most important aspect to take care of is securing the online banking channels, making fraud hard to perform, therefore discouraging criminals to make more malware." Organizations can also consider implementing people policies and awareness programs, or client-side protection tools. Read more at ThreatFabric's website for IOCs and visuals.
