Androkins hits Colombia


A few weeks ago we wrote about Androkins (1). Since then we have been actively monitoring Androkins activity, and new botnets keep being added to the list.

Androkins botnets carry an internal name (botnet ID) that can be extracted from the malware. We use this ID to classify our samples and keep everything well organized. Some of the known botnet IDs were: trade, wienna, moon, travel, maven… (full list in the blog post referenced above). The targeted countries were mostly European, with the exception of Canada.

In recent days we have observed the introduction of a new botnet called “coins”. This one was crafted specifically for victims who presumably reside in Colombia or hold an account at one of these banks:

  • Banco de Bogota
  • BBVA Net Cash
  • Banco Davivienda
  • Banco de Occidente

It uses the Man-in-the-Browser (MitB) technique to deceive victims: the webinject script is loaded into the legitimate banking session and displays messages similar to the following:

[Image: excerpt from the malware’s JavaScript webinject code]

The attack proceeds in these steps:

  • Right after login, while the malware performs its background operations, a message instructs the user to wait. (“Por favor espere un momento estamos validando sus datos”: “Please wait a moment, we are validating your details”)
  • Next, an alert about security and safety is shown, instructing the victim to validate herself using her TOKEN. The token she enters is of course captured and used for fraud rather than for any validation. (“Pensando en usted, el Banco de bbva aumentado el nivel de seguridad de su Portal de Internet, a través de la implementación de un esquema de validación de Clave de Token”: “With you in mind, Banco BBVA has raised the security level of its Internet Portal by implementing a Token Key validation scheme”)
  • As a final deceptive step, an error message is displayed telling the user that the requested operation could not be completed, so that the victim does not suspect anything when the transaction fails. (“no fue posible realizar su transacción le invitamos a intentarlo más tarde”: “it was not possible to complete your transaction, please try again later”)

We advise our Colombian readers to be extremely careful if they notice similar messages while using online banking, in particular any unexpected request to enter a token code immediately after logging in.


UPDATE

Sample:

9f6fbdea9e46e19f5170fd8812f7dc88

Main C&C:

hxxp://amellet.bit/itm/

C&C (webinjects):

hxxps://www.habladours.com/cinp/bbva.js
hxxps://www.habladours.com/cinp/davi.js
hxxps://www.habladours.com/cinp/occired.js
hxxps://www.habladours.com/cinp/bancolombia.js
hxxps://www.habladours.com/cinp/bancolombia_personas.js
hxxps://www.habladours.com/cinp/davi-personas.js
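As an added example (not code from the post or from S21sec), the script below refangs the indicators listed above and matches them against proxy log lines. The log lines and their format (“timestamp client method url status”) are constructed for the demo and are an assumption; adapt the regular expression to your own proxy or DNS log format. Besides exact URL hits it also flags any request to a .bit hostname: .bit is the Namecoin blockchain TLD and does not exist in public DNS, so a client resolving one inside a corporate network is worth triage on its own.

```python
"""Match the Androkins "coins" IOCs against proxy log lines.

Added example, not part of the original post. Indicators are copied from
the UPDATE section; the log format and sample lines are assumptions.
"""
import re
from urllib.parse import urlsplit

# Indicators from the post, still defanged (hxxp -> http is applied below).
SAMPLE_MD5 = "9f6fbdea9e46e19f5170fd8812f7dc88"
MAIN_C2 = "hxxp://amellet.bit/itm/"
WEBINJECT_URLS = [
    "hxxps://www.habladours.com/cinp/bbva.js",
    "hxxps://www.habladours.com/cinp/davi.js",
    "hxxps://www.habladours.com/cinp/occired.js",
    "hxxps://www.habladours.com/cinp/bancolombia.js",
    "hxxps://www.habladours.com/cinp/bancolombia_personas.js",
    "hxxps://www.habladours.com/cinp/davi-personas.js",
]


def refang(url):
    """Turn a defanged 'hxxp(s)://' URL back into a comparable real URL."""
    return re.sub(r"^hxxp", "http", url, flags=re.IGNORECASE)


IOC_URLS = {refang(u).lower() for u in [MAIN_C2] + WEBINJECT_URLS}
IOC_HOSTS = {urlsplit(u).hostname for u in IOC_URLS}

# Assumed proxy log format: "<timestamp> <client> <method> <url> <status>".
LOG_RE = re.compile(
    r"^(?P<ts>\S+) (?P<client>\S+) (?P<method>\S+) (?P<url>\S+) (?P<status>\d{3})$"
)

# Constructed sample lines for the demo (not real traffic).
SAMPLE_LOG = """\
2017-08-01T10:00:01Z 10.0.0.12 GET https://www.bancodebogota.com/login 200
2017-08-01T10:00:03Z 10.0.0.12 GET https://www.habladours.com/cinp/bbva.js 200
2017-08-01T10:00:04Z 10.0.0.12 POST http://amellet.bit/itm/ 200
2017-08-01T10:00:09Z 10.0.0.40 GET https://www.habladours.com/about.html 200
2017-08-01T10:01:00Z 10.0.0.55 GET https://cdn.example.net/app.js 304
"""


def match_line(line):
    """Return the list of indicator types a single log line triggers."""
    hits = []
    # The sample hash may appear in AV/EDR lines that are not proxy entries.
    if SAMPLE_MD5 in line.lower():
        hits.append("sample_hash")
    m = LOG_RE.match(line.strip())
    if not m:
        return hits
    url = m.group("url").lower()
    host = urlsplit(url).hostname or ""
    if url in IOC_URLS:
        # Exact URL from the post: webinject download or main C&C check-in.
        hits.append("webinject_url" if host.endswith("habladours.com") else "c2_url")
    elif host in IOC_HOSTS:
        # Known host but a path not listed in the post: still worth triage.
        hits.append("ioc_host")
    if host.endswith(".bit"):
        # Namecoin TLD; not resolvable through public DNS, so suspicious by itself.
        hits.append("namecoin_tld")
    return hits


def scan(log_text):
    """Scan a whole log; return (line_number, hits) for every matching line."""
    findings = []
    for number, line in enumerate(log_text.splitlines(), 1):
        hits = match_line(line)
        if hits:
            findings.append((number, hits))
    return findings


if __name__ == "__main__":
    for number, hits in scan(SAMPLE_LOG):
        print(f"line {number}: {', '.join(hits)}")
```

Running it on the constructed log flags line 2 (webinject download), line 3 (main C&C on a .bit domain) and line 4 (a request to the webinject host for a path the post does not list), while the legitimate bank and CDN requests produce no hit.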


(1) https://www.s21sec.com/en/blog/2017/07/androkins/
