Botconf Author Listing

Raman Ladutska

Last known affiliation: Check Point
Bio: Raman Ladutska has been interested in exploring the world’s internals since childhood. He had a solid start, with a bunch of encyclopedias for reading, Lego bricks for building, and even a microscope for exploring. Raman’s family still have fond memories of the reverse-engineered things he left in his wake. Next came perusing hacker magazines, learning to reverse engineer programs, university studies in computer security, graduation and being an all-around jolly good fellow to this very day. Check Point Research team presents great opportunities for Raman to take on different challenges, channeling his energy and determination to a peaceful course of development and sharing the results with fellow researchers and the community.
Date: 2022-04-28
How Formbook became XLoader and migrated to macOS
Alexey Bukhteyev 🗣 | Raman Ladutska 🗣

Abstract

In this talk we analyze the prevalent malware family Formbook and its successor XLoader from different angles, including OSINT and technical sides. XLoader is a logical step in Formbook’s evolution; it is now able to target not only Windows but macOS as well.

Our aim is to help the listeners understand how the malware topped up prevalence lists, which approaches and tools to use for the analysis of this and other cases and how to stay protected from this threat.

TLP:GREEN
Date: 2024-04-25
Eastern Asian Android Assault – FluHorse.
Alexandr Shamshur 🗣 | Raman Ladutska 🗣

Abstract

The FluHorse malware features several malicious Android applications that mimic legitimate applications, each with more than 100,000 installs. These malicious apps steal the victims’ credentials and Two-Factor Authentication (2FA) codes. FluHorse targets different sectors of Eastern Asian markets and is distributed via emails. In some cases, the emails used in the first stage of the attacks belong to high-profile entities. The malware can remain undetected for months, making it a persistent, dangerous, and hard-to-spot threat.
Quite surprisingly, no custom-implemented tricks are used inside FluHorse, as the malware authors relied solely on an open-source framework for the development of the malicious functionality. It is implemented with Flutter, an open-source UI software development kit created by Google that is used to develop cross-platform applications for various platforms, including Android and iOS for mobile devices, from a single codebase. What makes Flutter an appealing choice for malware developers is its use of a custom virtual machine to support different platforms and its ease of use for the creation of GUI elements. Analyzing such applications is complicated due to the custom VM, which makes this framework a perfect solution for Android phishing attacks, as it turned out to be.
In our research, we describe the different targeted markets in several countries and compare the phishing applications with the legitimate ones – the differences are pretty hard to spot at first glance. We give credit to the available tools for Flutter-application analysis while also providing the enhancements that resulted in our open-source contribution: https://github.com/Guardsquare/flutter-re-demo/pull/4. We go through all the pitfalls encountered during our research and provide solutions on how to bypass them. Finally, we give an overview of the Command-and-Control communication of the malware and dive deeply into the details of the network infrastructure analysis.

TLP:GREEN
Date: 2024-04-25
Evasions Fest of Korean Android Financial Menace – FakeCalls
Raman Ladutska 🗣 | Bohdan Melnykov

Abstract

When malware actors want to enter the business, they can choose markets where their profit is almost guaranteed to be worth the effort – according to past results. The malware does not need to be high profile, just careful selection of the audience and the right market can be enough.

This is the exact case that we observed in South Korea when we encountered an Android Trojan named FakeCalls. This malware can masquerade as one of more than 20 financial applications and imitate phone conversations with bank or financial service employees, performing the attack called voice phishing, or vishing.

Vishing attacks have a long history in the South Korean financial market. The problem was so serious that it even drew the attention of the government, which resulted in a careful investigation and subsequent report: financial losses due to voice phishing constituted approximately 600 million USD in 2020, with the number of victims reaching as many as 170,000 people in the period from 2016 to 2020. Knowing these facts, we understand why exactly this country and this market were chosen by FakeCalls.

We discovered more than 3500 samples of the FakeCalls malware that used a variety of combinations of mimicked financial organizations and implemented several new anti-analysis techniques. In our presentation we describe all of the encountered anti-analysis techniques, and show how to mitigate them, refer to the history of South Korean vishing attacks and speak about the key details of the malware functionality.
