News from our Cybersecurity Expert Center

We bring you the latest cybersecurity news and alerts detected by our team.

Connect with us at siainfo@sia.es

Outstanding cybersecurity news

Vulnerabilities

HPE Aruba Networking patches three critical vulnerabilities in the CLI of its access points (CVE-2024-42505, CVE-2024-42506 and CVE-2024-42507)
Source: bleepingcomputer.com

Cisco releases security patch fixing 7 high-severity vulnerabilities in IOS and IOS XE software
Source: securityweek.com

Malware

New Lumma Stealer malware malvertising campaign distributed in League of Legends free download ads
Source: infosecurity-magazine.com

New variant of RomCom malware called SnipBot used in data theft attacks
Source: bleepingcomputer.com

Cybersecurity

Dell suffers third data breach in less than two weeks by threat actor Grep
Source: hackread.com

Thousands of US congressional emails exposed on underground forums
Source: infosecurity-magazine.com

Latest threats detected

New version of Octo Trojan detected in malicious APK spreading campaign

30/09/2024

Executive summary

The new version of the Octo banking Trojan for Android, called Octo2, is spreading across Europe via fake APKs posing as NordVPN and Google apps.

Data

Type: Malware
TLP: White
Targets: Multiple
Affected assets: Multiple
Attack vector: APK
Tags: Chrome, NordVPN, Octo2, RAT, android, malware

Description

 

Octo is an Android banking Trojan that evolved from ExoCompact (2019-2021), which in turn was based on the ExoBot Trojan, released in 2016 and whose source code was leaked online in the summer of 2018. A campaign distributing a new version of the Trojan, called Octo2, is currently being observed targeting Italy, Poland, Moldova and Hungary. However, since the Octo Malware-as-a-Service (MaaS) platform has already been used in attacks around the world, campaigns of this banking malware are likely to appear soon in other regions.

Technical Details

 

The new variant features improved operational stability, more advanced anti-analysis and anti-detection mechanisms, and a domain generation algorithm (DGA) for resilient command and control (C2) communications. These changes are detailed below:

  • Increased RAT stability: The developers updated the RAT capabilities to increase stability and decrease connection latency during remote sessions. They introduced a specific remote session setting, ‘SHIT_QUALITY’, that an operator can enable to decrease the amount of data transmitted over the Internet to the C2 and keep the connection stable even on networks with poor connectivity. This setting causes Octo2 to lower the quality of the screenshots sent to the C2 by encoding each pixel with half the usual number of bytes.

  • Improved anti-analysis and anti-detection techniques: The developers implemented a more sophisticated obfuscation of the malicious code compared to previous variants. Execution consists of several steps, including the decryption and dynamic loading of an additional native library, which is responsible for decrypting the payload and for generating the encryption keys and the C2 domain names.

  • Communication with C2 and Domain Generation Algorithm (DGA): Octo2 uses a DGA to generate the real name of the C2 server. This technique allows the operators to update domain names on the fly without regenerating samples, and to easily set up new servers under new names after known ones are taken down.

The key derivation for encrypting data sent to the C2 has also been updated: instead of a static encrypted key, the malware generates a new key for each request to the C2. The cryptographic ‘salt’ is sent as part of the request so that the C2 server can derive the same key on its side and decrypt the data.

In the most recent operations, threat actors use APK files that pose as NordVPN and Google Chrome apps, as well as a "Europe Enterprise" app, which is likely a decoy used in targeted attacks. Octo2 uses the Zombider service, an application distributed on the Dark Web that binds malware to legitimate Android apps in order to add the malicious payload to these APKs, circumventing the security restrictions of Android 13 and later.

Techniques used

INITIAL ACCESS

Supply Chain Compromise: Compromise Software Dependencies and Development Tools (T1195.001)

EXECUTION

User Execution: Malicious File (T1204.002)

Scheduled Task/Job: Scheduled Task (T1053.005)

DEFENSE EVASION

Masquerading: Masquerade File Type (T1036.008)

Process Injection: Dynamic-link Library Injection (T1055.001)

COMMAND & CONTROL

Dynamic Resolution: Domain Generation Algorithms (T1568.002)

Protocol Tunneling (T1572)

COLLECTION

Input Capture: Keylogging (T1056.001)

Screen Capture (T1113)

EXFILTRATION

Supply Chain Compromise: Compromise Software Dependencies and Development Tools (T1195.001)

Recommendations

Protection

 

  • Only install applications that are essential.
  • Be careful when selecting the applications to be installed on the device, preferring those that request as few permissions as possible.
  • Also, review and restrict the use of abusive permissions.
  • Install a reliable antivirus to scan the device.
  • Only install applications from the official market.
  • Keep the device's operating system up to date.
  • Deactivate automatic application updates and update applications only once you have verified that they work correctly and do not pose a risk to the user.
  • Avoid connecting to insecure networks.
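As an added, defender-side illustration of the "official market only" recommendation (this script is not SIA's tooling and is not from the original alert): a POSIX shell function that flags Android packages whose installer is not Google Play, parsing the output format of `adb shell pm list packages -i`. The installer allow-list and the sample listing are assumptions; the package names in the sample are placeholders.

```shell
#!/bin/sh
# Lists Android packages whose installer is not an allow-listed store.
# Input lines are in the format printed by `adb shell pm list packages -i`:
#   package:<package name>  installer=<installer package or null>
# Assumption: only Google Play (com.android.vending) counts as the official
# market; add vendor stores to ALLOWED_INSTALLERS as needed.
ALLOWED_INSTALLERS="com.android.vending"

# Reads the listing on stdin and prints "<package>\t<installer>" for every
# package that was not installed by an allowed store. Sideloaded APKs show
# installer=null or the stock package installer.
sideloaded_packages() {
    while IFS= read -r line; do
        set -- $line              # word-split: $1=package:<pkg> $2=installer=<name>
        case "$1" in
            package:*) ;;
            *) continue ;;        # skip anything that is not a package line
        esac
        pkg=${1#package:}
        installer=${2#installer=}
        allowed=0
        for store in $ALLOWED_INSTALLERS; do
            [ "$installer" = "$store" ] && allowed=1
        done
        [ "$allowed" -eq 1 ] || printf '%s\t%s\n' "$pkg" "$installer"
    done
}

# Constructed sample listing (not from a real device; com.example.* names are
# placeholders) so the script runs offline.
SAMPLE='package:com.android.chrome  installer=com.android.vending
package:com.example.vpnclient  installer=com.android.vending
package:com.example.vpnclient.free  installer=null
package:com.example.enterprise  installer=com.android.packageinstaller'

# On a real device: adb shell pm list packages -i | sideloaded_packages
printf '%s\n' "$SAMPLE" | sideloaded_packages
```

Every flagged package deserves a look at its signing certificate and requested permissions; a VPN or browser app installed outside the store is exactly the pattern described in this alert.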

 

Mitigation

 

  • Make regular backups of the device.
  • If the installation of a malicious application is detected, restore the device to factory firmware.

 

We promote the transformation of business and society through innovative solutions and services, putting people at the center.

minsait.com

Indra is one of the leading global technology and consulting companies: the technology partner for key operations of client businesses worldwide.

 

indracompany.com
