Analysis Summary

A new strain of Android malware, known as Ajina.Banker, has targeted bank customers in the Central Asian region since November 2023 at the latest, intending to steal bank data and intercept messages about two-factor authentication (2FA).

Researchers, who identified the threat in May 2024, stated that the malware spreads through a network of Telegram channels that the threat actors have set up, hiding behind applications purporting to be genuine banking, payment, government, or everyday utility services. The attacker targets common users with Android banker malware, which is distributed via a network of affiliates driven by financial gain.

Armenia, Azerbaijan, Iceland, Kazakhstan, Kyrgyzstan, Pakistan, Russia, Tajikistan, Ukraine, and Uzbekistan are among the nations that are the targets of the current campaign. Evidence exists to imply that, to increase efficiency, several steps in the malware dissemination process utilizing Telegram may have been automated. The many Telegram accounts are made to send carefully constructed messages to unsuspecting recipients that include APK downloads and connections to other Telegram channels or external sites.

A further advantage of using links connecting to Telegram channels hosting the infected files is that they get over the limitations and security precautions put in place by many community conversations, which helps the accounts avoid being banned when automatic moderation kicks in. The method entails circulating the malicious files in local Telegram chats by disguising them as giveaways and promotions that promise financial prizes and exclusive access to services, in addition to abusing users' trust in legitimate services to maximize infection rates.

In regional community discussions, the usage of themed messaging and tailored promotion tactics proved to be especially successful. Ajina increased the chances of successful infections by adjusting its strategy to the needs and interests of the local people. The threat actors have also been seen using numerous identities to flood Telegram channels with messages, sometimes even at the same moment. This suggests a concerted effort that probably makes use of an automated distribution technique.

The malware is quite simple in and of itself; once installed, it connects to a remote server and asks to be granted access to several things, including SMS messages, phone number APIs, and current mobile network data. A list of installed financial apps, SIM card information, and SMS messages can all be obtained by Ajina.Banker and then exfiltrated to the server.

To gather financial information, new malware variants are also designed to display phishing pages. They can also misuse Android's accessibility services API to block uninstallation and give themselves greater permissions, as well as access call records and contacts. Google informed that Google Play Protect, which is turned on by default on Android devices with Google Play Services, protects Android users from danger and that it has not discovered any indication of the malware spreading through the Google Play Store.

The tool is under active development and has the backing of a network of associated personnel, as evidenced by the hire of Java developers who constructed a Telegram bot in exchange for a financial offer. The fact that Telegram bot creators hired Java programmers in exchange for a pay raise suggests that the tool is actively being developed and has the backing of a network of related personnel. Researchers made the revelation after discovering connections between two families of Android malware that are tracked as SpyNote and Gigabud (a member of the GoldFactory family that also contains GoldDigger).

Targets and domains with strikingly similar structures (using the same peculiar keywords as subdomains) were employed to disseminate SpyNote samples in addition to Gigabud samples. This distribution overlap indicates that both malware families are most likely the work of the same threat actor, suggesting a well-planned and extensive operation.

Impact

• Sensitive Data Theft
• Financial Loss
• Unauthorized Access
• Data Exfiltration

Indicators of Compromise

IP

• 79.137.205.212
• 46.226.160.19
• 109.120.135.42
• 77.105.166.215
• 5.42.77.147
• 147.45.42.85
• 79.137.202.32
• 77.221.136.21
• 46.226.167.24
• 45.15.157.38

MD5

• 34a42857113ab2c856d533105494eb41
• 7f2e9aa66f802727a52eeec72ed2d458
• 00241d7334d78340cd5eb721f40b8682
• fb41060737b7dde21970998760ea111a
• e72d85fc9e0bb16b06db6ef527d6acf7
• de62de8c65420c726805b499514070db

SHA-256

• 1e531605566061e47153f53bba14451eb4b182251f328c62dd7240a19b7fe6e3
• 8269b64b8cf38bdaa1b632968dc69172fcc830e9ad0c00cd6bebc586dec4af1f
• 2e592aacdad946249111ac6ecaa1614fe55091adcf00495936b106cd5707ca35
• e99dd4441e2d6a56ab3a61acb103c893a0fba73b9a24d4f5677f5b3387897a4e
• 444320781d5c03491d4c96a891d5410a7922102e8b126aed5046e424d1f1bf81
• 7fd624b2076a124c21c90b0ec29ba00b182b5f1a05850c94d9470a17578f523c

SHA1

• 8a3c5e0c0438588640fbf4afe3a9c176a8204eec
• 84af2ce3a2e58cc8a70d4cc95916cbfe15f2169e
• 15de15a6f4af9c32cccbee23d99b80d33f3dcb50
• 9fbdcb5dd8ed85b1ec20e7546794d8b6d92ab7f6
• c98ae2491ae7df9f08b9028bdb35af5f62a34aca
• 2358fcbf48036f2f080b29b1e79110c56dbe06d4

Remediation

• Block all threat indicators at your respective controls.
• Search for indicators of compromise (IOCs) in your environment utilizing your respective security controls.
• Ensure that all operating systems, software, and applications are regularly updated with the latest security patches.
• Conduct regular security awareness training for users to recognize and avoid phishing emails.
• Enable antivirus and anti-malware software and update signature definitions promptly. Using multi-layered protection is necessary to secure vulnerable assets.
• Along with network and system hardening, code hardening should be implemented within the organization so that their websites and software are secure. Use testing tools to detect any vulnerabilities in the deployed codes.
• Implement network segmentation to limit lateral movement within the network.
• Implement continuous monitoring of network traffic and endpoint activities to detect any unusual or suspicious behavior.
• Develop and regularly test an incident response plan to ensure a swift and effective response in case of a security incident.
• Implement SIEM solutions to centralize log collection and analysis. This can help in identifying patterns of suspicious behavior and provide timely alerts for potential security incidents.
• Regularly back up critical data and ensure that the backup copies are stored securely.