September 25, 2024
Severity
High
Analysis Summary
Cybersecurity researchers have identified a new variant of the Android banking trojan known as Octo, now called Octo2. This upgraded malware boasts enhanced capabilities for conducting device takeover (DTO) attacks and executing fraudulent transactions.
Campaigns distributing Octo2 have been observed across several European countries, including Italy, Poland, Moldova, and Hungary. The changes made by the malware developers focus on improving the stability of the remote actions needed for a successful DTO attack. According to the report, Octo was first flagged in early 2022 as the work of a single threat actor and was identified as a direct descendant of Exobot, a banking trojan first detected in 2016.
The original Exobot targeted financial institutions across various countries, including Turkey and Germany, before a 'lite' version emerged, known as ExobotCompact. The recent emergence of Octo2 has been attributed to the leak of Octo's source code earlier this year, prompting other cybercriminals to develop multiple malware variants.
Another notable development is Octo's evolution into a malware-as-a-service (MaaS) model, allowing its developers to monetize the malware by offering it to other criminals seeking to conduct information theft. The owner of Octo announced that Octo2 would be available to existing Octo1 users at the same price, encouraging those previously using Octo to upgrade to the new variant. This transition will likely expand Octo2's reach within the global threat landscape, posing increased risks to mobile banking users.
Significantly, Octo2 introduces a Domain Generation Algorithm (DGA) to create command-and-control (C2) server names, enhancing its resilience against takedown efforts. This DGA capability enables threat actors to seamlessly shift to new C2 servers, rendering domain name blocklists ineffective. The malware is distributed through trojanized legitimate apps utilizing a known APK binding service, Zombinder, which facilitates the installation of Octo2 disguised as a necessary plugin. Currently, there is no evidence that Octo2 is propagated via the Google Play Store, indicating that users are likely downloading it from untrusted sources or falling victim to social engineering tactics.
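The paragraph above explains why a DGA defeats static domain blocklists: the C2 name changes, so a defender has to hunt for the pattern rather than the value. The following is an added example, not code from the report or from any malware analysis of Octo2; it does not reproduce Octo2's own algorithm (which the report does not disclose) and instead applies a generic, defender-side heuristic to DNS logs. It assumes a constructed log format of `timestamp client query <type> <domain>` and flags second-level labels that are long, high-entropy, and nearly vowel-free. Such a scorer is a hunting aid for surfacing candidates to review, not a blocking rule, since CDN and cloud hostnames can trip it.

```python
"""Heuristic DGA-style domain detection over DNS query logs (added example)."""
import math
from collections import Counter

# Constructed sample log lines; the timestamps, client IPs and domains are
# invented for this example and are NOT indicators from the advisory.
SAMPLE_DNS_LOG = """\
2024-09-25T10:01:02Z 10.0.0.5 query A accounts-bank-example.com
2024-09-25T10:01:05Z 10.0.0.5 query A x7kq9vbz2mlt4pqr.com
2024-09-25T10:01:09Z 10.0.0.7 query A github.com
2024-09-25T10:02:14Z 10.0.0.5 query A wqjzpt4hnxkv8dlf.net
2024-09-25T10:02:20Z 10.0.0.9 query A mobile-banking-update.org
2024-09-25T10:02:31Z 10.0.0.9 query AAAA microsoft.com
"""

# Thresholds are assumptions chosen for this example; tune them per environment.
MIN_LABEL_LEN = 10
MIN_ENTROPY = 3.2
MAX_VOWEL_RATIO = 0.25
VOWELS = set("aeiou")


def shannon_entropy(text: str) -> float:
    """Bits of entropy per character in `text` (0.0 for an empty string)."""
    if not text:
        return 0.0
    counts = Counter(text)
    total = len(text)
    return -sum((c / total) * math.log2(c / total) for c in counts.values())


def registrable_label(domain: str) -> str:
    """Return the label left of the public suffix, e.g. 'foo' for 'a.foo.com'.

    A naive 'second-to-last label' rule; real deployments should use a
    public-suffix list so that 'example.co.uk' is handled correctly.
    """
    parts = domain.lower().rstrip(".").split(".")
    return parts[-2] if len(parts) >= 2 else parts[0]


def vowel_ratio(label: str) -> float:
    """Fraction of characters in `label` that are vowels."""
    if not label:
        return 0.0
    return sum(ch in VOWELS for ch in label) / len(label)


def is_dga_like(domain: str) -> bool:
    """True when the registrable label looks machine-generated."""
    label = registrable_label(domain)
    return (
        len(label) >= MIN_LABEL_LEN
        and shannon_entropy(label) >= MIN_ENTROPY
        and vowel_ratio(label) <= MAX_VOWEL_RATIO
    )


def scan_dns_log(log_text: str) -> list:
    """Return (client, domain) pairs whose queried domain looks DGA-generated.

    Assumes each line ends with the queried domain; other fields are ignored.
    """
    hits = []
    for line in log_text.splitlines():
        fields = line.split()
        if len(fields) < 5:
            continue  # skip malformed lines rather than crash the hunt
        client, domain = fields[1], fields[-1]
        if is_dga_like(domain):
            hits.append((client, domain))
    return hits


if __name__ == "__main__":
    for client, domain in scan_dns_log(SAMPLE_DNS_LOG):
        print(f"DGA-like query from {client}: {domain}")
```

In the constructed sample the two invented random-looking labels are flagged and the four readable ones are not; in practice the flagged clients would then be checked for the other Octo2 indicators listed below, such as a sideloaded APK matching the published hashes.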
Impact
- Sensitive Information Theft
- Unauthorized Access
- Financial Loss
Indicators of Compromise
MD5
- e32eeea3676874431571f976d044a816
- c508d432e3d521acaa6215934f609b2a
- 11cb1b221952268fcd6000e563752d79
SHA-256
- 83eea636c3f04ff1b46963680eb4bac7177e77bbc40b0d3426f5cf66a0c647ae
- 6cd0fbfb088a95b239e42d139e27354abeb08c6788b6083962943522a870cb98
- 117aa133d19ea84a4de87128f16384ae0477f3ee9dd3e43037e102d7039c79d9
SHA-1
- d40169c63e74d86cc0d02c638401bcd9ccdb621b
- 5e44ba99e81c6673b000519755e041c2d4082ae8
- d4a85997999a975848b60fd52597538baf652daf
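The remediation steps below ask you to search your environment for the indicators listed above. The following is an added example, not a tool from the advisory, showing how a practitioner would turn that hash list into a file-system sweep: it hashes every file under a root directory with all three algorithms and reports any match. The IOC values are the ones published above; the directory layout, file names and the `scan_directory` function are assumptions of this example.

```python
"""Sweep a directory for files matching the advisory's Octo2 hashes (added example)."""
import hashlib
import os

# Indicators of compromise as published in the advisory above.
OCTO2_IOCS = {
    "md5": {
        "e32eeea3676874431571f976d044a816",
        "c508d432e3d521acaa6215934f609b2a",
        "11cb1b221952268fcd6000e563752d79",
    },
    "sha1": {
        "d40169c63e74d86cc0d02c638401bcd9ccdb621b",
        "5e44ba99e81c6673b000519755e041c2d4082ae8",
        "d4a85997999a975848b60fd52597538baf652daf",
    },
    "sha256": {
        "83eea636c3f04ff1b46963680eb4bac7177e77bbc40b0d3426f5cf66a0c647ae",
        "6cd0fbfb088a95b239e42d139e27354abeb08c6788b6083962943522a870cb98",
        "117aa133d19ea84a4de87128f16384ae0477f3ee9dd3e43037e102d7039c79d9",
    },
}

CHUNK_SIZE = 1 << 20  # read 1 MiB at a time so large APKs do not exhaust memory


def file_digests(path: str) -> dict:
    """Compute md5, sha1 and sha256 hex digests of one file in a single pass."""
    hashers = {name: hashlib.new(name) for name in ("md5", "sha1", "sha256")}
    with open(path, "rb") as fh:
        while True:
            chunk = fh.read(CHUNK_SIZE)
            if not chunk:
                break
            for h in hashers.values():
                h.update(chunk)
    return {name: h.hexdigest() for name, h in hashers.items()}


def match_iocs(digests: dict, iocs: dict) -> list:
    """Return the algorithm names under which `digests` hits the IOC sets."""
    return [algo for algo, known in iocs.items() if digests.get(algo) in known]


def scan_directory(root: str, iocs: dict = OCTO2_IOCS) -> list:
    """Walk `root` and return (path, [matched algorithms]) for every hit.

    Unreadable files are skipped rather than aborting the whole sweep.
    """
    hits = []
    for dirpath, _dirnames, filenames in os.walk(root):
        for name in filenames:
            path = os.path.join(dirpath, name)
            try:
                digests = file_digests(path)
            except OSError:
                continue
            matched = match_iocs(digests, iocs)
            if matched:
                hits.append((path, matched))
    return hits


if __name__ == "__main__":
    import sys
    # Assumed usage: python sweep.py /path/to/collected/apks
    target = sys.argv[1] if len(sys.argv) > 1 else "."
    for path, algos in scan_directory(target):
        print(f"IOC match ({', '.join(algos)}): {path}")
```

Run it against a staging area of collected APKs or a mounted device image; a hit on any one algorithm is enough to escalate, and a match on all three for the same file is simply the expected outcome for an unmodified sample.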
Remediation
- Block all threat indicators at your respective controls.
- Search for indicators of compromise (IOCs) in your environment utilizing your respective security controls.
- Ensure that all operating systems, software, and applications are regularly updated with the latest security patches.
- Conduct regular security awareness training for users to recognize and avoid phishing emails.
- Enable antivirus and anti-malware software and update signature definitions promptly. Using multi-layered protection is necessary to secure vulnerable assets.
- Along with network and system hardening, implement code hardening within the organization so that its websites and software are secure. Use testing tools to detect vulnerabilities in deployed code.
- Implement network segmentation to limit lateral movement within the network.
- Implement continuous monitoring of network traffic and endpoint activities to detect any unusual or suspicious behavior.
- Develop and regularly test an incident response plan to ensure a swift and effective response in case of a security incident.
- Implement SIEM solutions to centralize log collection and analysis. This can help in identifying patterns of suspicious behavior and provide timely alerts for potential security incidents.
- Regularly back up critical data and ensure that the backup copies are stored securely.