After the source code of the Android banking Trojan GM Bot was leaked online, a new version of the threat appeared in the wild.
In February, the experts at IBM X-Force threat intelligence discovered the source code for Android malware GM Bot was leaked on an underground. The source code was leaked in December 2015, it includes the bot component and the control panel.
Of course, the code rapidly spread within the criminal ecosystem, it now that is available online for free malware developers started to work on it.
GM Bot appeared in the wild in 2014, when the authors were offering it in the Russian underground as a powerful instrument for mobile phishing.
The malware implements a number of features to target Android users, including intercepting SMS messages. The malware allows attackers to gain control of the targeted device, including the customization of fake screens.
In short, mobile banking Trojans such as GM Bot are a one-stop fraud shop for criminals:
The original creator of the Android malware sold the rights to distribute GM Bot v1 (aka MazarBot) to other cyber criminal organizations that are offering it for $5000.
Other variants of GM Bot are known as MazarBot, SlemBunk, Bankosy, Acecard and Slempo.
The new GM Bot v2 variant, which is currently in a testing phase, was developed from scratch by the original developer using the moniker “GanjaMan.”
“After news from IBM X-Force about the leak of Android malware GM Bot’s source code, the author of GM Bot released a second version of the malware. News of v2 came from the official GM Bot developer and vendor, a user going by the alias GanjaMan in venues where the malware is sold.” wrote Limor Kessem, cybersecurity evangelist at IBM.
“According to an underground forum post authored by GM Bot’s vendor, it took six months’ worth of work for this updated version of GM Bot. GanjaMan adds that v2 was “written from scratch,” perhaps in order to emphasize that it does not use the previous version’s code, which was recently leaked by one of its dubious customers.”
According to the experts at the IBM Security, GanjaMan explained that GM Bot v2 includes three different Android exploits that can be used to infect mobile devices. The exploits have been already fixed by Google, so it is likely GanjaMan will add other exploits in the coming variants.
The developer announced also significant improvements for the malware, including rootkit features and the use of the Tor communication channel.
The new GM Bot v2 variant that includes all the available packages and exploits costs $15,000 and an additional $2,000 monthly rental fee that must be paid starting with the second month of use.
Cybercriminals can decide to not pay for the exploits, in this case GM Bot v2 goes for $8,000 and a $1,200 monthly rental fee.
“Judging by past cases of underground malware vendors, the monthly rental fees are most likely technical support fees. Trojan vendors have been known to run into debilitating operational issues as a result of having to provide support to their buyers without getting paid for the extra time spent on resolving issues, bugs and technical questions. The monthly fee concept helps the developers hire tech support agents to handle requests while they continue to develop and sell the malware,” continues Kessem.
GanjaMan is also searching for peers pay-per-install accomplices and cybercriminals who can help with directing Web traffic in countries his buyers would be interested in targeting.
(Security Affairs – Botnet, GM Bot v2)
Necessary cookies are absolutely essential for the website to function properly. This category only includes cookies that ensures basic functionalities and security features of the website. These cookies do not store any personal information.
Any cookies that may not be particularly necessary for the website to function and is used specifically to collect user personal data via analytics, ads, other embedded contents are termed as non-necessary cookies. It is mandatory to procure user consent prior to running these cookies on your website.