Thursday, July 20, 2023

FantasyMW, a brazilian banking trojan

Update: Apparently this is a rebrand from an existing malware family called GoatRat and it was named as FantasyMW. More details at: https://www.opencti.net.br/goatrat-ressurge-com-um-novo-nome-fantasymw-android-banking-trojan-40dbbba8e7d9

Sample seen from MalwareHunterTeam's tweet.

The sample is written in kotlin and under a Windows host OS. This is possible to guess because the strings hint to Windows paths. At the time of the analysis the domains were not resolving. It seems to be a new or under development banking trojan, as hinted by the path strings:


C:/Users/55119/Documents/NewBankingTrojan/production/app/src/main/java/com/fuck/thepolice/MainActivity.kt 


This is not the first ITW sample of this developer. The first ITW sample was seen on 2023-06-06 13:25:28 UTC and uses a different path for development: 


C:/Users/nuke/Documents/FantasyMalware/BasicVersion/


The path differs from the latest spotted sample. Since this is a brazilian malware, I chose to dub it as Casanossolar from the package name instead of FantasyMalware. 


This malware requests accessibility permissions and overlay permissions to perform its activities. A complete list of permissions requested:


android.permission.ACCESSIBILITY_SERVICE

android.permission.BIND_ACCESSIBILITY_SERVICE

android.permission.INTERNET

android.permission.POST_NOTIFICATIONS

android.permission.READ_PHONE_STATE

android.permission.RECEIVE_BOOT_COMPLETED

android.permission.SYSTEM_ALERT_WINDOW

com.fuck.thepolice.DYNAMIC_RECEIVER_NOT_EXPORTED_PERMISSION


The sample contains URLs pointing to a ping endpoint and an initialization URL. On initialization, the device information such as hwid, device model, manufacturer is sent to the C2. The CLIENT_ID hardcoded in each sample is sent on each ping attempt.


https://api.robodopix[.]online/devices/init

https://api.robodopix[.]online/devices/ping


It currently targets only 6 applications, but all of them are bank applications from Brazil/Portugal. It calls PackageManager.getInstalledPackages to obtain the list of installed applications. Each targeted application has a separate class for each of them with shared methods. It applies overlays to steal credentials when the user tries to access their bank application.



Complete list of targeted applications as of 2023-07-20.

  • com.nu.production
  • com.picpay
  • com.santander.app
  • com.itau.iti
  • com.c6bank.app
  • br.com.intermedium



The first versions don't feature emulator checks on startup. However the latest samples contain emulator checks on startup and attempts to detect Android x86, Android Emulators, and XPosed among others:


  • goldfish

  • ranchu

  • google_sdk

  • Emulator

  • Android SDK built for x86

  • Genymotion

  • sdk_google

  • google_sdk

  • sdk

  • sdk_x86

  • vbox86p

  • emulator


It also makes use of RootBeer to verify if there is root available on the device:




One of the first samples contains an image presumably from the developer, referring to himself as "Sicko", mentioning that you are being hacked and a identifier to purchase his malware. Reverse image search returns nothing, so it seems to be handcrafted by the author.


In in one of the first versions seen in the wild, there is a Discord webhook URL and the Discord webhook module is also present in the code. Since the latest spotted samples exclude the Discord hooks, it points to the author relying only on their backend.



There are different builds of the same code with different icons, in an attempt to deceive users to install the application in their device or be trusted.



Overall, it looks like a family still in development. I will update this post with any updates and update the sample collection as well.

IOCs


Virustotal Collection: https://www.virustotal.com/gui/collection/f5d99ff71a0048e789ed5ea16ca23c4ad6098508d90acaa3a70f2f4e5841430a

SHA256:


495cbabda9da0171af3d1d44388ff648f961b9326cc88daed173dffe519344be

aa546c11bbae2eecb9ac24facc872aedf08743363d8dd71e843bb85537b6cf52

5ed97f720d4925d87c198aeaf2ebbf6bbfc1ecd4c7f3f08d3c328ce9fee7cfcb

29f7c1e1193abd4d90bce08c6164764b765494e9904eed9bb493e010e1c4af3b

a8c03dde8bda11b848f4eee5b9e21e70bcdc9ace8c6e1bb16ee24990cba155e5


URLs:


https[:]//api.theworldismagic[.]online/devices/init

https[:]//api.theworldismagic[.]online/devices/ping

https[:]//api.robodopix[.]online/devices/init

https[:]//api.robodopix[.]online/devices/ping


2023

Every year I start writing about a wrap-up of my year but I never end up finishing it. Hope this year is different. I'm starting with th...