Octo2

| Attribute | Value |
| --- | --- |
| Type of Malware | Trojan |
| Targeted Countries | Italy |
| Date of Initial Activity | 2024 |
| Motivation | Financial Gain |
| Attack Vectors | Phishing |
| Targeted Systems | Android |
Overview
In 2024, a new and highly sophisticated variant of the well-known ExobotCompact malware family emerged under the name Octo2. This malware has already begun to target European financial institutions, and its developers have demonstrated a clear intent to expand its reach globally. Octo2 is not a simple update to its predecessors but a refined and capable version that poses a significant threat to mobile banking users. The rapid development of such a variant highlights the growing challenges in the fight against mobile banking fraud and cybercrime, as well as the increasing sophistication of malicious actors in the cyber landscape.
The Exobot malware family has been active since 2016, primarily targeting mobile banking applications to steal users’ credentials and hijack financial transactions. The earlier variants, including ExobotCompact, gained notoriety for their capability to perform overlay attacks, intercept SMS messages, and manipulate push notifications. However, the Octo variant, introduced in 2022, marked a turning point in the evolution of this malware. With the release of Octo2, the malware family has entered a new phase, offering enhanced features such as advanced obfuscation techniques, better remote access capabilities, and improved methods for avoiding detection by cybersecurity professionals.
Targets
Individuals
How they operate
Infection and Initial Setup
Octo2 typically begins its operation through the use of Zombinder, a malicious component that acts as the first stage of infection. Zombinder is designed to bypass the security restrictions of Android 13+ and other recent updates. Once the victim installs the Zombinder app, it requests permission to install an additional plugin. This plugin is actually the Octo2 payload itself. By using Zombinder, the malware sidesteps Android’s installation restrictions and can gain access to the system without raising immediate suspicion. The use of Zombinder to initiate the Octo2 infection allows the malware to penetrate deeper into the system, establishing a foothold from which it can proceed to exploit the victim’s device.
Upon successful installation, Octo2 configures itself using a set of parameters communicated from its C2 server. The “block_push_apps” setting is one such parameter, which instructs Octo2 to target specific applications by intercepting their push notifications. The malware identifies these apps based on a predefined list and ensures that push notifications from these apps are suppressed. This feature indicates that Octo2 is specifically designed to target mobile banking applications, preventing users from receiving critical notifications related to transactions and security alerts.
Remote Access and Device Control
One of the key features of Octo2 is its enhanced Remote Access Trojan (RAT) capabilities, which allow attackers to control the infected device remotely. Unlike its predecessors, Octo2 has been optimized to provide more stable remote sessions, even in environments with low bandwidth. The malware achieves this by using the “SHIT_QUALITY” setting, which reduces the amount of data transmitted between the infected device and the C2 server. When enabled, Octo2 lowers the quality of screenshots and other media sent to the attacker, reducing the load on the network and increasing the stability of the connection. This makes it more difficult for the victim to notice any lag or disruption in device performance, while the attacker can continue controlling the device and collecting sensitive information.
The RAT functionality allows the attacker to perform various malicious actions on the device, including exfiltrating passwords, stealing banking credentials, and executing other forms of social engineering attacks. The remote control capabilities of Octo2 are more efficient and resilient than its predecessors, providing the cybercriminal with full access to the device’s functions, including the ability to intercept SMS messages, record calls, and monitor app activity.
Anti-Detection Techniques and Obfuscation
A key aspect of Octo2’s effectiveness lies in its ability to evade detection. The malware uses advanced obfuscation techniques that make it more challenging for security software to analyze and identify its components. One of the most notable improvements in Octo2 is the use of a multi-step decryption process. Upon execution, Octo2 first decrypts a native library responsible for further malicious actions. This library is dynamically loaded during runtime and is tasked with decrypting the main payload, generating encryption keys, and determining the appropriate C2 server domain names.
In addition to the decryption mechanism, Octo2 also implements a Domain Generation Algorithm (DGA) to keep its C2 channel reachable. The DGA allows the malware to generate multiple domain names, ensuring that the C2 server remains operational even if some domains are blocked or taken down by security researchers. The DGA is based on a proprietary date-based algorithm, which makes it more difficult for security researchers to predict future C2 domains. This decentralized and continuously evolving communication model ensures that the malware remains functional and adaptable, even as its infrastructure is disrupted.
Communication with the Command-and-Control (C2) Server
The communication between Octo2 and its C2 server is encrypted using a novel cryptographic method. Instead of relying on a static encryption key, Octo2 generates a new key for each request made to the C2 server. This key is derived from a cryptographic salt that is shared as part of the request. The C2 server uses this salt to derive the same key on its side, allowing it to decrypt the communication. This dynamic encryption method increases the security of the communication channel, making it more resistant to interception and analysis by security tools.
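The per-request keying described above, modelled as an added analyst's example (this is not Octo2's code, and the real KDF and cipher are not published here): the client picks a fresh salt, derives the request key from an embedded secret plus that salt, and ships the salt with the ciphertext; the server, or an analyst who has recovered the embedded secret from the decrypted native library, re-derives the same key from the salt in the captured message.

```python
"""Toy model of a per-request-keyed C2 channel (hypothetical construction).

Assumed, not from the report: key = HMAC-SHA256(embedded_secret, salt),
encryption = HMAC-SHA256 counter keystream, integrity = HMAC tag.
Wire format: salt(16) || tag(32) || ciphertext.
"""
import hashlib
import hmac
import os

# Constructed stand-in for the secret an analyst would pull from the decrypted library.
MASTER_SECRET = b"constructed-embedded-secret"


def derive_key(master: bytes, salt: bytes) -> bytes:
    """One key per request: embedded secret combined with the salt carried in the message."""
    return hmac.new(master, b"req-key|" + salt, hashlib.sha256).digest()


def _keystream(key: bytes, n: int) -> bytes:
    out = b""
    ctr = 0
    while len(out) < n:
        out += hmac.new(key, ctr.to_bytes(4, "big"), hashlib.sha256).digest()
        ctr += 1
    return out[:n]


def seal(master: bytes, plaintext: bytes) -> bytes:
    """Client side: fresh salt, derive key, encrypt, authenticate salt and ciphertext."""
    salt = os.urandom(16)
    key = derive_key(master, salt)
    ct = bytes(a ^ b for a, b in zip(plaintext, _keystream(key, len(plaintext))))
    tag = hmac.new(key, salt + ct, hashlib.sha256).digest()
    return salt + tag + ct


def open_(master: bytes, blob: bytes) -> bytes:
    """Server or analyst side: read the salt, re-derive the key, verify the tag, decrypt."""
    salt, tag, ct = blob[:16], blob[16:48], blob[48:]
    key = derive_key(master, salt)
    expected = hmac.new(key, salt + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        raise ValueError("tag mismatch: wrong master secret or tampered message")
    return bytes(a ^ b for a, b in zip(ct, _keystream(key, len(ct))))


def decrypts_with(master: bytes, blob: bytes) -> bool:
    """True if the given secret reproduces the request key for this captured message."""
    try:
        open_(master, blob)
        return True
    except ValueError:
        return False
```

Because the salt travels in cleartext, the per-request key only defeats a static-key lookup: once the embedded secret is recovered, every captured request can be decrypted from its own salt, which is where traffic analysis of such samples starts.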
Furthermore, Octo2 is designed to be highly flexible in terms of its C2 infrastructure. If the primary C2 domain is taken down, the malware can automatically switch to a new domain generated by the DGA, ensuring uninterrupted communication between the infected device and the attacker. This continuous adaptability makes Octo2 a persistent threat, as it can easily evade conventional blocking and filtering mechanisms.
Conclusion
The technical sophistication of Octo2 sets it apart from many other mobile banking Trojans. With advanced RAT capabilities, improved obfuscation methods, and an evolving C2 communication system, Octo2 is a formidable tool in the hands of cybercriminals. Its ability to evade detection, bypass security measures, and persist in the face of takedown efforts makes it a significant threat to mobile banking users worldwide. As the malware continues to evolve, it will require more advanced detection methods and proactive defense strategies to mitigate its impact. Understanding how Octo2 operates is crucial for organizations and individuals seeking to protect themselves from this rapidly spreading mobile threat.
MITRE Tactics and Techniques
1. Initial Access
Phishing (T1566): Octo2 is often delivered via phishing methods, such as social engineering or smishing, where victims are tricked into downloading a malicious app or clicking on a compromised link.
Exploitation for Privilege Escalation (T1068): If there are any vulnerabilities in the Android system, Octo2 could exploit them for further access or privilege escalation.
2. Execution
Command and Scripting Interpreter (T1059): Octo2 executes its payload using scripting commands, leveraging Android’s ability to run code within its environment, allowing it to activate malicious functions once the app is installed.
3. Persistence
Startup Items (T1547): The malware establishes persistence by modifying startup components, ensuring that it resumes operation after the device is restarted or powered off and on again.
Application Layer Protocol (T1071): Octo2 maintains communication with its command-and-control (C2) servers to receive further instructions, ensuring its persistence over time.
4. Privilege Escalation
Exploitation for Privilege Escalation (T1068): Although primarily designed for remote access, Octo2 may exploit vulnerabilities within the device’s Android system to escalate privileges, providing the attacker with greater control over the infected device.
5. Defense Evasion
Obfuscated Files or Information (T1027): Octo2 uses sophisticated obfuscation techniques, including encryption and code packing, to hide its presence from security software and detection tools.
Indicator Removal on Host (T1070): The malware might engage in removing traces of its activity, erasing logs or other indicators of compromise to avoid detection by forensic analysis.
6. Credential Access
Input Capture (T1056): Octo2 can capture user input, including passwords, by intercepting keystrokes or monitoring sensitive applications such as banking apps. This enables the malware to steal login credentials and sensitive information.
Account Manipulation (T1098): It can manipulate or steal credentials stored in applications, providing attackers with access to various accounts on the victim’s device.
7. Collection
Screen Capture (T1113): Octo2 can take screenshots of the victim’s device, capturing sensitive information or personal data that may be displayed on the screen.
8. Exfiltration
Exfiltration Over C2 Channel (T1041): After capturing sensitive data such as passwords, banking information, or screenshots, Octo2 exfiltrates this information to the attacker’s C2 servers via encrypted communication channels.
9. Command and Control (C2)
Application Layer Protocol (T1071): Octo2 communicates with its C2 server using HTTP/HTTPS, ensuring that its activity remains stealthy and difficult to detect.
Domain Generation Algorithm (T1071.001): It uses a Domain Generation Algorithm (DGA) to generate domain names for C2 communication, making it more resilient to takedowns or blocking of known C2 servers.
10. Impact
Data Destruction (T1485): While Octo2 primarily focuses on data exfiltration, it could potentially destroy or corrupt data to impede forensic investigation, thus making it harder to analyze the extent of the infection.