A series of operational security (OpSec) failures on the part of attackers enabled researchers to discover the Geost botnet.

In mid-2018, Virus Bulletin researchers Sebastian Garcia, María José Erquiaga and Anna Shirokova discovered Geost, one of the largest Android banking botnets known today, while analyzing another malware family called HtBot. The researchers found that HtBot converted victims into unwilling proxies that received traffic from the malware’s network and then sent it to the web. While analyzing that traffic, they observed someone logging into the command-and-control (C&C) panel of what was then a previously undocumented botnet.

Dubbed Geost, the botnet contained hundreds of thousands of malicious domains generated by a DGA algorithm along with 13 C&C IP addresses spread across six countries. This infrastructure enabled the botnet to connect to the top five banks in Russia and deploy more than 200 malicious APKs masquerading as fake mobile banking apps. Through these techniques, the Geost botnet successfully infected over 800,000 people living in Russa and gained access to several million Euros residing in their bank accounts.

Garcia, Erquiaga and Shirokova learned all of this and more because several OpSec failures made it possible for the researchers to access a chat log of an underground team hired by Geost’s controllers. This log provided insight into the creation of Geost, the development of new features and the use of victims’ stolen data. In so doing, the log also revealed just how spectacularly the Geost botmasters had failed to secure their creation.

As the researchers explained in a blog post:

Maintaining a good OpSec is difficult both for security analysts and attackers trying to hide. The discovery of the Geost botnet was possible because of several OpSec mistakes, including the use of the HtBot illegal proxy network, not encrypting their command-and-control servers, re-using security (Read more...)