The article examines the rise of Android banking trojans, notably Antidot and Triada, and how they target mobile devices to steal banking credentials, MFA data, and other sensitive information. It highlights Triada’s modular architecture, its complex C2 communications, evasion techniques, and the need for advanced security and anomaly detection to defend against these mobile threats. #Antidot #Triada #YoWhatsApp #FMWhatsApp
Key Points
- There is a significant uptick in Android malware, especially banking trojans targeting financial credentials and online accounts.
- Antidot disguises itself as legitimate software, such as a Google Play update page, to gain a foothold on devices.
- Triada is a modular trojan that targets banking and messaging apps, and can intercept texts, steal credentials, and manipulate in-app actions.
- Triada uses C2 communications, exfiltrates data, and can install additional malicious modules on compromised devices.
- Triada evades detection by modifying the Zygote process and concealing its modules, enabling persistence across reboots and factory resets.
- The malware communicates with algorithmically generated hostnames over SSL/HTTPS, often over unusual ports, and exhibits recognizable data exfiltration patterns.
- Darktrace highlights the need for advanced detection systems and anomaly-based approaches to identify these sophisticated mobile threats.
MITRE Techniques
- [T1001] Data Obfuscation – Used to conceal the data being exfiltrated.
- [T1571] Non-Standard Port – Malware communicates over unusual ports to evade detection.
- [T1071] Web Protocols – Utilizes standard protocols to communicate with C2 servers.
- [T1568.002] Domain Generation Algorithms – Employs algorithmically generated hostnames for C2 communication. “hostnames had never previously been observed on the customers’ networks and appear to be algorithmically generated.”
- [T1568.001] Fast Flux DNS – Uses fast flux techniques to obscure the location of C2 servers.
- [T0849] Masquerading – Disguises itself as legitimate applications to avoid detection.
- [T1185] Man in the Browser – Interception of web traffic to steal credentials.
Indicators of Compromise
- [Hostname] Triada C2 Endpoint – is5jg.3zweuj.com, 68u91.66foh90o.com, and other hostnames
- [IP Address] Triada C2 Endpoint – 8.222.219.234, 8.222.244.205, and other IPs
- [URI] Triada C2 URI – /iyuljwdhxk, /gvuhlbzknh, and other URIs
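As an added example (not code from the article or from Darktrace), here is a Python heuristic that combines the three network signals the key points and MITRE list describe: a hostname never seen on the network before, a DGA-looking name, and SSL on a non-standard port. The hostnames and IPs are the ones in this page's IoC list; the connection records, the "seen before" baseline, the ports and the thresholds are constructed assumptions.

```python
import math
import re
from collections import Counter

# Constructed sample records, not real telemetry: hostnames and IPs are the ones
# this page lists; ports, protocol and the "seen before" baseline are made up.
SAMPLE_CONNECTIONS = [
    {"host": "play.google.com", "dst_ip": "142.250.0.1", "port": 443, "proto": "ssl"},
    {"host": "is5jg.3zweuj.com", "dst_ip": "8.222.219.234", "port": 8443, "proto": "ssl"},
    {"host": "68u91.66foh90o.com", "dst_ip": "8.222.244.205", "port": 443, "proto": "ssl"},
]
KNOWN_HOSTS = {"play.google.com"}
STANDARD_WEB_PORTS = {80, 443}
_LABEL = re.compile(r"^[a-z0-9-]+$")

def shannon_entropy(s):
    counts = Counter(s)
    return -sum(c / len(s) * math.log2(c / len(s)) for c in counts.values())

def looks_generated(hostname):
    """Heuristic DGA check: every non-TLD label must be a digit/letter mix or a
    low-vowel, high-entropy string, like the hostnames in this page's IoCs."""
    labels = hostname.lower().split(".")[:-1]
    for label in labels:
        if not _LABEL.match(label):
            return False
        digits = sum(ch.isdigit() for ch in label)
        vowel_ratio = sum(ch in "aeiou" for ch in label) / len(label)
        mixed = 0 < digits < len(label)
        if not (mixed or (vowel_ratio < 0.25 and shannon_entropy(label) > 2.5)):
            return False
    return bool(labels)  # a bare single-label name is never flagged

def flag_connection(conn, known_hosts=KNOWN_HOSTS):
    """Return the anomaly signals raised by one connection record."""
    reasons = []
    if conn["host"] not in known_hosts:
        reasons.append("new-hostname")
    if looks_generated(conn["host"]):
        reasons.append("dga-like")
    if conn["proto"] == "ssl" and conn["port"] not in STANDARD_WEB_PORTS:
        reasons.append("ssl-on-nonstandard-port")
    return reasons

def triage(connections, known_hosts=KNOWN_HOSTS):
    """Keep hosts with two or more signals; a merely new hostname does not alert alone."""
    return {c["host"]: r for c in connections
            if len(r := flag_connection(c, known_hosts)) >= 2}
```

Requiring two signals before alerting is what keeps an ordinary first-seen CDN hostname out of the queue while the page's hostnames still surface.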