DroidBot: Insights from a new Turkish MaaS fraud operation

Dec. 9, 2024, 10:32 p.m.

Description

DroidBot is an advanced Android Remote Access Trojan that combines hidden VNC and overlay capabilities with spyware features. It uses dual-channel communication, exfiltrating data via MQTT and receiving commands over HTTPS. The malware targets 77 entities, including banks and cryptocurrency exchanges, in countries such as the UK, Italy, France, Spain, and Portugal. Evidence points to Turkish-speaking developers and a Malware-as-a-Service operation with 17 distinct affiliate groups. DroidBot is under active development, as shown by inconsistencies across samples. Its sophisticated features, diverse target list, and MaaS infrastructure make it a significant threat to financial institutions and government entities across multiple regions.

Date

  • Created: Dec. 9, 2024, 10:22 p.m.
  • Published: Dec. 9, 2024, 10:22 p.m.
  • Modified: Dec. 9, 2024, 10:32 p.m.

Indicators

  • e0e8dce9af3a7d54e7a24db95eb3b61582da436d5e795ebebf06b9926073ce59
  • cc9a45540262aaa9b733384e218512eb596092ef698ba12beb9d239f98e8bbf6
  • ie721f2d.ala.dedicated.aws.emqxcloud.com
  • k358a192.ala.dedicated.aws.emqxcloud.com
  • dr0id.best

Attack Patterns

  • DroidBot
  • T1059.004
  • T1071.001
  • T1204.002

Additional Information

  • Finance
  • Government
  • Portugal
  • Spain
  • Italy
  • France
  • Germany
  • United Kingdom of Great Britain and Northern Ireland