S0406 Gustuff
Gustuff is mobile malware designed to steal users' banking and virtual currency credentials. [1]
| Item | Value |
|---|---|
| ID | S0406 |
| Associated Names | |
| Type | MALWARE |
| Version | 1.0 |
| Created | 03 September 2019 |
| Last Modified | 14 October 2019 |
Techniques Used
| Domain | ID | Name | Use |
|---|---|---|---|
| mobile | T1437 | Application Layer Protocol | - |
| mobile | T1437.001 | Web Protocols | Gustuff communicates with the command and control server using HTTP requests. [1] |
| mobile | T1533 | Data from Local System | Gustuff can capture files and photos from the compromised device. [1] |
| mobile | T1628 | Hide Artifacts | - |
| mobile | T1628.001 | Suppress Application Icon | Gustuff hides its icon after installation. [2] |
| mobile | T1417 | Input Capture | - |
| mobile | T1417.001 | Keylogging | Gustuff abuses accessibility features to intercept all interactions between a user and the device. [1] |
| mobile | T1417.002 | GUI Input Capture | Gustuff uses WebView overlays to prompt the user for their device unlock code, as well as banking and cryptocurrency application credentials. Gustuff can also send push notifications pretending to be from a bank, triggering a phishing overlay. [1] [2] |
| mobile | T1516 | Input Injection | Gustuff injects the global action GLOBAL_ACTION_BACK to mimic pressing the back button to close the application if a call to an open antivirus application is detected. [1] |
| mobile | T1406 | Obfuscated Files or Information | Gustuff obfuscated command information using a custom base85-based encoding. [1] |
| mobile | T1406.002 | Software Packing | Gustuff code is both obfuscated and packed with an FTT packer. [1] |
| mobile | T1644 | Out of Band Data | Gustuff can use SMS for command and control from a defined admin phone number. [1] |
| mobile | T1636 | Protected User Data | - |
| mobile | T1636.003 | Contact List | Gustuff can collect the contact list. [1] |
| mobile | T1636.004 | SMS Messages | Gustuff can intercept two-factor authentication codes transmitted via SMS. [1] |
| mobile | T1418 | Software Discovery | - |
| mobile | T1418.001 | Security Software Discovery | Gustuff checks for antivirus software contained in a predefined list. [1] |
| mobile | T1426 | System Information Discovery | Gustuff gathers information about the device, including the default SMS application, whether SafetyNet is enabled, the battery level, the operating system version, and whether the malware has elevated permissions. [1] |
| mobile | T1422 | System Network Configuration Discovery | Gustuff gathers the device IMEI to send to the command and control server. [1] |
References
1. Vitor Ventura. (2019, April 9). Gustuff banking botnet targets Australia. Retrieved September 3, 2019.
2. Group-IB. (2019, March 28). Group-IB uncovers Android Trojan named «Gustuff» capable of targeting more than 100 global banking apps, cryptocurrency and marketplace applications. Retrieved September 3, 2019.