The Anatomy of a Banker Malware - Unraveling Marcher

Recently, the Check Point research team had the opportunity to analyze a mobile banker malware attack from end-to-end. Our team managed to lay hands on the infiltration vector, the malware itself, and the attacker’s Command and Control (C&C) servers. This attack gave us a rare chance to understand the full flow of an attack from infiltration to theft.

The malware we observed is the notorious Marcher banker. This malware has greatly evolved since it first appeared in 2013, targeting Russian Google Play users by stealing their credit card information. It has developed a capability to steal bank credentials as well, and was offered for rent as a Malware-as-a-Service, achieving global reach. The malware targets Android users across the whole spectrum of in-market versions, including Marshmallow.

Phishing for a way in

Marcher begins its attack using a phishing mail, encouraging a user to install a Flash update. If the user clicks the link, Marcher initiates a three-stepped process, deceives the user into enabling installation from unknown sources (outside Google Play) and then downloads the malicious app. The app will then request specific privileges which will enable Marcher to accomplish its malicious purpose.

One of these permissions is the ability to read SMSs. This is crucial for the malware to bypass the Two Factor Authentication (2FA) protection. This capability is becoming more common among mobile banker malware, as more banks implement 2FA.

The plot thickens - Stealing the credentials

The malware steals a list of all apps installed on a device, and if the list contains a targeted app, the malware sends the user a fake notification that a transaction in the user’s account has occurred. Once the user enters the app, Marcher displays an overlay of the login page and steals the credentials entered by the user. In the specific campaign we analyzed, Marcher targeted several Australian banks and PayPal. Other samples were reported to target a broad range of banks across various countries.

Behind the scenes – A look into the C&C

The C&C server used by the attackers revealed some interesting details. The database includes the list of applications installed on each infected device and the notifications sent to lure the users to enter the targeted apps. Also, the attackers keep records of the victims’ identity, stolen credit card information (including CVC), stolen credentials and SMSs. We even found a rather ironic SMS from a security app, stating that the user’s device is still secure.

This is merely an example of the growing threat mobile malware poses to users. Bankers are far from being the worst tool in the hands of the attackers, though. Mobile malware has already compromised sensitive military and business related information. Enterprises should take this threat seriously and close any gaps in mobile security to avoid breaches of sensitive information.

For more information about Marcher, be sure to read the Checkpoint blog: http://itspm.ag/1SJ94SR