Cyble Research & Intelligence Labs (CRIL) found a new GoatRAT banking trojan that can make money transfers from breached systems.
According to the report, scammers were using the banking trojan with Automatic Transfer System (ATS) framework that helped them transfer funds from Brazilian banks. Three Brazilian banks namely, NUBank, Banco Inter, and PagBank were targeted using the GoatRAT banking trojan.
CRIL researchers found that the GoatRAT banking trojan was initially created as an Android remote administration tool to gain access and control of targeted devices. However, it is now being used to make fraudulent monetary transactions using PIX keys. The use of PIX keys enables fraudulently instant money transfers.
How the GoatRAT banking trojan steals money
Users were redirected to the GoatRAT URL – hxxps://goatrat[.]com/apks/apk20.apk via the shortened website URL – hxxps[://]bit[.]ly/nubankmodulo. The malicious website hosts Android malware and downloads the APK file ‘apk20.apk’
Users are misled into believing that this URL belonged to a legitimate Brazilian bank. Once installed, the GoatRAT banking trojan triggers a service called ‘Server’ that establishes contact with the command-and-control server to gain access to the PIX key to do the fraudulent money transfers.
Unsuspecting users are then asked to give dubious permissions on the device, which are exploited to execute Automatic Transfer Systems. An overlay appearance of the targeted banking app lets the user think that it is a part of the legitimate banking app.
Sample names of active package that are matched with the legitimate banking applications package:
- com.intermedium
- com.nu.production
- br.com.uol.ps.myaccount
Technical details about the GoatRAT banking trojan
Once the façade is created, GoatRAT banking trojan hides itself. It then saves the accessibility nodes’ data in an iterable variable and uses the getText() function to extract text from the legitimate banking app.
The GoatRAT banking trojan then enters the amount from the target’s app for the illegal transaction without letting the user know.
Once the user is asked to select either ‘Confirm’ or ‘Pay’ to successfully transfer the money, GoatRAT banking trojan uses the text strings ‘Pagar’ and ‘CONFIRMAR’ as shown below to self-executive the payment-related clicks automatically for successful money laundering.
After the amount reached the scammer, the GoatRAT banking trojan removed the overlay from the legitimate banking app.
Researchers noted that several Brazilian banks have been targeted lately with similar malware.
While the GoatRAT banking trojan only had the capability to misuse the accessibility service unlike similar malware that also had access to messages, GoatRAT could still conduct monetary transactions.
- The malware spreading link was – hxxps://goatrat[.]com/apks/apk20.apk
- The shortened malware distributing URL was – hxxps://bit[.]ly/nubankmodulo
- The command and control server was found to be – hxxp://api.goatrat[.]com:3008.
- Certificate of the malware – 38661ea0b53f278f620a3f2c8db6da8ef8ca890e
- The Admin panel and domain linked to the GoatRAT banking trojan was – hxxps[://]goatrat[.]com
