New Gigabud Android RAT Bypasses 2FA, Targets Financial Orgs


  • New Malware Variant: Gigabud introduces a fresh wave of sophisticated cyber danger.
  • Global Operation: Gigabud has targeted at least 25 companies, financial institutions, and government departments across several countries.
  • Bypasses 2FA: Gigabud malware can adeptly circumvent two-factor authentication (2FA).
  • Targets Financial Giants: Financial institutions face a growing threat from Gigabud’s focused attacks.
  • Gigabud family: Gigabud.Loan variant presents itself as a fake loan application, luring victims with promises of low-interest loans.
  • Emerging Cyber Risk: The rise of Gigabud underscores the evolving landscape of financial cyber threats.

A new banking trojan named Gigabud has emerged as a formidable adversary, posing a persistent danger to financial institutions worldwide. Originating as an Android Remote Access Trojan (RAT), Gigabud first came to the attention of security experts in September 2022 when it targeted a Thailand-based financial organization and its customers across the Asia-Pacific region.

Group-IB’s experts, in response to a customer’s request, undertook a comprehensive analysis of the malware to decode its intricate tactics. The defining feature of Gigabud is its cautious approach to executing malicious actions.

Unlike conventional malware that acts immediately upon infiltration, Gigabud waits for user authorization within the malicious application, a strategy that makes it notably elusive. Instead of relying on HTML overlay attacks, Gigabud employs screen recording to gather sensitive information, further complicating its detection.

One standout feature of Gigabud is its use of accessibility services, which allows it to perform actions on the victim’s device remotely. This capability, known as “TouchAction,” enables the attacker to perform gestures on the user’s device, giving them the power to evade defence mechanisms, including two-factor authentication (2FA).

Gigabud RAT has targeted at least 25 companies, financial institutions, and government departments across several countries, aiming to mimic their identities and deceive users.

Researchers also uncovered a parallel threat within the Gigabud family: Gigabud.Loan. This variant presents itself as a fake loan application, luring victims with promises of low-interest loans. Once users engage with the app, they are coerced into providing sensitive personal information, which can later be exploited by the threat actors.

Gigabud.Loan’s modus operandi involves impersonating fictional financial institutions from various countries, such as Thailand, Indonesia, and Peru.

The distribution strategy for both Gigabud.RAT and Gigabud.Loan centers around phishing websites. These websites are disseminated through tactics like “smishing,” where victims are sent misleading messages via instant messengers, SMS, or social networks, leading them to malicious links. In certain cases, the malware is even delivered directly through messages on platforms like WhatsApp.

Watch as Group-IB’s researchers looks into Gigabud RAT

Over the course of 2022 to 2023, Group-IB’s researchers detected over 400 Gigabud RAT samples and more than 20 Gigabud.Loan samples using advanced hunting techniques. 

To counteract the threat posed by Gigabud, Group-IB suggests a multi-pronged defence strategy. Organizations should prioritize proactive monitoring of user sessions, prioritize client education on safe online practices, and employ digital protection tools.

Users, in turn, are advised to exercise caution when clicking on links, refrain from downloading risky apps, and utilize reliable VPNs on public Wi-Fi networks.

  1. FakeTrade Android Malware Attack Steals Crypto Wallet Data
  2. Android banking malware distributed with fake Google reCAPTCHA
  3. New Android banking malware Xenomorph found in Play Store apps
  4. Experts concerned over emergence of Android banking trojan S.O.V.A.
  5. Iranian Stalkerware ‘Spyhide’ Steals Data from 60,000 Android Devices



Source link