Discovery of Geost Botnet Made Possible by Attacker OpSec Fails

Posted on October 3, 2019
New Microsoft Spear-Phishing Attack Uses Exact Domain Spoofing Tactic
A series of operational security (OpSec) failures on the part of attackers enabled researchers to discover the Geost botnet.
index-37.png
In mid-2018, Virus Bulletin researchers Sebastian Garcia, María José Erquiaga and Anna Shirokova discovered Geost, one of the largest Android banking botnets known today, while analyzing another malware family called HtBot. The researchers found that HtBot converted victims into unwilling proxies that received traffic from the malware's network and then sent it to the web. While analyzing that traffic, they observed someone logging into the command-and-control (C&C) panel of what was then a previously undocumented botnet. Dubbed Geost, the botnet contained hundreds of thousands of malicious domains generated by a DGA algorithm along with 13 C&C IP addresses spread across six countries. This infrastructure enabled the botnet to connect to the top five banks in Russia and deploy more than 200 malicious APKs masquerading as fake mobile banking apps. Through these techniques, the Geost botnet successfully infected over 800,000 people living in Russa and gained access to several million Euros residing in their bank accounts. Garcia, Erquiaga and Shirokova learned all of this and more because several OpSec failures made it possible for the researchers to access a chat log of an underground team hired by Geost's controllers. This log provided insight into the creation of Geost, the development of new features and the use of victims' stolen data. In so doing, the log also revealed just how spectacularly the Geost botmasters had failed to secure their creation. As the researchers explained in a blog post:
Maintaining a good OpSec is difficult both for security analysts and attackers trying to hide. The discovery of the Geost botnet was possible because of several OpSec mistakes, including the use of the HtBot illegal proxy network, not encrypting their command-and-control servers, re-using security services, trusting other attackers with less OpSec ,and [sic] not encrypting their chat sessions.
Unfortunately, security professionals can't consistently rely on OpSec failures and other mistakes to learn from and thereby defend against new digital threats. That's why they should consider investing in a solution capable of blocking known malware threats and potential zero-day attacks. Learn how Tripwire can help.
Join over 20,000 IT security pros who get our top stories delivered to their inbox every week!