Threat Research

Pulling back the curtain on a banking botnet

Jeff Elder, 2 October 2019

Security mistakes exposed a criminal syndicate that accessed millions of euros in the bank accounts of an estimated 800,000 victims

A bunch of coworkers on Skype chat about the good old days, how much money they make now, and sagging morale. “I am getting demotivated, and do not want to do anything,” one tells the group. 

Another day in the life of tech workers? In some ways, with one big difference. This group worked to support a malicious botnet that accessed millions of euros in the bank accounts of an estimated 800,000 victims. 

The Avast Threats Lab team has helped to pull back the curtain on the Geost botnet, which used 13 command-and-control servers to run hundreds of malicious domains. The botnet plundered bank accounts in Russia until – in an ironic twist – cybersecurity lapses exposed the entire operation, including what developers working on the criminal enterprise said to each other online. 

“We really got an unprecedented view into how an operation like this functions,” said Anna Shirokova, a researcher at Avast who helped to expose the criminal group. “Because this group made some very poor choices in how it tried to hide its actions, we were able to see not just samples of the malware, but also delve deep into how the group works.”

The Geost botnet used a complex infrastructure of infected Android phones that were connected to the botnet and controlled remotely. The attackers accessed texts, sent texts, communicated with banks, and redirected the traffic of the phones to different sites. 

A research paper by Shirokova, Sebastian Garcia of the Czech Technical University in Prague, and Maria Jose Erquiaga of UNCUYO University provides a rare view into a cybercrime operation falling apart due to its own operations security mistakes. 

The hackers trusted a malicious proxy network; failed to encrypt command-and-control servers; re-used security services; trusted other attackers that practiced even less operational security; and failed to encrypt chat sessions.

“In summary, a chain of small mistakes was enough to disclose the operation of a large Android banking botnet,” the authors wrote in the research paper. 

Those chat sessions provide a fly-on-the-wall opportunity to listen in on human beings inside a vast internet criminal syndicate. In the case of the “demotivated” worker, a colleague urges him to keep going with a rewarding gig:

“Alexander, really, if we started together we need to finish it. Because for now this is working and we can earn money.” 

But his entreaties fall flat, and his coworker declares, “i thought about it, and im not in.”

The encouraging colleague replies, “Understand, ok. Shame. If you change your mind write to me.” 

“The very interesting view of the social relationships within a group of underground cybercriminals” involved more than 6,200 lines, covering eight months of chats, and showed the private conversations of 29 people involved in different operations. 

Despite operating since at least 2016, the Geost botnet remained unknown until its traffic was captured by HtBot malware on the malicious server. The researchers are presenting their paper at the Virus Bulletin conference in London. The Avast Threats Lab will continue to monitor different aspects of the operation.