When Computer Science and Criminology meet, an exciting cybercrime investigation is born. Our security researchers uncovered an Android banking botnet and explored the world of underground attackers, informal online forums, and the economy of encrypting malware-as-a-service. Read about their 5-year-long investigation in an extensive blog post.

Five years ago, an execution of a sample of HtBot malware in the Stratosphere Laboratory led a student to find traces of an Android banking botnet that we named Geost. This discovery was the beginning of five large research inquiries, each one providing new insights on the operation of cybercrime. This article, originally published at the Stratosphere blog, describes how a curious research experiment led a student into an interesting cybercrime investigation. It shows how cross-disciplinary research between computer science and criminology can truly generate valuable insights, especially when industry and academia collaborate.

We also recommend our research paper on this project titled Cybercrime Specialization: An Expose of a Malicious Android Obfuscation-as-a-Service (IEEE 2021).

The Beginning: Investigating the HtBot Proxy Malware

This journey started with Radhika Gupta, a bachelor's student from Carnegie Mellon University, who did a 2-month summer internship at the Stratosphere Laboratory in Prague. She investigated the traffic of HtBot malware, malicious software that turned infected computers into Internet proxies. Those behind HtBot sold proxy access through the infected victims to customers wishing to hide their location for malicious purposes. Radhika found that these customers were involved in fraudulent webspam advertisement, social network dating scams, Twitter login brute forcing, and what looked like an unknown web access.

Poster of Radhika Gupta on HtBot Malware.

Dissecting the Geost Botnet

Indeed, the unknown web access was, in the end, a command and control panel for an Android banking botnet. At the time, Sebastian Garcia (Director at StratosphereIPS), Anna Shirokova (Avast Software) and Maria Jose Erquiaga (then an analyst at Stratosphere Labs and now at Cisco Systems) teamed up to investigate this finding. They ended up exposing the botnet’s infrastructure! In short, the Geost botnet represented a huge operation with:

  • hundreds of malicious domains generated by a domain generation algorithm (DGA),
  • at least 13 command and control (C&C) panels in six countries,
  • at least 800,000 mobile phone victims in Russia,
  • and over 200 Android APKs that faked dozens of applications.

The attackers behind the operation had access to several million Euros in the bank accounts of the victims.

While the team was working on exposing the botnet’s domains, C&C commands and malicious APKs at various conferences, another Stratosphere member, Veronica Valeros, made an incredible discovery. She found on VirusTotal a file that was a private Skype chat log containing discussions between individuals involved in spreading malicious mobile applications related to the Geost botnet. This was confirmed because, within the discussions, the individuals shared C&C IP addresses, internal commands, passwords and freshly infected APKs related to Geost. How such a chat log ended up on VirusTotal still remains a mystery for somebody to solve. We may never know if it was the work of a government operation, a security company or a gang member getting revenge.

Private Chats related to Geost Operations

Following this new opportunity, the team moved from technically understanding the botnet to analysing the conversations of real individuals involved in its operations. What a gold mine! The conversations were written in Russian, but luckily one team member, Anna Shirokova, speaks Russian and agreed to translate every interaction (thank you Anna!).

This private chat log exposed a group of people discussing numerous underground projects and activities. It gave a unique insight into the human aspect of the malicious operation, including daily routine tasks and motivational issues. Check out how attackers seemed bored in these discussions:

Actor 1: “maybe you can still try to pull yourself together?”
Actor 2: “No”
Actor 1: “Shame, we had such great plans.”... “Ok, think it over one more time. Look at all pros and cons. The motivation we have is not working for other boss. At the end of the month I will pay you a good amount of money. Please understand it is important”
Actor 2: “No, I don't want” … “I can’t do it”...

Wouldn’t you think that hacking and managing botnets are fun? Well, it does not look like it based on these conversations. At that time, much more could be done with this private chat log: so rarely do researchers have this kind of information! And when the team had no idea how to continue, a PhD student in criminology and cybersecurity researcher at GoSecure, Masarah Paquet-Clouston, joined the team to move them forward.

A New Hope: A Perspective on Informal IT Workers Helping Cybercrime Operations

Together, the new team set about systematically analyzing the conversations through a thematic analysis. The analysis revealed that these attackers were amateurs with a lenient attitude towards criminality, and although they were highly motivated by economic independence, they were facing an adverse environment. These individuals were not the mastermind offenders behind the Geost botnet, but rather the informal IT workers supporting the most boring daily activities of the botnet. They were among the workers that are indispensable to cybercrime operations. Basically, they built Android portal websites, re-encrypted the Geost malicious APK, added the Geost malicious APK to the web page, and then got paid for each malicious application downloaded via their websites. However, getting this done was far from easy. In the end, the results hinted towards the idea that:

Masterminds behind cyberattacks need minions to do the boring stuff surrounding the operations.

Where can we find these minions? Well, it seems that internet marketing forums are just the place. Indeed, Searchengines[dot]guru, a Russian- and English-speaking forum dedicated to Internet marketing optimization, was a place where these amateurs systematically held discussions.

Given the discovery of this new public forum, hosting thousands of potential minions available for cybercrime operations, the team decided to pivot its research inquiries into analyzing this forum. The research question was how many others are like those individuals in the private chat log. To answer it, the data scientist Serge-Olivier Paquette joined the team because of the scale of the dataset available. With access to the database of Flare Systems (a company monitoring online forums), the team developed a research methodology to measure and understand the likelihood that users of this forum participate in cybercrime operations. Various data science techniques were used to understand the forum population (informal IT workers), including Uniform Manifold Approximation and Projection (UMAP) and group-based trajectory modeling (GBTM). The team found that an overlap exists between the Searchengines[dot]guru population and cybercrime forums.

There are minions who wade in both worlds: criminal and informal, just like the ones studied in the private chat log.

The research was presented at a number of conferences including Black Hat USA 2021, Virus Bulletin 2021, WACCO 2021 and others. A recording of our talk at Botconf 2020 is available on YouTube.

The Revenge of the Malware: A Deep Dive in Obfuscation-as-a-Service

While all these research inquiries were happening, one last sub-project took place in parallel. Within the private chat log, the team found one unique line of conversation where the attackers discussed how to ‘crypt’ a malicious APK on the Internet. Curious, they followed the lead and found a webpage offering obfuscation-as-a-service for Android APKs (a site called fttkit.com). Indeed, the individuals in the private chat log paid for and used this service to obfuscate and encrypt the malicious APKs and thereby hide the intent of the Geost APK from antivirus software.

Considering that no research so far had investigated this type of specialized service, the team decided to take a deep dive into the service’s obfuscation techniques and business reality. To help them with the technical analysis, they partnered with the researcher and malware reverser Vit Sembera from Trend Micro.

The analysis showed that the obfuscation service was not so good and the quality of its protection was average at most. The service had a small clientele of large-scale attackers who used the service to decrease antivirus detections of highly malicious applications, thus increasing their chances of compromising phones. The operators of the service were estimated to have made a minimum revenue ranging from USD 5,100 (conservative) to USD 61,160 (optimistic) for a six-month operation. These findings were surprising indeed.

Who would think that a service specialized in obfuscating malicious applications would be average (at most!)? Why aren’t they making millions of dollars too?

Concluding Remarks  

Overall, it took five years and multiple team members to work on various research inquiries that all started with Radhika Gupta’s first findings. These five years were filled with difficulties, uncertainties and steep learning curves. Yet, they were also filled with surprises, laughs, amazing conferences and feelings of success. From our experience, we advise never to be afraid to ask for help and collaborate. Adding new team members to the group, crossing disciplines and being open-minded is what made this research both fun and far-reaching!

Right now, at Stratosphere IPS Lab, we are working on a deep analysis of the private chat log, research on the motivations of attackers, and the final paper on the mass effect of informal workers in the cybersecurity community. If you would like to do research at this intersection of computer science and criminology, contact the Stratosphere team at stratosphere@aic.fel.cvut.cz. Don’t hesitate to contact us if you are curious and want to know more about them!