A new cybercriminal campaign uses an Android malware called Gigabud RAT to impersonate various organisations, such as financial institutions and government agencies in the Philippines, Peru, and Thailand.
Based on reports, the threat actors deceive targets into downloading malicious applications that spoof government applications, banking loan apps, and shopping apps.
Researchers explained that once a target installs a malicious app, it will display a legitimate-looking login screen instructing the user to enter their mobile number and password.
The Gigabud RAT uses a verification process to check the legitimacy of the credentials entered on the fake login screen.
An investigation showed that the Gigabud RAT relies on a server-side verification process to check whether the mobile number supplied by the victim is legitimate.
Subsequently, the malware presents the target with a fake loan contract and prompts them to confirm the information from the login screen. The malware shows no red flags until the final phase of the attack, during which it asks the victim to grant it accessibility permissions.
Researchers confirmed that screen recording and overlay capabilities are enabled alongside the accessibility permissions. Once the actors obtain accessibility privileges, they can steal banking credentials and request further permissions, such as displaying over other applications.
The threat actors have used a phishing site that impersonates the website of Thailand’s Department of Special Investigation (DSI) to spread Gigabud after the DSI disseminated a notice in July last year.
In addition, the Gigabud RAT mimicked the Ministry of Finance, the Government Savings Bank, the Government Housing Bank, the Government Lottery Office, the Student Loan Fund, Bank of Thailand, the Excise Department, Shopee Thailand, Advice (an IT company), the Islamic Kasikornbank Thailand, and Thai Lion Air.
The Gigabud RAT operators have significantly expanded their operation to spread their malware into new regions of the globe. The group has also employed new TTPs, such as the server-side verification method, to bypass security solutions and improve their infection mechanics. These attackers have also found a way to prolong their persistence on an infected device.
Experts claimed that this malware campaign would expand its attack scope and capabilities as it constantly develops new variants.