Ghimob - New Infostealer in the Cyber Arena

Guildma, the threat actor the Tétrade malware family, is always on the lookout for new TTPs and victims to target. Recently, the threat actor has built the Ghimob banking trojan, aptly described as a full-fledged pocket spy.

The scoop

The trojan has been infecting mobile devices and targeting financial apps from exchanges, banks, cryptocurrencies, and fintech companies based in Brazil, Peru, Portugal, Paraguay, Mozambique, Angola, and Germany. The Android app is hosted outside of Google Play Store and allows the threat actor to gain login credentials to a user’s bank after installation of the said app. 

The noteworthy bits

  • Ghimob is capable of spying on 153 mobile apps from various financial and banking institutions.
  • Following the completion of the infection, the trojan can remotely access the device. Subsequently, it completes the financial transaction from the victim’s device, thus, evading machine detection, security implementations, and antifraud behavioral systems.
  • The banking trojan uses C2 servers with fallback protected by Cloudflare, hiding the real C2 with DGA. 

Gaining persistence

  • The malware terminates itself in the presence of common emulators, debugger, and a debuggable flag, which it detects upon installation.
  • Subsequent to the execution of the infection, an infection notification message is sent to the notification server. The message consists of the phone model, whether the device has activated screen lock, and a list of the apps that can be targeted. 
  • Furthermore, Ghimob blocks the victim from uninstalling the app and restarting or shutting down the device.

Banking customers beware

Ghimob has been discovered to be the first Brazilian mobile banking trojan that is determined to expand to other countries. In addition, the protocol used in the trojan is similar to the one used for the Windows version. Financial institutions are recommended to keep a lookout for these threats and reinforce their authentication process.