Gustuff Trojan Returns With Updated Features

• The Gustuff banking trojan has returned with a set of new features. It uses malicious SMS messages to compromise systems.
• This banking trojan targets Australian banks and cryptocurrency wallets.

The initial version of Gustuff recorded several similarities with another banking trojan, Marcher. The latest version has been observed to have shed a few of the similarities.

The campaign details

The start of this month saw a new campaign that delivers the latest version of this banking trojan.

• It has been observed to primarily target Australian banks and digital currency wallets, just like the older campaigns.
• However, this new campaign also has hiring sites' mobile apps on its radar.
• Targets, that are not of use as potential targets, are usually chosen to send SMS messages for propagation.

“This method of propagation has a low footprint, since it uses SMS alone, but it doesn't seem to be particularly effective, given the low number of hits we've seen on the malware-hosting domains,” say the researchers.

Features and capabilities

Gustuff can dynamically load webviews targetting specific domains based on the received commands. During this process, it can also fetch the required injection from a remote server.

• It blocks a number of anti-virus and anti-malware software to prevent detection.
• This trojan has also been noted to ask the user to update credit card information, that it steals.
• The new Gustuff version does not have the commands and code related to the socks server or proxy, as opposed to the earlier version.
• This is believed to allow the malicious actors behind this trojan to perform activities on the UI of the infected device.
• However, researchers say that there is no difference in the way the campaign is run.

“On the capability side, the addition of a "poor man scripting engine" based on JavaScript provides the operator with the ability to execute scripts while using its own internal commands backed by the power of JavaScript language. This is something that is very innovative in the Android malware space,” note researchers.