The initial version of Gustuff shared several similarities with another banking trojan, Marcher. The latest version has been observed to have shed a few of those similarities.
The campaign details
The start of this month saw a new campaign that delivers the latest version of this banking trojan.
“This method of propagation has a low footprint, since it uses SMS alone, but it doesn't seem to be particularly effective, given the low number of hits we've seen on the malware-hosting domains,” say the researchers.
Features and capabilities
Gustuff can dynamically load webviews targeting specific domains based on the commands it receives. During this process, it can also fetch the required injection from a remote server.