Recently, we came across a detection in our telemetry report named “com.goatmw” which caught our attention. On further investigation, the sample turned out to be a banking trojan.

GoatRAT is an Android Remote Administration Tool (RAT) that gains access to and control over targeted devices and carries out fraudulent money transfers using a PIX key. The domain goatrat[.]com (Fig.1) serves as the admin panel (not live at the time of writing this blog) and lists Telegram IDs as its contacts (Fig.2 and Fig.3).

Fig.1: Admin Panel (goatrat[.]com)
Fig.2: Telegram ID
Fig.3: Telegram ID

Technical Analysis

Once “com.goatmw” is installed, the malware starts a service named “Server” (Fig.4) which connects (Fig.5) to the C2 server (Fig.6) to obtain the PIX key required to carry out the fraudulent transactions.

Fig.4: Service is initiated
Fig.5: Establishes connection to C2
Fig.6: C2 server

A PIX key is used to make instant money transfers; it is generated by encrypting personal data such as the taxpayer ID number (CPF for individuals, CNPJ for companies), telephone number or email address (Fig.7).

Fig.7: PIX Key

The RAT then asks the user to grant the accessibility and overlay permissions (Fig.8). The overlay permission lets it draw an overlay screen on top of the targeted banking applications, making it look like the legitimate app’s screen so that the user enters their valid credentials without suspecting anything; those credentials are then used to perform fraudulent money transfers.

Fig.8: Permissions requested

This malware targets certain Brazilian banks (Fig.9). When the user opens a banking application, the malware compares its package name against the package names of the targeted banking applications.

Fig.9: Targeted banks

When a targeted application is opened, the malware displays an overlay window on top of the legitimate banking application (Fig.10). This overlay screen captures the credentials the user enters and sends them to the C2, which then initiates a money transfer based on the balance available (“Saldo disponivel” – balance available) in the user’s account (Fig.11).

Fig.10: Add Overlay screen
Fig.11: Balance available

Once the malware takes control, it requests a PIX key to initiate the transfer (Fig.12). The malware then enters the amount and the PIX key and automatically performs the clicks and confirmation (“Pagar” – Pay, “CONFIRMAR” – Confirm; Fig.13) from the user’s logged-in bank account, without the user’s knowledge.

Fig.12: Request PIX key
Fig.13: Confirm and Pay

Once the money transfer via the PIX key is complete, the malware removes the overlay window from the targeted legitimate application (Fig.14).

Fig.14: Removes Overlay
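As an added illustration (not code from the original post or from the K7 analysis), the Python sketch below shows how a defender could spot the automated-transfer pattern described above in accessibility-style event telemetry: a package other than the bank app itself clicking “Pagar”/“CONFIRMAR” inside one of the listed target apps shortly after that app comes to the foreground. The event format, timestamps and the com.example.launcher package are constructed assumptions; only the target package names and button labels come from the post.

```python
import re

# Package names of the banking apps the post lists as GoatRAT targets.
TARGETED_BANK_PACKAGES = {"br.com.intermedium", "com.nu.production", "br.com.uol.ps.myaccount"}
# Buttons the post says the RAT clicks automatically ("Pagar" = Pay, "CONFIRMAR" = Confirm).
ATS_CLICK_LABELS = {"pagar", "confirmar"}

# Constructed sample in a hypothetical event format (not a real Android log):
# "<epoch_s> <EVENT> pkg=<foreground app> [src=<package that performed the action>] [text=<node label>]"
SAMPLE_LOG = """\
1000 WINDOW_STATE_CHANGED pkg=com.nu.production
1005 ACTION_CLICK pkg=com.nu.production src=com.goatmw text=Pagar
1006 ACTION_CLICK pkg=com.nu.production src=com.goatmw text=CONFIRMAR
2000 WINDOW_STATE_CHANGED pkg=br.com.intermedium
2003 ACTION_CLICK pkg=br.com.intermedium src=br.com.intermedium text=Pagar
3000 ACTION_CLICK pkg=com.example.launcher src=com.goatmw text=Settings
"""
LINE_RE = re.compile(
    r"^(?P<ts>\d+) (?P<event>[A-Z_]+) pkg=(?P<pkg>\S+)"
    r"(?: src=(?P<src>\S+))?(?: text=(?P<text>.+))?$"
)

def detect_ats_clicks(log_text, window_s=60):
    """Return {(service_pkg, bank_pkg): [labels]} for every third-party package that clicks
    Pay/Confirm inside a targeted bank app within window_s seconds of that app coming to the
    foreground, i.e. the automated-transfer pattern described above."""
    last_foreground = {}  # bank_pkg -> last time it came to the foreground
    alerts = {}
    for line in log_text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m or m.group("pkg") not in TARGETED_BANK_PACKAGES:
            continue
        ev, ts = m.groupdict(), int(m.group("ts"))
        if ev["event"] == "WINDOW_STATE_CHANGED":
            last_foreground[ev["pkg"]] = ts
            continue
        label = (ev["text"] or "").strip().lower()
        # A tap performed by the bank app itself is a normal user action; a Pay/Confirm click
        # injected by another package shortly after the bank app opened is the ATS signature.
        if (ev["event"] != "ACTION_CLICK" or ev["src"] in (None, ev["pkg"])
                or label not in ATS_CLICK_LABELS
                or ts - last_foreground.get(ev["pkg"], float("-inf")) > window_s):
            continue
        alerts.setdefault((ev["src"], ev["pkg"]), []).append(label)
    return alerts

if __name__ == "__main__":
    for (svc, bank), labels in detect_ats_clicks(SAMPLE_LOG).items():
        print(f"ATS-like activity: {svc} clicked {labels} in {bank}")
```

Run against the sample, only the injected clicks from com.goatmw into com.nu.production are reported; the bank app's own tap and the click outside a targeted app are ignored.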

Android banking trojans are increasing rapidly, and malware authors keep finding new techniques to steal money from users. One such technique, seen here, abuses the PIX instant payment platform to target Brazilian banks. GoatRAT uses an ATS framework to carry out fraudulent money transactions. ATS (Automated Transfer System) is a new technique employed by banking malware: once the user logs in to a banking app and enters their credentials, the malware takes control, automatically enters the amount and initiates the transaction without the user’s knowledge. We protect users from all these threats. Users are advised to install a reputable security product such as “K7 Mobile Security” and keep it updated to stay safe from such threats.

IOCs

PACKAGE_NAME   DETECTION_NAME      APK_MD5
com.goatmw     Trojan(0001140e1)   ba5833b49e2c6501f5bbce90b7948a85

Targeted banking applications

br.com.intermedium

com.nu.production

br.com.uol.ps.myaccount
