Geost botnet. The discovery story of a new Android banking trojan from an OpSec error

Wednesday 2 October 15:00 - 15:30, Green room

Sebastian Garcia (Czech Technical University in Prague)
Maria Jose Erquiaga (UNCUYO University)
Anna Shirokova (Avast)

In mid-2018 we came upon one of the largest reported Android banking botnets know to date. The discovery was unusual because we found the botnet while analysing the traffic of another piece of malware. As part of the Stratosphere laboratory we execute malware to analyse their attacks. In this case it was HtBot, a piece of malware that converts the infected victim into an unwilling and illegal proxy that receives traffic from the underground HtBot network and sends it to the Internet. HtBot sells this service. During the analysis of the traffic capture of our HtBot bot we saw a user of the proxy accessing the command and control of a new botnet. We dubbed this new botnet Geost and it proved to be a new and very large Android banking botnet operation targeting Russian citizens.

The Geost botnet proved to have hundreds of malicious domains generated by a DGA algorithm, at least 13 C&C IP addresses in six countries, at least 800,000 victims in Russia, and access to several million Euros in the bank accounts of the victims. We could see the screens of the C&C servers, lists of victims and SMSs of the victims. The botnet could directly connect to the top five banks in Russia to operate, and deployed more than 200 Android APKs to fake dozens of applications. More importantly, huge operational security mistakes made by the botmasters led us to the discovery of the chat log files of an underground group hired by the Geost botmasters to develop the C&C system. From that moment on we could read how they decided upon the development of new features and the use of private sensitive details of the victims.

Maintaining a good OpSec is difficult both for security analysts and attackers trying to hide. The discovery of the Geost botnet was possible because of several OpSec mistakes, including the use of the HtBot illegal proxy network, not encrypting their command-and-control servers, re-using security services, trusting other attackers with less OpSec ,and not encrypting their chat sessions. This research describes the Geost infrastructure, provides an analysis of the profiles of the victims and a study of the social relationships of the group of attackers. It is seldom possible to observe the decisions taken by attackers due to failures in their operational security.


Related links



Sebastian Garcia

Sebastian is a malware researcher and security teacher who has extensive experience in machine learning applied to network traffic. He created the Stratosphere IPS project, a machine-learning-based, free software IPS dedicated to protecting civil society. He likes to analyse network patterns and attacks with machine learning. As a researcher in the AIC group of Czech Technical University in Prague, he believes that free software and machine learning tools can help better protect users from abuse of their digital rights. He has taught in several countries and universities and worked on penetration testing for both corporations and governments. He has been lucky enough to talk at industry events including Ekoparty, DeepSec, Hacktivity, Botconf, Hacklu, InBot, SecuritySessions, ECAI, CitizenLab, ArgenCor, Free Software Foundation Europe, Virus Bulletin, BSides Vienna, HITB Singapore and CACIC. As a co-founder of the MatesLab hackspace he is a free software advocate who has worked on honeypots, malware detection, distributed scanning (dnmap) keystroke dynamics, Bluetooth analysis, privacy protection, intruder detection, robotics, microphone detection with SDR (Salamandra) and biohacking.




María José Erquiaga

María José is a malware researcher from Argentina. She is a researcher and teacher at the University of Cuyo, Mendoza Argentina. She has been a collaborator in the Stratosphere laboratory since 2015. She is a member of the Aposemat project, a joint project between the Stratosphere laboratory and Avast. This project aims to execute malware and capture it from honeypots. Maria's work has been focused on executing and analysing malware for IoT devices.




Anna Shirokova

Anna is a security researcher from Russia, currently based in Prague, Czech Republic. She joined Avast's IoT research team where she focuses on the IoT threat landscape. She is also a collaborator in the Stratosphere IPS Aposemat project. This is a joint project with Avast to create, publish and analyse malware attacks on IoT devices.


   Read paper    Watch video

Back to VB2019 Programme page

Other VB2019 papers

Keynote address: Tales from the NCSC: the daily battle to defend a country in cyberspace

Paul Chichester (National Cyber Security Centre, UK)

Attor: spy platform with curious GSM fingerprinting

Zuzana Hromcová (ESET)

DNS on fire

Warren Mercer (Cisco Talos)
Paul Rascagneres (Cisco Talos)

We have placed cookies on your device in order to improve the functionality of this site, as outlined in our cookies policy. However, you may delete and block all cookies from this site and your use of the site will be unaffected. By continuing to browse this site, you are agreeing to Virus Bulletin's use of data as outlined in our privacy policy.