An illegal proxy paired with chat log leaks betrays the Geost gang

Researchers lift the lid on the Geost botnet at Virus Bulletin Conference

UPDATE A series of gross operational security mistakes have lifted the veil on the practices of botmasters and other associated crooks behind Geost, a banking botnet agent that affects Android devices.

With hundreds of malicious domains and 13 command-and-control (C&C) servers, the Geost botnet has claimed approximately 800,000 victims in Russia and has potential access to several million euros in bank accounts, according to research presented at the Virus Bulletin conference on Wednesday.

Geost is typically delivered via fake applications that, if installed, allows crooks to loot financial accounts tied to banking apps accessed via a compromised Android smartphone or tablet.

Geost made use of the HtBot malware’s illegal proxy network. This meant that crooks were effectively trusting other attackers that practice even less operational security (OpSec).

Three researchers – academics Sebastian García and Maria Jose Erquiaga, who worked together with Anna Shirokova of Avast – had been running traffic analysis of the HtBot malware for some months, allowing them to discover when a group of infected computers were being used to manage infected Android phones, leading to the discovery of the Goest botnet.


YOU MIGHT ALSO LIKE 20 years of DDoS attacks: What has changed?


The HtBot malware has been used to provide a platform for a proxy service that can be rented to provide supposedly secure connecting hosts for malicious activity.

“Despite operating since at least 2016, the Goest botnet remained unknown until its traffic was captured on the HtBot malware,” the researchers explain, adding that the crooks wrongly estimated the risk of using a service that was being tracked in a security laboratory.

Worse yet, the operators of the botnet hired a group of developers with very low OpSec, who disclosed links, names, and credentials in their chats. A portion of these Skype chats were leaked.

“There was a leaked document on a public website that detailed the chatting activities of a group of developers working on the C&C website of the botnet,” the researchers explain. “Since the chat was conducted over Skype, it is possible that it was leaked by a member of the group.

“The chat log revealed that credentials were commonly passed unencrypted in the chat, giving access to very important information about them,” they added.

More on the content of the leaked chat logs, as well as a link to the paper, can be found in a blog post by Avast.

In addition, the miscreants behind Geost failed to encrypt the C&C servers, making it possible to identify the traffic and the content of the communications.

Lastly, the attackers used the same protection service multiple times. This allowed repeated monitoring of the attackers and the capture of credentials.

A chain of small mistakes was enough to disclose the operation of a large Android banking trojan botnet.

I ain’t afraid of no Geost

These various operational security mistakes exposed the probable real names of members of an underground group behind Geost botmasters.

These names remain unconfirmed and have not been published by the researchers.

“As far as we’re aware, there have been no criminal prosecutions against these people,” Avast's Shirokova told The Daily Swig.

“We have contacted Russian CERT alerting them of the discovery but have yet to receive a response, so no further information has been disclosed at this stage.”

Russian police will also be notified, Shirokova said.

“So far, we have found a lot of fraudulent WebSpam advertisement, brute-forcing of Twitter logins, and a social network and dating scams,” she added.

“And of course the Geost botnet.”

OpSec can be viewed as a risk management process that involves an assessment of practices from the perspective of a potential adversary in order to prevent sensitive information falling into the wrong hands.

The methodology can be applied to ethical security operations as much as it can to something more nefarious.

Maintaining good OpSec, in general, is difficult because it increases the cost of work and decreases the speed of actions.

It’s a hassle but its importance is illustrated by how the many OpSec mistakes made by the crooks behind Geost betrayed their secrets.


This article has been updated to include comment from Anna Shirokova.


RELATED Region-specific software offers rich pickings for state-sponsored attackers