Security Researchers Publish Gigabud Banking Malware Analysis

Cybersecurity researchers have published a new analysis of the elusive Gigabud banking malware. 

Originating as an Android Remote Access Trojan (RAT), Gigabud was first observed in September 2022, causing ripples of concern across financial institutions in the Asia-Pacific region. 

At the request of a Thailand-based financial organization customer, Group-IB’s experts began deciphering the malware’s distinctive modus operandi shortly after the request came in.

According to an advisory published by the Group-IB Malware Analysis team earlier today, unlike conventional malware, Gigabud doesn’t execute its malicious actions immediately, but waits for user authorization, making it substantially harder to detect. 

“Instead of using HTML overlay attacks, Gigabud RAT gathers sensitive information primarily through screen recording,” reads the report.

“With screen capturing, Gigabud is a powerful remote device access tool allowing the threat actor to access the victim’s account. It allows the threat actor to perform gestures on the user’s device. This leads to the possibility of evading defense, authentication (including two-factor authentication), and creating automated payments from the victim’s device.”
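The capability pair the report describes, watching the screen while driving it with injected gestures, leaves traces in an Android app's manifest that an analyst can triage before running a sample. The script below is an added example written for this article, not code from Group-IB or from the Gigabud analysis: it parses a constructed AndroidManifest.xml, maps real Android permission and intent names to the capabilities they suggest, and scores the screen-capture plus accessibility-driven-input combination highest. The capability grouping, the weights and the verdict thresholds are assumptions made for this example. One caveat worth keeping in mind: `FOREGROUND_SERVICE_MEDIA_PROJECTION` only exists from Android 14 (API 34), and earlier releases grant MediaProjection screen capture at runtime with no manifest permission, so a missing screen-capture marker is not evidence of absence.

```python
"""Manifest triage heuristic for screen-capture + remote-gesture capability.

Added example, not part of the Group-IB advisory. Permission and intent names
are real Android identifiers; the grouping, weights and thresholds are
assumptions chosen for illustration.
"""
import xml.etree.ElementTree as ET

A = "{http://schemas.android.com/apk/res/android}"  # Android attribute namespace

ACCESSIBILITY_BIND = "android.permission.BIND_ACCESSIBILITY_SERVICE"
ACCESSIBILITY_ACTION = "android.accessibilityservice.AccessibilityService"

# Permission -> (capability it suggests, weight). Weights are an assumption.
PERMISSION_CAPABILITIES = {
    "android.permission.FOREGROUND_SERVICE_MEDIA_PROJECTION": ("screen_capture", 3),
    "android.permission.RECEIVE_SMS": ("sms_access", 2),
    "android.permission.READ_SMS": ("sms_access", 2),
    "android.permission.REQUEST_INSTALL_PACKAGES": ("sideload", 1),
    "android.permission.SYSTEM_ALERT_WINDOW": ("overlay", 1),
}


def parse_manifest(xml_text: str) -> dict:
    """Extract the package name, requested permissions and any service that is
    wired up as an AccessibilityService (the API an app needs to inject gestures)."""
    root = ET.fromstring(xml_text)
    perms = {el.get(A + "name") for el in root.iter("uses-permission")}
    perms.discard(None)
    accessibility_services = []
    for svc in root.iter("service"):
        actions = {act.get(A + "name") for act in svc.iter("action")}
        if svc.get(A + "permission") == ACCESSIBILITY_BIND or ACCESSIBILITY_ACTION in actions:
            accessibility_services.append(svc.get(A + "name"))
    return {
        "package": root.get("package"),
        "permissions": perms,
        "accessibility_services": accessibility_services,
    }


def assess(info: dict) -> tuple:
    """Return (score, reasons). The screen-capture + input-injection pair gets an
    extra bonus because it is the combination that enables remote account takeover."""
    caps = {}
    for perm in info["permissions"]:
        if perm in PERMISSION_CAPABILITIES:
            cap, weight = PERMISSION_CAPABILITIES[perm]
            caps[cap] = max(caps.get(cap, 0), weight)
    if info["accessibility_services"]:
        caps["input_injection"] = 3
    score = sum(caps.values())
    reasons = sorted(caps)
    if "screen_capture" in caps and "input_injection" in caps:
        score += 4  # bonus weight is an assumption for this example
        reasons.append("screen_capture+input_injection combo")
    return score, reasons


def verdict(score: int) -> str:
    """Thresholds are an assumption; tune them against a known-good app corpus."""
    if score >= 7:
        return "high"
    if score >= 3:
        return "medium"
    return "low"


# Constructed manifests for demonstration; neither is a real Gigabud sample.
SUSPICIOUS_MANIFEST = """<?xml version="1.0" encoding="utf-8"?>
<manifest xmlns:android="http://schemas.android.com/apk/res/android"
          package="com.example.taxrefund">
  <uses-permission android:name="android.permission.INTERNET"/>
  <uses-permission android:name="android.permission.FOREGROUND_SERVICE_MEDIA_PROJECTION"/>
  <uses-permission android:name="android.permission.RECEIVE_SMS"/>
  <uses-permission android:name="android.permission.REQUEST_INSTALL_PACKAGES"/>
  <application>
    <service android:name=".HelperService"
             android:permission="android.permission.BIND_ACCESSIBILITY_SERVICE">
      <intent-filter>
        <action android:name="android.accessibilityservice.AccessibilityService"/>
      </intent-filter>
    </service>
  </application>
</manifest>"""

BENIGN_MANIFEST = """<?xml version="1.0" encoding="utf-8"?>
<manifest xmlns:android="http://schemas.android.com/apk/res/android"
          package="com.example.flashlight">
  <uses-permission android:name="android.permission.CAMERA"/>
  <application/>
</manifest>"""


def triage(xml_text: str) -> dict:
    info = parse_manifest(xml_text)
    score, reasons = assess(info)
    return {"package": info["package"], "score": score,
            "verdict": verdict(score), "reasons": reasons}


if __name__ == "__main__":
    for manifest in (SUSPICIOUS_MANIFEST, BENIGN_MANIFEST):
        print(triage(manifest))
```

Running the script prints a high verdict for the constructed tax-refund app and a low one for the flashlight app. In practice this belongs in a pipeline that also checks the signing certificate (the advisory notes the RAT and Loan variants share one) and runtime behaviour, since manifest markers alone are easy to miss or to omit.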

Read more on malware relying on screen capture features: Android App ‘iRecorder – Screen Recorder’ Trojanized with AhRat

Further investigation revealed a two-pronged threat within the Gigabud family. Gigabud RAT, targeting several businesses and institutions across nations, aims to mimic trusted entities. Meanwhile, Gigabud Loan poses as fictional financial institutions, tricking users into revealing sensitive information under the guise of loan applications.

Notably, Gigabud.Loan has been posing as fictitious financial institution apps originating from Thailand, Indonesia and Peru since at least July 2022.

Further, the versions of Gigabud that Group-IB security experts have previously detailed encompass traits of both RAT and Loan. 

“Both Gigabud RAT and Gigabud Loan have the same architecture and share the same certificate, which is why Group-IB researchers attribute them to the same Gigabud family,” reads the advisory.

“From 2022 to 2023, Group-IB detected more than 400 Gigabud RAT samples and more than 20 Gigabud Loan samples based on VirusTotal hunting rules.”

The malware tools are distributed through phishing websites across Thailand, Indonesia, Vietnam, the Philippines and Peru. Perpetrators employ smishing tactics, using instant messengers, SMS or social networks to deliver links to victims, coercing them to access phishing websites under the pretext of undergoing a tax audit and claiming a tax refund. 

To counter Gigabud malware, Group-IB suggested financial firms monitor sessions, educate clients and deploy digital protection tools. Users should avoid risky links, be cautious about which apps they download and use VPNs on public Wi-Fi, among other things. A complete list of recommendations is available in the Group-IB advisory.
