The recently discovered mobile-banking trojan SlemBunk is proving more resilient than first thought and is actively being used in several ongoing campaigns.
Originally spotted by FireEye in mid-December, the malware has remained under study by the firm, which called it a "nasty Android banking malware." That additional work has unearthed several more features, including a much longer attack chain that helps the malware stay hidden.
“Before the invocation of the actual SlemBunk payload, up to three apps have to land on the device in order to fire the last deadly shot. This makes it much harder for analysts to trace the observed attacks back to their actual origin, and thus the malware can have a more persistent existence on the victim's device,” the researchers stated.
FireEye sketched out a typical attack scenario:
- A drive-by download delivers what FireEye calls a SlemBunk dropper, which installs the initial stage.
- The dropper unpacks the downloader logic.
- The downloader contacts the command and control (CnC) server.
- The SlemBunk payload is installed and presents a fake user interface to steal banking credentials.
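The point of the staged chain is that the app that finally steals credentials was not the one the victim downloaded, so an analyst looking only at the payload loses the trail. One way to recover it on a device or in an MDM feed is to link each install event to the app that performed it and walk that chain back. The following is an added example, not FireEye's code or data: the log format, field names, package names and hostnames are all constructed to mirror the dropper, downloader, CnC contact and payload stages listed above.

```python
"""Reconstruct a multi-stage Android install chain from device event logs.

Added example (not FireEye's code or data). The line format, field names,
package names and hostnames below are constructed for illustration; real
package-manager or logcat output differs and would need its own parser.
"""
import re
from collections import defaultdict

# Constructed sample feed: one install or network event per line.
SAMPLE_LOG = """\
2015-12-20T10:01:03Z install pkg=com.example.adult_player installer=com.android.browser src=http://drive-by.example/video.apk
2015-12-20T10:01:40Z install pkg=com.example.svc_update installer=com.example.adult_player
2015-12-20T10:02:05Z net pkg=com.example.svc_update dst=cnc.example.net
2015-12-20T10:02:30Z install pkg=com.example.bankhelper installer=com.example.svc_update
2015-12-20T10:05:00Z install pkg=com.example.weather installer=com.android.vending
"""

# Installers that are part of the platform rather than a prior malicious stage.
KNOWN_INSTALLERS = {"com.android.vending", "com.android.browser"}

LINE_RE = re.compile(r"^(?P<ts>\S+) (?P<kind>install|net) (?P<fields>.*)$")


def parse_events(text):
    """Parse the constructed log format into a list of event dicts."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # ignore lines that are not in the expected format
        fields = dict(kv.split("=", 1) for kv in m.group("fields").split())
        events.append({"ts": m.group("ts"), "kind": m.group("kind"), **fields})
    return events


def build_install_graph(events):
    """Map each installed package to the app (or platform component) that installed it."""
    return {e["pkg"]: e["installer"] for e in events if e["kind"] == "install"}


def trace_origin(installed_by, pkg):
    """Walk installer links from pkg back to an installer that has no install
    record of its own (the browser that served the drive-by, in the sample).
    Returns the chain in install order: origin first, pkg last."""
    chain = [pkg]
    seen = {pkg}
    while chain[-1] in installed_by and installed_by[chain[-1]] not in seen:
        parent = installed_by[chain[-1]]
        chain.append(parent)
        seen.add(parent)  # guard against a malformed log with a cycle
    return list(reversed(chain))


def flag_staged_installs(events, min_apps=3):
    """Flag packages that arrived through at least min_apps app-installed
    stages, and list any CnC hosts the intermediate stages contacted."""
    installed_by = build_install_graph(events)
    contacted = defaultdict(set)
    for e in events:
        if e["kind"] == "net":
            contacted[e["pkg"]].add(e["dst"])
    findings = {}
    for pkg in installed_by:
        chain = trace_origin(installed_by, pkg)
        apps = [p for p in chain if p not in KNOWN_INSTALLERS]
        if len(apps) >= min_apps:
            c2 = sorted(d for p in apps[:-1] for d in contacted.get(p, ()))
            findings[pkg] = {"chain": chain, "c2": c2}
    return findings


if __name__ == "__main__":
    for pkg, info in flag_staged_installs(parse_events(SAMPLE_LOG)).items():
        print(pkg, "<-", " <- ".join(reversed(info["chain"])), "| CnC:", info["c2"])
```

On the constructed sample only `com.example.bankhelper` is flagged: it sits three apps deep and the stage before it talked to `cnc.example.net`. A legitimate Play Store install (`com.example.weather`) and the two intermediate stages on their own fall below the threshold, which is the behaviour you want if the alert is to point at the final payload rather than at every app on the device.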
Other findings from the ongoing investigation indicate that the campaign is well organized and still evolving.
“First, the administrative interface hosted on the CnC server implies that the CnC server is customizable and that the SlemBunk payload can easily adapt per the attacker's specifications. Second, the timeline information for the domains associated with this attack showed that this campaign is very recent, still ongoing, and very likely to continue evolving into different forms. We will keep a close eye on its development,” the study said.
The FireEye researchers therefore expect the malware to keep changing and developing over time.