The GM Bot v2 released after source leak, it is more expensive of v2

After the source code of the Android banking Trojan GM Bot was leaked online, the new version GM Bot v2 was offered for sale.

The availability of the source code of a malware in the criminal underground represents a great opportunity for crooks that can customize the threat allowing its evolution in an unpredictable way.

After the source code of the Android banking Trojan GM Bot was leaked online, a new version of the threat appeared in the wild.

In February, the experts at IBM X-Force threat intelligence discovered the source code for Android malware GM Bot was leaked on an underground. The source code was leaked in December 2015, it includes the bot component and the control panel.

Of course, the code rapidly spread within the criminal ecosystem, it now that is available online for free malware developers started to work on it.

GM Bot appeared in the wild in 2014, when the authors were offering it in the Russian underground as a powerful instrument for mobile phishing.

The malware implements a number of features to target Android users, including intercepting SMS messages. The malware allows attackers to gain control of the targeted device, including the customization of fake screens.

In short, mobile banking Trojans such as GM Bot are a one-stop fraud shop for criminals:

They launch fake overlay windows that mimic bank applications to steal user credentials and payment card details.
They control the device’s SMS relay to eavesdrop, intercept and send out SMS messages.
They can forward phone calls to a remote attacker.
They have spyware features and can control the device via remote commands.

The original creator of the Android malware sold the rights to distribute GM Bot v1 (aka MazarBot) to other cyber criminal organizations that are offering it for $5000.

Other variants of GM Bot are known as MazarBot, SlemBunk, Bankosy, Acecard and Slempo.

The new GM Bot v2 variant, which is currently in a testing phase, was developed from scratch by the original developer using the moniker “GanjaMan.”

“After news from IBM X-Force about the leak of Android malware GM Bot’s source code, the author of GM Bot released a second version of the malware. News of v2 came from the official GM Bot developer and vendor, a user going by the alias GanjaMan in venues where the malware is sold.” wrote Limor Kessem, cybersecurity evangelist at IBM.

“According to an underground forum post authored by GM Bot’s vendor, it took six months’ worth of work for this updated version of GM Bot. GanjaMan adds that v2 was “written from scratch,” perhaps in order to emphasize that it does not use the previous version’s code, which was recently leaked by one of its dubious customers.”

According to the experts at the IBM Security, GanjaMan explained that GM Bot v2 includes three different Android exploits that can be used to infect mobile devices. The exploits have been already fixed by Google, so it is likely GanjaMan will add other exploits in the coming variants.

The developer announced also significant improvements for the malware, including rootkit features and the use of the Tor communication channel.

The new GM Bot v2 variant that includes all the available packages and exploits costs $15,000 and an additional $2,000 monthly rental fee that must be paid starting with the second month of use.

Cybercriminals can decide to not pay for the exploits, in this case GM Bot v2 goes for $8,000 and a $1,200 monthly rental fee.

“Judging by past cases of underground malware vendors, the monthly rental fees are most likely technical support fees. Trojan vendors have been known to run into debilitating operational issues as a result of having to provide support to their buyers without getting paid for the extra time spent on resolving issues, bugs and technical questions. The monthly fee concept helps the developers hire tech support agents to handle requests while they continue to develop and sell the malware,” continues Kessem.

GanjaMan is also searching for peers pay-per-install accomplices and cybercriminals who can help with directing Web traffic in countries his buyers would be interested in targeting.

Stay Tuned.

[adrotate banner=”9″]

[adrotate banner=”12″]

Pierluigi Paganini

(Security Affairs – Botnet, GM Bot v2)

[adrotate banner=”5″]

[adrotate banner=”13″]

Pierluigi Paganini

Pierluigi Paganini is member of the ENISA (European Union Agency for Network and Information Security) Threat Landscape Stakeholder Group and Cyber G7 Group, he is also a Security Evangelist, Security Analyst and Freelance Writer. Editor-in-Chief at "Cyber Defense Magazine", Pierluigi is a cyber security expert with over 20 years experience in the field, he is Certified Ethical Hacker at EC Council in London. The passion for writing and a strong belief that security is founded on sharing and awareness led Pierluigi to find the security blog "Security Affairs" recently named a Top National Security Resource for US. Pierluigi is a member of the "The Hacker News" team and he is a writer for some major publications in the field such as Cyber War Zone, ICTTF, Infosec Island, Infosec Institute, The Hacker News Magazine and for many other Security magazines. Author of the Books "The Deep Dark Web" and “Digital Virtual Currency and Bitcoin”.