I’ve stumbled upon an iBanking sample whose C&C is still active despite being well known, so I decided to take a peek inside.

The IP is 192.227.181.203, which currently resolves to bxateca[.]net.

Inside there is evidence of other associated domains; overall, these domains most likely pointed at this very same server in the past too:

security-otp[.]com
seznam-security[.]com
android-security[.]com
otp-security[.]com
mynamesmith[.]com
guniches[.]net
izbura[.]net
bxateca[.]net

Some screenshots:

There are 10 operators (users) associated with different “projects” (botnets), for a grand total of ~1400 bots. The infected mobile numbers appear to be from the Czech Republic.

Botnet names:

Features:

Logs show recent activity:

28-02-2015 (13:12:29) : http://guniches.net/iBanking/sms/sync.php command: none
28-02-2015 (13:13:24) : http://guniches.net/iBanking/sms/sync.php command: none
28-02-2015 (13:14:32) : http://guniches.net/iBanking/sms/sync.php command: none
[...]
18-03-2015 (19:35:47) : makeSoundOn return
18-03-2015 (19:35:47) : makeSoundOn return
18-03-2015 (19:41:15) : wwwService onCreate
18-03-2015 (19:41:16) : AlarmService onStartCommand
18-03-2015 (19:41:19) : Send init sms OK
18-03-2015 (19:41:19) : Send sms OK | +79153559431 | i am (89701010063819255095 + Samsung SM-G900F)
18-03-2015 (19:41:20) : http://izbura.net/iBanking/sms/sync.php command: sms list
20-03-2015 (11:10:56) : wwwService onCreate
20-03-2015 (11:10:56) : AlarmService onStartCommand
27-03-2015 (12:21:57) :
27-03-2015 (12:21:59) :
27-03-2015 (12:22:17) :
27-03-2015 (12:25:27) :
27-03-2015 (12:32:06) :
27-03-2015 (12:32:13) :
[...]
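The panel log has a fixed shape: a date, a time in parentheses, a colon, then a free-text message in which the bot's sync.php check-ins and the "Send sms OK" entries are the parts worth pulling out (check-in hosts and commands give the C&C infrastructure and operator activity; the SMS entries show the initial device-registration message going to a phone number). The following is an added example, not code from the post or from the panel, that parses the log format above, classifies each entry and summarises the C&C hosts, commands and SMS registrations. The sample input is a copy of the log excerpt shown above (with the repeated and elided entries trimmed); the regexes and function names are my own.

```python
import re
from collections import Counter
from urllib.parse import urlparse

# Log excerpt copied from the panel log shown in the post above (trimmed;
# the last entry reproduces one of the blank-message lines).
PANEL_LOG = """\
28-02-2015 (13:12:29) : http://guniches.net/iBanking/sms/sync.php command: none
28-02-2015 (13:13:24) : http://guniches.net/iBanking/sms/sync.php command: none
28-02-2015 (13:14:32) : http://guniches.net/iBanking/sms/sync.php command: none
18-03-2015 (19:35:47) : makeSoundOn return
18-03-2015 (19:41:15) : wwwService onCreate
18-03-2015 (19:41:16) : AlarmService onStartCommand
18-03-2015 (19:41:19) : Send init sms OK
18-03-2015 (19:41:19) : Send sms OK | +79153559431 | i am (89701010063819255095 + Samsung SM-G900F)
18-03-2015 (19:41:20) : http://izbura.net/iBanking/sms/sync.php command: sms list
20-03-2015 (11:10:56) : wwwService onCreate
27-03-2015 (12:21:57) :
"""

# "DD-MM-YYYY (HH:MM:SS) : message"; the message may be empty.
LINE_RE = re.compile(r"^(\d{2}-\d{2}-\d{4}) \((\d{2}:\d{2}:\d{2})\) :\s?(.*)$")
# C&C check-in: URL followed by the command the panel handed back.
SYNC_RE = re.compile(r"^(https?://\S+) command: (.*)$")
# Outbound SMS record: destination number and message body.
SMS_RE = re.compile(r"^Send sms OK \| (\S+) \| (.*)$")


def parse_log(text):
    """Return one dict per log line, tagged as sync / sms / empty / other."""
    entries = []
    for raw in text.splitlines():
        m = LINE_RE.match(raw)
        if not m:
            continue  # not a panel log line; ignore
        date, time, msg = m.groups()
        entry = {"date": date, "time": time, "msg": msg.strip(), "kind": "other"}
        s = SYNC_RE.match(entry["msg"])
        t = SMS_RE.match(entry["msg"])
        if s:
            entry["kind"] = "sync"
            entry["url"] = s.group(1)
            entry["host"] = urlparse(s.group(1)).hostname
            entry["command"] = s.group(2).strip()
        elif t:
            entry["kind"] = "sms"
            entry["to"] = t.group(1)
            entry["body"] = t.group(2)
        elif not entry["msg"]:
            entry["kind"] = "empty"
        entries.append(entry)
    return entries


def c2_hosts(entries):
    """Check-in count per C&C host (the domains the bot synced against)."""
    return Counter(e["host"] for e in entries if e["kind"] == "sync")


def commands(entries):
    """How often each panel command was issued to the bot."""
    return Counter(e["command"] for e in entries if e["kind"] == "sync")


def sms_registrations(entries):
    """(destination, body) pairs for every SMS the bot reported sending."""
    return [(e["to"], e["body"]) for e in entries if e["kind"] == "sms"]


if __name__ == "__main__":
    parsed = parse_log(PANEL_LOG)
    print("C&C hosts:", dict(c2_hosts(parsed)))
    print("commands:", dict(commands(parsed)))
    for to, body in sms_registrations(parsed):
        print("SMS to", to, "->", body)
```

Run against the excerpt, this gives two check-in hosts (guniches.net three times, izbura.net once), the commands "none" and "sms list", and the single registration SMS; on a full log export the same per-host and per-command counts are a quick way to see which domains were live in which period and how active the operator was.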

The samples currently on the panel are:

FacebookOTP.apk - b50de8151649ba8ffd67404195e611db
SeznamOTP.apk - b90161d546bb65ed4c087658137ca4c9

Screenshots from the APKs:

A point of interest is a custom script on the panel that links users infected both by this iBanking and by another banking trojan (I don’t know which one). The other panel is on a different server and looks like it is still active:

https://37.187.249.180/panel/show?action=domain_list&botid={ID}&prj_version={PRJ}

That’s all.