Octo2 Banking Trojan
Security researchers have identified an updated variant of the Android banking Trojan known as Octo. The new build adds features intended to make device takeover (DTO) more reliable and to enable fraudulent transactions carried out from the victim's own device.
Dubbed Octo2 by its creators, the new version has been distributed in malicious campaigns across European countries including Italy, Poland, Moldova and Hungary. Its developers have focused on improving the stability of the remote-control actions required for a successful device takeover.
The Emergence of the Octo Mobile Malware
Octo was first identified by researchers in early 2022 and is attributed to a threat actor operating under the online aliases Architect and goodluck. It has been assessed as a 'direct descendant' of the Exobot malware, which was first observed in 2016 and later gave rise to another variant, Coper, in 2021.
Exobot itself was built from the source code of the Marcher banking Trojan and was actively maintained until 2018, targeting financial institutions in campaigns aimed primarily at Turkey, France and Germany, as well as Australia, Thailand and Japan. It was followed by a streamlined version, ExobotCompact, released on dark web forums by a threat actor known as 'android'.
Applications Carrying the Octo2 Banking Trojan
Malicious applications known to carry Octo2 include apps posing as Europe Enterprise (com.xsusb_restore3), Google Chrome (com.havirtual06numberresources) and NordVPN (com.handedfastee5).
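The package names above are the only concrete indicators the page gives, and the quickest check on a suspect handset is to compare them against what `adb shell pm list packages -f` reports. The following is an added triage example, not code from the page or from the researchers who analysed Octo2; the sample `pm` output is constructed, and the match list will not cover future campaigns, which will use different package names.

```python
import re
from typing import Dict, List

# Package names of the Octo2 droppers named in the text. Future campaigns will
# use different names, so this set is sample-specific, not exhaustive.
OCTO2_PACKAGES = {
    "com.xsusb_restore3": "Europe Enterprise",
    "com.havirtual06numberresources": "Google Chrome",
    "com.handedfastee5": "NordVPN",
}

# `adb shell pm list packages -f` prints one line per package:
#   package:<apk path>=<package name>
_PM_LINE = re.compile(r"^package:(?P<path>.+?)=(?P<pkg>[\w.]+)\s*$")


def parse_pm_list(pm_output: str) -> Dict[str, str]:
    """Map package name -> APK path from `pm list packages -f` output."""
    installed: Dict[str, str] = {}
    for line in pm_output.splitlines():
        m = _PM_LINE.match(line.strip())
        if m:
            installed[m.group("pkg")] = m.group("path")
    return installed


def find_octo2_packages(pm_output: str) -> List[dict]:
    """One record per installed package whose name matches a known Octo2 dropper."""
    hits = []
    for pkg, path in parse_pm_list(pm_output).items():
        if pkg in OCTO2_PACKAGES:
            hits.append({"package": pkg, "apk_path": path, "impersonates": OCTO2_PACKAGES[pkg]})
    return hits


# Constructed sample output (not captured from a real device). Note that the
# real Chrome and NordVPN packages sit beside the impostor and are not flagged.
SAMPLE_PM_OUTPUT = """\
package:/system/app/Bluetooth/Bluetooth.apk=com.android.bluetooth
package:/data/app/~~Q1w2E3r4==/com.android.chrome-aBcDeF==/base.apk=com.android.chrome
package:/data/app/~~Zz9yX8w7==/com.havirtual06numberresources-GhIjKl==/base.apk=com.havirtual06numberresources
package:/data/app/~~M4n5B6v7==/com.nordvpn.android-MnOpQr==/base.apk=com.nordvpn.android
"""

if __name__ == "__main__":
    # On a live device, feed in the stdout of:
    #   subprocess.run(["adb", "shell", "pm", "list", "packages", "-f"], capture_output=True, text=True)
    for hit in find_octo2_packages(SAMPLE_PM_OUTPUT):
        print(f"{hit['package']} (poses as {hit['impersonates']}) at {hit['apk_path']}")
```

A hit gives you the APK path to pull with `adb pull` for further analysis; a miss proves nothing, since the dropper may be removed after the Octo2 payload is installed under yet another package name.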
These rogue Android applications are built with a known APK binding service called Zombinder. The service trojanizes a legitimate application so that, once installed, it prompts the victim to install a 'necessary plugin'; that plugin is the actual malware payload, in this case Octo2.
There is currently no evidence that Octo2 is being distributed through the Google Play Store, which implies that victims are either sideloading the applications from untrusted sources or being tricked into installing them through social engineering.
With the original Octo source code already leaked and in the hands of various threat actors, Octo2 builds on that base with more robust remote access capabilities and stronger obfuscation.
Octo2 is Equipped with Expanded Threatening Capabilities
Another significant development, according to Team Cymru, is Octo's evolution into a Malware-as-a-Service (MaaS) model, in which the developer profits by renting the malware to cybercriminals who run their own information-theft operations.
To promote the update, the Octo owner announced that Octo2 would be available to existing Octo1 customers at the same price, with early access options. Researchers expect existing Octo1 users to migrate to Octo2, increasing its presence in the global threat landscape.
One of the key enhancements in Octo2 is a Domain Generation Algorithm (DGA) used to derive the names of its Command-and-Control (C2) servers, alongside improvements in overall stability and anti-analysis techniques.
A DGA-based C2 scheme gives the operators a significant advantage: they can rotate to new C2 servers quickly, which blunts domain name blocklists and makes the infrastructure more resilient to takedown efforts.
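The rotation described above, and the two responses a defender has to it, as an added example. This is not Octo2's code and not its real DGA, whose details the page does not give: the date-seeded SHA-256 scheme, the secret, the domain count, the detection thresholds and the DNS log lines are all assumptions constructed for illustration. The caveat it demonstrates is the flip side of the advantage: once the algorithm and its seed are recovered from a sample, the operator's future domains can be precomputed and blocked or sinkholed in advance, and until then high-entropy lookups in DNS telemetry are the cheap signal to triage.

```python
import hashlib
import math
from datetime import date, timedelta
from typing import List, Set


def generate_domains(day: date, secret: bytes, count: int = 5, tld: str = ".net") -> List[str]:
    """Illustrative time-seeded DGA (hypothetical; not Octo2's real algorithm).
    Bot and operator both derive the day's candidate names from a shared secret
    and the date; the operator registers one, the bot tries them in order."""
    domains = []
    for i in range(count):
        material = secret + day.isoformat().encode() + i.to_bytes(2, "big")
        digest = hashlib.sha256(material).digest()
        # Map the first 12 digest bytes onto lowercase letters for the label.
        label = "".join(chr(ord("a") + b % 26) for b in digest[:12])
        domains.append(label + tld)
    return domains


def predict_window(secret: bytes, start: date, days: int, count: int = 5) -> Set[str]:
    """Defender side: with the algorithm and seed recovered from a sample,
    precompute every candidate for the coming days to block or sinkhole them."""
    names: Set[str] = set()
    for offset in range(days):
        names.update(generate_domains(start + timedelta(days=offset), secret, count))
    return names


def shannon_entropy(s: str) -> float:
    """Bits of entropy per character in s."""
    n = len(s)
    return -sum(s.count(c) / n * math.log2(s.count(c) / n) for c in set(s))


VOWELS = set("aeiou")


def looks_algorithmic(qname: str, entropy_floor: float = 3.2, vowel_ceiling: float = 0.25) -> bool:
    """Cheap triage heuristic for DNS telemetry when the DGA is not yet known:
    long second-level label, high character entropy, few vowels.
    The thresholds are assumptions; tune them on your own traffic."""
    label = qname.rstrip(".").split(".")[0]
    if len(label) < 8:
        return False
    vowel_ratio = sum(c in VOWELS for c in label) / len(label)
    return shannon_entropy(label) >= entropy_floor and vowel_ratio < vowel_ceiling


# Constructed DNS log lines (not real telemetry): "<timestamp> <client> query <qname>"
SAMPLE_DNS_LOG = [
    "2024-09-20T10:00:01Z 10.0.0.5 query google.com.",
    "2024-09-20T10:00:02Z 10.0.0.5 query bankofexample.com.",
    "2024-09-20T10:00:03Z 10.0.0.7 query xkqzvwjrtplm.net.",
]


def flag_dns_queries(lines: List[str]) -> List[str]:
    """Return the queried names from the log that trip the heuristic."""
    return [q for q in (line.split()[-1].rstrip(".") for line in lines) if looks_algorithmic(q)]


if __name__ == "__main__":
    secret = b"example-secret"  # assumed; a real seed would be extracted from the sample
    today = date(2024, 9, 20)
    print("today's candidates:", generate_domains(today, secret, 3))
    print("precomputed blocklist for 7 days:", len(predict_window(secret, today, 7, 3)), "names")
    print("suspicious lookups:", flag_dns_queries(SAMPLE_DNS_LOG))
```

The entropy heuristic is a triage filter, not a verdict: legitimate CDN and tracking hostnames also score high, so its output should feed an analyst queue or be correlated with other signals rather than block outright. The precomputed list is the stronger control, but it only works for as long as the operator keeps the same algorithm and seed.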
Its ability to carry out on-device fraud without detection, harvest sensitive data, and be customized with little effort by different threat actors raises the risk for mobile banking users worldwide.