IBM X-Force Research noted a recent shift in the targets of the Marcher mobile bot. Per X-Force analysis of Marcher samples, the malware has just added nine major bank brands in the U.K. to its target list. This mobile malware already goes after financial entities in other countries, including Germany, Austria, France, Australia and Turkey.

About the Marcher Mobile Bot

According to X-Force intelligence, Marcher first appeared in the wild in late 2013. It is known to be a commercial offering sold in Russian-speaking underground forums by its supposed developer or distribution accomplices.

In the first year of its activity, Marcher did not target banks; initially, it was only used by its various operators to steal credit card information from infected victims. To do so, a phishing overlay screen was triggered when users accessed the Google Play app store, plastering a fake window on top of the app store’s activity to request users’ credit card number, expiration date and CVV2 code. In 2014, Marcher began targeting banks, starting with a large bank in Germany, PhishLabs reported.

Aggregating Marcher configurations gives a view of its top target geographies (first figure below). The U.K. was added to the list in late May 2016.

Carefully matching each bank’s look and feel, Marcher adapts its fake overlay screens to the organizations it targets. The adaptation is most likely programmed by the original malware developer for an extra fee. However, overlay screens are not complicated to make and can be created by outsourced black-hat developers or the malicious operators.

The second figure below shows Marcher’s targets per app type. Its operators intend to focus on banking applications, but it also has the potential to be used in other credential theft scenarios.

Geared Toward Financial Fraud

Marcher is classified as banking malware, and as such, it is designed to facilitate online banking, e-commerce and payment fraud. Marcher’s theft capabilities allow operators to turn user devices into a central place where they can harvest both credentials and two-factor authentication elements.

Since victims are lured into divulging their credentials in real time, cybercriminals who operate Marcher do not patiently wait for users to launch a banking app or browse to their bank’s site at their convenience. To urge infected victims to log in, the malware sends a social engineering SMS message to the device, indicating that a money transfer was made into their account.

The curious user is inclined to look into the unexpected transfer and promptly accesses the account. This is the moment Marcher takes action and launches a phishing screen overlay on top of the mobile app/browser. The user unknowingly taps access credentials into the overlay, inadvertently allowing Marcher to steal them.

To vet the validity of the just-phished credentials, Marcher first tests them against the bank’s server and only sends them to the C&C server after a successful login. In this way, Marcher’s operators ensure the utmost data quality.

To use the credentials for online banking fraud, Marcher’s operators further rely on the Trojan’s ability to hijack SMS messages and selectively forward phone calls from the device. In some cases, these two deliver authentication elements required for authorizing money transfers or confirming changes made to the account information.

By having a means to obtain these extra pieces of information from the same infected device, Marcher’s operators can potentially initiate fraudulent transactions from victim bank accounts in a device takeover scenario — all using an endpoint the fraudster controls.

In cases where Marcher’s operators do not target specific banks, the Trojan launches a fake overlay screen upon the launch of any app and demands credit card information.

Marcher’s control of the device’s SMS relay and phone calls also allows it to initiate covert text messages/calls to premium toll numbers registered by the cybercriminals in foreign countries, which generates even more illicit income.

Banking App or Web Browser? It No Longer Matters!

When it comes to overlay malware, other code varieties — such as GM Bot, Slembunk or Acecard — plaster fake overlay screens upon the launch of a banking application on a mobile device. Marcher has now supplemented that with overlay screens that plaster over the web browser when users navigate to their bank’s site.

Much like PC Trojans, the malware looks for specific bank apps and bank URLs. For that, it possesses a configuration that instructs it on when to take action, what to fetch and from where to obtain it. For example, Marcher comes loaded with hard-coded screens for some banks it targets, but it also dynamically fetches overlays for a long list of other bank apps.

On top of those two options to launch screens on app windows, Marcher also targets bank website URLs. The malware goes into action when victims use the browser to navigate to predefined URLs, fetching the overlay in real time. Browser overlays are launched upon access to banking sites in Austria and Australia, as well as a popular online payments app. Once users enter their information into the fake screen, the data is sent to the attacker’s control server.

Beyond its overlay screens, the Marcher mobile bot possesses an SMS hijacking module in addition to call and message diversion options. It can perform data exfiltration of a user’s browser history, contact list and the list of installed apps on the device.

Marcher is commercially accessible to different groups of cybercriminals. It is spread to devices via spam emails and text messages that lead users to believe they are downloading a Flash update, even sending them to a download site and providing installation instructions.

Antivirus Blocking, Too

With user awareness growing in the mobile threat space, Marcher’s operators have taken into account that devices could be protected by antivirus programs. To improve its chances of infection, this Android malware blocks a list of eight popular antivirus apps. In some cases, Marcher sends notifications to the phone to advise the user that the antivirus app still fully protects the device.

Mitigating Marcher’s Fraud Potential

The Marcher Android malware does not presently affect iOS devices or other platforms. Classified as banking malware, it is designed to phish credentials and intercept the two-factor authentication elements sent to mobile devices. Mitigation should focus on detecting its overlay activity, SMS hijacking actions and unauthorized access to victim accounts in cases where credentials have been stolen.

Additional advice for users includes:

  • Do not follow any URLs from SMS messages or emails that offer app upgrades or tools.
  • Delete apps you no longer use and regularly update those you do.
  • Do not root or jailbreak your device.
  • Don’t activate sideloading on the device, and only obtain apps from official stores.
  • Read app permissions. If an app requests permissions that let it charge you money or run as admin/root, untick that option or cancel the installation.
  • Set up a locking code for the device.
  • Protect the device with adequate endpoint protection.
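The mitigation paragraph above says detection should focus on overlay activity and SMS hijacking, and the permission advice in the list is the user-facing version of the same idea. The following added example (written for this article, not X-Force or Marcher code) triages an Android manifest for the permission combination those behaviours require: drawing over other apps plus intercepting SMS, with sending SMS, call handling, contact/history access and a device-admin receiver as supporting signals. The permission names are real Android permissions; the grouping, tag names and the two sample manifests are my own constructions.

```python
import xml.etree.ElementTree as ET

ANDROID = "{http://schemas.android.com/apk/res/android}"

# Real Android permission names; the grouping into Marcher behaviours is my own.
PERMISSION_TAGS = {
    "overlay": {"android.permission.SYSTEM_ALERT_WINDOW"},
    "sms-intercept": {"android.permission.RECEIVE_SMS", "android.permission.READ_SMS"},
    "sms-send": {"android.permission.SEND_SMS"},
    "call-control": {"android.permission.CALL_PHONE", "android.permission.PROCESS_OUTGOING_CALLS"},
    "exfil": {"android.permission.READ_CONTACTS",
              "com.android.browser.permission.READ_HISTORY_BOOKMARKS"},
}

def triage(manifest_xml: str) -> list:
    """Return sorted behaviour tags implied by a manifest's permissions and components."""
    root = ET.fromstring(manifest_xml)
    perms = {e.get(ANDROID + "name") for e in root.iter("uses-permission")}
    tags = {tag for tag, needed in PERMISSION_TAGS.items() if perms & needed}
    # A receiver guarded by BIND_DEVICE_ADMIN means the app will ask for admin rights.
    if any(r.get(ANDROID + "permission") == "android.permission.BIND_DEVICE_ADMIN"
           for r in root.iter("receiver")):
        tags.add("device-admin")
    return sorted(tags)

def is_overlay_banker_profile(tags: list) -> bool:
    """Overlay drawing combined with SMS interception is the pattern the article
    describes; either capability alone is common in legitimate apps."""
    return "overlay" in tags and "sms-intercept" in tags

# Constructed manifests for illustration only, not real Marcher samples.
SUSPECT_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android" package="com.example.fakeflash">
  <uses-permission android:name="android.permission.SYSTEM_ALERT_WINDOW"/>
  <uses-permission android:name="android.permission.RECEIVE_SMS"/>
  <uses-permission android:name="android.permission.SEND_SMS"/>
  <uses-permission android:name="android.permission.CALL_PHONE"/>
  <uses-permission android:name="android.permission.READ_CONTACTS"/>
  <application><receiver android:name=".Admin"
    android:permission="android.permission.BIND_DEVICE_ADMIN"/></application>
</manifest>"""

BENIGN_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android" package="com.example.floatingnotes">
  <uses-permission android:name="android.permission.SYSTEM_ALERT_WINDOW"/>
</manifest>"""

if __name__ == "__main__":
    for name, manifest in (("suspect", SUSPECT_MANIFEST), ("benign", BENIGN_MANIFEST)):
        tags = triage(manifest)
        print(name, tags, "FLAG" if is_overlay_banker_profile(tags) else "ok")
```

The profile check is a triage heuristic for prioritising samples, not a verdict: a flagged manifest still needs the overlay and SMS code paths confirmed.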

You can find the relevant sample MD5 for Marcher on X-Force Exchange.
