Marcher Mobile Bot Adds UK Targets, Steps Up Banking Fraud Capabilities

IBM X-Force Research noted a recent shift in the targets of the Marcher mobile bot. Per X-Force analysis of Marcher samples, the malware has just added nine major bank brands in the U.K. to its target list. This mobile malware already goes after financial entities in other countries, including Germany, Austria, France, Australia and Turkey.

About the Marcher Mobile Bot

According to X-Force intelligence, Marcher first appeared in the wild in late 2013. It is known to be a commercial offering sold in Russian-speaking underground forums by its supposed developer or distribution accomplices.

In the first year of its activity, Marcher did not target banks; initially, it was only used by its various operators to steal credit card information from infected victims. To do so, a phishing overlay screen was triggered when users accessed the Google Play app store, plastering a fake window on top of the app store’s activity to request users’ credit card number, expiration date and CVV2 code. In 2014, Marcher began targeting banks, starting with a large bank in Germany, PhishLabs reported.

Aggregating Marcher configurations allows us to see a view of its top target geographies. The U.K. was added to the list in late May 2016.

Marcher Top Targeted Geographies per Current Configurations (Source IBM X-Force)

Carefully matching each bank’s look and feel, Marcher adapts its fake overlay screens to the organizations it targets. The adaptation is most likely programmed by the original malware developer for an extra fee. However, overlay screens are not complicated to make and can be created by outsourced black-hat developers or the malicious operators.

The second figure below shows Marcher’s targets per app type. Its operators intend to focus on banking applications, but it also has the potential to be used in other credential theft scenarios.

Marcher Top Targets per App Type (Source IBM X-Force)

Geared Toward Financial Fraud

Marcher is classified as banking malware, and as such, it is designed to facilitate online banking, e-commerce and payment fraud. Marcher’s theft capabilities allow operators to turn user devices into a central place where they can harvest both credentials and two-factor authentication elements.

Since victims are lured into divulging their credentials in real time, cybercriminals who operate Marcher do not patiently wait for users to launch a banking app or browse to their bank’s site at their convenience. To urge infected victims to log in, the malware sends a social engineering SMS message to the device, indicating that a money transfer was made into their account.

The curious user is inclined to look into the unexpected transfer and promptly accesses the account. This is the moment Marcher takes action and launches a phishing screen overlay on top of the mobile app/browser. The user unknowingly taps access credentials into the overlay, inadvertently allowing Marcher to steal them.

To vet out the validity of the just-phished credentials, Marcher first tests them against the bank’s server and only sends them to the C&C server after a successful login. In this way, Marcher’s operators ensure the utmost data quality.

To use the credentials for online banking fraud, Marcher’s operators further rely on the Trojan’s ability to hijack SMS messages and selectively forward phone calls from the device. In some cases, these two deliver authentication elements required for authorizing money transfers or confirming changes made to the account information.

By having a means to obtain these extra pieces of information from the same infected device, Marcher’s operators can potentially initiate fraudulent transactions from victim bank accounts in a device takeover scenario — all using an endpoint the fraudster controls.

In cases where Marcher’s operators do not target specific banks, the Trojan launches a fake overlay screen upon the launch of any app and demands credit card information.

Marcher’s control of the device’s SMS relay and phone calls also allows it to initiate covert text messages/calls to premium toll numbers registered by the cybercriminals in foreign countries, which generates even more illicit income.

Banking App or Web Browser? It No Longer Matters!

When it comes to overlay malware, other code varieties — such as GM Bot, Slembunk or Acecard — plaster fake overlay screens upon the launch of a banking application on a mobile device. Marcher has now supplemented that with overlay screens that plaster over the web browser when users navigate to their bank’s site.

Similarly to how PC Trojans operate, the malware is looking for specific bank apps and bank URLs. For that, it possesses a configuration that instructs it on when to take action, what to fetch and from where to obtain it. For example, Marcher comes loaded with hard-coded screens for some banks it targets, but it also dynamically fetches overlays for a long list of other bank apps.

On top of those two options to launch screens on app windows, Marcher also targets bank website URLs. The malware goes into action when victims use the browser to navigate to predefined URLs, fetching the overlay in real time. Browser overlays are launched upon access to banking sites in Austria and Australia, as well as a popular online payments app. Once users enter their information into the fake screen, the data is sent to the attacker’s control server.

Beyond its overlay screens, the Marcher mobile bot possesses an SMS hijacking module in addition to call and message diversion options. It can perform data exfiltration of a user’s browser history, contact list and the list of installed apps on the device.

Marcher is commercially accessible to different groups of cybercriminals. It is spread to devices via spam emails and text messages that lead users to believe they are downloading a Flash update, even sending them to a download site and providing installation instructions.

Antivirus Blocking, Too

With user awareness growing in the mobile threat space, Marcher’s operators have taken into account that devices could be protected by antivirus programs. To increase its potential of infection, this Android malware blocks a list of eight popular antivirus apps. In some cases, Marcher sends notifications to the phone to advise the user that the antivirus app still fully protects the device.

Mitigating Marcher’s Fraud Potential

The Marcher Android malware does not presently affect iOS devices or other platforms. Classified as banking malware, it is designed to phish credentials and intercept the two-factor authentication elements sent to mobile devices. Mitigation should focus on detecting its overlay activity, SMS hijacking actions and unauthorized access to victim accounts in cases where credentials have been stolen.

Additional advice for users includes:

  • Do not follow any URLs from SMS messages or emails that offer app upgrades or tools.
  • Delete apps you no longer use and regularly update those you do.
  • Do not root or jailbreak your device.
  • Don’t activate sideloading on the device, and only obtain apps from official stores.
  • Read app permissions. If they require options to charge you money, or be run as admin/root, untick that option or cancel the installation.
  • Set up a locking code for the device.
  • Protect the device with adequate endpoint protection.

You can find the relevant sample MD5 for Marcher on X-Force Exchange.

Read the white paper: Accelerating growth and digital adoption with seamless identity trust

Share this Article:
Limor Kessem

Executive Security Advisor, IBM

Limor Kessem is one of the top cyber intelligence experts at IBM Security. She is a seasoned security advocate, public speaker, and a regular blogger on the cutting-edge IBM Security Intelligence blog. Limor comes to IBM from organizations like RSA Security, where she spent 5 years as part of the RSA research labs and drove the FraudAction blog on RSA's Speaking of Security. She also served as the Marketing Director of Big Data analytics startup ThetaRay, where she created the company's cybersecurity thought leadership. Limor is considered an authority on emerging cybercrime threats. She participated as a highly appreciated speaker on live InfraGard New York webcasts (an FBI collaboration), spoke in RSA events worldwide, conducts live webinars on all things fraud and cybercrime, and writes a large variety of threat intelligence  publications. With her unique position at the intersection of multiple research teams at IBM, and her fingers on the pulse of current day threats, Limor covers the full spectrum of trends affecting consumers, corporations, and the industry as a whole. On the social side, Limor tweets security items as @iCyberFighter and is an avid Brazilian Jiu Jitsu fighter.