

Rewterz Threat Alert – New Versions of the Bazar Loader and Backdoor
July 21, 2020
Rewterz Threat Advisory – CVE-2020-3345 – Cisco Webex Meetings and Cisco Webex Meetings Server HTML Injection Vulnerability
July 22, 2020
Severity
High
Analysis Summary
Researchers report on an Android banking Trojan, dubbed "BlackRock", that appears to derive from Xerxes and LokiBot. The Xerxes source code has been publicly available since around May 2019. One of the changes made to that code base for BlackRock is an expanded target list: besides banking apps it now includes social media, networking, communication, and dating apps. Once installed on an Android device, BlackRock first hides its icon from the app drawer so that the user no longer sees it. It then requests access to the Accessibility Service, a well-known route to further privileges on Android. Once the user grants that access, BlackRock uses the service to grant itself the remaining permissions it needs, so no further user interaction is required, and then waits for instructions from its command-and-control server. If the user tries to open any of a number of Android anti-virus applications, the malware forces the user back to the home screen so the app cannot be used. Its capabilities include overlay attacks, SMS theft, hiding notifications, and keylogging.
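The capability set described above (an accessibility service used to self-escalate, overlay permission, SMS access, a notification listener) is visible in an APK's manifest before the app ever runs. The following static triage script is an added example for this alert, not Rewterz or ThreatFabric tooling; it takes a decoded AndroidManifest.xml (as produced by apktool, not the binary AXML inside the APK) and reports which of the alert's behaviours the declared permissions and services support. The sample manifest is constructed for the demo and is not taken from a BlackRock sample.

```python
"""Static triage of a decoded AndroidManifest.xml for the capability pattern
described in the alert: an accessibility service (privilege self-escalation,
keylogging, kicking AV apps to the home screen), overlay permission, SMS access
and a notification listener. Added example; not Rewterz or ThreatFabric tooling."""
import xml.etree.ElementTree as ET

ANDROID_NS = "{http://schemas.android.com/apk/res/android}"

# App-level permissions that map to behaviours named in the alert.
PERMISSION_HINTS = {
    "android.permission.SYSTEM_ALERT_WINDOW": "overlay attacks on top of targeted apps",
    "android.permission.RECEIVE_SMS": "interception of incoming SMS (OTP theft)",
    "android.permission.READ_SMS": "theft of stored SMS messages",
}
# Service-level permissions that gate the two system services the alert says are abused.
SERVICE_HINTS = {
    "android.permission.BIND_ACCESSIBILITY_SERVICE":
        "Accessibility Service: self-granting permissions, keylogging, blocking AV apps",
    "android.permission.BIND_NOTIFICATION_LISTENER_SERVICE":
        "notification listener: reading and hiding notifications",
}

# Constructed sample manifest shaped like a dropper posing as a media player
# (hypothetical package name; not a real BlackRock sample).
SAMPLE_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android" package="com.example.fakeplayer">
  <uses-permission android:name="android.permission.INTERNET"/>
  <uses-permission android:name="android.permission.SYSTEM_ALERT_WINDOW"/>
  <uses-permission android:name="android.permission.RECEIVE_SMS"/>
  <uses-permission android:name="android.permission.READ_SMS"/>
  <application android:label="Flash Player">
    <activity android:name=".MainActivity">
      <intent-filter>
        <action android:name="android.intent.action.MAIN"/>
        <category android:name="android.intent.category.LAUNCHER"/>
      </intent-filter>
    </activity>
    <service android:name=".A11y" android:permission="android.permission.BIND_ACCESSIBILITY_SERVICE">
      <intent-filter><action android:name="android.accessibilityservice.AccessibilityService"/></intent-filter>
    </service>
    <service android:name=".Notif" android:permission="android.permission.BIND_NOTIFICATION_LISTENER_SERVICE">
      <intent-filter><action android:name="android.service.notification.NotificationListenerService"/></intent-filter>
    </service>
  </application>
</manifest>
"""


def parse_manifest(xml_text):
    """Extract the fields the triage needs from a decoded (text) manifest."""
    root = ET.fromstring(xml_text)
    perms = {e.get(ANDROID_NS + "name") for e in root.iter("uses-permission")}
    svc_perms = {e.get(ANDROID_NS + "permission") for e in root.iter("service")}
    svc_perms.discard(None)  # services that declare no gating permission
    return {"package": root.get("package"),
            "permissions": perms,
            "service_permissions": svc_perms}


def triage(info):
    """Return [(evidence, why it matters)] for every capability the manifest declares."""
    findings = [(p, PERMISSION_HINTS[p]) for p in sorted(info["permissions"])
                if p in PERMISSION_HINTS]
    findings += [(p, SERVICE_HINTS[p]) for p in sorted(info["service_permissions"])
                 if p in SERVICE_HINTS]
    return findings


def is_suspicious(info):
    """Heuristic verdict: an accessibility service combined with overlay or SMS
    access is the pivot the alert describes. An accessibility service on its own
    is not enough (screen readers and automation apps declare one legitimately)."""
    a11y = "android.permission.BIND_ACCESSIBILITY_SERVICE" in info["service_permissions"]
    abuse = info["permissions"] & {"android.permission.SYSTEM_ALERT_WINDOW",
                                   "android.permission.RECEIVE_SMS",
                                   "android.permission.READ_SMS"}
    return a11y and bool(abuse)


if __name__ == "__main__":
    info = parse_manifest(SAMPLE_MANIFEST)
    print(info["package"], "suspicious:", is_suspicious(info))
    for evidence, why in triage(info):
        print(f"  {evidence}: {why}")
```

Two caveats when using this in practice: the icon-hiding step happens at runtime (the app disables its own launcher component after install), so the manifest still shows a normal LAUNCHER activity and nothing static flags it; and the verdict is a triage heuristic to prioritise samples for dynamic analysis, not a detection on its own.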

Impact
- Keylogging
- Information theft
- Locks users out of the device
Indicators of Compromise
SHA-256
- 51f9c37c3eec0b6f8325aa1c8fe64a0615ab920584042df557426473b1270b40
- 6fa4baef8a811f429cee4b383d7a4776b7b363b62551c8d8e0f93bad33adefbd
- 7d34aaf84754fb247507681bcd821f9533f24c6d78aa6779a11f4d789d4822ee
- 81fda9ff99aec1b6f7b328652e330d304fb18ee74e0dbd0b759acb24e7523d8c
- fbaf785edfafa583ea61884d88f507a27154892a394e27d81102f79fe7eb5b8f
Remediation
- Block all threat indicators at your respective controls.
- Search for IOCs in your environment.
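A minimal way to carry out the second remediation step on a mobile-device backup, an MDM file export, or a mail-gateway quarantine directory is to hash every candidate file and compare it against the SHA-256 list above. The script below is an added example, not Rewterz tooling; the hash set is copied from the Indicators of Compromise section, and the directory tree in demo_sweep() is constructed on the fly so the sweep can be exercised offline without any real sample.

```python
"""Sweep a directory tree for files whose SHA-256 matches the alert's indicators.
Added example, not Rewterz tooling. The hash set is copied from the Indicators
of Compromise section of the alert."""
import hashlib
import tempfile
from pathlib import Path

BLACKROCK_SHA256 = {
    "51f9c37c3eec0b6f8325aa1c8fe64a0615ab920584042df557426473b1270b40",
    "6fa4baef8a811f429cee4b383d7a4776b7b363b62551c8d8e0f93bad33adefbd",
    "7d34aaf84754fb247507681bcd821f9533f24c6d78aa6779a11f4d789d4822ee",
    "81fda9ff99aec1b6f7b328652e330d304fb18ee74e0dbd0b759acb24e7523d8c",
    "fbaf785edfafa583ea61884d88f507a27154892a394e27d81102f79fe7eb5b8f",
}


def sha256_of(path, chunk_size=1 << 20):
    """Stream the file through SHA-256 so large archives do not fill memory."""
    h = hashlib.sha256()
    with open(path, "rb") as fh:
        for block in iter(lambda: fh.read(chunk_size), b""):
            h.update(block)
    return h.hexdigest()


def sweep(root, iocs=BLACKROCK_SHA256, suffixes=(".apk",)):
    """Return [(path, sha256)] for files under root whose hash is in iocs.
    Pass suffixes=None to hash everything: droppers rename payloads freely,
    so an extension filter is a speed trade-off, not a safety guarantee."""
    wanted = {h.lower() for h in iocs}
    hits = []
    for path in Path(root).rglob("*"):
        if not path.is_file():
            continue
        if suffixes and path.suffix.lower() not in suffixes:
            continue
        try:
            digest = sha256_of(path)
        except OSError:  # unreadable file: skip it, do not abort the whole sweep
            continue
        if digest in wanted:
            hits.append((path, digest))
    return hits


def demo_sweep():
    """Exercise the sweep on a constructed tree: a 'sample' whose hash is added
    to the IOC set, a benign file, and a renamed copy of the sample that only
    an extension-agnostic sweep catches. Returns (apk-only hits, all-file hits)."""
    with tempfile.TemporaryDirectory() as tmp:
        sample = Path(tmp, "downloads", "update.apk")
        sample.parent.mkdir()
        sample.write_bytes(b"constructed sample, not real malware")
        Path(tmp, "notes.txt").write_bytes(b"benign")
        renamed = Path(tmp, "cache", "blob.bin")
        renamed.parent.mkdir()
        renamed.write_bytes(sample.read_bytes())
        iocs = BLACKROCK_SHA256 | {sha256_of(sample)}
        apk_only = sweep(tmp, iocs)
        everything = sweep(tmp, iocs, suffixes=None)
        return len(apk_only), len(everything)


if __name__ == "__main__":
    print("demo (apk-only hits, all-file hits):", demo_sweep())
```

Hash matching only finds the exact five builds listed; a repacked or re-signed APK produces a different SHA-256, so treat a clean sweep as "these specific samples are absent", not as proof the device is free of BlackRock.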