Level 42
Content Creator
Malware Hunter
The Gustuff banking trojan is back with new features, months after initially appearing targeting financial institutions in Australia. Cisco Talos first reported on Gustuff in April. Soon after, the actors behind Gustuff started by changing the distribution hosts and later disabled its command and control (C2) infrastructure. The actor retained control of their malware since there is a secondary admin channel based on SMS.

The latest version of Gustuff no longer contains hardcoded package names, which dramatically lowers the static footprint when compared to previous versions. On the capability side, the addition of a "poor man scripting engine" based on JavaScript provides the operator with the ability to execute scripts while using its own internal commands backed by the power of JavaScript language. This is something that is very innovative in the Android malware space.
After Talos' initial report, the Gustuff operators changed their deployment redirections. When those were blacklisted, the actors eventually disabled the C2, but they never totally stopped operations. Several samples were still around, but the hardcoded C2 was not available. A new campaign was detected around June 2019, there were no significant changes the malware. The campaign was using Instagram, rather than Facebook, to lure users into downloading and installing malware.