Malware Threat details:

Name: S.O.V.A. Ransomware – A new Android Banking Trojan.

Description: This new banking malware can steal credentials through overlay attacks, keylogging, hiding notifications, and manipulating the clipboard to swap in attacker-controlled cryptocurrency wallet addresses. Its authors have announced plans to add on-device fraud through VNC, DDoS attacks, ransomware deployment, and interception of 2FA authentication codes.

SOVA's main objective is to gather its victims' personally identifiable information. The Trojan tries to remain undetected by abusing the overlay mechanism to trick victims into revealing their credentials and other sensitive data. This is a common banking-Trojan technique: the malware draws a window identical to the banking app's login page on top of the real app, and that window is in fact controlled by the attacker.

Reference URLs:

  • https://oltnews.com/sova-new-android-banking-trojan-emerges-with-increasing-capabilities-the-hacker-news
  • https://www.threatfabric.com/blogs/sova-new-trojan-with-fowl-intentions.html
  • https://heimdalsecurity.com/blog/new-android-banking-trojan-dubbed-sova-emerges/

ATT&CK TECHNIQUES

  • T1115 – Clipboard Data
  • T1498 – Network Denial of Service
  • T1496 – Resource Hijacking
  • T1102 – Web Service
  • T1055 – Process Injection
  • T1056 – Input Capture
  • T1539 – Steal Web Session Cookie

IOCs – FILE HASHES TO BLOCK (SHA-256):

  • efb92fb17348eb10ba3a93ab004422c30bcf8ae72f302872e9ef3263c47133a7
  • dd8a5a1a8632d661f152f435b7afba825e474ec0d03d1c5ef8669fdc2b484165
  • 8a6889610a18296e812fabd0a4ceb8b75caadc5cec1b39e8173c3e0093fd3a57

YARA RULES

The following YARA rule was authored to catch Android banking Trojan variants. Note that its condition requires an MZ header, a PE section layout and PE characteristics flags (it imports the pe module), so as written it can only match Windows PE executables; an Android APK is a ZIP archive and will never satisfy these conditions, so the rule should be deployed against dropped or companion PE artifacts rather than the APK itself.

import "pe"

rule Android_Bank_trojan {
    meta:
        description = "Detects Android banking Trojan variants; adjusted several times"
        author = "unixfreaxjp"
        org = "MalwareMustDie"
        date = "2018-01-14"
    strings:
        $header = { 4D 5A }   // "MZ" DOS header
        $magic1 = { E8 ?? ?? ?? ?? E9 ?? ?? ?? ?? 6A ?? 68 ?? ?? }
        $st01 = "CCmdTarget" fullword nocase wide ascii
        $st02 = "CUserException" fullword nocase wide ascii
        $st03 = "FileType" fullword nocase wide ascii
        $st04 = "FlsGetValue" fullword nocase wide ascii
        $st05 = "AVCShellWrapper@@" fullword nocase wide ascii
        $st06 = "AVCCmdTarget@@" fullword nocase wide ascii
        $st07 = "AUCThreadData@@" fullword nocase wide ascii
        $st08 = "AVCUserException@@" fullword nocase wide ascii
    condition:
        $header at 0 and all of ($magic*) and 6 of ($st0*)
        and pe.sections[0].name contains ".text"
        and pe.sections[1].name contains ".rdata"
        and pe.sections[2].name contains ".data"
        and pe.sections[3].name contains ".rsrc"
        and pe.characteristics & pe.EXECUTABLE_IMAGE
        and pe.characteristics & pe.RELOCS_STRIPPED
}
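The following triage helper is an added example written for this advisory; it is not code from the advisory, from MalwareMustDie or from the referenced vendors. It checks a file blob against the SHA-256 blocklist in the IOC section and re-implements every clause of the YARA rule's condition (MZ header at offset 0, the $magic1 wildcard pattern, 6 of the 8 strings, section order and the two PE characteristics bits) in plain Python, so the rule's logic can be read and exercised without yara-python. The minimal PE image and the ZIP-style blob at the bottom are constructed here for demonstration; neither is a real sample, and the section layout builder is a simplification (no optional header, empty sections).

```python
"""Offline IOC and YARA-logic triage helper (added example, not advisory code)."""
import hashlib
import re
import struct

# SHA-256 IOCs copied from the advisory's hash blocklist.
BLOCKLIST = {
    "efb92fb17348eb10ba3a93ab004422c30bcf8ae72f302872e9ef3263c47133a7",
    "dd8a5a1a8632d661f152f435b7afba825e474ec0d03d1c5ef8669fdc2b484165",
    "8a6889610a18296e812fabd0a4ceb8b75caadc5cec1b39e8173c3e0093fd3a57",
}
# The rule's $st01..$st08 strings ("nocase", "ascii" and "wide" forms).
RULE_STRINGS = [b"CCmdTarget", b"CUserException", b"FileType", b"FlsGetValue",
                b"AVCShellWrapper@@", b"AVCCmdTarget@@", b"AUCThreadData@@",
                b"AVCUserException@@"]
# $magic1 = { E8 ?? ?? ?? ?? E9 ?? ?? ?? ?? 6A ?? 68 ?? ?? } as a byte regex.
MAGIC1 = re.compile(rb"\xE8.{4}\xE9.{4}\x6A.\x68.{2}", re.DOTALL)
# PE FileHeader.Characteristics bits the rule tests via the pe module.
RELOCS_STRIPPED = 0x0001
EXECUTABLE_IMAGE = 0x0002


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def hash_is_blocked(data: bytes, blocklist=BLOCKLIST) -> bool:
    """True when the blob's SHA-256 is on the IOC blocklist."""
    return sha256_hex(data) in blocklist


def pe_sections(data: bytes):
    """Return (characteristics, [section names]) or None if not a PE image."""
    if len(data) < 0x40 or data[:2] != b"MZ":          # $header at 0
        return None
    pe_off = struct.unpack_from("<I", data, 0x3C)[0]  # e_lfanew
    if data[pe_off:pe_off + 4] != b"PE\0\0":
        return None
    num_sections, = struct.unpack_from("<H", data, pe_off + 6)
    opt_size, = struct.unpack_from("<H", data, pe_off + 20)
    characteristics, = struct.unpack_from("<H", data, pe_off + 22)
    table = pe_off + 24 + opt_size                    # section table start
    names = []
    for i in range(num_sections):
        raw = data[table + 40 * i:table + 40 * i + 8]  # 8-byte section name
        names.append(raw.rstrip(b"\0").decode("ascii", "replace"))
    return characteristics, names


def string_hits(data: bytes) -> int:
    """Count rule strings found as full-word ASCII or as UTF-16LE (wide)."""
    hits = 0
    for s in RULE_STRINGS:
        ascii_re = re.compile(rb"(?<![A-Za-z0-9])" + re.escape(s) +
                              rb"(?![A-Za-z0-9])", re.IGNORECASE)
        wide = s.decode("ascii").encode("utf-16-le")
        # Wide form: plain case-insensitive substring test; YARA's fullword
        # boundary rule for wide strings is not reproduced here.
        if ascii_re.search(data) or wide.lower() in data.lower():
            hits += 1
    return hits


def rule_matches(data: bytes) -> bool:
    """Evaluate the YARA rule's condition block on a byte blob."""
    parsed = pe_sections(data)
    if parsed is None or len(parsed[1]) < 4:   # pe.sections[3] undefined
        return False
    chars, names = parsed
    return (MAGIC1.search(data) is not None
            and string_hits(data) >= 6
            and ".text" in names[0] and ".rdata" in names[1]
            and ".data" in names[2] and ".rsrc" in names[3]
            and bool(chars & EXECUTABLE_IMAGE)
            and bool(chars & RELOCS_STRIPPED))


def build_sample_pe(section_names, characteristics, body: bytes) -> bytes:
    """Construct a minimal PE image (constructed test data, not a real sample)."""
    dos = b"MZ" + b"\0" * (0x3C - 2) + struct.pack("<I", 0x40)  # e_lfanew
    coff = b"PE\0\0" + struct.pack("<HHIIIHH", 0x14C, len(section_names),
                                   0, 0, 0, 0, characteristics)
    table = b"".join(n.encode().ljust(8, b"\0") + b"\0" * 32
                     for n in section_names)
    return dos + coff + table + body


# Constructed body: one $magic1 hit plus six of the eight rule strings.
SAMPLE_BODY = (b"\xE8\x01\x02\x03\x04\xE9\x05\x06\x07\x08\x6A\x00\x68\x09\x0A "
               b"CCmdTarget CUserException FileType FlsGetValue "
               b"AVCShellWrapper@@ AVCCmdTarget@@ ")
SAMPLE_PE = build_sample_pe([".text", ".rdata", ".data", ".rsrc"],
                            EXECUTABLE_IMAGE | RELOCS_STRIPPED, SAMPLE_BODY)
# Same body behind a ZIP local-file signature (APK-like): the rule cannot fire.
SAMPLE_APK_LIKE = b"PK\x03\x04" + SAMPLE_BODY

if __name__ == "__main__":
    for label, blob in (("pe", SAMPLE_PE), ("apk-like", SAMPLE_APK_LIKE)):
        print(label, "hash blocked:", hash_is_blocked(blob),
              "rule logic match:", rule_matches(blob))
```

Running the script prints a hash verdict and a rule verdict for both constructed blobs: the PE image satisfies every clause of the rule, while the ZIP-style blob carries the same strings and opcode pattern yet never matches, which is the point to keep in mind when this rule is deployed against Android packages. The hash check is deliberately separate from the structural check so that a blocklist update (new SHA-256 values from a later advisory) needs no change to the rule logic.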