Security Researchers Publish Gigabud Banking Malware Analysis
Cybersecurity researchers have published a new analysis of the elusive Gigabud banking malware.
Originating as an Android Remote Access Trojan (RAT), Gigabud was first observed in September 2022, causing ripples of concern across financial institutions in the Asia-Pacific region.
Group-IB's experts began deciphering the malware's distinctive modus operandi shortly after a Thailand-based financial organization, one of the company's customers, asked them to investigate.
According to an advisory published by the Group-IB Malware Analysis team earlier today, Gigabud does not execute its malicious actions immediately, as conventional malware does, but waits for user authorization, which makes it substantially harder to detect.
“Instead of using HTML overlay attacks, Gigabud RAT gathers sensitive information primarily through screen recording,” reads the report.
“With screen capturing, Gigabud is a powerful remote device access tool allowing the threat actor to access the victim’s account. It allows the threat actor to perform gestures on the user’s device. This leads to the possibility of evading defense, authentication (including two-factor authentication), and creating automated payments from the victim’s device.”
Further investigation revealed a two-pronged threat within the Gigabud family. Gigabud RAT, targeting several businesses and institutions across nations, aims to mimic trusted entities. Meanwhile, Gigabud Loan poses as fictional financial institutions, tricking users into revealing sensitive information under the guise of loan applications.
Notably, Gigabud Loan has been posing as apps of fictitious financial institutions purportedly based in Thailand, Indonesia and Peru since at least July 2022.
Further, the Gigabud versions that Group-IB security experts have previously detailed combine traits of both the RAT and Loan variants.
“Both Gigabud RAT and Gigabud Loan have the same architecture and share the same certificate, which is why Group-IB researchers attribute them to the same Gigabud family,” reads the advisory.
“From 2022 to 2023, Group-IB detected more than 400 Gigabud RAT samples and more than 20 Gigabud Loan samples based on VirusTotal hunting rules.”
The malware tools are distributed through phishing websites across Thailand, Indonesia, Vietnam, the Philippines and Peru. Perpetrators employ smishing tactics, using instant messengers, SMS or social networks to deliver links to victims, coercing them to access phishing websites under the pretext of undergoing a tax audit and claiming a tax refund.
To counter Gigabud malware, Group-IB suggested that financial firms monitor sessions, educate clients and deploy digital protection tools. Users should avoid suspicious links, be cautious about app downloads and use VPNs on public Wi-Fi, among other things. A complete list of recommendations is available in the Group-IB advisory.