Full Report
Cybersecurity researchers have discovered an updated version of an Android malware called TgToxic (aka ToxicPanda), indicating that the threat actors behind it are continuously making changes in response to public reporting. "The modifications seen in the TgToxic payloads reflect the actors' ongoing surveillance of open source intelligence and demonstrate their commitment to enhancing the
Analysis Summary
# Tool/Technique: TgToxic (ToxicPanda) Banking Trojan Variant
## Overview
TgToxic, also known as ToxicPanda, is an evolving Android banking trojan first documented in early 2023. The latest variants show continuous modifications aimed at evading security analysis, including advanced anti-analysis techniques and updated Command and Control (C2) infrastructure mechanisms.
## Technical Details
- Type: Malware family (Banking Trojan)
- Platform: Android
- Capabilities: Stealing credentials and funds from crypto wallets, banking applications, and finance apps. Enhanced emulator detection. Evasive C2 communication.
- First Seen: July 2022 (Detected in the wild)
## MITRE ATT&CK Mapping
This summary focuses on the observed anti-analysis and C2 evasion techniques mentioned:
- **TA0005 - Defense Evasion**
  - T1497 - Virtualization/Emulation Bypass
    - T1497.001 - Virtual Machine Detection
- **TA0011 - Command and Control**
  - T1573 - Encrypted Channel (Implied by use of encrypted strings pointing to C2)
  - T1568 - Dynamic Resolution
    - T1568.002 - Domain Generation Algorithms
## Functionality
### Core Capabilities
- Stealing sensitive data and funds from banking and finance applications on Android devices.
- Targeting users primarily in Taiwan, Thailand, Indonesia, and later expanding to Italy, Portugal, Hong Kong, Spain, and Peru.
### Advanced Features
- **Improved Emulator Detection:** Conducts thorough evaluation of hardware and system properties (brand, model, manufacturer, fingerprint) to identify discrepancies indicative of emulated systems.
- **C2 Infrastructure Evasion (Dead Drop Resolver):** Shifts from hard-coded C2 domains to retrieving C2 information from legitimate external forums (e.g., Atlassian community developer forum). The malware selects a public forum URL that contains an encrypted string pointing to the actual C2 server. This allows threat actors to update the C2 server location simply by modifying a user profile without releasing a new malware binary.
- **Domain Generation Algorithm (DGA):** Subsequent iterations utilize DGAs to dynamically generate new domain names for C2 communication, increasing resilience against blacklisting efforts.
## Indicators of Compromise
*Note: Specific IOCs (hashes, IPs, exact domains) were not provided in the article, but behaviors are noted.*
- File Hashes: [Not specified in article]
- File Names: Distributed via dropper APK files.
- Registry Keys: [Not specified in article]
- Network Indicators:
  - Dead Drop Resolver URLs: Community forum profiles (e.g., Atlassian community) used to hide the true C2.
  - C2 Servers: Dynamically generated via DGA in the newest variants.
- Behavioral Indicators: Device property examination for virtualization signatures; connection attempts to community forum URLs followed by connection to resulting C2 via encrypted channel.
## Associated Threat Actors
- Assessed to be the work of a **Chinese-speaking threat actor**.
## Detection Methods
- Signature-based detection: Targeting known TgToxic APK hashes.
- Behavioral detection: Monitoring apps that query system hardware properties (brand, model, manufacturer, fingerprint) to an abnormal extent, or that attempt to contact known dead-drop resolver platforms in order to resolve their C2.
- YARA rules: [Not specified in article]
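Added example (not code from the article or from the malware): a small Python detector, run over constructed proxy log lines, for the behavioral indicator and detection method described above, namely a fetch of a user profile on a known dead-drop forum followed within a short window by a connection to a host outside the allow-list, with the leftmost DNS label scored by Shannon entropy as a rough DGA hint. The forum host, allow-list, log format and window are placeholder assumptions.

```python
import math
from urllib.parse import urlsplit

# Constructed sample proxy log lines: "<client> <unix_time> <url>". Not from the article.
SAMPLE_LOGS = [
    "10.0.0.5 1700000000 https://community.forum.example/users/123456/profile",
    "10.0.0.5 1700000030 https://xk3q9vlz7wpt.example/api/c",
    "10.0.0.7 1700000100 https://community.forum.example/users/98765/profile",
    "10.0.0.7 1700000900 https://www.example-news.org/today",
    "10.0.0.9 1700001000 https://www.example-news.org/today",
]

# Placeholder values an analyst fills in from their own environment (assumptions).
DEAD_DROP_HOSTS = {"community.forum.example"}   # public forums abused as C2 resolvers
KNOWN_GOOD_HOSTS = {"www.example-news.org"}     # organisation's allow-list
WINDOW_SECONDS = 300                            # max gap: forum fetch -> unknown host

def shannon_entropy(label: str) -> float:
    """Bits of entropy per character; high values on a short label hint at DGA output."""
    if not label:
        return 0.0
    n = len(label)
    return -sum(label.count(c) / n * math.log2(label.count(c) / n) for c in set(label))

def parse_line(line: str):
    """Split one log line into (client, timestamp, url, hostname)."""
    client, ts, url = line.split(maxsplit=2)
    return client, int(ts), url, urlsplit(url).hostname or ""

def detect_dead_drop_sequence(lines, window=WINDOW_SECONDS):
    """Flag a client that fetches a dead-drop forum page and soon after contacts an unknown host."""
    events = sorted((parse_line(l) for l in lines), key=lambda e: (e[0], e[1]))
    alerts = []
    last_resolver = {}  # client -> (timestamp, resolver_url) of its most recent forum fetch
    for client, ts, url, host in events:
        if host in DEAD_DROP_HOSTS:
            last_resolver[client] = (ts, url)
            continue
        if client in last_resolver and host not in KNOWN_GOOD_HOSTS:
            r_ts, r_url = last_resolver[client]
            if 0 <= ts - r_ts <= window:
                alerts.append({"client": client, "resolver_url": r_url, "c2_host": host,
                               "label_entropy": round(shannon_entropy(host.split(".")[0]), 3)})
    return alerts

if __name__ == "__main__":
    for alert in detect_dead_drop_sequence(SAMPLE_LOGS):
        print(alert)
```

The entropy score is only a triage hint; a fetch of a forum profile followed by a connection to a never-before-seen host is the stronger signal, so review both fields together.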
## Mitigation Strategies
- Prevention measures: User education regarding dangerous SMS messages or phishing websites that distribute malware APKs.
- Hardening recommendations: Utilizing robust mobile endpoint security solutions that can analyze an app's emulator-detection behavior. Implementing strong application allow-listing policies where possible.
## Related Tools/Techniques
- TgToxic (Previous versions documented in Feb 2023).
- ToxicPanda (Variant name).
- Related malware using dead-drop resolver techniques (e.g., Drokbk, mentioned in the article in the context of dead drops).