A group of researchers recently discovered a new Android banking Trojan they called “Revive” since threat actors designed it to restart if it stops working. Once a device is infected, hackers can intercept messages, including online banking one-time passwords (OTPs). Revive also enables attackers to steal login credentials since it can read and store everything the user types on the infected device.

Although new, Revive uses age-old phishing tactics, including look-alike domains and web pages. We looked into the indicators of compromise (IoCs) mentioned in the report and expanded these to uncover more artifacts that could potentially be used to deliver the malware. Our findings include:

• 3,300+ cyber resources that use the text strings “bbva,” “2fa + app,” “2fa + secure,” and “app + secure”
• Only 18% of these properties actively resolved to IP addresses
• About 7% of the cyber resources have been flagged as malicious, most of which contained the string “bbva”
• While most of the resolving properties were parked or hosted 404 pages, 6% led to login pages

A sample of the additional artifacts obtained from our analysis is available for download from our website.

What We Know about the IoCs

Two phishing domains were used to deliver the malware when it was detected on 15 June 2022. These were bbva[.]european2fa[.]com and bbva[.]appsecureguide[.]com, both imitating the Spanish financial services company, Banco Bilbao Vizcaya Argentaria, S.A. (BBVA) whose official domain is bbva[.]com.

WHOIS Lookup revealed that both IoCs were newly registered domains (NRDs), having been so only on 8 and 15 June 2022, respectively. The domain bbva[.]european2fa[.]com is managed by OwnRegistrar, while the other by NameSilo. The two IoCs had privacy-protected WHOIS records.

Thousands of BBVA and 2FA Digital Properties Added Since June 2022

Using Domains & Subdomains Discovery, we looked for other properties containing some of the text strings used in the IoCs. We found 3,320 cyber resources. The chart below shows how these were distributed across the different search strings.

Aside from these text strings, other words that repeatedly appeared in the artifacts included “services,” “mail,” “login,” and “online.” Dozens of properties also seemed to imitate Chase. These and other strings can be seen in the word cloud below.

Based on the Bulk IP Lookup results, only 18% of the more than 3,000 artifacts actively resolved to 487 unique IP addresses.

On the other hand, half of the domains in the sample fell under the .com top-level domain (TLD). It was followed by .ml (11%) and .arab and .app (5% each). The chart below shows the TLD distribution of the domains connected to the Revive IoCs based on text strings.

What Types of Content Do the Artifacts Host?

Screenshot analyses of the resolving properties proved interesting. About 6% showed login pages, some of which were pretty suspicious. Examples include properties imitating Argos Card and a company named “Greenlife.” The researchers’ browser security blocked access to both pages.

Other properties were either parked or resolved to 404 and index pages. However, one domain—bbvaallianzsegurospt[.]soportedigital[.]es—stood out since it hosted a look-alike of the BBVA homepage and was blocked by the researchers’ antimalware.

Malicious Artifacts Uncovered

Hundreds of artifacts have already been reported as malicious by various malware engines. Specifically, 7% of the properties were malicious. We broke down the number of times the text strings in the Revive IoCs appeared in the malicious artifacts. We found that “bbva” recurred most, followed by “secure” and “app.” The distribution is reflected in the chart below.

Revive and other banking Trojans can lead to the loss of people’s hard-earned money. Along with implementing two-factor authentication (2FA), monitoring and blocking access to potential malware carriers can help protect individuals and companies.

If you wish to perform a similar investigation or get access to the full data behind this research, please don’t hesitate to contact us.