Targeting governments the world over in cyber attacks is not a novel concept. Doing that using mobile apps, however, is quite new as a tactic. And that’s what Cyble researchers reported as Gigabud RAT’s modus operandi—trailing its sights on citizens of Thailand, the Philippines, and Peru who use government-owned institutions’ mobile apps.

The Cyble analysis identified 10 indicators of compromise (IoCs) for this threat—six malware hashes and four URLs. We stripped down the URLs to three domains and one IP address in hopes of identifying more artifacts that could assuage potential targets’ fears should the threat actors trail their sights on them. Our IoC list expansion exercise led to the discovery of:

A sample of the additional artifacts obtained from our analysis is available for download from our website.

Uncovering Facts about Gigabud RAT Infrastructure

WHOIS lookups for the domains identified as IoCs revealed interesting similarities, including that they all pointed to the U.S. as their registrant country and were newly registered—between November and December 2022. Interestingly, though, while the IoC cmnb9[.]cc was registered in the U.S., its IP host 18[.]143[.]123[.]20 was geolocated in Singapore.

DNS lookups for the domains tagged as IoCs gave us three additional IP addresses—18[.]143[.]123[.]20, 104[.]21[.]41[.]159, and 172[.]67[.]148[.]55.

Using these IP addresses as reverse IP/DNS lookup search terms allowed us to uncover 301 more possibly connected domains, as they shared the IoCs’ IP hosts. A bulk malware check for the artifacts showed that seven were malicious. Two of these dangerous properties should be avoided most since screenshot lookups revealed that they’re live—bestvpnshop[.]com (looks to be a shop selling virtual private network [VPN] services) and brandmybooks[.]com (seems like an online betting site).

To further our search for more Gigabud RAT digital breadcrumbs, we used the unique strings found among the IoCs as Domains & Subdomains Discovery search terms (see the table below).

Our search led to the discovery of 367 domains, eight of which were confirmed to be malware hosts. Including these in blocklists is advisable.

The Gigabud RAT analysis also mentioned eight organization targets—Banco de Comercio, Advice, Thai Lion Air, Shopee, SUNAT, DSI, BIR, and Kasikornbank. Using their names as Domains & Subdomains Discovery search terms (see the table below for the exact strings used) enabled us to find 519 additional domains, 11 of which were dubbed malware hosts. Note that we limited our search to those that began with the single strings and string combinations that started with the first term and contained the second one.

WHOIS record comparisons between the legitimate and potential typosquatting domains showed that only five of the 519 artifacts or less than 1% were owned by the organizations whose names appeared in them. Note, though, that we weren’t able to confirm the legitimacy of the Thai Lion Air, BIR, and Kasikornbank domains because their WHOIS records were redacted.

Screenshot lookups for all the connected domains via IP host, string, and brand name showed that 217 continued to be accessible and host live content. Error, index, and blank pages, along with those whose domains are currently up for sale and under construction or repair, were excluded. Some looked to be game download, adult content, tutorial service provider, shopping, and business sites. Given their ties to the IoCs, they may at least be worth monitoring for signs of suspicious activity or compromise.

At least three websites may warrant inclusion in blocklists since they host a video that would only play if users download a codec—a tried-and-tested cybercriminal tactic to spread malware.

Sites that seem to be mimicking the target institutions, such as bancomercio[.]credit below should be blocked as well.

Our expansion of four Gigabud RAT IoCs—three domains and one IP address—uncovered 1,190 yet-unpublished artifacts that could be connected to the threat, including 26 that turned out to be confirmed malware hosts. Organizations and individuals alike, particularly the clients of the target institutions, should be wary of clicking the look-alike domains as well as the possibly connected web properties. All of them could be sources of Gigabud RAT that steals banking credentials and records their screen content.

If you wish to perform a similar investigation or get access to the full data behind this research, please don’t hesitate to contact us.