IBM security staff confounded to be contacted by brazen malware author for improved Trojan description

IBM security staff were confounded when an alleged malware developer contacted the firm, asking it to correct and update the details of his Trojan, which the firm had previously exposed in a company blog post. The supposed author of the malware, dubbed Bilal Bot, even offered to give the security vendor an interview to help it correct and update its information about the malware.

IBM first reported on Bilal Bot in April, identifying the malware as an Android banking Trojan that was being traded on dark web forums. IBM's report on Bilal Bot, which was then in a beta version, highlighted that the malware was a "low cost" alternative to GM Bot, another potent mobile banking Trojan. Bilal Bot made its entry into the underground cyber-market after the developers of the banking Trojans GM Bot and KNL Bot were banned from several underground forums.

"Why would a developer of crimeware be contacting one of the largest security vendors in the world? You can imagine my surprise when I learned he (or she) was actually seeking my help to better highlight the malware in our security blog," said IBM security expert Limor Kessem, who was contacted by Bilal Bot's supposed author.

The alleged cybercriminal's email expressed dissatisfaction at how his malware was described and at the omission of the "underground drama" of his competitors' ban. "For what it's worth, we chose not to report that because both these Trojan developers can easily return to the forum after making amends with the buyers and forum admin. Furthermore, they can sell the malware on other boards and very likely still distribute it to buyers referred to them by their dubious customers, even if not openly over forum pages," Kessem explained.

The malware developer was also critical of IBM not having updated information on Bilal Bot. Kessem said: "The alleged author wanted to inform us that Bilal Bot has now moved up from the beta version, resulting in increased features and pricing. He was not happy that we referred to it as low cost; to him, that constitutes 'false information' about his product. Amazingly, he did not hesitate to contact an IBM Security employee to have that fixed!"

Bilal Bot updated?

IBM further analysed Bilal Bot and the contents of the email to ascertain whether the claims made by the sender were legitimate. The firm confirmed that there indeed is an updated version of Bilal Bot, which now comes with additional features like call forwarding, access to existing SMS messages, interception of incoming SMS messages, covert hijacking and exfiltration of SMS messages, overlay screen integration and more.

Additionally, IBM highlighted that the developers of the malware plan to implement Tor connectivity and an SMS spammer, which would be capable of flooding a specific number.

Kessem noted: "Like other mobile malware, this Trojan's Android application package (APK) can be bound with other, more legitimate-looking apps, Trojanized games, etc. Bilal Bot samples are detected in the wild as overlay malware, based on their malicious mechanism and M.O."

It is still unclear whether the person who actually contacted IBM is indeed Bilal Bot's developer. According to the firm, the email sender was aware of the updates to Bilal Bot several weeks before a post about it circulated in dark web forums, which indicates that he or she may indeed be the real developer. However, there were a few issues that "did not jive".

For instance, the email was sent from a mail.ru address, "possibly suggesting that the malware author, or a person claiming to be the dubious developer, is Russian", despite the fact that the malware's vendor has been selling it in English. Moreover, the official email address that Bilal Bot's underground vendor listed in the sales post was not on the mail.ru domain. This is compounded by the fact that the malware's vendor also "took pains to indicate his one true email address to potential buyers in the sales post, declaring that any other email address claiming to be him is an impostor".

Kessem said: "We cannot be certain that the email I received was indeed from the original malware author. That said, whoever sent it did seem to have a strong motivation to update the information about the malware on our blog."

Unprecedented PR move?

Reports speculate that the brazen and befuddling decision to reach out to a security firm to have it better describe a malicious product looks almost like a PR move.

Kessem said: "If I had to guess, I would say what bothered Bilal Bot's vendor the most is that my original blog post called his malware a 'low-cost option' compared to GM Bot. It is very possible that the price has gone up since the malware moved forward from the beta version, and the developer does not want potential buyers to demand the lower price they may have read about somewhere else."