Fobber
(Type: Banking trojan, Backdoor, Credential stealer)

(GovCERT.ch) In the original sample, there was no sign of Man-in-the-Browser (MitB) aiming to steal banking credentials but, since the malware has the capability to update itself, this possibility can be later added by the attackers. In our analysis, apart from the update feature, we only found the form-grabbing / cookie-stealing malicious feature.

[News Analysis] Trends:

Total Trend: 5

Trend Per Year:
2015: 5

Trend Per Month:
Jun 2015: 1
Aug 2015: 2
Sep 2015: 2


[News Analysis] News Mention Another Threat Name:

0 - Fobber


[TTP Analysis] Technique Performance:



[TTP Analysis] Mitre Attack Matrix:

TA0043 Reconnaissance
TA0042 Resource Development
TA0001 Initial Access
TA0002 Execution
TA0003 Persistence
TA0004 Privilege Escalation
TA0005 Defense Evasion
TA0006 Credential Access
TA0007 Discovery
TA0008 Lateral Movement
TA0009 Collection
TA0011 Command and Control
TA0010 Exfiltration
TA0040 Impact


[Infrastructure Analysis] Based on Related IOC:

IP:Port Timestamp
Domain Timestamp
URL Timestamp


[Target Analysis] Region/Sector:

No information


References:

News Article (Credit @Malpedia)

Analysing a new eBanking Trojan called Fobber

2015-09-11 by GovCERT.ch from GovCERT.ch

Fobber Analysis

2015-09-11 by GovCERT.ch from GovCERT.ch

Knowledge Fragment: Unwrapping Fobber

2015-08-18 by Daniel Plohmann from ByteAtlas

Fobber Code Decryption

2015-08-10 by Sergio Paganoni from Coding Stuffs

Elusive HanJuan EK Drops New Tinba Version (updated)

2015-06-24 by Jérôme Segura from Malwarebytes

Basic Information (Credit @etda.or.th)

Tool: Fobber

Names: Fobber

Description: (GovCERT.ch) In the original sample, there was no sign of Man-in-the-Browser (MitB) aiming to steal banking credentials but, since the malware has the capability to update itself, this possibility can be later added by the attackers. In our analysis, apart from the update feature, we only found the form-grabbing / cookie-stealing malicious feature.

Category: Malware

Type: Banking trojan, Backdoor, Credential stealer

Information: https://www.govcert.admin.ch/downloads/whitepapers/govcertch_fobber_analysis.pdf

Information: https://www.govcert.ch/blog/analysing-a-new-ebanking-trojan-called-fobber/

Information: https://blog.malwarebytes.com/threat-analysis/2015/06/elusive-hanjuan-ek-caught-in-new-malvertising-campaign/

Information: http://blog.wizche.ch/fobber/malware/analysis/2015/08/10/fobber-encryption.html

Information: http://byte-atlas.blogspot.ch/2015/08/knowledge-fragment-unwrapping-fobber.html

Information: https://searchfinancialsecurity.techtarget.com/news/4500249201/Fobber-Drive-by-financial-malware-returns-with-new-tricks

Malpedia: https://malpedia.caad.fkie.fraunhofer.de/details/win.fobber

Alienvault-otx: https://otx.alienvault.com/browse/pulses?q=tag:Fobber

Last-card-change: 2020-05-24

Source: https://apt.etda.or.th/cgi-bin/listtools.cgi