Bumblebee and IcedID Trojans Clash with PindOS: Unraveling the Tactics of Android Malware

The classic BumbleBee loader, a malware dropper from underground blackhat hackers, now uses PindOS to compromise systems.

2023-07-03 01:00:52 - admin


According to Fortinet, the Android malware Fluhorse, which appeared in May, was built with the Flutter SDK, which makes it very difficult to analyze. The latest Fluhorse sample reviewed by the experts also uses a packer to hide the malicious payload.

The malicious Bumblebee loader previously relied on PowerShell scripts to extract and run the target DLL. The move to JavaScript marks a significant change in its established techniques and tactics. The IcedID Trojan operated as a banker for a long time but has recently been repurposed and now also serves as a conduit for other malware.

Their new partner, PindOS, after deobfuscation, turned out to be a very primitive loader. Its single exec function takes four parameters:

  1. UserAgent: The User-Agent string sent when downloading the target DLL.
  2. URL1: The main download address.
  3. URL2: The backup address for download.
  4. RunDLL: The exported DLL function to be called.

The downloaded payload is saved in the Windows user templates folder as a .dat file with an arbitrary name (a six-digit number). It is launched using rundll32.exe.
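Because the dropped file is renamed and rehashed on every download, a defender gains more from the behaviour described above than from file hashes. The following is an added example, not code from the article or from any vendor: it scans constructed process-creation records for rundll32.exe loading a six-digit .dat file from the user Templates folder, or being spawned by a script host (the JavaScript stage). It assumes the "user templates folder" is %APPDATA%\Microsoft\Windows\Templates and that the records carry image, cmdline and parent_image fields.

```python
import re
from pathlib import PureWindowsPath

# Constructed sample process-creation records (Sysmon Event ID 1 style); not real telemetry.
SAMPLE_EVENTS = [
    {
        "image": r"C:\Windows\System32\rundll32.exe",
        "cmdline": r'rundll32.exe "C:\Users\alice\AppData\Roaming\Microsoft\Windows\Templates\483921.dat",PluginInit',
        "parent_image": r"C:\Windows\System32\wscript.exe",
    },
    {
        "image": r"C:\Windows\System32\rundll32.exe",
        "cmdline": r"rundll32.exe shell32.dll,Control_RunDLL hotplug.dll",
        "parent_image": r"C:\Windows\explorer.exe",
    },
    {
        "image": r"C:\Windows\System32\notepad.exe",
        "cmdline": r"notepad.exe C:\Users\alice\Documents\notes.txt",
        "parent_image": r"C:\Windows\explorer.exe",
    },
]

# Assumption: the per-user shell "Templates" folder lives under %APPDATA%\Microsoft\Windows.
# The six-digit numeric .dat name is the pattern the article describes.
TEMPLATES_DAT = re.compile(r"\\Microsoft\\Windows\\Templates\\\d{6}\.dat\b", re.IGNORECASE)
# Script interpreters a JavaScript-based loader stage would normally run under (assumption).
SCRIPT_HOSTS = {"wscript.exe", "cscript.exe"}


def classify(event):
    """Return the reasons an event matches the PindOS/Bumblebee pattern; empty list = no match."""
    reasons = []
    if PureWindowsPath(event["image"]).name.lower() != "rundll32.exe":
        return reasons
    if TEMPLATES_DAT.search(event["cmdline"]):
        reasons.append("rundll32 loading a six-digit .dat from the user Templates folder")
    if PureWindowsPath(event["parent_image"]).name.lower() in SCRIPT_HOSTS:
        reasons.append("rundll32 spawned by a script host")
    return reasons


def detect(events):
    """Return (index, reasons) for every event that triggers at least one reason."""
    hits = []
    for i, event in enumerate(events):
        reasons = classify(event)
        if reasons:
            hits.append((i, reasons))
    return hits


if __name__ == "__main__":
    for idx, why in detect(SAMPLE_EVENTS):
        print(f"event {idx}: {'; '.join(why)}")
```

Only the first constructed record matches; the legitimate rundll32 invocation and the unrelated process produce no alert, which is the point of keying on path shape and parent process rather than on a hash that changes per download.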

It is noteworthy that the resulting payload is generated on demand and pseudo-randomly. In other words, a new hash is created each time. Such a trick is usually used to bypass signature-based protections. However, in the case of Bumblebee, this trick does not have the desired effect, according to experts.

