SlemBunk¶
Android banking overlay trojan first documented by FireEye in December 2015. SlemBunk targeted 33 financial applications across North America, Europe, and Asia-Pacific. Rather than shipping the trojan directly, its operators used a multi-stage attack chain in which three separate malicious apps had to be downloaded before the final payload was delivered. FireEye identified 170 samples, with the code becoming progressively more obfuscated across variants.
Overview¶
| Property | Value |
|---|---|
| First Seen | Late 2015 |
| Type | Banking trojan (overlay-based) |
| Attribution | Unknown |
| Aliases | Trojan-Banker.AndroidOS.Slembunk (Kaspersky) |
Distribution¶
Distributed via malicious and adult websites, disguised as Adobe Flash Player and other legitimate apps. Delivery used a multi-stage attack chain in which the app the victim first downloads contains none of the banking functionality:
- The victim downloads the initial app (the fake Flash Player), which is only a dropper
- The dropper fetches a second-stage payload from its server
- The second stage downloads and installs the final SlemBunk banking trojan
The C2 admin interface allowed attackers to customize payload delivery per campaign, so the stage fetched at each step could be swapped without changing the lure.
Capabilities¶
| Capability | Implementation |
|---|---|
| Overlay attacks | Customized phishing overlays for 33 financial apps |
| Process monitoring | Monitored running processes and triggered the matching overlay when a targeted app came to the foreground |
| C2 management | Admin panel for overlay template and payload customization |
| Obfuscation | Progressive code obfuscation across variants |
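The delivery chain and the capability table above both map onto things a triage analyst can look for statically in an APK's manifest before any dynamic analysis: the overlay permission, the pre-Lollipop foreground-task polling permission, SMS interception, device-admin receivers, and a "Flash Player" label on a package that is not Adobe's. The following scorer is an added example written for this page, not code from FireEye or from any SlemBunk sample. The indicator weights, the threshold, and both sample manifests are constructed assumptions chosen to reflect the behaviours described in the text; the input is assumed to be a manifest already decoded to text (for example with apktool), since the manifest inside an APK is binary XML.

```python
"""Static triage of a decoded AndroidManifest.xml for overlay-banker and dropper indicators.

Added example for this page. Weights, threshold and sample manifests are constructed
assumptions, not measured properties of SlemBunk.
"""
import xml.etree.ElementTree as ET

ANDROID_NS = "http://schemas.android.com/apk/res/android"


def _a(attr):
    """Namespaced key ElementTree uses for android:<attr> attributes."""
    return "{%s}%s" % (ANDROID_NS, attr)


# Permission-level indicators: permission -> (weight, why it matters)
PERMISSION_INDICATORS = {
    "android.permission.SYSTEM_ALERT_WINDOW": (3, "can draw overlays on top of other apps"),
    "android.permission.GET_TASKS": (2, "can poll the foreground task (overlay trigger on pre-5.0 Android)"),
    "android.permission.RECEIVE_SMS": (2, "can intercept incoming SMS (one-time codes)"),
    "android.permission.READ_SMS": (1, "can read stored SMS"),
    "android.permission.SEND_SMS": (1, "can send SMS"),
    "android.permission.INSTALL_PACKAGES": (3, "declares package install rights (dropper stage)"),
    "android.permission.REQUEST_INSTALL_PACKAGES": (2, "can prompt to install further APKs (dropper stage)"),
    "android.permission.RECEIVE_BOOT_COMPLETED": (1, "restarts itself after reboot"),
}

# Receiver intent actions that show device-admin abuse or SMS listening
ACTION_INDICATORS = {
    "android.app.action.DEVICE_ADMIN_ENABLED": (2, "requests device admin, which resists uninstall"),
    "android.provider.Telephony.SMS_RECEIVED": (2, "registers a receiver for incoming SMS"),
}

# Brand strings this family's lures impersonated (assumption: matched case-insensitively)
IMPERSONATED_LABELS = ("adobe flash", "flash player")


def triage_manifest(xml_text, threshold=6):
    """Return a dict with package, score, findings and a suspicious flag."""
    root = ET.fromstring(xml_text)
    package = root.get("package", "")
    findings, score = [], 0

    for perm in root.iter("uses-permission"):
        name = perm.get(_a("name"), "")
        if name in PERMISSION_INDICATORS:
            weight, why = PERMISSION_INDICATORS[name]
            score += weight
            findings.append("%s: %s" % (name, why))

    app = root.find("application")
    if app is not None:
        # Walk every <action> under every <receiver>, including nested intent-filters
        for receiver in app.iter("receiver"):
            for action in receiver.iter("action"):
                act = action.get(_a("name"), "")
                if act in ACTION_INDICATORS:
                    weight, why = ACTION_INDICATORS[act]
                    score += weight
                    findings.append("%s: %s" % (act, why))

        # Brand impersonation: label claims Adobe but the package namespace is not Adobe's
        label = (app.get(_a("label")) or "").lower()
        if any(b in label for b in IMPERSONATED_LABELS) and not package.startswith("com.adobe."):
            score += 3
            findings.append("label %r impersonates Adobe but package is %s" % (label, package))

    return {"package": package, "score": score, "findings": findings,
            "suspicious": score >= threshold}


# Constructed sample: a fake "Flash Player" carrying the indicators listed in the text
FAKE_FLASH_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.flashupdate">
  <uses-permission android:name="android.permission.INTERNET"/>
  <uses-permission android:name="android.permission.SYSTEM_ALERT_WINDOW"/>
  <uses-permission android:name="android.permission.GET_TASKS"/>
  <uses-permission android:name="android.permission.RECEIVE_SMS"/>
  <uses-permission android:name="android.permission.RECEIVE_BOOT_COMPLETED"/>
  <application android:label="Adobe Flash Player">
    <service android:name=".WatchService"/>
    <receiver android:name=".AdminReceiver" android:permission="android.permission.BIND_DEVICE_ADMIN">
      <intent-filter><action android:name="android.app.action.DEVICE_ADMIN_ENABLED"/></intent-filter>
    </receiver>
    <receiver android:name=".SmsReceiver">
      <intent-filter><action android:name="android.provider.Telephony.SMS_RECEIVED"/></intent-filter>
    </receiver>
  </application>
</manifest>"""

# Constructed sample: a legitimate overlay user (chat bubbles) that should stay below threshold
BENIGN_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.chatheads">
  <uses-permission android:name="android.permission.INTERNET"/>
  <uses-permission android:name="android.permission.SYSTEM_ALERT_WINDOW"/>
  <application android:label="Bubble Chat"/>
</manifest>"""


if __name__ == "__main__":
    for text in (FAKE_FLASH_MANIFEST, BENIGN_MANIFEST):
        result = triage_manifest(text)
        print(result["package"], result["score"], result["suspicious"])
        for line in result["findings"]:
            print("  -", line)
```

The scoring is deliberately cumulative: SYSTEM_ALERT_WINDOW on its own is legitimate for many apps, which is why the benign sample scores below the threshold, while the combination of overlay, foreground polling, SMS interception, device admin and a brand-mismatched label is what an overlay banker of this era looks like. On devices, the equivalent runtime check is to list which installed packages hold the overlay permission and review any that are not expected to draw over other apps.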
Target Regions¶
SlemBunk targeted banks across North America, Europe, and Asia-Pacific. The multi-stage delivery chain and well-organized C2 infrastructure (multiple domains registered throughout 2015) suggested a professional operation.
Related Families¶
SlemBunk was part of the wave of banking trojans influenced by the GM Bot overlay model. Its multi-stage delivery chain, unusual at the time, foreshadowed the staged dropper delivery that later became standard practice for banking trojan campaigns distributed through Play Store droppers.