Hop on the BaaS (BOT as a Service)

Banking BOTs Go Mobile

IntSights Cyber intelligence analysts identify 2 new Banking Bots (BaaS Bot as a Service) aimed at Android devices offered for sale on the Russian underground.

The SaaS (Software as a Service) business model is loved by cyber tool developers, as it provides them with a wide distribution opportunity for their product along with a secure, predictable and steady income stream. Likewise, cybercriminals love this model as it allows them access to top-of-the-line tools that they would not otherwise be able to afford. In addition, it is a thrifty option which offers flexibility - renting a BOT on a monthly basis is much cheaper than developing one, or buying a Zero Day.

It is not surprising therefore, that underground stores offer many cyber tools as a service, from DDoS to Ransomware. Recently, a cyber intelligence analyst at IntSights discovered two new BOTs which are available to rent on such a store.

The first, an Android BOT named "Alien”, is sold on the Russian black market site. It is offered “as a service” only, including a trial for $700 a week and to rent for $4000 a month. They don’t appear to offer an annual discount, it seems that cypbercriminals still have something to learn from their more legal SaaS vendor contemporaries! Based on the list of features (though not stated by the author), “Alien” appears to be a banking Trojan, due to its web injects which are typically used in malware for banking purposes.


Another BOT sold on the same marketplace is named "Catelites" (perhaps a misspelling of “Satellites”). This BOT appears to be more powerful, and includes the capability to web-inject Google Play, the purpose of which is likely to be privilege escalation, or decoy.

The conclusion that emerges is that “BOT-as-a-service” is becoming more common. While renting Botnets has been common practice for years, the new generation of BOTs are more effective, and are being used with more malicious intent.


The older generation of BOTs were simply networks of infected computers, used to launch distributed DoS attacks or send large amounts of SPAM. Current BOTs are capable of more, such as stealing banking credentials, dialling international numbers and communicating via SMS when a data service or wifi is down.

This could indicate a shift in consumer trends in the Russian market, where banking- BOTs will slowly replace the more popular (and simpler) Ransomware tools of today.
This Post was written by IntSights intelligence team leader, Ido Wulkan.

Stay up to Date!

Subscribe to the blog to stay up to date with all the latest industry news and updates from IntSights.