Zscaler ThreatLabz researchers recently observed the rise of a sophisticated phishing campaign spreading via fake banking sites targeting big Indian banks like HDFC, AXIS, and SBI. The team will continue monitoring the emerging situation and will provide an update on any significant new developments. Previously, ThreatLabz researchers observed Indian banking customers being targeted with fake complaint forms from phishing sites spreading short message service (SMS) mobile text stealer malware. In contrast, this new campaign leverages fake card update sites to spread Android-based phishing malware aimed at collecting banking information for financial fraud.
Campaign 1: Targeting HDFC and Axis banks
ThreatLabz researchers observed domains serving links for fake banking application downloads as shown in Fig.1 and Fig.2 below.
Fig.1 - Imitation application phishing site targeting HDFC bank customers
Fig.2 - Imitation application phishing site targeting Axis bank customers
The two screenshots above show how these phishing scammers impersonate banking sites to gain customers' sensitive information by incentivizing them to fill out fake applications to redeem their earned card points for cash or a voucher. In most cases, these sites are being spread through SMS text messages to victims. Once a user clicks on the contained link, the victim is prompted to install an Android-based phishing malware, designed to steal critical financial data.
Fig.3 - Phishing page for HDFC bank credit card application
Upon opening the app, the user will see the fake page as presented in Fig 3 prompting them to enter sensitive information including card number, expiration date, cardholder name, phone number, DOB, etc., to redeem points for cash or vouchers, shown in the screenshot above. Once the victim submits their sensitive information into the fake form, the malware sends a copy to the command-and-control server (C2) shown in the screenshot below.
Fig.4 - In-App phishing page creation and C2
On the second run or completion of the prompted tasks, a timer screen is displayed to the user, revealed in the code shown in Fig 5 below.
Fig.5 - Final page shown to user as second snap in Fig.3
Upon receiving all the victim’s sensitive form-fill information including card details, the threat actor is now capable of initiating fraudulent financial transactions. All they require to carry out the attack is a one-time password (OTP).
To collect the OTP, victims are further prompted to provide SMS permission access to the malicious app at the time of installation. Once the user provides this access to SMS permissions, the malware is capable of exfiltrating received SMS text messages containing the OTP codes they need. To complete a transaction initiated using the user's card details, the application will intercept the OTP codes and forward them to the C2 server.
Fig.6 - Writing phishing data in shared preferences and MFA extraction
This malware also employs a cloaking technique that prevents it from running a second time. It writes data in the modifiable shared preferences settings using first-time install data written in the “time” object as its reference point to block users from seeing the card phishing page again.
Fig.7 - Cloaking to not load phishing page after running the first time
Campaign 2: targeting SBI bank customers with KYC verification scam
In other campaigns, ThreatLabz researchers observed adversaries sending SMS text messages prompting users to immediately update the ‘Know Your Customer’ (KYC) identity verification banking requirement or conduct another similarly urgent action, to avoid account blocking or lockout. This false sense of urgency created by adversaries is very effective at convincing victims to perform the requested action including downloading apps to perform the task. In the cases observed in this article, all of these requests were fake and the attacks infected users with malicious apps and stole personal banking information.
The screenshot below shows an attack in which the user is prompted to download a malicious app to unlock their account.
Fig.8 - Smishing campaigns
Unlike campaign 1 where applications were seen using in-app fake log in pages, in this campaign SBI bank KYC verification scam, applications rely on command servers to render the phishing pages. ThreatLabz researchers think that this is how the malware authors are able to create new campaigns so quickly, since only a few changes, such as updating C2 destinations, are required to spin up a new campaign.
The application starts by prompting users to log in to a fake SBI bank web page and then update the KYC verification, shown in Fig.9 below.
Fig.9 - Fake Login page redirect hosted on firebase
Users are navigated through a series of web pages hosted on firebase upon entering banking credentials, mobile numbers, etc., shown in Fig.10.
Fig.10 - Login data phishing used to steal banking credentials
The user is prompted to enter an OTP during each fake update step to make the application appear legitimate, as shown in Fig 11 below, this tactic can also be used to steal the OTP and gain access.
Fig.11 - Prompting users for OTP
The user is directed to a page and prompted to provide banking information, shown in Fig 12 below. Along with the bank details, the user is prompted to enter their Permanent Account Number (PAN).
Fig.12 - Application prompts user to provide sensitive banking information
Apart from collecting OTPs through phishing pages, malware developers have also implemented code routines to harvest OTPs from incoming SMS text messages and send them to a secondary C2 as well as a hard-coded phone number, as shown below.
Fig.13 - Code to send incoming SMS data to C2
Fig.14 - Testing of SMS data exfiltration to a static number
Fig.15 - Traffic showing data upload to a remote server
Zscaler sandbox is able to detect malware threat behavior and techniques.
Fig 15. Zscaler sandbox report showing detection of malicious applications
Zscaler advises users to not install any unknown applications sent through SMS text messages, especially if the messages identify with a financial institution or bank, this is a common practice used by threat actors to impose a false sense of urgency on users to act immediately without additional scrutiny.
Indicators of Compromise (IOC)
Campaign 1 IOCs
Domains:
- hxxps[://]updateyourcard[.]in/HDFC_Credit_Card[.]apk
- hxxps[://]cardupdatation[.]in/
- hxxps[://]cardupdate[.]in/
- hxxp[://]pointincash[.]xyz/hdfc_version1.0[.]9[.]1[.]apk
MD5s:
- df0b9265d07ffe523884f98613db8401
- 47eebf0d4ab713d53ec9f3b992777c18
- a57c255e5e69d843a1c402df96ced959
- ce8e95ef802d9943c2ff7abea1aa94da
Campaign 2 IOCs
Domains:
- hxxps[://]sheltered-dawn-11337[.]herokuapp[.]com/SBI-KYC[.]apk
- hxxps[://]sbi-kyc-update-immediately[.]web[.]app/SBI-KYC[.]apk
- hxxps[://]sbi-users-kyc-1[.]web[.]app/SBI-KYC[.]apk
- hxxps[://]sbi-user-kyc-app[.]web[.]app/SBI-KYC[.]apk
- hxxps[://]kyc-update-app[.]web[.]app/SBI-KYC[.]apk
- hxxps[://]sbi-kyc-apps-v-23[.]web[.]app/SBI-KYC[.]apk
- hxxps[://]point-dekho[.]xyz/save_sms[.]php
- hxxps[://]sbi-kyc-app[.]web[.]app/sbi-kyc[.]apk
- hxxps[://]sbi-kyc-points[.]web[.]app/sbi-kyc[.]apk
- hxxps[://]sbi-kyc-points[.]firebaseapp[.]com/sbi-kyc[.]apk
- hxxps[://]sbi-kyc-update-immediately[.]firebaseapp[.]com/sbi-kyc[.]apk
- hxxps[://]applicationkyc[.]pages[.]dev/SBI-KYC[.]apk
- hxxps[://]calm-fjord-69600[.]herokuapp[.]com/SBI-KYC[.]apk
- hxxps[://]calm-garden-42338[.]herokuapp[.]com/SBI-KYC[.]apk
- hxxps[://]please-visitnow-immediately[.]com/SBI-KYC[.]apk
- hxxps[://]publicationofindia[.]top/SBI-KYC[.]apk
MD5s:
- 0076369748034430dd9345fecd0d130a
- f8509e2b72b3ba5916d80888b990b285
- f0b6619e42722673e6599471a048edb1
- 436370a26633fb3a86f2ae2f09bcdb18
- 1aa0baa0c2fa54a89ecbfe71225726c6
- 331a9054e877a7210789315f7bcd2620