Phishing attack at Raiffeisen Bank by MazarBot

Yesterday I discovered phishing campaign targeting clients of Raiffeisen Bank by popular and still active Android banking Trojan - MazarBot. This infiltration targets German speaking users and makes them download fake Raiffeisen Security App.

 

Last time I wrote about MazarBot it was year and a half ago, however it is still spreading using different methods. MazarBot has been distributed via SMS, fake webpages or email spam.

How it works

This campaign of MazarBot is spread probably through email spam, where potential victim ends up with email and link to bogus webpage. In this case, it is exact coppie of Raiffeisen Bank web.

Figure 1. Fake phishing webpage

Figure 2. Legit Raiffeisen web

Once victim fills in login credentials, and basically sends them to the attacker, is redirected to another webpage where he allegedly needs to download and install Raiffeisenbank Security app due to new EU money laundering regulation which is mandatory for all customers with phone number.
On the webpage are also instructions how to download and install the app, even with QR code.

Figure 3. Install instructions for fake Raiffeisen Security App

How is attack performed

Potential victims

For downloading this app is used URL shortener, so we can check link statistics. Fortunately, only 37 clicks (14 desktop clicks + 23 mobile clicks ) were done in two days.

Figure 4. Raiffeisen Security app download link statistics

However, most of the downloads were done from Austria.

Figure 5. Detail of each link access

Functionality

Core functionality of this banking Trojan is to create overlay activity and lure user's credit card details from fake login forms.

Figure 6. Request of MazarBot to activate device administrator

IOC

Phishing URLs
http://banking.raiffeisen.at.updateid0891201.pw
http://banking.raiffeisen.at.updateid0891202.pw
http://banking.raiffeisen.at.updateid0891203.pw
http://banking.raiffeisen.at.updateid0891204.pw
http://banking.raiffeisen.at.updateid0891206.pw
http://banking.raiffeisen.at.updateid0891207.pw
http://banking.raiffeisen.at.updateid0891208.pw
http://banking.raiffeisen.at.updateid0891209.pw

Hashes
624195D0777BAC438C9372A1DB43324B107D78ED
D71A5C032AA08DEE55F8F19A607EF10DCF9FE326

C&C
http://hoploiuc.biz/index.php?action=command

Android Banking Trojan misuses accessibility services

Accessibility services can be used not only by disabled users but by malware as well. Infiltration by misusing accessibility services can read text from display activity, set itself as default messaging app and click on behalf of user.

I decided to put together quick (non) technical blog post with insights from SfyLabs. This particular infiltration was discovered few weeks ago, you can read about it here and here. So why another blog? In this post, I would like to bring more details on this Trojan such as distribution vector, samples, C&C server, functionality, targeted banks, video demonstration etc.

Distribution vector

For now, it is mostly spread using fake web pages impersonating legit software such as Adobe Flash Player, WhatsApp, sKlasse Antivirus or SkyScanner.

Spread via malicious links such as:
hxxp://xxxvideos.place/flash-update/Adobe_Flash_2017.apk
hxxp://mgmtiming.com/internal-app/sklasse-antivirus.apk

For rent or sale

Due to investigation of SenseCy, this banking Trojan is currently for sale on a Russian underground forum. From July 2017 it is offered for rent as well.

Example of infection

Once user gets infected, Trojan will persistently ask user to activate "Google services" until user does. After victim activates this fake accessibility service, Banking Trojan will set itself on user behalf as default messaging app (to bypass 2FA), activates device administrator rights and hides icon from user's view. Infection is demonstrated in following video.

Functionality

Decompiled code is obfuscated for static analysis with lot of junk, probably using automated tool.

Infiltration is capable of :

• send SMS
• intercept received SMS
• keylog
• display phishing dialogs
• block operation of AV software
• open URL
• collect information about contacts, installed apps, call logs

Targets

This Trojan targets more than 50 financial institutions apps from different countries around the world (UK, France, Austria, Germany, Polish, Turkey).

Malware will dynamically obtain encrypted configuration file containing targeted banking apps. SfyLabs team decrypted configuration file and found out targeted apps with phishing links.

For more details, here is config file.
Tool to decrypt the C2 config file via SfyLabs.

Yara Rules 

I decided to create public Yara rules for Koodous project, that could help increase detection and raise awareness of this particular Android banking threat.
For those, who are now aware of Koodous, it is a place for Android security researchers with lot of samples of Android malware for free to download.

You can find my rule set in here: Banker_misusing_accessibility_services

IOC

All of these hashes are on VirusTotal.

b7ef9daafcf1f43397e84ec856a1cd802d5f61e2
5268e82713a0a810e552acb86a6474d186269949
1af5e6ec43f9ca1f4e367fabd55265759751909d
409adb132f18d82d0b450c4985d6149ac700e19b
68a381aab056e1965564673c6e7739d22b552db6
04f97d1dffb518232e465a8c977f384cedbceaac
ccccb88c13e072ea39c25d087ebcd25e2c97fd2d
2517b2fea3caf382a2609578d009649e8c727a28
e89213ec06e9f06530b61ecb8c1622623c36c145
bbfc5b5c8bb1d37b791594872b283fc1b5a4060b
18f013d7641bf3ce3209dbfe0c3ee7600ccb85ac
dc37eb7299beb3b2509a514d471271a91f47596e
8ac3a4477ac576def60935ec568a79d1c9686df8
d2dfe94ea7ab51bdfd89c44cfc4e3ceb7c15d7e4
e2d138384714cbc0649d5920ba510dd7019ded18
5b50db5115918b2a6c5fe3763cf876799dd30f59
17357f5c7c4ca09f5cfa28762f9ca6aa0fe1bf33
27e419cc6b3c0095728f777eded88fdcc2d0d019
5fe18b55be462bc5249af282c5837c09ab372676
ef181584c93fc109c015138c6af071ac6cf1c78a
28a024dd33169ac60b80de97ad5f4311a3fe2d47
2c36f79e4fd34f1044c2a8c6c65badd70c07e503
136c14ae0976095bec0a94efe4c6665a1c3c4422
082af750a859714ce6d559f2a60aa40718436bb0
a8ef632ce4dc99b3fbe54c3c0ecac12f85aee4f7
287dae1bac54a74eebc98b6fce2072c8249c33a3
09722cdbc1693c12d36f3c857cad659b0b2eef8f
6cd5ec30466db01a781531bd5e6280d502345d70
b389f71644e4f7d08406d66e667857bc50468a30
44c64b06d93983cbdeae8c2f4debde0ae32cd40d
3b0781a1c94a3a2c83f76f6288bded7ab8b07e47
36e0507888f6eb79ce21ba22094fc7ecbed6c51d
11e8f4d2f1b98f5b4de7ac6982f7128c0b831ae0
a4545e0f6dbf5f416512fe5e5a882c64072a59cc
38d56f73e8c47a1c65fb3d21a6a3ff4528f71326
02836706d8d7ed0a6c6aa4aef127815867f29df5
21065f4437c3ca4444d42cb7be42a514ab2eee77
b9ed5a5f0387d03040aa526d9365da3d53025190

Petya Ransomware picture collection from infected countries around the world

On June 27, 2017 Petya ransomware infected computer in more than 65 countries around the world such as Belgium, Brazil, Germany, Denmark, Netherlands, France, Italy, Russia or the United States. Based on Microsoft report, Petya infected more than 12,500 machines only in Ukraine.
This breach comes just few weeks after WannaCry ransomware that infected computer in more than 150 countries. 

Petya ransomware affected variety of companies and institutions such as Ukraine central bank, Ukraine cabinet of ministers, state telecom, municipal metro, Kiev's airport, Ukraine electricity supplier, Chernobyl nuclear power plant, point-of-sale terminals, ATMs, transport and logistics company from Denmark, Russian oil company, pharmaceutical company, Pittsburgh-area hospital, Media companies etc.

Number of Bitcoins Ransomware collected: http://wannabucks.xyz

ATM

Supermarket in Kharkiv, east Ukraine - point-of-sale terminals

ATM

WannaCry Ransomware picture collection from infected countries around the world

The biggest cyberattack in history infected more than 200,000 computers in 150 countries and paralyzed computers and networks around the world, including the ones that run Britain's hospital network, Germany's national railway, Ministry of Internal Affairs in Russia, telecommunications giant Telefonica, Nissan, Renault, FedEx and many of other companies and government agencies worldwide.

Without any introduction, because it has been said a lot about this Ransomware, I just jump right into the main point of this blog post where I have put together collection of pictures taken during WannaCry Ransomware rampage. Feel free to post more pictures in the comments.

For those interested here is map of infections: https://www.youtube.com/watch?v=kG8E15WFM6E

Number of Bitcoins Ransomware collected: http://wannabucks.xyz/

[Update]

Somewhere in Japan

Taiwan

Chinese University. Student theses were locked. Some may face delay of graduation.

Indonesia

Vietnam

Somewhere in Vietnam

In Vietnam WannaCry infected ~1,900 computers

Indian bank ATM

Operator control and monitoring system in Italy

National Police Bureau, Thailand

ATM in Jawa, Indonesia

ATM in Indonesia

ATM's in Indonesia are offline due to WannaCry

Store in Japan

Somewhere in Vietnam

Somewhere in Vietnam

Tirumala Tirupati Devasthanam

Queue system of a hospital in Jakarta

Somewhere in the world

Under Wine you can infect your Linux desktop too

A Bayer MedRad device used to assist in MRI scans infected with the WannaCry ransomware.

WBSEDCL OFFICE at Malbazar in Dooars, India

This is a CJ CGV screen in Seoul that has been crippled by Wanna Cry ransomware

General practice surgery in Preston the north of England. Credits to @fendifille

Somewhere in Italy

Somewhere in Germany

Saudi Telecom Company (STC)

Somewhere in Russia

Let's start with one of the first infected countries, England and Spain.

Figure 1 NHS hospital in England

Figure 2 London GP sees when trying to connect to the NHS network

Figure 3 Telefonica Tells Employees to Shut Down Computers Amid Massive Ransomware

Figure 4 Germany's national railway

Figure 5 The Netherlands in parking systems of Q-Park

Figure 6 Ministry of Internal Affairs in Russia

Figure 7 Russian telecommunications company Megafon

Figure 8 Somewhere in Russia

Figure 9 Russian Railways center

Figure 10 Probably Nissan product line

Figure 11 The University  of Milano-Bicocca, Italia

Figure 12 Saudi Telecom Company

Figure 13 Thailand

Figure 14 Bank of China ATMs

Figure 15 Chinese traffic police

Figure 16 Chinese University

Figure 17 Somewhere in Nordic parking lot

Figure 18 Store in Singapore thanks to Goi

Figure 19 Local mall in Singapure - Tiong Bahru Plaza

Figure 20 Building lobby

Figure 21 Chile Moviestar

Figure 22 Pakistan

 

Still not enough?

Few pictures for those who are already fed up with WannaCry.

Patriarch of Russian Orthodox church making sure that the Ministry of Internal Affairs computers won't get affected by WannaCry virus attack