Monday, August 21, 2017

Phishing attack at Raiffeisen Bank by MazarBot

Yesterday I discovered a phishing campaign targeting clients of Raiffeisen Bank, run by the popular and still active Android banking Trojan MazarBot. This infiltration targets German-speaking users and makes them download a fake Raiffeisen Security App.


The last time I wrote about MazarBot was a year and a half ago; however, it is still spreading using different methods. MazarBot has been distributed via SMS, fake webpages and email spam.

How it works

This MazarBot campaign is probably spread through email spam, where the potential victim receives an email with a link to a bogus webpage. In this case, it is an exact copy of the Raiffeisen Bank website.

Figure 1. Fake phishing webpage

Figure 2. Legit Raiffeisen web

Once the victim fills in the login credentials, which are sent straight to the attacker, they are redirected to another webpage where they allegedly need to download and install the Raiffeisenbank Security app due to a new EU money laundering regulation that is mandatory for all customers with a phone number.
The webpage also contains instructions on how to download and install the app, including a QR code.

Figure 3. Install instructions for fake Raiffeisen Security App

How is attack performed

Potential victims

The app is downloaded through a URL shortener, so we can check the link statistics. Fortunately, only 37 clicks (14 desktop clicks + 23 mobile clicks) were made in two days.

Figure 4. Raiffeisen Security app download link statistics

However, most of the downloads came from Austria.

Figure 5. Detail of each link access


The core functionality of this banking Trojan is to create an overlay activity and harvest the user's credit card details through fake login forms.

Figure 6. Request of MazarBot to activate device administrator


Phishing URLs



Tuesday, August 8, 2017

Android Banking Trojan misuses accessibility services

Accessibility services can be used not only by disabled users but by malware as well. An infiltration misusing accessibility services can read text from the displayed activity, set itself as the default messaging app and click on behalf of the user.

I decided to put together a quick (non-)technical blog post with insights from SfyLabs. This particular infiltration was discovered a few weeks ago; you can read about it here and here. So why another blog post? In this post, I would like to bring more details on this Trojan, such as the distribution vector, samples, C&C server, functionality, targeted banks, a video demonstration, etc.

Distribution vector

For now, it is mostly spread using fake web pages impersonating legitimate software such as Adobe Flash Player, WhatsApp, sKlasse Antivirus or SkyScanner.

Spread via malicious links such as:

For rent or sale

According to an investigation by SenseCy, this banking Trojan is currently for sale on a Russian underground forum. Since July 2017 it has been offered for rent as well.

Example of infection

Once the user is infected, the Trojan will persistently ask the user to activate "Google services" until they do. After the victim activates this fake accessibility service, the banking Trojan sets itself as the default messaging app on the user's behalf (to bypass 2FA), activates device administrator rights and hides its icon from the user's view. The infection is demonstrated in the following video.


The decompiled code is obfuscated against static analysis with a lot of junk code, probably using an automated tool.

The infiltration is capable of:
  • sending SMS
  • intercepting received SMS
  • keylogging
  • displaying phishing dialogs
  • blocking the operation of AV software
  • opening URLs
  • collecting information about contacts, installed apps and call logs


This Trojan targets the apps of more than 50 financial institutions from different countries around the world (UK, France, Austria, Germany, Poland, Turkey).

The malware dynamically obtains an encrypted configuration file containing the targeted banking apps. The SfyLabs team decrypted the configuration file and found the targeted apps together with their phishing links.

For more details, here is the config file.
Tool to decrypt the C2 config file, via SfyLabs.

Yara Rules 

I decided to create public Yara rules for the Koodous project that could help increase detection and raise awareness of this particular Android banking threat.
For those who are not aware of Koodous, it is a place for Android security researchers with a lot of Android malware samples available for free download.

You can find my rule set here: Banker_misusing_accessibility_services
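As an added example (not the author's Koodous rule set), here is a Koodous-style Yara rule using the androguard module that flags APKs declaring the three manifest features described above: an accessibility service, a device administrator receiver, and the SMS_DELIVER receiver an app needs to become the default messaging app. The intent actions and permissions are Android framework identifiers; the rule name and metadata are my own.

```yara
import "androguard"

rule Banker_accessibility_deviceadmin_sms_heuristic
{
    meta:
        description = "Added heuristic example, not the post's rule set: APK that binds an accessibility service, requests device admin and registers as default SMS app"
        reference   = "https://koodous.com"

    condition:
        // service exposing the accessibility intent filter (the fake "Google services" prompt)
        androguard.filter(/android\.accessibilityservice\.AccessibilityService/) and
        // device administrator receiver, enabled right after the accessibility prompt
        androguard.filter(/android\.app\.action\.DEVICE_ADMIN_ENABLED/) and
        // SMS_DELIVER receiver: required to become the default messaging app (2FA bypass)
        androguard.filter(/android\.provider\.Telephony\.SMS_DELIVER/) and
        // SMS permissions used for intercepting and sending messages
        androguard.permission(/android\.permission\.RECEIVE_SMS/) and
        androguard.permission(/android\.permission\.SEND_SMS/)
}
```

Legitimate messaging apps with device-admin features can match this combination too, so treat hits as triage candidates and pair the rule with the sample hashes or certificate checks from the post rather than acting on it alone.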


All of these hashes are on VirusTotal.


Tuesday, July 4, 2017

Petya Ransomware picture collection from infected countries around the world

On June 27, 2017 the Petya ransomware infected computers in more than 65 countries around the world, such as Belgium, Brazil, Germany, Denmark, the Netherlands, France, Italy, Russia and the United States. Based on a Microsoft report, Petya infected more than 12,500 machines in Ukraine alone.
This breach comes just a few weeks after the WannaCry ransomware, which infected computers in more than 150 countries.

Petya ransomware affected a variety of companies and institutions, such as Ukraine's central bank, the Ukrainian cabinet of ministers, the state telecom, the municipal metro, Kiev's airport, a Ukrainian electricity supplier, the Chernobyl nuclear power plant, point-of-sale terminals, ATMs, a transport and logistics company from Denmark, a Russian oil company, a pharmaceutical company, a Pittsburgh-area hospital, media companies, etc.

Number of Bitcoins Ransomware collected:


Supermarket in Kharkiv, east Ukraine - point-of-sale terminals


Wednesday, May 17, 2017

WannaCry Ransomware picture collection from infected countries around the world

The biggest cyberattack in history infected more than 200,000 computers in 150 countries and paralyzed computers and networks around the world, including the ones that run Britain's hospital network, Germany's national railway, the Ministry of Internal Affairs in Russia, the telecommunications giant Telefonica, Nissan, Renault, FedEx and many other companies and government agencies worldwide.

Without any introduction, because a lot has already been said about this ransomware, I will jump right into the main point of this blog post, where I have put together a collection of pictures taken during the WannaCry ransomware rampage. Feel free to post more pictures in the comments.

For those interested, here is a map of infections:
Number of Bitcoins Ransomware collected:


Somewhere in Japan


Chinese University. Student theses were locked. Some may face delay of graduation.



Somewhere in Vietnam

In Vietnam WannaCry infected ~1,900 computers

Indian bank ATM

Operator control and monitoring system in Italy

National Police Bureau, Thailand

ATM in Jawa, Indonesia

ATM in Indonesia

ATMs in Indonesia are offline due to WannaCry

Store in Japan

Somewhere in Vietnam

Somewhere in Vietnam

Tirumala Tirupati Devasthanam

Queue system of a hospital in Jakarta

Somewhere in the world

Under Wine you can infect your Linux desktop too

A Bayer MedRad device used to assist in MRI scans infected with the WannaCry ransomware.

WBSEDCL OFFICE at Malbazar in Dooars, India

This is a CJ CGV screen in Seoul that has been crippled by Wanna Cry ransomware

General practice surgery in Preston, in the north of England. Credits to @fendifille

Somewhere in Italy

Somewhere in Germany

Saudi Telecom Company (STC)

Somewhere in Russia

Let's start with some of the first infected countries, England and Spain.
Figure 1 NHS hospital in England

Figure 2 What a London GP sees when trying to connect to the NHS network

Figure 3 Telefonica Tells Employees to Shut Down Computers Amid Massive Ransomware

Figure 4 Germany's national railway

Figure 6 Ministry of Internal Affairs in Russia

Figure 7 Russian telecommunications company Megafon

Figure 8 Somewhere in Russia

Figure 9 Russian Railways center

Figure 10 Probably Nissan product line

Figure 11 The University of Milano-Bicocca, Italia

Figure 12 Saudi Telecom Company

Figure 13 Thailand

Figure 14 Bank of China ATMs
Figure 15 Chinese traffic police

Figure 16 Chinese University

Figure 17 Somewhere in Nordic parking lot

Figure 18 Store in Singapore thanks to Goi

Figure 19 Local mall in Singapore - Tiong Bahru Plaza

Figure 20 Building lobby

Figure 21 Chile Movistar

Figure 22 Pakistan


Still not enough?

A few pictures for those who are already fed up with WannaCry.

The Patriarch of the Russian Orthodox Church making sure that the Ministry of Internal Affairs computers won't get affected by the WannaCry virus attack