Monday, August 21, 2017

Phishing attack at Raiffeisen Bank by MazarBot

Yesterday I discovered a phishing campaign targeting clients of Raiffeisen Bank, run by the popular and still active Android banking Trojan MazarBot. The infiltration targets German-speaking users and makes them download a fake Raiffeisen Security App.


The last time I wrote about MazarBot was a year and a half ago; however, it is still spreading using different methods. MazarBot has been distributed via SMS, fake web pages and email spam.


How it works

This MazarBot campaign is probably spread through email spam: the potential victim receives an email containing a link to a bogus web page. In this case, it is an exact copy of the Raiffeisen Bank website.

Figure 1. Fake phishing webpage

Figure 2. Legit Raiffeisen web

Once the victim fills in login credentials (thereby sending them to the attacker), they are redirected to another web page claiming that they need to download and install a Raiffeisenbank Security app because of a new EU anti-money-laundering regulation that is supposedly mandatory for all customers with a phone number.
The web page also contains instructions on how to download and install the app, including a QR code.

Figure 3. Install instructions for fake Raiffeisen Security App

How the attack is performed



Potential victims


A URL shortener is used for the app download link, so we can check its click statistics. Fortunately, only 37 clicks (14 desktop + 23 mobile) were recorded in two days.

Figure 4. Raiffeisen Security app download link statistics

Most of the downloads came from Austria.

Figure 5. Detail of each link access

Functionality

The core functionality of this banking Trojan is to create an overlay activity and lure the user's credit card details out of them through fake login forms.

Figure 6. Request of MazarBot to activate device administrator

IOC

Phishing URLs
http://banking.raiffeisen.at.updateid0891201.pw
http://banking.raiffeisen.at.updateid0891202.pw
http://banking.raiffeisen.at.updateid0891203.pw
http://banking.raiffeisen.at.updateid0891204.pw
http://banking.raiffeisen.at.updateid0891206.pw
http://banking.raiffeisen.at.updateid0891207.pw
http://banking.raiffeisen.at.updateid0891208.pw
http://banking.raiffeisen.at.updateid0891209.pw

Hashes
624195D0777BAC438C9372A1DB43324B107D78ED
D71A5C032AA08DEE55F8F19A607EF10DCF9FE326

C&C
http://hoploiuc.biz/index.php?action=command
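The phishing hostnames above all follow one pattern: the bank's real domain is placed as a subdomain of an unrelated registrable domain (here a .pw domain), so the address bar starts with something that looks like banking.raiffeisen.at. The following triage check is an added example, not code from the original post or from the bank: it takes the phishing URLs listed in the IOC section, computes which domain actually controls each hostname, and flags names that merely embed a protected brand domain. The protected domain raiffeisen.at and the benign comparison URLs are assumptions constructed for the example.

```python
"""Flag lookalike hostnames that embed a legitimate banking domain as a
subdomain of an unrelated registrable domain (defender's triage check).
Added example; the protected domain and the benign URLs are assumptions."""
from urllib.parse import urlsplit

# Assumption: the bank's real domain, which the phishing hostnames imitate.
PROTECTED_DOMAINS = {"raiffeisen.at"}

# Two phishing URLs from the IOC section, plus two constructed benign URLs
# so the check has negatives to compare against.
SAMPLE_URLS = [
    "http://banking.raiffeisen.at.updateid0891201.pw",
    "http://banking.raiffeisen.at.updateid0891209.pw",
    "https://banking.raiffeisen.at/",          # constructed: the legitimate host
    "https://www.example.com/raiffeisen.at",   # constructed: brand only in the path
]


def _labels(hostname):
    return hostname.lower().rstrip(".").split(".")


def registrable_domain(hostname):
    """Return the last two labels of a hostname.

    Simplification: a production check should consult the Public Suffix List
    so that names like bank.co.uk are handled; two labels are enough for the
    .pw and .at hostnames in this post.
    """
    return ".".join(_labels(hostname)[-2:])


def find_embedded_brand(hostname, protected=PROTECTED_DOMAINS):
    """Return a protected domain that appears inside the hostname's labels
    without being the domain that actually controls the name, else None."""
    labels = _labels(hostname)
    for domain in protected:
        dlabels = domain.split(".")
        n = len(dlabels)
        # Every window of labels except the final one (the real registrable
        # domain), so the legitimate banking.raiffeisen.at is not flagged.
        for i in range(0, len(labels) - n):
            if labels[i:i + n] == dlabels:
                return domain
    return None


def classify_url(url, protected=PROTECTED_DOMAINS):
    """Classify a URL as 'legitimate', 'lookalike' or 'unrelated'."""
    host = urlsplit(url).hostname or ""
    if registrable_domain(host) in protected:
        return "legitimate"
    if find_embedded_brand(host, protected):
        return "lookalike"
    return "unrelated"


def triage(urls, protected=PROTECTED_DOMAINS):
    """Return {url: (verdict, controlling_domain)} for every URL."""
    return {
        u: (classify_url(u, protected),
            registrable_domain(urlsplit(u).hostname or ""))
        for u in urls
    }


if __name__ == "__main__":
    for url, (verdict, controlling) in triage(SAMPLE_URLS).items():
        print(f"{verdict:10s} {controlling:22s} {url}")
```

The point the verdict makes explicit is that the controlling domain of every phishing URL is updateid089120X.pw, not raiffeisen.at; a mail gateway or proxy log review that keys on the registrable domain rather than on the leftmost labels sees the campaign immediately.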

Tuesday, August 8, 2017

Android Banking Trojan misuses accessibility services


Accessibility services can be used not only by users with disabilities but by malware as well. By misusing accessibility services, an infiltration can read text from the displayed activity, set itself as the default messaging app and click on behalf of the user.


I decided to put together a quick (non-)technical blog post with insights from SfyLabs. This particular infiltration was discovered a few weeks ago; you can read about it here and here. So why another blog post? In this post, I would like to bring more details on this Trojan, such as the distribution vector, samples, C&C server, functionality, targeted banks, a video demonstration, etc.


Distribution vector

For now, it is mostly spread using fake web pages impersonating legitimate software such as Adobe Flash Player, WhatsApp, sKlasse Antivirus or SkyScanner.




It is spread via malicious links such as:
hxxp://xxxvideos.place/flash-update/Adobe_Flash_2017.apk
hxxp://mgmtiming.com/internal-app/sklasse-antivirus.apk


For rent or sale

According to an investigation by SenseCy, this banking Trojan is currently for sale on a Russian underground forum. Since July 2017 it has been offered for rent as well.



Example of infection

Once the user is infected, the Trojan persistently asks the user to activate "Google services" until they do. After the victim activates this fake accessibility service, the banking Trojan sets itself as the default messaging app on the user's behalf (to bypass 2FA), activates device administrator rights and hides its icon from the user's view. The infection is demonstrated in the following video.



Functionality

The decompiled code is obfuscated against static analysis with a lot of junk code, probably using an automated tool.


The infiltration is capable of:
  • sending SMS messages
  • intercepting received SMS messages
  • keylogging
  • displaying phishing dialogs
  • blocking the operation of AV software
  • opening URLs
  • collecting information about contacts, installed apps and call logs
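The infection flow above (fake "Google services" accessibility prompt, default messaging app takeover, device administrator rights) and the SMS-related capabilities in the list are all visible in an APK's manifest before the app is ever run. The following static triage heuristic is an added example, not code from the post, from SfyLabs or from the author's Yara rule set: it parses an AndroidManifest.xml and scores the combination of an accessibility service, a device-admin receiver, an SMS_DELIVER receiver (required to become the default SMS app) and SMS permissions. Both manifests are constructed for the example; the package names and component names are placeholders, while the permission and action strings are the real Android identifiers.

```python
"""Score an AndroidManifest.xml for the accessibility + device-admin + SMS
takeover pattern described in the post. Added example; the two manifests
below are constructed, their package/component names are placeholders."""
import xml.etree.ElementTree as ET

ANDROID_NS = "http://schemas.android.com/apk/res/android"

# Real Android identifiers the heuristic keys on.
ACCESSIBILITY_ACTION = "android.accessibilityservice.AccessibilityService"
DEVICE_ADMIN_ACTION = "android.app.action.DEVICE_ADMIN_ENABLED"
SMS_DELIVER_ACTION = "android.provider.Telephony.SMS_DELIVER"
SMS_PERMISSIONS = {"android.permission.RECEIVE_SMS",
                   "android.permission.SEND_SMS",
                   "android.permission.READ_SMS"}

# Constructed manifest mimicking the Trojan's behaviour from the post.
MALICIOUS_MANIFEST = f"""<manifest xmlns:android="{ANDROID_NS}"
    package="com.example.fakegoogleservices">
  <uses-permission android:name="android.permission.RECEIVE_SMS"/>
  <uses-permission android:name="android.permission.SEND_SMS"/>
  <uses-permission android:name="android.permission.INTERNET"/>
  <application android:label="Google services">
    <service android:name=".AccService"
        android:permission="android.permission.BIND_ACCESSIBILITY_SERVICE">
      <intent-filter><action android:name="{ACCESSIBILITY_ACTION}"/></intent-filter>
    </service>
    <receiver android:name=".AdminReceiver"
        android:permission="android.permission.BIND_DEVICE_ADMIN">
      <intent-filter><action android:name="{DEVICE_ADMIN_ACTION}"/></intent-filter>
    </receiver>
    <receiver android:name=".SmsReceiver"
        android:permission="android.permission.BROADCAST_SMS">
      <intent-filter><action android:name="{SMS_DELIVER_ACTION}"/></intent-filter>
    </receiver>
  </application>
</manifest>"""

# Constructed manifest of a legitimate accessibility-only app for comparison.
BENIGN_MANIFEST = f"""<manifest xmlns:android="{ANDROID_NS}"
    package="com.example.screenreader">
  <application android:label="Screen Reader">
    <service android:name=".ReaderService"
        android:permission="android.permission.BIND_ACCESSIBILITY_SERVICE">
      <intent-filter><action android:name="{ACCESSIBILITY_ACTION}"/></intent-filter>
    </service>
  </application>
</manifest>"""


def _attr(el, name):
    return el.get(f"{{{ANDROID_NS}}}{name}")


def _component_actions(app, tag):
    """Yield the set of intent-filter actions declared by each <tag> component."""
    if app is None:
        return
    for comp in app.iter(tag):
        yield {_attr(a, "name") for a in comp.iter("action")}


def analyse_manifest(xml_text):
    """Return the list of indicator names found in the manifest."""
    root = ET.fromstring(xml_text)
    app = root.find("application")
    perms = {_attr(p, "name") for p in root.iter("uses-permission")}
    findings = []
    if any(ACCESSIBILITY_ACTION in a for a in _component_actions(app, "service")):
        findings.append("accessibility_service")
    if any(DEVICE_ADMIN_ACTION in a for a in _component_actions(app, "receiver")):
        findings.append("device_admin")
    if any(SMS_DELIVER_ACTION in a for a in _component_actions(app, "receiver")):
        findings.append("sms_deliver_receiver")   # prerequisite for default SMS app
    if perms & SMS_PERMISSIONS:
        findings.append("sms_permissions")
    label = _attr(app, "label") if app is not None else None
    package = root.get("package") or ""
    if label and "google" in label.lower() and not package.startswith("com.google."):
        findings.append("google_impersonation")   # "Google services" lure from the post
    return findings


def risk_level(findings):
    """Accessibility alone is normal for many apps; combined with device admin
    or SMS takeover plus SMS permissions it is the pattern in the post."""
    f = set(findings)
    if ("accessibility_service" in f and "sms_permissions" in f
            and ("device_admin" in f or "sms_deliver_receiver" in f)):
        return "high"
    if len(f) >= 2:
        return "medium"
    return "low"


if __name__ == "__main__":
    for name, manifest in (("malicious", MALICIOUS_MANIFEST), ("benign", BENIGN_MANIFEST)):
        found = analyse_manifest(manifest)
        print(f"{name}: {risk_level(found)} {found}")
```

On a real sample the manifest is binary XML inside the APK and has to be decoded first (apktool or androguard do this); the scoring itself is unchanged. The benign manifest scores low on purpose: an accessibility service by itself is what screen readers and password managers legitimately declare, and it is the combination with device-admin and SMS capabilities that should trigger a closer look.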

Targets

This Trojan targets the apps of more than 50 financial institutions from different countries around the world (UK, France, Austria, Germany, Poland, Turkey).




The malware dynamically obtains an encrypted configuration file containing the targeted banking apps. The SfyLabs team decrypted the configuration file and extracted the targeted apps together with their phishing links.

For more details, here is the config file.
A tool to decrypt the C2 config file is available via SfyLabs.

Yara Rules

I decided to create public Yara rules for the Koodous project that could help increase detection and raise awareness of this particular Android banking threat.
For those who are not aware of Koodous, it is a place for Android security researchers with a lot of Android malware samples available for free download.

You can find my rule set here: Banker_misusing_accessibility_services


IOC

All of these hashes are on VirusTotal.

b7ef9daafcf1f43397e84ec856a1cd802d5f61e2
5268e82713a0a810e552acb86a6474d186269949
1af5e6ec43f9ca1f4e367fabd55265759751909d
409adb132f18d82d0b450c4985d6149ac700e19b
68a381aab056e1965564673c6e7739d22b552db6
04f97d1dffb518232e465a8c977f384cedbceaac
ccccb88c13e072ea39c25d087ebcd25e2c97fd2d
2517b2fea3caf382a2609578d009649e8c727a28
e89213ec06e9f06530b61ecb8c1622623c36c145
bbfc5b5c8bb1d37b791594872b283fc1b5a4060b
18f013d7641bf3ce3209dbfe0c3ee7600ccb85ac
dc37eb7299beb3b2509a514d471271a91f47596e
8ac3a4477ac576def60935ec568a79d1c9686df8
d2dfe94ea7ab51bdfd89c44cfc4e3ceb7c15d7e4
e2d138384714cbc0649d5920ba510dd7019ded18
5b50db5115918b2a6c5fe3763cf876799dd30f59
17357f5c7c4ca09f5cfa28762f9ca6aa0fe1bf33
27e419cc6b3c0095728f777eded88fdcc2d0d019
5fe18b55be462bc5249af282c5837c09ab372676
ef181584c93fc109c015138c6af071ac6cf1c78a
28a024dd33169ac60b80de97ad5f4311a3fe2d47
2c36f79e4fd34f1044c2a8c6c65badd70c07e503
136c14ae0976095bec0a94efe4c6665a1c3c4422
082af750a859714ce6d559f2a60aa40718436bb0
a8ef632ce4dc99b3fbe54c3c0ecac12f85aee4f7
287dae1bac54a74eebc98b6fce2072c8249c33a3
09722cdbc1693c12d36f3c857cad659b0b2eef8f
6cd5ec30466db01a781531bd5e6280d502345d70
b389f71644e4f7d08406d66e667857bc50468a30
44c64b06d93983cbdeae8c2f4debde0ae32cd40d
3b0781a1c94a3a2c83f76f6288bded7ab8b07e47
36e0507888f6eb79ce21ba22094fc7ecbed6c51d
11e8f4d2f1b98f5b4de7ac6982f7128c0b831ae0
a4545e0f6dbf5f416512fe5e5a882c64072a59cc
38d56f73e8c47a1c65fb3d21a6a3ff4528f71326
02836706d8d7ed0a6c6aa4aef127815867f29df5
21065f4437c3ca4444d42cb7be42a514ab2eee77
b9ed5a5f0387d03040aa526d9365da3d53025190