Monday, August 21, 2017

Phishing attack at Raiffeisen Bank by MazarBot

Yesterday I discovered a phishing campaign targeting clients of Raiffeisen Bank, run by the popular and still active Android banking Trojan MazarBot. The campaign targets German-speaking users and gets them to download a fake Raiffeisen Security App.


The last time I wrote about MazarBot was a year and a half ago, but it is still spreading using different methods. MazarBot has been distributed via SMS, fake webpages or email spam.

How it works

Thanks to insights from NI@FI@70, who identified the distribution vector for this particular campaign: email spam. This phishing email could be received from

Figure 1. Distribution vector - email

This MazarBot campaign is spread through email spam: the potential victim receives an email with a link to a bogus webpage. In this case, it is an exact copy of the Raiffeisen Bank website.

Figure 2. Fake phishing webpage

Figure 3. Legit Raiffeisen web

Once the victim fills in their login credentials, which are sent to the attacker, they are redirected to another webpage where they are told to download and install the Raiffeisenbank Security app. The stated pretext is a new EU money laundering regulation that is mandatory for all customers with a phone number.
The webpage also gives instructions for downloading and installing the app, including a QR code.

Figure 4. Install instructions for fake Raiffeisen Security App

How the attack is performed

Potential victims

A URL shortener is used for the app download link, so we can check the link statistics. Fortunately, only 37 clicks (14 desktop clicks + 23 mobile clicks) were recorded in two days.

Figure 5. Raiffeisen Security app download link statistics

However, most of the downloads came from Austria.

Figure 6. Detail of each link access


The core functionality of this banking Trojan is to create an overlay activity and lure the user's credit card details through fake login forms.

Figure 7. Request of MazarBot to activate device administrator
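
A triage check for the device administrator request shown above, as an added example that is not code from this post or from the malware: it scans a decoded AndroidManifest.xml (for instance apktool output) for a device-admin receiver. The sample manifest and its package and class names are constructed, and the SYSTEM_ALERT_WINDOW check is a generic overlay indicator, an assumption since the post does not say how this sample draws its overlay.

```python
import xml.etree.ElementTree as ET

# Attribute names in a decoded manifest live in the Android XML namespace.
A = "{http://schemas.android.com/apk/res/android}"

# Constructed sample manifest; package and class names are hypothetical.
SAMPLE_MANIFEST = """<manifest
    xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.securityapp">
  <uses-permission android:name="android.permission.INTERNET"/>
  <uses-permission android:name="android.permission.SYSTEM_ALERT_WINDOW"/>
  <application android:label="Security App">
    <activity android:name=".MainActivity"/>
    <receiver android:name=".AdminReceiver"
        android:permission="android.permission.BIND_DEVICE_ADMIN">
      <intent-filter>
        <action android:name="android.app.action.DEVICE_ADMIN_ENABLED"/>
      </intent-filter>
    </receiver>
  </application>
</manifest>"""


def triage_manifest(xml_text):
    """Return the package name plus device-admin and overlay indicators."""
    root = ET.fromstring(xml_text)
    findings = {
        "package": root.get("package"),
        "device_admin_receivers": [],
        "overlay_permission": False,
    }
    # Generic overlay indicator (assumption, see lead-in).
    for perm in root.iter("uses-permission"):
        if perm.get(A + "name") == "android.permission.SYSTEM_ALERT_WINDOW":
            findings["overlay_permission"] = True
    # A device-admin receiver is bound to BIND_DEVICE_ADMIN and listens
    # for the DEVICE_ADMIN_ENABLED broadcast.
    for recv in root.iter("receiver"):
        bound = recv.get(A + "permission") == "android.permission.BIND_DEVICE_ADMIN"
        actions = {a.get(A + "name") for a in recv.iter("action")}
        if bound and "android.app.action.DEVICE_ADMIN_ENABLED" in actions:
            findings["device_admin_receivers"].append(recv.get(A + "name"))
    return findings


if __name__ == "__main__":
    print(triage_manifest(SAMPLE_MANIFEST))
```

A device-admin receiver in an app that presents itself as a bank "security app" downloaded from a link in an email is a strong reason to escalate the sample for full analysis.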

IOC (updated 12.09.2017)

Phishing URLs


