Improvised Modus Operandi for Targeting Indian Banking Customers via SMS Forwarding Malware

CloudSEK's team has uncovered a banking trojan with an improvised modus operandi: the threat actor, or a group of threat actors, hosts a simple online complaint portal on domains such as online-complaint[.]com or customer-complaint[.]com and targets Indian banking customers.
Published on June 22, 2022 | Updated on April 19, 2023
Category: Adversary Intelligence | Region: India | Industry: Finance & Banking

Executive Summary

Threat
  • A new phishing campaign is targeting Indian banking consumers.
  • The phishing site collects victims’ banking credentials and PII, after which an Android SMS forwarding malware is downloaded to their devices.
Impact
  • Banking credentials and PII can be used to launch social engineering attacks and to create fake bank accounts.
  • The malware allows threat actors to carry out unauthorized transactions by accessing OTPs or verification codes via SMS forwarding.
Mitigation
  • Conduct awareness campaigns and training programs for customers and employees.
  • Monitor and take down fake domains.
CloudSEK’s TRIAD team has uncovered a banking trojan with an improvised modus operandi: the threat actor, or a group of threat actors, hosts a simple online complaint portal on domains such as online-complaint[.]com or customer-complaint[.]com and targets Indian banking customers. Our research team has found multiple domains that follow the same modus operandi and use identical templates. The table below lists the domains discovered during the course of our investigation.
Domain: accountsecureverify[.]com (online-complaint[.]accountsecureverify[.]com)
WHOIS Record: Created Date: 2022-01-31 | Updated Date: 2022-01-31 | Registrant Street: 2155 E Warner Rd | Registrant City: Tempe | Registrant State/Province: Arizona | Registrant Postal Code: 85284 | Registrant Country: US

Domain: secureaccounts[.]in
WHOIS Record: Created Date: 2022-02-05 | Updated Date: 2022-02-10 | Registrant State/Province: Bihar | Registrant Country: IN

Domain: online-complaint[.]com
WHOIS Record: Created Date: 2022-04-27 | Updated Date: 2022-05-11 | Registrant Street: 2155 E Warner Rd | Registrant City: Tempe | Registrant State/Province: Arizona | Registrant Postal Code: 85284

Domain: customer-complaint[.]com
WHOIS Record: Created Date: 2022-05-25 | Updated Date: 2022-05-29 | Registrant City: ALLA HABAD | Registrant Name, Email, Phone: (empty in the record) | Registrant Street: EC 128 | Registrant Country: IN | Registrant State/Province: Uttar Pradesh | Registrant Postal Code: 211008

Modus Operandi

  • The victims fill out sensitive banking information such as card number, CVV number, and expiry date, on the fake complaint portal.
  • After the banking information has been captured, a malicious customer support application, Customer_Sopport_Service.apk, is downloaded to the victims’ devices.
  • No logos or names of the Indian Banks have been used in these phishing websites, in order to avoid suspicion and detection. Moreover, the malicious customer support application is not hosted on the Google Play Store or any of the third-party application stores.
  • The malicious application is used to send all the incoming SMS to its C2 (Command and Control) server, which is online-complaint[.]com in this case.
[Figure: Phishing website from which the malware gets downloaded]

Analysis and Attribution

Features of the Malware

Functionality

Upon further analysis, it was discovered that the major role of the banking trojan is to forward all SMS from the victims' devices to the C2 server.

Delivery Mechanism

  • Threat actors trick the victim into submitting their complaints about “transaction failure” on the domains online-complaint[.]com and customer-complaint[.]com, created in April 2022 and May 2022 respectively.
  • The domains mentioned above are used by the threat actors to host fake Customer Support Complaint phishing websites.
  • The victims have to enter their complaint type along with other sensitive banking information such as card number, CVV number, and expiry date, to get a “refund” on the “failed transaction”.
  • On submitting the details mentioned above, the malicious application, “Customer_Sopport_Service.apk”, gets downloaded to the victims’ devices.

Permissions and Execution

  • CloudSEK’s research team analyzed the malicious application on BeVigil, the world’s first security search engine for mobile applications. BeVigil’s report for the malicious application can be found here.
  • BeVigil's findings for the application can be summarized as follows:
    • The malicious application asks for permission to read, send, and receive SMS after the first installation.
    • The trojan can also read the contact numbers on the victim’s device.
[Figure: Permissions of the malicious application]

Analysis of the Source Code

  • After the malware gets installed on the victims’ devices, it will check for RECEIVE_SMS, READ_SMS, and SEND_SMS permissions.
[Figure: SMS forwarding malware checking permission for receiving, reading, and sending SMS]
  • The AutoStartHelper() method makes the malware run in the background after the device boots or the application is installed. The following code shows that, after starting up, the malware can work on devices from various manufacturers.
[Figure: Code snippet of the AutoStartHelper() function]
  • The sendMessage() method sends SMS from the victim devices to the C2 (Command and Control) server.
[Figure: Code snippet of the sendMessage() function]
  • The MyApi() interface defines the API endpoint of the C2 (Command and Control) server to which the malware exfiltrates the SMS stolen from the victim devices.
[Figure: Code snippet of the MyApi() interface]
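As an added triage example (not code from the original report or from CloudSEK), the following Python script scores a decoded AndroidManifest.xml for the capability profile described in the two sections above: all three SMS permissions, network access, an SMS_RECEIVED receiver and autostart on boot. The sample manifest embedded in it is constructed to mirror the listed permissions and is not the real APK's manifest.

```python
import xml.etree.ElementTree as ET

ANDROID_NS = "{http://schemas.android.com/apk/res/android}"
NAME_ATTR = ANDROID_NS + "name"

# Capability profile the report describes: read/receive/send SMS, network, SMS receiver, boot autostart.
SMS_PERMS = {"android.permission.RECEIVE_SMS", "android.permission.READ_SMS",
             "android.permission.SEND_SMS"}
NETWORK_PERM = "android.permission.INTERNET"
BOOT_PERM = "android.permission.RECEIVE_BOOT_COMPLETED"
SMS_ACTION = "android.provider.Telephony.SMS_RECEIVED"
BOOT_ACTION = "android.intent.action.BOOT_COMPLETED"


def triage_manifest(manifest_xml: str) -> dict:
    """Score a decoded AndroidManifest.xml (e.g. apktool output) for the SMS-forwarder profile."""
    root = ET.fromstring(manifest_xml)
    perms = {p.get(NAME_ATTR) for p in root.iter("uses-permission")}
    actions = {a.get(NAME_ATTR) for a in root.iter("action")}
    findings = {
        "sms_permissions": sorted(perms & SMS_PERMS),
        "sms_receiver": SMS_ACTION in actions,
        "boot_autostart": BOOT_PERM in perms or BOOT_ACTION in actions,
        "network": NETWORK_PERM in perms,
    }
    findings["score"] = (len(findings["sms_permissions"]) + findings["sms_receiver"]
                         + findings["boot_autostart"] + findings["network"])
    # All three SMS permissions plus network access is enough to forward every SMS to a C2.
    findings["verdict"] = ("sms-forwarder-profile"
                           if SMS_PERMS <= perms and findings["network"] else "review")
    return findings


# Constructed sample manifest modelled on the permissions the report lists; not the real APK's manifest.
SAMPLE_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.support">
  <uses-permission android:name="android.permission.INTERNET"/>
  <uses-permission android:name="android.permission.RECEIVE_SMS"/>
  <uses-permission android:name="android.permission.READ_SMS"/>
  <uses-permission android:name="android.permission.SEND_SMS"/>
  <uses-permission android:name="android.permission.RECEIVE_BOOT_COMPLETED"/>
  <application>
    <receiver android:name=".SmsReceiver">
      <intent-filter>
        <action android:name="android.provider.Telephony.SMS_RECEIVED"/>
        <action android:name="android.intent.action.BOOT_COMPLETED"/>
      </intent-filter>
    </receiver>
  </application>
</manifest>"""
```

Run it on the output of `apktool d sample.apk` (the decoded AndroidManifest.xml) to get the same findings for a real sample.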

Information from OSINT

  • While performing Open Source Intelligence (OSINT) on the IP address 148.72.158.61 of the web server of domain online-complaint[.]com, which is also the C2 (Command and Control) server of the malicious application, our research team uncovered other websites carrying out similar scams. The table below lists the similar domains discovered during the course of our investigation.
Similar Domains:
  • online-complaint[.]accountsecureverify[.]com
  • secureaccounts[.]in
  • customer-complaint[.]com
  • Based on passive record logs, the above-mentioned IP address has also been contacted by other, similar banking trojans since March 2022.
[Figure: Banking trojans which contacted the given IP address]

Impact & Mitigation

Impact
  • Threat actors will gain sensitive banking information, which may lead to financial loss.
  • The malware will help the threat actors gain other sensitive information, such as OTPs or 2FA verification codes, via SMS forwarding.
  • The collected sensitive information can be used by threat actors to launch successful social engineering attacks against the victim.
  • This type of impersonation campaign also has a negative impact on the value and reputation of any targeted entity or organization.
Mitigation
  • Create more awareness campaigns and training programs for both customers and internal employees, educating them on such newly targeted campaigns.
  • Monitor fake domains proactively and take such suspected domains down before they cause further damage.
  • Educate consumers about the usage of any product or service provided by any particular entity.

Indicators of Compromise (IoCs)

Files Obtained: Customer_Sopport_Service.apk
SHA256: 53c185090a170800ceb525ccbb1b798603428766
URLs:
  • hxxp://online-complaint[.]com/controller
  • hxxp://online-complaint[.]com/controller/api
  • hxxp://online-complaint[.]com/controller/api/common
IPv4: 148.72.158.61
Domains:
  • online-complaint[.]accountsecureverify[.]com
  • secureaccounts[.]in
  • customer-complaint[.]com
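An added detection example, not part of the original report: it refangs the indicators listed above (hxxp://, [.]) and matches them against web-proxy log lines, flagging domain hits (including subdomains), destination-IP hits and requests to the C2 API paths. The log format and the log lines are constructed for the example and are assumptions.

```python
import re
from urllib.parse import urlsplit

# Indicators copied from this report, as published (defanged).
IOC_URLS = ["hxxp://online-complaint[.]com/controller",
            "hxxp://online-complaint[.]com/controller/api",
            "hxxp://online-complaint[.]com/controller/api/common"]
IOC_DOMAINS = ["online-complaint[.]com", "online-complaint[.]accountsecureverify[.]com",
               "secureaccounts[.]in", "customer-complaint[.]com"]
IOC_IPS = ["148.72.158.61"]


def refang(ioc: str) -> str:
    """Turn a defanged indicator back into its real form for matching."""
    return ioc.replace("[.]", ".").replace("hxxps://", "https://").replace("hxxp://", "http://")


def build_matcher():
    """Normalise the IoC lists into sets of hosts, URL paths and IPs."""
    hosts = {refang(d) for d in IOC_DOMAINS}
    paths = {urlsplit(refang(u)).path.rstrip("/") for u in IOC_URLS}
    return hosts, paths, set(IOC_IPS)


# Assumed proxy log layout: <timestamp> <client-ip> <method> <url> <destination-ip>
LOG_RE = re.compile(r"^(?P<ts>\S+) (?P<src>\S+) (?P<method>[A-Z]+) (?P<url>\S+) (?P<dst_ip>\S+)")


def match_log(lines, hosts, paths, ips):
    """Return (timestamp, client, host, reasons) for every line touching an indicator."""
    hits = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue  # skip malformed lines rather than fail the whole run
        u = urlsplit(m["url"])
        host = u.hostname or ""
        reasons = []
        if host in hosts or any(host.endswith("." + h) for h in hosts):
            reasons.append("domain")
        if m["dst_ip"] in ips:
            reasons.append("ip")
        if "domain" in reasons and u.path.rstrip("/") in paths:
            reasons.append("c2-path")  # request to the reported C2 API endpoints
        if reasons:
            hits.append((m["ts"], m["src"], host, reasons))
    return hits


# Constructed sample log lines (client and non-IoC addresses are documentation ranges).
SAMPLE_LOG = [
    "2022-06-01T10:15:02Z 10.0.0.12 POST http://online-complaint.com/controller/api/common 148.72.158.61",
    "2022-06-01T10:16:40Z 10.0.0.30 GET https://www.example.org/index.html 93.184.216.34",
    "2022-06-01T10:18:11Z 10.0.0.12 GET http://cdn.secureaccounts.in/app.apk 203.0.113.5",
    "2022-06-01T10:20:00Z 10.0.0.44 GET http://198.51.100.7/ 148.72.158.61",
]
```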
 

Appendix

[Figure: Screenshot of the contents of an internal directory of online-complaint[.]com]
[Figure: Screenshot of the contents of an internal directory of online-complaint[.]com]
[Figure: Screenshot of the contents of an internal directory of online-complaint[.]com]
[Figure: Screenshot of the message displayed upon submitting a complaint on online-complaint[.]com]
