Trend Micro researchers observed an uptick in attacks targeting bank customers in India, the common entry point being a text message with a phishing link.
The SMS urges victims to open the embedded phishing link or malicious app download page and follow the instructions to fill in their personally identifiable information (PII) and credit card details, supposedly to receive a tax refund or credit card reward points. As of this writing, Trend Micro has observed five banking malware families involved in these attacks: Elibomi, FakeReward, AxBanker, IcRAT, and IcSpy.
Elibomi, first documented by McAfee in September 2021, is engineered to steal personal data, take screenshots, and even capture the lock screen code or pattern by abusing Android’s accessibility API permissions, enabling it to seize control of the compromised devices.
The apps themselves are delivered through phishing websites whose domain names resemble those of their legitimate counterparts; the sites also reuse the banks’ brand logos to increase the likelihood of a successful attack and trick the user into downloading the malicious app to get “instant reward points.”
The similarity in stolen data and phishing themes notwithstanding, Trend Micro said there is no concrete evidence tying all these malware families to a single threat actor.
Trend Micro researchers found that the targeted bank customers include account holders of seven banks, among them some of the most well-known banks in the country, potentially affecting millions of customers. Common to these routines is the abuse of the legitimate banks’ logos, names, and affiliated brands and services to convince victims that the phishing sites are affiliated with the banks.
Trend Micro Solutions
Users can follow the Trend Micro solutions below.
Trend Micro Mobile Security Solutions can scan mobile devices in real time and on demand to detect malicious apps, sites, or malware and block or delete them. These solutions are available on Android and iOS, and can protect users’ devices and help them minimize the threats brought by these fraudulent applications and websites.
IOCs