Yesterday I discovered a phishing campaign targeting clients of Raiffeisen Bank, run by the popular and still active Android banking Trojan MazarBot. This infiltration targets German-speaking users and makes them download a fake Raiffeisen Security App.
The last time I wrote about MazarBot was a year and a half ago; however, it is still spreading using different methods. MazarBot has been distributed via SMS, fake webpages and email spam.
How it works
[UPDATE] Thanks to insights from NI@FI@70, who identified the distribution vector for this particular infiltration as email spam. The phishing email could be received from raiffeisen@elba-service.team.info
Figure 1. Distribution vector - email
This campaign of MazarBot is spread through email spam, where the potential victim receives an email with a link to a bogus webpage. In this case, it is an exact copy of the Raiffeisen Bank website.
Figure 2. Fake phishing webpage
Figure 3. Legit Raiffeisen web
Once the victim fills in their login credentials, which are sent straight to the attacker, they are redirected to another webpage where they allegedly need to download and install the Raiffeisenbank Security app due to a new EU money laundering regulation that is mandatory for all customers with a phone number.
The webpage also contains instructions on how to download and install the app, including a QR code.
Figure 4. Install instructions for fake Raiffeisen Security App
How the attack is performed
Potential victims
A URL shortener is used for downloading this app, so we can check the link statistics. Fortunately, only 37 clicks (14 desktop clicks + 23 mobile clicks) were made in two days.
Figure 5. Raiffeisen Security app download link statistics
However, most of the downloads were made from Austria.
Figure 6. Detail of each link access
Functionality
The core functionality of this banking Trojan is to create an overlay activity and lure the user's credit card details through fake login forms.
Figure 7. Request of MazarBot to activate device administrator
IOC (updated 12.09.2017)
Phishing URLs
Hashes
872521EAD4C74CB178921A8D122589C6C06559DB
624195D0777BAC438C9372A1DB43324B107D78ED
D71A5C032AA08DEE55F8F19A607EF10DCF9FE326
C&C
https://sacstfwascas.pw/becall
https://hioczuzsadaz.biz/becall
https://joloutzuzut.biz/becall
https://huiioasdagc.pw/becall
https://hsuchasdgzauc.biz/becall
http://hoploiuc.biz/index.php?action=command
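As an added example (not part of the original post), a small Python check a defender could run over proxy logs to flag the lookalike pattern used by the phishing URLs above, where the legitimate bank hostname appears as a subdomain of an unrelated registered domain. The log lines are constructed and the legitimate-host list is an assumed configuration value.

```python
"""Flag hostnames that impersonate a legitimate site by embedding its full
hostname as a subdomain of an unrelated registered domain, the pattern
used by this campaign (banking.raiffeisen.at.updateidNNNNNN.top).

Added example, not code from the original post. The log lines are
constructed; LEGIT_HOSTS is an assumed configuration value.
"""
from urllib.parse import urlsplit

# Assumed configuration: hostnames the organisation considers legitimate.
LEGIT_HOSTS = {"banking.raiffeisen.at"}

# Constructed proxy log lines: "<timestamp> <client> <url>"
SAMPLE_LOG = """\
2017-09-11T08:14:02Z 10.0.0.12 https://banking.raiffeisen.at/login
2017-09-11T08:15:41Z 10.0.0.12 http://banking.raiffeisen.at.updateid090867.top/
2017-09-11T08:16:03Z 10.0.0.17 http://banking.raiffeisen.at.updateid0891204.pw/install
2017-09-11T08:17:30Z 10.0.0.21 https://www.example.com/
"""


def registered_domain(host: str) -> str:
    """Approximate the registered domain as the last two labels.
    Good enough for the TLDs in this campaign (.at, .top, .pw); a real
    deployment should consult the Public Suffix List instead."""
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])


def is_impersonation(host: str, legit_hosts=LEGIT_HOSTS) -> bool:
    """True when a legitimate hostname is a whole-label prefix of `host`
    but the registered domain differs (e.g. ...raiffeisen.at.<junk>.top)."""
    host = host.lower().rstrip(".")
    for legit in legit_hosts:
        if host.startswith(legit + ".") and registered_domain(host) != registered_domain(legit):
            return True
    return False


def find_impersonating_urls(log_text: str):
    """Return (timestamp, client, url) tuples whose host impersonates a legit site."""
    hits = []
    for line in log_text.splitlines():
        parts = line.split()
        if len(parts) != 3:
            continue  # skip malformed lines rather than crash on them
        ts, client, url = parts
        host = urlsplit(url).hostname or ""
        if is_impersonation(host):
            hits.append((ts, client, url))
    return hits
```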