Monday, August 21, 2017

Phishing attack at Raiffeisen Bank by MazarBot

Yesterday I discovered a phishing campaign targeting clients of Raiffeisen Bank, run by the popular and still active Android banking Trojan MazarBot. This infiltration targets German-speaking users and makes them download a fake Raiffeisen Security App.


The last time I wrote about MazarBot was a year and a half ago; however, it is still spreading using different methods. MazarBot has been distributed via SMS, fake webpages and email spam.


How it works

[UPDATE]
Thanks to insights from NI@FI@70, who identified the distribution vector for this particular infiltration: email spam. The phishing email may be received from raiffeisen@elba-service.team.info

Figure 1. Distribution vector - email

This campaign of MazarBot is spread through email spam: the potential victim receives an email containing a link to a bogus webpage. In this case, it is an exact copy of the Raiffeisen Bank website.

Figure 2. Fake phishing webpage

Figure 3. Legit Raiffeisen web

Once the victim fills in their login credentials (and thereby sends them straight to the attacker), they are redirected to another webpage where they allegedly need to download and install a Raiffeisenbank Security app, due to a new EU money laundering regulation that is supposedly mandatory for all customers with a phone number.
The webpage also provides instructions on how to download and install the app, including a QR code.

Figure 4. Install instructions for fake Raiffeisen Security App

How is the attack performed

Potential victims

The app is downloaded through a URL shortener, so we can check the link statistics. Fortunately, only 37 clicks (14 desktop clicks + 23 mobile clicks) were made in two days.

Figure 5. Raiffeisen Security app download link statistics

Most of the downloads, however, were made from Austria.

Figure 6. Detail of each link access

Functionality

The core functionality of this banking Trojan is to create an overlay activity and lure the user's credit card details out of them via fake login forms.

Figure 7. Request of MazarBot to activate device administrator

IOC (updated 12.09.2017)

Phishing URLs
http://banking.raiffeisen.at.updateid090867.top
http://banking.raiffeisen.at.updateid090866.top
http://banking.raiffeisen.at.updateid090865.top
http://banking.raiffeisen.at.updateid090864.top
http://banking.raiffeisen.at.updateid090863.top
http://banking.raiffeisen.at.updateid090862.top
http://banking.raiffeisen.at.updateid090861.top
http://banking.raiffeisen.at.updateid090860.top
http://banking.raiffeisen.at.updateid090859.top
http://banking.raiffeisen.at.updateid090858.top
http://banking.raiffeisen.at.updateid090857.top
http://banking.raiffeisen.at.updateid090856.top
http://banking.raiffeisen.at.updateid090855.top
http://banking.raiffeisen.at.updateid090854.top
http://banking.raiffeisen.at.updateid090853.top
http://banking.raiffeisen.at.updateid090852.top
http://banking.raiffeisen.at.updateid090851.top
http://banking.raiffeisen.at.updateid090850.top
http://banking.raiffeisen.at.updateid0891201.pw
http://banking.raiffeisen.at.updateid0891202.pw
http://banking.raiffeisen.at.updateid0891203.pw
http://banking.raiffeisen.at.updateid0891204.pw
http://banking.raiffeisen.at.updateid0891206.pw
http://banking.raiffeisen.at.updateid0891207.pw
http://banking.raiffeisen.at.updateid0891208.pw
http://banking.raiffeisen.at.updateid0891209.pw

Hashes
872521EAD4C74CB178921A8D122589C6C06559DB
624195D0777BAC438C9372A1DB43324B107D78ED
D71A5C032AA08DEE55F8F19A607EF10DCF9FE326

C&C
https://sacstfwascas.pw/becall
https://hioczuzsadaz.biz/becall
https://joloutzuzut.biz/becall
https://huiioasdagc.pw/becall
https://hsuchasdgzauc.biz/becall
http://hoploiuc.biz/index.php?action=command
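As an added example (my own defensive script, not code from the post or from the MazarBot sample), the block below turns the IoCs listed above into a log check. It matches constructed proxy log lines against the phishing host pattern (the campaign prepends "banking.raiffeisen.at." to unrelated registered domains on .top and .pw), the C&C hosts and beacon paths, and the sample hashes, which are assumed to be SHA-1 because they are 40 hex characters (the post does not name the algorithm). It also generalises the phishing-host pattern into a lookalike check that flags any host embedding the brand domain while registered elsewhere. The log line format and the naive last-two-labels registered-domain extraction are assumptions of this example.

```python
"""Match proxy log lines against the MazarBot IoCs from the post and flag
brand-embedding lookalike hosts. Assumptions (not from the post): the log
line format below is constructed, the hashes are SHA-1 (40 hex chars), and
registered_domain() is a naive last-two-labels eTLD+1, adequate for the
.top/.pw/.biz domains in the IoC list but not for ccSLDs such as .co.uk."""
import hashlib
import re
from urllib.parse import urlsplit

# Phishing hosts from the post: banking.raiffeisen.at.updateid<digits>.top|.pw
PHISHING_HOST_RE = re.compile(r"^banking\.raiffeisen\.at\.updateid\d+\.(top|pw)$")
# C&C hosts from the post.
CNC_HOSTS = {"sacstfwascas.pw", "hioczuzsadaz.biz", "joloutzuzut.biz",
             "huiioasdagc.pw", "hsuchasdgzauc.biz", "hoploiuc.biz"}
# Sample hashes from the post (lowercased; assumed SHA-1).
APK_SHA1 = {"872521ead4c74cb178921a8d122589c6c06559db",
            "624195d0777bac438c9372a1db43324b107d78ed",
            "d71a5c032aa08dee55f8f19a607ef10dcf9fe326"}
# Brand domain the campaign impersonates; drives the lookalike check.
BRAND_DOMAINS = {"raiffeisen.at"}


def registered_domain(host):
    """Naive eTLD+1: the last two DNS labels (assumption, see module docstring)."""
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else host.lower()


def lookalike_of(host):
    """Return the brand domain embedded in host as whole labels when the host is
    actually registered under a different domain, else None."""
    padded = "." + host.lower().rstrip(".") + "."
    reg = registered_domain(host)
    for brand in BRAND_DOMAINS:
        if ("." + brand + ".") in padded and reg != brand:
            return brand
    return None


def classify_url(url):
    """Return the list of reasons a URL is suspicious (empty when clean)."""
    parts = urlsplit(url)
    host = parts.hostname or ""
    reasons = []
    if PHISHING_HOST_RE.match(host):
        reasons.append("known phishing host")
    if host in CNC_HOSTS:
        reasons.append("known C&C host")
        # Beacon paths seen in the post's C&C URLs.
        if parts.path == "/becall" or parts.query == "action=command":
            reasons.append("C&C beacon path")
    brand = lookalike_of(host)
    if brand:
        reasons.append("lookalike of " + brand)
    return reasons


# Constructed log format: "<timestamp> <client-ip> <method> <url>".
LOG_LINE_RE = re.compile(r"^(?P<ts>\S+) (?P<src>\S+) (?P<method>GET|POST) (?P<url>\S+)")


def scan_log(lines):
    """Return (timestamp, client, url, reasons) for every matching log line."""
    hits = []
    for line in lines:
        m = LOG_LINE_RE.match(line)
        if not m:
            continue
        reasons = classify_url(m.group("url"))
        if reasons:
            hits.append((m.group("ts"), m.group("src"), m.group("url"), reasons))
    return hits


def apk_is_known_sample(data):
    """True when the SHA-1 of a downloaded file matches a listed sample."""
    return hashlib.sha1(data).hexdigest() in APK_SHA1


# Constructed sample log lines (not real traffic).
SAMPLE_LOG = [
    "2017-08-20T10:01:02Z 10.0.0.5 GET http://banking.raiffeisen.at.updateid090867.top/login",
    "2017-08-20T10:01:30Z 10.0.0.5 GET https://banking.raiffeisen.at/",
    "2017-08-20T10:02:11Z 10.0.0.5 POST https://sacstfwascas.pw/becall",
    "2017-08-20T10:03:00Z 10.0.0.7 GET http://hoploiuc.biz/index.php?action=command",
    "2017-08-20T10:04:00Z 10.0.0.9 GET https://www.raiffeisen.at.secure-login.example/",
]

if __name__ == "__main__":
    for ts, src, url, reasons in scan_log(SAMPLE_LOG):
        print(ts, src, url, "->", "; ".join(reasons))
```

The second sample line, the bank's real host, is not flagged because its registered domain is the brand itself; the last line is not in the IoC list but is still caught by the lookalike rule, which is the part of the check that survives the attacker rotating to updateid numbers and TLDs not listed above.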

1 comment:

  1. I recommend you learn how to delete the history on an Android phone properly without leaving footprints.