Credential phishing and an Android banking Trojan combine in Austrian mobile attacks

November 03, 2017
Proofpoint Staff

Overview

Credential phishing, banking Trojans, and credit card phishing schemes are common threats that we regularly observe both at scale and in more targeted attacks. However, Proofpoint researchers have recently observed phishing attacks that incorporate all of these elements in a single, multistep scheme involving the Marcher Android banking Trojan targeting customers of large Austrian banks. Attacks involving Marcher have become increasingly sophisticated, with documented cases involving multiple attack vectors and a variety of targeted financial services and communication platforms [1][2]. In this case, a threat actor has been targeting customers of Bank Austria, Raiffeisen Meine Bank, and Sparkasse since at least January 2017.

The attacks described here begin with a banking credential phishing scheme, followed by an attempt to trick the victim into installing Marcher, and finally with attempts to steal credit card information by the banking Trojan itself.

Analysis

Marcher is frequently distributed via SMS, but in this case, victims are presented with a link in an email. Oftentimes, the emailed link is a bit.ly shortened link, used to potentially evade detection. The link leads to a phishing page that asks for banking login credentials or an account number and PIN. Figure 1 shows one such landing page using stolen branding from Bank Austria.

Figure 1

Figure 1: Landing page for phishing scheme asking for the victim’s signatory number and PIN using stolen branding from Bank Austria

Because the actor delivered phishing links using the bit.ly URL shortener, we can access delivery statistics for this particular campaign. The link resolves to a URL designed to appear legitimate, with a canonical domain of sicher97140[.]info including the “bankaustria” brand.

Figure 2

Figure 2: Bit.ly statistics for a phishing landing page targeting Bank Austria customers

The actor appears to have recently begun using “.top” top-level domains (TLDs) for their phishing landing pages and have implemented a consistent naming structure as shown below. Earlier this year, the actor used “.pw” TLDs while the Bank Austria scheme highlighted above used “.info”. Some recent campaigns against other bank customers also used “.gdn” TLDs.

Other attacks on Bank Austria customers that we observed resolved to the following .top domains:

  • Oct 23, 2017  hxxp://online.bankaustria.at.id8817062[.]top/
  • Oct 23, 2017  hxxp://online.bankaustria.at.id8817461[.]top/
  • Oct 23, 2017  hxxp://online.bankaustria.at.id8817465[.]top/
  • Oct 23, 2017  hxxp://online.bankaustria.at.id8817466[.]top/
  • Oct 23, 2017  hxxp://online.bankaustria.at.id8817469[.]top/
  • Oct 17, 2017  hxxp://online.bankaustria.at.id58712[.]top/
  • Oct 17, 2017  hxxp://online.bankaustria.at.id58717[.]top/
  • Oct 17, 2017  hxxp://online.bankaustria.at.id58729[.]top/
  • Oct 17, 2017  hxxp://online.bankaustria.at.id58729[.]top/
  • Oct 17, 2017  hxxp://online.bankaustria.at.id87721[.]top/
  • Oct 17, 2017  hxxp://online.bankaustria.at.id87726[.]top/

These permutations of TLDs and canonical domains incorporating the legitimate domain expected by the targeted banking customers exemplifies recent trends in social engineering by threat actors. Just as threat actors may use stolen branding in their email lures to trick potential victims, they reproduce a legitimate domain name in a fraudulent domain that is not controlled by the bank.

Once the victim enters their account information on the landing page, the phishing attack then requests that the user log in with their email address and phone number.

Figure 3

Figure 3: Step two of the credential phish asking for the victim’s email address and phone number

Having stolen the victim’s account and personal information, the scammer introduces a social engineering scheme, informing users that they currently do not have the “Bank Austria Security App” installed on their smartphone and must download it to proceed. Figure 4 shows the download prompt for this fake app; an English translation follows.

Figure 4

Figure 4: Alert prompting the victim to download an Android banking app (English translation below), with stolen branding and fraudulent copy

***Translation***

Dear Customer,

The system has detected that the Bank Austria Security App is not installed on your smartphone. Due to new EU money laundering guidelines, the new Bank Austria security app is mandatory for all customers who have a mobile phone number in our system.

Please install the app immediately to avoid blocking your account.

Follow the instructions at the bottom of this page.

Why you need the Bank Austria Security App:

Due to outdated technology of the mobile network important data such as mTan SMS and online banking connections are transmitted unencrypted.

Our security app allows us to transmit this sensitive data encrypted to you, thus increasing the security that you will not suffer any financial loss.

Step 1: Download Bank Austria Security App

Download the Bank Austria security app to your Android device. To do this, open the displayed link on your mobile phone by typing in the URL field of your browser or scan the displayed QR code.

***End translation***

The phishing template then presents additional instructions for installing the fake security application (Figure 5):

Figure 5

Figure 5: Additional instructions telling the victim to give the app the requested permissions (English translation below), with stolen branding and fraudulent copy

***Translation***

Step 2: Allow installation

Open your device's settings, select Security or Applications (depending on the device), and check Unknown sources.

Step 3: Run installation

Start the Bank Austria security app from the notifications or your download folder, tap Install.

After successful installation, tap Open and enable the device administrator. Finished!

***End translation***

Referring again to bit.ly, we can see click statistics for this campaign (Figure 6).

Figure 6

Figure 6: bit.ly statistics for the fake Bank Austria Android app download link

From this small sample, we see that 7% of visitors clicked through to download the application, which is actually a version of the Marcher banking Trojan named “BankAustria.apk”, continuing the fraudulent use of the bank’s branding to fool potential victims.

This sample is similar to those presented in other recent Marcher analyses [1][2].

This particular application is signed with a fake certificate:

Owner:
CN=Unknown, OU=Unknown, O=Unknown, L=Unknown, ST=Unknown, C=Unknown

Issuer
CN=Unknown, OU=Unknown, O=Unknown, L=Unknown, ST=Unknown, C=Unknown
Serial: 1c9157d7

Validity:
11/02/2017 00:16:46
03/20/2045 00:16:46

MD5 Hash: A8:55:46:32:15:A9:D5:95:A9:91:C2:91:77:5D:30:F6
SHA1 Hash: 32:17:E9:7E:06:FE:5D:84:BE:7C:14:0C:C6:2B:12:85:E7:03:9A:5F

The app requests extensive permissions during installation that enable a range of activities supported by the malware. Those permission shown in bold below are the most problematic:

  • Allows an application to write to external storage.
  • Allows an application to read from external storage.
  • Allows an application to use SIP service.
  • Allows an application to collect battery statistics
  • Allows an app to access precise location.
  • Allows an application to receive SMS messages.
  • Allows an application to send SMS messages.
  • Allows an application to read SMS messages.
  • Allows an application to write SMS messages.
  • Allows an application to initiate a phone call without going through the Dialer user interface for the user to confirm the call.
  • Allows applications to access information about networks.
  • Allows applications to open network sockets.
  • Allows an application to read the user's contacts data.
  • Allows an application to read or write the system settings.
  • Allows an application to force the device to lock
  • Allows applications to access information about Wi-Fi networks.
  • Allows applications to change Wi-Fi connectivity state.
  • Allows applications to change network connectivity state.

Analysis of the malware shows that it uses the common string obfuscation of character replacement (Figure 7):

Figure 7

Figure 7: Encoded Marcher Strings

Figure 8

Figure 8: Decoded Marcher Strings

As noted, the application requests extensive permissions during installation; Figure 9 shows the request to act as device administrator, a particular permission that should very rarely be granted to an app.

Figure 9

Figure 9: Prompt for application permissions upon installation

Figures 10 and 11 show the other permission screens for the app:

Figure 10

Figure 10: Part 1 of the permission screen for the app

Figure 11

Figure 11: Part 2 of the permission screen for the app

Once installed the app will place a legitimate looking icon on the phone’s home screen, again using branding stolen from the bank.

Figure 12

Figure 12: Fake Bank Austria Security application icon

In addition to operating as a banking Trojan, overlaying a legitimate banking app with an indistinguishable credential theft page, the malware also asks for credit card information from the user when they open applications such as the Google Play store.

Figure 13

Figure 13: Popup asking for a credit card number

The application also supports stealing credit card verification information (Figures 14 and 15).

Figure 14

Figure 14: Information theft via fake credit card verification using stolen branding

Figure 15

Figure 15: Information theft via fake credit card verification using stolen branding

Some of the campaigns appear to have a wider reach based on bit.ly statistics like this one from October 13, 2017:

Figure 16

Figure 16: bit.ly statistics for an October 13, 2017 campaign

Over several days during the last three months, Proofpoint researchers observed campaigns using similar techniques targeting the banking customers of Raffeisen and Sparkasse. A review of the bit.ly statistics for these campaigns shows that they were at least as effective in driving end-user clicks as the Bank Austria campaign analyzed above.

Conclusion

As our computing increasingly crosses multiple screens, we should expect to see threats extending across mobile and desktop environments. Moreover, as we use mobile devices to access the web and phishing templates extend to mobile environments, we should expect to see a greater variety of integrated threats like the scheme we detail here. As on the desktop, mobile users need to be wary of installing applications from outside of legitimate app stores and sources and be on the lookout for bogus banking sites that ask for more information than users would normally provide on legitimate sites. Unusual domains, the use of URL shorteners, and solicitations that do not come from verifiable sources are also red flags for potential phishing and malware.

 

References

[1] https://clientsidedetection.com/marcher.html

[2] https://www.mysonicwall.com/sonicalert/searchresults.aspx?ev=article&id=1047

Indicators of Compromise (IOCs)

IOC

IOC Type

Description

47.91.92[.]60

IP

Phish Landing

49.51.37[.]177

IP

Phish Landing

49.51.37[.]247

IP

Phish Landing

47.254.128[.]80

IP

Phish Landing

8dfc01cfed545651e3cf73437ab748dc

MD5

Marcher - Analyzed Sample

185.188.204[.]16

IP

Marcher C&C

 

ET and ETPRO Suricata/Snort Signatures

2024943          Raiffeisen Phishing Domain Nov 03 2017

2024944          Sparkasse Phishing Domain Nov 03 2017

2024946          BankAustria Phishing Domain Nov 03 2017

2024947          Successful Raiffeisen Phish Nov 03 2017

2024948          Successful Sparkasse Phish Nov 03 2017

2024949          Successful BankAustria Phish Nov 03 2017

2024950          Android Marcher Trojan Download - Raiffeisen Bank Targeting (set)

2024951          Android Marcher Trojan Download - Sparkasse Bank Targeting (set)

2024952          Android Marcher Trojan Download - BankAustria Targeting (set)

2024953          Android Marcher Trojan Download - Austrian Bank Targeting

2828513          Trojan-Banker.AndroidOS.Marcher Domain Request in SNI

2828514          Trojan-Banker.AndroidOS.Marcher Domain Request in SNI 2

2828515          Trojan-Banker.AndroidOS.Marcher Domain Request in SNI 3

2828516          Trojan-Banker.AndroidOS.Marcher Domain Request in SNI 4

2828517          Trojan-Banker.AndroidOS.Marcher Domain Request in SNI 5

2828518          Trojan-Banker.AndroidOS.Marcher Domain Request in SNI 6

2828519          Trojan-Banker.AndroidOS.Marcher Domain Request in SNI 7

2828520          Trojan-Banker.AndroidOS.Marcher Domain Request in SNI 8

2828521          Trojan-Banker.AndroidOS.Marcher Domain Request in SNI 9

2828524          Trojan-Banker.AndroidOS.Marcher.z DNS Lookup 1

2828525          Trojan-Banker.AndroidOS.Marcher.z DNS Lookup 2

2828526          Trojan-Banker.AndroidOS.Marcher.z DNS Lookup 3

2828527          Trojan-Banker.AndroidOS.Marcher.z DNS Lookup 4

2828528          Trojan-Banker.AndroidOS.Marcher.z DNS Lookup 5

2828529          Trojan-Banker.AndroidOS.Marcher.z DNS Lookup 6

2828530          Trojan-Banker.AndroidOS.Marcher.z DNS Lookup 7

2828531          Trojan-Banker.AndroidOS.Marcher.z DNS Lookup 8