ALPS blog

Massive Phishing Campaigns Target India Banks’ Clients

We observed an uptick in attacks targeting bank customers in India, the common entry point being a text message with a phishing link. The SMS content urges the victims to open the embedded phishing link or malicious app download page and follow the instructions: To fill in their personally identifiable information (PII) and credit card details to allegedly get a tax refund or credit card reward points. As of this writing, we observed five banking malware families involved in these attacks, namely Elibomi, FakeReward, AxBanker, IcRAT, and IcSpy.

We analyzed that the bank customers targeted include account subscribers of seven banks, including some of the most well-known banks located in the country and potentially affecting millions of customers. Common among these routines include the abuse of the legitimate banks’ logos, names, and affiliated brands and services to convince victims that their respective phishing sites are affiliated. This blog entry will discuss three of the identified banking malware families and their latest changes (as IcRAT and IcSpy have been documented): Elibomi is an old malware that has evolved into a fully equipped banking trojan, while FakeReward and AxBanker are newly discovered banking trojans. Bank clients are advised to remain vigilant against these kinds of threats, and to protect their information and devices from malware infections.

Elibomi returns with more functions

fig1-massive-phishing-campaign-target-india-banks-customers-elibomi-fakereward-axbanker-icrat-icspy
Figure 1. Timeline of Elibomi variants deployed

Elibomi’s first and second variants, “fake certificates” and “iMobile” campaigns, appeared towards the end of 2020 and remained active in 2021, designed to steal victims’ PII and credit card information. During the early months of 2022, we observed a phishing campaign dropping a new variant of Elibomi with a package name that ended with “iApp.” From this variant on, the routine changed drastically: the threat actors added automation to workflow tasks via Accessibility permissions such as automated clicking, granting of permissions, and capturing screenshots.

fig2-massive-phishing-campaign-target-india-banks-customers-elibomi-fakereward-axbanker-icrat-icspy
Figure 2. Elibomi’s latest variants’ functions
fig3-massive-phishing-campaign-target-india-banks-customers-elibomi-fakereward-axbanker-icrat-icspy
Figure 3. Elibomi’s phishing page harvests the victim’s PII and credit card information

More recently, we found a fourth variant of Elibomi delivered from the same phishing site with a package name ending with “iAssist.” This variant added the cloud-hosted real-time database Firebase as an alternative command and control (C&C) server and an environment check tool called RDVerify for detection evasion. In the next sections, we detail the different commands and functions that the third and fourth variants of Elibomi are capable of, as well as the implications of these updates. It is also worth noting that an update has again been observed in October on the latest iterations, as documented by security researchers from Cyble.

Overview: Elibomi’s automated variants

Due to the automated workflow framework of the latest variants, we called the third (“iApp” campaign) and fourth (“iAssist” campaign) automated variants and break down the commands and functions we found from their respective routines.

fig4-massive-phishing-campaign-target-india-banks-customers-elibomi-fakereward-axbanker-icrat-icspy
Figure 4. RDVerify workflow

Sophisticated command format

Looking into the routines of the third and fourth variants, Elibomi implements a sophisticated and lengthy command list and has three types of commands to conduct malicious activities: Task command, server command, and auto command. The succeeding section breaks down the three commands we found.

Task command

We found that the task command was the main command among the three, enumerating the specific malicious activities needed in the routine. It is capable of being a recursive command for complex tasks, or a non-recursive command function:

  1. As a non-recursive command: A single command that contains the command name and corresponding operands. This can be split by “:::” to get the sub-terms.
  2. As a recursive command: A combination of non-recursive commands that can be split by “,” or “-” to get non-recursive commands.

As an example, should a specific aspect of Elibomi’s routine require unlocking the device without the user becoming aware of it, the malware can use this recursive command to accomplish three tasks: wakeup, remove the screen overlay, and make the gesture combination for the unlock screen pin or pattern.

fig5-massive-phishing-campaign-target-india-banks-customers-elibomi-fakereward-axbanker-icrat-icspy
Figure 5. Elibomi task command

Server command

This command returns the execution result to the backend server. For example, “D:::Unlock has been executed – ##-##” shows and communicates with the server that the task command was able to unlock the device successfully.

Auto command

The auto command plays a vital role in Elibomi’s automated workflow, describing how Elibomi uses Accessibility to conduct the malicious behaviors step by step. For example, auto command is responsible for how Elibomi enables the Media Projection automatically. When the attackers get the Accessibility permissions granted and receive the task command MEDIAPROJECTION, Elibomi will generate the auto command <SCREENCLICK:Button:start now|ok|accept|allow> to click on “START NOW” in the MediaProjection dialog box.

fig6-massive-phishing-campaign-target-india-banks-customers-elibomi-fakereward-axbanker-icrat-icspy
Figure 6. Taking screenshots of the victim’s window

A fully automated malware

Analyzing the routines that the two latest variants of Elibomi are capable of, this malware can interact with the device’s user interface (UI) automatically without the user knowing. To become a “fully automated malware,” Elibomi will show a message upon launch that pushes the user to enable Accessibility permissions by disguising itself as a Google application. It then proceeds to show a dialog box upon launch as if there is an urgent need to grant Accessibility permissions to push the user to allow the said request.

fig7-massive-phishing-campaign-target-india-banks-customers-elibomi-fakereward-axbanker-icrat-icspy
Figure 7. Elibomi requests for the Accessibility permission to proceed with the automated tasks

The following is the full list of malicious tasks that have been added to Elibomi’s automation workflow in the latest automated variants:

Task Related Task Command Related Auto Command
Get MediaProjection permission EXECUTORSEQUENCE::: PERMISSIONFOLLOWUP#222#MEDIAPROJECTIONPERMISSION CLICK:Button:start now|ok|accept|allow:-:-::SCREENCLICK:Button:start now|ok|accept|allow:-:-::CLICK:Button:start now|ok|accept|allow:-:-::SCREENCLICK:Button:start now|ok|accept|allow:-:-
Allow Write settings EnableSettingsSequence fullforwardswipe:Switch:-:-:-::fullforwardswipe:Switch:-:-:-::fullforwardswipe:Switch:-:-:-
Get SMS-related permissions EXECUTORSEQUENCE::: PERMISSIONFOLLOWUP#222# SMSPERMISSION CLICK:Button:ok|accept|allow:-:-::CLICK:Button:ok|accept|allow:-:-::CLICK:Button:ok|accept|allow:-:-::CLICK:Button:ok|accept|allow:-:-::CLICK:Button:ok|accept|allow:-:-
Set itself as default SMS app PERMISSIONS:::REVOKEDEFAULTSMS

STARTSMSSEQUENCE

CLICK:Button:yes|ok|accept|allow:-:-::SCREENCLICK:Button:yes|ok|accept|allow:-:-::CLICK:Button:yes|ok|accept|allow:-:-::SCREENCLICK:Button:yes|ok|accept|allow:-:-
Allow Install App from Unkown Source REQUESTINSTALLPERMISSION CLICK:Button:ok|accept|allow:-:-::CLICK:Button:ok|accept|allow:-:-
Disable battery optimization IGNORE_BATTERY_OPTIMIZATIONS CLICK:Button:ok|accept|allow:-:-::SCREENCLICK:Button:ok|accept|allow:-:-::CLICK:Button:ok|accept|allow:-:-::SCREENCLICK:Button:ok|accept|allow:-:-::CLICK:Button:ok|accept|allow:-:-“
Install additional APK and grant permission for the payload DOWNLOADAPK

EXECUTORSEQUENCE:::INSTALLAPK

EXECUTORSEQUENCE:::OPENAPPCOMPONENTandGRANTPERMISSIONS

CLICK:Button:ok|accept|allow:-:-::CLICK:Button:ok|accept|allow:-:-::CLICK:Button:ok|accept|allow:-:-::CLICK:Button:ok|accept|allow:-:-::CLICK:Button:ok|accept|allow:-:-::CLICK:Button:ok|accept|allow:-:-::CLICK:Button:ok|accept|allow:-:-::CLICK:Button:ok|accept|allow:-:-::CLICK:Button:ok|accept|allow:-:-::CLICK:Button:ok|accept|allow:-:-::CLICK:Button:ok|accept|allow:-:-::CLICK:Button:ok|accept|allow:-:-::CLICK:Button:ok|accept|allow:-:-::CLICK:Button:ok|accept|allow:-:-::CLICK:Button:ok|accept|allow:-:-::CLICK:Button:ok|accept|allow:-:-::CLICK:Button:ok|accept|allow:-:-
Get all accounts SCREENSHOT

GLOBAL_ACTION_BACK

N/A
Disable Google Play Protect DISABLEPLAYPROTECT N/A
Read or delete emails from Gmail GMAILSEQUENCE click:android.widget.Button:Empty:-:-
Prevent disable Accessibility GLOBAL_ACTION_BACK N/A
Prevent Uninstall GLOBAL_ACTION_BACK N/A
Prevent enabling of Google Play Protect GLOBAL_ACTION_BACK N/A
Unlock device WAKEUP N/A

Table 1. List of malicious tasks added to the two latest variants of Elibomi

Elibomi affects Android 12 and lower, and can automatically grant the attackers sensitive permissions, enable/disable sensitive settings such as enable installation of apps from unknown sources, and disable GooglePlay protect. Android 13 is not affected as Google restricts the Accessibility permission in the latest version.

Overlay mechanisms

For both iApp and iAssist campaigns, Elibomi implements an overlay by adding a view to the current window as an evasion technique from users, instead of having an overlay on other apps such as bank applications to steal users’ credentials.

Wait screen overlay

In order to evade visual detection from users, Elibomi will show a waiting screen after gaining Accessibility permissions for service. However, it already executes an automated workflow in the background to grant sensitive permissions to the attacker.

fig8-massive-phishing-campaign-target-india-banks-customers-elibomi-fakereward-axbanker-icrat-icspy
Figure 8. Wait screen overlay to hide malicious activities in the background

Elibomi uses another window type called “TYPE_ACCESSIBILITY_OVERLAY” instead of request “SYSYTEM_ALERT_WINDOW” permission to add an additional view to the current window.

fig9-massive-phishing-campaign-target-india-banks-customers-elibomi-fakereward-axbanker-icrat-icspy
Figure 9. Create layout with type “TYPE_ACCESSIBILITY_OVERLAY”

Fake pin overlay

To unlock the device automatically, Elibomi is capable of stealing the pin code or pattern saved by the user by showing an overlay screen to the victim and “listening” for the user’s actions to record their gestures and clicks.

fig10-massive-phishing-campaign-target-india-banks-customers-elibomi-fakereward-axbanker-icrat-icspy
Figure 10. Touch Listener code to record the victim’s actions observed from Elibomi’s third variant

Not just Android

From our scanning online, we found the cybercriminals extending their phishing campaign not only on Android but have also ventured to other platforms such as email. Comparing previous phishing sites, it appears that they have created different themes to induce victims to fill in their sensitive information. The type of stolen data is nearly the same as what they require users to put on the Android platform.

fig11-massive-phishing-campaign-target-india-banks-customers-elibomi-fakereward-axbanker-icrat-icspy
Figure 11. More recent phishing websites urging victims to download the iAssist app

“iAssist” campaign as a fast-evolving Elibomi variant for more profit

In the fourth variant, we noted one interesting task added to their automated workflow. While the Accessibility permission detects the payment risk notification string that sends the message “continuing to pay may cause loss of money” to appear on the UI, it will click on “Ignore risk” to dismiss the alert dialog. This warning usually appears if there is a risk of payments or transfers occurring while using a bank app, and can indicate that the cybercriminals behind this malware can consistently update or enhance Elibomi to automatically conduct money transfers from the victim’s device without them noticing.

fig12-massive-phishing-campaign-target-india-banks-customers-elibomi-fakereward-axbanker-icrat-icspy
Figure 12. Elibomi capable of clicking “Ignore risks” button automatically

FakeReward: Targeting three banks’ customers in India

In August, we found a campaign we named FakeReward targeting customers of three of the largest banks in India wherein the threat actors registered several domains similar to the legitimate domains to confuse victims. These phishing websites were pretending to be the official websites of these three banks, even abusing the companies’ names and logos to complete their look.

fig13-massive-phishing-campaign-target-india-banks-customers-elibomi-fakereward-axbanker-icrat-icspy
Figure 13. FakeReward’s phishing websites target customers of three specific banks in India

The FakeReward banking trojan shows a page to request SMS permissions upon launching. Once granted, the malware will collect all text messages to the device and upload it to a remote server, then set up a monitor to listen to incoming SMS messages and sync it to the remote server. We released an initial social media thread on the said campaign to warn security teams and their respective bank customers to be vigilant against this malware.

fig14-massive-phishing-campaign-target-india-banks-customers-elibomi-fakereward-axbanker-icrat-icspy
Figure 14. Requests SMS permissions and collects PII and credit card information

Latest changes

In its recent update, FakeReward malware tries to request a notification permission to extract text messages instead of directly requesting access for SMS permissions.

fig15-massive-phishing-campaign-target-india-banks-customers-elibomi-fakereward-axbanker-icrat-icspy
Figure 15. Request notification permission as seen by the user (left), and the code to parse the notification (right)

Security researchers from K7 Security Labs and MalwareHunterTeam have also found samples of at least five other FakeReward variants. We noted the increase in the number of families and variants of FakeReward malware targeting users in India that appear the same when examined using tactics, techniques, and procedures (TTPs) but show differences in codes. Trend Micro customers are protected from all these emerging phishing families and variants.

Potential connection between FakeReward and IcRAT

During our investigation, we found an interesting coincidence: FakeReward and IcRAT started targeting the customers of one bank nearly at the same time. Moreover, we also found the phishing websites of these two malware families to be nearly similar, making us believe that the cybercriminals behind these two malware families are connected.

fig16-massive-phishing-campaign-target-india-banks-customers-elibomi-fakereward-axbanker-icrat-icspy
Figure 16. Tracking FakeReward and IcRAT (Screenshot taken from VirusTotal)
fig17-massive-phishing-campaign-target-india-banks-customers-elibomi-fakereward-axbanker-icrat-icspy
Figure 17. Phishing site of IcRAT

AxBanker: Fake app targeting bank’s customers

In addition to FakeReward banking malware targeting the customers of two banks, we also found another banking trojan targeting the customers of another major Indian bank that has been active since late August. The website has a similar phishing theme wherein customers “Get Reward Points” to attract victims to download and install the app.

fig18-massive-phishing-campaign-target-india-banks-customers-elibomi-fakereward-axbanker-icrat-icspy
Figure 18. AxBanker phishing website pretending to be an offer from a major bank

Once the malware is installed and launched, it will request SMS permissions in order to capture and upload incoming SMS to a remote server. The malware will then show several fake pages to collect the victim’s personal data and credit card information.

fig19-massive-phishing-campaign-target-india-banks-customers-elibomi-fakereward-axbanker-icrat-icspy
Figure 19. AxBanker malware harvests the victim’s personal data and credit card information

Conclusion

While the types of stolen data and phishing themes are similar, we don’t have enough evidence to conclude that the cybercriminals behind all of these banking malware families are connected but are aggressive in developing further. In the case of the threat actors behind Elibomi, these cybercriminals are likely knowledgeable and adept in Android development based on the automation of tasks pertaining to Accessibility permissions. Meanwhile, the threat actors behind FakeReward appear to have deployed phishing malware prior to this campaign based on their capability of hiding their tracks: the phishing domains used operate for only three to four days at a time before becoming inaccessible. In addition, a quick scan shows that only a few security engines have been able to pick up on its new variant.

Our monitoring also shows that while no other customers outside India have been targeted by these malware families, phishing campaigns in the country have significantly increased and are increasingly becoming adept at detection evasion. One possible reason for this uptick is the growing number of new threat actors entering the India underground market, bringing with them profitable business models, and interacting with other malicious players to learn, exchange ideas from, and establish connections. Users and bank customers are advised to remain vigilant and follow these best practices:

  • Check the text message’s sender. Legitimate companies and organizations have official contact channels from where they send notifications and promotions.
  • Do not download and install applications from unknown sources. Choose to download the official bank apps from official platforms.
  • Do not enter sensitive personal information in untrusted apps or websites. Contact banks and organizations through their known channels to ask if they have ongoing promotions or announcements like the message received.
  • Double check the dialog boxes’ requests and messages before granting sensitive permissions such as Accessibility to untrusted apps.

Trend Micro solutions

Trend Micro Mobile Security Solutions can scan mobile devices in real time and on demand to detect malicious apps, sites, or malware to block or delete them. These solutions are available on Android and iOS, and can protect users’ devices and help them minimize the threats brought by these fraudulent applications and websites.

Indicators of Compromise (IOCs)

For a full list of the IOCs, find it here.

Facebook
Twitter
LinkedIn

Featured News