During a proactive hunt for mobile malware, Sophos X-Ops researchers uncovered four credential-harvesting Android apps targeting Iranian bank customers, signed with a possibly stolen code-signing certificate and using several evasion tricks. The campaign employed unusual C2 methods (HTTPS/HTTP and Firebase Cloud Messaging) and infrastructure spread across multiple domains, including a compromised university server; hardcoded references to other finance apps suggest further campaigns are planned.
Tags: #BankMellat #BankSaderat #ResalatBank #CentralBankofIran #FirebaseCloudMessaging #KosarIslamicScienceEducationComplex #ARSNetwork #AndrPhishERC #ThisIsPhisherOnline
Key points
- Four credential-harvesting Android apps targeted Iranian banks: Bank Mellat, Bank Saderat, Resalat Bank, and the Central Bank of Iran.
- Apps collect login credentials and credit card details, with capabilities like hiding icons and intercepting incoming SMS messages used for MFA.
- Installation shows a permission prompt to read SMS messages, followed by a login screen that redirects to the real bank site while disabling other UI elements.
- Stolen credentials are sent to a C2 server, and users are asked for their date of birth; attackers respond with an error message to create a window for credential abuse.
- Two C2 mechanisms are used: HTTPS/HTTP for data exfiltration and Firebase Cloud Messaging (FCM) for certain commands, helping the actors blend in with normal Android traffic.
- Some C2 infrastructure appears to be hosted on a compromised domain (Kosar Islamic Science Education Complex) and on the domain thisisphisher[.]online.
- The campaign includes hints of a wider plan, such as hardcoded lists of other finance/crypto apps to target in future versions.
MITRE Techniques
- [T1056.003] Credential from Web Form: The login screen collects the user's phone number, username, and password. "The login screen requests the user's phone number, username, and password."
- [T1071.001] Web Protocols: The malware uses HTTPS (and sometimes HTTP) for C2 communication to send stolen data. "the malware relies on HTTPS for C2 communication (although in some cases this is plain HTTP)."
- [T1518.001] Software Discovery: The malware searches the device for other banking/finance apps; "the malware searches for several other apps relating to banking, payment, or cryptocurrency. The list of apps is hardcoded in the malware."
- [T1564.001] Hide Artifacts: The malware can hide its icon so it appears to have been uninstalled while still running. "the ability to hide their icons if given a particular command by the malware operator."
- [T1041] Exfiltration Over C2 Channel: Data (credentials, birth date) is sent to the C2 server as part of the theft flow. "the apps send the data to a C2 server, and ask the user for their date of birth – which is also sent back to the attackers."
Indicators of Compromise
- [Certificate] 7c42deb20377f0e18ec4788312a692ee7aed1917: Stolen code-signing certificate fingerprint used to sign malicious apps; previously used by ARS Network to sign benign Google Play apps.
- [Domain] thisisphisher[.]online: Domain hosting C2 infrastructure and HTML phishing content referenced in the campaign.
- [Malware Family] Andr/Phish-ERC: The malicious apps are detected and classified under this family name.
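The following triage helper is an added example, not code from Sophos or from the report. It turns the behaviours in the key points (SMS interception for MFA codes, Firebase Cloud Messaging as a command channel) and the indicators above into checks a defender can run against a decoded AndroidManifest.xml, the signer certificate fingerprint reported by apksigner, and a dump of the APK's strings. The certificate SHA-1 and the domain are the page's IoCs; the manifests, the strings blob, the receiver-priority heuristic and the verdict rule are constructed assumptions for illustration.

```python
"""Triage a decoded Android app against the behaviours and IoCs in the Sophos write-up.

Checks performed:
  * RECEIVE_SMS permission combined with an SMS_RECEIVED broadcast receiver (MFA interception)
  * a Firebase Cloud Messaging service (push-based command channel)
  * signing-certificate SHA-1 and embedded domains against the report's IoCs
Everything below except IOC_CERT_SHA1 and IOC_DOMAINS is a constructed sample.
"""
import re
import xml.etree.ElementTree as ET

ANDROID_NS = "{http://schemas.android.com/apk/res/android}"
SMS_RECEIVED = "android.provider.Telephony.SMS_RECEIVED"
FCM_EVENT = "com.google.firebase.MESSAGING_EVENT"

# IoCs taken from the report.
IOC_CERT_SHA1 = "7c42deb20377f0e18ec4788312a692ee7aed1917"
IOC_DOMAINS = {"thisisphisher.online"}

# Constructed manifest showing the SMS-receiver plus FCM pattern (not a real sample).
SUSPICIOUS_MANIFEST = """
<manifest xmlns:android="http://schemas.android.com/apk/res/android"
          package="com.example.constructed.bankapp">
  <uses-permission android:name="android.permission.RECEIVE_SMS"/>
  <uses-permission android:name="android.permission.INTERNET"/>
  <application android:label="Bank">
    <activity android:name=".LoginActivity">
      <intent-filter>
        <action android:name="android.intent.action.MAIN"/>
        <category android:name="android.intent.category.LAUNCHER"/>
      </intent-filter>
    </activity>
    <receiver android:name=".SmsReceiver" android:exported="true">
      <intent-filter android:priority="999">
        <action android:name="android.provider.Telephony.SMS_RECEIVED"/>
      </intent-filter>
    </receiver>
    <service android:name=".PushService" android:exported="false">
      <intent-filter>
        <action android:name="com.google.firebase.MESSAGING_EVENT"/>
      </intent-filter>
    </service>
  </application>
</manifest>
"""

# Constructed benign manifest for comparison.
BENIGN_MANIFEST = """
<manifest xmlns:android="http://schemas.android.com/apk/res/android"
          package="com.example.constructed.notes">
  <uses-permission android:name="android.permission.INTERNET"/>
  <application android:label="Notes"/>
</manifest>
"""

# Constructed strings dump, as produced by running `strings` over classes.dex.
SUSPICIOUS_STRINGS = "https://thisisphisher.online/api/login\nhttps://example.com/privacy\n"

DOMAIN_RE = re.compile(r"\b((?:[a-z0-9-]+\.)+[a-z]{2,})\b", re.I)


def normalize_fingerprint(fp: str) -> str:
    """Accept apksigner/keytool style 'AA:BB:..' or bare hex; return lowercase hex."""
    return re.sub(r"[^0-9a-f]", "", fp.lower())


def domains_in_strings(blob: str) -> set:
    """Extract host names; refang '[.]' so defanged IoCs compare equal to live strings."""
    return {m.lower() for m in DOMAIN_RE.findall(blob.replace("[.]", "."))}


def sms_receiver_priority(root):
    """Return the priority of the first intent-filter listening for SMS_RECEIVED, or None."""
    for flt in root.iter("intent-filter"):
        actions = {a.get(ANDROID_NS + "name") for a in flt.iter("action")}
        if SMS_RECEIVED in actions:
            return int(flt.get(ANDROID_NS + "priority", "0"))
    return None


def triage(manifest_xml: str, cert_fingerprint: str, strings_blob: str) -> dict:
    root = ET.fromstring(manifest_xml)
    perms = {p.get(ANDROID_NS + "name") for p in root.iter("uses-permission")}
    actions = {a.get(ANDROID_NS + "name") for a in root.iter("action")}
    prio = sms_receiver_priority(root)
    report = {
        "reads_sms": "android.permission.RECEIVE_SMS" in perms and SMS_RECEIVED in actions,
        "sms_receiver_priority": prio,
        "uses_fcm": FCM_EVENT in actions,
        "cert_ioc_hit": normalize_fingerprint(cert_fingerprint) == IOC_CERT_SHA1,
        "domain_ioc_hits": sorted(domains_in_strings(strings_blob) & IOC_DOMAINS),
    }
    # Verdict rule (an assumption): any IoC hit, or SMS interception paired with a push channel.
    report["suspicious"] = (
        report["cert_ioc_hit"] or bool(report["domain_ioc_hits"])
        or (report["reads_sms"] and report["uses_fcm"])
    )
    return report


if __name__ == "__main__":
    print(triage(SUSPICIOUS_MANIFEST, "7C:42:DE:B2:03:77:F0:E1:8E:C4:78:83:12:A6:92:EE:7A:ED:19:17", SUSPICIOUS_STRINGS))
    print(triage(BENIGN_MANIFEST, "aa" * 20, "https://example.com"))
```

The behavioural checks are deliberately weak on their own: RECEIVE_SMS and FCM are both common in legitimate apps, so the verdict only treats them as suspicious in combination, while any match on the page's certificate fingerprint or domain is decisive. The icon-hiding behaviour is done at runtime via a component-state change and leaves no manifest trace, which is why it is not checked here.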
Read more: https://news.sophos.com/en-us/2023/07/27/uncovering-an-iranian-mobile-malware-campaign/