Cyble – Phishing Campaign Targeting Indonesian BRI Bank Using SMS Stealer

Cyble researchers uncovered a phishing campaign targeting Bank Rakyat Indonesia (BRI) that escalates from credential phishing to distributing Android SMS stealers that harvest OTPs and bypass 2FA. The operation begins with credential- and OTP-phishing sites, then delivers a custom SMS stealer APK (Brimo) and SMSEye-based malware to automate OTP capture and exfiltrate data. #SmsEye #BRI #BRImo

Key Points

  • Target: Bank Rakyat Indonesia (BRI) phishing campaign harvesting credentials and OTPs to bypass 2FA.
  • Phishing sites are used first to collect login credentials and 6-digit PINs, then switch to delivering Android APKs to steal SMS OTPs.
  • Two APKs are involved: a custom SMS stealer (Brimo) and SMSEye-based malware; both load the legitimate BRI site in a WebView.
  • The Brimo APK masquerades as the BRI app (icon/logo spoof) and requests RECEIVE_SMS to capture SMS data.
  • The SMSEye-based stealer captures incoming SMSs and forwards them to a C2 server (ionicio[.]com) and to a Telegram bot.
  • The open-source SMSEye project is used as the basis, showing threat actors repurposing existing tooling for OTP theft.
  • CRIL notes potential for future updates, additional banking targets, and evolving credential/OTP harvesting techniques.

MITRE Techniques

  • [T1476] Deliver Malicious App via Other Means – APKs are delivered through the phishing sites to install the malicious apps.
  • [T1444] Masquerade as a Legitimate Application – The malware uses the icon of the BRI mobile banking application to appear genuine.
  • [T1426] System Information Discovery – In the background, the malware collects basic device information such as device name and model number. ‘collects basic device information such as device name, model number, etc’
  • [T1402] Broadcast Receivers – The malware registers an SMSReceiver in the Manifest file. ‘The malware has registered a SMSReceiver in the Manifest file.’
  • [T1412] Capture SMS Messages – Receiver collects incoming SMS messages and forwards them to C2. ‘receives an SMS… collects the incoming SMSs and sends them to the C&C server’
  • [T1411] Input Prompt – Phishing flow prompts users for login credentials and 6-digit PIN. ‘the malicious site prompts the victim to login credentials and 6-digit net banking PIN’
  • [T1567] Exfiltration Over Web Service – Exfiltrates captured data to a remote server/C2. ‘sends them to the C&C server’
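The T1402/T1412 pattern above (an SMS_RECEIVED broadcast receiver plus RECEIVE_SMS, combined with network access and a banking-brand label on a non-official package) is something a defender can triage straight from a decoded AndroidManifest.xml. The following is an added example written for this page, not Cyble's code or anything from the report; it assumes the manifest has already been decoded (for example by apktool) and uses a constructed allowlist whose package name is a placeholder.

```python
import xml.etree.ElementTree as ET

ANDROID_NS = "{http://schemas.android.com/apk/res/android}"
SMS_PERMS = {"android.permission.RECEIVE_SMS", "android.permission.READ_SMS"}
SMS_ACTION = "android.provider.Telephony.SMS_RECEIVED"

# Constructed watchlist: brand keyword -> package names allowed to carry that label.
# The package name below is a placeholder; substitute the verified official package.
BRAND_ALLOWLIST = {
    "bri": {"id.placeholder.official.bri"},
}


def triage_manifest(xml_text):
    """Return findings and a severity for one decoded AndroidManifest.xml."""
    root = ET.fromstring(xml_text)
    pkg = root.get("package", "")
    perms = {p.get(ANDROID_NS + "name", "") for p in root.iter("uses-permission")}
    app = root.find("application")
    label = app.get(ANDROID_NS + "label", "") if app is not None else ""

    # Receivers whose intent-filter listens for incoming SMS broadcasts.
    sms_receivers = []
    for rcv in root.iter("receiver"):
        actions = {a.get(ANDROID_NS + "name") for a in rcv.iter("action")}
        if SMS_ACTION in actions:
            sms_receivers.append(rcv.get(ANDROID_NS + "name", "?"))

    findings = []
    sms_perms = sorted(perms & SMS_PERMS)
    if sms_perms:
        findings.append("sms_permission:" + ",".join(sms_perms))
    if sms_receivers:
        findings.append("sms_received_receiver:" + ",".join(sms_receivers))
    has_network = "android.permission.INTERNET" in perms
    if sms_receivers and has_network:
        findings.append("sms_receiver_with_network")

    # A banking brand in the label on a package that is not the official one.
    brand_mismatch = False
    for brand, allowed in BRAND_ALLOWLIST.items():
        if brand in label.lower() and pkg not in allowed:
            brand_mismatch = True
            findings.append(f"brand_label_mismatch:{label}->{pkg}")

    if sms_receivers and has_network and brand_mismatch:
        severity = "high"
    elif sms_receivers and has_network:
        severity = "medium"
    elif findings:
        severity = "low"
    else:
        severity = "none"
    return {"package": pkg, "label": label, "findings": findings, "severity": severity}


# Constructed sample manifests (not taken from the real samples).
SUSPICIOUS_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.fakebank">
  <uses-permission android:name="android.permission.RECEIVE_SMS"/>
  <uses-permission android:name="android.permission.INTERNET"/>
  <application android:label="BRImo" android:icon="@mipmap/ic_launcher">
    <receiver android:name=".SMSReceiver" android:exported="true">
      <intent-filter android:priority="999">
        <action android:name="android.provider.Telephony.SMS_RECEIVED"/>
      </intent-filter>
    </receiver>
  </application>
</manifest>"""

BENIGN_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.notes">
  <uses-permission android:name="android.permission.INTERNET"/>
  <application android:label="Notes"/>
</manifest>"""

if __name__ == "__main__":
    for m in (SUSPICIOUS_MANIFEST, BENIGN_MANIFEST):
        print(triage_manifest(m))
```

A legitimate messaging app will also score "medium" here (SMS receiver plus network access is what such apps do), so the brand-label mismatch is the signal that escalates to "high"; tune the allowlist to the brands your organisation cares about and treat the output as a triage queue, not a verdict.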

Indicators of Compromise

  • [SHA256] 75b0d191544f1e96f9bdec94df3556aa7db1808f0f2e194f6a882154857d0384
  • [SHA1] f2634015dceb01106d6ba20ac50a0dea436a74ff
  • [MD5] 914e60fa50bb5dafd67c610c716fd76a, 7aa828231a5b52a3ae3a6926f6996257
  • [URL] hxxps://ionicio[.]com/
  • [URL] hxxps://id-bri-login[.]apk-online[.]com/download.php
  • [URL] hxxps://skematrf-login[.]apk-ind[.]com/
  • [URL] hxxps://brimo-login-id[.]apk-ind[.]com
  • [URL] hxxps://brimo-login-ind[.]apk-online[.]com
  • [URL] hxxps://login-bri-ib[.]apk-ind[.]com
  • [URL] hxxps://id-bri-login[.]apk-online[.]com
  • [URL] hxxps://id-login-brimo[.]apk-ind[.]com
  • [URL] hxxps://id-login-brimo[.]apk-online[.]com
  • [URL] hxxps://login-brimo-tarif[.]com
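The indicators above are defanged, and the phishing hosts rotate subdomains under a few registered domains (apk-ind.com, apk-online.com), so a literal string match on the listed URLs misses the next lure. The script below is an added example for this page, not Cyble's tooling: it refangs the published indicators, matches both exact hosts and their apex domains, and checks file hashes against constructed proxy and AV log lines. The apex-domain derivation takes the last two labels, which is correct for the .com domains here but needs a public-suffix list for TLDs like .co.id.

```python
import re
from urllib.parse import urlparse

# Indicators as published in the report (defanged).
DEFANGED_URLS = [
    "hxxps://ionicio[.]com/",
    "hxxps://id-bri-login[.]apk-online[.]com/download.php",
    "hxxps://skematrf-login[.]apk-ind[.]com/",
    "hxxps://brimo-login-id[.]apk-ind[.]com",
    "hxxps://brimo-login-ind[.]apk-online[.]com",
    "hxxps://login-bri-ib[.]apk-ind[.]com",
    "hxxps://id-bri-login[.]apk-online[.]com",
    "hxxps://id-login-brimo[.]apk-ind[.]com",
    "hxxps://id-login-brimo[.]apk-online[.]com",
    "hxxps://login-brimo-tarif[.]com",
]
HASHES = {
    "75b0d191544f1e96f9bdec94df3556aa7db1808f0f2e194f6a882154857d0384",  # SHA256
    "f2634015dceb01106d6ba20ac50a0dea436a74ff",                          # SHA1
    "914e60fa50bb5dafd67c610c716fd76a",                                  # MD5
    "7aa828231a5b52a3ae3a6926f6996257",                                  # MD5
}


def refang(ioc):
    """Undo the usual defanging conventions: hxxp, [.], [:]."""
    return ioc.replace("hxxp", "http").replace("[.]", ".").replace("[:]", ":")


def hostnames():
    return {urlparse(refang(u)).hostname.lower() for u in DEFANGED_URLS}


def apex_domains(hosts):
    # Naive last-two-labels apex; adequate for .com, not for multi-part suffixes.
    return {".".join(h.split(".")[-2:]) for h in hosts}


HOST_RE = re.compile(r"https?://([^/\s:]+)", re.I)
HASH_RE = re.compile(r"\b[0-9a-f]{32}\b|\b[0-9a-f]{40}\b|\b[0-9a-f]{64}\b", re.I)


def scan(lines):
    """Return (line_number, kind, indicator) for every hit in the given log lines."""
    hosts = hostnames()
    apexes = apex_domains(hosts)
    hits = []
    for n, line in enumerate(lines, 1):
        for host in HOST_RE.findall(line):
            host = host.lower()
            if host in hosts:
                hits.append((n, "host", host))
            elif ".".join(host.split(".")[-2:]) in apexes:
                hits.append((n, "apex", host))  # new subdomain under a known apex
        for h in HASH_RE.findall(line):
            if h.lower() in HASHES:
                hits.append((n, "hash", h.lower()))
    return hits


# Constructed sample log lines (proxy and AV), not real telemetry.
LOG = """2022-11-15T10:02:11Z 10.0.0.5 GET https://id-login-brimo.apk-ind.com/ 200
2022-11-15T10:02:15Z 10.0.0.5 POST https://ionicio.com/ 200
2022-11-15T10:02:40Z 10.0.0.9 GET https://new-login.apk-online.com/download.php 200
2022-11-15T10:03:00Z 10.0.0.7 GET https://example.org/ 200
2022-11-15T10:05:40Z 10.0.0.5 av sha256=75b0d191544f1e96f9bdec94df3556aa7db1808f0f2e194f6a882154857d0384 file=brimo.apk
""".splitlines()

if __name__ == "__main__":
    for hit in scan(LOG):
        print(hit)
```

The "apex" hits are lower-confidence than exact host or hash hits, since a registered domain may host unrelated content; log them separately and confirm before blocking.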

Read more: https://blog.cyble.com/2022/11/15/phishing-campaign-targeting-indonesian-bri-bank-using-sms-stealer/