Cyble – Phishing Campaign Targets Japanese Tax Payers

Cyble researchers uncovered a phishing campaign impersonating Japan’s National Tax Agency to steal V-Preca card details from Japanese taxpayers, combining fake NTA sites, smishing, and Android malware (FakeCop) with extensive C2 infrastructure. The operation exfiltrates personal data and card information through a chained redirection flow, ultimately pushing victims to pay via an electronic money method. #RoamingMantis #FakeCop #NationalTaxAgency #VPreca #KDDICorporation #AU #Smishing #Japan

Keypoints

  • The campaign impersonates the National Tax Agency and uses typo-squatted domains to lure Japanese users to a fake Tax Agency site.
  • Phishing flows prompt users to enter PII and select the “Electronic money (v Preca issuing code)” payment method, disabling other payment options.
  • User details and V-Preca card information are redirected to TA (threat actor) domains via multiple URL steps (putinfo.php, putcard.php, etc.).
  • A separate smishing campaign (FakeCop) distributes Android malware masquerading as an AU mobile security app, with extensive data-collection capabilities.
  • The malware uses a proxy URL to fetch a C2 server and can exfiltrate data such as contacts, SMS, and app data, and can delete SMS messages to avoid detection.
  • Cyble observed over 20,000 malicious samples in the last 3 months, indicating active targeting of Japan by the Roaming Mantis threat actors.

MITRE Techniques

  • [T1476] Deliver Malicious App via Other Means – The campaign delivers malicious apps through alternative delivery methods, including smishing and fake app installations that masquerade as legitimate software. “The downloaded malicious application pretends to be the AU mobile security application developed by KDDI to appear genuine.”
  • [T1444] Masquerade as Legitimate Application – The campaign masquerades as a legitimate security app to appear authentic and trick users into installing it. “masquerade as legitimate application” and related visuals.
  • [T1417] Input Capture – Victims are prompted to enter their PII (email, phone, name) during the phishing flow. “Users are prompted to enter their Personally Identifiable Information (PII), such as email address, phone number, and name.”
  • [T1412] Data from Local System – The malware collects data such as contacts, SMS, and installed apps from the device. “collects sensitive data such as contact lists, SMS data, installed application data.”
  • [T1432] Data from Contacts List – The campaign explicitly targets contact lists on devices as part of data collection. “collects … contact lists.”
  • [T1447] Delete Device Data – The malware deletes SMS messages to conceal activity. “the malware further deletes SMSs from infected devices to avoid being noticed.”
  • [T1071] Application Layer Protocol – The malware communicates with a proxy URL to obtain C2 details. “The malware connects to a proxy URL … and then receives the Command and Control (C&C) server URL for further communication.”
  • [T1567] Exfiltration Over Web Service – Victim data (e.g., card details) is exfiltrated via web services to TA (threat actor) domains. “sends the card details to a URL … /putcard.php”

Indicators of Compromise

  • [SHA256] Hash – 14fff9319b49ed4cc6e4141f3e894106b2e2b22bc31bf8a9847db1b65a552188 – Hash of the analyzed APK file.
  • [SHA1] Hash – 1691d547980d2c8faa929301c3a6aa6d958b9389 – Hash of the analyzed APK file.
  • [MD5] Hash – 8b6c4fea9e4a6d8761c1c53525a91374 – Hash of the analyzed APK file.
  • [URL] Proxy server – hxxp://220105[.]top – Proxy URL used by the malware to reach the C2.
  • [URL] C2 server – hxxp://192.186.11[.]120:6666 – IP-based C2 endpoint referenced in the campaign.
  • [URL] Phishing domain – hxxps://ntagoi-jp[.]qgvvtoq[.]cn – Main phishing domain used in redirects.
  • [URL] Redirected phishing page – hxxps://ntagoi-jp[.]qgvvtoq[.]cn/884412781[.]php – Example redirect page.
  • [URL] Card data endpoint – hxxps://ntagoi-jp[.]qgvvtoq[.]cn/putcard[.]php – Endpoint where card details are sent.
  • [URL] Image/upload endpoint – hxxps://ntagoi-jp[.]qgvvtoq[.]cn/putimg[.]php – Endpoint for uploaded ticket images.
  • [URL] Additional phishing domains – hxxps://ntagoi-jp[.]tifrrqf[.]cn, hxxps://ntagoi-jp[.]tljkcnk[.]cn, … (and 6+ more similar domains)
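A defender consuming this list typically has to refang the indicators and sweep web-proxy logs for them. The script below is an added example, not Cyble's code or tooling: it refangs the defanged URLs above, builds a host watchlist, and scans a few constructed proxy log lines. Because the page says the card data flows through fixed PHP endpoints (putinfo.php, putcard.php, putimg.php) and that 6+ further ntagoi-jp.*.cn domains exist, it also flags those paths and that host shape on hosts not in the list; the pattern and the log format are assumptions, and the host ntagoi-jp.zzzexample.cn in the sample log is constructed.

```python
import re
from urllib.parse import urlparse

# Defanged indicators copied from the IoC list on this page.
DEFANGED_IOCS = [
    "hxxp://220105[.]top",
    "hxxp://192.186.11[.]120:6666",
    "hxxps://ntagoi-jp[.]qgvvtoq[.]cn",
    "hxxps://ntagoi-jp[.]qgvvtoq[.]cn/putcard[.]php",
    "hxxps://ntagoi-jp[.]qgvvtoq[.]cn/putimg[.]php",
    "hxxps://ntagoi-jp[.]tifrrqf[.]cn",
    "hxxps://ntagoi-jp[.]tljkcnk[.]cn",
]

# Exfiltration endpoints named on the page.
SUSPICIOUS_PATHS = {"/putinfo.php", "/putcard.php", "/putimg.php"}

# Assumed shape of the unlisted "6+ more similar domains": ntagoi-jp.<label>.cn
TYPOSQUAT_PATTERN = re.compile(r"^ntagoi-jp\.[a-z0-9-]+\.cn$")


def refang(indicator: str) -> str:
    """Turn a defanged URL (hxxp, [.], [:]) back into a parseable URL."""
    s = indicator.strip()
    s = re.sub(r"^hxxps://", "https://", s, flags=re.IGNORECASE)
    s = re.sub(r"^hxxp://", "http://", s, flags=re.IGNORECASE)
    return s.replace("[.]", ".").replace("[:]", ":")


def build_watchlist(defanged):
    """Collect the hostnames (domains and IPs) from a list of defanged URLs."""
    hosts = set()
    for ind in defanged:
        host = urlparse(refang(ind)).hostname
        if host:
            hosts.add(host.lower())
    return hosts


WATCHLIST_HOSTS = build_watchlist(DEFANGED_IOCS)


def classify(url: str):
    """Return the reasons a URL matches the campaign, or [] if none apply."""
    u = urlparse(url)
    host = (u.hostname or "").lower()
    reasons = []
    if host in WATCHLIST_HOSTS:
        reasons.append(f"known host {host}")
    if TYPOSQUAT_PATTERN.match(host):
        reasons.append(f"NTA typo-squat shape {host}")
    if u.path in SUSPICIOUS_PATHS:
        reasons.append(f"exfiltration endpoint {u.path}")
    return reasons


# Constructed proxy log lines: "<timestamp> <client_ip> <method> <url> <status>"
SAMPLE_LOG = """\
2022-09-13T09:00:01Z 10.0.0.12 GET https://www.nta.go.jp/index.htm 200
2022-09-13T09:01:10Z 10.0.0.15 GET https://ntagoi-jp.qgvvtoq.cn/884412781.php 200
2022-09-13T09:02:45Z 10.0.0.15 POST https://ntagoi-jp.qgvvtoq.cn/putcard.php 200
2022-09-13T09:03:02Z 10.0.0.21 POST https://ntagoi-jp.zzzexample.cn/putinfo.php 200
2022-09-13T09:04:30Z 10.0.0.33 GET http://192.186.11.120:6666/ 200
2022-09-13T09:05:00Z 10.0.0.40 GET https://example.com/putcard.php.html 200
"""


def scan_log(text: str):
    """Return (client_ip, url, reasons) for every log line that matches."""
    hits = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) < 5:
            continue  # skip malformed lines rather than crash the sweep
        _ts, client, _method, url, _status = parts[:5]
        reasons = classify(url)
        if reasons:
            hits.append((client, url, reasons))
    return hits


if __name__ == "__main__":
    for client, url, reasons in scan_log(SAMPLE_LOG):
        print(f"{client} -> {url}: {'; '.join(reasons)}")
```

The fourth log line shows why the path and host-shape checks matter: its domain is not on the list, yet it matches the putinfo.php step and the ntagoi-jp.*.cn shape, which is the kind of hit a pure host watchlist would miss. The last line is a deliberate near-miss (putcard.php.html on an unrelated host) that correctly produces no alert.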

Read more: https://blog.cyble.com/2022/09/13/phishing-campaign-targets-japanese-tax-payers/