Indian Taxpayers Face A Multifaceted Threat With Drinik Malware’s Return – Cyble

CRIL researchers document Drinik malware's return with a broader target set in India, now including UPI apps, plus new features that sustain persistence and complicate removal. The updated variant uses smishing to deliver a malicious itrMobile APK, abuses the Android Accessibility Service, and harvests banking credentials via keylogging and screen recording while communicating with a C2 server.

Keypoints

  • Drinik has operated since 2020 with a focus on Indian income tax users and shows heightened activity during tax filing periods.
  • The latest variant adds UPI app targeting (Google Pay, PhonePe, Paytm) and a Blast SMS feature to widen distribution.
  • Phishing and smishing lure victims into downloading a malicious itrMobile APK from deceptive sites.
  • The Accessibility Service is abused to monitor user actions and to block uninstallation or other interference.
  • New capabilities include screen recording, keylogging, stealing camera pictures, removing the Truecaller app, and modifying clipboard data.
  • The malware communicates with a C2 server, downloads additional payloads, and uses LocalCapture to exfiltrate data.

MITRE Techniques

  • [T1624.001] Event-Triggered Execution: Broadcast Receivers – Drinik triggers its incoming-SMS stealer code from an SMS broadcast receiver.
  • [T1629.001] Impair Defenses: Prevent Application Removal – Drinik prevents its own uninstallation.
  • [T1630.002] Indicator Removal on Host: File Deletion – Drinik deletes SMS messages from the infected device.
  • [T1616] Call Control – Drinik can disallow or block incoming calls.
  • [T1636.003] Protected User Data: Contact List – Steals the contact list.
  • [T1513] Screen Capture – Steals recorded screen content.
  • [T1533] Data from Local System – Steals camera pictures.
  • [T1417.001] Input Capture: Keylogging – Uses keylogging to steal net-banking credentials.
  • [T1582] SMS Control – Drinik can send and delete SMS messages.
  • [T1437.001] Application Layer Protocol: Web Protocols – Communicates with the C&C server over HTTP.
  • [T1646] Exfiltration Over C2 Channel – Sends exfiltrated data to the C&C server.

Indicators of Compromise

  • [Hash] Analyzed APK – SHA-256 ad1ff9a584cd143eb1c950692fd0b3223c7f285f09c33cf9a6cd9591c45fd489; SHA-1 f3d4ad7dd8a48b72c18d3e1c5f769adaf01636fa
  • [URL] Distribution/ITR phishing links – hxxp://107.174.45[.]116/ip2/?ITR, hxxp://78.110.116[.]82/~serverxp/R7UWUA/?itrMobile
  • [URL] APK download URL – hxxp://198.46.177[.]159/VDAJ/index.php?dir=../apk/9dg
  • [URL] Additional download URL – hxxp://192.3.124[.]14/us/Child[.]apk
  • [URL] Net banking login page observed in the workflow – https://eportal.incometax.gov.in/iec/foservices/#/login/netBanking (this is the genuine Income Tax e-filing portal that the malware's flow leads the victim to; it is listed for context and is not a blocking indicator)
  • [URL] C2 server – hc.bounceme.net/iaserver.php (bounceme.net is a shared No-IP dynamic-DNS parent domain, so match on the full hostname hc.bounceme.net rather than the parent)
  • [Path] Local storage path for downloaded APK – /storage/emulated/0/Android/data/com.avu.itrMobile/files/apks/AApk.apk
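The indicators above are published defanged (hxxp, [.]), and two of them need care when turned into detections: the C2 hostname sits under a shared dynamic-DNS domain, and the two hashes are of different algorithms. The following is an added example, not Cyble's tooling: it refangs the listed indicators, matches exact hostnames against proxy log lines, and classifies and checks hashes. The log lines are constructed for the example (the format is an assumed access-log layout, not anything from the report), and only the indicators that appear in the list above are used.

```python
import hashlib
import re
from urllib.parse import urlsplit

# Indicators copied verbatim (still defanged) from the IoC list above.
DEFANGED_URLS = [
    "hxxp://107.174.45[.]116/ip2/?ITR",
    "hxxp://78.110.116[.]82/~serverxp/R7UWUA/?itrMobile",
    "hxxp://198.46.177[.]159/VDAJ/index.php?dir=../apk/9dg",
    "hxxp://192.3.124[.]14/us/Child[.]apk",
    "hc.bounceme.net/iaserver.php",  # C2; published without a scheme
]
KNOWN_HASHES = {
    "ad1ff9a584cd143eb1c950692fd0b3223c7f285f09c33cf9a6cd9591c45fd489",  # SHA-256
    "f3d4ad7dd8a48b72c18d3e1c5f769adaf01636fa",                          # SHA-1
}
MALICIOUS_PACKAGE = "com.avu.itrMobile"


def refang(ioc: str) -> str:
    """Undo the usual defanging: hxxp -> http, [.] -> ."""
    s = ioc.replace("[.]", ".").replace("(.)", ".")
    return re.sub(r"^hxxp(s?)://", r"http\1://", s, flags=re.IGNORECASE)


def ioc_host(ioc: str) -> str:
    """Lower-cased hostname of a (possibly scheme-less) indicator."""
    s = refang(ioc)
    if "://" not in s:
        s = "http://" + s
    return urlsplit(s).hostname.lower()


# Exact hostnames only: bounceme.net is a shared dynamic-DNS parent domain,
# so a parent-domain match would flag unrelated hosts.
MALICIOUS_HOSTS = {ioc_host(u) for u in DEFANGED_URLS}

URL_RE = re.compile(r"https?://[^\s\"'<>]+", re.IGNORECASE)


def scan_log_lines(lines):
    """Return (line_number, host, url) for every URL whose host is an IoC."""
    hits = []
    for n, line in enumerate(lines, start=1):
        for url in URL_RE.findall(line):
            host = urlsplit(url).hostname
            if host and host.lower() in MALICIOUS_HOSTS:
                hits.append((n, host.lower(), url))
    return hits


def classify_hash(hexdigest: str):
    """Return (algorithm, known) for a hex digest; algorithm inferred from length."""
    h = hexdigest.strip().lower()
    algo = {40: "sha1", 64: "sha256"}.get(len(h))
    return algo, h in KNOWN_HASHES


def hash_file_bytes(data: bytes):
    """Hash an APK's bytes with both algorithms and report which digests are known."""
    return {
        "sha256": classify_hash(hashlib.sha256(data).hexdigest())[1],
        "sha1": classify_hash(hashlib.sha1(data).hexdigest())[1],
    }


# Constructed sample proxy log (not real traffic). Line 1 is the legitimate
# e-filing portal, line 3 is an unrelated host under the same dynamic-DNS
# parent; lines 2, 4 and 5 should match.
SAMPLE_LOG = [
    '10.0.0.5 - - [01/Aug/2023:10:00:01 +0530] "GET https://eportal.incometax.gov.in/iec/foservices/ HTTP/1.1" 200',
    '10.0.0.5 - - [01/Aug/2023:10:00:07 +0530] "GET http://198.46.177.159/VDAJ/index.php?dir=../apk/9dg HTTP/1.1" 200',
    '10.0.0.9 - - [01/Aug/2023:10:00:09 +0530] "GET http://other.bounceme.net/ HTTP/1.1" 200',
    '10.0.0.5 - - [01/Aug/2023:10:01:30 +0530] "POST http://hc.bounceme.net/iaserver.php HTTP/1.1" 200',
    '10.0.0.5 - - [01/Aug/2023:10:01:31 +0530] "GET http://HC.BOUNCEME.NET/iaserver.php HTTP/1.1" 200',
]

if __name__ == "__main__":
    for n, host, url in scan_log_lines(SAMPLE_LOG):
        print(f"line {n}: {host} <- {url}")
    print(classify_hash("AD1FF9A584CD143EB1C950692FD0B3223C7F285F09C33CF9A6CD9591C45FD489"))
```

Feed real proxy or DNS lines to scan_log_lines and real APK bytes to hash_file_bytes; pair the hostname check with a search for the com.avu.itrMobile package name (MALICIOUS_PACKAGE) in MDM or device inventories, since the hashes will miss repacked samples.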

Read more: https://cyble.com/blog/indian-taxpayers-face-a-multifaceted-threat-with-drinik-malwares-return/