“New Phishing Tactics Targeting Mobile Users in PWA Applications”

A novel phishing campaign targets mobile users via PWAs and WebAPKs to impersonate Czech banking apps and steal credentials, bypassing typical warnings. The activity involves two threat actor groups with Czech, Hungarian, and Georgian victims, and banks were notified to bolster protections. #PWAPhishing #WebAPK #OTPBank #TBCBank #CSIRTKNF #ESETResearch

Keypoints

  • Phishing campaigns target both Android and iOS users using PWAs and WebAPKs.
  • Installation of PWAs/WebAPKs bypasses warnings about third-party applications.
  • Phishing apps appear to be installed from the Google Play store on Android.
  • Campaigns primarily targeted clients of Czech banks, with some incidents in Hungary and Georgia.
  • Two distinct threat actors were identified based on C&C infrastructure.
  • Victims’ banks were notified to enhance protection against these phishing attempts.
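Added example (not from the ESET report): a defender-side check for the pattern the keypoints describe, a PWA manifest carrying a bank's branding while being served from an origin the bank does not own. The brand allow-list, domains and sample manifest are constructed placeholders.

```python
"""Flag a PWA web app manifest whose branding names a bank but whose
serving origin (or start_url) is not one of that bank's domains."""
from __future__ import annotations

import json
from urllib.parse import urljoin, urlparse

# Constructed allow-list: brand keyword -> registrable domains that may
# legitimately host that brand's PWA. Placeholder values, not real banks.
BRAND_ORIGINS: dict[str, set[str]] = {
    "examplebank": {"examplebank.example"},
}

def host_allowed(host: str, allowed: set[str]) -> bool:
    """True if host equals, or is a subdomain of, an allowed domain."""
    return any(host == d or host.endswith("." + d) for d in allowed)

def check_manifest(manifest_text: str, manifest_url: str) -> list[str]:
    """Return findings for one manifest fetched from manifest_url."""
    m = json.loads(manifest_text)
    findings: list[str] = []
    serving_host = (urlparse(manifest_url).hostname or "").lower()
    label = f"{m.get('name', '')} {m.get('short_name', '')}".lower()

    # Brand text present, but the manifest is not served by that brand.
    for brand, allowed in BRAND_ORIGINS.items():
        if brand in label and not host_allowed(serving_host, allowed):
            findings.append(f"brand '{brand}' served from {serving_host}")

    # start_url is resolved against the manifest URL; a different host means
    # the installed "app" opens somewhere other than where it was fetched.
    start_host = (urlparse(urljoin(manifest_url, m.get("start_url", "/")))
                  .hostname or "").lower()
    if start_host != serving_host:
        findings.append(f"start_url host {start_host} != {serving_host}")
    return findings

# Constructed sample manifest: bank branding, standalone display (no URL bar).
SAMPLE_MANIFEST = json.dumps({
    "name": "ExampleBank Mobile",
    "short_name": "ExampleBank",
    "start_url": "/login",
    "display": "standalone",
})

if __name__ == "__main__":
    print(check_manifest(SAMPLE_MANIFEST,
                         "https://update-examplebank.invalid/manifest.json"))
```

Run against manifests collected from a web proxy or crawler; an empty list means the branding and origin agree under the allow-list.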

MITRE Techniques

  • [T1660] Phishing – Brief description: Applications are first distributed by malicious advertising or mass phishing. After installation, the application itself is used for phishing.
  • [T1417.002] Input Capture: GUI Input Capture – Brief description: Credentials are harvested by impersonating the login pages of targeted banks.
  • [T1437.001] Application Layer Protocol: Web Protocols – Brief description: PWA/WebAPK phishing apps send login data via JavaScript interfaces, as well as tracking data.

Indicators of Compromise

  • [Files] Android mobile phishing app – D3D5AE6B8AE9C7C1F8690452760745E18640150D (base.apk), 66F97405A1538A74CEE4209E59A1E22192BC6C08 (base.apk)
  • [IP] C2/distribution servers – 46.175.145.67 (hide-me[.]online); 185.181.165.124 (cryptomaker[.]info)
  • [Domain] C2/distribution domains – hide-me[.]online; cryptomaker[.]info
  • [Hosting provider] Cloudflare, Inc. – used by 46.175.145.67 and 172.67.182.151
  • [Hosting provider] Hosting Ukraine LTD – csas.georgecz[.]online

Read more: https://www.welivesecurity.com/en/eset-research/be-careful-what-you-pwish-for-phishing-in-pwa-applications/