NexusRoute: Attempting to Disrupt an Indian Government Ministry – CYFIRMA

The NexusRoute campaign is a large-scale, professionally maintained Android malware and phishing operation that impersonates Indian Government services (mParivahan / e-Challan), distributes malicious APKs via GitHub repositories and GitHub Pages, and operates a large set of phishing domains to steal UPI, card, and banking credentials. Technical analysis shows a native-backed multi-stage RAT with dynamic code loading, SMS interception, persistence via BroadcastReceivers and foreground services, Socket.IO C2 at 154.61.80.242, and OSINT links to a commercial Android obfuscation and surveillance tooling ecosystem.

Key points

  • The campaign distributes fake mParivahan/e-Challan APKs via GitHub repositories and GitHub Pages to bypass app-store controls and host phishing pages.
  • Phishing portals use Indian Government branding and a ₹1 verification lure to collect mobile numbers, vehicle data, UPI PINs, OTPs, card details, and banking credentials.
  • The Android malware is a multi-stage, native-backed RAT using DexClassLoader, JNI native libraries, heavy obfuscation (NP Manager), and dynamic payload loading to evade analysis.
  • Persistence and stealth are achieved through BroadcastReceivers, foreground services, OEM auto-start abuse, accessibility automation, icon swapping, and deceptive system prompts to prevent removal.
  • Capabilities include SMS interception/sending (dual-SIM abuse), SIM profiling, contacts/call-log theft, keylogging, screen capture (MediaProjection), camera/microphone access, continuous GPS tracking, and automated exfiltration via Socket.IO C2.
  • OSINT links (hardcoded email and “Gymkhana Studio” branding) tie the toolchain to a broader commercial Android obfuscation and surveillance tooling ecosystem, indicating a professional, scalable operation.

MITRE Techniques

  • [T1476] Deliver Malicious App via Other Means – Fake mParivahan APK delivered via GitHub Pages and phishing domains instead of official app stores.
  • [T1566] Phishing – Cloned challan and payment portals impersonating government services lure victims and harvest credentials.
  • [T1204] User Execution – Victims must enable “Install from Unknown Sources” and manually install the APK.
  • [T1624] Event Triggered Execution – Malware executes automatically in response to system events to stay active.
  • [T1624.001] Broadcast Receivers – Android broadcast receivers are abused to maintain background execution and persistence.
  • [T1541] Foreground Persistence – A continuous foreground service disguised as a legitimate app keeps the malware from being terminated.
  • [T1603] Scheduled Task/Job – Scheduled background jobs ensure repeated execution of malicious components.
  • [T1409] Stored Application Data – SMS, contacts, phone-state, and storage permissions are abused to read on-device data for credential theft and victim profiling.
  • [T1407] Download New Code at Runtime – DexClassLoader and JNI native libraries load payloads at runtime, and secondary APKs and updated payloads are fetched from external storage and remote hosts after installation, hiding functionality until execution.
  • [T1406] Obfuscated Files or Information – Heavy string and code obfuscation (NP Manager) hinders reverse engineering and detection.
  • [T1629] Impair Defenses – Forces dangerous permission grants and uses deceptive prompts to weaken system protections.
  • [T1629.001] Prevent Application Removal – Fake security warnings and persistent prompts discourage uninstall attempts, and an uninstall removes only the dropper.
  • [T1417] Input Capture – Phishing forms and overlays capture OTPs, UPI PINs, and payment data.
  • [T1417.002] GUI Input Capture – Visual UPI PIN keypad and payment entry screens harvest sensitive inputs.
  • [T1417.001] Keylogging – Keystroke-level monitoring with local log staging captures credentials entered during authentication.
  • [T1513] Screen Capture – MediaProjection-based screen capture, activated via C2 commands, records verification and payment screens for fraud.
  • [T1071] Application Layer Protocol – HTTP/WebSocket (Socket.IO) channels with automatic reconnection carry C2 traffic and enable real-time operator interaction.
  • [T1020] Automated Exfiltration – Stolen SMS, SIM data, credentials, and device information are exfiltrated automatically to the central C2.
  • [T1471] Data Encrypted for Impact – Potential capability to encrypt local data for disruption or extortion.
  • [T1516] Input Injection – Simulated or injected user input (via Accessibility) manipulates victim interactions and automates transactions.

Indicators of Compromise

  • [Domain] Phishing and hosting infrastructure – rtochallan1239542138464[.]shop, mparivahan1[.]github[.]io, and 20+ related rtochallan*.shop/.store/.online domains
  • [IP Address] Command-and-control endpoint – 154.61.80.242 (Socket.IO C2, reported as 154.61.80.242:0999)
  • [SHA256 Hash] Known malicious APKs – d17e958bf9b079c7ca98f54324e6c2f31e9c1d4c7945e8bc190895c08c762655, aba3e587430fae0877a2e0fb07866427a092dc4eccb0db17715d62b7a7c0c992
  • [URL] GitHub hosting and repo artifacts – https[:]//github[.]com/pavan202006/NextGen-mParivahan, https[:]//github[.]com/ChaIIan-94 (and other throwaway GitHub repos hosting APKs)
  • [Email] Developer/crash-report artifact – [email protected] (embedded in crash-reporting/exfiltration routines and linked to Gymkhana Studio tooling)
  • [File Name / Path] Dropped/secondary payloads – /sdcard/CRAZYrd/Download/CRAZY_update.apk (secondary-stage APK), mParivahan.apk (hosted payload)
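A practical way to use the findings above (the DexClassLoader/Socket.IO/SMS-receiver tradecraft in the key points and MITRE list, and the IOC list just given) is a static triage script that scores an APK against them. The script below is an added example, not CYFIRMA's code or any tool from the report. It assumes the package has been decoded with apktool so that AndroidManifest.xml is plain XML rather than binary AXML, then re-zipped; the two sample packages it builds in memory are constructed for the demo and are not real NexusRoute samples. Class-reference strings, permission names and the scoring weights are this example's choices.

```python
"""Static triage of an Android package against the NexusRoute indicators above.

Added example, not CYFIRMA's code. Assumes an apktool-decoded APK (plain-XML
manifest) re-zipped; the sample packages are constructed in memory for the demo.
"""
import hashlib
import io
import re
import zipfile
import xml.etree.ElementTree as ET

AND = "{http://schemas.android.com/apk/res/android}"  # Android XML attribute namespace

# Indicators taken from the report's IOC list and technical findings.
IOC_DOMAINS = {"rtochallan1239542138464.shop", "mparivahan1.github.io"}
IOC_DOMAIN_RE = re.compile(r"^rtochallan\w*\.(shop|store|online)$")  # the 20+ sibling domains
IOC_IPS = {"154.61.80.242"}
IOC_SHA256 = {"d17e958bf9b079c7ca98f54324e6c2f31e9c1d4c7945e8bc190895c08c762655",
              "aba3e587430fae0877a2e0fb07866427a092dc4eccb0db17715d62b7a7c0c992"}
IOC_PATHS = {"/sdcard/CRAZYrd/Download/CRAZY_update.apk"}
# Permissions and intent actions the report ties to SMS theft and persistence (example's selection).
RISKY_PERMISSIONS = {"android.permission.RECEIVE_SMS", "android.permission.READ_SMS",
                     "android.permission.SEND_SMS", "android.permission.RECEIVE_BOOT_COMPLETED",
                     "android.permission.READ_CONTACTS", "android.permission.READ_CALL_LOG",
                     "android.permission.ACCESS_FINE_LOCATION", "android.permission.FOREGROUND_SERVICE"}
TRIGGER_ACTIONS = {"android.intent.action.BOOT_COMPLETED", "android.provider.Telephony.SMS_RECEIVED"}
# Class references that mark the loader, C2 and spyware stages described in the report.
CODE_MARKERS = {"dalvik/system/DexClassLoader": "dynamic DEX loading",
                "io/socket/client/Socket": "Socket.IO client",
                "android/media/projection/MediaProjection": "screen capture",
                "android/telephony/SmsManager": "SMS sending"}
HOST_RE = re.compile(r"\b[a-z0-9-]+(?:\.[a-z0-9-]+)+\b")


def extract_strings(blob, min_len=6):
    """Printable ASCII runs: enough to pull class names, URLs and paths out of a DEX."""
    return {m.group().decode() for m in re.finditer(rb"[\x20-\x7e]{%d,}" % min_len, blob)}


def ioc_hits(strings):
    """Exact IP/path substring matches plus hostname matches against the domain IOCs."""
    hits = set()
    for s in strings:
        hits.update(ip for ip in IOC_IPS if ip in s)
        hits.update(p for p in IOC_PATHS if p in s)
        for host in HOST_RE.findall(s.lower()):
            if host in IOC_DOMAINS or IOC_DOMAIN_RE.match(host):
                hits.add(host)
    return hits


def manifest_findings(manifest_xml):
    """Risky permissions and receivers wired to boot/SMS events (the persistence pattern above)."""
    root = ET.fromstring(manifest_xml)
    perms = {p.get(AND + "name") for p in root.iter("uses-permission")}
    receivers = {}
    for r in root.iter("receiver"):
        acts = {a.get(AND + "name") for a in r.iter("action")} & TRIGGER_ACTIONS
        if acts:
            receivers[r.get(AND + "name")] = sorted(acts)
    return sorted(perms & RISKY_PERMISSIONS), receivers


def triage_apk(apk_bytes):
    """Return findings plus a crude additive score; a known hash alone is decisive."""
    sha = hashlib.sha256(apk_bytes).hexdigest()
    strings = set()
    with zipfile.ZipFile(io.BytesIO(apk_bytes)) as z:
        names = z.namelist()
        manifest = z.read("AndroidManifest.xml").decode() if "AndroidManifest.xml" in names else "<manifest/>"
        for n in names:
            if n.endswith(".dex"):
                strings |= extract_strings(z.read(n))
    perms, receivers = manifest_findings(manifest)
    report = {
        "sha256": sha, "known_hash": sha in IOC_SHA256,
        "native_libs": sorted(n for n in names if n.startswith("lib/") and n.endswith(".so")),
        "code_markers": sorted(d for m, d in CODE_MARKERS.items() if any(m in s for s in strings)),
        "ioc_hits": sorted(ioc_hits(strings)),
        "risky_permissions": perms, "trigger_receivers": receivers,
    }
    report["score"] = (len(report["code_markers"]) + len(report["ioc_hits"]) + len(perms)
                       + len(receivers) + (10 if report["known_hash"] else 0))
    return report


def build_sample_apk(malicious=True):
    """Constructed package (not a real sample): decoded manifest, fake DEX string table, native lib."""
    if malicious:
        perms = ["RECEIVE_SMS", "READ_SMS", "RECEIVE_BOOT_COMPLETED", "INTERNET"]
        receiver = ('<receiver android:name=".BootReceiver"><intent-filter>'
                    '<action android:name="android.intent.action.BOOT_COMPLETED"/>'
                    '<action android:name="android.provider.Telephony.SMS_RECEIVED"/>'
                    '</intent-filter></receiver>')
        dex_strings = [b"Ldalvik/system/DexClassLoader;", b"Lio/socket/client/Socket;",
                       b"http://154.61.80.242:0999/socket.io/",
                       b"/sdcard/CRAZYrd/Download/CRAZY_update.apk",
                       b"https://mparivahan1.github.io/mParivahan.apk"]
    else:
        perms, receiver = ["INTERNET"], ""
        dex_strings = [b"Landroid/app/Activity;", b"https://example.org/api"]
    manifest = ('<manifest xmlns:android="http://schemas.android.com/apk/res/android" package="com.example.app">'
                + "".join(f'<uses-permission android:name="android.permission.{p}"/>' for p in perms)
                + f"<application>{receiver}</application></manifest>")
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        z.writestr("AndroidManifest.xml", manifest)
        z.writestr("classes.dex", b"dex\n035\x00" + b"\x00".join(dex_strings) + b"\x00")
        if malicious:
            z.writestr("lib/arm64-v8a/libnative.so", b"\x7fELF" + b"\x00" * 60)
    return buf.getvalue()


if __name__ == "__main__":
    for label in ("malicious", "benign"):
        print(label, triage_apk(build_sample_apk(label == "malicious")))
```

The score is deliberately additive rather than a verdict: a legitimate SMS app will carry RECEIVE_SMS and an SMS_RECEIVED receiver, so the signal that matters in practice is the co-occurrence of a runtime DEX loader, a Socket.IO client and one of the report's network or path indicators. Run it over a whole collection of decoded packages and triage the highest scores first; a hash match against the two SHA256 values settles the question on its own.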

Read more: https://www.cyfirma.com/research/nexusroute-attempting-to-disrupt-an-indian-government-ministry/