RedHook is a new Android banking trojan that targets Vietnamese users through phishing sites impersonating financial and government institutions. It combines WebSocket-based command and control, keylogging, and screen capture via Android’s MediaProjection API. Chinese-language artifacts in the malware suggest a Chinese-speaking threat actor is behind the campaign, which currently shows low detection rates on VirusTotal. #RedHook #AndroidBankingTrojan #VietnamPhishing
Key points
- RedHook targets Vietnamese users by distributing malicious APKs through phishing websites spoofing trusted financial and governmental entities.
- The trojan supports 34 remote commands via a WebSocket connection, enabling complete remote control over infected Android devices.
- It abuses Android’s MediaProjection API for continuous screen capturing and exfiltrates sensitive information including credentials, SMS, contacts, and keystrokes.
- An exposed AWS S3 bucket revealed operational data, screenshots, and templates connected to RedHook dating back to November 2024.
- The malware contains Chinese-language strings, indicating development by a Chinese-speaking threat actor or group.
- Linked domains such as mailisa[.]me connect RedHook to prior Vietnamese scam campaigns, showing an evolution from social engineering to sophisticated malware use.
- Despite its extensive capabilities, RedHook currently exhibits low detection rates on antivirus platforms like VirusTotal, so the campaign remains both stealthy and active.
MITRE Techniques
- [TA0027][T1660] Phishing – Distributed via phishing sites impersonating legitimate Vietnamese institutions (‘Malware is distributed via phishing sites’).
- [TA0030][T1655.001] Masquerading: Match Legitimate Name or Location – Disguised as legitimate banking applications (‘Malware pretending to be a genuine application’).
- [TA0030][T1418] Application Discovery – Collects installed application package names to map the victim’s device (‘Collects the installed application package name list’).
- [TA0030][T1516] Input Injection – Performs automated user interactions like clicks and gestures (‘Malware can mimic user interaction, perform clicks and various gestures, and input data’).
- [TA0030][T1630.001] Indicator Removal on Host: Uninstall Malicious Application – Can uninstall itself to evade detection (‘RedHook can uninstall itself’).
- [TA0031][T1417.001] Input Capture: Keylogging – Captures keystrokes along with active application info (‘RedHook can collect credentials via keylogging’).
- [TA0032][T1426] System Information Discovery – Collects device information including brand, screen orientation, and lock type (‘RedHook collects device information’).
- [TA0035][T1636.004] Protected User Data: SMS Messages – Retrieves SMS messages from the device (‘Collects SMSs’).
- [TA0035][T1636.003] Protected User Data: Contact List – Collects contacts from the infected device (‘Protected User Data: Contact List’).
- [TA0035][T1513] Screen Capture – Uses MediaProjection API to capture screen content (‘Malware records the screen using Media Projection’).
- [TA0037][T1437.001] Application Layer Protocol: Web Protocols – Communicates with the C2 server over HTTP and WebSocket (‘Malware uses HTTP to communicate with the C&C server’).
- [TA0036][T1646] Exfiltration Over C2 Channel – Sends stolen data to command-and-control servers (‘Sending exfiltrated data over the C&C server’).
Indicators of Compromise
- [SHA256] Malware hash samples – 0ace439000c8c950330dd1694858f50b2800becc7154e137314ccbc5b1305f07, ebc4bed126c380cb37e7936b9557e96d41a38989616855bb95c9107ab075daa3, and 7 more hashes.
- [Domain] Command-and-Control servers – adsocket[.]e13falsz.xyz, api9[.]iosgaxx423.xyz, skt9[.]iosgaxx423.xyz, api5[.]jftxm.xyz.
- [URL] Distribution and phishing URLs – nfe-bucketapk[.]s3.ap-southeast-1.amazonaws.com/SBV.apk, sbvhn[.]com/, and dzcdo3hl3vrfl.cloudfront[.]net/Chinhphu.apk.
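The indicators above are defanged (‘[.]’ in place of ‘.’), so they cannot be pasted straight into a log search. The following script is an added example, not tooling from the Cyble report: it refangs the domains, URLs and hashes listed on this page, then scans log lines for exact hash matches, the C2 domains (including any subdomain of them), the full distribution URLs, and the bare phishing host. The log format and the sample lines are constructed for illustration. The S3 and CloudFront hosts are shared infrastructure, so only their full URLs are matched, not the hosts alone.

```python
"""Match the RedHook indicators listed on this page against log lines.

Added example; not code from the original report. The indicator values are
the ones listed above; the log format and sample lines are constructed.
"""
import re
from urllib.parse import urlparse

# Indicators copied from the page, kept in their defanged form.
DEFANGED_DOMAINS = [
    "adsocket[.]e13falsz.xyz",
    "api9[.]iosgaxx423.xyz",
    "skt9[.]iosgaxx423.xyz",
    "api5[.]jftxm.xyz",
]
DEFANGED_URLS = [
    "nfe-bucketapk[.]s3.ap-southeast-1.amazonaws.com/SBV.apk",
    "sbvhn[.]com/",
    "dzcdo3hl3vrfl.cloudfront[.]net/Chinhphu.apk",
]
SHA256_HASHES = {
    "0ace439000c8c950330dd1694858f50b2800becc7154e137314ccbc5b1305f07",
    "ebc4bed126c380cb37e7936b9557e96d41a38989616855bb95c9107ab075daa3",
}


def refang(indicator: str) -> str:
    """Turn '[.]' back into '.' and lower-case so it matches log text."""
    return indicator.replace("[.]", ".").lower()


C2_DOMAINS = {refang(d) for d in DEFANGED_DOMAINS}

# Split the URL indicators: a bare domain becomes a host indicator, anything
# with a path is matched as a full URL (the S3/CloudFront hosts are shared).
DISTRIBUTION_HOSTS = set()
DISTRIBUTION_URLS = set()
for _u in DEFANGED_URLS:
    _parsed = urlparse("https://" + refang(_u))
    if _parsed.path in ("", "/"):
        DISTRIBUTION_HOSTS.add(_parsed.hostname)
    else:
        DISTRIBUTION_URLS.add(_parsed.hostname + _parsed.path)

# Hostname-like tokens (at least one dot, alphabetic TLD) and SHA-256 digests.
HOST_RE = re.compile(r"\b((?:[a-z0-9-]+\.)+[a-z]{2,})\b")
SHA256_RE = re.compile(r"\b[0-9a-f]{64}\b")


def matches_c2(hostname: str) -> bool:
    """True for a listed C2 domain or any subdomain of one (not the parent)."""
    h = hostname.lower().rstrip(".")
    return any(h == d or h.endswith("." + d) for d in C2_DOMAINS)


def scan_line(line: str) -> list:
    """Return (kind, value) tuples for every indicator found in one log line."""
    hits = []
    lowered = line.lower()
    for url in DISTRIBUTION_URLS:
        if url in lowered:
            hits.append(("distribution_url", url))
    for host in HOST_RE.findall(lowered):
        if matches_c2(host):
            hits.append(("c2_domain", host))
        elif host in DISTRIBUTION_HOSTS:
            hits.append(("distribution_host", host))
    for digest in SHA256_RE.findall(lowered):
        if digest in SHA256_HASHES:
            hits.append(("sha256", digest))
    return hits


def scan_log(lines) -> dict:
    """Map 1-based line numbers to hits for lines containing any indicator."""
    findings = {}
    for n, line in enumerate(lines, start=1):
        hits = scan_line(line)
        if hits:
            findings[n] = hits
    return findings


# Constructed sample log: DNS, proxy, file-scan and WebSocket events.
SAMPLE_LOG = [
    "2025-08-01T09:12:03Z dns query=api9.iosgaxx423.xyz type=A client=10.0.0.5",
    "2025-08-01T09:12:09Z proxy GET https://dzcdo3hl3vrfl.cloudfront.net/Chinhphu.apk 200 client=10.0.0.5",
    "2025-08-01T09:13:44Z dns query=updates.example.com type=A client=10.0.0.7",
    "2025-08-01T09:15:20Z file sha256=0ace439000c8c950330dd1694858f50b2800becc7154e137314ccbc5b1305f07 path=/sdcard/Download/SBV.apk",
    "2025-08-01T09:16:02Z ws connect wss://adsocket.e13falsz.xyz/ws client=10.0.0.5",
]

if __name__ == "__main__":
    for n, hits in scan_log(SAMPLE_LOG).items():
        print(n, hits)
```

Hash and URL matches are high confidence; a DNS query for a C2 subdomain is worth an alert on its own, while a hit on the shared CDN or S3 host without the full path is deliberately not flagged, to avoid false positives on legitimate traffic.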
Read more: https://cyble.com/blog/redhook-new-android-banking-targeting-in-vietnam/