Monday, June 24, 2024

Iranian Mobile Banking Malware Steal Login Credentials & Steal OTP Codes

An Android malware campaign was previously discovered that distributed banking trojans targeting four major Iranian Banks: Bank Mellat, Bank Saderat, Resalat Bank, and Central Bank of Iran. 

There were 40 credential-harvesting applications circulated on Cafe Bazaar between December 2022 and May 2023.

These applications mimicked the legitimate versions of the banking applications for stealing login credentials, credit card information, and SMS OTP codes.

However, recent research found that there were 245 of these applications which were not reported during the previous research.

28 out of these 245 applications were able to evade VirusTotal scanning. The samples of these applications were linked with the same threat actors.

Protect Your Storage With SafeGuard

Is Your Storage & Backup Systems Fully Protected? – Watch 40-second Tour of SafeGuard

StorageGuard scans, detects, and fixes security misconfigurations and vulnerabilities across hundreds of storage and backup devices.

Capabilities of these New Variants

The new applications were found with several new capabilities, like checking the presence of other applications, and seemed to have expanded their targets to new banks.

Nevertheless, the applications are still under development by the malware developers as these new capabilities tend to expand their attack.

In addition to this, the applications also collected information about several cryptocurrency wallet applications. There are high possibilities that crypto wallets could be their future target.

Accessibility Service Abuse and Data Exfiltration

Furthermore, these applications were also found to be utilizing accessibility services for overlaying screens intended to harvest login credentials and credit card details.

They also abused other accessibility services such as Auto Grant of SMS permissions, preventions of uninstallation, and search & click of UI elements.

Code containing Telegram channel ID (Source: Zimperium)
Code containing Telegram channel ID (Source: Zimperium)

As part of exfiltrating the data, some of the C2 servers were found to be consisting of a PHP source that had Telegram channel IDs and bot tokens. The threat actors also used GitHub to share the final C&C URL.

Furthermore, a complete report about these malware and variants has been published, which provides detailed information about the attack vectors, their source code, indicators of compromise, and other information.

Experience how StorageGuard eliminates the security blind spots in your storage systems by trying a 14-day free trial.


Latest articles

Threat Actor Claiming a 0-day in Linux LPE Via GRUB bootloader

A new threat actor has emerged, claiming a zero-day vulnerability in the Linux GRUB...

LockBit Ransomware Group Claims Hack of US Federal Reserve

The notorious LockBit ransomware group has claimed responsibility for hacking the U.S. Federal Reserve,...

Microsoft Power BI Vulnerability Let Attackers Access Organizations Sensitive Data

A vulnerability in Microsoft Power BI allows unauthorized users to access sensitive data underlying...

Consulting Companies to Pay $11 Million Failing Cybersecurity Requirements

Two consulting companies, Guidehouse Inc. and Nan McKay and Associates, have agreed to pay...

New RAT Malware SneakyChef & SugarGhost Attack Windows Systems

Talos Intelligence has uncovered a sophisticated cyber campaign attributed to the threat actor SneakyChef....

Chinese Winnti Group Intensifies Financially Motivated Attacks

Hackers are increasingly executing financially motivated attacks and all due to the lucrative potential...

PrestaShop Website Under Injection Attack Via Facebook Module

A critical vulnerability has been discovered in the "Facebook" module (pkfacebook) from for...
Eswar is a Cyber security content editor with a passion for creating captivating and informative content. With years of experience under his belt in Cyber Security, he is covering Cyber Security News, technology and other news.

Free Webinar

API Vulnerability Scanning

71% of the internet traffic comes from APIs so APIs have become soft targets for hackers.Securing APIs is a simple workflow provided you find API specific vulnerabilities and protect them.In the upcoming webinar, join Vivek Gopalan, VP of Products at Indusface as he takes you through the fundamentals of API vulnerability scanning..
Key takeaways include:

  • Scan API endpoints for OWASP API Top 10 vulnerabilities
  • Perform API penetration testing for business logic vulnerabilities
  • Prioritize the most critical vulnerabilities with AcuRisQ
  • Workflow automation for this entire process

Related Articles