
‘InTheBox’ Web Injects Targeting Android Banking Applications Worldwide

Technical Analysis of the Web Injects in Android Botnet Operations

Cyble Research and Intelligence Labs (CRIL) has been observing the activities of the Threat Actor/Group dubbed ‘InTheBox’, predominantly active on a Russian-language cybercrime forum. This Threat Actor has been expanding the inventory of their Tor-based online shop with ready-to-sell web injects compatible with various Android banking malware families, offered at low prices with lucrative discounts.

They offered injects intended to target retail banking, mobile payment services, cryptocurrency exchanges, and mobile e-commerce applications operated by major organizations in Australia, Brazil, India, Indonesia, Japan, Kuwait, Malaysia, Philippines, Qatar, Saudi Arabia, Singapore, Thailand, United States and various other countries in Europe and Asia.

This blog provides a comprehensive overview of the shop, the standard framework of the web injects on offer, and the indicators of compromise observed where these web injects were used in recent Android malware operations.

About ‘InTheBox’

InTheBox has been a verified seller of Android mobile application web injects since February 2020 and operates a Tor-based online shop for the automated sale of web injects. The shop makes purchasing web injects straightforward and advertises lucrative discounts to attract sales. Registration on the Tor website was initially free but now requires a one-time registration fee.

“An Android web inject is a custom module for any banking malware, developed for harvesting credentials and sensitive data from specific applications. It uses an overlay interface disguised as the legitimate mobile application interface. This technique has attack vectors similar to those of a Man-in-the-Browser (MITB) attack.”

At the time of penning the blog, the shop listed the following pricing for unlimited web inject packages:

  • 814 web injects compatible with Alien, Ermac, Octopus, and MetaDroid for USD 6,512
  • 495 web injects compatible with Cerberus for USD 3,960
  • 585 web injects compatible with Hydra for USD 4,680

The price for individual web injects has been reduced from USD 50 to USD 30 each. It is worth mentioning that InTheBox also offers custom web inject development for any banking malware bot.

Initially, InTheBox listed web injects targeting organizations in the US, Australia, and South America but later expanded their scope to 44 countries.

Figure 1: Tor-based Online Shop InTheBox

Android web injects targeting popular social media mobile applications were also listed on sale and were last updated on October 24, 2022.

Detailed Observations & Analysis

The web injects offered by InTheBox are usually delivered in a compressed archive consisting of an app icon in PNG format and an HTML file. The HTML file comprises JavaScript code that collects credentials and data through a malicious overlay interface imitating the input form of the disguised mobile application.

Technical Analysis

After thorough sample analysis of a web inject compatible with the Alien, Ermac, Octo, and MetaDroid banking malware, which was targeting an Asian mobile banking app, we found that the injection begins with an overlay interface prompting the infected user to enter mobile banking credentials such as user ID, password, and mobile number.

After these credentials are submitted, it loads the next overlay interface, which deceives the user into entering the credit card number, expiry date, and CVV, information that is not necessarily a required input in the legitimate application.

Figure 2: Overlay interface mimicking an Asian bank mobile banking login (L) and credit card phishing page (R)

Figure 3: HTML codes used for designing overlay interfaces.

The analysis of the JavaScript code in the HTML file targeting the Asian bank also illustrated the following set of common procedures observed in their web injection modules:

Figure 4: Fetch credentials

Figure 5: Checking the congruency of the data

Figure 6: Validating credit card numbers

Figure 7: Sending the data to the C&C server
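The four procedures above (credential fetch, congruency checks, card-number validation, and exfiltration to a C&C gate) leave recognisable traces in the HTML file itself. The following static triage script is an added example written for this post, not code from Cyble or from the injects analysed; its heuristic names and the constructed sample HTML are assumptions, and only the `/uadmin/gate.php` path comes from the analysis.

```python
"""Static triage of a JS-embedded HTML file for Android web-inject traits.

Added example (not Cyble's or InTheBox's code). The heuristics mirror the
four procedures the analysis lists: credential fetch, data congruency
checks, card-number validation (a mod-10 check) and exfiltration to a
gate.php C&C endpoint.
"""
import re

# Each heuristic is (constructed label, compiled regex over the raw HTML).
HEURISTICS = [
    ("credential_fields", re.compile(r'type=["\']password["\']', re.I)),
    ("card_fields", re.compile(r'(cvv|cvc|card.?number|expir)', re.I)),
    ("luhn_validation", re.compile(r'%\s*10\s*(==|===)\s*0')),
    ("gate_exfil", re.compile(r'gate\.php', re.I)),
    ("http_send", re.compile(r'(XMLHttpRequest|fetch\s*\(|\.send\s*\()')),
]

def triage_html(html: str) -> dict:
    """Return which traits matched plus an overall 'suspicious' verdict."""
    hits = {name: bool(rx.search(html)) for name, rx in HEURISTICS}
    score = sum(hits.values())
    # Card-data fields combined with a gate.php endpoint is the strongest
    # signal; otherwise require most traits to co-occur.
    hits["suspicious"] = (hits["gate_exfil"] and hits["card_fields"]) or score >= 4
    return hits

# Constructed sample carrying the traits of an overlay inject; it is a
# test fixture for the scanner, not a real inject.
SAMPLE = """<html><body>
<form id="login"><input name="user"><input type="password" name="pass">
<input name="cardnumber"><input name="cvv"></form>
<script>
function luhn(n){var s=0,a=false;for(var i=n.length-1;i>=0;i--){var d=+n[i];
if(a){d*=2;if(d>9)d-=9;}s+=d;a=!a;}return s%10==0;}
function send(d){var x=new XMLHttpRequest();x.open("POST","/uadmin/gate.php");x.send(d);}
</script></body></html>"""

if __name__ == "__main__":
    print(triage_html(SAMPLE))
```

Run it over every HTML file extracted from an inject archive; a benign page with a login form alone scores low, while the card fields plus gate endpoint combination is what flags the overlay.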

Usage in Recent Malware Operations

Analysis of the JavaScript function calls in InTheBox injects revealed a similar JS-embedded HTML Android web inject developed to harvest credentials from a Brazilian Android banking application. However, no C&C infrastructure-related information was found.

Further, it was observed that the same function calls were used in another Android web inject targeting a Spanish bank's mobile application, observed in January 2023. The JavaScript in this web inject was communicating with a Command-and-Control (C&C) server at http[:]//194[.]180[.]174[.]127/uadmin/gate.php, hosted at MivoCloud SRL, a Moldovan offshore hosting service.

The same Spanish bank mobile application was also targeted recently by another web inject that communicated with the C&C server at http[:]//85[.]31[.]46[.]136/uadmin/gate.php, hosted by Namecheap.
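Both injects post harvested data to the same `/uadmin/gate.php` panel path on different hosts, so network-side detection can match the known C&C addresses and, separately, the panel path on hosts not yet listed. The script below is an added example for this post (not Cyble's tooling); the log-line format and the log entries are constructed, and the two IPs and the gate path are the ones named above.

```python
"""Scan web-proxy log lines for beaconing to the gate.php C&C endpoints.

Added example (not from the original post). The two addresses and the
/uadmin/gate.php path are those named in the analysis (defanged there,
normalised here); the log format and entries are constructed samples.
"""
import re
from typing import Optional
from urllib.parse import urlsplit

KNOWN_C2 = {"194.180.174.127", "85.31.46.136"}
GATE_PATH = "/uadmin/gate.php"

# Constructed proxy-log layout: timestamp client method url status
LOG_RX = re.compile(r"^(\S+) (\S+) (\S+) (\S+) (\d{3})$")

def classify(line: str) -> Optional[str]:
    """Return 'known_c2', 'gate_pattern' or None for one log line."""
    m = LOG_RX.match(line.strip())
    if not m:
        return None
    _, _, method, url, _ = m.groups()
    parts = urlsplit(url)
    if parts.hostname in KNOWN_C2:
        return "known_c2"        # exact indicator match
    if method == "POST" and parts.path.endswith(GATE_PATH):
        return "gate_pattern"    # same panel layout on an unlisted host
    return None

def scan(lines):
    """Return (line, verdict) pairs for every line that matches."""
    return [(ln, v) for ln in lines if (v := classify(ln)) is not None]

# Constructed sample log; 203.0.113.9 is a documentation (TEST-NET) address.
SAMPLE_LOG = [
    "2023-01-12T10:02:11Z 10.0.0.5 POST http://194.180.174.127/uadmin/gate.php 200",
    "2023-01-12T10:02:40Z 10.0.0.5 GET https://example.com/index.html 200",
    "2023-01-12T10:03:02Z 10.0.0.7 POST http://203.0.113.9/uadmin/gate.php 200",
]

if __name__ == "__main__":
    for line, verdict in scan(SAMPLE_LOG):
        print(verdict, "<-", line)
```

The path heuristic catches injects that reuse the panel layout on new infrastructure, which is exactly how the two Spanish-bank injects differed from each other.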

A few other similar instances were identified for which the IoCs are enclosed.

Figure 8: VT Graph of the aforementioned web inject files


Relation to Historical Android Malware Campaigns

  1. The same functions were also found in an Executable and Linkable Format (ELF) file associated with the ‘The Coper’ Android banking malware campaigns, which were predominantly active during 2021 and targeted Colombian banks. Further research revealed a similar web inject in the wild, which was also associated with a malicious campaign.
  2. Open-source research revealed that the standard function calls in the aforementioned JavaScript were also used in an overlay attack module of an ‘Alien’ Android malware operation identified by a security researcher in September 2022.

Our Recommendations

We have listed essential cybersecurity best practices that create the first line of control against attackers. We recommend that our readers follow the best practices given below:

  • Download and install software only from official app stores like Play Store or the iOS App Store.
  • Install licensed Anti-viruses and keep them updated.
  • Avoid opening any links received via messages or emails from unverified recipients on your phone.
  • Ensure that Google Play Protect is enabled on Android devices.
  • Be careful while granting any permissions.
  • Keep your devices, operating systems, and applications updated.
  • Review the security features provided in the latest updates, and be wary if an application prompts for additional permissions or for inputs such as payment card details that it did not previously require.
  • As part of troubleshooting, perform a factory reset, or remove the application if a factory reset is not possible.
  • Banks and other financial entities should educate customers on safeguarding themselves from malware attacks via telephone, SMS, or emails.

References

https://otx.alienvault.com/pulse/60fa8321254ba0501adc5ede/

https://muha2xmad.github.io/malware-analysis/alien/#overlay-attack
