Technical Analysis of the Web Injects in Android Botnet Operations
Cyble Research and Intelligence Labs (CRIL) has been observing the activities of the Threat Actor/Group dubbed ‘InTheBox’, predominantly active on a Russian language cybercrime forum. This Threat Actor has been expanding their inventory at their Tor-based online shop with ready-to-sale web injects that are compatible with various Android banking malware at inexpensive prices and lucrative discounts.
They offered injects intended to target retail banking, mobile payment services, cryptocurrency exchanges, and mobile e-commerce applications operated by major organizations in Australia, Brazil, India, Indonesia, Japan, Kuwait, Malaysia, Philippines, Qatar, Saudi Arabia, Singapore, Thailand, United States and various other countries in Europe and Asia.
This blog provides a comprehensive overview of the shop, the standard framework of the web injects on offer, and its indicators of compromise, observed in the usage of these web injects in recent Android malware operations.
About ‘InTheBox’
InTheBox has been a verified seller of Android mobile application web injects since February 2020 and operates a Tor-based online shop for the automated sale of web injects. The shop offers an easy-to-go purchase of web injects and shares lucrative discounts to attract sales. Thetor website was initially free for registration but now requires a one-time registration fee.
“An Android web inject is a custom module for any banking malware, developed for harvesting credentials and sensitive data from specific applications, uses an overlay interface disguising as a legitimate mobile application interface. This technique has similar attack vectors of a Man-in-the-Browser (MITB) attack.”
At the time of penning the blog, the shop listed the following pricing for unlimited web inject packages:
- 814 web injects compatible with Alien, Ermac, Octopus, and MetaDroid for USD 6,512
- 495 web injects compatible with Cerberus for USD 3,960
- 585 web injects compatible with Hydra for USD 4,680
The price for individual web injects has been reduced from USD 50 to USD 30 each. It is worth mentioning that InTheBox also offers custom web inject development for any banking malware bot.
Initially, InTheBox listed web injects targeting organizations in the US, Australia, and South America but later expanded their scope to 44 countries.
Android web injects targeting popular social media mobile applications were also listed on sale and were last updated on October 24, 2022.
Details Observations & Analysis
The web injects offered by InTheBox, are usually delivered in a compressed archive consisting of an app icon in PNG format and an HTML file. The HTML file comprises of JavaScript code for the collection of credentials and data using a malicious overlay interface of the disguised mobile application input form.
Technical Analysis
After thorough sample analysis of a web inject compatible with Alien, Ermac, Octo, and MetaDroid banking malware which was targeting an Asian mobile banking App, we found that the injection begins with an overlay interface prompting an infected user to enter mobile banking credentials such as user ID, password and mobile number.
After these credentials are submitted, it loads the next overlay interface, which deceives the user into entering the credit card number, expiry date, and CVV information, which may not be a required input in the legitimate application.
The analysis of the JavaScript code in the HTML file targeting the Asian bank also illustrated the following set of common procedures observed in their web injection modules:
Usage in Recent Malware Operations
Analysis of the Javascript call functions in InTheBox injects, revealed a similar JS-embedded HTML android web inject developed to harvest credentials from a Brazilian Android banking application. However, no C&C infrastructure-related information was found.
Further, it was observed that the same call functions were used in another Android web inject targeting an Spanish bank mobile application, that was observed in January 2023. The Javascript in the web inject was communicating with a Command-and-Control (C&C) server at http[:]//194[.]180[.]174[.]127/uadmin/gate.php hosted at MivoCloud SRL, a Moldovan offshore hosting service.
The same Spanish bank mobile application was also targeted in the recent by another web inject that communicated with the C&C server at http[:]//85[.]31[.]46[.]136/uadmin/gate.php hosted by Namecheap.
A few other similar instances were identified for which the IoCs are enclosed.
| Indicators | Indicator Types | Description |
| a5c35d51b125c65678d49757b1767f95bc57567d226cf086874a6769031cac2e | SHA-256 | JS-Embedded HTML File |
| hxxp://194.180.174.127/ | IP Address | C2 Server |
| d30e68986780b1986daab6d0b617f2cc0435d6a37e0781ecc78b962b81056bc8 | SHA-256 | JS-Embedded HTML File |
| 2e6c700a8ec012f8b001ef39f91e6ff0909be265db9c84be43304c9540cb9326 | SHA-256 | JS-Embedded HTML File |
| 5e7b6a669ab5fd1ab271c9c9f6b0202d9cef57bf0ba95fb1ee439ba4b687db21 | SHA-256 | JS-Embedded HTML File |
| hxxp://199.192.26.165/ | IP Address | C2 Server |
| 93b26b301bb09d23dfdc2d429d953b2cbd74c223b3b0854ca535451422297c6f | SHA-256 | JS-Embedded HTML File |
| hxxp://85.31.46.136/ | IP Address | C2 Server |
| 1f306dd73b5fcf4414b7d4e91411ad0089153382c417eb4385edc2f2a162e55b | SHA-256 | JS-Embedded HTML File |
Relation to Historical Android Malware Campaigns
- The same functions were also found in an Executable and Linkable File (ELF) that was associated with the ‘The Coper’ android banking malware campaigns, which was predominantly active during 2021 targeting Columbian banks. Further research revealed a similar web inject in the wild, which was also associated with a malicious campaign.
- Open-source research revealed that the standard function calls in the aforementioned JavaScript were also used in an overlay attack module of an ‘Alien’ android malware operation identified by a security researcher in September 2022.
| Indicators | Indicator Types | Description |
| e36dbc3cc4e8eb3e551b7dcd8f071d3880f7705708d764281106b540c8196dc0 | SHA-256 | ELF File (The Coper Android Bot) |
| ea4960b84756fd82fe43cb2cffdbe464df6dd4d48aa10d1cefe38aa8ac6eb44d | SHA-256 | APK File |
| 603fcae1ef4062087e0e09aa377c03fcc8bbd6f3db443717957f1bfe8c4a4dae | SHA-256 | Payload |
| hxxp://185.255.131.145/ | IP Address | C&C Server |
Our Recommendations
We have listed essential cybersecurity best practices that create the first line of control against attackers. We recommend that our readers follow the best practices given below:
- Download and install software only from official app stores like Play Store or the iOS App Store.
- Install licensed Anti-viruses and keep them updated.
- Avoid opening any links received via messages or emails from unverified recipients on your phone.
- Ensure that Google Play Protect is enabled on Android devices.
- Be careful while enabling any permissions.
- Keep your devices, operating systems, and applications updated.
- Ascertain security features provided in the latest updates and if the application is prompting for additional permissions and inputs such as payment card details.
- As part of troubleshooting, perform a factory reset and remove the application in case a factory reset is not possible.
- Banks and other financial entities should educate customers on safeguarding themselves from malware attacks via telephone, SMS, or emails.
References
https://otx.alienvault.com/pulse/60fa8321254ba0501adc5ede/
https://muha2xmad.github.io/malware-analysis/alien/#overlay-attack
Comments are closed.