Cyble-Patanjali-Users-Targeted-Via-Phishing-Malware

Phishing pages used for Malware Delivery

Fake Patanjali Yoga Gram Payment Page delivers SMS stealer malware  

Patanjali Yoga Gram is a center in India that provides holistic treatment through the integrated use of Yoga, Naturopathy, herbs, and medicinal plants.

During our routine Open-Source Intelligence (OSINT) research, Cyble Research Labs came across a Twitter post wherein researchers have mentioned a Phishing URL that is also used to deliver SMS stealer malware.

Our analysis found that the Threat Actors (TAs) have hosted phishing pages where they pretend to assist users with failed Patanjali Yoga Gram Registration or payment issues.

These TAs further exploit these pages by stealing sensitive banking information such as card details, net banking credentials, etc., and dropping an APK file capable of stealing incoming SMSs and sending them to a number provided by the TA’s server without the victim’s knowledge.

Technical Analysis

Cyble Research Labs believes that the user could have received a spam email containing the phishing URL that steals sensitive banking information and would serve to deliver the malware to unsuspecting users.

When a user first visits the URL: hxxps://srqc[.]online/, they will see a page with the Patanjali logo and a form that requests the patient’s full name, failed transaction type (i.e., ATM card, net banking), and registered mobile number. Refer to Figure 1.

Figure 1 – Requesting User’s Information

While monitoring the traffic, we identified that these details were being uploaded to the server through URL: hxxps://srqc[.]online/controller/api/common/insert2.php, as shown in the below figure.

Figure 2 – User Information Sent to the Server

As this malicious activity is based on the Patanjali Yoga Gram payment process, in this phase, it redirects to a page where it asks users to confirm the refund mode for online money transfer. Refer to Figure 3.

Figure 3 – Refund Type

In the next stage, the malware asks for banking information such as card details or net-banking credentials as per the user’s selection and uploads them to the server through URL: hxxps://srqc[.]online/controller/api/common/update.php as shown in Figures 4 & 5.

Figure 4 – Banking Information being requested
Figure 5 – Uploads the Banking Details to the Server

After the user has provided card details such as card number, expiry date, and CVV, the malware also requests and uploads the PIN for these cards. Refer to Figures 6 & 7.

Figure 6 – Requests for PIN

Figure 7 – Uploads PIN to the Server

After gaining access to these banking credentials, the malware drops an Android APK with the name “Customer_Support’ from the server URL: hxxps://srqc[.]online/Customer_Support.apk, as shown in the below figure.

Figure 8 – Drops APK File

The malware also requests for the OTP sent by the banks to the user’s registered mobile number or email ID and sends it to the server, as shown in Figures 9 & 10.

Figure 9 – Requests for OTP

Figure 10 – Sends OTP to the Server

APK Analysis

While analyzing the dropped APK file, we observed it has a package name that contains a string related to a major international bank. This leads us to believe that the TAs could possibly also be involved in other malicious activities related to various banks.

APK Metadata Information

  • App Name:  Customer Support
  • Package Name: com.helpdev.[redacted]_support
  • SHA256 Hash: 87a9b872cd82d56f02632949a5af82f700125692f5f1561c088b5ace317b5abf

Figure 11 shows the metadata information of an application.

Figure 11 – App Metadata Information

The figure below shows the application icon and name displayed on the Android device.

Figure 12 – App Icon and Name

Manifest Description

The malware requests users for 8 different permissions, out of which it abuses 5. These dangerous permissions are listed below.

PermissionsDescription
READ_SMSAccess SMSs from the victim’s device.
RECEIVE_SMSIntercept SMSs received on the victim’s device
SEND_SMSAllows an application to send SMS messages.
READ_PHONE_STATEAllows access to phone state, including the current cellular network information, the phone number and the serial number of this phone, the status of any ongoing calls, and a list of any Phone Accounts registered on the device.
READ_PHONE_NUMBERSAllows read access to the device’s phone number

As shown below, we observed a defined launcher activity in the malicious app’s manifest file, which loads the application’s first screen.

Figure 13 – Launcher Activity

Source Code Review

During our analysis, we observed that the malware initially requests the users to allow the READ_SMS permission. After that, it hides its icon from the device’s screen.

The malware uses the code snippet shown in the below image to hide its icon from the device screen.

Figure 14 – Code to Hide Icon

The malware reads the incoming SMSs and sends their content to the number provided by the TA’s server. Refer to Figure 15.

Figure 15 – Code to Send Received SMS

The below code snippet shows that the malware sends the incoming SMSs to the number provided by the TAs.

Figure 16 – Sends Incoming SMSs to the Number

The below figure shows the open directory of TA’s website, which shows that TAs have been active since February 2022.

Figure 17 – Open Directory of TAs Website

Conclusion

Patanjali Yoga Gram provides treatment for various health issues and diseases through the integrated use of Yoga, Naturopathy, herbs, and medicinal plants. It is one of the largest providers of Ayurvedic/Yogic treatment in the world. Yoga is a set of physical, mental, and spiritual practices or disciplines that originated in ancient India and aims to control and still the mind as well as improve physical fitness. It has since gained popularity across the world.

The TAs behind this particular malware perform malicious activities to steal sensitive information to exploit the patients and users of Patanjali products; in this case, the attackers are stealing banking information. There is also the ever-present threat of TAs using this sensitive data to commit financial fraud and further propagate the malware to other devices.

Our Recommendations

We have listed some essential cybersecurity best practices that create the first line of control against attackers. We recommend that our readers follow the best practices given below:  

How to prevent malware infection?

  • Download and install software only from official app stores like Google Play Store or the iOS App Store.
  • Use a reputed anti-virus and internet security software package on your connected devices, such as PCs, laptops, and mobile devices.
  • Use strong passwords and enforce multi-factor authentication wherever possible.
  • Enable biometric security features such as fingerprint or facial recognition for unlocking the mobile device where possible.
  • Be wary of opening any links received via SMS or emails delivered to your phone.
  • Ensure that Google Play Protect is enabled on Android devices.
  • Be careful while enabling any permissions.
  • Keep your devices, operating systems, and applications updated.

How to identify whether you are infected?

  • Regularly check the Mobile/Wi-Fi data usage of applications installed on mobile devices.
  • Keep an eye on the alerts provided by Anti-viruses and Android OS and take necessary actions accordingly.

What to do when you are infected?

  • Disable Wi-Fi/Mobile data and remove SIM card – as in some cases, the malware can re-enable the Mobile Data.
  • Perform a factory reset.
  • Remove the application in case a factory reset is not possible.
  • Take a backup of personal media Files (excluding mobile applications) and perform a device reset.

What to do in case of any fraudulent transaction?

  • In case of a fraudulent transaction, immediately report it to the concerned bank.

What should banks do to protect their customers?

  • Banks and other financial entities should educate customers on safeguarding themselves from malware attacks via telephone, SMSs, or emails. 

MITRE ATT&CK® Techniques

TacticTechnique IDTechnique Name
Initial AccessT1476Deliver Malicious App via Other Mean.
Initial AccessT1444Masquerade as Legitimate Application
ExecutionT1575Native Code
CollectionT1412Capture SMS Messages

Indicators of Compromise (IOCs)  

IndicatorsIndicator TypeDescription
87a9b872cd82d56f02632949a5af82f700125692f5f1561c088b5ace317b5abfSHA256APK Targeting Patanjali Customers
ba434d1e60524b9fd47f229bcc342c20e577346aSHA1APK Targeting Patanjali Customers
1af3daa6e97082ba13524e960eb73135MD5APK Targeting Patanjali Customers
hxxps://srqc[.]online/URLServer URL Used to Upload Data and Drop Malicious APK

Scroll to Top