Fake Bank Apps Target Loan Applications With Infostealing RAT

Researchers have uncovered an information-stealing campaign that specifically targets legitimate Android users, with the goal of obtaining banking information. The attackers use duplicated versions of legitimate websites to trick individuals into visiting sites that infect their devices with infostealing RAT.

The attackers have targeted users in Thailand, Peru, and the Philippines, using a new type of RAT (remote access trojan) known as Gigabud, found Cyble Research & Intelligence Labs (CRIL).

When a user visits the fake website in search of a loan, they are prompted to download an app laced with this infostealing RAT. The app is linked to a command and control server that instructs it to steal and send information back to the server.

Infostealing RAT and loans

CRIL discovered a malicious campaign that uses an infostealing RAT to target only legitimate users on Android. Individuals are fooled by using infected websites that are duplicated versions of genuine websites like the Thai Airline – Thai Lion Air.

Once, the user looking for a loan accesses the fake website, they are shown instructions to download a trojanized application. This application connects with the command and control (C&C) server that sends instructions to the app to steal and send information back to the C&C.

Researchers have found Gigabud’s usage in Thailand since July 2022 which has spread to other countries ever since. However, it is interesting to note that the instances of its usage have remained undetected by antivirus software.

Fake bank apps and infostealing

The user would download the app as mentioned on the webpage such as the app of the bank it is impersonating.

Following this, the users would be shown a screen to enter their details such as mobile number and password, which would be stolen along with the other data from the device. The screen would reflect an error message as such the response code 400.

At this stage, the app would follow the instructions of the cybercriminal to check if the mobile number entered is genuine.

“The Gigabud uses a server-side verification process to filter targets from the invalid ones. This step is used to ensure that the invalid victims such as those from other countries or security researchers, etc. are not part of this campaign,” a CRIL team member told The Cyber Express.

Other details such as the target’s name, ID number, selected bank name, card details, etc. After registering, the user logs in which stage more information is stolen by Gigabud. It uses the OpenService which establishes the connection between the C&C server and the app. Users are lured with a fake loan contract into which additional user data is entered.

Researchers observed the final malicious activity at this final stage with the Real Name Authentication page showing on the screen which asks the user to click on the ‘click to activate button.’

Additional permissions are asked including screen recording, screen overlay, and appearing over other apps. Using these permissions, the app starts these activities without the consent of the user.

This latest Android malware sends screen recordings every second using the WebSocket connection as shown below:

(Source: Cyble)

Technical analysis of a sample app named BANCO De COMERCIO.apk found by CRIL

Metadata of Banco de comercio (Source: Cyble)

1. Package: com.cloud.loan
2. SHA256 Hash: a940c9c54ff69dacc6771f1ffb3c91ea05f7f08e6aaf46e9802e42f948dfdb66
3. C&C server: hxxp://bweri6[.]cc
4. Screen recordings are sent to this server: hxxp://8.219.85[.]91:8888/push-streaming?id=1234.
5. C&C server for taking commands: hxxp://bweri6[.]cc/x/command?token=&width=1080&height=1920
6. Action code 15 for asking banking details: “bankName”, “bankImg” and “bank_id”
7. Action code 5 is used for sending mobile numbers, and messages.
8. Action code 29 for sending bank card details and adding it to the clipboard.
9. The password is sent using the retrofit object.

Instances of detecting and addressing this campaign in 2022

Earlier, it was detected and notified by the Department of Special Investigation (DSI) Thailand in July 2022 with a warning. Then, the cybercriminals behind the campaign created spoofed or duplicated versions of Thailand’s DSI website.

The campaign was also detected by the Thailand Telecommunication sector Cert (TTC-Cert) in September. The TTC-Cert found malware associated with this campaign – Revenue.apk which was mentioned in their technical advisory.

Following the reporting by the TTC-Cert, the spread of the malware increased manifolds including the creation of several cloned websites and targeting users in Peru and the Philippines. Cybercriminals seem to be largely relying on fake icons from government agencies as shown below to win the trust of their targets:

(Source: Cyble)

Icons of websites that were found to be impersonated:

1. Shopee Thailand
2. Advice – IT company from Thailand
3. Banco de Comercio – Peruvian bank
4. Thai Lion Air – Thailand Airline
5. Kasikornbank Thailand
6. Sunat Thailand
7. Bureau of Internal Revenue Philippine
8. DSI – Department of Special Investigation Thailand