Injections for Japanese Banks in High Demand on the Russian Underground

In early June 2017, we detected a newly-opened thread on a closed forum in the Russian underground, where a forum member offered for sale what he described as injections for mobile Trojans.

According to the seller, these injections are compatible with all types of Android banking Trojans, and he further claimed to have at his disposal injections for various banks, social networks, payment systems and other online services. Japan was added to the list of the targeted banks several days after the initial sales thread was published.

In his post, the seller elaborates on the different services his injections can compromise, including banks in several countries, social networks, e-payment systems, etc. In total, 108 different apps are targeted.

Attack Method

Any buyer of these injections can implement them on all types of Android Trojans, according to the seller. The first step for a potential attacker would be to infect a mobile device with a banking Trojan (by a method of the attacker’s choice, such as malicious SMS, malicious links sent to the user’s email account, etc). Once infected, the malware will identify applications that are compatible with the injections. When one of these applications is launched, the second phase of the attack starts – an “overlay attack,” in which a customized phishing window opens whenever a targeted application is started on the device. This window will present the user with a screen that closely resembles the legitimate login page, as seen in the image below, and will attempt to harvest the user’s banking credentials.

The stages of a mobile injection attack
The stages of a mobile injection attack

Japanese Banks Targeted

As mentioned above, several days after the initial post, the seller updated his offer to include injections for two Japanese banks, targeting their official Android apps. We detected several screenshots uploaded by the seller where the injections (used for executing an overlay attack) for two Japanese banks were presented. By comparing the overlay pages to the original applications of these two organizations, we learned that the overlay pages were well-crafted and almost identical to the original.

On June 10, 2017, the seller added screenshots of three more injections for Japanese organizations to his sales threads, now including injections for five different Japanese banks. For obvious reasons, we will not disclose the names of the targeted banks. The updated package of injections for five Japanese banks costs $110.

The fake pages of Japanese banking applications
The fake pages of Japanese banking applications

We noticed there were a number of comments posted in the sales thread, signifying that several forum members have already purchased the injections. Their feedback was positive, indicating that the seller’s offer is most likely credible.

We asses that such injections could be widely used by threat actors present on these underground forums. Our assessment is based on several inferences, gleaned from the following:

  • The recent rise in interest among Russian threat actors regarding Japanese targets
  • The price of the injections – $40 for the two first injections, $110 for all five
  • The ease with which a threat actor can use these injections to compromise Japanese organizations. Of note, the majority of users do not generally install AV programs and other security software on their mobile devices, unlike on computers.

This finding relates closely to a worrying trend we detected in recent months:

Rise in the Trade of Mobile Trojans  

This sale offer, which is only one example of the vigorous activities taking place in various underground communities, comes on the backdrop of a more general trend gaining momentum in recent months – a rise in the development and trade of mobile banking Trojans. Currently, SenseCy’s analysts are monitoring the trade of at least four prominent banking Trojans for Android, in addition to several services for the creation of injections for these Trojans.

A prominent example in this context is the recently-released new version of the Exobot mobile Trojan (Exobot 2.0). This version was first offered for rent in early May for $2,400 per month, and has multiple capabilities, including:

  • Stealing credit card data from the victim – either manually launched and presented on the screen or triggered by opening specific apps
  • 120 injections for banks in several countries (Japan is not currently mentioned, albeit, as stated, it is possible to implement separately purchased injections, as explained above), and many more
  • USSD requests
  • Call redirection
  • Full control over SMS messages: interception, deletion and sending to any number/s
  • Blocking the home screen with a pre-defined web page
  • Blocking undesired apps – such as AV programs, device cleaners, etc

Exobot 2.0 is compatible with Android OS versions 4-7. However, the renter admits there are certain issues with overlay pages in Android 7. No root privileges are required for the Trojan functionality. All traffic between the infected device and the C&C server is encrypted and additional modules are available for rent, for extra payment:

  • SMS Deleter – $4,000
  • Contact Collector – for extracting all contacts saved on the infected device – $500
  • Socks 5 – TBD
  • SecureCard Stealer – TBD
  • OTP stealer (one-time-passwords) – TBD
Screenshots of Exobot 2.0 administration panel
Screenshots of Exobot 2.0 administration panel

Judging from the recent increase in the trade of mobile Trojans and the keen interest in Japanese organizations among Russian cybercriminals, we asses that this trend will only intensify in the near future.

Leave a Reply

Fill in your details below or click an icon to log in: Logo

You are commenting using your account. Log Out /  Change )

Google photo

You are commenting using your Google account. Log Out /  Change )

Twitter picture

You are commenting using your Twitter account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )

Connecting to %s