11:00 ET, 24 February 2014

Security researchers at InterCrawler discovered a Banking trojan which infected a large number of devices the Middle East belonging to Islamic Banks.

IntelCrawler cyber intelligence firm discovered a large fraud campaign against major Islamic banking institutions. The attackers have used a sizable mobile botnet, more than 27 000 intercepted SMS-messages were detected between April 2013 and Feb 2014, which puts many smart phone banking customers at risk.

 i1

The expert uncovered a malware which infected the mobile devices of banking customers to interfere with two factor authentication mechanisms implemented by the financial institutions. The malicious code, like any other similar banking trojan, is able to intercept OTP («One-Time-Password») token code used to validate user’s transactions and sent it to the bad actor who implemented several types of secured and encrypted notifications, including alerts through configured Jabber.

The attackers created a clone for a legitimate mobile banking app used by one of the principal Middle East financial banking institutions.

i2

File type: Zip archive data, at least v2.0 to extract

File name: ncbmtoken.apk

File size: 235454

MD5:  f629adcfbcdd4622ad75337ec0b1a0ff

SHA1:  b614696113212e4090eaae6b20bc22aad22651a0

SHA256: 66911ee32fc4777bb9272f9be9eb8970b39440768b612fbab4ac01d8e23f9aa1

Giving a look to the Android manifest file it is possible to find indication on the functions implemented by banking trojan authors, including complete SMS management.

 i3

The experts at InterCrawler reverse engineering the banking trojan code discovered that it sends specific callbacks to administrative panel of bad actors using strings «AaB03x».

 i4

In particular the includes information about the infected mobile device such as IMEI and IMSI used by malware authors to identify a specific user within the overall amount of data captured.

i5

All the OTP codes intercepted are aggregated in a user-friendly administrative console which also allows to upload a new design template of malicious applications, generate new malicious code samples and of course to manage all the infected devices.

“The functionality of the mobile banking trojan allowed it to intercept all the messages from mobile device using predefined signatures, keywords, and search rules providing a sophisticated search engine for the bad actor with alerting to bad actor to predefined number.” states the official post.

The most interesting feature appears to be the possibility to generate new mobile malware simply using pre-configured templates for popular applications. It’s clear that the feature allows malware authors to adopt a Software-as-a-Service model of sale giving the opportunity to differed group of cyber criminals to easily create and distribute their own malicious code under the different legends.

i6

i7

It’s not clear who is behind the attacks, according experts the attribution is not simply because of using keywords and domain names in various jurisdictions, which could be also used for targeted surveillance campaign against Eastern countries. The experts dubbed the banking trojan “mtoken-user7903.com”, the domain used for the attacks was created on 5th February along with the group of similar domain names such as “mtoken-user1034.com”, “mtoken-user3110.com”, “mtoken-user4901.com”, “mtoken-user7230.com”.

The investigators at Intercrawler have found many other similar domain names registered in October 2013 through NOW.CN, Todaynic.com, Inc is a Guangdong (China) based network company.

As explained in the post, it is possible that bad actors behind the malware platform are conducting also a large cyber espionage campaign.

“It seems to be, that for that time, the bad actors planned to create the resource with various fake mobile banking applications for token codes generation with name «mtokenapps.com» IntelCrawler’s analysts and intelligence officers have been monitoring the underground to try and determine the motivations behind such attacks. Beyond the clear financial greed of draining bank accounts, which these targets in oil rich nations would seem attractive, other political motives could also be an alternative.”

The Telecommunications Regulatory Authority (TRA) confirmed that the number of attacks has grown rapidly in the past three years, from 8,400 in 2010 up to 530,000 in the first quarter.  TRA also revealed to have detected more than half a million cyber attacks on UAE computer users in the first three months of 2013 year.

It’s easy to predict a further intensification of activities for bad actors in the area.

Pierluigi Paganini

(Editor-In-Chief, CDM)

 

rsa-logo