A sophisticated malware campaign dubbed “FinStealer” is actively targeting customers of a leading Indian bank through fraudulent mobile applications.
The malware, identified as Trojan.rewardsteal/joxpk, employs advanced tactics to steal banking credentials and personal information from unsuspecting users.
The malicious campaign operates through a suspicious website (motocharge[.]online) that distributes fake banking apps mimicking legitimate ones.
CYFIRMA analysts identified that the malware is built using Kotlin and exhibits sophisticated capabilities.
The capabilities include XOR-based string obfuscation to evade detection, a dual command-and-control (C2) infrastructure utilizing both IP-based servers (41.216.183.97) and Telegram bots, and advanced WebView exploitation for credential harvesting.
Core functionality of FinStealer
Technical analysis revealed the malware's core functionality through this critical code snippet:
```java
import java.io.ByteArrayOutputStream;

// String-decoding routine recovered from the sample. The step that follows the
// hex decoding (the XOR layer) is elided in the original report.
public class NPStringFog {
    public static String KEY = "npmanager";              // key used by the XOR layer
    private static final String hexString = "0123456789ABCDEF";

    public static String decode(String str) {
        // Each pair of hex digits becomes one byte: (high nibble << 4) | low nibble
        ByteArrayOutputStream baos = new ByteArrayOutputStream(str.length() / 2);
        for (int i = 0; i < str.length(); i += 2) {
            baos.write((hexString.indexOf(str.charAt(i)) << 4) | hexString.indexOf(str.charAt(i + 1)));
        }
        //... [obfuscation logic]
        return null; // placeholder only: the XOR/return step is elided in the report
    }
}
```
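The decoder below is an added analyst helper, not code from the CYFIRMA report or from the malware. It reproduces the hex nibble-pairing loop of `NPStringFog.decode` in Python and then strips the XOR layer; the report only states that the obfuscation is XOR-based with the key `npmanager`, so the exact XOR step (each byte XORed with the repeating key) is an assumption. The `decode_calls` helper and the decompiled fragment it scans are constructed for the example.

```python
import re

# Added analyst helper, not code from the report or the malware: reverses the
# hex-then-XOR string obfuscation described above. The hex step mirrors the
# nibble-pairing loop in NPStringFog.decode; the XOR step is an ASSUMPTION
# (the report elides it): each byte is XORed with the repeating key "npmanager".

HEX_DIGITS = "0123456789ABCDEF"   # same alphabet as the decompiled hexString
KEY = "npmanager"                 # KEY constant from the decompiled snippet


def hex_to_bytes(s: str) -> bytes:
    """Pair hex digits into bytes exactly as NPStringFog.decode does.

    The Java code calls hexString.indexOf(), which returns -1 for lowercase
    digits, so inputs are upper-cased here to be tolerant of either case.
    """
    if len(s) % 2:
        raise ValueError("hex string must have an even number of digits")
    out = bytearray()
    for i in range(0, len(s), 2):
        hi = HEX_DIGITS.index(s[i].upper())
        lo = HEX_DIGITS.index(s[i + 1].upper())
        out.append((hi << 4) | lo)
    return bytes(out)


def xor_with_key(data: bytes, key: str = KEY) -> bytes:
    """Repeating-key XOR; applying it twice restores the input."""
    kb = key.encode()
    return bytes(b ^ kb[i % len(kb)] for i, b in enumerate(data))


def decode(obfuscated: str, key: str = KEY) -> str:
    """Hex-decode, then strip the assumed XOR layer."""
    return xor_with_key(hex_to_bytes(obfuscated), key).decode("utf-8", errors="replace")


def encode(plain: str, key: str = KEY) -> str:
    """Inverse of decode(); used only to build fixtures for exercising the decoder."""
    return xor_with_key(plain.encode(), key).hex().upper()


CALL_RE = re.compile(r'NPStringFog\.decode\("([0-9A-Fa-f]+)"\)')


def decode_calls(decompiled_source: str, key: str = KEY) -> dict[str, str]:
    """Map every NPStringFog.decode("...") literal in decompiled source to its plaintext."""
    found = {}
    for m in CALL_RE.finditer(decompiled_source):
        try:
            found[m.group(1)] = decode(m.group(1), key)
        except ValueError:
            continue   # odd-length literal: not a real call, skip it
    return found


# Constructed stand-in for a decompiled fragment; the literals were produced with encode()
SAMPLE_SOURCE = (
    'String url = NPStringFog.decode("%s");\n'
    'String label = NPStringFog.decode("%s");\n'
) % (encode("https://example.invalid/api"), encode("credit card"))

if __name__ == "__main__":
    for hexlit, plain in decode_calls(SAMPLE_SOURCE).items():
        print(f"{hexlit} -> {plain!r}")
```

Run against real decompiler output, `decode_calls` gives a table of hex literal to recovered string, which is usually enough to locate the C2 URLs and the field names the stealer collects without stepping through the app in a debugger.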
The malware communicates with its C2 infrastructure through a Telegram bot (API key: 7754264825:AAEqSBGNuEbuMqnWFqN7E_SvhS5sy_IFjEE) to exfiltrate sensitive data including:
- Banking credentials
- Credit card details
- Personal identification information
Security researchers also discovered a critical vulnerability (CVE-2011-2688) in the C2 server, allowing SQL injection attacks through the mysql/mysql-auth.pl script in the mod_authnz_external module.
To protect against this threat, CYFIRMA recommends implementing advanced endpoint protection, monitoring for exploit-like behavior, conducting regular security audits of mobile applications, and blocking known malicious indicators of compromise (IOCs).
The following YARA rule can help detect the malware. Note that `$telegram_bot` ("/bot") and `$wix_webview` ("wixsite.com") are generic strings, so the `any of` condition will also fire on benign apps; scope the rule to APK files or tighten the condition before deploying it:
```yara
rule Bank_Fraud_App {
    meta:
        author = "CRT"
        description = "Detects fraudulent mobile apps impersonating Bank"
    strings:
        $telegram_bot = "/bot" ascii nocase
        // byte pattern for the ASCII string "lClCl credit card"
        $hex_pattern = { 6c 43 6c 43 6c 20 63 72 65 64 69 74 20 63 61 72 64 }
        $wix_webview = "wixsite.com" ascii nocase
    condition:
        any of ($telegram_bot, $hex_pattern, $wix_webview)
}
```
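Beyond scanning app packages, the C2 channels named in the report (the IP-based server and the Telegram Bot API) can be detected on the network side. The script below is an added example, not from the CYFIRMA report: it scans proxy log lines for contact with the reported C2 address and for calls to the Telegram Bot API, distinguishing exfiltration methods such as `sendMessage` and `sendDocument` from plain bot polling. The log format, client addresses and the bot token in the sample are constructed (the token is a placeholder, not the one from the report).

```python
import re
from dataclasses import dataclass

# Added detection example, not from the report: flags proxy-log lines that
# touch the C2 indicators named above. The IP is taken from the report; the
# log format, the client addresses and the bot token are CONSTRUCTED for
# illustration (the token is a placeholder, not the one in the report).

C2_IPS = {"41.216.183.97"}
# Telegram Bot API calls have the form https://api.telegram.org/bot<id>:<token>/<method>
TELEGRAM_BOT_RE = re.compile(r"api\.telegram\.org/bot(\d{8,12}):([A-Za-z0-9_-]{30,})/(\w+)")
# Methods that push data to the operator; getUpdates/getMe alone are only polling
EXFIL_METHODS = {"sendMessage", "sendDocument", "sendPhoto"}


@dataclass
class Alert:
    client: str
    reason: str
    detail: str


def parse_line(line: str):
    """Constructed log format: '<ts> <client_ip> <method> <url> <status>'."""
    parts = line.split()
    if len(parts) != 5:
        return None
    ts, client, method, url, status = parts
    return {"ts": ts, "client": client, "method": method, "url": url, "status": status}


def inspect(line: str) -> list[Alert]:
    """Return zero or more alerts for one log line."""
    rec = parse_line(line)
    if rec is None:
        return []
    alerts = []
    host = re.sub(r"^https?://", "", rec["url"]).split("/")[0].split(":")[0]
    if host in C2_IPS:
        alerts.append(Alert(rec["client"], "known C2 address", host))
    m = TELEGRAM_BOT_RE.search(rec["url"])
    if m:
        bot_id, token, method = m.groups()
        # Never copy the full bot token into the alert; a prefix/suffix is enough to correlate
        redacted = f"bot{bot_id}:{token[:4]}...{token[-4:]}"
        if method in EXFIL_METHODS:
            alerts.append(Alert(rec["client"], "Telegram bot exfil method", f"{redacted}/{method}"))
        else:
            alerts.append(Alert(rec["client"], "Telegram bot API contact", f"{redacted}/{method}"))
    return alerts


def scan(log_text: str) -> list[Alert]:
    """Scan a whole log; alerts come back in line order."""
    return [a for line in log_text.splitlines() if line.strip() for a in inspect(line)]


# Constructed sample log: one benign line, one C2 hit, one bot exfil call, one bot poll
SAMPLE_LOG = """\
2025-02-14T10:00:01Z 10.0.0.12 GET https://example.invalid/index.html 200
2025-02-14T10:00:05Z 10.0.0.45 POST http://41.216.183.97/upload 200
2025-02-14T10:00:09Z 10.0.0.45 POST https://api.telegram.org/bot1234567890:AAEXAMPLEPLACEHOLDERTOKEN0123456789/sendMessage 200
2025-02-14T10:00:12Z 10.0.0.77 GET https://api.telegram.org/bot1234567890:AAEXAMPLEPLACEHOLDERTOKEN0123456789/getMe 200
"""

if __name__ == "__main__":
    for a in scan(SAMPLE_LOG):
        print(f"{a.client}: {a.reason} ({a.detail})")
```

Telegram Bot API traffic is legitimate on many networks, so the "API contact" alert is a triage signal rather than a verdict; a client that both reaches the listed C2 address and calls a send method, as `10.0.0.45` does in the sample, is the combination worth escalating.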
Users are strongly advised to download banking applications only from official sources and verify app authenticity before installation.
The campaign remains active, with researchers monitoring new variants and attack vectors as they emerge.
IOCs: the report's indicator table was published as an image; the indicators named in the text are the distribution domain motocharge[.]online, the C2 address 41.216.183.97 and the Telegram bot token listed above.