Related Families: Elibomi, FakeReward, AxBanker, IcRAT, IcSpy
Verticals Targeted: Financial
Trend Micro recently reported on a phishing and Android malware campaign targeting clients of multiple banks in India. The campaign leverages multiple malware families, including Elibomi, FakeReward, AxBanker, IcRAT, and IcSpy.
- A large-scale phishing campaign targeted customers of multiple Indian banks.
- The malware used in the campaign included Elibomi, FakeReward, AxBanker, IcRAT, and IcSpy.
- While the other malware families have been in the wild for some time, FakeReward and AxBanker are novel malware families.
A large-scale phishing and Android malware campaign was recently observed targeting customers of seven financial institutions in India. One of the known attack vectors was an SMS message containing either a phishing link or a link to a malicious app download. Threat actors abused the logos, names, and affiliated brands and services of legitimate banks to create an elaborate phishing scheme.
The campaign leveraged at least five banking trojan malware families, including Elibomi, FakeReward, AxBanker, IcRAT, and IcSpy. While IcRAT, IcSpy, and Elibomi were previously active in the wild, FakeReward and AxBanker are newly discovered malware families.
Elibomi is an Android malware that has been active in the wild since at least 2020. It is used to steal PII and credit card information. In early 2022, Trend Micro researchers observed it being used in a phishing campaign targeting Indian banks. The new variant used in this campaign had a package name ending in iApp. Threat actors added functionality, including automated clicking, permission granting, and screenshot captures. Another Elibomi variant had a package name ending in iAssist. This variant used Firebase for C2 and used RDVerify to evade detection. It affects Android 12 and lower.
IcRAT is an Android banking malware. It was used to target customers of a particular bank at nearly the same time FakeReward was used to target the same bank. Trend Micro researchers also noticed an overlap of the phishing websites used by both malware families.
IcSpy requests SMS permissions and enables a debug option to allow the threat actors to access application data and run arbitrary code on affected Android versions. IcSpy uploads SMS messages to the C2.
FakeReward is an Android banking Trojan that requests SMS permissions upon launch. FakeReward collects all text messages sent to the device and sends them to the C2. It also sets up monitoring to listen to incoming SMS messages. Updated versions of FakeReward request notification permission to extract text messages. Multiple FakeReward variants were used in this campaign.
AxBanker is a banking Trojan targeting Indian banking customers since at least August 2022. The phishing website associated with this malware entices customers with a reward points system to convince them to download the app. AxBanker also requests SMS permissions and uses phishing pages to collect the victim’s personal data and credit card information.
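The behaviours described above (SMS permission requests, incoming-SMS monitoring, notification access in newer FakeReward builds, accessibility-driven auto-clicking in Elibomi, and IcSpy's debug option) all surface in an app's manifest. The following triage script is an added example, not PolySwarm's or Trend Micro's code; the manifest it parses is constructed for illustration and is not taken from any real sample.

```python
"""Flag manifest declarations that the campaign's banking trojans rely on.
Constructed example for defenders; the sample manifest is synthetic."""
import xml.etree.ElementTree as ET

ANDROID_NS = "{http://schemas.android.com/apk/res/android}"

# Legitimate Android APIs that the families described above abuse.
SMS_PERMS = {"android.permission.READ_SMS", "android.permission.RECEIVE_SMS"}
NOTIF_SVC = "android.permission.BIND_NOTIFICATION_LISTENER_SERVICE"
A11Y_SVC = "android.permission.BIND_ACCESSIBILITY_SERVICE"
SMS_RECEIVED = "android.provider.Telephony.SMS_RECEIVED"


def triage_manifest(xml_text: str) -> list[str]:
    """Return human-readable findings for a decoded AndroidManifest.xml."""
    root = ET.fromstring(xml_text)
    findings = []
    perms = {p.get(ANDROID_NS + "name") for p in root.iter("uses-permission")}
    if perms & SMS_PERMS:
        findings.append("requests SMS permissions: " + ", ".join(sorted(perms & SMS_PERMS)))
    app = root.find("application")
    if app is not None:
        if app.get(ANDROID_NS + "debuggable") == "true":
            findings.append("application is debuggable (runtime debugging allowed)")
        svc_perms = {s.get(ANDROID_NS + "permission") for s in app.iter("service")}
        if NOTIF_SVC in svc_perms:
            findings.append("declares a NotificationListenerService (can read SMS via notifications)")
        if A11Y_SVC in svc_perms:
            findings.append("declares an AccessibilityService (can auto-click and grant permissions)")
        actions = {a.get(ANDROID_NS + "name") for a in app.iter("action")}
        if SMS_RECEIVED in actions:
            findings.append("registers a receiver for incoming SMS")
    return findings


# Constructed manifest resembling a 'reward points' lure app; not a real sample.
SAMPLE_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.rewardapp">
  <uses-permission android:name="android.permission.RECEIVE_SMS"/>
  <uses-permission android:name="android.permission.READ_SMS"/>
  <uses-permission android:name="android.permission.INTERNET"/>
  <application android:debuggable="true">
    <service android:name=".NotifSvc"
             android:permission="android.permission.BIND_NOTIFICATION_LISTENER_SERVICE"/>
    <receiver android:name=".SmsRx">
      <intent-filter><action android:name="android.provider.Telephony.SMS_RECEIVED"/></intent-filter>
    </receiver>
  </application>
</manifest>"""

if __name__ == "__main__":
    for finding in triage_manifest(SAMPLE_MANIFEST):
        print("[!]", finding)
```

Run it against a manifest decoded with apktool or aapt; a single hit is not proof of malice, but the combination of SMS access, notification listening and a debuggable build on a supposed banking app warrants a closer look.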
PolySwarm has multiple samples associated with this campaign.
You can use the following CLI command to search for all Elibomi samples in our portal:
$ polyswarm link list -f Elibomi
You can use the following CLI command to search for all IcRAT samples in our portal:
$ polyswarm link list -f IcRAT
You can use the following CLI command to search for all IcSpy samples in our portal:
$ polyswarm link list -f IcSpy
You can use the following CLI command to search for all FakeReward samples in our portal:
$ polyswarm link list -f FakeReward
You can use the following CLI command to search for all AxBanker samples in our portal:
$ polyswarm link list -f AxBanker