📃Title: Fake E-shops on the prowl for banking credentials using Android malware
📅Date: 2022-04-06
🔗References:

Description

Cybercriminals are exploiting the growing popularity of online shopping by tricking potential victims into downloading malware, according to research by ESET security researchers in May 2022 and published in the International Security Journal.

🔖Rectifyq Taxonomies:

🔖MISP Galaxies:

  • producer="ESET"
  • target-information="Malaysia"
  • sector="Finance"
  • mitre-attack-pattern=['T1411', 'T1412', 'T1437', 'T1444', 'T1476']

MISP event uuid: 1fde6563-28ae-40bc-b7cc-4909f1aaf1aa

Indicators of Compromise (IoCs)

type,value,comment
domain, muapks.online, 'Malicious app impersonating Grabmaid service C2'
domain, m4apks.online, 'Malicious app impersonating Maria's Cleaning service C2'
domain, maid4uapks90.online, 'Malicious app impersonating Maid4u service C2'
domain, grabsapks.online, 'Malicious app impersonating MaidACall service C2'
domain, grabmyapks90.online, 'Malicious app impersonating MaidACall service C2'
domain, grabmaidsapks80.online, 'Malicious app impersonating YourMaid service C2'
ip-dst, 185.244.150.159, 'token2[.]club Distribution website'
domain, token2.club, 'token2[.]club Distribution website'
ip-dst, 194.195.211.26, 'grabamaid-my[.]online Distribution website'
domain, grabamaid-my.online, 'grabamaid-my[.]online Distribution website'
ip-dst, 172.67.177.79, 'maidacalls[.]online Distribution website'
domain, maidacalls.online, 'maidacalls[.]online Distribution website'
ip-dst, 172.67.205.26, 'petsmore[.]online & grabsapks[.]online & muapks[.]online Distribution website'
domain, petsmore.online, 'petsmore[.]online Distribution website'
ip-dst, 172.67.174.195, 'cleangmy[.]site Distribution website'
domain, cleangmy.site, 'cleangmy[.]site Distribution website'
domain, my-maid4us.site, 'my-maid4us[.]site Distribution website'
domain, yourmaid.online, 'yourmaid[.]online Distribution website'
ip-dst, 104.21.19.184, 'grabmyapks90[.]online C&C server'
ip-dst, 104.21.29.168, 'm4apks[.]online C&C server'
ip-dst, 172.67.208.54, 'maid4uapks90[.]online C&C server'
ip-dst, 172.67.161.142, 'grabmaidsapks80[.]online C&C server'
ip-dst, 2.57.90.16, 'puapks[.]online C&C server'
domain, puapks.online, 'puapks[.]online C&C server'
ip-dst, 124.217.246.203, '124.217.246[.]203:8099 C&C server'
ip-dst, 172.67.166.180, 'meapks[.]xyz C&C server'
domain, meapks.xyz, 'meapks[.]xyz C&C server'

Full IoCs available in Rectifyq's MISP.