A Copybara fraud campaign targets mobile banking users in Italy and Spain. VMX Labs discovered 39 malware samples impersonating prominent financial organizations in 11 domains. Bank users are deceived into installing Copybara malware using social engineering techniques. For instance, cybercriminals make their victims believe that suspicious activity is detected in their accounts, and they need to install an additional app from the bank as part of the standard security procedure. These latest Copybara samples attack 781 mobile apps, mostly for banking, and can perform overlay attacks on at least 425 apps.
Message for the Italian users:
Consente al sistema di proteggere il dispositivo, utilizza gli eventi di accessibilità per cercare i virus e bloccarli. (Consente al sistema di proteggere il dispositivo, utilizza gli eventi di accessibilità per cercare i virus e bloccarli).
Machine translation:
Allows the system to protect the device, uses accessibility events to scan for viruses and block them. (Allows the system to protect the device, uses accessibility events to scan for viruses and block them).
Message for the Spanish users:
Permite que el sistema proteja su dispositivo. Utiliza los eventos de accesibilidad para buscar virus y detenerlos. (Permite al sistema asegurar su dispositivo, Utiliza los eventos de accesibilidad para buscar virus y detenerlos).
Machine translation:
Allows the system to secure your device. Uses accessibility events to scan for and stop viruses. (Allows the system to secure your device, Uses accessibility events to scan for and stop viruses).
The latest samples support 62 commands, 59 of which were previously documented. The three new commands are listed below.
| New commands |
|---|
| hid_app_icno |
| downfildata |
| Send_Text_FromPKeyboard |
Exposing the Phishing Tactics
During this research, we also had the opportunity to explore the threat actor’s phishing infrastructure to understand their tactics in addition to the Copybara ABT distribution. We can report the following four adversarial tactics.
- The threat actor directs victims by phone (vishing) to a fake card-blocking website, where they enter their PINs and relay their debit/credit card's NFC traffic through their mobile phones.
- Victims are persuaded to create an emergency account and move their funds to this account to secure them. They are likely tricked into moving their funds to an attacker-controlled account. We found 16 Italian bank brands used in this scheme.
- The threat actor impersonates the Bizum mobile payment service supported by many mobile banking apps in Spain for its fraud operations. Unfortunately, this fake website was offline or not reachable at the time of our discovery.
- Interestingly, we found only one fake online banking login page hosted by this operation, and it targeted Postbank from Germany. This may indicate an interest in expanding into Germany.
Indicator of Compromise (IOC) List