Drinik Malware Has Returned With Enhanced Capabilities Targeting Indian Taxpayers
The Indian Computer Emergency Response Team (CERT-In) issued a warning in September of 2021 about a new malware strain that could potentially target Indian taxpayers and decided to alert customers of approximately 27 banks.
The Threat Actors (TA) behind this campaign were suspected of using Drinik malware. An early variant of Drinik malware first appeared in 2016 as a text-message stealer. The last time Drinik malware was observed was around August 2021, when it began infecting Android devices with banking trojans.
Researchers have monitored the various variations of the Drinik Android malware. According to a recent study, a masquerading income tax application targeted Indian taxpayers to steal Personally Identifiable Information (PII) and banking credentials using phishing attacks.
Several banks in India were recently targeted by a new version of Drinik that impersonates the Income Tax Department of India and compromises the devices of Indian users; the targets are named explicitly in the malicious APK file.
The TA reuses the same lure as before, but the malware has been upgraded with new features. The important features incorporated in the new variant, which make it an advanced threat, are listed below:
The malware variant communicates with the Command & Control (C&C) server hxxp://gia[.]3utilities.com, which is hosted on IP 198[.]12.107[.]13. Researchers confirmed that the earlier campaign also used the same IP for C&C communication, indicating that the Threat Actor (TA) behind both campaigns is the same. The image below shows the connection between the C&C IP address and the campaign in question.
Evolution Of Drinik:
Researchers identified three distinct variants of this malware last year. The first variant was observed in September 2021, when the malware used phishing pages to steal login credentials. Two further variants were identified in late 2022, introducing Screen Recording and Keylogging features. The image below shows the Drinik timeline and its features.
During our investigation, we found that the first variant uses a simple phishing page to steal banking credentials, whereas the second combines screen recording with the phishing technique.
Finally, the third variant loads the genuine income tax department's website and uses screen recording together with a keylogging function to steal the login credentials. The picture below shows the login page of the three different variants.
In this analysis, we take a look at the latest sample “iAssist.apk (86acaac2a95d0b7ebf60e56bca3ce400ef2f9080dbc463d6b408314c265cb523)” of Drinik malware observed on October 18, 2022, which has additional code for abusing the CallScreeningService.
By abusing this service, the malware can reject incoming calls without the user's knowledge. Additionally, the strings in the documentation file are encrypted to evade antivirus software, and the malware decrypts them at runtime with a custom decryption function. The image below shows the code snippet the malware uses to encrypt and decrypt the strings in the documentation file.
The new variant nevertheless has distinct capabilities, which is why we list all of its elements below:
Stealing User’s Data
In its latest release, this malware masquerades as an APK named iAssist, presented as the official tax-management application of the Indian Income Tax Department. Once installed, it requests access to the user's SMS messages, call logs, and external storage. On top of this, the user is asked to grant permission to read, send, and receive SMS messages.
The next step is to ask the user to grant the app permission to use the Accessibility Service. Once the permission is granted, it uses Google Play Protect to perform the following tasks:
Finally, the genuine Indian income tax website is loaded normally instead of a phishing page; the application is set up to capture the user's credentials through screen recording and keylogging.
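The permission and service combination described above (SMS read/send/receive, call logs, external storage, an Accessibility Service and a CallScreeningService binding) can be checked statically from a decoded AndroidManifest.xml. The following triage script is an added example, not code from the original article or the malware; the manifests it inspects are constructed and the scoring threshold is an assumption.

```python
"""Static triage of a decoded AndroidManifest.xml for the permission and
service combination the article attributes to the Drinik iAssist sample.
Added example with constructed sample manifests; not the article's code."""
import xml.etree.ElementTree as ET

ANDROID_NS = "http://schemas.android.com/apk/res/android"
NAME = f"{{{ANDROID_NS}}}name"
PERMISSION = f"{{{ANDROID_NS}}}permission"

# Indicators drawn from the article's description of the sample's behaviour.
SMS_PERMS = {"android.permission.READ_SMS", "android.permission.SEND_SMS",
             "android.permission.RECEIVE_SMS"}
CALL_LOG_PERM = "android.permission.READ_CALL_LOG"
STORAGE_PERM = "android.permission.READ_EXTERNAL_STORAGE"
# A service that binds an AccessibilityService / CallScreeningService must
# declare these system permissions on its <service> element.
ACCESSIBILITY_BIND = "android.permission.BIND_ACCESSIBILITY_SERVICE"
CALL_SCREENING_BIND = "android.permission.BIND_SCREENING_SERVICE"
SUSPICIOUS_THRESHOLD = 4  # assumption: four of five indicators together is rare for a benign app


def triage_manifest(manifest_xml: str) -> dict:
    """Return which Drinik-like indicators the manifest exhibits plus a score."""
    root = ET.fromstring(manifest_xml)
    perms = {e.get(NAME) for e in root.iter("uses-permission")}
    service_perms = {e.get(PERMISSION) for e in root.iter("service")}
    findings = {
        "sms_read_send_receive": SMS_PERMS <= perms,
        "call_log": CALL_LOG_PERM in perms,
        "external_storage": STORAGE_PERM in perms,
        "accessibility_service": ACCESSIBILITY_BIND in service_perms,
        "call_screening_service": CALL_SCREENING_BIND in service_perms,
    }
    findings["score"] = sum(int(v) for v in findings.values())
    findings["suspicious"] = findings["score"] >= SUSPICIOUS_THRESHOLD
    return findings


# Constructed manifest mimicking the described permission set (not the real sample).
SUSPECT_MANIFEST = f"""<manifest xmlns:android="{ANDROID_NS}" package="example.constructed.assist">
  <uses-permission android:name="android.permission.READ_SMS"/>
  <uses-permission android:name="android.permission.SEND_SMS"/>
  <uses-permission android:name="android.permission.RECEIVE_SMS"/>
  <uses-permission android:name="android.permission.READ_CALL_LOG"/>
  <uses-permission android:name="android.permission.READ_EXTERNAL_STORAGE"/>
  <application>
    <service android:name=".A11y" android:permission="{ACCESSIBILITY_BIND}"/>
    <service android:name=".Screen" android:permission="{CALL_SCREENING_BIND}"/>
  </application>
</manifest>"""

# Constructed benign manifest: a plain app with internet access only.
BENIGN_MANIFEST = f"""<manifest xmlns:android="{ANDROID_NS}" package="example.constructed.notes">
  <uses-permission android:name="android.permission.INTERNET"/>
  <application><activity android:name=".Main"/></application>
</manifest>"""
```

Run `triage_manifest()` on a manifest decoded with apktool or aapt2; the findings dictionary tells you which of the page's indicators are present so the app can be prioritised for dynamic analysis.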
Banks Were Targeted
Drinik continuously uses the Accessibility Service to monitor activity related to the targeted banking apps and carries out the credential theft once it finds a match. Using the keystrokes it has captured, the malware harvests the targeted user's credentials and forwards them to the C&C server.
Several banks are being targeted, including SBI (State Bank of India), a bank that serves more than 450,000,000 people daily through a huge network of 22,000 active branches.
Conclusion
Several Android banking trojans, such as Hydra, BRATA, and Anubis, rely heavily on the Accessibility Service and have developed advanced features by abusing it. Researchers have noted that Drinik is likewise evolving into an advanced threat by implementing powerful features observed in other banking trojans.
Our findings show that the TA is boosting its malware with sophisticated phishing pages. The TA began its malware campaign with sophisticated phishing pages for credential harvesting.
However, our observations suggest that Drinik has since enhanced its framework with features such as screen recording and keylogging to steal personal information entered on the genuine income tax website and banking sites, as well as biometric details. The malware is still under development, and we may see a new version of Drinik with new targets and new methods of compromising them.
Our Recommendations
If you don't want to handle any of this yourself, leave the hard work to Terraeagle and take a deep breath. We've got you covered.
Found this article interesting? Follow Terraeagle on Facebook and LinkedIn to read more of the exclusive content we post.