{"id":1894,"date":"2025-02-11T10:03:37","date_gmt":"2025-02-11T10:03:37","guid":{"rendered":"https:\/\/serisec.com\/index.php\/2025\/02\/11\/finstealer-malware-attacking-leading-indian-banks-mobile-users-to-steal-login-credentials\/"},"modified":"2025-02-11T10:03:37","modified_gmt":"2025-02-11T10:03:37","slug":"finstealer-malware-attacking-leading-indian-banks-mobile-users-to-steal-login-credentials","status":"publish","type":"post","link":"https:\/\/serisec.com\/index.php\/2025\/02\/11\/finstealer-malware-attacking-leading-indian-banks-mobile-users-to-steal-login-credentials\/","title":{"rendered":"FinStealer Malware Attacking Leading Indian Bank\u2019s Mobile Users To Steal Login Credentials"},"content":{"rendered":"
FinStealer Malware Attacking Leading Indian Bank\u2019s Mobile Users To Steal Login Credentials \n \t
\n <\/BR> \n \n \t
\n <\/BR><\/p>\n
\n
A sophisticated malware campaign dubbed \u201cFinStealer\u201d is actively targeting customers of a leading Indian bank through fraudulent mobile applications.<\/p>\n
The malware, identified as Trojan.rewardsteal\/joxpk, employs advanced tactics to steal banking credentials and personal information from unsuspecting users.<\/p>\n
The malicious campaign operates through a suspicious website (motocharge[.]online) that distributes fake banking apps mimicking legitimate ones.<\/p>\n
The capabilities include XOR-based string obfuscation to evade detection, a dual command-and-control (C2) infrastructure utilizing both IP-based servers (41.216.183.97) and Telegram bots, and advanced WebView exploitation for credential harvesting.<\/p>\n
Core functionality of FinStealer<\/strong><\/h2>\n
Technical analysis revealed the malware\u2019s core functionality through this critical code snippet:-<\/p>\n
public class NPStringFog {\n public static String KEY = \"npmanager\";\n private static final String hexString = \"0123456789ABCDEF\";\n public static String decode(String str) {\n ByteArrayOutputStream baos = new ByteArrayOutputStream(str.length() \/ 2);\n for (int i = 0; i < str.length(); i += 2) {\n baos.write((hexString.indexOf(str.charAt(i)) << 4) | hexString.indexOf(str.charAt(i + 1)));\n }\n \/\/... [obfuscation logic]\n }\n}<\/code><\/pre>\n
The malware communicates with its C2 infrastructure through a Telegram bot (API key: 7754264825:AAEqSBGNuEbuMqnWFqN7E_SvhS5sy_IFjEE) to exfiltrate sensitive data including:-<\/p>\n
\n
Banking credentials<\/li>\n
Credit card details<\/li>\n
Personal identification information<\/li>\n<\/ul>\n
Security researchers also discovered a critical vulnerability (CVE-2011-2688) in the C2 server, allowing SQL injection attacks through the mysql\/mysql-auth.pl script in the mod_authnz_external module.<\/p>\n
\nSnapshot of C2 Server \u2013 Admin Panel (Source \u2013 CYFIRMA)<\/figcaption><\/figure>\n<\/div>\n
To protect against this threat, CYFIRMA recommends implementing advanced endpoint protection, monitoring for exploit-like behavior, conducting regular security audits of mobile applications, and blocking known malicious indicators of compromise (IOCs).<\/p>\n
The following YARA rule can help detect the malware:-<\/p>\n
![\"\"](\"https:\/\/i0.wp.com\/blogger.googleusercontent.com\/img\/b\/R29vZ2xl\/AVvXsEjBLCUWaedXTslQ4UEA3qY8egFtIElUdJMil3ZumbTaeXycP_r_kz_Eubyd_N9mSbzxylbtoWHV3PC1fVkUUVA2aDGnfTWVdmZwBXxsanQX48kjhgqgxuB8AbkKz-YdUgeGYukS2Ymd31-6MbK-q5i4uN_TI1w4aUQew5Suoem8-NB89VFn7ovK05xcW_8\/s16000\/APK%2520Details%2520%28Source%2520-%2520CYFIRMA%29.webp?ssl=1\")
![\"\"](\"https:\/\/i0.wp.com\/blogger.googleusercontent.com\/img\/b\/R29vZ2xl\/AVvXsEgxZfW9XO85zA_uQkZ-hDajS8wwzqKM7OJI83wQKT-FXE9rt4mMLRAp-vV5gl7f-zmHPJR6kHcP5kBEvGOdntDusiB5OY9TNj5jcAiitkXR2_tlp85a-3ddz5pu76sYTwTGbO2g6D6WZchSTTPoYcntIz60h2mkOL92y1lUuLnczqhf6X3SENFxKHT_X0Q\/s16000\/Obfuscated%2520Code%2520%28Source%2520-%2520CYFIRMA%29.webp?ssl=1\")
![\"\"](\"https:\/\/i0.wp.com\/blogger.googleusercontent.com\/img\/b\/R29vZ2xl\/AVvXsEhNLJ3MSlLi557cLlMNHS9VSfjoznkY9OxgJ7u1D7u1cVy00xW0oDt6fUhOcuz0ksSAwUQxoWjVrBznrwx7jYxGyalo16LfY6fAuFBJl6RIWAVjjHnF09qdTXOebT9tlZ0nRvGticQ_-t_9Y3yalafx0eKttUoSr3PktAnQhmmLEMHoM7EoYaSrVqKobug\/s16000\/Obfuscated%2520Module%2520%28Source%2520-%2520CYFIRMA%29.webp?ssl=1\")
![\"\"](\"https:\/\/i0.wp.com\/blogger.googleusercontent.com\/img\/b\/R29vZ2xl\/AVvXsEjA5z6iStWvfQRoYbePeMaHVfTws496MlmXjIa9N-tb5smsEVfEo193tOnga9bynM4S7K30ntS2FQwG6Nw06UhuFRd3R5Q6EUkB_7IIXWajtSlvkx2P0mBnLAr7oEWLEcYMnEcgUiJeKSuqv6uwudwo2-nz7MTWWbfyei3TibQrDoElAxVTf-WefiKw40o\/s16000\/Snapshot%2520of%2520C2%2520Server%2520-%2520Admin%2520Panel%2520%28Source%2520-%2520CYFIRMA%29.webp?ssl=1\")
![\"\"](\"https:\/\/i0.wp.com\/blogger.googleusercontent.com\/img\/b\/R29vZ2xl\/AVvXsEhi1gF95bNQzU7BaWcPkw4DC_oapNb42ubwEboLmGSPomw9jh7zpG5RhKyuQNDMfJtKkQU90ApsbTueII0j6vbHZr_8sMEZuFRwB5t0V0Tjih55oYHk1CO1xmsRqlYRXtLYU09Kzqdn_l7M7PStIfRM53KNDzI37FFzc3Tbu1RPqJnZSNtXDXXsWcyPY7k\/s16000\/IOCs%2520%28Source%2520-%2520CYFIRMA%29.webp?ssl=1\")