Uncovering ICICI Phishing Campaign: New Fraud App Found

Rakesh Krishnan
3 min read · Sep 21, 2024


Today, during my research, I came across a malicious host that mimics ICICI Bank, and also uncovered a malicious app disguised as "ICICI Helpdesk".

ICICI Fraudulent Site

DOMAIN DETAILS

Domain: cppcccare.com
IP: 77.37.34.191
Location: Great Britain 🇬🇧
ASN: AS47583
ASN Location: Cyprus 🇨🇾

NOTE: This ASN has previously been observed hosting infrastructure for a long list of malware families, including GuLoader, AgentTesla, NetSupportRAT, Latrodectus, SmokeLoader, PureLog Stealer, RedLine Stealer, SuperShell, IcedID, DarkGate, QakBot, Emotet, Dridex, DreamBot and Loki Botnet.

This ASN was also used by the 🇷🇺 threat actor group TA577 to distribute PikaBot.

The domain was registered only recently, on 22 August 2024, and is hosted with Hostinger.

Let's dive into the malicious host's configuration:

Server: Litespeed
Platform: Hostinger
Panel: HPanel

MALICIOUS APP

Note that there is NO official app named "ICICI Helpdesk"; there are, however, websites with the same title.

Malicious APK hosted on Phishing Domain

MD5: df1e45aa0435509d552602ca1b84ccb6
SHA-1: bde9068c2deb1e3dcf9b7646dc8960dbea97d8b3
SHA-256: cd89b4cc7dc155f30db39e31b30894ed11f3fb6ad0fe5b2d014b123e333084c6
FileName: ICICI.apk
Detected as: Trojan Banker, Keylogger, SMSspy

The observed malicious app had not previously been seen in the wild, and I submitted the sample to VT today (21 Sept 2024). Hence, it can be assumed that the app has been operational since August 2024.

VT Result of the analyzed Malicious File

File Size: 3.58MB
Package Name: sc.st
Version Code: 15
Version Name: 451
Minimum Supported Android Version: Lollipop (5) — API level 21
Target SDK: unknown — API level 35

The download page claims 500K+ downloads. This figure should be treated as fabricated: a fake download count is displayed precisely so that visitors who check it are reassured and install the app.

UNCOVERING MALICIOUS INDICATORS

As a rule of thumb, a description that is copied verbatim across unrelated apps is a strong fraud indicator, and that is the case here: the description on this page exactly matches the one used by other fraudulent apps, and it describes a slot-machine game rather than a banking helpdesk. The description reads:

Every spin of the classic slot machines will give you a super jackpot thrill!

The most exciting casino machines and games.

With amazing graphics and some great twists, our slot machines offer a unique experience!

An exact match of the description found on the ICICI phishing website

Taken together, these facts show that the observed domain and sample are malicious; add them to your IOC watch list.

Reference:

https://www.virustotal.com/gui/file/cd89b4cc7dc155f30db39e31b30894ed11f3fb6ad0fe5b2d014b123e333084c6/detection

IOCs

Domain: cppcccare.com
Hostname: ftp.cppcccare.com
Live URL: https://cppcccare.com/store/
IP: 77.37.34.191
MD5: df1e45aa0435509d552602ca1b84ccb6
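As an added example (not code from the original post), the following Python script turns the IOCs listed above into an offline check: it scans log lines for the domain (including subdomains such as ftp.) and the IP, hashes file contents against the APK's MD5/SHA-1/SHA-256, and fingerprints the reused casino-style description from the previous section so that a lookalike listing can be flagged. The proxy/DNS/firewall log lines and the placeholder file bytes are constructed here for illustration; only the indicator values come from the post.

```python
"""Added example, not code from the original post: an offline IOC matcher that
applies the post's indicators to log lines and file contents, and fingerprints
the reused app description. Log lines and file bytes are constructed."""
import hashlib
import ipaddress
import re

# Network indicators from the post's IOC list
IOC_DOMAINS = {"cppcccare.com"}   # matches the apex and any subdomain (e.g. ftp.)
IOC_IPS = {"77.37.34.191"}

# File indicators (ICICI.apk) from the post
IOC_HASHES = {
    "md5": {"df1e45aa0435509d552602ca1b84ccb6"},
    "sha1": {"bde9068c2deb1e3dcf9b7646dc8960dbea97d8b3"},
    "sha256": {"cd89b4cc7dc155f30db39e31b30894ed11f3fb6ad0fe5b2d014b123e333084c6"},
}

# The app description quoted in the post, reused verbatim across fraudulent apps
KNOWN_FRAUD_DESCRIPTIONS = [
    "Every spin of the classic slot machines will give you a super jackpot thrill! "
    "The most exciting casino machines and games. "
    "With amazing graphics and some great twists, our slot machines offer a unique experience!",
]

def normalise_text(text: str) -> str:
    """Collapse whitespace and case so copies that differ only in layout still match."""
    return re.sub(r"\s+", " ", text).strip().lower()

# Distribute fingerprints (SHA-256 of the normalised text) rather than the raw blurb
FRAUD_DESC_FINGERPRINTS = {
    hashlib.sha256(normalise_text(d).encode("utf-8")).hexdigest()
    for d in KNOWN_FRAUD_DESCRIPTIONS
}

def description_matches_known_fraud(description: str) -> bool:
    """True if a store description is an exact (normalised) copy of a known fraud blurb."""
    digest = hashlib.sha256(normalise_text(description).encode("utf-8")).hexdigest()
    return digest in FRAUD_DESC_FINGERPRINTS

HOST_RE = re.compile(r"\b((?:[a-z0-9-]+\.)+[a-z]{2,})\b", re.IGNORECASE)
IP_RE = re.compile(r"\b(\d{1,3}(?:\.\d{1,3}){3})\b")

def host_matches_ioc(host: str) -> bool:
    """Exact apex match or subdomain match; 'notcppcccare.com' must not match."""
    host = host.lower().rstrip(".")
    return any(host == d or host.endswith("." + d) for d in IOC_DOMAINS)

def scan_log_line(line: str) -> list:
    """Return (kind, value) hits for every IOC domain/IP that appears in one log line."""
    hits = []
    for host in HOST_RE.findall(line):
        if host_matches_ioc(host):
            hits.append(("domain", host.lower()))
    for ip in IP_RE.findall(line):
        try:
            ipaddress.ip_address(ip)   # drop malformed octets such as 999.1.1.1
        except ValueError:
            continue
        if ip in IOC_IPS:
            hits.append(("ip", ip))
    return hits

def scan_log(text: str) -> list:
    """Scan a whole log, returning (line_number, kind, value) tuples."""
    findings = []
    for number, line in enumerate(text.splitlines(), start=1):
        for kind, value in scan_log_line(line):
            findings.append((number, kind, value))
    return findings

def hash_bytes(data: bytes) -> dict:
    """MD5/SHA-1/SHA-256 of a file's contents, keyed the same way as IOC_HASHES."""
    return {name: hashlib.new(name, data).hexdigest() for name in ("md5", "sha1", "sha256")}

def file_matches_ioc(data: bytes) -> list:
    """Names of the hash algorithms under which this file matches a known-bad sample."""
    digests = hash_bytes(data)
    return [name for name, value in digests.items() if value in IOC_HASHES[name]]

# Constructed sample log (not real traffic): proxy hit, DNS query, benign request, firewall event
SAMPLE_LOG = """\
2024-09-21T06:42:11Z proxy CONNECT https://cppcccare.com/store/ client=10.0.5.23 status=200
2024-09-21T06:42:13Z dns query ftp.cppcccare.com type=A client=10.0.5.23
2024-09-21T06:43:01Z proxy GET https://example.com/index.html client=10.0.5.24 status=200
2024-09-21T06:44:55Z fw ALLOW 10.0.5.23 -> 77.37.34.191:443
"""

if __name__ == "__main__":
    for finding in scan_log(SAMPLE_LOG):
        print("IOC hit:", finding)
    # Placeholder bytes; a real check would read the suspect APK from disk
    print("file hash hits:", file_matches_ioc(b"not the real APK"))
    print("description reused:", description_matches_known_fraud(
        "EVERY spin of the classic slot machines will give you a super jackpot thrill!\n"
        "The most exciting casino machines and games.\nWith amazing graphics and some "
        "great twists, our slot machines offer a unique experience!"))
```

The domain check deliberately matches on label boundaries rather than substrings, so lookalike-but-unrelated registrations are not flagged by accident, and the description is compared as a hash of the normalised text so the fingerprint can be shared without reproducing the blurb itself.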

This incident is being reported to the Bank, Hosting Provider and CERT-IN Authorities.

UPDATE: TAKEDOWN

Having reported the ICICI Bank phishing domain first hand, it is a privilege to have been the reason for the website's takedown 💪.

Phishing Domain: Taken Down

The phishing domain was reported to Hostinger on Saturday at 12:10 PM and was taken down by Sunday morning, within 24 hours.

Hostinger Response to my Request


NOTE: This article is individual research and may not be used or published elsewhere without the author's consent.

Rakesh Krishnan

Independent Security Researcher and Threat Analyst. Often sheds light on Dark Web. Regular contributor to Infosec Community.