Uncovering ICICI Phishing Campaign: New Fraud App Found
Today, during my research, I came across a malicious host that mimics ICICI Bank, and also uncovered a malicious app disguised as "ICICI Helpdesk".
DOMAIN DETAILS
Domain: cppcccare.com
IP: 77.37.34.191
Location: Great Britain 🇬🇧
ASN: AS47583
ASN Location: Cyprus 🇨🇾
NOTE: This ASN has previously been observed hosting highly malicious activity, including GuLoader, AgentTesla, NetSupport RAT, Latrodectus, SmokeLoader, PureLog Stealer, RedLine Stealer, SuperShell, IcedID, DarkGate, QakBot, Emotet, Dridex, DreamBot and Loki Botnet.
This ASN was also used by the well-known 🇷🇺 threat actor group TA577 to distribute PikaBot.
The domain was registered recently, on 22 August 2024, and is hosted with Hostinger.
Malicious host configuration:
Server: LiteSpeed
Platform: Hostinger
Panel: HPanel
MALICIOUS APP
It is important to note that there is NO official app named "ICICI Helpdesk"; there are, however, legitimate websites with that title, which is what the lure trades on.
MD5: df1e45aa0435509d552602ca1b84ccb6
SHA-1: bde9068c2deb1e3dcf9b7646dc8960dbea97d8b3
SHA-256: cd89b4cc7dc155f30db39e31b30894ed11f3fb6ad0fe5b2d014b123e333084c6
FileName: ICICI.apk
Detected as: Trojan Banker, Keylogger, SMSspy
The observed malicious app had not previously been seen in the wild; I submitted the sample to VT today (21 Sept 2024). Given the domain registration date, it can be assumed that the app has been operational since August 2024.
File Size: 3.58MB
Package Name: sc.st
Version Code: 15
Version Name: 451
Minimum Supported Android Version: Lollipop (5) — API level 21
Target SDK: unknown — API level 35
The download page claims about 500K+ downloads. This figure is almost certainly inflated: it is shown precisely so that victims trust the app as widely used and install it.
UNCOVERING MALICIOUS INDICATORS
As a general rule of thumb, fraudulent apps reuse boilerplate store listings, and the description used by this app is an exact match for that of other fraudulent apps. The description reads:
Every spin of the classic slot machines will give you a super jackpot thrill!
The most exciting casino machines and games.
With amazing graphics and some great twists, our slot machines offer a unique experience!
A slot-machine description on an app posing as a bank helpdesk is itself a strong indicator. Taken together, these facts show that the observed domain and sample are highly malicious and should be added to your IOC checklist.
Reference:
https://www.virustotal.com/gui/file/cd89b4cc7dc155f30db39e31b30894ed11f3fb6ad0fe5b2d014b123e333084c6/detection
IOCs
Domain: cppcccare.com
Hostname: ftp.cppcccare.com
Live URL: https://cppcccare.com/store/
IP: 77.37.34.191
MD5: df1e45aa0435509d552602ca1b84ccb6
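To turn the IOC list above into something that can actually be run against telemetry, here is an added example (my code, not part of the original article) that matches the listed domain, IP and file hashes. The IOC values are copied from this page; the log lines and their format are constructed for the example and do not come from any real environment. Subdomains such as ftp.cppcccare.com are caught by a suffix check on the registered domain rather than an exact string compare.

```python
import hashlib
import re
from typing import Dict, List

# IOCs as published in this article.
IOC_DOMAINS = {"cppcccare.com"}          # subdomains match via suffix check below
IOC_IPS = {"77.37.34.191"}
IOC_HASHES = {
    "md5": "df1e45aa0435509d552602ca1b84ccb6",
    "sha1": "bde9068c2deb1e3dcf9b7646dc8960dbea97d8b3",
    "sha256": "cd89b4cc7dc155f30db39e31b30894ed11f3fb6ad0fe5b2d014b123e333084c6",
}

# Constructed sample DNS/proxy log lines (not real traffic), key=value style.
SAMPLE_LOGS = """\
2024-09-21T11:58:02Z dns client=10.0.0.12 query=cppcccare.com type=A answer=77.37.34.191
2024-09-21T11:58:03Z proxy client=10.0.0.12 method=GET url=https://cppcccare.com/store/ status=200
2024-09-21T11:58:09Z proxy client=10.0.0.12 method=GET url=https://ftp.cppcccare.com/ICICI.apk status=200
2024-09-21T12:03:41Z dns client=10.0.0.7 query=www.icicibank.com type=A answer=203.0.113.5
2024-09-21T12:05:10Z proxy client=10.0.0.9 method=GET url=https://example.com/ status=200
"""

# Hostnames appear after query= (DNS) or url= (proxy, scheme optional).
HOST_RE = re.compile(r"(?:query|url)=(?:https?://)?([A-Za-z0-9.-]+)")
# Resolved addresses appear after answer= in the DNS lines.
IP_RE = re.compile(r"answer=(\d{1,3}(?:\.\d{1,3}){3})")


def host_matches(host: str) -> bool:
    """True if host is an IOC domain or a subdomain of one."""
    host = host.lower().rstrip(".")
    return any(host == d or host.endswith("." + d) for d in IOC_DOMAINS)


def scan_logs(text: str) -> List[Dict[str, str]]:
    """Return every log line touching an IOC domain or IP, with the reason(s)."""
    hits = []
    for line in text.splitlines():
        reasons = []
        for host in HOST_RE.findall(line):
            if host_matches(host):
                reasons.append(f"domain:{host}")
        for ip in IP_RE.findall(line):
            if ip in IOC_IPS:
                reasons.append(f"ip:{ip}")
        if reasons:
            hits.append({"line": line, "reasons": ",".join(reasons)})
    return hits


def hash_bytes(data: bytes) -> Dict[str, str]:
    """MD5/SHA-1/SHA-256 of an in-memory blob, lower-case hex."""
    return {
        "md5": hashlib.md5(data).hexdigest(),
        "sha1": hashlib.sha1(data).hexdigest(),
        "sha256": hashlib.sha256(data).hexdigest(),
    }


def hash_file(path: str) -> Dict[str, str]:
    """Same as hash_bytes but streams a file from disk (e.g. a captured APK)."""
    digests = {"md5": hashlib.md5(), "sha1": hashlib.sha1(), "sha256": hashlib.sha256()}
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(1 << 20), b""):
            for d in digests.values():
                d.update(chunk)
    return {name: d.hexdigest() for name, d in digests.items()}


def is_known_sample(hashes: Dict[str, str]) -> bool:
    """True if any of the supplied digests equals a published IOC hash."""
    return any(hashes.get(algo, "").lower() == value for algo, value in IOC_HASHES.items())


if __name__ == "__main__":
    for hit in scan_logs(SAMPLE_LOGS):
        print(hit["reasons"], "<-", hit["line"])
    # hash_file("ICICI.apk") would be checked with is_known_sample() in practice;
    # the constructed bytes below obviously do not match the published sample.
    print("constructed bytes known sample:", is_known_sample(hash_bytes(b"constructed")))
```

The suffix check is what makes `ftp.cppcccare.com` match without listing every subdomain, while still not matching lookalikes such as `notcppcccare.com`. Hash matching is exact, so it only confirms the specific sample above; a repacked APK will need behavioural or package-name (`sc.st`) based detection instead.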
This incident is being reported to the bank, the hosting provider and CERT-In.
UPDATE: TAKEDOWN
Having reported the ICICI Bank phishing domain first-hand, it is a privilege to have been the reason for the website's takedown 💪.
The phishing domain was reported to Hostinger on Saturday at 12:10 PM and was taken down by Sunday morning, within 24 hours.
Follow me on Twitter for short DarkWeb/InfoSec findings! ;-)
NOTE:- This article is purely individual research and is not to be used or published anywhere without the author's consent.