Fake Google reCAPTCHA used to hide Android banking malware. The phishing campaign impersonates Google in attacks against banking institutions and their users.

Researchers have documented a recent phishing campaign targeting online banking users which masquerades as Google in its attempt to steal valuable credentials.

According to cybersecurity researchers from Sucuri, the attack wave against a Polish bank and its users is impersonating Google reCAPTCHA systems and panic-eliciting techniques to prompt victims to click on malicious links embedded in scam emails.

The emails in question contain a fake confirmation for a recent transaction, alongside a link to a malicious .PHP file.

Messages sent to would-be victims ask them to ‘verify‘ these non-existent transactions by clicking on the link.

This attack method is nothing new, but the next stage is somewhat more unusual. If a victim fails to realize the message is fake and clicks on the link, they are not sent to a standard, fake replica of the bank, but rather the PHP file serves a fake 404 error page.

The page has a number of specifically defined user-agents which are limited to Google crawlers. If the request is not Google crawler-related — in other words, alternative search engines are in use — then the PHP script instead loads a fake Google reCAPTCHA made up of JavaScript and static HTML.

“This page does a decent job at replicating the look of Google’s reCAPTCHA, but since it relies on static elements, the images will always be the same unless the malicious PHP file’s coding is changed,” the researchers say. “It also doesn’t support audio replay, unlike the real version.”

The browser agent is then re-checked to ascertain how the victim has visited the page. A .zip dropper is on offer, alongside a malicious .APK reserved for Android users who fill in the CAPTCHA and download the payload.

Samples of the malware have been uploaded to VirusTotal. The malware is most often found in the wild in its Android form and is able to read a mobile device’s state, location, and contacts; scan and send SMS messages, make phone calls, record audio, and steal other sensitive information.

The Trojan is detected as Banker, BankBot, Evo-gen, Artemis, and more by antivirus software.

In January, researchers from Trend Micro uncovered an interesting campaign relating to the Anubis banking Trojan. The team found two apps in the Google Play store, a currency converter and power saver, which were laden with malware which would only trigger when a user moved their device.

By using motion sensor data as a catalyst for execution, the Trojan attempted to prevent discovery by researchers making use of sandbox environments.

A recently-discovered phishing scam was found peddling malware, using a new technique to mask its malicious landing page: A fake Google reCAPTCHA system.

The campaign targeted a Polish bank and its users with emails, said researchers with Sucuri. These emails contained a link to a malicious PHP file, which eventually downloaded the BankBot malware onto victims’ systems.

This Android-targeted banking malware, first discovered in 2016, is a remotely controlled Android banking trojan capable of stealing banking details by impersonating bank apps, looking at text messages and displaying unsolicited push notifications. In this specific case, BankBot was scooping up various private data, including SMS and call logs, contacts and location, researchers said.

“During a recent investigation, we discovered a malicious file related to a phishing campaign that targeted a Polish bank,” said Luke Leak with Sucuri, in a Thursday analysis. “This campaign employed both the impersonation and panic/bait techniques within an email in order to lure victims into downloading banking malware.”

The emails asked victims for confirmation for a recent transaction, along with a link to a malicious PHP file. Researchers said that users of the bank who saw the email would likely be alarmed that it was asking for confirmation of an unknown transaction, prompting them to click the malicious link.

“This makes it a bit more unique from the phishing content that we typically find, which often consists of a PHP mailer and file(s) used to construct the phishing page itself,” said Leak. “In most cases, it’s just a replica of the login page for whatever institution they are targeting.”

When the victims clicked on the link, the malicious PHP file would send them a fake “404 error” page. The PHP code then loaded a fake Google reCAPTCHA using a combination of HTML elements and JavaScript. reCAPTCHA is Google’s authentication mechanism used for distinguishing bots from true site users.

The fake reCAPTCHA looks real, and makes victims feel as though the landing page is legitimate, researchers said.

“This page does a decent job at replicating the look of Google’s reCAPTCHA, but since it relies on static elements, the images will always be the same unless the malicious PHP file’s coding is changed,” said Leak. “It also doesn’t support audio replay, unlike the real version.”

The PHP code then determined which form of malware to download on the victim’s device. If the victim uses Android, it would drop a malicious .apk, and if not, it downloaded a .zip dropper.

Besides “BankBot,” the Android malware is also labeled as “Banker” and “Artemis” on VirusTotal by varying anti-virus programs.

“Shortly after the discovery of the apps trojanized with BankBot on Google Play in the beginning of 2017, we have confirmed that the malicious apps were derived from source code made public on underground forums in December 2016,” said ESET researchers, in an analysis of BankBot. “The public availability of the code has led to a surge in both the number and sophistication of mobile banking trojans.”

Phishing scams have continued to step up their game over the past year, with bad actors are continuously updating their methods to become trickier. That includes using new tactics like Google Translate or custom fonts to make the scams seem more legitimate.

Leak said this type of phishing campaign “can cause serious headaches for website owners.”

“The malicious directories used in these campaigns are uploaded to a website after it has been compromised,” said Leak. “When dealing with this type of malware, it is important to delete the files contained in a complaint, however; we strongly encourage administrators to scan all other existing website files and database for malware as well. You’ll also want to update all of your passwords to prevent the attackers from accessing the environment again.”

Fake Google reCAPTCHA used to hide Android banking malware

Related Videos:

Related Posts:

About the Author: Bernard Aybout