FinStealer

Feb. 17, 2025, 11:22 a.m.

Description

A sophisticated malware campaign exploits a leading Indian bank's brand through fraudulent mobile applications. Distributed via phishing links and social engineering, these fake apps mimic legitimate bank apps, tricking users into revealing sensitive information. The malware uses advanced evasion techniques, including encrypted communication with C2 servers, dynamic payload execution, and runtime behavior alterations. The attackers aim for financial gain through credential theft, unauthorized transactions, and data sale on darknet forums. The campaign employs Telegram bots, SQL injection attacks, and XOR encryption. The analysis highlights the threat's impact and provides recommendations for mitigation, including advanced monitoring, vulnerability patching, and user education.

External References

https://www.cyfirma.com/research/finstealer/
https://otx.alienvault.com/pulse/67b3177984418020ac6ea6b2
Tags
sql injection
phishing
android
credential theft
banking
telegram
mobile
c2 servers
xor encryption
2025-02-17
finstealer
trojan.rewardsteal/joxpk
CVE-2011-2688

Date

  • Created: Feb. 17, 2025, 11:03 a.m.
  • Published: Feb. 17, 2025, 11:03 a.m.
  • Modified: Feb. 17, 2025, 11:22 a.m.

Indicators

  • 0c874cbd38d49db0d6b24aee6c57382b1fe912158f8dcb0786933ff2c206e1c9
  • 41.216.183.97
  • 92.113.19.132
  • mysql-auth.pl
  • motocharge.online
Download all indicators here!

Attack Patterns

  • Trojan.rewardsteal/joxpk

Additional Informations

  • Finance
  • British Indian Ocean Territory
  • India

Linked vulnerabilities

CVE-2011-2688

None
Published: