Threat Actor Expanding Arsenal By Targeting Vietnam-based Bank
At the end of 2021, Cyble Research and Intelligence Labs (CRIL) identified an Android Banking Trojan pretending to be a cleaning service app and targeting Malaysian Banks through a fake e-shop campaign.
The fake e-shop campaign started in Malaysia, wherein the Threat Actor (TA) was found using the Facebook ads service and impersonating the Facebook page of a famous cleaning service agency. Once unsuspecting victims visited this Facebook page and communicated with the TA, they were tricked into downloading the malicious app from the phishing link shared by the TA.
Initially, the TA skillfully employed the trope of cleaning services and pet stores to lure victims into downloading the malicious app. From May 2022, we observed TAs leveraging campaigns designed around travel agencies, E-commerce platforms, shopping marts, and car rental agencies among others, to distribute malware, as shown in the figure below.

On June 2, Maybank – Malaysia’s largest financial services group, issued a public warning against fraud campaigns, highlighting security practices mentioned in a MyCERT security advisory, cautioning their consumers against downloading apps from unknown sources.

Despite such public warnings issued by several Malaysian banks and MyCERT, we have observed various instances wherein unsuspecting victims have fallen prey to scams and incurred substantial financial losses.
We came across a similar scam incident in August 2022, wherein the TA created a Facebook page called “Premium TV Channel”, offering low-cost packages to victims related to IPTV subscriptions. If the victim contacts the advertiser on WhatsApp, the TA tricks the victim into downloading the malicious application “EEPAD(Eng).3.1.apk” and making a payment for the subscription service.
The figure below shows the WhatsApp conversation with the TA and a screenshot of one such fraudulent transaction.

On analyzing the APK file, the malware was found targeting 10 Malaysian banks, stealing the credentials of several banking accounts to perform fraudulent transactions. These banks include Hong Leong Bank, CIMB Bank, Maybank, AmBank, Public Bank, RHB Bank, OCBC Bank, Bank Rakyat, Bank Islam, Bank Simpanan Nasional (BSN), and Agrobank.

The malware collects the Net banking credentials, Credit Card details, and incoming SMSes to bypass 2FA credentials and sends them to the Command and Control (C&C) Server “hxxps://superstore88[.]xyz/WTAppTv/”.
In the same month, we observed another scam wherein the TA created a Facebook page impersonating the genuine Malaysian cleaning service “KleanHouz House Cleaning”. The infection chain starts once the victim contacts the WhatsApp number the TA provides on the fake page.

When the victim sends the WhatsApp message to the number provided on the fake Facebook page, the TA sends the phishing link to prompt the victim into downloading the malware and starting the payment process, as shown in the image below.

The genuine “KleanHouz Home Cleaning” service also warned its customers against this ongoing scam. In one of their warning posts, the KleanHouz team mentioned that TAs are using a fake business certificate to convince the victim into downloading the malicious app.

CRIL is constantly monitoring the activity of fake e-shop campaigns and has identified more than 70 phishing sites that have been distributing Android malware since April. Most of them are typosquatted domains impersonating the same entity.
Our statistics revealed a sudden rise in the number of attacks by this campaign in August 2022.

Vietnam: A New Target of Fake e-shop scam
Recently, CRIL observed a new phishing site “hxxps://bestpay-vn[.]store” pretending to be a payment application website and distributing Android Malware targeting HD Bank from Vietnam.

We believe that the TA might have distributed this phishing site through WhatsApp messages or SMSes similar to the campaign explained above. Once the user clicks on the Google Play button, the site downloads the APK file “bestpayVN.apk”. The detailed behavior of this app is explained in the Technical Analysis section.
Technical Analysis
APK Metadata Information  
- App Name: BestPay
- Package Name: com.app.ebayarz
- SHA256 Hash: b344e13fc9840d1c3dcd14778777f8f28b1b56e633989e0649761eddfbf9798a
Figure 10 shows the metadata information of the application.

Manifest Description 
The harmful permissions requested by the malware are: 
| Permission | Description |
|---|---|
| RECEIVE_SMS | Allows an application to receive SMS messages |
| READ_SMS | Access phone messages |
| SEND_SMS | Allows the application to send SMS messages |
Source Code Review 
The malware pretends to be a legitimate mobile payment application and provides fake functionalities such as phone bill payment, electric bill payment, insurance, internet bill payment, VN shop, loan payment, and cable TV bill payment, as shown in the image below.

When the user tries to make a payment, the malware displays a screen with the bank name and the bill amount. Once the victim proceeds with the payment, the malware redirects them to a fake net banking URL, hxxps://ebanking[.]hdbank.vn. As of now, this variant under our analysis was seen targeting only one bank from Vietnam – HDBank.

The TA has attempted to duplicate the UI of the genuine HDbank website to trick unsuspecting users. The figure below showcases the genuine and fake HDBank net banking websites.


The malware has the SMS receiver class MyReciever which is used to collect the incoming SMSes from the victim’s device and send them to the C&C server hxxps://sgbx[.]online. The stolen SMSes are used to fetch OTPs for bypassing the Two-Factor Authentication (2FA) while making fraudulent transactions.

As the same C&C server has been found in other malicious applications related to the same campaign, we believe that this malware variant is associated with the same cybercriminal.
The malicious application appears to still be under development as the malware has the SendSmsActivity and SmsSendService classes with no implemented code. This functionality can be implemented by the TA in the future to send spam SMSes from the victim’s device to further spread malware.
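As an added illustration (not code from the report, and not the malware's own code), the following Python script performs the kind of static triage a defender would run on a decoded AndroidManifest.xml for the pattern described above: the SMS permissions listed in the manifest table combined with a broadcast receiver registered for the android.provider.Telephony.SMS_RECEIVED action, which is what a receiver class such as MyReciever relies on to see incoming OTPs. The two manifests embedded in the script are constructed for illustration; only the receiver class name MyReciever comes from the report, and the package names com.example.fakepay and com.example.benign are made up.

```python
# Added example: static triage of a decoded AndroidManifest.xml for the
# SMS-interception pattern (SMS permissions plus a BroadcastReceiver for
# android.provider.Telephony.SMS_RECEIVED). Both manifests below are
# constructed; neither is the real APK's manifest.
import xml.etree.ElementTree as ET

ANDROID_NS = "http://schemas.android.com/apk/res/android"
SMS_PERMISSIONS = {
    "android.permission.RECEIVE_SMS",
    "android.permission.READ_SMS",
    "android.permission.SEND_SMS",
}
SMS_RECEIVED_ACTION = "android.provider.Telephony.SMS_RECEIVED"

# Constructed manifest mimicking the pattern (package name is made up; the
# receiver class name MyReciever is the one named in the report).
SAMPLE_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.fakepay">
    <uses-permission android:name="android.permission.INTERNET"/>
    <uses-permission android:name="android.permission.RECEIVE_SMS"/>
    <uses-permission android:name="android.permission.READ_SMS"/>
    <uses-permission android:name="android.permission.SEND_SMS"/>
    <application android:label="BestPay">
        <activity android:name=".MainActivity"/>
        <receiver android:name=".MyReciever" android:exported="true">
            <intent-filter android:priority="999">
                <action android:name="android.provider.Telephony.SMS_RECEIVED"/>
            </intent-filter>
        </receiver>
    </application>
</manifest>
"""

# Constructed benign manifest: network access only, no SMS handling.
BENIGN_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.benign">
    <uses-permission android:name="android.permission.INTERNET"/>
    <application android:label="Benign">
        <activity android:name=".MainActivity"/>
    </application>
</manifest>
"""


def _android_attr(elem, name):
    """Read an attribute from the android: namespace."""
    return elem.get("{%s}%s" % (ANDROID_NS, name))


def triage_manifest(manifest_xml):
    """Summarise SMS-related permissions and receivers in a manifest.

    'suspicious' is True only when SMS permissions AND an SMS_RECEIVED
    receiver are both present. A legitimate app that auto-reads OTPs can
    show the same combination, so treat it as a triage signal for analyst
    review, not as a verdict.
    """
    root = ET.fromstring(manifest_xml)
    requested = {_android_attr(e, "name") for e in root.iter("uses-permission")}
    sms_perms = sorted(requested & SMS_PERMISSIONS)

    sms_receivers = []
    high_priority = []
    for receiver in root.iter("receiver"):
        for flt in receiver.iter("intent-filter"):
            actions = {_android_attr(a, "name") for a in flt.iter("action")}
            if SMS_RECEIVED_ACTION in actions:
                name = _android_attr(receiver, "name")
                sms_receivers.append(name)
                # A positive android:priority orders this filter ahead of
                # lower-priority receivers for ordered broadcasts, so it is
                # worth recording as an extra signal.
                prio = _android_attr(flt, "priority")
                if prio and int(prio) > 0:
                    high_priority.append(name)
    return {
        "package": root.get("package"),
        "sms_permissions": sms_perms,
        "sms_receivers": sms_receivers,
        "high_priority_receivers": high_priority,
        "suspicious": bool(sms_perms) and bool(sms_receivers),
    }


if __name__ == "__main__":
    for label, xml in (("sample", SAMPLE_MANIFEST), ("benign", BENIGN_MANIFEST)):
        print(label, triage_manifest(xml))
```

To use it on a real sample, decode the binary manifest first (for example with apktool) and pass the resulting XML text to triage_manifest; the function only reads the manifest, so a receiver registered at runtime in code rather than in the manifest would not be seen by this check.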
Conclusion
The fake e-shop campaign started at the end of 2021 and is still actively targeting Malaysian citizens. According to our research, the TA is focusing on expanding its targets and infecting more users. The scam is currently seen targeting a single Vietnamese bank, but the TA may target more Vietnamese banks in the future and gradually expand the campaign to other countries.
Users are advised to exercise caution while making financial transactions, follow cyber awareness programs to stay abreast of news of such campaigns, and avoid installing applications from unknown sources.
Our Recommendations
We have listed some essential cybersecurity best practices that create the first line of control against attackers. We recommend that our readers follow the best practices given below:  
How to prevent malware infection?
- Download and install software only from official app stores like Play Store or the iOS App Store.
- Use a reputed anti-virus and internet security software package on your connected devices, such as PCs, laptops, and mobile devices.
- Use strong passwords and enforce multi-factor authentication wherever possible.
- Enable biometric security features such as fingerprint or facial recognition for unlocking the mobile device where possible.
- Be wary of opening any links received via SMS or emails delivered to your phone.
- Ensure that Google Play Protect is enabled on Android devices.
- Be careful while enabling any permissions.
- Keep your devices, operating systems, and applications updated.
How to identify whether you are infected?
- Regularly check the Mobile/Wi-Fi data usage of applications installed on mobile devices.
- Keep an eye on the alerts provided by Anti-viruses and Android OS and take necessary actions accordingly.
What to do when you are infected?
- Disable Wi-Fi/Mobile data and remove SIM cards – as in some cases, the malware can re-enable the Mobile Data.
- Perform a factory reset.
- Remove the application in case a factory reset is not possible.
- Take a backup of personal media files (excluding mobile applications) and perform a device reset.
What to do in case of any fraudulent transaction?
- In case of a fraudulent transaction, immediately report it to the concerned bank.
What should banks do to protect their customers?
- Banks and other financial entities should educate customers on safeguarding themselves from malware attacks via telephone, SMS, or emails.
MITRE ATT&CK® Techniques
| Tactic | Technique ID | Technique Name |
|---|---|---|
| Initial Access | T1476 | Deliver Malicious App via Other Means |
| Initial Access | T1444 | Masquerade as Legitimate Application |
| Persistence | T1402 | Broadcast Receivers |
| Collection | T1412 | Capture SMS Messages |
| Credential Access | T1411 | Input Prompt |
| Exfiltration | T1567 | Exfiltration Over Web Service |
Indicators of Compromise (IoCs)
| Indicators | Indicator Type | Description |
|---|---|---|
| b344e13fc9840d1c3dcd14778777f8f28b1b56e633989e0649761eddfbf9798a | SHA256 | Hash of the analyzed APK file |
| cbaabe04312cdffe7529deb209c97231b36af7dc | SHA1 | Hash of the analyzed APK file |
| b91d45e2b33d0446d814bc86d1477d28 | MD5 | Hash of the analyzed APK file |
| hxxps://sgbx[.]online | URL | C&C server |
| hxxps://bestpay-vn[.]store/ | URL | Malware Distribution Phishing Site |
| b003f25170be4f015fb01026b42046c6800bbb6d0548140ae2aa78b5bdb769b0 | SHA256 | Hash of the analyzed APK file |
| 63ee2db3c916812b86616f09c13901046a586232 | SHA1 | Hash of the analyzed APK file |
| 2c428b6e60950590b18f6c761e144423 | MD5 | Hash of the analyzed APK file |
| hxxps://superstore88[.]xyz | URL | C&C server |
| hxxps://kaksiti-clean[.]store | URL | Malware Distribution Phishing Site |
| hxxps://qnmholidays[.]store | URL | Malware Distribution Phishing Site |
| hxxps://agencysmy[.]store | URL | Malware Distribution Phishing Site |
| hxxps://44speed-mart[.]com | URL | Malware Distribution Phishing Site |
| hxxps://kuisland-travelz[.]store | URL | Malware Distribution Phishing Site |
| hxxps://bestpay-vn[.]store | URL | Malware Distribution Phishing Site |
| hxxp://goomart[.]net | URL | Malware Distribution Phishing Site |
| hxxp://coco-cat[.]info | URL | Malware Distribution Phishing Site |
| hxxps://suria-fruit[.]com | URL | Malware Distribution Phishing Site |
| hxxps://mycleanon[.]store | URL | Malware Distribution Phishing Site |
| hxxps://mycleanson[.]store | URL | Malware Distribution Phishing Site |
| hxxps://mycleanzon[.]store | URL | Malware Distribution Phishing Site |
| hxxps://cleanzon-my[.]store | URL | Malware Distribution Phishing Site |
| hxxp://go-mart[.]info | URL | Malware Distribution Phishing Site |
| hxxps://kleannhouse[.]site | URL | Malware Distribution Phishing Site |
| hxxps://kleannhouz[.]site | URL | Malware Distribution Phishing Site |
| hxxps://kleannhouse[.]store | URL | Malware Distribution Phishing Site |
| hxxps://kleannhouz[.]store | URL | Malware Distribution Phishing Site |
| hxxps://cleanzons[.]online | URL | Malware Distribution Phishing Site |
| hxxps://carzman[.]site | URL | Malware Distribution Phishing Site |
| hxxp://cleaningz-on[.]store | URL | Malware Distribution Phishing Site |
| hxxps://kleanzhouz[.]store | URL | Malware Distribution Phishing Site |
| hxxps://kleanhouse[.]store | URL | Malware Distribution Phishing Site |
| hxxps://kuzislandtravel[.]store | URL | Malware Distribution Phishing Site |
| hxxps://clean-ons[.]store | URL | Malware Distribution Phishing Site |
| hxxps://carz-man[.]site | URL | Malware Distribution Phishing Site |
| hxxps://gomart[.]info | URL | Malware Distribution Phishing Site |
| hxxps://proz-cleaning[.]online | URL | Malware Distribution Phishing Site |
| hxxps://cleanzonz[.]online | URL | Malware Distribution Phishing Site |
| hxxp://kleanhouz[.]online | URL | Malware Distribution Phishing Site |
| hxxps://yourmaidsagency[.]store | URL | Malware Distribution Phishing Site |
| hxxps://kleanshouz[.]store | URL | Malware Distribution Phishing Site |
| hxxps://eibayar[.]store | URL | Malware Distribution Phishing Site |
| hxxps://prozclean[.]store | URL | Malware Distribution Phishing Site |
| hxxps://prozcleaning[.]store | URL | Malware Distribution Phishing Site |
| hxxps://cleaneron[.]store | URL | Malware Distribution Phishing Site |
| hxxp://proscleaning[.]store | URL | Malware Distribution Phishing Site |
| hxxps://cleaner-on[.]store | URL | Malware Distribution Phishing Site |
| hxxps://tripvoucherzcart[.]store | URL | Malware Distribution Phishing Site |
| hxxps://pro-cleaning[.]store | URL | Malware Distribution Phishing Site |
| hxxps://familycleaningz4u[.]store | URL | Malware Distribution Phishing Site |
| hxxps://sunshinecars[.]store | URL | Malware Distribution Phishing Site |
| hxxps://maxs-cleanings[.]store | URL | Malware Distribution Phishing Site |
| hxxps://max-cleanings[.]store | URL | Malware Distribution Phishing Site |
| hxxp://maxs-cleaning[.]store | URL | Malware Distribution Phishing Site |
| hxxps://tripvouchers[.]store | URL | Malware Distribution Phishing Site |
| hxxps://procleanings[.]store | URL | Malware Distribution Phishing Site |
| hxxps://yourmaidagency[.]store | URL | Malware Distribution Phishing Site |
| hxxps://winewarehouse-my[.]store | URL | Malware Distribution Phishing Site |
| hxxps://winewarehouses[.]store | URL | Malware Distribution Phishing Site |
| hxxps://kuislandtravels[.]online | URL | Malware Distribution Phishing Site |
| hxxps://familyclean4you[.]online | URL | Malware Distribution Phishing Site |
| hxxps://homecleaning[.]store | URL | Malware Distribution Phishing Site |
| hxxps://mariecleaning[.]store | URL | Malware Distribution Phishing Site |
| hxxps://tripvouchercart[.]store | URL | Malware Distribution Phishing Site |
| hxxp://kuislandtravel[.]store | URL | Malware Distribution Phishing Site |
| hxxps://wine4u-warehouse[.]online | URL | Malware Distribution Phishing Site |
| hxxps://midcleaning-my[.]site | URL | Malware Distribution Phishing Site |
| hxxps://mariecleaningmy[.]site | URL | Malware Distribution Phishing Site |
| hxxps://yourmaid-my[.]online | URL | Malware Distribution Phishing Site |
| hxxps://n-warehouse[.]online | URL | Malware Distribution Phishing Site |
| hxxps://midszcleaning[.]online | URL | Malware Distribution Phishing Site |
| hxxps://midscleaningz[.]online | URL | Malware Distribution Phishing Site |
| hxxps://homezcleanings[.]site | URL | Malware Distribution Phishing Site |
| hxxps://youmaidz[.]online | URL | Malware Distribution Phishing Site |
| hxxps://yourzmaid-my[.]online | URL | Malware Distribution Phishing Site |
| hxxps://yourmaidzs[.]site | URL | Malware Distribution Phishing Site |
| hxxps://yourmaidz[.]site | URL | Malware Distribution Phishing Site |
| hxxps://yourmaidz[.]online | URL | Malware Distribution Phishing Site |
| hxxps://midcleaningz[.]online | URL | Malware Distribution Phishing Site |
| hxxps://midcleaningzs[.]online | URL | Malware Distribution Phishing Site |
| hxxps://homezcleaningz[.]online | URL | Malware Distribution Phishing Site |
| hxxps://homezcleanings[.]online | URL | Malware Distribution Phishing Site |
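The IoC list above is published defanged (hxxp and [.]), so before it can be matched against telemetry it has to be refanged and reduced to host names. The following Python script is an added example (not part of the report) that does this for a subset of the table and scans DNS-resolver and proxy log lines for hosts that equal, or are subdomains of, a listed site. The log lines and their key=value format are constructed for illustration; the IoC strings themselves are copied from the table.

```python
# Added example: refang the report's defanged IoCs and scan log lines for
# contact with the distribution sites or the C&C servers. The log lines and
# the key=value log format they use are constructed for illustration.
import re
from urllib.parse import urlsplit

# A subset of the IoC table above, copied as published (defanged).
DEFANGED_IOCS = [
    "hxxps://sgbx[.]online",
    "hxxps://superstore88[.]xyz",
    "hxxps://bestpay-vn[.]store/",
    "hxxps://kleannhouz[.]site",
    "hxxp://goomart[.]net",
]

# Constructed DNS-resolver and proxy log lines (assumed key=value format).
SAMPLE_LOG = [
    "2022-09-01T10:12:03Z resolver client=10.0.0.12 query=www.kleannhouz.site type=A",
    "2022-09-01T10:12:09Z proxy src=10.0.0.12 dst=sgbx.online dport=443 action=allow",
    "2022-09-01T10:13:44Z resolver client=10.0.0.31 query=play.google.com type=A",
    "2022-09-01T10:14:01Z proxy src=10.0.0.31 dst=notsgbx.online dport=443 action=allow",
    "2022-09-01T10:15:20Z proxy src=10.0.0.12 dst=bestpay-vn.store dport=443 action=allow",
]


def refang(indicator):
    """Undo the hxxp / [.] defanging used in the IoC table."""
    return indicator.replace("hxxp", "http").replace("[.]", ".")


def ioc_hosts(indicators):
    """Set of lower-case host names taken from defanged URL indicators."""
    hosts = set()
    for ind in indicators:
        host = urlsplit(refang(ind)).hostname
        if host:
            hosts.add(host.lower().rstrip("."))
    return hosts


# Fields that carry a host name in the assumed log format.
HOST_FIELD = re.compile(r"\b(?:query|dst)=([A-Za-z0-9.-]+)")


def host_matches(host, blocklist):
    """Exact match or subdomain of a blocklisted host; never a bare substring,
    so notsgbx.online does not match sgbx.online."""
    host = host.lower().rstrip(".")
    return any(host == bad or host.endswith("." + bad) for bad in blocklist)


def scan_log(lines, blocklist):
    """Return (line_number, host) for each line whose host hits the blocklist."""
    hits = []
    for number, line in enumerate(lines, start=1):
        for host in HOST_FIELD.findall(line):
            if host_matches(host, blocklist):
                hits.append((number, host))
    return hits


def scan_sample():
    """Run the scanner over the constructed log with the constructed IoC subset."""
    return scan_log(SAMPLE_LOG, ioc_hosts(DEFANGED_IOCS))


if __name__ == "__main__":
    for number, host in scan_sample():
        print("line %d: %s matched the IoC list" % (number, host))
```

Because the matcher is exact-or-subdomain only, each typosquatted variant in the table (kleanhouz, kleannhouz, kleanhouse, and so on) is caught only if it is present in the list, which is why the full table rather than a subset should be loaded in practice; the regex for the host field will need adjusting to whatever log format the environment actually produces.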