FinStealer

The document details a sophisticated malware campaign, FinStealer, targeting an Indian bank through fraudulent mobile applications that mimic legitimate ones, primarily for financial gain via credential theft. The malware employs advanced evasion techniques, including encrypted communication and dynamic payload execution, making it difficult to detect. Recommendations for mitigating risks include advanced threat monitoring, user education, and proactive security measures to combat these evolving cyber threats.

EXECUTIVE SUMMARY
At CYFIRMA, we provide cutting-edge insights into the ever-evolving tactics of
cybercriminals targeting organizations and individuals. This analysis has uncovered a
sophisticated malware campaign exploiting a leading Indian bank’s brand through
fraudulent mobile applications. Distributed via phishing links and social engineering,
these fake apps closely mimic the bank's legitimate apps, tricking users into revealing
credentials, financial data, and personal details. The malware employs advanced
evasion techniques, including encrypted communication with Command-and-Control
(C2) servers, dynamic payload execution, and runtime behaviour alterations, enabling it
to bypass detection by security systems.
The attackers' primary motive is financial gain through large-scale credential theft,
unauthorized transactions, and the sale of stolen banking and personal data on darknet
forums. Additionally, the campaign may serve as a stepping stone for broader fraud
operations, enabling threat actors to launder money, conduct identity theft, and exploit
compromised accounts for further malicious activities.

Our research delves into the threat actors' tactics, including the use of Telegram bots,
SQL injection attacks, and XOR encryption to enhance operational complexity. The
report highlights the significant impact of these campaigns and provides actionable
recommendations such as advanced threat monitoring, vulnerability patching, and user
education to mitigate risks. With these insights, CYFIRMA aims to empower organizations
to detect emerging threats and protect customers from sophisticated banking malware
attacks.

INTRODUCTION
In today’s digital age, banking mobile applications have become integral to managing
financial transactions, offering unparalleled convenience and accessibility. However, this
widespread adoption has also attracted the attention of cybercriminals, making these
applications prime targets for exploitation. Recently, threat actors have intensified their
efforts to compromise financial security by leveraging the bank’s brand through
fraudulent mobile applications designed to mimic the legitimate apps.

One such threat, Trojan.rewardsteal/joxpk, demonstrates the evolving sophistication of
cyberattacks. Distributed via phishing campaigns and unofficial app stores, this malware
not only deceives users into divulging sensitive information but also exfiltrates Personally
Identifiable Information (PII), including banking credentials and card details. Utilizing
advanced tactics such as string obfuscation, XOR encryption, and Telegram-based
Command-and-Control (C2) mechanisms, the malware evades detection and poses a
substantial risk to financial institutions and their customers.

This report explores the tactics, techniques, and procedures (TTPs) employed by the
attackers, shedding light on the social engineering strategies, malware capabilities, and
distribution methods. Additionally, it highlights the need for proactive measures to
mitigate risks and protect users from these sophisticated threats.

KEY FINDINGS
• The malware is built using Kotlin, ensuring efficient performance and seamless
compatibility with Android devices.
• Uses both IP-based servers and Telegram bots as Command-and-Control (C2)
servers.
• Employs XOR-based string obfuscation to evade detection and hinder analysis.
• Requests personal information and sensitive card details from users.
• Leaks PII, including personal details and banking credentials, exposing users to
identity theft.

Technical Analysis
Source Website
The screenshot below reveals the source website hosting the malicious APK.

Snapshot of Malicious Source Website.

The snapshot below shows the redirects in action, highlighting the sequence of URLs the
traffic is sent through. Redirect chains of this kind can indicate malicious activity, since
attackers often use redirects to steer users to phishing sites or to deliver malware.

Snapshot of redirects

The WHOIS details below provide information about the domain registration, ownership,
and contact details, which can help identify the entity behind the domain and assess its
legitimacy.

Snapshot of WHOIS.

APK
File Name      Bank[.]apk
File Size      4.67 MB
Signed         Signed
MD5 Hash       9d0460f69ed87ee3580c51c4b7c7ed1d
SHA-256 Hash   0c874cbd38d49db0d6b24aee6c57382b1fe912158f8dcb0786933ff2c206e1c9

APK Details

The table below lists the permissions requested by the app that are relevant to its
malicious activity.
Sr.no  Permission    Description
1.     RECEIVE_SMS   Allows the threat actor to receive and read incoming SMS messages on the device.
2.     SEND_SMS      Allows the threat actor to send SMS messages from the device without the user's consent.
3.     READ_SMS      Allows the app to read and access SMS messages stored on the device.

The following snippet provides clear evidence of string obfuscation, showcasing
techniques to conceal the malware's functionality and evade detection.

Obfuscated Code.

This snippet from the obfuscated module identifies the cipher type as XOR and the key
as "npmanager". It shows how the malware obfuscates its strings to hinder analysis and
evade detection.

Obfuscated Module.
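
The decoding step described above, written as an added example (not CYFIRMA's or the malware's own code): repeating-key XOR with the key "npmanager" named in the report, with the recovered strings then checked against indicators the report lists elsewhere (the "/bot" Telegram path and "wixsite.com" strings from the YARA rule, and the IP-based C2 server). The sample ciphertexts are constructed for this example, and plain repeating-key XOR over the raw bytes is an assumption about the obfuscator, since the report names only the cipher type and key.

```python
# Added example, not code from the report or the sample. Assumes the obfuscator
# is plain repeating-key XOR over raw bytes with the key "npmanager".
from itertools import cycle

KEY = b"npmanager"  # key named in the report

# Indicators taken from the report: Telegram bot API path fragment, the
# website-builder host used for the WebView page, and the IP-based C2 server.
INDICATORS = {
    "telegram-bot-c2": "/bot",
    "wix-webview": "wixsite.com",
    "ip-c2": "41.216.183.97",
}


def xor_bytes(data: bytes, key: bytes = KEY) -> bytes:
    """XOR data against a repeating key. XOR is symmetric, so the same
    function both obfuscates and decodes."""
    if not key:
        raise ValueError("empty key")
    return bytes(b ^ k for b, k in zip(data, cycle(key)))


def decode_strings(blobs: list[bytes], key: bytes = KEY) -> list[str]:
    """Decode a list of obfuscated byte strings. Non-UTF-8 output is kept
    with replacement characters so one bad blob never aborts the analysis."""
    return [xor_bytes(b, key).decode("utf-8", errors="replace") for b in blobs]


def classify(decoded: list[str]) -> dict[str, list[str]]:
    """Map each report indicator to the decoded strings that contain it."""
    hits: dict[str, list[str]] = {name: [] for name in INDICATORS}
    for s in decoded:
        for name, needle in INDICATORS.items():
            if needle in s:
                hits[name].append(s)
    return hits


# Constructed sample plaintexts (the token, panel path and site name are
# placeholders, not values from the sample) and what the assumed obfuscator
# would emit for them.
SAMPLE_PLAINTEXTS = [
    "https://api.telegram.org/bot<TOKEN>/sendMessage",  # Telegram bot C2
    "http://41.216.183.97/panel/upload",                # IP-based C2
    "https://example-bank.wixsite.com/login",           # WebView phishing page
]
SAMPLE_BLOBS = [xor_bytes(p.encode()) for p in SAMPLE_PLAINTEXTS]

if __name__ == "__main__":
    for name, matches in classify(decode_strings(SAMPLE_BLOBS)).items():
        print(f"{name}: {matches}")
```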

The screenshot below is from the communication servers, showcasing the infrastructure
used for data exfiltration. It highlights the use of IP-based servers (41.216.183.97) and a
Telegram bot (NEW DEVICE) for C2 operations, ensuring flexibility and stealth in executing
malicious activities.

Module to communicate with communication servers.

The decoded string reveals details of the communication servers, highlighting their use of
IP-based infrastructure for C2 operations, enabling data exfiltration and stealthy malware
activity.

Decoded value of communication servers.

The string below indicates that the app communicates through Telegram bots, enabling
remote control and facilitating data exfiltration. This method allows the attackers to
maintain flexibility in their command-and-control infrastructure, bypassing traditional
security measures. Using Telegram bots, the malware can receive instructions and send
stolen data without raising suspicion, making it more difficult for security systems to detect
and block the communication.

The module communicating through Telegram bots.

Telegram Bot – ID and API Key

Telegram bot.

Telegram ID which frequently interacted with the bot.

This snippet is using WebView, a component that allows embedding web content within
a mobile application. It facilitates the display of HTML pages, enabling seamless
integration of web-based content into native apps.

Module to WebView.

The decoded string is a URL pointing to a cloud-based website-building platform that
allows users to create and host websites without needing advanced technical skills.
Commonly used for legitimate purposes, it has also been exploited by attackers to create
phishing sites, host malware, and deceive users. Because setting up a site is so simple,
malicious actors can easily create convincing pages that impersonate trusted services
and steal sensitive information. This highlights the need for caution when interacting
with URLs from unknown sources, as they could lead to compromised or fraudulent sites.

Technical Analysis and Exploitation of C2 Server
The page below is a snapshot of the communication server, displaying the IP-based
infrastructure used for managing the malware's command-and-control operations. This
server facilitates data exfiltration and the execution of remote commands, allowing
attackers to maintain control over infected devices.

Snapshot of C2 Server

The snapshot highlights a high-severity vulnerability in the C2 server, identified as
CVE-2011-2688. This vulnerability lies within the mysql/mysql-auth.pl script of the
mod_authnz_external module (version 3.2.5 and earlier) for the Apache HTTP Server. It is
an SQL injection issue that allows remote attackers to execute arbitrary SQL commands
through the user field, potentially compromising the server and enabling unauthorized
access.

Snapshot of the Vulnerability

The screenshot below reveals the password of the C2 server, which has been extracted
through the exploitation of CVE-2011-2688. This vulnerability, an SQL injection flaw in the
mysql/mysql-auth.pl script of the mod_authnz_external module, allows attackers to
execute arbitrary SQL commands, enabling them to retrieve sensitive credentials such as
the C2 server's password.

Snapshot of Vulnerability

The screenshot below shows the extracted password of the C2 server. Using the retrieved
credentials, we accessed the server to investigate its control mechanisms, uncovering its
potential to expose sensitive PII and critical data.

Snapshot of C2 Server – Admin Panel

Snapshot of Sample Data stored in C2 Server

EXTERNAL THREAT LANDSCAPE MANAGEMENT

The Trojan.rewardsteal/joxpk malware was traced back to the suspicious website
motocharge[.]online, which hosts fraudulent versions of the bank’s mobile banking app.
This site, part of a broader attack targeting users of the banking app, distributes malware
through phishing links often disguised as ads or app download prompts. The malware
collects sensitive data, including login credentials, and communicates with Telegram
bots for data exfiltration and command execution. The C2 server associated with the
malware is also vulnerable to an SQL injection (CVE-2011-2688), which could allow
attackers to extract critical information, such as server passwords. This indicates a
multi-layered approach by the threat actor to maintain control over infected devices.

In conclusion, the threat actor behind the malware campaign is leveraging sophisticated
techniques, including phishing, obfuscation, and exploiting server vulnerabilities to avoid
detection. The attack primarily uses the motocharge[.]online site and Telegram bots for
distribution and data theft, highlighting the dangers of cybercriminals exploiting trusted
platforms to target users. The campaign's complexity calls for proactive defense
measures from both security teams and users to mitigate risk.

Diamond Model

Adversary:       Cybercriminals: financial fraud and identity theft
Capabilities:    Kotlin-built malware; XOR obfuscation; PII and banking data exfiltration;
                 dynamic C2 communication
Infrastructure:  IP-based server and Telegram bot; APK
Target:          Bank's account holders

CONCLUSION
The external threat landscape continues to evolve, with cybercriminals employing
increasingly sophisticated techniques to exploit vulnerabilities and compromise user
data. The case of Trojan.rewardsteal/joxpk targeting Bank users through fraudulent
mobile applications exemplifies the growing complexity of these threats. By leveraging
tactics such as advanced malware obfuscation, SQL injection vulnerabilities, and
communication through Telegram bots and IP-based servers, attackers can stealthily
exfiltrate sensitive information and maintain persistent access to compromised systems.
This highlights the critical need for a proactive and multi-layered cybersecurity strategy.
Organizations must continuously monitor external threats, identify vulnerabilities, and
implement effective countermeasures, including patching known exploits and
educating users on the risks of phishing and malicious applications. By adopting a
comprehensive approach to external threat management, organizations can reduce
their exposure to cyber risks, safeguard sensitive data, and ensure the security and trust
of their users.
YARA Rule:
rule Bank_Fraud_App
{
    meta:
        author = "CRT"
        description = "Detects fraudulent mobile apps impersonating Bank"
        date = "2025-02-04"
        severity = "High"
        category = "Banking Malware"

    strings:
        $telegram_bot = "/bot" ascii nocase
        $hex_pattern = { 6c 43 6c 43 6c 20 63 72 65 64 69 74 20 63 61 72 64 }
        $wix_webview = "wixsite.com" ascii nocase

    condition:
        any of ($telegram_bot, $hex_pattern, $wix_webview)
}

RECOMMENDATIONS
Strategic Recommendations:
Block Exploit-Like Behavior: Monitor endpoint memory for unusual process handle
requests and other behavioral patterns indicative of exploitation to detect both known
and zero-day threats.

Implement a Holistic Security Strategy: Reduce the attack surface with proactive security
controls, effective patch management, and active network monitoring through
next-generation security solutions.

Deploy Advanced Endpoint Protection: Utilize endpoint security solutions that detect and
prevent malware and malicious activities using behavior-based analysis instead of relying
solely on signature-based detection.

Management Recommendations:
Policy Enforcement: Establish strict policies for app development, distribution, and
monitoring to prevent impersonation and fraud.

Incident Response Plan: Develop and regularly update an incident response strategy to
quickly address malware-related breaches.

Regular Audits: Conduct periodic security audits of mobile applications and associated
infrastructure to identify vulnerabilities.

Tactical Recommendations:
Application Monitoring: Continuously monitor app stores and third-party platforms for
fake Bank applications.

Threat Hunting: Actively search for phishing campaigns and C2 infrastructure using threat
intelligence tools.

String Analysis: Implement static and dynamic analysis to detect obfuscated malware
and suspicious app behavior.

Build and undertake safeguarding measures by monitoring/blocking the IOCs and
strengthening defence based on the tactical intelligence provided.

Add the YARA rule for threat detection and monitoring which will help to detect
anomalies in log events and identify and monitor suspicious activities.

APPENDIX 1
MITRE ATT&CK MAPPING (MOBILE)

Tactic                Technique                                         ID         Description
Execution             Scheduled Task/Job                                T1603      Adversaries create or modify scheduled tasks for execution.
Persistence           Foreground Persistence                            T1541      Malware remains active in the foreground to ensure persistence.
Privilege Escalation  Scheduled Task/Job                                T1603      Using scheduled tasks to escalate privileges.
Defense Evasion       Hide Artifacts                                    T1628      Techniques to hide malicious artifacts from detection.
Defense Evasion       Hide Artifacts: User Evasion                      T1628.002  Evading detection by imitating legitimate user behavior.
Credential Access     Clipboard Data                                    T1414      Capturing sensitive data copied to the clipboard.
Discovery             System Network Configuration Discovery            T1422      Identifying network configurations and connected devices.
Collection            Clipboard Data                                    T1414      Harvesting clipboard data for sensitive information.
Impact                Data Manipulation                                 T1641      Modifying data to disrupt operations or mislead users.
Impact                Data Manipulation: Transmitted Data Manipulation  T1641.001  Altering transmitted data for malicious purposes.

IOCs
No  Indicator of Compromise (IOC)                                       Type     Remarks
1   https[:]//motocharge[.]online/                                      Domain   Source
2   41[.]216[.]183[.]97                                                 IP       C2
3   92[.]113[.]19[.]132                                                 IP       Source
4   0c874cbd38d49db0d6b24aee6c57382b1fe912158f8dcb0786933ff2c206e1c9    SHA-256  SHA256

CYFIRMA is an external threat landscape management platform company. We combine
cyber intelligence with attack surface discovery and digital risk protection to deliver early
warning, personalized, contextual, outside-in, and multi-layered insights. Our cloud-based AI
and ML-powered analytics platform provides the hacker’s view with deep insights into the
external cyber landscape, helping clients prepare for impending attacks. CYFIRMA is
headquartered in Singapore with offices across APAC, the US, and EMEA. The company is
funded by Goldman Sachs, Zodius Capital, Z3 Partners, and L&T Innovations Fund.
