FinStealer
This article discusses a sophisticated malware campaign targeting a leading Indian bank through fake mobile applications, advancing financial fraud via credential theft and social engineering. Key tactics include phishing links, dynamic payloads, and encrypted communications with C2 servers. The malware’s primary objective is to steal credentials and sensitive data for financial gain. Affected: Indian Bank, financial institutions, mobile banking users

Key points:

  • Trojan.rewardsteal/joxpk malware exploits a leading Indian bank’s brand through fraudulent apps.
  • Malware is distributed via phishing and unofficial app stores, deceiving users into revealing sensitive information.
  • Risks include compromise of personal information and theft of financial data; the malware evades detection using advanced techniques.
  • Utilizes Telegram bots and IP-based servers for Command-and-Control (C2) operations.
  • Malware collects Personally Identifiable Information (PII) and banking credentials.
  • SQL injection vulnerabilities are exploited to control the C2 server.
  • Recommendations include advanced threat monitoring and proactive user education to mitigate risks.

MITRE Techniques:

  • Execution: Scheduled Task/Job (T1603) – Adversaries create or modify scheduled tasks for execution.
  • Persistence: Foreground Persistence (T1541) – Malware remains active in the foreground to ensure persistence.
  • Privilege Escalation: Scheduled Task/Job (T1603) – Using scheduled tasks to escalate privileges.
  • Defense Evasion: Hide Artifacts (T1628) – Techniques to hide malicious artifacts from detection.
  • Defense Evasion: User Evasion (T1628.002) – Evading detection by imitating legitimate user behavior.
  • Credential Access: Clipboard Data (T1414) – Capturing sensitive data copied to the clipboard.
  • Discovery: System Network Configuration Discovery (T1422) – Identifying network configurations and connected devices.
  • Impact: Data Manipulation (T1641) – Modifying data to disrupt operations or mislead users.
  • Impact: Transmitted Data Manipulation (T1641.001) – Altering transmitted data for malicious purposes.

Indicators of Compromise:

  • [Domain] https[:]//motocharge[.]online/
  • [IP] 41[.]216[.]183[.]97
  • [IP] 92[.]113[.]19[.]132
  • [SHA-256] 0c874cbd38d49db0d6b24aee6c57382b1fe912158f8dcb0786933ff2c206e1c9
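The indicators above are published in defanged form (`[.]`, `[:]`), so they cannot be compared directly against telemetry. The following added example (not code from the CYFIRMA report) refangs and classifies the listed IoCs, then matches them against a few constructed proxy/DNS/file-hash records; the record layout and field names are assumptions.

```python
"""Refang the FinStealer IoCs listed above and match them against telemetry."""
import re
from urllib.parse import urlsplit

# IoCs exactly as published on the page, still defanged.
DEFANGED_IOCS = [
    "https[:]//motocharge[.]online/",
    "41[.]216[.]183[.]97",
    "92[.]113[.]19[.]132",
    "0c874cbd38d49db0d6b24aee6c57382b1fe912158f8dcb0786933ff2c206e1c9",
]

def refang(value):
    """Undo the usual [.] / [:] / hxxp defanging so values become comparable."""
    value = value.replace("[.]", ".").replace("[:]", ":")
    return re.sub(r"^hxxp", "http", value, flags=re.IGNORECASE)

def classify(ioc):
    """Return (kind, normalised value); kind is 'hash', 'ip' or 'host'."""
    if re.fullmatch(r"[0-9a-f]{64}", ioc, re.IGNORECASE):   # SHA-256
        return "hash", ioc.lower()
    if re.fullmatch(r"\d{1,3}(\.\d{1,3}){3}", ioc):          # IPv4
        return "ip", ioc
    host = urlsplit(ioc).hostname if "://" in ioc else ioc   # URL -> host
    return "host", host.lower()

def build_index(defanged_iocs):
    """Group refanged IoCs by kind for O(1) lookups."""
    index = {"hash": set(), "ip": set(), "host": set()}
    for raw in defanged_iocs:
        kind, value = classify(refang(raw))
        index[kind].add(value)
    return index

# Constructed sample telemetry (assumed schema, not real logs): mixed case
# is deliberate to show that matching is case-insensitive.
SAMPLE_RECORDS = [
    {"id": 1, "host": "MOTOCHARGE.online", "dst_ip": "203.0.113.5"},
    {"id": 2, "host": "updates.example.com", "dst_ip": "92.113.19.132"},
    {"id": 3, "sha256": DEFANGED_IOCS[3].upper()},   # APK hash from inventory
    {"id": 4, "host": "www.example.org", "dst_ip": "198.51.100.7"},
]

def scan(records, index):
    """Return (record id, kind, matched value) for every record hitting an IoC."""
    hits = []
    for rec in records:
        for kind, field in (("host", "host"), ("ip", "dst_ip"), ("hash", "sha256")):
            value = rec.get(field, "").lower()
            if value and value in index[kind]:
                hits.append((rec["id"], kind, value))
    return hits

if __name__ == "__main__":
    for hit in scan(SAMPLE_RECORDS, build_index(DEFANGED_IOCS)):
        print(hit)
```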
Full Story: https://www.cyfirma.com/research/finstealer/