Highlights

  • Check Point Research (CPR) uncovered a fresh strain of malware that is cleverly disguised as popular Android applications from East Asia.
  • The malware campaign is highly sophisticated and is directed at a variety of sectors in Eastern Asia. It mimics legitimate apps, each of which has already been downloaded by over 100,000 users.
  • The goal of this phishing scheme is to steal sensitive information, including user credentials (like 2FA) and credit card details.

 New Malware findings

Check Point Research (CPR) has spotted a concerning new malware strain, dubbed FluHorse. The malware operates via a set of malicious Android applications, each of which mimics a popular and legitimate app with over 100,000 installs. These malicious apps are designed to extract sensitive information, including user credentials and Two-Factor Authentication (2FA) codes.

Two factor authentication (2FA) can improve security for anyone using an online service or accessing corporate resources. Basically, it requires the user to provide two different types of information to authenticate or prove they are who they say they are before access is granted.

FluHorse targets multiple sectors in Eastern Asia, and is typically distributed via email. In some cases, high-profile entities such as governmental officials were targeted at the initial stages of the phishing email attack.
FluHorse comes as the APAC region is experiencing a major increase in cyberattacks – in the first quarter of 2023, the average organization in APAC was attacked 1,835 times per week according to Check Point Research. This is a 16% increase over the first quarter of 2022.

One of FluHorse’s most worrying aspects is its ability to remain undetected for extended periods of time, making it a persistent and dangerous threat that is difficult to identify. CPR urges businesses and individuals in the affected regions to remain vigilant and take steps to protect themselves against this sophisticated and potentially devastating new malware.

In this research, CPR describe the different attacks, and provides examples of the phishing malicious applications, compared to the original, legitimate mimicked android apps, showing how difficult it may be to spot the differences.

Mimicked applications

Cybercriminals often opt for popular apps with a high number of downloads to maximize the impact of their attack and gain greater traction.
This case was no exception.
The attackers chose an eclectic selection of targeted sectors for specific countries, using one mimicked application in each country:

Country Sphere Mimicked App
Google Play installs of a mimicked app
Taiwan Toll Collection ETC  +1,000,000
Undisclosed Transportation  Undisclosed + 100,000
Vietnam Banking Undisclosed +1,000,000

Attackers have targeted these mimicked applications from reputable companies because they are confident that such applications will attract financially stable customers. This is because the companies behind these applications have a solid reputation for trustworthiness.

Phishing scheme

The diagram below summarizes the phishing scheme in a graphical form: After the victim enters his credentials, it is sent to a server controlled by the attackers (C&C server). The malware then tells the victim to wait while the information is being processed. At the same time, the malware starts intercepting all incoming text messages, including any codes sent for two-factor authentication. If the attackers have stolen the victim’s login credentials or credit card information, they can use this to bypass the 2FA and gain access to the victim’s accounts.

Image 1 – How the malware performs phishing attacks.

Luring victims to download the mimicked apps

Phishing emails are one of the most common cyber threats that an organization and individuals may face. Phishing attacks can be used to accomplish a variety of goals for an attacker including stealing user credentials, data, and money, as well as delivering malware to a recipient’s computer or luring the victim to download a file.
We discovered multiple high-profile entities among the recipients of these specific emails in this attack, including employees of the government sector and large industrial companies.
This is an example of one of these luring emails, aiming to have the victim download the malicious app:

Image 3 – Example of an email sent by malware operators to government recipient.

 

This is the email translation:

Dear eTag user

Your one-time toll of 128 yuan expires on January 10, 2023. To avoid
a fine of 300 yuan per transaction, please use your mobile phone to click
and download the Yuantong Electric Collection App as soon as possible
Pay online. https://www.fetc-net[.com
Far Eastern Electronic Toll Collection Co,Ltd.All Right Reserved.
Yuantong Electric has trademarks and copyrights, please do not copy or
reprint without authorization.
If you have any questions, please call Yuantong Customer Service Line 02-77161998.

Thanks.

Remain protected against Mobile Threats

As the human factor remains an important factor in similar attacks, Check Point Research recommends the following suggestions for mobile device users:

  • Check Point’s Harmony Mobile prevents malware from infiltrating mobile devices by detecting and blocking the download of malicious apps in real-time. Harmony Mobile’s unique network security infrastructure – On-device Network Protection – allows you to stay ahead of emerging threats by extending Check Point’s industry-leading network security technologies to mobile devices.
  • Users are advised to remain vigilant and refrain from clicking on links arriving by emails or texts from unknown sources.

How to Identify a Spoofed Email

Spoofed emails are part of phishing campaigns, which are designed to trick the recipient into taking some action that helps the attacker. If an email has an embedded link to click, an attachment, or requests some other action, then it is wise to check it for spoofing.

In some cases, the attacker may use a real, lookalike address, such as substituting cornpany.com for company.com. In others, the value of the FROM header may be replaced with a legitimate address that is not under the sender’s control.

While the first case can usually be detected by taking a careful look at the sender’s email address, the second might require more digging. Spoofed FROM addresses can be identified based on:

Context: Phishing emails are designed to look legitimate, but they may not always succeed. If an email doesn’t sound like it came from the alleged sender, it may be a spoofed phishing email.

Reply-To: A Reply-To address enables replies to an email from one address to be directed to another. While this has legitimate uses (such as mass email campaigns), it is unusual and should be cause for suspicion for emails coming from a personal account.

Received: The RECEIVED header in an email indicates the IP addresses and domain names of the computers and email servers along the path that the email traveled. An email from and to email addresses within the same company should only pass through the company’s email server.

 

The full technical research is available at http://research.checkpoint.com

*Last updated on 08/05/2023

 

 

 

 

 

 

 

 

 

 

 

 

 

 

You may also like