Resecurity
With the rapid growth of fraudulent activity in a post-pandemic world, the bad actors continue to upgrade their tooling to attack customers of major financial institutions (FIs), e-commerce platforms and online marketplaces. According to collected statistics in Q4 2022 during DFIR engagements conducted on Fortune 500 companies by Resecurity, cybercriminals are especially successful when attacking mobile apps and leveraging gained access for further unauthorized access and financial theft. Unless FIs implement various technologies to combat fraud, this vector remains relatively unprotected which provides threat actors enough flexibility to bypass fraud detection systems by ultimately controlling the victim's mobile device. Once the mobile device of the victim has been compromised, the bad actors can intercept OTP codes, incoming SMS messages, and phone calls to extract sensitive information including call history and contact lists. Besides other concerning types of threats such as "SIM Swapping" also widely used by fraudsters, mobile malware remains the key in a cybercriminals arsenal to conduct banking theft from consumers worldwide.
This research arranged by Resecurity Hunter team is focused on the new marketplace called “InTheBox”, recently emerged in the Dark Web and designed specifically for mobile malware operators. The first mentions of “InTheBox” were identified on reputable underground communities around January 2020 - since that time the key actor was offering webinjects development services for other cybercriminals privately, but after gaining enough credibility the actor scaled it to a fully productized automated marketplace. The automation allows other bad actors to create orders to receive the most up to date webinject for further implementation into mobile malware. For those using proprietary (or so called “private”), mobile malware is not widely available for sale or rent, because of this “InTheBox” is offering customized development solutions. As of today, the most widely malware families supporting webinjects are - Alien, Cerberus, Ermac, Hydra, Octopus (aka “Octo”), Poison, and MetaDroid.
The marketplace is available in TOR network:
As an OPSEC measure, the administrator of the marketplace also requires vetting of new customers:
After the successful account activation, the marketplace will offer listing of available webinjects for sale:
It is worth mentioning how almost all of them may be used for credential interception from any service the victim may attempt to access while using their mobile device besides online-banking. The bad actor may then use the data stolen from said devices for any malicious purposes. To facilitate successful credentials interception, the bad actors use a so called "Webinjects" - customized modules or packages used in malware that typically inject HTML or JavaScript code into content before it's rendered on a web browser. As a result, webinjects can alter what the user sees on his/her browser, as opposed to what's in fact being sent by the server.
Typically, malware developers design code to intercept victims credentials using such approach which in practice looks completely invisible visually, as the webinject will interpret an identical design of legitimate pages from popular services. Technically, the success rate of banking theft depends on the quality of the webinject and stability of mobile malware. During past years, the market of mobile banking malware became extremely mature, and the majority of Dark Web actors stopped selling it, they switched to potentially renting, or to privately us it.
Examples of webinjects:
There are multiple underground vendors developing webinjects - tracking the latest design and updates of legitimate mobile apps makes their attacks extremely efficient. The price on webinjects is typically lower than mobile malware itself and varies between 50$ and 200$ per inject depending how popular the FI is. Typically, it also includes basic support and possible customization in case the mobile app changes. The price range on mobile malware varies and with the recent shift to rent and private operations, the inject may exceed 5,000$ per month or leveraged commission-based model with payouts from successful thefts shared between malware operator and developers.
Just recently “InTheBox” implemented a new tariff called “unlim” allowing cybercriminals to generate unlimited number of webinjects during the subscription period. Such model allows to minimize manual and human interactions with the marketplace operators, simplifying malware customization processes.
Based on the chosen plan other malware operators can create orders on the injects or customized development. Their feedback and order status will be available via the portal:
The bad actor known as "inthebox" launched a new webinjects marketplace on the TOR network. The marketplace provides different templates of webinjects for various mobile malware families which are used independently or in combination to successful execute data theft:
- Template “Authorization data”
- Template “Ask only PIN”
- Template “With Credit Card data”
- Template “With Credit Card data + ATM PIN”
- Template “Ask Full Data”
Today, “InTheBox” provides access to over 400 professionally developed webinjects categorized by geography and target:
The majority of high-demand injects is related to payment services including digital banking and cryptocurrency exchangers. During November 2022 the actor arranged a significant update of close to 144 injects improving their visual design.
The marketplace has also region-specific categories with a strong focus on the U.S. and U.K. businesses, online-services and financial institutions:
Besides the U.S. and the U.K. as 2 major geographies to target consumers, “InTheBox” provides webinjects for online-services and financial institutions from over 28 countries including Andorra, Argentina, Austria, Australia, Belgium, Brazil, Canada, Chile, Colombia, Germany, Denmark, Spain, France, Georgia, Greece, Hungary, Italy, Japan, Mexico, Malaysia, Nigeria, Peru, Poland, Portugal, Qatar, Romania, Turkey, United Arab Emirates and Saudi Arabia.
The full list of other injects for sale porovided below:
Modern mobile malware for example “MetaDroid”, has an advanced implementation of WEB-injects aimed towards banking platforms, and may use several injects simultaneously. Below is an example of 5 victims using mobile devices under Android OS from China, Finland, Netherlands, France and United States with collected credentials from popular services.
Once the victim has been successfully infected and credentials have been delivered to a C2C Server, mobile malware enabled operators execute various commands to manage the victim and to perform actions on their devices for further successful theft (“Get SMS list”, “Send SMS” or “Forward Call”, for example:- when interacting with the bank’s validation systems to confirm transaction or OTP code). This set of commands may vary depending on the mobile banking malware family.
Bots like ERMAC have functions to manage WEB-injects from C2C server (“Injections” – on the screenshot below):
Significance
There is no doubt, “In The Box” may be called the largest and probably the only one in its marketplace category providing high-quality webinjects for popular types of mobile malware. It is expected cybercriminals will continue to upgrade their tools to attack consumers, and will start developing more advanced webinjects as well. For today, "In the Box" is leveraged by cybercriminals to attack over 300 financial institutions (FIs), payment systems, social media and online-retailers in 43 countries.