A fake e-shop scam campaign has been targeting Southeast Asia since 2021, as CRIL observed a surge in activity in September 2022, with the campaign expanding from Malaysia to Vietnam and Myanmar.
The attackers use phishing websites to distribute a malicious APK (Android application package), which steals user credentials through SMS and can now also take screenshots and utilize accessibility services on the victim’s device, giving the attackers more control.
Cybercriminals have launched a fake e-shop campaign in Malaysia since 2021 by impersonating cleaning services on social media, tricking victims into contacting them via WhatsApp.
It led users to download malicious APKs through phishing websites.
The malware specifically targeted login credentials for Malaysian banks, including Hong Leong, CIMB, Maybank, and others, demonstrating a growing trend of social engineering tactics combined with phishing attacks to steal banking information.
AI-Powered Protection for Business Email Security
Trustifi’s Advanced threat protection prevents the widest spectrum of sophisticated attacks before they reach a user’s mailbox. Try Trustifi Free Threat Scan with Sophisticated AI-Powered Email Protection .
A fake e-shop campaign observed by Cyble has been expanding its operations across Southeast Asia, where attackers use phishing websites disguised as legitimate payment gateways to distribute malware.Â
The malware then delivers fake login pages designed to steal bank credentials; in Vietnam, the campaign targeted HD Bank customers with a website mimicking the bank’s online portal.
They also used a command and control server to manage the malicious operation, as in Myanmar, the campaign used a similar tactic but targeted different banks and employed a Burmese language phishing page. Â
A new wave of phishing sites targeting Malaysian online shoppers has been identified by mimicking legitimate e-commerce platforms that lack sophistication and offer only basic features and fake iOS download buttons.Â
The malware behind the scam has also been updated, incorporating features like screen sharing and exploiting accessibility services to steal user data.
The latest version targets 18 Malaysian banks and utilizes two URLs, one for phishing and control and another for screen sharing.
Technical Details:
eCart malware disguises itself as a shopping app but is designed to steal user data. Upon installation, it requests accessibility permission to perform automatic clicks and gestures.Â
It then communicates with remote servers to initiate screen sharing and send logs, utilizing the Janus plugin to control gestures and obfuscate strings with Paranoid to hinder analysis.
It attempts to replace the default SMS app and gain screen capture permissions where screen sharing wasn’t functional due to misconfiguration; its inclusion suggests the malware’s potential for more sophisticated attacks.
The malware campaign uses fake e-shops to trick users into logging in with stolen credentials, which then presents fake products and uses a fake FPX payment page to steal banking information from 18 Malaysian banks.
According to Cyble, the attackers have upped their game by adding screen-sharing and exploiting accessibility services, showing an effort to target a wider audience and steal more data.
They use a phishing email (T1660) containing a malicious e-shop app link (hxxps://www[.]worldshopping-global[.]com/) to gain initial access (TA0027).
Once installed, the malware registers broadcast receivers (T1624.001) to steal incoming SMS messages (T1636.004) and inject inputs (T1516) to potentially mimic user actions.
It also captures screenshots (T1513) using a Janus WebRTC plugin, and exfiltrated data, including SMS messages, is sent to a command and control server (T1646) at hxxps://superbunapp[.]com. Â
The attackers also use similar tactics with a fake trading application distributed via a different phishing website (hxxps://ecart-global[.]com).
Is Your Network Under Attack? - Read CISO’s Guide to Avoiding the Next Breach - Download Free Guide
%20(1)%20(1).webp "Token Infrastructure Platform Hacked: $44.5 Million Stolen in Cryptos"){kind=small}
.webp "Google Meet Now Allows Non-Google Account Users to Join Encrypted Calls"){kind=small}
