Saturday, October 1, 2022

DRINIK

Malware name: DRINIK 

Type: Trojan malware 

File type: .apk 

DRINIK is Android malware of the Trojan type: it pretends to be an income tax refund application and instead steals the user's banking information. DRINIK uses phishing techniques to attack users and persuade them to enter sensitive banking details.

How does DRINIK steal information? 

Spreading URLs: 

http://192.210.218[.]49/?dir=9sp

http://192.210.218[.]149/fcm/mc/tapp.php?dir=9sp

http://192.3.122[.]195/Refund/iMobile/instantTransfer.apk

  1. The user receives an SMS containing the malicious link; the message informs the victim about their income tax refund.
  2. When the user clicks the link, it asks them to enter some personal information and to install an APK file, which is actually the malware. Once the user installs it, the Trojan is on the user's Android device, and the user can tell little difference between the interface of the DRINIK app and a genuine income tax application.
  3. Once installed, the application asks for permissions such as SMS, Contacts and Call logs. If the user did not enter any information on the website, the Trojan asks for the same details again after installation before the user can proceed.
  4. The personal details requested from the user include full name, Aadhaar number, PAN, address, mobile number, date of birth and email address.
  5. The financial details requested from the user include account number, CIF number, IFS code, card number, expiry date, CVV and finally the PIN, which gives the attacker full access to the user's account.
  6. Then the malware asks the user to enter the amount to be refunded to their account. The moment the user enters the amount and hits 'transfer', it shows a fake screen telling the user about some update.

Indicators of compromise: 

  1. Hashes of the file: 

103824893e45fa2177e4a655c0c77d3b 

28ef632aeee467678b9ac2d73519b00b 

78745bddd887cb4895f06ab2369a8cce

8cc1e2baeb758b7424b6e1c81333a239 

e60e4f966ee709de1c68bfb1b96a8cf7  

00313e685c293615cf2e1f39fde7eddd 

04c3bf5dbb5a27d7364aec776c1d8b3b 

  2. C2 servers:

jsig.quicksytes[.]com 

c4.mypsx[.]net 

fcm.pointto[.]us 

rfb.serveexchange[.]com 
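As an added example (not part of the original post), the script below turns the indicators listed above into a small checker: it refangs the bracketed hosts, compares a file's MD5 against the published hashes, and scans log lines for contact with the C2 and distribution hosts. The proxy log format and the sample lines are constructed for illustration and are not real telemetry.

```python
import hashlib
import re

# MD5 hashes of the DRINIK APK samples, copied from the indicators above.
DRINIK_MD5 = {
    "103824893e45fa2177e4a655c0c77d3b",
    "28ef632aeee467678b9ac2d73519b00b",
    "78745bddd887cb4895f06ab2369a8cce",
    "8cc1e2baeb758b7424b6e1c81333a239",
    "e60e4f966ee709de1c68bfb1b96a8cf7",
    "00313e685c293615cf2e1f39fde7eddd",
    "04c3bf5dbb5a27d7364aec776c1d8b3b",
}

# C2 servers and distribution hosts from the write-up, kept defanged.
DRINIK_HOSTS_DEFANGED = [
    "jsig.quicksytes[.]com",
    "c4.mypsx[.]net",
    "fcm.pointto[.]us",
    "rfb.serveexchange[.]com",
    "192.210.218[.]49",
    "192.210.218[.]149",
    "192.3.122[.]195",
]


def refang(indicator: str) -> str:
    """Turn a defanged indicator ('example[.]com') back into its real form
    so it can be compared against log data."""
    return indicator.replace("[.]", ".")


DRINIK_HOSTS = {refang(h) for h in DRINIK_HOSTS_DEFANGED}

# Hostname or IPv4 address following 'host=' or inside a URL in the
# assumed log format used by SAMPLE_LOG below.
_HOST_RE = re.compile(r"(?:host=|https?://)([A-Za-z0-9.-]+)")


def md5_hex(data: bytes) -> str:
    """MD5 of a file's bytes as lowercase hex (the hash type in the IoC list)."""
    return hashlib.md5(data).hexdigest()


def is_known_sample(data: bytes) -> bool:
    """True if the file content hashes to one of the published DRINIK MD5s."""
    return md5_hex(data) in DRINIK_MD5


def find_c2_hits(log_lines):
    """Return (line_number, host) for every log line whose host matches a
    DRINIK C2 or distribution host. Comparison is case-insensitive, ignores a
    trailing dot, and also flags subdomains of a listed host."""
    hits = []
    for n, line in enumerate(log_lines, start=1):
        for host in _HOST_RE.findall(line):
            h = host.lower().rstrip(".")
            if h in DRINIK_HOSTS or any(h.endswith("." + k) for k in DRINIK_HOSTS):
                hits.append((n, h))
    return hits


# Constructed sample proxy log lines (assumed format, not real telemetry).
SAMPLE_LOG = [
    "2022-10-01T10:02:11Z src=10.0.0.12 host=www.incometax.gov.in status=200",
    "2022-10-01T10:05:43Z src=10.0.0.12 url=http://192.3.122.195/Refund/iMobile/instantTransfer.apk status=200",
    "2022-10-01T10:06:02Z src=10.0.0.12 host=fcm.pointto.us status=200",
    "2022-10-01T10:06:05Z src=10.0.0.12 host=JSIG.QUICKSYTES.COM. status=200",
    "2022-10-01T10:07:30Z src=10.0.0.31 host=mail.example.org status=200",
]

if __name__ == "__main__":
    for n, host in find_c2_hits(SAMPLE_LOG):
        print(f"line {n}: contact with DRINIK infrastructure {host}")
    # A constructed byte string stands in for a downloaded APK; it is not a
    # real sample, so it does not match any published hash.
    print("known sample:", is_known_sample(b"not-a-real-apk"))
```

Hash matching only catches the exact samples listed, so the host check is the more durable of the two: a repacked APK changes its MD5 but usually keeps talking to the same infrastructure.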

IP ADDRESS SCANS

192.210.218.49 and 192.3.122.195 were completely unresponsive to ping, with all ports filtered.

192.210.218.149 was responsive: the host was up and running, with port 22/tcp open.

How to avoid DRINIK malware? 

  1. Always file income tax returns using the official Government of India website: https://www.incometax.gov.in/iec/foportal
  2. Hyperlinks sent through messages should never be opened; instead, always check the official website before logging in or entering any information on an unfamiliar site.
  3. Never install an application from a link on the web; instead, search for the application on the Google Play Store or App Store to avoid installing malware.
  4. No income tax website ever asks for your PIN, so read carefully what is being asked, and if anything looks suspicious, do not continue on the website or application.
