Tuesday , March 18 2025
CYFIRMA

FinStealer Malware Targets Indian Bank’s Mobile Users, Stealing Credentials

CYFIRMA analysis reveals a sophisticated malware campaign that exploits a major Indian bank’s brand through fake mobile apps. These apps, distributed via phishing links and social engineering, closely resemble the real bank apps, deceiving users into sharing their credentials and personal information. The malware uses advanced techniques, such as encrypted communication with C2 servers and altering its behavior, allowing it to evade detection by security systems.

The attackers aim to profit by stealing credentials, making unauthorized transactions, and selling stolen banking and personal data on darknet forums. This campaign may also help them set up larger fraud operations, allowing for money laundering, identity theft, and further exploitation of compromised accounts.

Hackers Exploit ChatGPT with CVE-2024-27564

Attackers are actively targeting OpenAI, exploiting CVE-2024-27564, a Server-Side Request Forgery (SSRF) vulnerability in OpenAI’s ChatGPT infrastructure. Veriti’s latest research...
Read More
Hackers Exploit ChatGPT with CVE-2024-27564

(CVE-2024-540385)
CVSS 10 Alert! HPE Cray Vulnerability Authentication Bypass Threat

A critical vulnerability, CVE-2024-540385, has been found in HPE Cray XD670 servers using the AMI BMC Redfish API, allowing remote...
Read More
(CVE-2024-540385)  CVSS 10 Alert! HPE Cray Vulnerability Authentication Bypass Threat

CVE-2025-24813
Apache Tomcat Flaw Exploited In The Wild

CVE-2025-24813, a critical remote code execution vulnerability, is actively exploited, enabling attackers to control vulnerable Apache Tomcat servers with a...
Read More
CVE-2025-24813  Apache Tomcat Flaw Exploited In The Wild

B1nary_Band1ts secure first for “MIST CyberTron 2025”

MIST Cyber Security Club hosted an exciting MIST CyberTron 2025, featuring a CTF competition, hacking sessions, live demonstrations, and real-world...
Read More
B1nary_Band1ts secure first for “MIST CyberTron 2025”

CVE-2025-24016
Critical RCE vulnerability affects Wazuh

Cybersecurity researchers unveil a critical remote code execution vulnerability (CVE-2025-24016) in Wazuh, a popular open-source SIEM platform. The vulnerability has...
Read More
CVE-2025-24016  Critical RCE vulnerability affects Wazuh

AWS SNS misused for Data Exfiltration and Phishing

A recent report from Elastic reveals that threat actors misuse Amazon Web Services (AWS) Simple Notification Service (SNS) for malicious...
Read More
AWS SNS misused for Data Exfiltration and Phishing

Researcher found non protected database form ESHYFT containig 86000 records

Cybersecurity researcher Jeremiah Fowler found and reported a non-password-protected database with over 86,000 records belonging to ESHYFT, a New Jersey-based...
Read More
Researcher found non protected database form ESHYFT containig 86000 records

CVE-2024-55591 and CVE-2025-24472
New SuperBlack ransomware exploits Fortinet flaws

Forescout Research- Vedere Labs identified a series of intrusion based on two Fortinet vulnerabilities which began with the exploitation of...
Read More
CVE-2024-55591 and CVE-2025-24472  New SuperBlack ransomware exploits Fortinet flaws

CVE-2025-25291 & CVE-2025-25292
Attention! GitLab Patched Critical Authentication Bypass Flaws

GitLab has released versions 17.9.2, 17.8.5, and 17.7.7 for its Community and Enterprise Editions to fix security vulnerabilities, including a...
Read More
CVE-2025-25291 & CVE-2025-25292  Attention! GitLab Patched Critical Authentication Bypass Flaws

CVE-2025-20138
Cisco released High Security Alert for IOS XR Software

Cisco has issued a security advisory for a high-severity vulnerability in its IOS XR Software, labeled CVE-2025-20138, with a CVSS...
Read More
CVE-2025-20138  Cisco released High Security Alert for IOS XR Software

FinStealer malware employs advanced evasion methods to evade security systems. It uses encrypted communication with Command-and-Control servers, executes dynamic payloads, and alters its behavior during runtime. It also utilizes XOR encryption and Telegram bots for added complexity and data theft.

Attackers exploit vulnerabilities like SQL injection (CVE-2011-2688) to compromise command and control servers, gaining unauthorized access to critical information such as server passwords.

Once installed on a device, the malware gains permission to access SMS messages, allowing it to intercept one-time passwords (OTPs) and other sensitive information. This enables attackers to bypass multi-factor authentication (MFA), leading to unauthorized transactions and identity theft. Its undetected nature highlights its sophistication, posing serious risks to individual users and financial institutions.

Cyfirma researchers found that malware is linked to a fake website that hosts counterfeit versions of a bank’s app. This site spreads malware through phishing campaigns disguised as ads or download prompts. The campaign highlights vulnerabilities in mobile banking systems, especially in areas with high use of digital financial services.

The malware uses a Telegram bot to send sensitive data to its command and control server including:

Banking credentials
Credit card details
Personal identification information

Security researchers also discovered a critical vulnerability (CVE-2011-2688) in the C2 server, allowing SQL injection attacks through the mysql/mysql-auth.pl script in the mod_authnz_external module.

CYFIRMA recommends using advanced endpoint protection, monitoring for suspicious behavior, regularly auditing mobile apps, and blocking known malicious indicators to safeguard against threats.

India to launch new domain name for banks to combat digital fraud

 

Check Also

Wazuh

CVE-2025-24016
Critical RCE vulnerability affects Wazuh

Cybersecurity researchers unveil a critical remote code execution vulnerability (CVE-2025-24016) in Wazuh, a popular open-source …

Leave a Reply

Your email address will not be published. Required fields are marked *