In 2023, Account Takeover (ATO) was confirmed to be among the most harmful types of fraud for online banking customers. At Cleafy, we have seen that 90% of fraud attempts are still conducted via Account Takeover, and our forecasts expect this number to stay flat in 2024. Banks and financial institutions have always been the highest priority targets of ATO attacks, as cybercriminals aim to make immediate financial gains from their illegal activities.

An intricate and growing threat is On-Device Fraud (ODF). This fraud presents a multifaceted challenge for anti-fraud teams within the banking sector, as it involves fraudulent activities initiated directly through the victim's device. Unlike traditional methods of fraud, ODF reduces the presence of conspicuous risk indicators during browsing sessions, rendering conventional anti-fraud countermeasures largely ineffective.

This emerging threat has been made possible through the capabilities afforded by over 80% of modern Android banking trojans such as Vultur, TeaBot, and SpyNote. At the core of this capability lies the concept of remote control, which enables Threat Actors (TAs) to execute ODF scenarios. Each malware family executing remote control functionality may employ distinct implementation flavours, reflecting the varying skills and knowledge of the developers behind them.

Readers must understand that the challenge posed by ODF extends far beyond a single banking trojan like Copybara, the focus of this report. Our findings underscore the broader scope of this threat landscape, as we have traced the entire fraud chain orchestrated by responsible TAs. This investigation will give readers the full spectrum of their tactics, techniques, and procedures (TTPs), from the initial Social Engineering components (such as phishing and vishing) used to initiate the attack to the distribution of Copybara for device infection and the meticulous management of these attack phases to ensure the success of their campaigns.

• From the end of 2023 to the first weeks of 2024, we intercepted an ongoing banking fraud campaign against UK, Spain, and Italy.
• Threat Actors (TAs) behind this campaign adopted a hybrid approach, including Social Engineering techniques (smishing/vishing) and malware components to perform unauthorised banking transfers (via Instant Payments) to a well-organized network of bank accounts (money mule).
• TAs have been caught using a structured way of managing all the ongoing phishing campaigns via a centralised web panel known as “Mr. Robots”. With this panel, TA can enable and manage multiple phishing campaigns (against different financial institutions) based on their needs.
• Suppose a victim appears using an Android device. In this case, TAs will try to install an Android banking trojan known as Copybara with the help of Social Engineering.
• Copybara presents all the functionalities for performing On-Device Fraud (ODF), and initiating unauthorised money transfers directly on the victim's device. With the ODF approach, TAs have significantly enhanced their ability to process fraudulent transactions, rendering conventional anti-fraud countermeasures largely ineffective.

TTPs

The following table represents a summary of the TTP behind Copybara campaigns:

The following diagram provides a high-level overview of the technical components involved in TA fraud operations.

On top of this fraud operation architecture, TAs exploit Social Engineering techniques for distributing the Copybara banking trojan, which typically involves smishing and vishing techniques, leveraging native-speaker operators. In particular, several samples reveal TAs distributing Copybara through seemingly legitimate apps, utilizing logos of well-known banks and names that sound authentic, such as “Caixa Sign Nueva”, “BBVA Codigo”, “Sabadell Codigo”.

According to data retrieved during our investigation:

• TAs leverage a dedicated web panel to manage all the active phishing websites and adequately distribute the malware to potential victims. According to the logo on the login page, this panel has been named “Mr. Robot”.  
• TAs abuse the Reverse Proxy service offered by Cloudflare to mask the actual location of their servers and guarantee more protection against DDOS attacks and takedown requests.
• Not all active domains present a phishing kit for a specific banking institution; some appear to be deployed only for serving Copybara samples (.apk). It is possible that TAs already have valid data on potential victims (e.g., personal details, phone numbers, login information) coming from previous phishing campaigns.

TAs are interested in 3 countries: Spain, Italy, and the UK.

‍

Phishing has evolved into a sophisticated art form in cybercrime, leveraging deceptive tactics to trick individuals into revealing sensitive information. Nowadays, many successful phishing campaigns leverage tools called "phishing kits." These kits are pre-packaged sets of malicious tools and resources meticulously crafted by TAs to streamline and amplify their fraudulent activities.

A phishing kit is a collection of malicious assets and scripts designed to replicate legitimate websites, often mimicking the login pages of banks, financial institutions, or other trusted platforms. These kits are constructed to deceive unsuspecting victims into divulging confidential information such as usernames, passwords, and phone numbers.
The deployment of phishing kits serves several purposes for cybercriminals engaged in fraudulent activities, especially those centered around banking fraud:

• Ease of Use: Phishing kits simplify setting up malicious websites, allowing even less technically skilled TAs to conduct sophisticated cyber attacks.
• Speed and Efficiency: With pre-configured templates and scripts, TAs can rapidly deploy phishing campaigns, maximising the volume of potential victims.
• Concealment: By mimicking legitimate sites, phishing kits help TAs avoid detection by blending into the vast sea of genuine online traffic.
• Customisation: TAs can tailor phishing kits to target specific organisations or demographics, enhancing the chances of success in their fraudulent endeavours.

Our investigations unveiled an additional C2 framework dubbed "Mr. Robot". The name “Mr. Robot” has been taken according to the logo present on the login page of the web panel.

What sets this C2 framework apart is its capability to handle multiple phishing campaigns concurrently. It allows TAs to orchestrate tailored attacks on distinct financial institutions simultaneously. Each phishing campaign, equipped with unique phishing kits, is designed to mirror the targeted bank's online interface.

According to the source code of Mr. Robot C2, the authors decided to leave a standard database, such as MySQL, to store only some of the fraudulent data collected during their campaigns. Instead, their approach was based on the usage of SleekDB, a NoSQL database implementation using pure PHP that stores data in plain JSON files, as shown in the following Figure.

The consequences of this approach are crucial since all the data appears to be saved in plain text, in JSON format, and inside the web server. Data can be easily accessible without authentication if the path is known.

Despite these weaknesses encountered during our analysis, TAs deployed several layers of countermeasures against web crawling and scraping techniques, widely typically adopted by cybersecurity firms and vendors. The following paragraph will explore how TAs try to evade detection and domain takedown actions.

Nowadays, multiple Threat Intelligence vendors have embraced proactive measures to identify phishing websites, newly registered and, in specific contexts, soon-to-be activated. On the other hand, TAs put effort into developing evasion techniques to avoid a quick detection of a newly registered phishing domain.

Typically, modern phishing kits adopt multiple anti-detection techniques, including:

• Geofencing checks
• Device fingerprinting
• Blackisting specific ASN and/or network ranges
• Abuse of legitimate services, such as CDN and reverse-proxy, for masking the actual location of the web server
• Dynamic content generation

The following Figure summarises all the primary anti-evasion techniques adopted, starting when a potential new victim follows a malicious link set up by TAs.

Since the primary focus of this fraudulent campaign is the clientele of retail banking institutions from specific geographical areas (Italy, Spain, and the UK), filtering out all the connections except the ones coming from a mobile device is a pretty standard technique adopted by various TAs. Most individuals nowadays engage in home banking activities through their mobile devices, making them lucrative targets for TAs.

If all the checks are successfully passed, the originating connection will be considered “a potential new victim”, so the phishing login page can be shown accordingly.

As shown, TAs adopted a dynamic routine to extract all the necessary files for their phishing attempt at run-time. With this method, each victim will be redirected to a specific subfolder and randomly named where the phishing kit has been extracted.

‍

The following is an example of an active phishing kit leveraged by this TA, which is composed of three simple steps:

• Exfiltrate the valid credentials and the associated phone number;
• Exfiltrate a valid name and an estimation of the bank account’s balance;
• Display a fake message to the victims after data exfiltration.

All the collected data are usually sent back to a dedicated Telegram group, if set, and stored on their C2 panel. From here, operators can easily manage all victims' data inserted in the current phishing page.

The next step is a vishing approach to the victims. Fraud operators leverage native speakers to get a direct connection via phone, typically spoofing a valid number of the targeted banking institution and introducing them as an anti-fraud / security team.

According to their panel, a dropdown menu has been created to help fraud operators keep track of the state of each victim:

• “Da chiamare”: not called yet [yellow box]
• “Fatto”: already called [green box]
• “Elimina”: cancel record [red box]

Introduction

In this section, we provide a tour of the main features of the Copybara botnet, starting from the functionalities offered through the associated C2 (Command and Control) web panel.

In botnet operations, C2 web panels provide attackers with a centralised interface to manage and control compromised devices. These panels are pivotal components in the infrastructure of botnets, offering attackers a range of functionalities to execute and oversee their malicious activities.

Furthermore, web panels facilitate data collection from compromised devices, including system information and credentials, enabling analysis and exploitation for further malicious activities. Lastly, botnet controllers leverage web control panels to monitor the health and performance of their botnet, tracking the number of active bots and their geographic distribution.

Understanding the capabilities and functionalities of web control panels is crucial for comprehending the threat landscape posed by botnet operations. Analysts can gain deeper insights into attacker tactics, techniques, and procedures (TTPs) by dissecting these components, enhancing their ability to effectively mitigate and counteract such threats.

Overview of C2 panel and functionalities

Copybara leverages a C2 panel named “JOKER RAT”. Starting from its dashboard, the panel displays the list of all the infected devices and their geographical distribution over a map, with the feature called “Live MAP”, as shown in the following Figure 11.

This dashboard can also retrieve basic information about the infected devices, such as the device name, OS version, and IP address. With this data, TAs can easily “triage” the infected devices by country or determine which victim is online/offline. A “notification mechanism” is also triggered whenever a new device is infected.

As shown in the following Figure 12, for each infected device inside the panel, TAs can perform different actions, in particular:

• Silent Connect: This is the main feature of the panel that allows the TAs to control remotely and interact in real-time with the victim's infected device (VNC).
• Inject: injecting the overlay page to steal the banking/crypto credentials (Overlay attacks).
• Notes: This feature is usually used by TAs to note down some information about the victim to be defrauded.
• Delete: delete the infected device from the dashboard.

When the “Silent Connect” button is clicked, a new page is opened, and TAs can collect additional data and perform fraudulent actions on the infected device.

In the Android banking trojan context, this feature is also known as VNC, which enables the attacker to view and manipulate the screen of the compromised device remotely. This level of access allows them to carry out various fraudulent activities, including on-device frauds (ODF).

Real-time keylogging

Once the user accepts the Accessibility Service popup during the installation phases, the malware can record every activity done by the user on the compromised device. The attacker can observe them in real time on the C2 panel. In particular, the TAs can observe:

• The list of applications installed on the infected device;
• Which application uses the user and every action performed on them;
• Any text is written by the user.

Overlay attacks and SMS sniffer

Another way to steal the banking/crypto credentials is through the well-known overlay attack. In Figure 12, in addition to the “silent connect” button, TAs can use the “inject” button to show the overlay page to the infected device. Once TAs have received the list of the apps installed inside the victim device, they can upload the specific overlay page (composed of HTML, CSS, and Javascript code) to the “injections settings”, specifying the package name of the targeted app, as shown in Figure 16.

Furthermore, TAs can steal SMS messages using the “SMS RAT” capability, considering that some banks/crypto apps use the SMS as a 2FA method to send the OTP code during the login phase or to approve a transaction. When an attacker presses the “SMS RAT” button (1), on the infected device appears a popup or a setting page (depending on the Android version) that asks the user to change the default SMS manager app (2) with the malicious app (masqueraded behind the bank name/icon). In case of change, the TAs can receive all the SMS messages (3) and automatically hide them on the infected device.

Fake notifications

Another feature available inside the panel is the “Push Notification”, probably used to send to the infected devices fake push notifications that look like a bank notification to entice the user to open the bank's app in such a way that the malware can steal credentials. As shown in Figure 18, TAs can customise the fake push notification with a “title”, a “description”, the package name of the app, and an icon.

APK builder

TAs can access a specific section of the panel to create and customise malicious apps. As illustrated in Figure 19, TAs can select the names and package names for the app and specify the icon to be used. Based on past campaigns, Copybara TAs typically opt for names and icons resembling those of Italian and Spanish banks, often incorporating terms like “Token” and “Sicuro/Seguro”.

Within the panel, TAs can further customise the APK file by:

• Implementing a specific Accessibility service popup to appear legitimate during the installation phases
• Encrypting the APK to evade detection
• Include “web injects” files to execute overlay attacks

The emergence of On-Device Fraud (ODF) represents a significant and evolving threat within the realm of banking fraud. Our investigation into a recent Copybara operation sheds light on the intricate tactics employed by TAs to compromise user devices and perpetrate fraudulent activities directly through familiar channels. Using remote control functionality embedded within modern Android banking trojans, such as Vultur, TeaBot, and SpyNote, perpetrators have effectively minimised detection by challenging traditional anti-fraud measures.

Stakeholders within the banking and cybersecurity sectors must recognise the gravity of ODF and its implications for financial institutions and end-users. By understanding the complexities of these attacks and remaining vigilant against emerging threats, organisations can proactively mitigate risks and safeguard against potential losses. Our findings underscore the necessity for continued collaboration, innovation, and adaptation in the ongoing fight against banking fraud.

Collectively, we can work towards a more secure digital ecosystem for all through ongoing vigilance, robust defences, and informed decision-making.

‍

Appendix 1: list of IoCs

The following table will summarize the list of all the commands found on Oscorp during the technical analysis: