1.0 Introduction

MyCERT has observed cybercriminals using a malicious Android application in a campaign targeting internet users in Malaysia, specifically online shoppers and consumers. Victims are lured into clicking links that lead to fake sites impersonating “Dive Deals”, an e-commerce and voucher platform that is quite popular in neighbouring Singapore.

After choosing an item to purchase, the victim is instructed to download a malicious Android application to complete the payment process. The threat actor registered domains resembling those of the impersonated service so that the fake websites look convincing. The malicious application and websites capture and steal sensitive credit card information and banking credentials. The malicious APK can also intercept SMS messages and steal the one-time password (OTP) used to secure a transaction without the victim noticing.

2.0 Impact
Financial loss. Disclosure of credit card information and banking credentials.

3.0 Affected Products
Android mobile devices

4.0 Other related alerts, programs and advisories

References to similar campaigns are listed in the References section at the end of this advisory.

5.0 Indicators of Compromise
Table 1: List of indicators of compromise used in the campaign

Indicator                                                           Indicator type
MyDiveDeals.apk                                                     apk
bb87dbe51e22e0e8082a83d9f336b9651a396ca6f1300b54f4b7305fd2c98908    SHA256
11a8b8c759f156a658a1f09d26672767e0251a1e411419a9643e377334f1844b    SHA256

Table 2: List of indicators of compromise – IP addresses and domains

IP addresses                              Provider    Domain                 Details
172.67[.]150[.]10, 104.21[.]63[.]198      Hostinger   mydivedeals[.]shop     Distribution website
172.67[.]186[.]171, 104.21[.]64[.]157     Hostinger   mydivedeals[.]com      Distribution website
172.67[.]135[.]185, 104.21[.]7[.]41       Hostinger   e12345[.]online        C&C server
104.21[.]42[.]160, 172.67[.]163[.]135     Hostinger   gs996[.]online         C&C server
172.67[.]223[.]99, 104.21[.]70[.]119      Hostinger   ppsss[.]online         C&C server
104.21[.]40[.]16, 172.67[.]174[.]128      Hostinger   mydiveapp[.]online     C&C server

URLs:
hxxps://mydivedeals[.]shop
hxxps://mydivedeals[.]com
hxxps://www.facebook[.]com/mydivedeals/

Phone numbers:
+60109451053
+60146461482
+60102756212
+60168512782
+60109126693
+60177273489
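The indicators above are published defanged, so they cannot be pasted straight into a resolver or proxy blocklist. The following added example (not part of the advisory) refangs the Table 2 hostnames, keys them by the role the table assigns, checks a file's SHA256 against Table 1, and runs the resulting blocklist over constructed DNS-log lines; the log line format is an assumption.

```python
import hashlib
import re

# SHA256 values from Table 1 of this advisory.
APK_SHA256 = {
    "bb87dbe51e22e0e8082a83d9f336b9651a396ca6f1300b54f4b7305fd2c98908",
    "11a8b8c759f156a658a1f09d26672767e0251a1e411419a9643e377334f1844b",
}
# Defanged hostnames and their roles, copied from Table 2.
DEFANGED = [
    ("mydivedeals[.]shop", "Distribution website"),
    ("mydivedeals[.]com", "Distribution website"),
    ("e12345[.]online", "C&C server"),
    ("gs996[.]online", "C&C server"),
    ("ppsss[.]online", "C&C server"),
    ("mydiveapp[.]online", "C&C server"),
]

def refang(ioc):
    """Undo the defanging used in the tables: [.] -> . and hxxp -> http."""
    return re.sub(r"^hxxp", "http", ioc.replace("[.]", "."), flags=re.IGNORECASE)

def build_blocklist(entries):
    """Map each refanged, lower-cased hostname to the role the advisory assigns it."""
    return {refang(ioc).lower(): role for ioc, role in entries}

def classify_host(host, blocklist):
    """Role of a listed host or any subdomain of it, else None."""
    host = host.lower().rstrip(".")
    for listed, role in blocklist.items():
        if host == listed or host.endswith("." + listed):
            return role
    return None

def apk_matches(data):
    """True if the file contents hash to one of the Table 1 SHA256 values."""
    return hashlib.sha256(data).hexdigest() in APK_SHA256

def scan_dns_log(lines, blocklist):
    """Return (client, qname, role) for queries to listed hosts.
    Assumed (constructed) line format: '<timestamp> <client_ip> <qname>'."""
    hits = []
    for line in lines:
        parts = line.split()
        if len(parts) >= 3:
            role = classify_host(parts[2], blocklist)
            if role:
                hits.append((parts[1], parts[2], role))
    return hits
```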

6.0 Recommendations
The application can retrieve information from the victim’s phone, which can then be used for other malicious purposes. As a CERT, we highly recommend the following:
• Verify an application's permissions and its author or publisher before installing it.
• Avoid sideloading (installing from unofficial sources) whenever you can. If you must install Android software from a source other than the trusted marketplace, ensure that it comes from a reputable source.
• Do not click on adverts or suspicious URLs sent through SMS or messaging services.
• Malicious programs may be attached to collect users' information.
• Always run a reputable anti-virus product on your smartphone or mobile device, and keep it up to date.
• Keep the operating system and applications on your smartphone or tablet, including the browser, up to date to avoid exploitation of security holes in outdated versions.
• Do not root or 'jailbreak' your phone.
• Contact relevant authorities such as MyCERT of CyberSecurity Malaysia for any inquiries and assistance related to this threat.

In general, MyCERT advises users of these devices to keep up to date with the vendor's latest security announcements and to follow best-practice security policies when determining which updates should be applied.

For further enquiries, please get in touch with MyCERT through the following channels:

E-mail: cyber999[at]cybersecurity.my 
Phone: 1-300-88-2999 (monitored during business hours) 
Mobile: +60 19 2665850 (24x7 call incident reporting) 
Business Hours: Mon - Fri 09:00 -18:00 MYT 
Web: https://www.mycert.org.my 
Twitter: https://twitter.com/mycert 
Facebook: https://www.facebook.com/mycert.org.my

7.0 References

  1. MA-790.072020: MyCERT Alert - SMSSpy using Malaysian Law Enforcement as theme
    https://www.mycert.org.my/portal/advisory?id=MA-790.072020
  2. MA-690.122017: MyCERT Alert - Fake PDRM Malicious APK
    https://www.mycert.org.my/portal/advisory?id=MA-690.122017
  3. MA-695.012018: MyCERT Alert - Fake Bank Negara Malicious APK - New Variant
    https://www.mycert.org.my/portal/advisory?id=MA-695.012018
  4. MA-694.012018: MyCERT Alert - Fake Bank Negara Malicious APK
    https://www.mycert.org.my/portal/advisory?id=MA-694.012018
  5. https://www.virustotal.com/gui/ip-address/139.162.61.96/relations
  6. https://www.virustotal.com/gui/file/fc9d34436b4711d6f586903d07a99b089ca5aa61f931febd57abba9a7135d98d/relations
  7. https://twitter.com/esetresearch/status/1526440685460672512?s=24&t=xveoIxTaZLIdhpnzy-YSag
  8. https://www.welivesecurity.com/2022/04/06/fake-eshops-prowl-banking-credentials-android-malware/
  9. https://notes.netbytesec.com/2022/05/scam-and-malicious-apk-targeting.html
  10. MA-834.052022: MyCERT Alert - SMSSpy campaign to steal Malaysian banking user credential
    https://www.mycert.org.my/portal/advisory?id=MA-834.052022