A threat actor named InTheBox is offering, on Russian cybercrime forums, 1,894 web injects (phishing overlay windows) that steal credentials and sensitive data from banking, cryptocurrency exchange, and e-commerce apps. These overlays are compatible with various Android banking malware families and are designed to mimic apps used in dozens of countries. The availability of so many injects at low prices lets cybercriminals focus on other parts of their campaigns and expand their attacks into other regions.
When a victim launches a target app, the malware automatically loads the overlay that mimics the interface of the legitimate product. InTheBox provides up-to-date injects for hundreds of apps, as discovered by researchers at threat intelligence company Cyble.
As of January 2023, InTheBox had the following web inject packages, updated as recently as October 2022: 814 web injects compatible with Alien, Ermac, Octopus, and MetaDroid for $6,512; 495 web injects compatible with Cerberus for $3,960; and 585 web injects compatible with Hydra for $4,680. InTheBox also sells web injects individually for $30 each, allowing users to order custom injects for any malware.
Each inject includes the target app's icon as a PNG and an HTML file with JavaScript code that collects the victim's credentials and other sensitive data. In most cases, the inject also presents a second overlay asking the user to enter a credit card number, expiration date, and CVV. The JavaScript validates the entered card number with the Luhn checksum algorithm, so only well-formed numbers are accepted. Finally, the stolen data is serialized into a string and sent to a server controlled by the operator of the Android banking trojan.
InTheBox has been selling web injects for Android malware since February 2020. Cyble confirmed that InTheBox’s web injects have been used by the ‘Coper’ and the ‘Alien’ Android trojans in 2021 and September 2022, respectively, while the most recent campaign occurred in January 2023 and targeted Spanish banks.