[Online] Warning — new security alert A-280791

To the attention of ONLINE S.A.S,

Telefónica España manages the fraudulent actions against CaixaBank, Laboral Kutxa and all issues related to security incidents against this company.

We have detected a BankBot Anubis malware incident against CaixaBank, Laboral Kutxa, on a website hosted by ONLINE S.A.S, from the following URL(s):

IP: 62.210.140.227, related to your network.

Like most Android banking trojans, BankBot Anubis monitors for a targeted banking application to be launched and then overlays the legitimate app with a phishing screen to steal the victim’s credentials. It then uses its SMS theft capabilities to intercept any subsequent security codes sent from the bank. This malware has many other functionalities, including remote access functions, keylogging, call forwarding, lock screen, etc.

This malware uses the URLs reported in a similar way to a Command & Control (C&C) server, to download updates to its configuration.

— MD5(s) for this malware is/are: 0a932d4484bea1a7a6eebaac19a32652
— Evidence: https://www.virustotal.com/gui/file/ffc87d2e61774df732e9979b21965b952171fe262684329fe81a1f1f67b26371/detection

This fraudulent content represents a misuse of the intellectual property of CaixaBank, Laboral Kutxa, and it is being used to obtain personal information of our client’s customers, get unauthorized access into their bank accounts, use their credit cards, etc.

You can find more information about the operation of the BankBot Anubis malware in the following in-depth analyses, in which you can verify that the malicious content reported exactly matches this malware behaviour:
hxxps://info.phishlabs.com/blog/new-variant-bankbot-banking-trojan-aubis
hxxps://securityintelligence.com/anubis-strikes-again-mobile-malware-continues-to-plague-users-in-official-app-stores/

We need your collaboration to stop this fraud by removing the malicious file(s). If you need more information regarding this incident, please contact our SOC 24/7 at +34 900 102 230 (option 9) or by replying to this email.

Thank you very much for your attention. Looking forward to your reply.

Regards,

————————————————————
CyberThreats — Anti-Fraud Service
Telefónica España

Phone: +34 900102230 (option 9)
Email: phishing@telefonica.com
servicio.antifraude@telefonica.com
————————————————————