2022-11-06

Mumbai: A potent malware – Drinik – that targeted Indian taxpayers in 2021 through a fake Income Tax (I-T) department website has reportedly returned, this time with advanced capabilities. The new variant has raised serious concerns because it loads the genuine I-T website while, at the same time, recording every activity on the compromised device, including screen activity and keystrokes.

In September 2021, the Indian Computer Emergency Response Team (CERT-In) – the country’s apex agency for cybersecurity – issued an alert for the Drinik malware, which was being distributed through a ‘smishing’ campaign – a phishing campaign via SMS. Many people across the country had received text messages offering refunds on the income tax that they had paid, purportedly from the I-T Department.

However, in October 2022, researchers at Cyble – a global threat intelligence service provider – spotted a new variant of Drinik. Accordingly, a team from Cyble Research Intelligence and Labs (CRIL) started analysing the variant and its activities on the internet.

“The scam is massive and actively targeting Indian taxpayers via smishing. The malware has returned with advanced capabilities, such as screen recording, OTP SMS stealing, device biometric (recording as well as a PIN), saved card details and keylogging,” said Dhanalakshmi PK, Senior Director, Malware and Intelligence Research.

She said that these techniques are used by malware to steal the credentials of Indian banking applications without the victim’s knowledge and the attacker can harvest these credentials to perform fraudulent transactions, which could lead to a virtual bank account takeover.

How it works

The latest version of Drinik is also distributed via SMS, but with a crucial difference: opening the link in the message takes the victim to the actual I-T department website. As a result, no alarms are tripped in the device’s anti-virus mechanism.

However, at the same time, Drinik also throws up a dialog box seeking certain access permissions from the user. Because the user believes these are necessary for the ‘income tax refund’, they end up granting the permissions. Once they are granted, Drinik activates its screen recording and keylogging features.

Hence, everything that appears on the target device’s screen is recorded and every key pressed by the user is logged, all of which is sent to the C2 server – the server from which the malware receives its commands and to which it sends all stolen data after gaining access to a device. At the same time, Drinik also slips into the call screening function of the hacked phone and blocks any incoming calls that the user may be receiving for verification purposes.

After the first log-in, Drinik redirects the victim to the fake version of the site, where additional instructions lure the victim into entering their I-T account credentials, net banking login details, credit or debit card details and other sensitive data such as PAN and Aadhaar numbers.
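The capability set described above (OTP SMS interception, accessibility-based keylogging, call screening, and an overlay dialog used to coax permissions) is unusual for a legitimate app to request all at once. The script below is an added illustration for defenders and is not code from the article or from Cyble’s analysis: it parses a package’s AndroidManifest.xml, maps the standard Android permission and service-binding identifiers to the capabilities the report names, and returns a triage verdict. The mapping from identifiers to capability names, the scoring thresholds, and both sample manifests are this example’s own assumptions, not a published detection rule.

```python
"""Permission-combination triage for sideloaded Android packages.

Added example (not from the article or from Cyble). Parses the
<uses-permission> entries and <service android:permission=...> bindings of
an AndroidManifest.xml and flags the combination of capabilities the
Drinik report describes. The capability map and thresholds are assumptions.
"""
from __future__ import annotations

import xml.etree.ElementTree as ET
from dataclasses import dataclass, field

ANDROID_NS = "http://schemas.android.com/apk/res/android"
ATTR_NAME = f"{{{ANDROID_NS}}}name"
ATTR_PERMISSION = f"{{{ANDROID_NS}}}permission"

# Real Android identifiers; grouping them under the article's capability
# names is this example's assumption. Note that screen recording through
# MediaProjection needs no manifest permission (only a runtime consent
# dialog), so the overlay permission used to host such dialogs is the
# static marker checked here.
CAPABILITY_MARKERS: dict[str, set[str]] = {
    "otp_sms_theft": {
        "android.permission.RECEIVE_SMS",
        "android.permission.READ_SMS",
    },
    "keylogging_via_accessibility": {
        "android.permission.BIND_ACCESSIBILITY_SERVICE",
    },
    "call_screening": {
        "android.permission.BIND_SCREENING_SERVICE",
    },
    "overlay_or_screen_capture": {
        "android.permission.SYSTEM_ALERT_WINDOW",
    },
}


@dataclass
class ManifestSummary:
    package: str
    uses_permissions: set[str] = field(default_factory=set)
    service_permissions: set[str] = field(default_factory=set)


def parse_manifest(xml_text: str) -> ManifestSummary:
    """Collect requested permissions and service binding permissions."""
    root = ET.fromstring(xml_text)
    summary = ManifestSummary(package=root.get("package", ""))
    for el in root.iter("uses-permission"):
        name = el.get(ATTR_NAME)
        if name:
            summary.uses_permissions.add(name)
    for el in root.iter("service"):
        perm = el.get(ATTR_PERMISSION)
        if perm:
            summary.service_permissions.add(perm)
    return summary


def matched_capabilities(summary: ManifestSummary) -> set[str]:
    """Capabilities whose marker identifiers appear anywhere in the manifest."""
    declared = summary.uses_permissions | summary.service_permissions
    return {cap for cap, ids in CAPABILITY_MARKERS.items() if declared & ids}


def verdict(caps: set[str]) -> str:
    """Assumed thresholds: SMS access plus an accessibility service, or three
    or more of the listed capabilities, is 'high'; any single hit is 'review'."""
    if {"otp_sms_theft", "keylogging_via_accessibility"} <= caps or len(caps) >= 3:
        return "high"
    return "review" if caps else "none"


def triage(summary: ManifestSummary) -> dict:
    caps = matched_capabilities(summary)
    return {"package": summary.package,
            "capabilities": sorted(caps),
            "verdict": verdict(caps)}


# Constructed sample manifests (package names are placeholders).
SUSPICIOUS_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
          package="com.example.taxrefund">
  <uses-permission android:name="android.permission.RECEIVE_SMS"/>
  <uses-permission android:name="android.permission.READ_SMS"/>
  <uses-permission android:name="android.permission.SYSTEM_ALERT_WINDOW"/>
  <application>
    <service android:name=".A11y"
             android:permission="android.permission.BIND_ACCESSIBILITY_SERVICE"/>
    <service android:name=".Screener"
             android:permission="android.permission.BIND_SCREENING_SERVICE"/>
  </application>
</manifest>"""

MESSENGER_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
          package="com.example.messenger">
  <uses-permission android:name="android.permission.SEND_SMS"/>
  <uses-permission android:name="android.permission.RECEIVE_SMS"/>
  <uses-permission android:name="android.permission.READ_SMS"/>
  <application/>
</manifest>"""

if __name__ == "__main__":
    for text in (SUSPICIOUS_MANIFEST, MESSENGER_MANIFEST):
        print(triage(parse_manifest(text)))
```

A plain SMS client legitimately asks for SMS permissions and lands in "review"; it is the co-occurrence with an accessibility service binding and a call screening service that moves a package to "high", which is the pattern worth an analyst’s time rather than any one permission on its own.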

CRIL has further found that in the latest version of the malware, the Threat Actor (TA) only targets victims with legitimate income tax site accounts, indicating that the TA has access to data of Indian income tax account holders.

CRIL is still investigating the TA behind the campaign.