MoqHao Malware

MoqHao Malware Description

A smishing campaign targeting South Korean Android users is delivering a new banking Trojan named MoqHao Malware. The lure SMS messages contain shortened URLs that lead to a fake Chrome Android app. Before the app is offered, however, JavaScript checks the user agent of the browser accessing the link. Android devices are presented with a fake alert for a new Chrome update, which is in fact the weaponized application, while any other type of device is redirected to the security page of Naver, a popular South Korean online platform.

When the downloaded APK is executed, it asks for broad permissions on the device, such as the ability to directly call phone numbers and to read contacts and text messages. Furthermore, MoqHao attempts to establish a persistence mechanism by repeatedly asking the user for device administrator privileges. When installed, the Trojan briefly displays a fake icon on the home screen that is nearly identical to Google Chrome's logo before hiding it.
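The install-time traits described above can be checked during APK triage. The following is an added example, not code from the original description or from any vendor tool: it inspects a decoded AndroidManifest.xml for the call, contacts and SMS permissions, a device administrator receiver, and a Chrome label on a package other than com.android.chrome. It assumes the manifest has already been decoded to text XML with the label resolved to a literal string; the sample manifest, its package name and its class name are constructed.

```python
import xml.etree.ElementTree as ET

ANDROID = "{http://schemas.android.com/apk/res/android}"
# Permissions behind the abilities the description lists: calling phone
# numbers, reading contacts, reading text messages.
WATCHED = {"android.permission.CALL_PHONE": "place calls",
           "android.permission.READ_CONTACTS": "read contacts",
           "android.permission.READ_SMS": "read SMS"}
GENUINE_CHROME = "com.android.chrome"

def triage_manifest(xml_text):
    """Return findings for a decoded AndroidManifest.xml (label already resolved)."""
    root = ET.fromstring(xml_text)
    findings = []
    requested = {p.get(ANDROID + "name") for p in root.iter("uses-permission")}
    hits = sorted(WATCHED[p] for p in requested if p in WATCHED)
    if len(hits) == len(WATCHED):  # flag only the full combination
        findings.append("requests " + ", ".join(hits))
    # A device-admin component is a receiver guarded by BIND_DEVICE_ADMIN.
    for r in root.iter("receiver"):
        if r.get(ANDROID + "permission") == "android.permission.BIND_DEVICE_ADMIN":
            findings.append("device admin receiver " + r.get(ANDROID + "name", "?"))
    app = root.find("application")
    label = app.get(ANDROID + "label", "") if app is not None else ""
    if "chrome" in label.lower() and root.get("package") != GENUINE_CHROME:
        findings.append("label %r on package %s" % (label, root.get("package")))
    return findings

# Constructed sample manifest; the package and class names are made up.
SAMPLE = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.updater">
  <uses-permission android:name="android.permission.CALL_PHONE"/>
  <uses-permission android:name="android.permission.READ_CONTACTS"/>
  <uses-permission android:name="android.permission.READ_SMS"/>
  <application android:label="Chrome">
    <receiver android:name=".AdminReceiver"
        android:permission="android.permission.BIND_DEVICE_ADMIN"/>
  </application>
</manifest>"""

if __name__ == "__main__":
    for finding in triage_manifest(SAMPLE):
        print("[!]", finding)
```

Each finding on its own is common in legitimate apps; the combination, together with a Chrome label on a non-Chrome package, is what makes a sample worth a closer look.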

A Threatening Functionality

MoqHao is capable of executing a broad set of harmful activities on the compromised device. The malware can access the user's contacts and begin sending phishing SMS messages to further proliferate itself. It also gathers sensitive information that will be exfiltrated to the Command-and-Control (C2, C&C) server of the operation. MoqHao can also fetch and download additional Android apps from its server as well as receive remote commands. 

The attack campaign utilizes a two-server structure. MoqHao connects to the first-stage server and then dynamically retrieves the IP address of the second-stage server from the user profile page of Baidu, the biggest search engine in China. During the first communication with the second-stage server, MoqHao sends a 'hello' message that contains various information about the infected device: UUID, device ID, product name, build ID string, Android versions, SIM status, phone number, etc. Afterward, at set intervals, the malware sends additional details such as network operator, network type, MAC address, battery level, and more.

Fake Banking Applications

The main goal of MoqHao is to steal the user's banking credentials. It scans the compromised device for apps belonging to several major South Korean banks. If such apps are discovered, the Trojan downloads a fake or Trojanized version from its C2 server. It then presents the user with a fake alert stating that the targeted app needs to be updated to a newer version. If the user falls for the trick, the legitimate app is deleted and the weaponized version is installed. The apps targeted by MoqHao include:

wooribank.pib.smart

kbstar.kbbank

ibk.neobanking

sc.danb.scbankapp

shinhan.sbanking

hanabank.ebk.channel.android.hananbank

smart

epost.psf.sdsi

kftc.kjbsmb

smg.spbs

Several of the threatening capabilities exhibited by the MoqHao Android banking Trojan appear to still be under development. Indeed, several test versions with varying degrees of sophistication have been cataloged by infosec researchers.