Scams, Slaves and (Malware-as-a) Service: Tracking a Trojan to Cambodia’s Scam Centers
An Android banking trojan is being distributed globally as a Malware-as-a-Service (MaaS) from scam centers in Cambodia, utilizing forced labor to conduct social engineering campaigns. The malware features extensive surveillance capabilities, including SMS interception and biometric capture, allowing attackers to bypass KYC and OTP protections to commit direct financial fraud.
Authors: Infoblox Threat Intel, Chong Lua Dao
Source: Infoblox
Indicators of Compromise
- Domain: alafrica[.]xyz - C2 domain used by the MaaS administrator
- Domain: alperu[.]top - C2 domain used by the MaaS administrator
- Domain: vnwd[.]top - C2 domain used by the MaaS administrator
- SHA256: 4fff28eecc0ab6303e4948df77671009dda5b93ed3d1cead527b02d1317426bc - Sample of the malicious Android APK
Key Takeaways
- An Android banking trojan is being operated as a Malware-as-a-Service (MaaS) from Cambodian scam centers, notably K99 Triumph City, utilizing forced labor.
- The malware features extensive surveillance capabilities, including SMS/call interception and biometric capture (facial recognition) to bypass banking KYC and OTP protections.
- Attackers use lookalike domains and RDGAs impersonating government agencies, banks, and airlines across at least 21 countries.
- Infrastructure relies heavily on Hong Kong registrars (Dominet, Domain International Services) and Cloudflare, favoring .top, .cc, and .com TLDs.
- Recent malware variants dynamically retrieve C2 IPs at runtime to evade static analysis, indicating active development.
Affected Systems
- Android OS
- Mobile Devices
Attack Chain
Victims are initially contacted via VoIP (eyeBeam) and messaging apps (Zalo, Messenger) by scammers impersonating government officials or legitimate organizations. They are directed to lookalike domains where a base64-encoded JavaScript downloads a malicious 23MB APK. Once installed, the malware escalates permissions, displays fake KYC overlays to capture facial biometrics, and intercepts SMS OTPs. Attackers use this access to authenticate into the victim's banking app in the background and transfer funds to accounts under their control.
Detection Availability
- YARA Rules: No
- Sigma Rules: No
- Snort/Suricata Rules: No
- KQL Queries: No
- Splunk SPL Queries: No
- EQL Queries: No
- Other Detection Logic: No
The article does not provide specific detection rules (YARA, Sigma, etc.) but offers extensive network and file-based IOCs.
Detection Engineering Assessment
- EDR Visibility: Medium — Standard desktop EDR is not applicable, but Mobile Device Management (MDM) or Mobile Threat Defense (MTD) solutions can detect malicious APK installations and excessive permission requests.
- Network Visibility: High — The malware relies heavily on DNS queries to RDGAs, connections to known C2 IPs, and specific TLD patterns (.top, .cc) which are highly visible in network logs.
- Detection Difficulty: Moderate — While dynamic C2 retrieval makes static analysis of the APK harder, the infrastructure patterns, DNS anomalies, and use of specific subdomains are highly visible and trackable.
Required Log Sources
- DNS Logs
- Mobile Device Management (MDM) Logs
- Network Flow Logs
Hunting Hypotheses
| Hypothesis | Telemetry | ATT&CK Stage | FP Risk |
|---|---|---|---|
| Look for sudden spikes in DNS queries to newly registered domains using .top, .cc, or .xyz TLDs, especially those with 'go' or 'gov' suffixes. | DNS Logs | Command and Control | Medium |
| Monitor mobile devices for applications requesting excessive permissions such as SMS reading, camera access, and accessibility services simultaneously. | MDM Logs | Execution / Privilege Escalation | Low |
| Identify network traffic to subdomains like 'kef', 'ador', 'rpc', 'adm', or 'apim' hosted on .top or .xyz TLDs. | DNS Logs / Network Flow | Command and Control | Low |
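The first and third hypotheses above, together with the DNS-filtering recommendation further down, reduce to a few checks that can be run over DNS query logs. The following is an added example written for this summary, not Infoblox's code: it refangs the indicator domains listed on this page, tags each query name that matches a hypothesis (known IOC, 'go'/'gov' label suffix on a .top/.cc/.xyz domain, or a C2 panel subdomain such as 'kef' or 'rpc' on .top/.xyz), and buckets suspicious-TLD query volume per hour to surface the "sudden spike" the first hypothesis describes. The log format (`<timestamp> <client-ip> <query-name>` per line) and the sample log itself are constructed for the demo.

```python
"""DNS hunting for the patterns in the Hunting Hypotheses table.

Added example, not Infoblox's code. Assumes a simple text log format of
'<timestamp> <client-ip> <query-name>' per line; the log below is constructed.
Indicator domains are copied from this page's IOC lists and refanged."""
import re
from collections import Counter, defaultdict

SUSPICIOUS_TLDS = {"top", "cc", "xyz"}          # TLDs named in the hypotheses
C2_PANEL_TLDS = {"top", "xyz"}                  # hypothesis 3 restricts to these
C2_SUBDOMAINS = {"kef", "ador", "rpc", "adm", "apim"}
GOV_SUFFIXES = ("go", "gov")                    # label suffixes from hypothesis 1

# Defanged indicators copied from the page (C2 and lure domains).
IOC_DOMAINS_DEFANGED = [
    "alafrica[.]xyz", "alperu[.]top", "vnwd[.]top", "vsgo[.]cc", "nmxgo[.]cc",
    "orgo[.]cc", "ngovbr[.]cc", "egov[.]nbsvgo[.]cc", "safeapk[.]xyz",
]

def refang(name):
    """Turn a defanged indicator like 'vsgo[.]cc' into a matchable name."""
    return name.replace("[.]", ".").strip().lower().rstrip(".")

IOC_DOMAINS = {refang(d) for d in IOC_DOMAINS_DEFANGED}

def split_name(name):
    """Naive split into (subdomain labels, registrable label, tld).
    A last-label TLD split is enough for .top/.cc/.xyz; real deployments
    should use a public-suffix list."""
    labels = refang(name).split(".")
    if len(labels) < 2:
        return [], labels[0], ""
    return labels[:-2], labels[-2], labels[-1]

def classify(qname):
    """Return the hypothesis tags a single query name matches (may be empty)."""
    name = refang(qname)
    subs, reg, tld = split_name(name)
    tags = []
    if any(name == ioc or name.endswith("." + ioc) for ioc in IOC_DOMAINS):
        tags.append("known_ioc")
    if tld in SUSPICIOUS_TLDS:
        # Hypothesis 1: lure labels such as 'vsgo' / 'nbsvgo' ending in go/gov.
        if reg.endswith(GOV_SUFFIXES) or any(s.endswith(GOV_SUFFIXES) for s in subs):
            tags.append("gov_lookalike_tld")
        # Hypothesis 3: C2 panel subdomains, only meaningful on .top/.xyz.
        if tld in C2_PANEL_TLDS and any(s in C2_SUBDOMAINS for s in subs):
            tags.append("c2_panel_subdomain")
    return tags

LOG_RE = re.compile(r"^(\S+)\s+(\S+)\s+(\S+)$")

def parse_log(text):
    """Parse '<timestamp> <client-ip> <qname>' lines; malformed lines are skipped."""
    rows = []
    for line in text.strip().splitlines():
        m = LOG_RE.match(line.strip())
        if m:
            rows.append(m.groups())
    return rows

def hunt(text, spike_threshold=4):
    """Tag matching queries, bucket suspicious-TLD queries per hour and flag
    hours whose volume reaches spike_threshold (hypothesis 1's 'sudden spike')."""
    hits, hourly, per_client = {}, Counter(), defaultdict(set)
    for ts, client, qname in parse_log(text):
        name = refang(qname)
        if split_name(name)[2] in SUSPICIOUS_TLDS:
            hourly[ts[:13]] += 1                 # bucket key: YYYY-MM-DDTHH
        tags = classify(name)
        if tags:
            hits[name] = tags
            per_client[client].add(name)
    spikes = [h for h, n in sorted(hourly.items()) if n >= spike_threshold]
    return {"hits": hits, "hourly": dict(hourly), "spikes": spikes,
            "clients": {c: sorted(v) for c, v in per_client.items()}}

# Constructed sample log: benign lookups, then one client bursting to the
# page's C2/lure names, plus one benign .top lookup to show TLD alone is weak.
SAMPLE_LOG = """
2024-05-01T09:00:01 10.0.0.5 www.example.com
2024-05-01T09:00:02 10.0.0.5 login.microsoftonline.com
2024-05-01T09:00:03 10.0.0.7 cdn.jsdelivr.net
2024-05-01T10:14:07 10.0.0.9 vsgo.cc
2024-05-01T10:14:08 10.0.0.9 kef.alperu.top
2024-05-01T10:14:09 10.0.0.9 egov.nbsvgo.cc
2024-05-01T10:14:10 10.0.0.9 rpc.vnwd.top
2024-05-01T10:14:11 10.0.0.9 adm.alafrica.xyz
2024-05-01T10:15:00 10.0.0.12 docs.example.top
"""

if __name__ == "__main__":
    result = hunt(SAMPLE_LOG)
    for name, tags in result["hits"].items():
        print(f"{name:24} {', '.join(tags)}")
    print("hourly suspicious-TLD volume:", result["hourly"])
    print("spike hours:", result["spikes"])
```

Two design points matter for false positives, which the table rates Medium for the TLD hypothesis: the C2 subdomain check is deliberately gated on the .top/.xyz TLDs, since labels like 'rpc' or 'adm' are common on legitimate domains, and the benign `docs.example.top` lookup counts toward hourly volume but receives no tag, so a spike is only a prompt to pivot into the tagged names and the clients that queried them.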
Control Gaps
- Lack of Mobile Threat Defense (MTD) on personal devices (BYOD)
- Reliance on SMS-based OTPs which are susceptible to interception
Key Behavioral Indicators
- Base64-encoded JavaScript delivering large APK files
- Apps dynamically resolving C2 IPs at runtime
- Use of specific subdomains ('kef', 'ador', 'rpc') on .top domains for C2 panels
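The second hunting hypothesis and the "escalates permissions" step of the attack chain describe a permission profile rather than a single indicator: SMS reading, camera access and an accessibility service requested by the same app. The following added example (written for this summary, not Infoblox's code) triages a decoded AndroidManifest.xml for that combination. It assumes the manifest has already been converted from its binary form to text with a decoder such as apktool; both sample manifests below are constructed for the demo and do not come from the APK samples listed on this page.

```python
"""Triage decoded AndroidManifest.xml files for the permission profile in
hypothesis 2 of the Hunting Hypotheses table (SMS + camera + accessibility).

Added example, not Infoblox's code. Assumes a text-form manifest (e.g. decoded
with apktool); the sample manifests below are constructed for the demo."""
import xml.etree.ElementTree as ET

# Attribute names in a manifest are namespaced; ElementTree exposes them as
# '{namespace}name', so we need the Android namespace URI to read them.
ANDROID_NS = "{http://schemas.android.com/apk/res/android}"

SMS_PERMS = {"android.permission.READ_SMS", "android.permission.RECEIVE_SMS"}
CAMERA_PERMS = {"android.permission.CAMERA"}
# An accessibility service is declared as a <service> guarded by this permission.
ACCESSIBILITY_BIND = "android.permission.BIND_ACCESSIBILITY_SERVICE"

def analyze_manifest(xml_text):
    """Return the package name, requested permissions, declared accessibility
    services, per-capability flags and whether all three capabilities co-occur."""
    root = ET.fromstring(xml_text)
    perms = {e.get(ANDROID_NS + "name") for e in root.iter("uses-permission")}
    perms.discard(None)
    accessibility_services = [
        s.get(ANDROID_NS + "name")
        for s in root.iter("service")
        if s.get(ANDROID_NS + "permission") == ACCESSIBILITY_BIND
    ]
    capabilities = {
        "sms": bool(perms & SMS_PERMS),
        "camera": bool(perms & CAMERA_PERMS),
        "accessibility": bool(accessibility_services),
    }
    return {
        "package": root.get("package"),
        "permissions": sorted(perms),
        "accessibility_services": accessibility_services,
        "capabilities": capabilities,
        # All three together is the hypothesis' trigger condition; any one alone
        # is normal for messaging, camera or assistive apps respectively.
        "matches_hypothesis": all(capabilities.values()),
    }

def triage(manifests):
    """Return the package names, in input order, whose manifests match."""
    return [r["package"] for r in map(analyze_manifest, manifests)
            if r["matches_hypothesis"]]

# Constructed manifest with the suspicious combination (hypothetical package name).
SUSPICIOUS_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.constructed.kyc">
  <uses-permission android:name="android.permission.INTERNET"/>
  <uses-permission android:name="android.permission.READ_SMS"/>
  <uses-permission android:name="android.permission.RECEIVE_SMS"/>
  <uses-permission android:name="android.permission.CAMERA"/>
  <application android:label="Demo">
    <service android:name=".OverlayService"
        android:permission="android.permission.BIND_ACCESSIBILITY_SERVICE">
      <intent-filter>
        <action android:name="android.accessibilityservice.AccessibilityService"/>
      </intent-filter>
    </service>
  </application>
</manifest>"""

# Constructed benign manifest: camera only, no SMS, no accessibility service.
BENIGN_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.constructed.photos">
  <uses-permission android:name="android.permission.CAMERA"/>
  <uses-permission android:name="android.permission.INTERNET"/>
  <application android:label="Photos"/>
</manifest>"""

if __name__ == "__main__":
    for report in map(analyze_manifest, [SUSPICIOUS_MANIFEST, BENIGN_MANIFEST]):
        print(report["package"], report["capabilities"], report["matches_hypothesis"])
    print("flagged:", triage([SUSPICIOUS_MANIFEST, BENIGN_MANIFEST]))
```

Because the table rates this hypothesis Low FP risk only for the combination, the check keys on all three capabilities together; a fleet-wide run over MDM-exported manifests should therefore report the per-capability flags as well, so an analyst can see why a package was or was not flagged.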
False Positive Assessment
- Low. The specific combination of lookalike domains, malicious APKs, and known C2 infrastructure is highly indicative of this specific threat operation.
Recommendations
Immediate Mitigation
- Block known C2 IPs and malicious domains at the network perimeter.
- Implement DNS filtering for newly registered domains (NRDs) and suspicious TLDs (.top, .cc).
Infrastructure Hardening
- Deploy Mobile Device Management (MDM) solutions to restrict sideloading of APKs on corporate devices.
User Protection
- Transition from SMS-based OTPs to hardware tokens or authenticator apps for sensitive accounts to prevent interception.
Security Awareness
- Educate users on the dangers of sideloading applications outside of official app stores.
- Train employees to recognize government impersonation scams and verify requests through official channels.
MITRE ATT&CK Mapping
- T1566.002 - Phishing: Spearphishing Link
- T1204.002 - User Execution: Malicious File
- T1636.004 - Protected User Data: SMS Messages
- T1125 - Video Capture
- T1056.002 - Input Capture: GUI Input Capture
- T1406 - Obfuscated Files or Information
Additional IOCs
- Domains:
  - vsgo[.]cc - Targeted lure domain impersonating Philippines Social Security System
  - nmxgo[.]cc - Targeted lure domain impersonating South African Police Service
  - orgo[.]cc - Targeted lure domain impersonating Indonesian State-Owned Pension Fund
  - idphil[.]net - Targeted lure domain impersonating Philippines Department of Information and Communications Technology
  - immigration-kr[.]net - Targeted lure domain impersonating South Korean Immigration Bureau
  - openbank-es[.]com - Targeted lure domain impersonating Openbank Spain
  - googleplay[.]djppajakgoid[.]com - Targeted lure domain impersonating Indonesian Directorate General of Taxes
  - cedula-registraduria-gov[.]org - Targeted lure domain impersonating Colombian National Civil Registry
  - dkhth[.]com - Targeted lure domain used to download malicious APK
  - ngovbr[.]cc - Targeted lure domain used to download malicious APK
  - avianca[.]sxjgo[.]cc - Targeted lure domain used to download malicious APK
  - rycnair[.]com - Targeted lure domain used to download malicious APK
  - safeapk[.]xyz - MaaS administrator custom APK management platform
  - lx-yindu[.]top - Domain used for phishing/pig butchering impersonating Supreme Court of India
  - orbiixtrade[.]com - Domain used for phishing/pig butchering impersonating Orbix crypto trading platform
  - sss[.]oiago[.]cc - Lure domain distributed via Facebook Messenger
  - egov[.]nbsvgo[.]cc - Lure domain impersonating Philippine government, later repurposed for Moroccan bank
  - dvc-chinhphu[.]com - Lure domain observed in scam center operator chats
  - dvc-mobi[.]com - Lure domain observed in scam center operator chats
  - dvc-mobile[.]net - Lure domain observed in scam center operator chats
  - www[.]dvc-etax[.]com - Lure domain observed in scam center operator chats
  - dvc-dientu[.]com - Lure domain observed in scam center operator chats
  - dvc-chinhpu[.]com - Lure domain observed in scam center operator chats
  - vietchinhphuvn[.]com - Lure domain observed in scam center operator chats
  - gov-idverify[.]com - Lure domain referenced in SMS phishing lures
- File Hashes:
  - 39ea88f852b25d3c55d605464a3440bd250a577e3e21f52d1eaf94d15aad5b82 (SHA256) - Sample of the malicious Android APK
  - 4338ab77d05aeacd7eac5acbe9eed5568778c8e3e9499562816805b54b4d1a6a (SHA256) - Sample of the malicious Android APK