The InTheBox store advertises web injections on Russian-language cybercriminal forums. The injections are built to steal credentials and other sensitive data from banking, cryptocurrency wallet and e-commerce applications.
The injections are compatible with several Android banking trojan families and mimic the applications of large organizations on almost every continent. Typically, a mobile banking trojan enumerates the applications installed on the infected device and downloads from its C2 server only the web injections that correspond to those applications. When the victim launches a targeted application, the malware automatically displays an overlay that mimics the legitimate app's interface, so whatever the victim types into it is captured by the attacker.
According to Cyble's analysis, as of January 2023, InTheBox sells the following web injection packages:
- 814 Alien, ERMAC, Octopus and MetaDroid compatible web injections for $6512;
- 495 Cerberus compatible web injections for $3960;
- 585 Hydra compatible web injections for $4680.
For those who don't want to buy whole packages (which work out to $8 per injection), InTheBox also sells web injections individually for $30 each. The store also takes custom orders for individual web injections compatible with any malware family.
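The selection flow described above (bot reports installed apps, C2 returns only the matching, family-compatible injections, overlay shown on launch) is easier to reason about as code. The following is an added illustration written for this page, not InTheBox's or any trojan's real code: the catalog, package names, and the "compatible families" tagging are constructed sample data that model the per-family packages listed above, and the defender-side `apps_at_risk` triage helper is my addition.

```python
"""Constructed model of the inject-selection flow.

All package names, overlay bodies and family tags are made-up sample data;
the family names mirror those named in the article's price list.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Inject:
    target_package: str   # Android package the overlay impersonates
    families: frozenset   # trojan families this inject page is built for
    html: str             # overlay page body (placeholder text here)


# Constructed catalog: which injections exist and which families can load them.
CATALOG = [
    Inject("com.example.bankone",
           frozenset({"Alien", "ERMAC", "Octopus", "MetaDroid"}),
           "<html>bankone overlay</html>"),
    Inject("com.example.cryptowallet",
           frozenset({"Cerberus"}),
           "<html>wallet overlay</html>"),
    Inject("com.example.shop",
           frozenset({"Hydra"}),
           "<html>shop overlay</html>"),
    # The same target can exist as a separate build for another family.
    Inject("com.example.bankone",
           frozenset({"Hydra"}),
           "<html>bankone overlay (hydra build)</html>"),
]


def c2_select_injects(family, installed_packages):
    """C2 side: given the bot's family and the package list it reported,
    return only the injections that target an installed app and are built
    for that family, keyed by package so the bot can look them up on launch.
    Apps with no matching injection are simply absent from the result."""
    installed = set(installed_packages)
    return {
        inj.target_package: inj.html
        for inj in CATALOG
        if inj.target_package in installed and family in inj.families
    }


def bot_on_app_launch(received_injects, launched_package):
    """Bot side: on a foreground-app change, return the overlay to display,
    or None when the launched app is not one of the received targets."""
    return received_injects.get(launched_package)


def apps_at_risk(installed_packages):
    """Defender-side triage (hypothetical helper): which installed apps have
    an injection in the catalog for any family at all. Useful when you hold
    a dumped catalog and a device's package list but not the bot's family."""
    targeted = {inj.target_package for inj in CATALOG}
    return sorted(p for p in set(installed_packages) if p in targeted)


if __name__ == "__main__":
    # Constructed sample device: two targeted apps plus one unrelated app.
    device = ["com.example.bankone", "com.example.shop", "com.other.app"]
    received = c2_select_injects("Alien", device)
    print("injects delivered to an Alien bot:", sorted(received))
    print("overlay on bankone launch:", bot_on_app_launch(received, "com.example.bankone"))
    print("overlay on unrelated app:", bot_on_app_launch(received, "com.other.app"))
    print("apps at risk on this device:", apps_at_risk(device))
```

The point the model makes visible is that the bot never needs the whole catalog: it only fetches overlays for apps actually present, so the same device will receive a different set depending on which family infected it, and a package-list enumeration followed by a targeted download from the C2 is the behaviour a network or device-side detection should key on.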
InTheBox has been selling web injections for Android since February 2020, continually adding new pages that target more banking and financial apps. Cyble experts confirmed that InTheBox web injections were used by the "Coper" and "Alien" trojans in 2021 and 2022, respectively. The availability of web injections in such numbers and at such low prices lets cybercriminals focus on other parts of their campaigns, such as developing the malware itself and expanding attacks into new regions.
Resecurity, whose researchers first reported on this darknet market, describes InTheBox as the largest and most significant supplier behind banking theft and mobile device fraud. Most of the mobile malware supported by InTheBox targets Android devices.