Sophisticated Malware Campaign Targets Indonesian Pensioners by Impersonating TASPEN

A sophisticated cyberattack has recently emerged, targeting Indonesia’s senior citizens by exploiting their trust in the nation’s pension fund system. This malicious campaign impersonates PT Dana Tabungan dan Asuransi Pegawai Negeri (TASPEN), the state-owned pension fund responsible for managing over $15.9 billion in assets for millions of Indonesian civil servants and retirees.

This attack signifies a concerning evolution in cybercrime tactics, as it leverages institutional trust to execute large-scale financial fraud against elderly citizens who are increasingly encouraged to use digital platforms for managing their pensions.

Phishing Website and Malware Deployment

The attackers built a carefully designed phishing website at taspen[.]ahngo[.]cc. The site mimics an official mobile application download page, complete with TASPEN’s branding and the Indonesian slogan Aplikasi Andal, semudah bersama TASPEN (A reliable app, easy with TASPEN). The TASPEN name appears only as a subdomain of an unrelated domain, ahngo[.]cc, which is the detail an attentive visitor can check.

The fraudulent site features fake Google Play and Apple App Store buttons. The Android button downloads a malicious APK file directly from the site rather than through Google Play, so the victim has to sideload it, while the iOS button displays a misleading maintenance message in Bahasa Indonesia so that iPhone users see nothing suspicious and the page keeps its credibility.

CloudSEK analysts identified the campaign through their threat intelligence monitoring and found that the malware is packed to frustrate the static analysis that conventional security products rely on.

Advanced Evasion Techniques

The malicious application is protected by DPT-Shell, an open-source Android packer that encrypts the app’s Dalvik bytecode (DEX) and decrypts and loads it only at runtime. The APK on disk therefore contains only the packer’s loader stub plus ciphertext, so static analysis tools and signature-based scanners see nothing of the malicious classes. The protection is against static inspection only: once the app runs, the code has to be decrypted, and dynamic analysis on an instrumented device recovers it.

Runtime Payload Deployment and Surveillance Capabilities

Upon execution, the DPT-Shell loader decrypts the hidden payload in memory and writes it to the application’s private code_cache directory as a ZIP archive named i111111.zip, from which the real code is loaded. This runtime unpacking keeps the true functionality hidden from scanners until the application is actually running on a device. The same step is what gives analysts a way in: on a rooted device or emulator, pulling the app’s code_cache directory after launch yields the decrypted payload for ordinary DEX analysis.
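The triage step described above, as an added example that is not CloudSEK’s tooling and not part of the malware: once the packed APK has run on a rooted test device or emulator and /data/data/<pkg>/code_cache has been pulled to a local directory, the script walks that directory, finds ZIP archives by magic (so renamed archives are not missed) and reports every entry that starts with a DEX header, with its SHA-256 and the header’s string, method and class-definition counts. The header offsets are the documented dex format; the i111111.zip written by make_sample_cache() is a constructed stand-in containing a header-only DEX, not the real dump.

```python
"""Triage of a runtime-unpacked payload pulled from an app's code_cache.

Added example, not CloudSEK's tooling or part of the malware. The DEX
header offsets are the documented dex format; the sample archive written
by make_sample_cache() is constructed for the demo.
"""
import hashlib
import os
import struct
import tempfile
import zipfile

DEX_MAGIC = b"dex\n"
ZIP_MAGIC = b"PK\x03\x04"
DEX_HEADER_LEN = 0x70


def parse_dex_header(data: bytes) -> dict:
    """Return selected DEX header fields, or {} if data is not a DEX."""
    if len(data) < DEX_HEADER_LEN or not data.startswith(DEX_MAGIC):
        return {}
    # dex header: file_size @32, header_size @36, string_ids_size @56,
    # method_ids_size @88, class_defs_size @96 (all little-endian u32).
    file_size, header_size = struct.unpack_from("<II", data, 32)
    return {
        "version": data[4:7].decode("ascii", "replace"),
        "file_size": file_size,
        "header_size": header_size,
        "string_ids": struct.unpack_from("<I", data, 56)[0],
        "method_ids": struct.unpack_from("<I", data, 88)[0],
        "class_defs": struct.unpack_from("<I", data, 96)[0],
    }


def is_zip(path: str) -> bool:
    """Magic check so renamed or extension-less archives are not missed."""
    try:
        with open(path, "rb") as f:
            return f.read(4) == ZIP_MAGIC
    except OSError:
        return False


def triage_code_cache(root: str) -> list:
    """Walk root; for each ZIP, return the entries that carry a DEX header."""
    findings = []
    for dirpath, _, files in os.walk(root):
        for name in sorted(files):
            path = os.path.join(dirpath, name)
            if not is_zip(path):
                continue
            with zipfile.ZipFile(path) as zf:
                for info in zf.infolist():
                    blob = zf.read(info)
                    header = parse_dex_header(blob)
                    if header:
                        findings.append({
                            "archive": os.path.relpath(path, root),
                            "entry": info.filename,
                            "sha256": hashlib.sha256(blob).hexdigest(),
                            **header,
                        })
    return findings


def build_fake_dex(class_defs: int) -> bytes:
    """Constructed stand-in for a decrypted DEX: a valid header and no body."""
    hdr = bytearray(DEX_HEADER_LEN)
    hdr[0:8] = b"dex\n035\x00"
    struct.pack_into("<II", hdr, 32, DEX_HEADER_LEN, DEX_HEADER_LEN)  # file_size, header_size
    struct.pack_into("<I", hdr, 40, 0x12345678)  # endian_tag
    struct.pack_into("<I", hdr, 96, class_defs)  # class_defs_size
    return bytes(hdr)


def make_sample_cache(root: str = None) -> str:
    """Write a constructed i111111.zip (the name reported for the dump)
    into a scratch directory and return that directory."""
    root = root or tempfile.mkdtemp(prefix="code_cache_")
    with zipfile.ZipFile(os.path.join(root, "i111111.zip"), "w") as zf:
        zf.writestr("classes.dex", build_fake_dex(3))
        zf.writestr("README", b"not a dex")  # must be ignored by the triage
    return root


if __name__ == "__main__":
    for f in triage_code_cache(make_sample_cache()):
        print(f"{f['archive']}:{f['entry']} dex{f['version']} "
              f"class_defs={f['class_defs']} sha256={f['sha256']}")
```

On a real pull, point triage_code_cache() at the directory you copied from the device; the hashes let you match the decrypted DEX against what your sandbox or scanner produced, and a class_defs count of a few dozen or more in a dump from an app whose on-disk classes.dex is a tiny stub is the packer signature in plain sight.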

Once operational, the malware deploys multiple background services designed for comprehensive data theft:

– SmsService Component: Provides persistent SMS interception, automatically reading and forwarding every incoming message to the operators, including the one-time codes sent for two-factor authentication, which defeats SMS-based verification for the victim’s accounts.

– ScreenRecordService: Records the screen, giving the operators a real-time view of everything the victim does on the device, including banking sessions.

– CameraService: Facilitates facial video capture for biometric data harvesting.

These components work in concert with a ContactData class that systematically exfiltrates the victim’s complete address book, including names, phone numbers, email addresses, and call history.

Command and Control Communication

The malware encrypts what it sends and communicates with its command and control server at rpc[.]syids[.]top over two channels: HTTP POST requests carry stolen credentials, and a persistent WebSocket connection delivers the operators’ commands in real time.

When a victim enters banking credentials into the fake app, the malware encrypts and transmits them to the server while deliberately showing an Indonesian-language error message, so that the successful exfiltration looks to the victim like an ordinary failed login attempt.
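The two channels above, and the download site described earlier, can be picked out of egress logs. The following is an added example, not from the article or from CloudSEK: it flags any contact with the hosts the report names, labels each hit by channel (APK download, HTTP POST, WebSocket upgrade), and also applies the more general check the phishing host suggests, a brand name used as a label of a domain that is not the brand’s own. The log line format is an assumption made for this demo, the sample lines are constructed, and the legitimate TASPEN domain (taspen.co.id) is an assumption too; adapt the parser to your proxy or Zeek output.

```python
"""Detection of the campaign's infrastructure in constructed proxy logs.

Added example, not from the article or CloudSEK. The log format, the
sample lines and the legitimate brand domain are assumptions for the demo.
"""
import re

# Hosts named in the report (defanged in the article; plain here for matching).
IOC_HOSTS = {"taspen.ahngo.cc", "rpc.syids.top"}

# Assumed legitimate domain for the brand; the lookalike check fires when
# "taspen" is a label of any other registrable domain.
BRAND = "taspen"
BRAND_DOMAINS = {"taspen.co.id"}

# Assumed format: "<ts> <src_ip> <METHOD> <host><path> <headers...>"
LOG_RE = re.compile(
    r"^(?P<ts>\S+) (?P<src>\S+) (?P<method>[A-Z]+) "
    r"(?P<host>[^\s/]+)(?P<path>/\S*) ?(?P<hdrs>.*)$"
)


def registrable(host: str) -> str:
    """Crude registrable-domain guess: last two labels, or three when the
    TLD is two letters and the second level is short (co.id). Enough for
    the demo; use a public-suffix library in production."""
    labels = host.lower().rstrip(".").split(".")
    if len(labels) >= 3 and len(labels[-1]) == 2 and len(labels[-2]) <= 3:
        return ".".join(labels[-3:])
    return ".".join(labels[-2:])


def brand_lookalike(host: str) -> bool:
    """True when the brand name is a label but the domain is not the brand's."""
    labels = host.lower().split(".")
    return BRAND in labels and registrable(host) not in BRAND_DOMAINS


def classify(line: str):
    """Return a finding dict for a suspicious line, else None."""
    m = LOG_RE.match(line)
    if not m:
        return None
    host, path, method = m.group("host").lower(), m.group("path"), m.group("method")
    hdrs = m.group("hdrs").lower()
    ioc = host in IOC_HOSTS or any(host.endswith("." + h) for h in IOC_HOSTS)
    if not ioc and not brand_lookalike(host):
        return None
    if "upgrade: websocket" in hdrs:
        kind = "websocket-c2"        # persistent command channel
    elif method == "POST":
        kind = "credential-post"     # HTTP POST exfiltration
    elif path.lower().endswith(".apk"):
        kind = "apk-download"        # sideload lure served by the site
    else:
        kind = "ioc-contact" if ioc else "brand-lookalike"
    return {"ts": m.group("ts"), "src": m.group("src"), "host": host, "kind": kind}


def scan(lines):
    """Run classify over an iterable of log lines and keep the findings."""
    return [f for f in map(classify, lines) if f]


# Constructed sample traffic; the first two lines are benign.
SAMPLE_LOG = [
    "2024-06-01T08:00:01Z 10.0.0.7 GET www.taspen.co.id/ User-Agent: Mozilla",
    "2024-06-01T08:00:05Z 10.0.0.7 GET play.google.com/store/apps User-Agent: Mozilla",
    "2024-06-01T08:01:10Z 10.0.0.7 GET taspen.ahngo.cc/download/app.apk User-Agent: Mozilla",
    "2024-06-01T08:03:22Z 10.0.0.7 POST rpc.syids.top/api/login User-Agent: okhttp",
    "2024-06-01T08:03:25Z 10.0.0.7 GET rpc.syids.top/ws Upgrade: websocket Connection: Upgrade",
    "2024-06-01T08:05:00Z 10.0.0.9 GET taspen.example-login.net/ User-Agent: Mozilla",
]

if __name__ == "__main__":
    for f in scan(SAMPLE_LOG):
        print(f"{f['ts']} {f['src']} {f['kind']:16} {f['host']}")
```

The order of the channel labels matters: a WebSocket upgrade is itself a GET, so it is tested before the method, and the APK test only runs once the host has already matched, so ordinary APK downloads from legitimate domains are not flagged. The last sample line is not in the IOC list at all and is caught only by the brand-label heuristic, which is the part that generalizes to the next lookalike domain.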

Attribution and Implications

Attribution analysis reveals strong linguistic indicators pointing to Chinese-speaking threat actors, with error messages in Simplified Chinese found embedded within both the phishing infrastructure and command and control server responses.

The success of this campaign threatens to establish a dangerous precedent for similar attacks against other critical Indonesian public institutions. This could potentially affect millions of citizens who rely on digital government services for essential financial and healthcare needs.

Recommendations for Users

To protect against such sophisticated attacks, users are advised to:

– Verify Sources: Install applications only from the official Google Play or Apple App Store listing. A site that offers an app as a direct .apk download, or a message that links to such a site, is a red flag, and an app that asks for SMS, screen-capture or camera access it has no reason to need should be removed.

– Be Cautious of Phishing Attempts: Be wary of unsolicited messages or emails requesting personal information or directing you to download applications.

– Keep Software Updated: Regularly update your device’s software and security applications to protect against known vulnerabilities.

– Monitor Account Activity: Regularly check your financial accounts for any unauthorized transactions.

By staying vigilant and adopting these practices, users can better protect themselves against evolving cyber threats.