EXECUTIVE SUMMARY:
A Banking Fraud-as-a-Service (BFaaS) toolkit known as Sikka has been identified targeting users of multiple Indian banking, payment, and digital financial platforms. The toolkit is designed to facilitate large-scale financial fraud operations through a modular infrastructure that enables operators to automate account compromise, transaction abuse, and credential theft activities. The malware ecosystem appears highly organized, offering capabilities that support fraud operators through dedicated management functions, encrypted communications, and extensive targeting of online banking and payment services.
The toolkit incorporates a wide range of capabilities aimed at bypassing banking security controls and facilitating fraudulent transactions. Analysis indicates the use of stolen mobile banking API credentials, device fingerprint spoofing, session hijacking techniques, OTP interception workflows, and abuse of payment-related cryptographic processes. Communications between infected systems and command-and-control infrastructure are protected through encryption, while session information is stored in encrypted files to hinder forensic analysis. The malware also employs multiple anti-analysis and evasion mechanisms, including virtual machine detection, debugger identification, security-tool blacklisting, registry modifications, and browser automation through Chromium-based frameworks. These capabilities enable threat actors to automate banking fraud operations, maintain persistence, and reduce the likelihood of detection during fraudulent activity.
The Sikka BFaaS toolkit demonstrates the growing commercialization of financial cyber operations. Its combination of automation, credential theft, session manipulation, and anti-analysis capabilities significantly lowers the barrier to conducting large-scale banking fraud. Organizations within the financial sector should strengthen monitoring of authentication workflows, implement robust fraud detection controls, enforce multi-factor authentication protections, and continuously monitor for indicators of account takeover activity to mitigate the risks posed by such fraud platforms.
THREAT PROFILE:
| Tactic | Technique ID | Technique | Sub-technique |
| --- | --- | --- | --- |
| Execution | T1059.003 | Command and Scripting Interpreter | Windows Command Shell |
| Execution | T1106 | Native API | - |
| Persistence | T1547.009 | Boot or Logon Autostart Execution | Shortcut Modification |
| Privilege Escalation | T1548.002 | Abuse Elevation Control Mechanism | Bypass User Account Control |
| Stealth | T1027.013 | Obfuscated Files or Information | Encrypted/Encoded File |
| Stealth | T1036.005 | Masquerading | Match Legitimate Resource Name or Location |
| Stealth | T1497.001 | Virtualization/Sandbox Evasion | System Checks |
| Stealth | T1622 | Debugger Evasion | - |
| Stealth | T1070.004 | Indicator Removal | File Deletion |
| Stealth | T1480.001 | Execution Guardrails | Environmental Keying |
| Defense Impairment | T1112 | Modify Registry | - |
| Defense Impairment | T1553.004 | Subvert Trust Controls | Install Root Certificate |
| Credential Access | T1552.002 | Unsecured Credentials | Credentials in Registry |
| Credential Access | T1539 | Steal Web Session Cookie | - |
| Credential Access | T1111 | Multi-Factor Authentication Interception | - |
| Credential Access | T1528 | Steal Application Access Token | - |
| Credential Access | T1552.001 | Unsecured Credentials | Credentials In Files |
| Discovery | T1082 | System Information Discovery | - |
| Discovery | T1057 | Process Discovery | - |
| Collection | T1005 | Data from Local System | - |
| Command and Control | T1071.001 | Application Layer Protocol | Web Protocols |
| Command and Control | T1573.001 | Encrypted Channel | Symmetric Cryptography |
| Command and Control | T1102.001 | Web Service | Dead Drop Resolver |
| Command and Control | T1568.001 | Dynamic Resolution | Fast Flux DNS |
| Command and Control | T1090.003 | Proxy | Multi-hop Proxy |
| Impact | T1657 | Financial Theft | - |
MBC MAPPING:
| Objective | Behaviour ID | Behaviour |
| --- | --- | --- |
| Anti-Behavioral Analysis | B0001 | Debugger Detection |
| Anti-Static Analysis | B0032 | Executable Code Obfuscation |
| Anti-Static Analysis | E1027 | Obfuscated Files or Information |
| Collection | E1560 | Archive Collected Data |
| Command and Control | B0030 | C2 Communication |
| Credential Access | F0002 | Keylogging |
| Credential Access | E1113 | Screen Capture |
| Defense Evasion | B0025 | Conditional Execution |
| Defense Evasion | B0029 | Polymorphic Code |
| Defense Evasion | F0001 | Software Packing |
| Defense Evasion | F0004 | Disable or Evade Security Tools |
| Defense Evasion | F0005 | Hidden Files and Directories |
| Defense Evasion | F0007 | Self Deletion |
| Defense Evasion | F0015 | Hijack Execution Flow |
| Defense Evasion | E1564 | Hide Artifacts |
| Discovery | B0013 | Analysis Tool Discovery |
| Discovery | B0038 | Self Discovery |
| Discovery | E1082 | System Information Discovery |
| Execution | B0011 | Remote Commands |
| Execution | E1059 | Command and Scripting Interpreter |
| Impact | B0016 | Compromise Data Integrity |
| Impact | B0033 | Denial of Service |
| Impact | E1486 | Data Encrypted for Impact |
| Persistence | F0012 | Registry Run Keys / Startup Folder |
| Persistence | E1112 | Modify Registry |
| Privilege Escalation | E1055 | Process Injection |
REFERENCES:
The following reports contain further technical details: