arcspan / data / processed / backup / cyner_test.jsonl
Add files using upload-large-folder tool
{"text": "Why Did Chinese Spyware Linger in U.S .", "spans": {}, "info": {"id": "cyner_mitre_test_00000", "source": "cyner_mitre_test"}}
{"text": "Phones ?", "spans": {}, "info": {"id": "cyner_mitre_test_00001", "source": "cyner_mitre_test"}}
{"text": "November 16 , 2016 In what 's being chalked up as an apparent mistake , more than 120,000 Android phones sold in the U.S. were shipped with spying code that sent text messages , call logs and other sensitive data to a server in Shanghai .", "spans": {"System: Android": [[90, 97]]}, "info": {"id": "cyner_mitre_test_00002", "source": "cyner_mitre_test"}}
{"text": "The New York Times reported on Nov. 15 that Kryptowire , a mobile enterprise security company , discovered the code on a lower-end smartphone made by BLU Products of Doral , Fla .", "spans": {"Organization: New York Times": [[4, 18]], "Organization: Kryptowire": [[44, 54]], "Organization: BLU": [[150, 153]]}, "info": {"id": "cyner_mitre_test_00003", "source": "cyner_mitre_test"}}
{"text": "The phones are sold at Best Buy and Amazon.com , among other retail outlets .", "spans": {"Organization: Best Buy": [[23, 31]], "Organization: Amazon.com": [[36, 46]]}, "info": {"id": "cyner_mitre_test_00004", "source": "cyner_mitre_test"}}
{"text": "Kryptowire says the code , which it found on a BLU R1 HD devices , transmitted fine-grained location information and allowed for the remote installation of other apps .", "spans": {"Organization: Kryptowire": [[0, 10]], "Organization: BLU": [[47, 50]]}, "info": {"id": "cyner_mitre_test_00005", "source": "cyner_mitre_test"}}
{"text": "Text message and call logs were transmitted every 72 hours to the Shanghai server , and once a day for other personally identifiable data , the company says .", "spans": {}, "info": {"id": "cyner_mitre_test_00006", "source": "cyner_mitre_test"}}
{"text": "It turns out , however , that other security researchers noticed suspicious and faulty code on BLU devices as early as March 2015 , and it has taken nearly that long to remove it from the company 's devices .", "spans": {"Organization: BLU": [[95, 98]]}, "info": {"id": "cyner_mitre_test_00007", "source": "cyner_mitre_test"}}
{"text": "The finding , in part , shows the risk that can come in opting for less expensive smartphones , whose manufacturers may not diligently fix security vulnerabilities .", "spans": {"Vulnerability: security vulnerabilities": [[139, 163]]}, "info": {"id": "cyner_mitre_test_00008", "source": "cyner_mitre_test"}}
{"text": "It 's also raising eyebrows because of the connection with China , which has frequently sparred with the U.S. over cyber espionage .", "spans": {}, "info": {"id": "cyner_mitre_test_00009", "source": "cyner_mitre_test"}}
{"text": "BLU Products has now updated its phones to remove the spying code , which most likely would have never been detected by regular users .", "spans": {"Organization: BLU": [[0, 3]]}, "info": {"id": "cyner_mitre_test_00010", "source": "cyner_mitre_test"}}
{"text": "The code never informed phone users that it was collecting that data , a behavior uniformly viewed by many as a serious security concern .", "spans": {}, "info": {"id": "cyner_mitre_test_00011", "source": "cyner_mitre_test"}}
{"text": "The developer of the code , Shanghai Adups Technology Co. , has apologized , contending that the code was intended for another one of its clients who requested better blocking of junk text messages and marketing calls .", "spans": {"Organization: Shanghai Adups Technology Co.": [[28, 57]]}, "info": {"id": "cyner_mitre_test_00012", "source": "cyner_mitre_test"}}
{"text": "Vulnerabilities Reported BLU Products , founded in 2009 , makes lower-end Android-powered smartphones that sell for as little as $ 50 on Amazon .", "spans": {"System: Android-powered": [[74, 89]], "Organization: Amazon": [[137, 143]]}, "info": {"id": "cyner_mitre_test_00013", "source": "cyner_mitre_test"}}
{"text": "Like many original equipment manufacturers , it uses software components from other developers .", "spans": {}, "info": {"id": "cyner_mitre_test_00014", "source": "cyner_mitre_test"}}
{"text": "The company uses a type of software from Adups that 's nicknamed FOTA , short for firmware over-the-air .", "spans": {"Organization: Adups": [[41, 46]], "System: FOTA": [[65, 69]]}, "info": {"id": "cyner_mitre_test_00015", "source": "cyner_mitre_test"}}
{"text": "The software manages the delivery of firmware updates over-the-air , the term used for transmission via a mobile network .", "spans": {}, "info": {"id": "cyner_mitre_test_00016", "source": "cyner_mitre_test"}}
{"text": "Firmware is low-level code deep in an operating system that often has high access privileges , so it 's critical that it 's verified and contains no software vulnerabilities .", "spans": {}, "info": {"id": "cyner_mitre_test_00017", "source": "cyner_mitre_test"}}
{"text": "Long before Kryptowire 's announcement , Tim Strazzere , a mobile security researcher with RedNaga Security , contacted BLU Products in March 2015 after he found two vulnerabilities that could be traced to Adup 's code .", "spans": {"Organization: Kryptowire": [[12, 22]], "Organization: RedNaga Security": [[91, 107]], "Organization: Adup": [[206, 210]]}, "info": {"id": "cyner_mitre_test_00018", "source": "cyner_mitre_test"}}
{"text": "Those vulnerabilities could have enabled someone to gain broad access to an Android device .", "spans": {"System: Android": [[76, 83]]}, "info": {"id": "cyner_mitre_test_00019", "source": "cyner_mitre_test"}}
{"text": "Strazzere 's colleague , Jon Sawyer , suggested on Twitter that the vulnerabilities might have not been there by mistake , but rather included as intentionally coded backdoors .", "spans": {"Organization: Twitter": [[51, 58]]}, "info": {"id": "cyner_mitre_test_00020", "source": "cyner_mitre_test"}}
{"text": "He posted a tweet to The New York Times report , sarcastically writing , \" If only two people had called this company out for their backdoors several times over the last few years .", "spans": {"Organization: New York Times": [[25, 39]]}, "info": {"id": "cyner_mitre_test_00021", "source": "cyner_mitre_test"}}
{"text": "'' Strazzere 's experience in trying to contact both vendors last year is typical of the frustrations frequently faced by security researchers .", "spans": {}, "info": {"id": "cyner_mitre_test_00022", "source": "cyner_mitre_test"}}
{"text": "\" I tried reaching out to Adups and never heard back , '' Strazzere tells Information Security Media Group .", "spans": {"Organization: Adups": [[26, 31]], "Organization: Information Security Media Group": [[74, 106]]}, "info": {"id": "cyner_mitre_test_00023", "source": "cyner_mitre_test"}}
{"text": "\" BLU said they had no security department when I emailed them .", "spans": {"Organization: BLU": [[2, 5]]}, "info": {"id": "cyner_mitre_test_00024", "source": "cyner_mitre_test"}}
{"text": "'' Strazzere says he also failed to reach MediaTek , a Taiwanese fabless semiconductor manufacturer whose chipsets that powered BLU phones also contained Adups software .", "spans": {"Organization: MediaTek": [[42, 50]], "Organization: BLU": [[128, 131]], "Organization: Adups": [[154, 159]]}, "info": {"id": "cyner_mitre_test_00025", "source": "cyner_mitre_test"}}
{"text": "To their credit , both Google and Amazon appear to have put pressure on device manufacturers to fix their devices when flaws are found , Strazzere says .", "spans": {"Organization: Google": [[23, 29]], "Organization: Amazon": [[34, 40]]}, "info": {"id": "cyner_mitre_test_00026", "source": "cyner_mitre_test"}}
{"text": "For Google , Android security issues - even if not in the core operating code - are a reputation threat , and for Amazon , a product quality issue .", "spans": {"Organization: Google": [[4, 10]], "Organization: Amazon": [[114, 120]]}, "info": {"id": "cyner_mitre_test_00027", "source": "cyner_mitre_test"}}
{"text": "But devices sold outside of Amazon \" might not have ever seen fixes , '' he says .", "spans": {"Organization: Amazon": [[28, 34]]}, "info": {"id": "cyner_mitre_test_00028", "source": "cyner_mitre_test"}}
{"text": "Officials at BLU could n't be immediately reached for comment .", "spans": {"Organization: BLU": [[13, 16]]}, "info": {"id": "cyner_mitre_test_00029", "source": "cyner_mitre_test"}}
{"text": "Attitude Change The disinterest in the issues appears to have changed with The New York Times report , which lit a fire underneath Adups and BLU .", "spans": {"Organization: New York Times": [[79, 93]], "Organization: Adups": [[131, 136]], "Organization: BLU": [[141, 144]]}, "info": {"id": "cyner_mitre_test_00030", "source": "cyner_mitre_test"}}
{"text": "Adups addressed the issue in a Nov. 16 news release , writing that some products made by BLU were updated in June with a version of its FOTA that had actually been intended for other clients who had requested an ability to stop text spam .", "spans": {"Organization: Adups": [[0, 5]], "Organization: BLU": [[89, 92]], "System: FOTA": [[136, 140]]}, "info": {"id": "cyner_mitre_test_00031", "source": "cyner_mitre_test"}}
{"text": "That version flags messages \" containing certain language associated with junk texts and flags numbers associated with junk calls and not in a user 's contacts , '' the company says .", "spans": {}, "info": {"id": "cyner_mitre_test_00032", "source": "cyner_mitre_test"}}
{"text": "Manufacturers should be keeping close tabs on what software ends up on their devices .", "spans": {}, "info": {"id": "cyner_mitre_test_00033", "source": "cyner_mitre_test"}}
{"text": "But it would appear that BLU only took action after Kryptowire notified it along with Google , Adups and Amazon .", "spans": {"Organization: BLU": [[25, 28]], "Organization: Kryptowire": [[52, 62]], "Organization: Google": [[86, 92]], "Organization: Adups": [[95, 100]], "Organization: Amazon": [[105, 111]]}, "info": {"id": "cyner_mitre_test_00034", "source": "cyner_mitre_test"}}
{"text": "\" When BLU raised objections , Adups took immediate measures to disable that functionality on BLU phones , '' Adups says .", "spans": {"Organization: BLU": [[7, 10], [94, 97]], "Organization: Adups": [[31, 36]]}, "info": {"id": "cyner_mitre_test_00035", "source": "cyner_mitre_test"}}
{"text": "The greater worry is that these situations may sometimes not be simple mistakes .", "spans": {}, "info": {"id": "cyner_mitre_test_00036", "source": "cyner_mitre_test"}}
{"text": "Security experts have long warned of the ability of advanced adversaries to subvert hardware and software supply chains .", "spans": {}, "info": {"id": "cyner_mitre_test_00037", "source": "cyner_mitre_test"}}
{"text": "Also , the software vulnerabilities pointed out in the FOTA software by Strazzere in 2015 could have been taken advantage of by cybercriminals looking to steal bank account details or execute other frauds .", "spans": {"Vulnerability: software vulnerabilities": [[11, 35]], "System: FOTA": [[55, 59]]}, "info": {"id": "cyner_mitre_test_00038", "source": "cyner_mitre_test"}}
{"text": "Strazzere advises that consumers should look at the pedigree of mobile manufacturers and take a close look at their security track record before making a decision on what device to buy .", "spans": {}, "info": {"id": "cyner_mitre_test_00039", "source": "cyner_mitre_test"}}
{"text": "\" In the end , the consumer needs to vote with their wallet , '' he says .", "spans": {}, "info": {"id": "cyner_mitre_test_00040", "source": "cyner_mitre_test"}}
{"text": "Skygofree : Following in the footsteps of HackingTeam 16 JAN 2018 At the beginning of October 2017 , we discovered new Android spyware with several features previously unseen in the wild .", "spans": {"Malware: Skygofree": [[0, 9]], "Organization: HackingTeam": [[42, 53]], "System: Android": [[119, 126]]}, "info": {"id": "cyner_mitre_test_00041", "source": "cyner_mitre_test"}}
{"text": "In the course of further research , we found a number of related samples that point to a long-term development process .", "spans": {}, "info": {"id": "cyner_mitre_test_00042", "source": "cyner_mitre_test"}}
{"text": "We believe the initial versions of this malware were created at least three years ago – at the end of 2014 .", "spans": {}, "info": {"id": "cyner_mitre_test_00043", "source": "cyner_mitre_test"}}
{"text": "Since then , the implant ’ s functionality has been improving and remarkable new features implemented , such as the ability to record audio surroundings via the microphone when an infected device is in a specified location ; the stealing of WhatsApp messages via Accessibility Services ; and the ability to connect an infected device to Wi-Fi networks controlled by cybercriminals .", "spans": {"System: WhatsApp": [[241, 249]]}, "info": {"id": "cyner_mitre_test_00044", "source": "cyner_mitre_test"}}
{"text": "We observed many web landing pages that mimic the sites of mobile operators and which are used to spread the Android implants .", "spans": {"System: Android": [[109, 116]]}, "info": {"id": "cyner_mitre_test_00045", "source": "cyner_mitre_test"}}
{"text": "These domains have been registered by the attackers since 2015 .", "spans": {}, "info": {"id": "cyner_mitre_test_00046", "source": "cyner_mitre_test"}}
{"text": "According to our telemetry , that was the year the distribution campaign was at its most active .", "spans": {}, "info": {"id": "cyner_mitre_test_00047", "source": "cyner_mitre_test"}}
{"text": "The activities continue : the most recently observed domain was registered on October 31 , 2017 .", "spans": {}, "info": {"id": "cyner_mitre_test_00048", "source": "cyner_mitre_test"}}
{"text": "Based on our KSN statistics , there are several infected individuals , exclusively in Italy .", "spans": {}, "info": {"id": "cyner_mitre_test_00049", "source": "cyner_mitre_test"}}
{"text": "Moreover , as we dived deeper into the investigation , we discovered several spyware tools for Windows that form an implant for exfiltrating sensitive data on a targeted machine .", "spans": {"System: Windows": [[95, 102]]}, "info": {"id": "cyner_mitre_test_00050", "source": "cyner_mitre_test"}}
{"text": "The version we found was built at the beginning of 2017 , and at the moment we are not sure whether this implant has been used in the wild .", "spans": {}, "info": {"id": "cyner_mitre_test_00051", "source": "cyner_mitre_test"}}
{"text": "We named the malware Skygofree , because we found the word in one of the domains * .", "spans": {"Malware: Skygofree": [[21, 30]]}, "info": {"id": "cyner_mitre_test_00052", "source": "cyner_mitre_test"}}
{"text": "Malware Features Android According to the observed samples and their signatures , early versions of this Android malware were developed by the end of 2014 and the campaign has remained active ever since .", "spans": {"System: Android": [[17, 24], [105, 112]]}, "info": {"id": "cyner_mitre_test_00053", "source": "cyner_mitre_test"}}
{"text": "The code and functionality have changed numerous times ; from simple unobfuscated malware at the beginning to sophisticated multi-stage spyware that gives attackers full remote control of the infected device .", "spans": {}, "info": {"id": "cyner_mitre_test_00054", "source": "cyner_mitre_test"}}
{"text": "We have examined all the detected versions , including the latest one that is signed by a certificate valid from September 14 , 2017 .", "spans": {}, "info": {"id": "cyner_mitre_test_00055", "source": "cyner_mitre_test"}}
{"text": "The implant provides the ability to grab a lot of exfiltrated data , like call records , text messages , geolocation , surrounding audio , calendar events , and other memory information stored on the device .", "spans": {}, "info": {"id": "cyner_mitre_test_00056", "source": "cyner_mitre_test"}}
{"text": "After manual launch , it shows a fake welcome notification to the user : Dear Customer , we ’ re updating your configuration and it will be ready as soon as possible .", "spans": {}, "info": {"id": "cyner_mitre_test_00057", "source": "cyner_mitre_test"}}
{"text": "At the same time , it hides an icon and starts background services to hide further actions from the user .", "spans": {}, "info": {"id": "cyner_mitre_test_00058", "source": "cyner_mitre_test"}}
{"text": "Service Name Purpose AndroidAlarmManager Uploading last recorded .amr audio AndroidSystemService Audio recording AndroidSystemQueues Location tracking with movement detection ClearSystems GSM tracking ( CID , LAC , PSC ) ClipService Clipboard stealing AndroidFileManager Uploading all exfiltrated data AndroidPush XMPP С & C protocol ( url.plus:5223 ) RegistrationService Registration on C & C via HTTP ( url.plus/app/pro/ ) Interestingly , a self-protection feature was implemented in almost every service", "spans": {"System: GSM": [[188, 191]], "Indicator: url.plus:5223": [[336, 349]], "Indicator: url.plus/app/pro/": [[405, 422]]}, "info": {"id": "cyner_mitre_test_00059", "source": "cyner_mitre_test"}}
{"text": ".", "spans": {}, "info": {"id": "cyner_mitre_test_00060", "source": "cyner_mitre_test"}}
{"text": "Since in Android 8.0 ( SDK API 26 ) the system is able to kill idle services , this code raises a fake update notification to prevent it : Cybercriminals have the ability to control the implant via HTTP , XMPP , binary SMS and FirebaseCloudMessaging ( or GoogleCloudMessaging in older versions ) protocols .", "spans": {"System: Android 8.0": [[9, 20]]}, "info": {"id": "cyner_mitre_test_00061", "source": "cyner_mitre_test"}}
{"text": "Such a diversity of protocols gives the attackers more flexible control .", "spans": {}, "info": {"id": "cyner_mitre_test_00062", "source": "cyner_mitre_test"}}
{"text": "In the latest implant versions there are 48 different commands .", "spans": {}, "info": {"id": "cyner_mitre_test_00063", "source": "cyner_mitre_test"}}
{"text": "You can find a full list with short descriptions in the Appendix .", "spans": {}, "info": {"id": "cyner_mitre_test_00064", "source": "cyner_mitre_test"}}
{"text": "Here are some of the most notable : ‘ geofence ’ – this command adds a specified location to the implant ’ s internal database and when it matches a device ’ s current location the malware triggers and begins to record surrounding audio .", "spans": {}, "info": {"id": "cyner_mitre_test_00065", "source": "cyner_mitre_test"}}
{"text": "” social ” – this command that starts the ‘ AndroidMDMSupport ’ service – this allows the files of any other installed application to be grabbed .", "spans": {}, "info": {"id": "cyner_mitre_test_00066", "source": "cyner_mitre_test"}}
{"text": "The service name makes it clear that by applications the attackers mean MDM solutions that are business-specific tools .", "spans": {}, "info": {"id": "cyner_mitre_test_00067", "source": "cyner_mitre_test"}}
{"text": "The operator can specify a path with the database of any targeted application and server-side PHP script name for uploading .", "spans": {}, "info": {"id": "cyner_mitre_test_00068", "source": "cyner_mitre_test"}}
{"text": "Several hardcoded applications targeted by the MDM-grabbing command ‘ wifi ’ – this command creates a new Wi-Fi connection with specified configurations from the command and enable Wi-Fi if it is disabled .", "spans": {}, "info": {"id": "cyner_mitre_test_00069", "source": "cyner_mitre_test"}}
{"text": "So , when a device connects to the established network , this process will be in silent and automatic mode .", "spans": {}, "info": {"id": "cyner_mitre_test_00070", "source": "cyner_mitre_test"}}
{"text": "This command is used to connect the victim to a Wi-Fi network controlled by the cybercriminals to perform traffic sniffing and man-in-the-middle ( MitM ) attacks .", "spans": {}, "info": {"id": "cyner_mitre_test_00071", "source": "cyner_mitre_test"}}
{"text": "addWifiConfig method code fragments ‘ camera ’ – this command records a video/capture a photo using the front-facing camera when someone next unlocks the device .", "spans": {}, "info": {"id": "cyner_mitre_test_00072", "source": "cyner_mitre_test"}}
{"text": "Some versions of the Skygofree feature the self-protection ability exclusively for Huawei devices .", "spans": {"Malware: Skygofree": [[21, 30]], "Organization: Huawei": [[83, 89]]}, "info": {"id": "cyner_mitre_test_00073", "source": "cyner_mitre_test"}}
{"text": "There is a ‘ protected apps ’ list in this brand ’ s smartphones , related to a battery-saving concept .", "spans": {}, "info": {"id": "cyner_mitre_test_00074", "source": "cyner_mitre_test"}}
{"text": "Apps not selected as protected apps stop working once the screen is off and await re-activation , so the implant is able to determine that it is running on a Huawei device and add itself to this list .", "spans": {"Organization: Huawei": [[158, 164]]}, "info": {"id": "cyner_mitre_test_00075", "source": "cyner_mitre_test"}}
{"text": "Due to this feature , it is clear that the developers paid special attention to the work of the implant on Huawei devices .", "spans": {"Organization: Huawei": [[107, 113]]}, "info": {"id": "cyner_mitre_test_00076", "source": "cyner_mitre_test"}}
{"text": "Also , we found a debug version of the implant ( 70a937b2504b3ad6c623581424c7e53d ) that contains interesting constants , including the version of the spyware .", "spans": {"Indicator: 70a937b2504b3ad6c623581424c7e53d": [[49, 81]]}, "info": {"id": "cyner_mitre_test_00077", "source": "cyner_mitre_test"}}
{"text": "Debug BuildConfig with the version After a deep analysis of all discovered versions of Skygofree , we made an approximate timeline of the implant ’ s evolution .", "spans": {"Malware: Skygofree": [[87, 96]]}, "info": {"id": "cyner_mitre_test_00078", "source": "cyner_mitre_test"}}
{"text": "Mobile implant evolution timeline However , some facts indicate that the APK samples from stage two can also be used separately as the first step of the infection .", "spans": {}, "info": {"id": "cyner_mitre_test_00079", "source": "cyner_mitre_test"}}
{"text": "Below is a list of the payloads used by the Skygofree implant in the second and third stages .", "spans": {"Malware: Skygofree": [[44, 53]]}, "info": {"id": "cyner_mitre_test_00080", "source": "cyner_mitre_test"}}
{"text": "Reverse shell payload The reverse shell module is an external ELF file compiled by the attackers to run on Android .", "spans": {"System: Android": [[107, 114]]}, "info": {"id": "cyner_mitre_test_00081", "source": "cyner_mitre_test"}}
{"text": "The choice of a particular payload is determined by the implant ’ s version , and it can be downloaded from the command and control ( C & C ) server soon after the implant starts , or after a specific command .", "spans": {}, "info": {"id": "cyner_mitre_test_00082", "source": "cyner_mitre_test"}}
{"text": "In the most recent case , the choice of the payload zip file depends on the device process architecture .", "spans": {}, "info": {"id": "cyner_mitre_test_00083", "source": "cyner_mitre_test"}}
{"text": "For now , we observe only one payload version for following the ARM CPUs : arm64-v8a , armeabi , armeabi-v7a .", "spans": {"System: ARM": [[64, 67]], "System: arm64-v8a": [[75, 84]], "System: armeabi": [[87, 94]], "System: armeabi-v7a": [[97, 108]]}, "info": {"id": "cyner_mitre_test_00084", "source": "cyner_mitre_test"}}
{"text": "Note that in almost all cases , this payload file , contained in zip archives , is named ‘ setting ’ or ‘ setting.o ’ .", "spans": {"Indicator: setting": [[91, 98]], "Indicator: setting.o": [[106, 115]]}, "info": {"id": "cyner_mitre_test_00085", "source": "cyner_mitre_test"}}
{"text": "The main purpose of this module is providing reverse shell features on the device by connecting with the C & C server ’ s socket .", "spans": {}, "info": {"id": "cyner_mitre_test_00086", "source": "cyner_mitre_test"}}
{"text": "Reverse shell payload The payload is started by the main module with a specified host and port as a parameter that is hardcoded to ‘ 54.67.109.199 ’ and ‘ 30010 ’ in some versions : Alternatively , they could be hardcoded directly into the payload code : We also observed variants that were equipped with similar reverse shell payloads directly in the main APK /lib/ path .", "spans": {"Indicator: 54.67.109.199": [[133, 146]], "Indicator: 30010": [[155, 160]]}, "info": {"id": "cyner_mitre_test_00087", "source": "cyner_mitre_test"}}
{"text": "Equipped reverse shell payload with specific string After an in-depth look , we found that some versions of the reverse shell payload code share similarities with PRISM – a stealth reverse shell backdoor that is available on Github .", "spans": {"Malware: PRISM": [[163, 168]], "Organization: Github": [[225, 231]]}, "info": {"id": "cyner_mitre_test_00088", "source": "cyner_mitre_test"}}
{"text": "Reverse shell payload from update_dev.zip Exploit payload At the same time , we found an important payload binary that is trying to exploit several known vulnerabilities and escalate privileges .", "spans": {"Indicator: update_dev.zip": [[27, 41]]}, "info": {"id": "cyner_mitre_test_00089", "source": "cyner_mitre_test"}}
{"text": "According to several timestamps , this payload is used by implant versions created since 2016 .", "spans": {}, "info": {"id": "cyner_mitre_test_00090", "source": "cyner_mitre_test"}}
{"text": "It can also be downloaded by a specific command .", "spans": {}, "info": {"id": "cyner_mitre_test_00091", "source": "cyner_mitre_test"}}
{"text": "The exploit payload contains following file components : Component name Description run_root_shell/arrs_put_user.o/arrs_put_user/poc Exploit ELF db Sqlite3 tool ELF device.db Sqlite3 database with supported devices and their constants needed for privilege escalation ‘ device.db ’ is a database used by the exploit .", "spans": {"Indicator: run_root_shell/arrs_put_user.o/arrs_put_user/poc": [[84, 132]], "Indicator: device.db": [[165, 174], [269, 278]]}, "info": {"id": "cyner_mitre_test_00092", "source": "cyner_mitre_test"}}
{"text": "It contains two tables – ‘ supported_devices ’ and ‘ device_address ’ .", "spans": {}, "info": {"id": "cyner_mitre_test_00093", "source": "cyner_mitre_test"}}
{"text": "The first table contains 205 devices with some Linux properties ; the second contains the specific memory addresses associated with them that are needed for successful exploitation .", "spans": {"System: Linux": [[47, 52]]}, "info": {"id": "cyner_mitre_test_00094", "source": "cyner_mitre_test"}}
{"text": "You can find a full list of targeted models in the Appendix .", "spans": {}, "info": {"id": "cyner_mitre_test_00095", "source": "cyner_mitre_test"}}
{"text": "Fragment of the database with targeted devices and specific memory addresses If the infected device is not listed in this database , the exploit tries to discover these addresses programmatically .", "spans": {}, "info": {"id": "cyner_mitre_test_00096", "source": "cyner_mitre_test"}}
{"text": "After downloading and unpacking , the main module executes the exploit binary file .", "spans": {}, "info": {"id": "cyner_mitre_test_00097", "source": "cyner_mitre_test"}}
{"text": "Once executed , the module attempts to get root privileges on the device by exploiting the following vulnerabilities : CVE-2013-2094 CVE-2013-2595 CVE-2013-6282 CVE-2014-3153 ( futex aka TowelRoot ) CVE-2015-3636 Exploitation process After an in-depth look , we found that the exploit payload code shares several similarities with the public project android-rooting-tools .", "spans": {"Vulnerability: CVE-2013-2094": [[119, 132]], "Vulnerability: CVE-2013-2595": [[133, 146]], "Vulnerability: CVE-2013-6282": [[147, 160]], "Vulnerability: CVE-2014-3153": [[161, 174]], "Vulnerability: futex": [[177, 182]], "Vulnerability: TowelRoot": [[187, 196]], "Vulnerability: CVE-2015-3636": [[199, 212]]}, "info": {"id": "cyner_mitre_test_00098", "source": "cyner_mitre_test"}}
{"text": "Decompiled exploit function code fragment run_with_mmap function from the android-rooting-tools project As can be seen from the comparison , there are similar strings and also a unique comment in Italian , so it looks like the attackers created this exploit payload based on android-rooting-tools project source code .", "spans": {"System: android-rooting-tools": [[74, 95], [275, 296]]}, "info": {"id": "cyner_mitre_test_00099", "source": "cyner_mitre_test"}}
{"text": "Busybox payload Busybox is public software that provides several Linux tools in a single ELF file .", "spans": {}, "info": {"id": "cyner_mitre_test_00100", "source": "cyner_mitre_test"}}
{"text": "In earlier versions , it operated with shell commands like this : Stealing WhatsApp encryption key with Busybox Social payload Actually , this is not a standalone payload file – in all the observed versions its code was compiled with exploit payload in one file ( ‘ poc_perm ’ , ‘ arrs_put_user ’ , ‘ arrs_put_user.o ’ ) .", "spans": {"Malware: Busybox Social payload": [[104, 126]]}, "info": {"id": "cyner_mitre_test_00101", "source": "cyner_mitre_test"}}
{"text": "This is due to the fact that the implant needs to escalate privileges before performing social payload actions .", "spans": {}, "info": {"id": "cyner_mitre_test_00102", "source": "cyner_mitre_test"}}
{"text": "This payload is also used by the earlier versions of the implant .", "spans": {}, "info": {"id": "cyner_mitre_test_00103", "source": "cyner_mitre_test"}}
{"text": "It has similar functionality to the ‘ AndroidMDMSupport ’ command from the current versions – stealing data belonging to other installed applications .", "spans": {}, "info": {"id": "cyner_mitre_test_00104", "source": "cyner_mitre_test"}}
{"text": "The payload will execute shell code to steal data from various applications .", "spans": {}, "info": {"id": "cyner_mitre_test_00105", "source": "cyner_mitre_test"}}
{"text": "The example below steals Facebook data : All the other hardcoded applications targeted by the payload : Package name Name jp.naver.line.android LINE : Free Calls & Messages com.facebook.orca Facebook messenger com.facebook.katana Facebook com.whatsapp WhatsApp com.viber.voip Viber Parser payload Upon receiving a specific command , the implant can download a special payload to grab sensitive information from external applications .", "spans": {"System: Facebook": [[25, 33], [230, 238]], "Indicator: jp.naver.line.android": [[122, 143]], "System: LINE : Free Calls & Messages": [[144, 172]], "Indicator: com.facebook.orca": [[173, 190]], "System: Facebook messenger": [[191, 209]], "Indicator: com.facebook.katana": [[210, 229]], "Indicator: com.whatsapp": [[239, 251]], "System: WhatsApp": [[252, 260]], "Indicator: com.viber.voip": [[261, 275]], "System: Viber": [[276, 281]]}, "info": {"id": "cyner_mitre_test_00106", "source": "cyner_mitre_test"}}
{"text": "The case where we observed this involved WhatsApp .", "spans": {"System: WhatsApp": [[41, 49]]}, "info": {"id": "cyner_mitre_test_00107", "source": "cyner_mitre_test"}}
{"text": "In the examined version , it was downloaded from : hxxp : //url [ .", "spans": {"Indicator: hxxp : //url [ .": [[51, 67]]}, "info": {"id": "cyner_mitre_test_00108", "source": "cyner_mitre_test"}}
{"text": "] plus/Updates/tt/parser.apk The payload can be a .dex or .apk file which is a Java-compiled Android executable .", "spans": {"System: Android": [[93, 100]]}, "info": {"id": "cyner_mitre_test_00109", "source": "cyner_mitre_test"}}
{"text": "After downloading , it will be loaded by the main module via DexClassLoader api : As mentioned , we observed a payload that exclusively targets the WhatsApp messenger and it does so in an original way .", "spans": {"System: WhatsApp messenger": [[148, 166]]}, "info": {"id": "cyner_mitre_test_00110", "source": "cyner_mitre_test"}}
{"text": "The payload uses the Android Accessibility Service to get information directly from the displayed elements on the screen , so it waits for the targeted application to be launched and then parses all nodes to find text messages : Note that the implant needs special permission to use the Accessibility Service API , but there is a command that performs a request with a phishing text displayed to the user to obtain such permission .", "spans": {"System: Android": [[21, 28]]}, "info": {"id": "cyner_mitre_test_00111", "source": "cyner_mitre_test"}}
{"text": "Windows We have found multiple components that form an entire spyware system for the Windows platform .", "spans": {"System: Windows": [[0, 7], [85, 92]]}, "info": {"id": "cyner_mitre_test_00112", "source": "cyner_mitre_test"}}
{"text": "Name MD5 Purpose msconf.exe 55fb01048b6287eadcbd9a0f86d21adf Main module , reverse shell network.exe f673bb1d519138ced7659484c0b66c5b Sending exfiltrated data system.exe d3baa45ed342fbc5a56d974d36d5f73f Surrounding sound recording by mic update.exe 395f9f87df728134b5e3c1ca4d48e9fa Keylogging wow.exe", "spans": {"Indicator: msconf.exe": [[17, 27]], "Indicator: 55fb01048b6287eadcbd9a0f86d21adf": [[28, 60]], "Indicator: network.exe": [[89, 100]], "Indicator: f673bb1d519138ced7659484c0b66c5b": [[101, 133]], "Indicator: system.exe": [[159, 169]], "Indicator: d3baa45ed342fbc5a56d974d36d5f73f": [[170, 202]], "Indicator: update.exe": [[238, 248]], "Indicator: 395f9f87df728134b5e3c1ca4d48e9fa": [[249, 281]], "Indicator: wow.exe": [[293, 300]]}, "info": {"id": "cyner_mitre_test_00113", "source": "cyner_mitre_test"}}
{"text": "16311b16fd48c1c87c6476a455093e7a Screenshot capturing skype_sync2.exe 6bcc3559d7405f25ea403317353d905f Skype call recording to MP3 All modules , except skype_sync2.exe , are written in Python and packed to binary files via the Py2exe tool .", "spans": {"Indicator: 16311b16fd48c1c87c6476a455093e7a": [[0, 32]], "Indicator: skype_sync2.exe": [[54, 69], [152, 167]], "Indicator: 6bcc3559d7405f25ea403317353d905f": [[70, 102]], "System: Skype": [[103, 108]], "System: Python": [[185, 191]], "System: Py2exe": [[227, 233]]}, "info": {"id": "cyner_mitre_test_00114", "source": "cyner_mitre_test"}}
{"text": "This sort of conversion allows Python code to be run in a Windows environment without pre-installed Python binaries .", "spans": {"System: Python": [[31, 37], [100, 106]], "System: Windows": [[58, 65]]}, "info": {"id": "cyner_mitre_test_00115", "source": "cyner_mitre_test"}}
{"text": "msconf.exe is the main module that provides control of the implant and reverse shell feature .", "spans": {"Indicator: msconf.exe": [[0, 10]]}, "info": {"id": "cyner_mitre_test_00116", "source": "cyner_mitre_test"}}
{"text": "It opens a socket on the victim ’ s machine and connects with a server-side component of the implant located at 54.67.109.199:6500 .", "spans": {"Indicator: 54.67.109.199:6500": [[112, 130]]}, "info": {"id": "cyner_mitre_test_00117", "source": "cyner_mitre_test"}}
{"text": "Before connecting with the socket , it creates a malware environment in ‘ APPDATA/myupd ’ and creates a sqlite3 database there – ‘ myupd_tmp\\\\mng.db ’ : CREATE TABLE MANAGE ( ID INT PRIMARY KEY NOT NULL , Send INT NOT NULL , Keylogg INT NOT NULL , Screenshot INT NOT NULL , Audio INT NOT NULL ) ; INSERT INTO MANAGE ( ID , Send , Keylogg , Screenshot , Audio", "spans": {"Indicator: APPDATA/myupd": [[74, 87]], "Indicator: myupd_tmp\\\\mng.db": [[131, 148]]}, "info": {"id": "cyner_mitre_test_00118", "source": "cyner_mitre_test"}}
{"text": ") VALUES ( 1 , 1 , 1 , 1 , 0 ) Finally , the malware modifies the ‘ Software\\Microsoft\\Windows\\CurrentVersion\\Run ’ registry key to enable autostart of the main module .", "spans": {"Indicator: Software\\Microsoft\\Windows\\CurrentVersion\\Run": [[68, 113]]}, "info": {"id": "cyner_mitre_test_00119", "source": "cyner_mitre_test"}}
{"text": "The code contains multiple comments in Italian , here is the most noteworthy example : “ Receive commands from the remote server , here you can set the key commands to command the virus ” Here are the available commands : Name Description cd Change current directory to specified quit Close the socket nggexe Execute received command via Python ’ s subprocess.Popen ( ) without outputs ngguploads Upload specified file to the specified URL nggdownloads Download content from the specified URLs and save to specified file nggfilesystem Dump file structure of", "spans": {"System: Python": [[338, 344]]}, "info": {"id": "cyner_mitre_test_00120", "source": "cyner_mitre_test"}}
{"text": "the C : path , save it to the file in json format and zip it nggstart_screen nggstop_screen Enable/disable screenshot module .", "spans": {}, "info": {"id": "cyner_mitre_test_00121", "source": "cyner_mitre_test"}}
{"text": "When enabled , it makes a screenshot every 25 seconds nggstart_key nggstop_key Enable/disable keylogging module nggstart_rec nggstop_rec Enable/disable surrounding sounds recording module ngg_status Send components status to the C & C socket * any other * Execute received command via Python ’ s subprocess.Popen ( ) , output result will be sent to the C & C socket .", "spans": {"System: Python": [[285, 291]]}, "info": {"id": "cyner_mitre_test_00122", "source": "cyner_mitre_test"}}
{"text": "All modules set hidden attributes to their files : Module Paths Exfiltrated data format msconf.exe % APPDATA % /myupd/gen/ % Y % m % d- % H % M % S_filesystem.zip ( file structure dump ) system.exe % APPDATA % /myupd/aud/ % d % m % Y % H % M % S.wav ( surrounding sounds ) update.exe % APPDATA % /myupd_tmp/txt/ % APPDATA % /myupd/txt/ % Y % m", "spans": {"Indicator: msconf.exe": [[88, 98]], "Indicator: % APPDATA % /myupd/gen/ % Y % m % d- % H % M % S_filesystem.zip ( file structure dump ) system.exe % APPDATA % /myupd/aud/ % d % m % Y % H % M % S.wav ( surrounding sounds ) update.exe % APPDATA % /myupd_tmp/txt/ % APPDATA % /myupd/txt/ % Y % m": [[99, 343]]}, "info": {"id": "cyner_mitre_test_00123", "source": "cyner_mitre_test"}}
{"text": "% d- % H % M % S.txt ( keylogging ) wow.exe % APPDATA % /myupd/scr/ % Y % m % d- % H % M % S.jpg ( screenshots ) skype_sync2.exe % APPDATA % /myupd_tmp/skype/ % APPDATA % /myupd/skype/ yyyyMMddHHmmss_in.mp3 yyyyMMddHHmmss_out.mp3 ( skype calls records ) Moreover , we found one module written", "spans": {"Indicator: yyyyMMddHHmmss_out.mp3": [[207, 229]]}, "info": {"id": "cyner_mitre_test_00124", "source": "cyner_mitre_test"}}
{"text": "in .Net – skype_sync2.exe .", "spans": {"System: .Net": [[3, 7]], "Indicator: skype_sync2.exe": [[10, 25]]}, "info": {"id": "cyner_mitre_test_00125", "source": "cyner_mitre_test"}}
{"text": "The main purpose of this module is to exfiltrate Skype call recordings .", "spans": {"System: Skype": [[49, 54]]}, "info": {"id": "cyner_mitre_test_00126", "source": "cyner_mitre_test"}}
{"text": "Just like the previous modules , it contains multiple strings in Italian .", "spans": {}, "info": {"id": "cyner_mitre_test_00127", "source": "cyner_mitre_test"}}
{"text": "After launch , it downloads a codec for MP3 encoding directly from the C & C server : http : //54.67.109.199/skype_resource/libmp3lame.dll The skype_sync2.exe module has a compilation timestamp – Feb 06 2017 and the following PDB string : \\\\vmware-host\\Shared Folders\\dati\\Backup\\Projects\\REcodin_2\\REcodin_2\\obj\\x86\\Release\\REcodin_2.pdb network.exe is a", "spans": {"Indicator: http : //54.67.109.199/skype_resource/libmp3lame.dll": [[86, 138]], "Indicator: skype_sync2.exe": [[143, 158]], "Indicator: \\\\vmware-host\\Shared": [[239, 259]], "Indicator: Folders\\dati\\Backup\\Projects\\REcodin_2\\REcodin_2\\obj\\x86\\Release\\REcodin_2.pdb": [[260, 338]], "Indicator: network.exe": [[339, 350]]}, "info": {"id": "cyner_mitre_test_00128", "source": "cyner_mitre_test"}}
{"text": "module for submitting all exfiltrated data to the server .", "spans": {}, "info": {"id": "cyner_mitre_test_00129", "source": "cyner_mitre_test"}}
{"text": "In the observed version of the implant it doesn ’ t have an interface to work with the skype_sync2.exe module .", "spans": {"Indicator: skype_sync2.exe": [[87, 102]]}, "info": {"id": "cyner_mitre_test_00130", "source": "cyner_mitre_test"}}
{"text": "network.exe submitting to the server code snippet Code similarities We found some code similarities between the implant for Windows and other public accessible projects .", "spans": {"Indicator: network.exe": [[0, 11]], "System: Windows": [[124, 131]]}, "info": {"id": "cyner_mitre_test_00131", "source": "cyner_mitre_test"}}
{"text": "https : //github.com/El3ct71k/Keylogger/ It appears the developers have copied the functional part of the keylogger module from this project .", "spans": {"Indicator: https : //github.com/El3ct71k/Keylogger/": [[0, 40]]}, "info": {"id": "cyner_mitre_test_00132", "source": "cyner_mitre_test"}}
{"text": "update.exe module and Keylogger by ‘ El3ct71k ’ code comparison Xenotix Python Keylogger including specified mutex ‘ mutex_var_xboz ’ .", "spans": {"Indicator: update.exe": [[0, 10]], "System: Xenotix Python Keylogger": [[64, 88]]}, "info": {"id": "cyner_mitre_test_00133", "source": "cyner_mitre_test"}}
{"text": "update.exe module and Xenotix Python Keylogger code comparison ‘ addStartup ’ method from msconf.exe module ‘ addStartup ’ method from Xenotix Python Keylogger Distribution We found several landing pages that spread the Android implants .", "spans": {"Indicator: update.exe": [[0, 10]], "System: Xenotix Python Keylogger": [[22, 46], [135, 159]], "Indicator: msconf.exe": [[90, 100]], "System: Android": [[220, 227]]}, "info": {"id": "cyner_mitre_test_00134", "source": "cyner_mitre_test"}}
{"text": "Malicious URL Referrer Dates http : //217.194.13.133/tre/internet/Configuratore_3.apk http : //217.194.13.133/tre/internet/ 2015-02-04 to present time http : //217.194.13.133/appPro_AC.apk – 2015-07-01 http : //217.194.13.133/190/configurazione/vodafone/smartphone/VODAFONE % 20Configuratore % 20v5_4_2.apk http : //217.194.13.133/190/configurazione/vodafone/smartphone/index.html", "spans": {"Indicator: http : //217.194.13.133/tre/internet/Configuratore_3.apk": [[29, 85]], "Indicator: http : //217.194.13.133/tre/internet/": [[86, 123]], "Indicator: http : //217.194.13.133/appPro_AC.apk": [[151, 188]], "Indicator: http : //217.194.13.133/190/configurazione/vodafone/smartphone/VODAFONE % 20Configuratore % 20v5_4_2.apk": [[202, 306]], "Indicator: http : //217.194.13.133/190/configurazione/vodafone/smartphone/index.html": [[307, 380]]}, "info": {"id": "cyner_mitre_test_00135", "source": "cyner_mitre_test"}}
{"text": "2015-01-20 to present time http : //217.194.13.133/190/configurazione/vodafone/smartphone/Vodafone % 20Configuratore.apk http : //217.194.13.133/190/configurazione/vodafone/smartphone/index.html currently active http : //vodafoneinfinity.sytes.net/tim/internet/Configuratore_TIM.apk http : //vodafoneinfinity.sytes.net/tim/internet/ 2015-03-04 http : //vodafoneinfinity.sytes.net/190/configurazione/vodafone/smartphone/VODAFONE", "spans": {"Indicator: http : //217.194.13.133/190/configurazione/vodafone/smartphone/Vodafone % 20Configuratore.apk": [[27, 120]], "Indicator: http : //217.194.13.133/190/configurazione/vodafone/smartphone/index.html": [[121, 194]], "Indicator: http : //vodafoneinfinity.sytes.net/tim/internet/Configuratore_TIM.apk": [[212, 282]], "Indicator: http : //vodafoneinfinity.sytes.net/tim/internet/": [[283, 332]], "Indicator: http : //vodafoneinfinity.sytes.net/190/configurazione/vodafone/smartphone/VODAFONE": [[344, 427]]}, "info": {"id": "cyner_mitre_test_00136", "source": "cyner_mitre_test"}}
{"text": "% 20Configuratore % 20v5_4_2.apk http : //vodafoneinfinity.sytes.net/190/configurazione/vodafone/smartphone/ 2015-01-14 http : //windupdate.serveftp.com/wind/LTE/WIND % 20Configuratore % 20v5_4_2.apk http : //windupdate.serveftp.com/wind/LTE/ 2015-03-31 http : //119.network/lte/Internet-TIM-4G-LTE.apk http : //119.network/lte/download.html", "spans": {"Indicator: http : //vodafoneinfinity.sytes.net/190/configurazione/vodafone/smartphone/": [[33, 108]], "Indicator: http : //windupdate.serveftp.com/wind/LTE/WIND % 20Configuratore % 20v5_4_2.apk": [[120, 199]], "Indicator: http : //windupdate.serveftp.com/wind/LTE/": [[200, 242]], "Indicator: http : //119.network/lte/Internet-TIM-4G-LTE.apk": [[254, 302]], "Indicator: http : //119.network/lte/download.html": [[303, 341]]}, "info": {"id": "cyner_mitre_test_00137", "source": "cyner_mitre_test"}}
{"text": "2015-02-04 2015-07-20 http : //119.network/lte/Configuratore_TIM.apk 2015-07-08 Many of these domains are outdated , but almost all ( except one – appPro_AC.apk ) samples located on the 217.194.13.133 server are still accessible .", "spans": {"Indicator: http : //119.network/lte/Configuratore_TIM.apk": [[22, 68]], "Indicator: appPro_AC.apk": [[147, 160]], "Indicator: 217.194.13.133": [[186, 200]]}, "info": {"id": "cyner_mitre_test_00138", "source": "cyner_mitre_test"}}
{"text": "All the observed landing pages mimic the mobile operators ’ web pages through their domain name and web page content as well .", "spans": {}, "info": {"id": "cyner_mitre_test_00139", "source": "cyner_mitre_test"}}
{"text": "Further research of the attacker ’ s infrastructure revealed more related mimicking domains .", "spans": {}, "info": {"id": "cyner_mitre_test_00140", "source": "cyner_mitre_test"}}
{"text": "Unfortunately , for now we can ’ t say in what environment these landing pages were used in the wild , but according to all the information at our disposal , we can assume that they are perfect for exploitation using malicious redirects or man-in-the-middle attacks .", "spans": {}, "info": {"id": "cyner_mitre_test_00141", "source": "cyner_mitre_test"}}
{"text": "For example , this could be when the victim ’ s device connects to a Wi-Fi access point that is infected or controlled by the attackers .", "spans": {}, "info": {"id": "cyner_mitre_test_00142", "source": "cyner_mitre_test"}}
{"text": "Artifacts During the research , we found plenty of traces of the developers and those doing the maintaining .", "spans": {}, "info": {"id": "cyner_mitre_test_00143", "source": "cyner_mitre_test"}}
{"text": "As already stated in the ‘ malware features ’ part , there are multiple giveaways in the code .", "spans": {}, "info": {"id": "cyner_mitre_test_00144", "source": "cyner_mitre_test"}}
{"text": "Here are just some of them : ngglobal – FirebaseCloudMessaging topic name Issuer : CN = negg – from several certificates negg.ddns [ .", "spans": {"Indicator: negg.ddns [ .": [[121, 134]]}, "info": {"id": "cyner_mitre_test_00145", "source": "cyner_mitre_test"}}
{"text": "] net , negg1.ddns [ .", "spans": {"Indicator: negg1.ddns [ .": [[8, 22]]}, "info": {"id": "cyner_mitre_test_00146", "source": "cyner_mitre_test"}}
{"text": "] net , negg2.ddns [ .", "spans": {"Indicator: negg2.ddns [ .": [[8, 22]]}, "info": {"id": "cyner_mitre_test_00147", "source": "cyner_mitre_test"}}
{"text": "] net – C & C servers NG SuperShell – string from the reverse shell payload ngg – prefix in commands names of the implant for Windows Signature with specific issuer Whois records and IP relationships provide many interesting insights as well .", "spans": {"System: Windows": [[126, 133]]}, "info": {"id": "cyner_mitre_test_00148", "source": "cyner_mitre_test"}}
{"text": "There are a lot of other ‘ Negg ’ mentions in Whois records and references to it .", "spans": {}, "info": {"id": "cyner_mitre_test_00149", "source": "cyner_mitre_test"}}
{"text": "For example : Conclusions The Skygofree Android implant is one of the most powerful spyware tools that we have ever seen for this platform .", "spans": {"Malware: Skygofree": [[30, 39]], "System: Android": [[40, 47]]}, "info": {"id": "cyner_mitre_test_00150", "source": "cyner_mitre_test"}}
{"text": "As a result of the long-term development process , there are multiple , exceptional capabilities : usage of multiple exploits for gaining root privileges , a complex payload structure , never-before-seen surveillance features such as recording surrounding audio in specified locations .", "spans": {}, "info": {"id": "cyner_mitre_test_00151", "source": "cyner_mitre_test"}}
{"text": "Given the many artifacts we discovered in the malware code , as well as infrastructure analysis , we are pretty confident that the developer of the Skygofree implants is an Italian IT company that works on surveillance solutions , just like HackingTeam .", "spans": {"Malware: Skygofree": [[148, 157]], "Organization: HackingTeam": [[241, 252]]}, "info": {"id": "cyner_mitre_test_00152", "source": "cyner_mitre_test"}}
{"text": "HenBox : The Chickens Come Home to Roost March 13 , 2018 at 5:00 AM Unit 42 recently discovered a new Android malware family we named “ HenBox ” masquerading as a variety of legitimate Android apps .", "spans": {"Malware: HenBox": [[0, 6], [136, 142]], "System: Android": [[102, 109], [185, 192]]}, "info": {"id": "cyner_mitre_test_00153", "source": "cyner_mitre_test"}}
{"text": "We chose the name “ HenBox ” based on metadata found in most of the malicious apps such as package names and signer detail .", "spans": {"Malware: HenBox": [[20, 26]]}, "info": {"id": "cyner_mitre_test_00154", "source": "cyner_mitre_test"}}
{"text": "HenBox masquerades as apps such as VPN and Android system apps and often installs legitimate versions of these apps along with HenBox to trick users into thinking they downloaded the legitimate app .", "spans": {"Malware: HenBox": [[0, 6], [127, 133]], "System: Android": [[43, 50]]}, "info": {"id": "cyner_mitre_test_00155", "source": "cyner_mitre_test"}}
{"text": "While some of the legitimate apps HenBox use as decoys can be found on Google Play , HenBox apps themselves have only been found on third-party ( non-Google Play ) app stores .", "spans": {"Malware: HenBox": [[34, 40], [85, 91]], "System: Google Play": [[71, 82]], "System: Play": [[157, 161]]}, "info": {"id": "cyner_mitre_test_00156", "source": "cyner_mitre_test"}}
{"text": "HenBox appears to primarily target the Uyghurs – a minority Turkic ethnic group that is primarily Muslim and lives mainly in the Xinjiang Uyghur Autonomous Region in North West China .", "spans": {"Malware: HenBox": [[0, 6]]}, "info": {"id": "cyner_mitre_test_00157", "source": "cyner_mitre_test"}}
{"text": "It also targets devices made by Chinese manufacturer Xiaomi and those running MIUI , an operating system based on Google Android made by Xiaomi .", "spans": {"Organization: Xiaomi": [[53, 59], [137, 143]], "System: MIUI": [[78, 82]], "System: Google Android": [[114, 128]]}, "info": {"id": "cyner_mitre_test_00158", "source": "cyner_mitre_test"}}
{"text": "Smartphones are the dominant form of internet access in the region and Xinjiang was recently above the national average of internet users in China .", "spans": {}, "info": {"id": "cyner_mitre_test_00159", "source": "cyner_mitre_test"}}
{"text": "The result is a large online population who have been the subject of numerous cyber-attacks in the past .", "spans": {}, "info": {"id": "cyner_mitre_test_00160", "source": "cyner_mitre_test"}}
{"text": "Once installed , HenBox steals information from the devices from a myriad of sources , including many mainstream chat , communication , and social media apps .", "spans": {"Malware: HenBox": [[17, 23]]}, "info": {"id": "cyner_mitre_test_00161", "source": "cyner_mitre_test"}}
{"text": "The stolen information includes personal and device information .", "spans": {}, "info": {"id": "cyner_mitre_test_00162", "source": "cyner_mitre_test"}}
{"text": "Of note , in addition to tracking the compromised device ’ s location , HenBox also harvests all outgoing phone numbers with an “ 86 ” prefix , which is the country code for the People ’ s Republic of China ( PRC ) .", "spans": {"Malware: HenBox": [[72, 78]]}, "info": {"id": "cyner_mitre_test_00163", "source": "cyner_mitre_test"}}
{"text": "It can also access the phone ’ s cameras and microphone .", "spans": {}, "info": {"id": "cyner_mitre_test_00164", "source": "cyner_mitre_test"}}
{"text": "HenBox has ties to infrastructure used in targeted attacks with a focus on politics in South East Asia .", "spans": {"Malware: HenBox": [[0, 6]]}, "info": {"id": "cyner_mitre_test_00165", "source": "cyner_mitre_test"}}
{"text": "These attackers have used additional malware families in previous activity dating to at least 2015 that include PlugX , Zupdax , 9002 , and Poison Ivy .", "spans": {"Malware: PlugX": [[112, 117]], "Malware: Zupdax": [[120, 126]], "Malware: 9002": [[129, 133]], "Malware: Poison Ivy": [[140, 150]]}, "info": {"id": "cyner_mitre_test_00166", "source": "cyner_mitre_test"}}
{"text": "This also aligns with HenBox ’ s timeline , as in total we have identified almost 200 HenBox samples , with the oldest dating to 2015 .", "spans": {"Malware: HenBox": [[22, 28], [86, 92]]}, "info": {"id": "cyner_mitre_test_00167", "source": "cyner_mitre_test"}}
{"text": "Most of the samples we found date from the last half of 2017 , fewer samples date from 2016 , and a handful date back to 2015 .", "spans": {}, "info": {"id": "cyner_mitre_test_00168", "source": "cyner_mitre_test"}}
{"text": "In 2018 , we have already observed a small but consistent number of samples .", "spans": {}, "info": {"id": "cyner_mitre_test_00169", "source": "cyner_mitre_test"}}
{"text": "We believe this indicates a fairly sustained campaign that has gained momentum over recent months .", "spans": {}, "info": {"id": "cyner_mitre_test_00170", "source": "cyner_mitre_test"}}
{"text": "HenBox Enters the Uyghur App Store In May 2016 , a HenBox app was downloaded from uyghurapps [ .", "spans": {"Malware: HenBox": [[0, 6], [51, 57]], "System: Uyghur App Store": [[18, 34]], "Indicator: uyghurapps [ .": [[82, 96]]}, "info": {"id": "cyner_mitre_test_00171", "source": "cyner_mitre_test"}}
{"text": "] net .", "spans": {}, "info": {"id": "cyner_mitre_test_00172", "source": "cyner_mitre_test"}}
{"text": "Specifically , the app was an Android Package ( APK ) file that will be discussed in more detail shortly .", "spans": {"System: Android Package": [[30, 45]]}, "info": {"id": "cyner_mitre_test_00173", "source": "cyner_mitre_test"}}
{"text": "The domain name , language of the site and app content hosted suggest this site is a third-party app store for whom the intended users are the Uyghurs .", "spans": {}, "info": {"id": "cyner_mitre_test_00174", "source": "cyner_mitre_test"}}
{"text": "Such app stores are so-called because they are not officially supported by Android , nor are they provided by Google , unlike the Play Store .", "spans": {"System: Android": [[75, 82]], "Organization: Google": [[110, 116]], "System: Play Store": [[130, 140]]}, "info": {"id": "cyner_mitre_test_00175", "source": "cyner_mitre_test"}}
{"text": "Third-party app stores are ubiquitous in China for a number of reasons including : evermore powerful Chinese Original Equipment Manufacturers ( OEM ) , a lack of an official Chinese Google Play app store , and a growing smartphone market .", "spans": {"Organization: Chinese Original Equipment Manufacturers ( OEM )": [[101, 149]], "System: Google Play": [[182, 193]]}, "info": {"id": "cyner_mitre_test_00176", "source": "cyner_mitre_test"}}
{"text": "The HenBox app downloaded in May 2016 was masquerading as the DroidVPN app .", "spans": {"Malware: HenBox": [[4, 10]], "Indicator: DroidVPN": [[62, 70]]}, "info": {"id": "cyner_mitre_test_00177", "source": "cyner_mitre_test"}}
{"text": "At the time of writing , the content served at the given URL on uyghurapps [ .", "spans": {"Indicator: uyghurapps [ .": [[64, 78]]}, "info": {"id": "cyner_mitre_test_00178", "source": "cyner_mitre_test"}}
{"text": "] net , is now a legitimate version of the DroidVPN app , and looks as shown in Figure 1 below .", "spans": {"Indicator: DroidVPN": [[43, 51]]}, "info": {"id": "cyner_mitre_test_00179", "source": "cyner_mitre_test"}}
{"text": "henbox_2 Figure 1 Uyghurapps [ .", "spans": {"Indicator: Uyghurapps [ .": [[18, 32]]}, "info": {"id": "cyner_mitre_test_00180", "source": "cyner_mitre_test"}}
{"text": "] net app store showing the current DroidVPN app Virtual Private Network ( VPN ) tools allow connections to remote private networks , increasing the security and privacy of the user ’ s communications .", "spans": {"Indicator: DroidVPN": [[36, 44]]}, "info": {"id": "cyner_mitre_test_00181", "source": "cyner_mitre_test"}}
{"text": "According to the DroidVPN app description , it “ helps bypass regional internet restrictions , web filtering and firewalls by tunneling traffic over ICMP. ” Some features may require devices to be rooted to function and according to some 3rd party app stores , unconditional rooting is required , which has additional security implications for the device .", "spans": {"Indicator: DroidVPN": [[17, 25]]}, "info": {"id": "cyner_mitre_test_00182", "source": "cyner_mitre_test"}}
{"text": "We have not been able to ascertain how the DroidVPN app on the uyghurapps [ .", "spans": {"Indicator: DroidVPN": [[43, 51]], "Indicator: uyghurapps [ .": [[63, 77]]}, "info": {"id": "cyner_mitre_test_00183", "source": "cyner_mitre_test"}}
{"text": "] net app store was replaced with the malicious HenBox app ; however , some indicators point to the server running an outdated version of Apache Web Server on a Windows 32-Bit operating system .", "spans": {"Malware: HenBox": [[48, 54]], "System: Windows": [[161, 168]]}, "info": {"id": "cyner_mitre_test_00184", "source": "cyner_mitre_test"}}
{"text": "In light of this , we believe an attack against unpatched vulnerabilities is a reasonable conjecture for how the server was compromised .", "spans": {"Vulnerability: unpatched vulnerabilities": [[48, 73]]}, "info": {"id": "cyner_mitre_test_00185", "source": "cyner_mitre_test"}}
{"text": "The HenBox app downloaded in May 2016 , as described in Table 1 below , masquerades as a legitimate version of the DroidVPN app by using the same app name “ DroidVPN ” and the same iconography used when displaying the app in Android ’ s launcher view , as highlighted in Figure 2 below Table 1 .", "spans": {"Indicator: DroidVPN": [[115, 123]], "System: DroidVPN": [[157, 165]], "System: Android": [[225, 232]]}, "info": {"id": "cyner_mitre_test_00186", "source": "cyner_mitre_test"}}
{"text": "APK SHA256 Size ( bytes ) First Seen App Package name App name 0589bed1e3b3d6234c30061be3be1cc6685d786ab3a892a8d4dae8e2d7ed92f7 2,740,860 May 2016 com.android.henbox DroidVPN Table 1 Details of the HenBox DroidVPN app on the uyghurapps [ .", "spans": {"Indicator: 0589bed1e3b3d6234c30061be3be1cc6685d786ab3a892a8d4dae8e2d7ed92f7": [[63, 127]], "Indicator: com.android.henbox": [[147, 165]], "System: DroidVPN": [[166, 174], [205, 213]], "Malware: HenBox": [[198, 204]], "Indicator: uyghurapps [ .": [[225, 239]]}, "info": {"id": "cyner_mitre_test_00187", "source": "cyner_mitre_test"}}
{"text": "] net app store henbox_3 Figure 2 HenBox app installed , purporting to be DroidVPN Depending on the language setting on the device , and for this particular variant of HenBox , the installed HenBox app may have the name “ Backup ” but uses the same DroidVPN logo .", "spans": {"Malware: HenBox": [[34, 40], [168, 174], [191, 197]], "Indicator: DroidVPN": [[74, 82], [249, 257]]}, "info": {"id": "cyner_mitre_test_00188", "source": "cyner_mitre_test"}}
{"text": "Other variants use other names and logos , as described later .", "spans": {}, "info": {"id": "cyner_mitre_test_00189", "source": "cyner_mitre_test"}}
{"text": "Given the DroidVPN look and feel being used by this variant of HenBox , it ’ s highly likely the uyghurapps [ .", "spans": {"Indicator: DroidVPN": [[10, 18]], "Malware: HenBox": [[63, 69]], "Indicator: uyghurapps [ .": [[97, 111]]}, "info": {"id": "cyner_mitre_test_00190", "source": "cyner_mitre_test"}}
{"text": "] net page for DroidVPN remained identical when serving either HenBox or DroidVPN apps , just that the legitimate APK file had been replaced with HenBox for an unknown period of time .", "spans": {"Indicator: DroidVPN": [[15, 23], [73, 81]], "Malware: HenBox": [[63, 69]]}, "info": {"id": "cyner_mitre_test_00191", "source": "cyner_mitre_test"}}
{"text": "In addition to the look and feel of DroidVPN , this HenBox variant also contained a legitimate DroidVPN app within its APK package as an asset , which could be compared to a resource item within a Windows Portable Executable ( PE ) file .", "spans": {"Indicator: DroidVPN": [[36, 44], [95, 103]], "Malware: HenBox": [[52, 58]], "System: Windows Portable Executable": [[197, 224]]}, "info": {"id": "cyner_mitre_test_00192", "source": "cyner_mitre_test"}}
{"text": "Once the HenBox app is installed and launched , it launches an install process for the embedded app as a decoy to other malicious behaviors occurring in the background , and to satisfy the victim with the app they were requesting , assuming they requested to download a particular app , such as DroidVPN .", "spans": {"Malware: HenBox": [[9, 15]], "System: DroidVPN": [[295, 303]]}, "info": {"id": "cyner_mitre_test_00193", "source": "cyner_mitre_test"}}
{"text": "The version of the legitimate DroidVPN embedded inside this HenBox variant is the same version of DroidVPN available for download from uyghurapps [ .", "spans": {"Indicator: DroidVPN": [[30, 38], [98, 106]], "Malware: HenBox": [[60, 66]], "Indicator: uyghurapps [ .": [[135, 149]]}, "info": {"id": "cyner_mitre_test_00194", "source": "cyner_mitre_test"}}
{"text": "] net , at the time of writing .", "spans": {}, "info": {"id": "cyner_mitre_test_00195", "source": "cyner_mitre_test"}}
{"text": "It ’ s worth noting , newer versions of the DroidVPN app are available on Google Play , as well as in some other third-party app stores , which could indicate uyghurapps [ .", "spans": {"System: DroidVPN": [[44, 52]], "System: Google Play": [[74, 85]], "Indicator: uyghurapps [ .": [[159, 173]]}, "info": {"id": "cyner_mitre_test_00196", "source": "cyner_mitre_test"}}
{"text": "] net is not awfully well maintained or updated to the latest apps available .", "spans": {}, "info": {"id": "cyner_mitre_test_00197", "source": "cyner_mitre_test"}}
{"text": "At the time of writing , to our knowledge no other third-party app stores , nor the official Google Play store , were or are hosting this malicious HenBox variant masquerading as DroidVPN .", "spans": {"System: Google Play": [[93, 104]], "Malware: HenBox": [[148, 154]], "Indicator: DroidVPN": [[179, 187]]}, "info": {"id": "cyner_mitre_test_00198", "source": "cyner_mitre_test"}}
{"text": "The Right App at the Right Time The malicious HenBox and embedded DroidVPN app combination is one instance of the type of legitimate apps the attackers choose to mimic to compromise their victims .", "spans": {"Malware: HenBox": [[46, 52]], "Indicator: DroidVPN": [[66, 74]]}, "info": {"id": "cyner_mitre_test_00199", "source": "cyner_mitre_test"}}
{"text": "These threat actors frequently offer malicious apps purporting to be legitimate apps that are broadly used or important to a targeted population .", "spans": {}, "info": {"id": "cyner_mitre_test_00200", "source": "cyner_mitre_test"}}
{"text": "It ’ s worth noting however , about one-third of the HenBox apps contained embedded APK objects that did not refer to legitimate apps .", "spans": {"Malware: HenBox": [[53, 59]]}, "info": {"id": "cyner_mitre_test_00201", "source": "cyner_mitre_test"}}
{"text": "Some were only 3 bytes long , containing strings such as “ ddd ” and “ 333 ” , or were otherwise corrupted .", "spans": {}, "info": {"id": "cyner_mitre_test_00202", "source": "cyner_mitre_test"}}
{"text": "Beyond the previously mentioned DroidVPN example , other viable embedded apps we found include apps currently available on Google Play , as well as many third-party app stores .", "spans": {"Indicator: DroidVPN": [[32, 40]], "System: Google Play": [[123, 134]]}, "info": {"id": "cyner_mitre_test_00203", "source": "cyner_mitre_test"}}
{"text": "Table 2 below lists some of these apps with their respective metadata .", "spans": {}, "info": {"id": "cyner_mitre_test_00204", "source": "cyner_mitre_test"}}
{"text": "Sample 1 marks the first HenBox sample we saw embedding a legitimate app within its assets to be dropped and installed on the victim device as a decoy .", "spans": {"Malware: HenBox": [[25, 31]]}, "info": {"id": "cyner_mitre_test_00205", "source": "cyner_mitre_test"}}
{"text": "The legitimate app in question was a Uyghur language keyboard app targeted at native speakers of the Uyghur language and their smartphones .", "spans": {}, "info": {"id": "cyner_mitre_test_00206", "source": "cyner_mitre_test"}}
{"text": "Sample 2 , has the package name cn.android.setting masquerading as Android ’ s Settings app , which has a similar package name ( com.android.settings ) .", "spans": {"Indicator: cn.android.setting": [[32, 50]], "System: Settings app": [[79, 91]], "Indicator: com.android.settings": [[129, 149]]}, "info": {"id": "cyner_mitre_test_00207", "source": "cyner_mitre_test"}}
{"text": "This variant of HenBox also used the common green Android figure as the app logo and was named 设置 ( “ Backup ” in English ) .", "spans": {"Malware: HenBox": [[16, 22]], "System: Android": [[50, 57]]}, "info": {"id": "cyner_mitre_test_00208", "source": "cyner_mitre_test"}}
{"text": "This variant ’ s app name , along with many others , is written in Chinese and describes the app as a backup tool .", "spans": {}, "info": {"id": "cyner_mitre_test_00209", "source": "cyner_mitre_test"}}
{"text": "Please see the IOCs section for all app and package name combinations .", "spans": {}, "info": {"id": "cyner_mitre_test_00210", "source": "cyner_mitre_test"}}
{"text": "Interestingly , the embedded app in sample 2 is not a version of the Android Settings app but instead the “ Amaq Agency ” app , which reports on ISIS related news .", "spans": {"System: Android Settings": [[69, 85]], "System: Amaq Agency": [[108, 119]]}, "info": {"id": "cyner_mitre_test_00211", "source": "cyner_mitre_test"}}
{"text": "Reports indicate fake versions of the Amaq app exist , likely in order to spy on those that use it .", "spans": {"System: Amaq": [[38, 42]]}, "info": {"id": "cyner_mitre_test_00212", "source": "cyner_mitre_test"}}
{"text": "A month after observing sample 2 , we obtained another which used the same package name as sample 2 ( cn.android.setting ) .", "spans": {"Indicator: cn.android.setting": [[102, 120]]}, "info": {"id": "cyner_mitre_test_00213", "source": "cyner_mitre_test"}}
{"text": "However , this time the app name for both HenBox and the embedded app were identical : Islamawazi .", "spans": {"Malware: HenBox": [[42, 48]], "System: Islamawazi": [[87, 97]]}, "info": {"id": "cyner_mitre_test_00214", "source": "cyner_mitre_test"}}
{"text": "Islamawazi is also known as the Turkistan Islamic Party or “ TIP ” .", "spans": {"System: Islamawazi": [[0, 10]], "Organization: Turkistan Islamic Party": [[32, 55]]}, "info": {"id": "cyner_mitre_test_00215", "source": "cyner_mitre_test"}}
{"text": "This organization was formerly known as the East Turkestan Islamic Party and is purported to be an Islamic extremist separatist organization founded by Uyghur jihadists .", "spans": {"Organization: East Turkestan Islamic Party": [[44, 72]]}, "info": {"id": "cyner_mitre_test_00216", "source": "cyner_mitre_test"}}
{"text": "The embedded app appears to be a media player .", "spans": {}, "info": {"id": "cyner_mitre_test_00217", "source": "cyner_mitre_test"}}
{"text": "These examples , together with the HenBox app placed on a very specific third-party app store , point clearly to at least some of the intended targets of these malicious apps being Uyghurs , specifically those with interest in or association with terrorist groups .", "spans": {"Malware: HenBox": [[35, 41]]}, "info": {"id": "cyner_mitre_test_00218", "source": "cyner_mitre_test"}}
{"text": "These threat actors appear to be choosing the right apps – those that could be popular with locals in the region , at the right time – while tensions grow in this region of China , to ensure a good victim install-base .", "spans": {}, "info": {"id": "cyner_mitre_test_00219", "source": "cyner_mitre_test"}}
{"text": "HenBox Roosts HenBox has evolved over the past three years , and of the almost two hundred HenBox apps in AutoFocus , the vast majority contain several native libraries as well as other components in order to achieve their objective .", "spans": {"Malware: HenBox": [[0, 6], [14, 20], [91, 97]]}, "info": {"id": "cyner_mitre_test_00220", "source": "cyner_mitre_test"}}
{"text": "Most components are obfuscated in some way , whether it be simple XOR with a single-byte key , or through the use of ZIP or Zlib compression wrapped with RC4 encryption .", "spans": {"System: ZIP": [[117, 120]], "System: Zlib": [[124, 128]]}, "info": {"id": "cyner_mitre_test_00221", "source": "cyner_mitre_test"}}
{"text": "These components are responsible for a myriad of functions including handling decryption , network communications , gaining super-user privileges , monitoring system logs , loading additional Dalvik code files , tracking the device location and more .", "spans": {}, "info": {"id": "cyner_mitre_test_00222", "source": "cyner_mitre_test"}}
{"text": "The remainder of this section describes at a high-level what HenBox is capable of , and how it operates .", "spans": {}, "info": {"id": "cyner_mitre_test_00223", "source": "cyner_mitre_test"}}
{"text": "The description is based on analysis of the sample described in Table 3 below , which was of interest given its C2 domain mefound [ .", "spans": {"Indicator: domain mefound [ .": [[115, 133]]}, "info": {"id": "cyner_mitre_test_00224", "source": "cyner_mitre_test"}}
{"text": "] com overlaps with PlugX , Zupdax , and Poison Ivy malware families discussed in more detail later .", "spans": {"Malware: PlugX": [[20, 25]], "Malware: Zupdax": [[28, 34]], "Malware: Poison Ivy": [[41, 51]]}, "info": {"id": "cyner_mitre_test_00225", "source": "cyner_mitre_test"}}
{"text": "SHA256 Package Name App Name a6c7351b09a733a1b3ff8a0901c5bde fdc3b566bfcedcdf5a338c3a97c9f249b com.android.henbox 备份 ( Backup ) Table 3 HenBox variant used in description Once this variant of HenBox is installed on the victim ’ s device , the app can be executed in two different ways : One method for executing HenBox is for the victim to launch the malicious app ( named “ Backup ” , in", "spans": {"Indicator: a6c7351b09a733a1b3ff8a0901c5bde": [[29, 60]], "Indicator: com.android.henbox": [[95, 113]], "Malware: HenBox": [[136, 142], [192, 198], [312, 318]]}, "info": {"id": "cyner_mitre_test_00226", "source": "cyner_mitre_test"}}
{"text": "this instance ) from the launcher view on their device , as shown in Figure 3 below .", "spans": {}, "info": {"id": "cyner_mitre_test_00227", "source": "cyner_mitre_test"}}
{"text": "This runs code in the onCreate ( ) method of the app ’ s MainActivity class , which in effect is the program ’ s entry point .", "spans": {}, "info": {"id": "cyner_mitre_test_00228", "source": "cyner_mitre_test"}}
{"text": "This process is defined in the app ’ s AndroidManifest.xml config file , as shown in the following snippet .", "spans": {}, "info": {"id": "cyner_mitre_test_00229", "source": "cyner_mitre_test"}}
{"text": "Doing so executes code checking if the device is manufactured by Xiaomi , or if Xiaomi ’ s fork of Android is running on the device .", "spans": {"Organization: Xiaomi": [[65, 71]], "Organization: Xiaomi ’ s": [[80, 90]], "System: Android": [[99, 106]]}, "info": {"id": "cyner_mitre_test_00230", "source": "cyner_mitre_test"}}
{"text": "Under these conditions , the app continues executing and the intent of targeting Xiaomi devices and users could be inferred , however poorly written code results in execution in more environments than perhaps intended ; further checks are made to ascertain whether the app is running on an emulator , perhaps to evade researcher analysis environments .", "spans": {"Organization: Xiaomi": [[81, 87]]}, "info": {"id": "cyner_mitre_test_00231", "source": "cyner_mitre_test"}}
{"text": "Assuming these checks pass , one of the main ELF libraries is loaded that orchestrates other components and provides functionality to the app ’ s Dalvik code through the Java Native Interface ( JNI ) .", "spans": {}, "info": {"id": "cyner_mitre_test_00232", "source": "cyner_mitre_test"}}
{"text": "HenBox checks whether this execution is its first by using Android ’ s shared preferences feature to persist XML key-value pair data .", "spans": {"Malware: HenBox": [[0, 6]], "System: Android": [[59, 66]]}, "info": {"id": "cyner_mitre_test_00233", "source": "cyner_mitre_test"}}
{"text": "If it is the first execution , and if the app ’ s path does not contain “ /system/app ” ( i.e .", "spans": {"Indicator: /system/app": [[74, 85]]}, "info": {"id": "cyner_mitre_test_00234", "source": "cyner_mitre_test"}}
{"text": "HenBox is not running as a system app ) , another ELF library is loaded to aid with executing super-user commands .", "spans": {"Malware: HenBox": [[0, 6]]}, "info": {"id": "cyner_mitre_test_00235", "source": "cyner_mitre_test"}}
{"text": "The second method uses intents , broadcasts , and receivers to execute HenBox code .", "spans": {}, "info": {"id": "cyner_mitre_test_00236", "source": "cyner_mitre_test"}}
{"text": "Providing the app has registered an intent to process particular events from the system , and one of said events occurs , HenBox is effectively brought to life through external stimulus from another app on the system broadcasting a request , or the system itself broadcasting a particular event has occurred .", "spans": {}, "info": {"id": "cyner_mitre_test_00237", "source": "cyner_mitre_test"}}
{"text": "These intents are typically defined statically in the app ’ s AndroidManifest.xml config file ; some HenBox variants register further intents from their code at run-time .", "spans": {"Malware: HenBox": [[101, 107]]}, "info": {"id": "cyner_mitre_test_00238", "source": "cyner_mitre_test"}}
{"text": "Once a matching intent is triggered , the respective Receiver code will be executed , leading to other HenBox behaviors being launched , which are described later .", "spans": {}, "info": {"id": "cyner_mitre_test_00239", "source": "cyner_mitre_test"}}
{"text": "Table 4 below lists the intents that are statically registered in this HenBox variant ’ s AndroidManifest.xml config file , together with a description of what that intent does , and when it would be used .", "spans": {"Malware: HenBox": [[71, 77]]}, "info": {"id": "cyner_mitre_test_00240", "source": "cyner_mitre_test"}}
{"text": "Depending on the intent triggered , one of two Receivers would be called , in this instance they are called Boot or Time but the name is somewhat immaterial .", "spans": {}, "info": {"id": "cyner_mitre_test_00241", "source": "cyner_mitre_test"}}
{"text": "Receiver Intent Name Description BootReceiver android.intent.action.BOOT_COMPLETED System notification that the device has finished booting .", "spans": {"Indicator: android.intent.action.BOOT_COMPLETED": [[46, 82]]}, "info": {"id": "cyner_mitre_test_00242", "source": "cyner_mitre_test"}}
{"text": "android.intent.action.restart A legacy intent used to indicate a system restart .", "spans": {"Indicator: android.intent.action.restart": [[0, 29]]}, "info": {"id": "cyner_mitre_test_00243", "source": "cyner_mitre_test"}}
{"text": "android.intent.action.SIM_STATE_CHANGED System notification that the SIM card has changed or been removed .", "spans": {"Indicator: android.intent.action.SIM_STATE_CHANGED": [[0, 39]]}, "info": {"id": "cyner_mitre_test_00244", "source": "cyner_mitre_test"}}
{"text": "android.intent.action.PACKAGE_INSTALL System notification that the download and eventual installation of an app package is happening ( this is deprecated ) android.intent.action.PACKAGE_ADDED System notification that a new app package has been installed on the device , including the name of said package .", "spans": {"Indicator: android.intent.action.PACKAGE_INSTALL": [[0, 37]], "Indicator: android.intent.action.PACKAGE_ADDED": [[156, 191]]}, "info": {"id": "cyner_mitre_test_00245", "source": "cyner_mitre_test"}}
{"text": "com.xiaomi.smarthome.receive_alarm Received notifications from Xiaomi ’ s smart home IoT devices .", "spans": {"Indicator: com.xiaomi.smarthome.receive_alarm": [[0, 34]], "Organization: Xiaomi": [[63, 69]]}, "info": {"id": "cyner_mitre_test_00246", "source": "cyner_mitre_test"}}
{"text": "TimeReceiver android.intent.action.ACTION_TIME_CHANGED System notification that the time was set .", "spans": {"Indicator: android.intent.action.ACTION_TIME_CHANGED": [[13, 54]]}, "info": {"id": "cyner_mitre_test_00247", "source": "cyner_mitre_test"}}
{"text": "android.intent.action.CONNECTIVITY_CHANGE System notification that a change in network connectivity has occurred , either lost or established .", "spans": {"Indicator: android.intent.action.CONNECTIVITY_CHANGE": [[0, 41]]}, "info": {"id": "cyner_mitre_test_00248", "source": "cyner_mitre_test"}}
{"text": "Since Android version 7 ( Nougat ) this information is gathered using other means , perhaps inferring the devices used by potential victim run older versions of Android .", "spans": {"System: Android": [[6, 13], [161, 168]], "System: Nougat": [[26, 32]]}, "info": {"id": "cyner_mitre_test_00249", "source": "cyner_mitre_test"}}
{"text": "Table 4 HenBox variant 's Intents and Receivers Most of the intents registered in the AndroidManifest.xml file , or loaded during run-time , are commonly found in malicious Android apps .", "spans": {"Malware: HenBox": [[8, 14]], "System: Android": [[173, 180]]}, "info": {"id": "cyner_mitre_test_00250", "source": "cyner_mitre_test"}}
{"text": "What ’ s more interesting , and much less common , is the inclusion of the com.xiaomi.smarthome.receive_alarm intent filter .", "spans": {"Indicator: com.xiaomi.smarthome.receive_alarm": [[75, 109]]}, "info": {"id": "cyner_mitre_test_00251", "source": "cyner_mitre_test"}}
{"text": "Xiaomi , a privately owned Chinese electronics and software company , is the 5th largest smart phone manufacturer in the world and also manufactures IoT devices for the home .", "spans": {"Organization: Xiaomi": [[0, 6]]}, "info": {"id": "cyner_mitre_test_00252", "source": "cyner_mitre_test"}}
{"text": "Most devices can be controlled by Xiaomi ’ s “ MiHome ” Android app , which is available on Google Play with between 1,000,000 and 5,000,000 downloads .", "spans": {"Organization: Xiaomi": [[34, 40]], "System: MiHome": [[47, 53]], "System: Android": [[56, 63]], "System: Google Play": [[92, 103]]}, "info": {"id": "cyner_mitre_test_00253", "source": "cyner_mitre_test"}}
{"text": "Given the nature of connected devices in smart homes , it ’ s highly likely many of these devices , and indeed the controller app itself , communicate with one another sending status notifications , alerts and so on .", "spans": {}, "info": {"id": "cyner_mitre_test_00254", "source": "cyner_mitre_test"}}
{"text": "Such notifications would be received by the MiHome app or any other , such as HenBox , so long as they register their intent to do so .", "spans": {"System: MiHome": [[44, 50]], "Malware: HenBox": [[78, 84]]}, "info": {"id": "cyner_mitre_test_00255", "source": "cyner_mitre_test"}}
{"text": "This could essentially allow for external devices to act as a trigger to execute the malicious HenBox code , or perhaps afford additional data HenBox can collect and exfiltrate .", "spans": {"Malware: HenBox": [[95, 101], [143, 149]]}, "info": {"id": "cyner_mitre_test_00256", "source": "cyner_mitre_test"}}
{"text": "Either method to load HenBox ultimately results in an instance of a service being launched .", "spans": {"Malware: HenBox": [[22, 28]]}, "info": {"id": "cyner_mitre_test_00257", "source": "cyner_mitre_test"}}
{"text": "This service hides the app from plain sight and loads another ELF library to gather environmental information about the device , such as running processes and apps , and details about device hardware , primarily through parsing system logs and querying running processes .", "spans": {}, "info": {"id": "cyner_mitre_test_00258", "source": "cyner_mitre_test"}}
{"text": "The service continues by loading an ELF , created by Baidu , which is capable of tracking the device location before setting up a monitor to harvest phone numbers associated with outgoing calls for those numbers with a country code “ +86 ” prefix , which relates to the People ’ s Republic of China .", "spans": {"Organization: Baidu": [[53, 58]]}, "info": {"id": "cyner_mitre_test_00259", "source": "cyner_mitre_test"}}
{"text": "Further assets are decrypted and deployed , including another Dalvik DEX code file , which has various capabilities including registering itself as the incoming SMS handler for the device to intercept SMS messages , loading another ELF library that includes a version of BusyBox - a package containing various stripped-down Unix tools useful for administering such systems – and , interestingly , is capable of turning off the sound played when the device ’ s cameras take pictures .", "spans": {"System: BusyBox": [[271, 278]]}, "info": {"id": "cyner_mitre_test_00260", "source": "cyner_mitre_test"}}
{"text": "The Android permissions requested by HenBox , as defined in the apps ’ AndroidManifest.xml files , range from accessing location and network settings to messages , call , and contact data .", "spans": {"System: Android": [[4, 11]], "Malware: HenBox": [[37, 43]]}, "info": {"id": "cyner_mitre_test_00261", "source": "cyner_mitre_test"}}
{"text": "HenBox can also access sensors such as the device camera ( s ) and the microphone .", "spans": {"Malware: HenBox": [[0, 6]]}, "info": {"id": "cyner_mitre_test_00262", "source": "cyner_mitre_test"}}
{"text": "Beyond the Android app itself , other components such as the aforementioned ELF libraries have additional data-stealing capabilities .", "spans": {"System: Android": [[11, 18]]}, "info": {"id": "cyner_mitre_test_00263", "source": "cyner_mitre_test"}}
{"text": "One ELF library , libloc4d.so , handles amongst other things the loading of the app-decoded ELF library file “ sux ” , as well as handling connectivity to the C2 .", "spans": {"Indicator: libloc4d.so": [[18, 29]]}, "info": {"id": "cyner_mitre_test_00264", "source": "cyner_mitre_test"}}
{"text": "The sux library appears to be a customized super user ( su ) tool that includes code from the com.koushikdutta.superuser app and carries the equivalent of a super user ( su ) binary in order to run privileged commands on the system .", "spans": {"Indicator: com.koushikdutta.superuser": [[94, 120]]}, "info": {"id": "cyner_mitre_test_00265", "source": "cyner_mitre_test"}}
{"text": "The primary goal of sux appears to be steal messages and other data from popular messaging and social media apps specified within the HenBox sample .", "spans": {"Malware: HenBox": [[134, 140]]}, "info": {"id": "cyner_mitre_test_00266", "source": "cyner_mitre_test"}}
{"text": "A similar tool , with the same filename , has been discussed in previous research but the SpyDealer malware appears unrelated to HenBox .", "spans": {"Malware: SpyDealer": [[90, 99]], "Malware: HenBox": [[129, 135]]}, "info": {"id": "cyner_mitre_test_00267", "source": "cyner_mitre_test"}}
{"text": "More likely , this is a case of common attack tools being re-used between different threat actor groups .", "spans": {}, "info": {"id": "cyner_mitre_test_00268", "source": "cyner_mitre_test"}}
{"text": "This particular HenBox variant , as listed in Table 3 above , harvests data from two popular messaging and social media apps : Voxer Walkie Talkie Messenger ( com.rebelvox.voxer ) and Tencent ’ s WeChat ( com.tencent.mm ) .", "spans": {"Malware: HenBox": [[16, 22]], "System: Voxer": [[127, 132]], "System: Walkie Talkie": [[133, 146]], "System: Messenger": [[147, 156]], "Indicator: com.rebelvox.voxer": [[159, 177]], "Organization: Tencent": [[184, 191]], "System: WeChat": [[196, 202]], "Indicator: com.tencent.mm": [[205, 219]]}, "info": {"id": "cyner_mitre_test_00269", "source": "cyner_mitre_test"}}
{"text": "These types of apps tend to store their data in databases and , as an example , HenBox accesses Voxer ’ s database from the file “ /data/data/com.rebelvox.voxer/databases/rv.db ” .", "spans": {"Malware: HenBox": [[80, 86]], "Indicator: /data/data/com.rebelvox.voxer/databases/rv.db": [[131, 176]]}, "info": {"id": "cyner_mitre_test_00270", "source": "cyner_mitre_test"}}
{"text": "Once opened , HenBox runs the following query to gather message information .", "spans": {"Malware: HenBox": [[14, 20]]}, "info": {"id": "cyner_mitre_test_00271", "source": "cyner_mitre_test"}}
{"text": "Not long after this variant was public , newer variants of HenBox were seen , and some had significant increases in the number of targeted apps .", "spans": {"Malware: HenBox": [[59, 65]]}, "info": {"id": "cyner_mitre_test_00272", "source": "cyner_mitre_test"}}
{"text": "Table 5 describes the latest variant seen in AutoFocus .", "spans": {}, "info": {"id": "cyner_mitre_test_00273", "source": "cyner_mitre_test"}}
{"text": "SHA256 Package Name App Name First Seen 07994c9f2eeeede199dd6b4e760fce3 71f03f3cc4307e6551c18d2fbd024a24f com.android.henbox 备份 ( Backup ) January 3rd 2018 Table 6 contains an updated list of targeted apps from which this newer variant of HenBox is capable of harvesting data .", "spans": {"Indicator: 07994c9f2eeeede199dd6b4e760fce3": [[40, 71]], "Indicator: 71f03f3cc4307e6551c18d2fbd024a24f": [[72, 105]], "Indicator: com.android.henbox": [[106, 124]], "Malware: HenBox": [[239, 245]]}, "info": {"id": "cyner_mitre_test_00274", "source": "cyner_mitre_test"}}
{"text": "Interestingly , the two communication apps described above as being targeted by the HenBox variant listed in Table 3 do not appear in this updated list .", "spans": {}, "info": {"id": "cyner_mitre_test_00275", "source": "cyner_mitre_test"}}
{"text": "Package Name App Name com.whatsapp WhatsApp Messenger com.pugna.magiccall n/a org.telegram.messenger Telegram com.facebook.katana Facebook com.twitter.android Twitter jp.naver.line.android LINE : Free Calls & Messages com.instanza.cocovoice Coco com.beetalk BeeTalk com.gtomato.talkbox TalkBox Voice Messenger - PTT com.viber.voip Viber Messenger com.immomo.momo MOMO陌陌 com.facebook.orca Messenger – Text and Video Chat for Free com.skype.rover", "spans": {"Indicator: com.whatsapp": [[22, 34]], "System: WhatsApp": [[35, 43]], "System: Messenger": [[44, 53], [300, 309], [337, 346], [388, 397]], "Indicator: com.pugna.magiccall": [[54, 73]], "Indicator: org.telegram.messenger": [[78, 100]], "System: Telegram": [[101, 109]], "Indicator: com.facebook.katana": [[110, 129]], "System: Facebook": [[130, 138]], "Indicator: com.twitter.android": [[139, 158]], "System: Twitter": [[159, 166]], "Indicator: jp.naver.line.android": [[167, 188]], "System: LINE": [[189, 193]], "Indicator: com.instanza.cocovoice": [[218, 240]], "Indicator: com.beetalk": [[246, 257]], "System: BeeTalk": [[258, 265]], "Indicator: com.gtomato.talkbox": [[266, 285]], "System: TalkBox": [[286, 293]], "Indicator: com.viber.voip": [[316, 330]], "System: Viber": [[331, 336]], "Indicator: com.immomo.momo": [[347, 362]], "System: MOMO陌陌": [[363, 369]], "Indicator: com.facebook.orca": [[370, 387]], "Indicator: com.skype.rover": [[429, 444]]}, "info": {"id": "cyner_mitre_test_00276", "source": "cyner_mitre_test"}}
{"text": "Skype ; 3rd party stores only Most of these apps are well established and available on Google Play , however , com.skype.rover appears to be available only on third-party app stores .", "spans": {"System: Skype": [[0, 5]], "System: Google Play": [[87, 98]], "Indicator: com.skype.rover": [[111, 126]]}, "info": {"id": "cyner_mitre_test_00277", "source": "cyner_mitre_test"}}
{"text": "The same is likely to be the case for com.pugna.magiccall but this is unknown currently .", "spans": {"Indicator: com.pugna.magiccall": [[38, 57]]}, "info": {"id": "cyner_mitre_test_00278", "source": "cyner_mitre_test"}}
{"text": "It ’ s clear to see that the capabilities of HenBox are very comprehensive , both in terms of an Android app with its native libraries and given the amount of data it can glean from a victim .", "spans": {"Malware: HenBox": [[45, 51]], "System: Android": [[97, 104]]}, "info": {"id": "cyner_mitre_test_00279", "source": "cyner_mitre_test"}}
{"text": "Such data includes contact and location information , phone and message activity , the ability to record from the microphone , camera , and other sensors as well as the capability to access data from many popular messaging and social media apps .", "spans": {}, "info": {"id": "cyner_mitre_test_00280", "source": "cyner_mitre_test"}}
{"text": "Infrastructure While investigating HenBox we discovered infrastructure ties to other malware families associated with targeted attacks against Windows users – notable overlaps included PlugX , Zupdax , 9002 , and Poison Ivy .", "spans": {"Malware: HenBox": [[35, 41]], "System: Windows": [[143, 150]], "Malware: PlugX": [[185, 190]], "Malware: Zupdax": [[193, 199]], "Malware: 9002": [[202, 206]], "Malware: Poison Ivy": [[213, 223]]}, "info": {"id": "cyner_mitre_test_00281", "source": "cyner_mitre_test"}}
{"text": "The overall image of these ties is below in Figure 5 and paints a picture of an adversary with at least 5 malware families in their toolbox dating back to at least 2015 .", "spans": {}, "info": {"id": "cyner_mitre_test_00282", "source": "cyner_mitre_test"}}
{"text": "The overlap between the HenBox and 9002 malware families Unit 42 has seen involves three shared C2s between several samples ; the first IP below is used for more than half of the HenBox samples we have seen to date : 47.90.81 [ .", "spans": {"Malware: HenBox": [[24, 30], [179, 185]], "Malware: 9002": [[35, 39]], "Indicator: 47.90.81 [ .": [[217, 229]]}, "info": {"id": "cyner_mitre_test_00283", "source": "cyner_mitre_test"}}
{"text": "] 23 222.139.212 [ .", "spans": {"Indicator: 222.139.212 [ .": [[5, 20]]}, "info": {"id": "cyner_mitre_test_00284", "source": "cyner_mitre_test"}}
{"text": "] 16 lala513.gicp [ .", "spans": {"Indicator: lala513.gicp [ .": [[5, 21]]}, "info": {"id": "cyner_mitre_test_00285", "source": "cyner_mitre_test"}}
{"text": "] net The overlaps between the Henbox , PlugX , Zupdax , and Poison Ivy malware families involves a web of shared C2s and IP resolutions centered around the below : 59.188.196 [ .", "spans": {"Malware: Henbox": [[31, 37]], "Malware: PlugX": [[40, 45]], "Malware: Zupdax": [[48, 54]], "Malware: Poison Ivy": [[61, 71]], "Indicator: 59.188.196 [ .": [[165, 179]]}, "info": {"id": "cyner_mitre_test_00286", "source": "cyner_mitre_test"}}
{"text": "] 172 cdncool [ .", "spans": {"Indicator: cdncool [ .": [[6, 17]]}, "info": {"id": "cyner_mitre_test_00287", "source": "cyner_mitre_test"}}
{"text": "] com ( and third-levels of this domain ) www3.mefound [ .", "spans": {"Indicator: www3.mefound [ .": [[42, 58]]}, "info": {"id": "cyner_mitre_test_00288", "source": "cyner_mitre_test"}}
{"text": "] com www5.zyns [ .", "spans": {"Indicator: www5.zyns [ .": [[6, 19]]}, "info": {"id": "cyner_mitre_test_00289", "source": "cyner_mitre_test"}}
{"text": "] com w3.changeip [ .", "spans": {"Indicator: w3.changeip [ .": [[6, 21]]}, "info": {"id": "cyner_mitre_test_00290", "source": "cyner_mitre_test"}}
{"text": "] org Ties to previous activity The registrant of cdncool [ .", "spans": {"Indicator: cdncool [ .": [[50, 61]]}, "info": {"id": "cyner_mitre_test_00291", "source": "cyner_mitre_test"}}
{"text": "] com also registered six other domains .", "spans": {}, "info": {"id": "cyner_mitre_test_00292", "source": "cyner_mitre_test"}}
{"text": "To date , Unit 42 has seen four of the seven ( the first three in the list below , along with cdncool [ .", "spans": {"Indicator: cdncool [ .": [[94, 105]]}, "info": {"id": "cyner_mitre_test_00293", "source": "cyner_mitre_test"}}
{"text": "] com ) used in malicious activity and it is reasonable to assume the remaining three are or were intended to serve the same purpose .", "spans": {"Indicator: purpose .": [[125, 134]]}, "info": {"id": "cyner_mitre_test_00294", "source": "cyner_mitre_test"}}
{"text": "tcpdo [ .", "spans": {}, "info": {"id": "cyner_mitre_test_00295", "source": "cyner_mitre_test"}}
{"text": "] net adminsysteminfo [ .", "spans": {"Indicator: adminsysteminfo [ .": [[6, 25]]}, "info": {"id": "cyner_mitre_test_00296", "source": "cyner_mitre_test"}}
{"text": "] com md5c [ .", "spans": {"Indicator: md5c [ .": [[6, 14]]}, "info": {"id": "cyner_mitre_test_00297", "source": "cyner_mitre_test"}}
{"text": "] net linkdatax [ .", "spans": {"Indicator: linkdatax [ .": [[6, 19]]}, "info": {"id": "cyner_mitre_test_00298", "source": "cyner_mitre_test"}}
{"text": "] com csip6 [ .", "spans": {"Indicator: csip6 [ .": [[6, 15]]}, "info": {"id": "cyner_mitre_test_00299", "source": "cyner_mitre_test"}}
{"text": "] biz adminloader [ .", "spans": {"Indicator: adminloader [ .": [[6, 21]]}, "info": {"id": "cyner_mitre_test_00300", "source": "cyner_mitre_test"}}
{"text": "] com Unit 42 published a blog in July 2016 about 9002 malware being delivered using a combination of shortened links and a file hosted on Google Drive .", "spans": {"Malware: 9002": [[50, 54]]}, "info": {"id": "cyner_mitre_test_00301", "source": "cyner_mitre_test"}}
{"text": "The spear phishing emails had Myanmar political-themed lures and , if the 9002 C2 server responded , the Trojan sent system specific information along with the string “ jackhex ” .", "spans": {"Malware: 9002": [[74, 78]]}, "info": {"id": "cyner_mitre_test_00302", "source": "cyner_mitre_test"}}
{"text": "“ jackhex ” has also been part of a C2 for what is likely related Poison Ivy activity detailed below , along with additional infrastructure ties .", "spans": {"Malware: Poison Ivy": [[66, 76]]}, "info": {"id": "cyner_mitre_test_00303", "source": "cyner_mitre_test"}}
{"text": "The C2 for the aforementioned 9002 sample was logitechwkgame [ .", "spans": {"Malware: 9002": [[30, 34]], "Indicator: logitechwkgame [ .": [[46, 64]]}, "info": {"id": "cyner_mitre_test_00304", "source": "cyner_mitre_test"}}
{"text": "] com , which resolved to the IP address 222.239.91 [ .", "spans": {"Indicator: 222.239.91 [ .": [[41, 55]]}, "info": {"id": "cyner_mitre_test_00305", "source": "cyner_mitre_test"}}
{"text": "] 30 .", "spans": {}, "info": {"id": "cyner_mitre_test_00306", "source": "cyner_mitre_test"}}
{"text": "At the same time , the domain admin.nslookupdns [ .", "spans": {"Indicator: domain admin.nslookupdns [ .": [[23, 51]]}, "info": {"id": "cyner_mitre_test_00307", "source": "cyner_mitre_test"}}
{"text": "] com also resolved to the same IP address , suggesting that these two domains are associated with the same threat actors .", "spans": {}, "info": {"id": "cyner_mitre_test_00308", "source": "cyner_mitre_test"}}
{"text": "In addition , admin.nslookupdns [ .", "spans": {"Indicator: admin.nslookupdns [ .": [[14, 35]]}, "info": {"id": "cyner_mitre_test_00309", "source": "cyner_mitre_test"}}
{"text": "] com was a C2 for Poison Ivy samples associated with attacks on Myanmar and other Asian countries discussed in a blog published by Arbor Networks in April 2016 .", "spans": {"Malware: Poison Ivy": [[19, 29]], "Organization: Arbor Networks": [[132, 146]]}, "info": {"id": "cyner_mitre_test_00310", "source": "cyner_mitre_test"}}
{"text": "Another tie between the activity is the C2 jackhex.md5c [ .", "spans": {"Indicator: jackhex.md5c [ .": [[43, 59]]}, "info": {"id": "cyner_mitre_test_00311", "source": "cyner_mitre_test"}}
{"text": "] net , which was also used as a Poison Ivy C2 in the Arbor Networks blog .", "spans": {"Malware: Poison Ivy": [[33, 43]], "Organization: Arbor Networks": [[54, 68]]}, "info": {"id": "cyner_mitre_test_00312", "source": "cyner_mitre_test"}}
{"text": "“ jackhex ” is not a common word or phrase and , as noted above , was also seen in the beacon activity with the previously discussed 9002 sample .", "spans": {"Malware: 9002": [[133, 137]]}, "info": {"id": "cyner_mitre_test_00313", "source": "cyner_mitre_test"}}
{"text": "Finally , since publishing the 9002 blog , Unit 42 has also seen the aforementioned 9002 C2 used as a Poison Ivy C2 with a Myanmar political-themed lure .", "spans": {"Malware: 9002": [[31, 35], [84, 88]], "Malware: Poison Ivy": [[102, 112]]}, "info": {"id": "cyner_mitre_test_00314", "source": "cyner_mitre_test"}}
{"text": "In our 9002 blog we noted some additional infrastructure used either as C2s for related Poison Ivy samples , or domain registrant overlap with those C2 domains .", "spans": {"Malware: 9002": [[7, 11]], "Malware: Poison Ivy": [[88, 98]]}, "info": {"id": "cyner_mitre_test_00315", "source": "cyner_mitre_test"}}
{"text": "When we published that blog Unit 42 hadn ’ t seen any of the three registrants overlap domains used in malicious activity .", "spans": {}, "info": {"id": "cyner_mitre_test_00316", "source": "cyner_mitre_test"}}
{"text": "Since then , we have seen Poison Ivy samples using third-levels of querlyurl [ .", "spans": {"Malware: Poison Ivy": [[26, 36]], "Indicator: querlyurl [ .": [[67, 80]]}, "info": {"id": "cyner_mitre_test_00317", "source": "cyner_mitre_test"}}
{"text": "] com , lending further credence the remaining two domains , gooledriveservice [ .", "spans": {"Indicator: gooledriveservice [ .": [[61, 82]]}, "info": {"id": "cyner_mitre_test_00318", "source": "cyner_mitre_test"}}
{"text": "] com and appupdatemoremagic [ .", "spans": {"Indicator: appupdatemoremagic [ .": [[10, 32]]}, "info": {"id": "cyner_mitre_test_00319", "source": "cyner_mitre_test"}}
{"text": "] com are or were intended for malicious use .", "spans": {}, "info": {"id": "cyner_mitre_test_00320", "source": "cyner_mitre_test"}}
{"text": "While we do not have complete targeting , information associated with these Poison Ivy samples , several of the decoy files were in Chinese and appear to be part of a 2016 campaign targeting organizations in Taiwan with political-themed lures .", "spans": {"Malware: Poison Ivy": [[76, 86]]}, "info": {"id": "cyner_mitre_test_00321", "source": "cyner_mitre_test"}}
{"text": "Conclusion Typically masquerading as legitimate Android system apps , and sometimes embedding legitimate apps within them , the primary goal of the malicious HenBox appears to be to spy on those who install them .", "spans": {"Malware: Android": [[48, 55]], "Malware: HenBox": [[158, 164]]}, "info": {"id": "cyner_mitre_test_00322", "source": "cyner_mitre_test"}}
{"text": "Using similar traits , such as copycat iconography and app or package names , victims are likely socially engineered into installing the malicious apps , especially when available on so-called third-party ( i.e .", "spans": {}, "info": {"id": "cyner_mitre_test_00323", "source": "cyner_mitre_test"}}
{"text": "non-Google Play ) app stores which often have fewer security and vetting procedures for the apps they host .", "spans": {"System: Play": [[11, 15]]}, "info": {"id": "cyner_mitre_test_00324", "source": "cyner_mitre_test"}}
{"text": "It ’ s possible , as with other Android malware , that some apps may also be available on forums , file-sharing sites or even sent to victims as email attachments , and we were only able to determine the delivery mechanism for a handful of the apps we have been able to find .", "spans": {"System: Android": [[32, 39]]}, "info": {"id": "cyner_mitre_test_00325", "source": "cyner_mitre_test"}}
{"text": "The hosting locations seen for some HenBox samples , together with the nature of some embedded apps including : those targeted at extremist groups , those who use VPN or other privacy-enabling apps , and those who speak the Uyghur language , highlights the victim profile the threat actors were seeking to attack .", "spans": {"Malware: HenBox": [[36, 42]]}, "info": {"id": "cyner_mitre_test_00326", "source": "cyner_mitre_test"}}
{"text": "The targets and capabilities of HenBox , in addition to the ties to previous activity using four different Windows malware families with political-themed lures against several different South East Asian countries , indicates this activity likely represents an at least three-year-old espionage campaign .", "spans": {"Malware: HenBox": [[32, 38]]}, "info": {"id": "cyner_mitre_test_00327", "source": "cyner_mitre_test"}}
{"text": "THURSDAY , OCTOBER 11 , 2018 GPlayed Trojan - .Net playing with Google Market Introduction In a world where everything is always connected , and mobile devices are involved in individuals ' day-to-day lives more and more often , malicious actors are seeing increased opportunities to attack these devices .", "spans": {"Malware: GPlayed": [[29, 36]], "Organization: Google": [[64, 70]]}, "info": {"id": "cyner_mitre_test_00328", "source": "cyner_mitre_test"}}
{"text": "Cisco Talos has identified the latest attempt to penetrate mobile devices — a new Android trojan that we have dubbed \" GPlayed .", "spans": {"Organization: Cisco Talos": [[0, 11]], "System: Android": [[82, 89]], "Malware: GPlayed": [[119, 126]]}, "info": {"id": "cyner_mitre_test_00329", "source": "cyner_mitre_test"}}
{"text": "'' This is a trojan with many built-in capabilities .", "spans": {}, "info": {"id": "cyner_mitre_test_00330", "source": "cyner_mitre_test"}}
{"text": "At the same time , it 's extremely flexible , making it a very effective tool for malicious actors .", "spans": {}, "info": {"id": "cyner_mitre_test_00331", "source": "cyner_mitre_test"}}
{"text": "The sample we analyzed uses an icon very similar to Google Apps , with the label \" Google Play Marketplace '' to disguise itself .", "spans": {"System: Google Apps": [[52, 63]], "System: Google Play Marketplace": [[83, 106]]}, "info": {"id": "cyner_mitre_test_00332", "source": "cyner_mitre_test"}}
{"text": "The malicious application is on the left-hand side .", "spans": {}, "info": {"id": "cyner_mitre_test_00333", "source": "cyner_mitre_test"}}
{"text": "What makes this malware extremely powerful is the capability to adapt after it 's deployed .", "spans": {}, "info": {"id": "cyner_mitre_test_00334", "source": "cyner_mitre_test"}}
{"text": "In order to achieve this adaptability , the operator has the capability to remotely load plugins , inject scripts and even compile new .NET code that can be executed .", "spans": {"System: .NET": [[135, 139]]}, "info": {"id": "cyner_mitre_test_00335", "source": "cyner_mitre_test"}}
{"text": "Our analysis indicates that this trojan is in its testing stage but given its potential , every mobile user should be aware of GPlayed .", "spans": {"Malware: GPlayed": [[127, 134]]}, "info": {"id": "cyner_mitre_test_00336", "source": "cyner_mitre_test"}}
{"text": "Mobile developers have recently begun eschewing traditional app stores and instead want to deliver their software directly through their own means .", "spans": {}, "info": {"id": "cyner_mitre_test_00337", "source": "cyner_mitre_test"}}
{"text": "But GPlayed is an example of where this can go wrong , especially if a mobile user is not aware of how to distinguish a fake app versus a real one .", "spans": {"Malware: GPlayed": [[4, 11]]}, "info": {"id": "cyner_mitre_test_00338", "source": "cyner_mitre_test"}}
{"text": "Trojan architecture and capabilities This malware is written in .NET using the Xamarin environment for mobile applications .", "spans": {"System: .NET": [[64, 68]], "System: Xamarin": [[79, 86]]}, "info": {"id": "cyner_mitre_test_00339", "source": "cyner_mitre_test"}}
{"text": "The main DLL is called \" Reznov.DLL .", "spans": {"Indicator: Reznov.DLL": [[25, 35]]}, "info": {"id": "cyner_mitre_test_00340", "source": "cyner_mitre_test"}}
{"text": "'' This DLL contains one root class called \" eClient , '' which is the core of the trojan .", "spans": {}, "info": {"id": "cyner_mitre_test_00341", "source": "cyner_mitre_test"}}
{"text": "The imports reveal the use of a second DLL called \" eCommon.dll .", "spans": {"Indicator: eCommon.dll": [[52, 63]]}, "info": {"id": "cyner_mitre_test_00342", "source": "cyner_mitre_test"}}
{"text": "'' We determined that the \" eCommon '' file contains support code and structures that are platform independent .", "spans": {}, "info": {"id": "cyner_mitre_test_00343", "source": "cyner_mitre_test"}}
{"text": "The main DLL also contains eClient subclasses that implement some of the native capabilities .", "spans": {}, "info": {"id": "cyner_mitre_test_00344", "source": "cyner_mitre_test"}}
{"text": "The package certificate is issued under the package name , which also resembles the name of the main DLL name .", "spans": {}, "info": {"id": "cyner_mitre_test_00345", "source": "cyner_mitre_test"}}
{"text": "Certificate information The Android package is named \" verReznov.Coampany .", "spans": {"System: Android": [[28, 35]], "Indicator: verReznov.Coampany": [[55, 73]]}, "info": {"id": "cyner_mitre_test_00346", "source": "cyner_mitre_test"}}
{"text": "'' The application uses the label \" Installer '' and its name is \" android.app.Application .", "spans": {"Indicator: Installer": [[36, 45]], "Indicator: android.app.Application": [[67, 90]]}, "info": {"id": "cyner_mitre_test_00347", "source": "cyner_mitre_test"}}
{"text": "'' Package permissions The trojan declares numerous permissions in the manifest , from which we should highlight the BIND_DEVICE_ADMIN , which provides nearly full control of the device to the trojan .", "spans": {}, "info": {"id": "cyner_mitre_test_00348", "source": "cyner_mitre_test"}}
{"text": "This trojan is highly evolved in its design .", "spans": {}, "info": {"id": "cyner_mitre_test_00349", "source": "cyner_mitre_test"}}
{"text": "It has modular architecture implemented in the form of plugins , or it can receive new .NET source code , which will be compiled on the device in runtime .", "spans": {"System: .NET": [[87, 91]]}, "info": {"id": "cyner_mitre_test_00350", "source": "cyner_mitre_test"}}
{"text": "Initialization of the compiler object The plugins can be added in runtime , or they can be added as a package resource at packaging time .", "spans": {}, "info": {"id": "cyner_mitre_test_00351", "source": "cyner_mitre_test"}}
{"text": "This means that the authors or the operators can add capabilities without the need to recompile and upgrade the trojan package on the device .", "spans": {}, "info": {"id": "cyner_mitre_test_00352", "source": "cyner_mitre_test"}}
{"text": "Trojan native capabilities This is a full-fledged trojan with capabilities ranging from those of a banking trojan to a full spying trojan .", "spans": {}, "info": {"id": "cyner_mitre_test_00353", "source": "cyner_mitre_test"}}
{"text": "This means that the malware can do anything from harvest the user 's banking credentials , to monitoring the device 's location .", "spans": {}, "info": {"id": "cyner_mitre_test_00354", "source": "cyner_mitre_test"}}
{"text": "There are several indicators ( see section \" trojan activity '' below ) that it is in its last stages of development , but it has the potential to be a serious threat .", "spans": {}, "info": {"id": "cyner_mitre_test_00355", "source": "cyner_mitre_test"}}
{"text": "Trojan details Upon boot , the trojan will start by populating a shared preferences file with the configuration it has on its internal structures .", "spans": {}, "info": {"id": "cyner_mitre_test_00356", "source": "cyner_mitre_test"}}
{"text": "Afterward , it will start several timers to execute different tasks .", "spans": {}, "info": {"id": "cyner_mitre_test_00357", "source": "cyner_mitre_test"}}
{"text": "The first timer will be fired on the configured interval ( 20 seconds in this case ) , pinging the command and control ( C2 ) server .", "spans": {}, "info": {"id": "cyner_mitre_test_00358", "source": "cyner_mitre_test"}}
{"text": "The response can either be a simple \" OK , '' or can be a request to perform some action on the device .", "spans": {}, "info": {"id": "cyner_mitre_test_00359", "source": "cyner_mitre_test"}}
{"text": "The second timer will run every five seconds and it will try to enable the WiFi if it 's disabled .", "spans": {}, "info": {"id": "cyner_mitre_test_00360", "source": "cyner_mitre_test"}}
{"text": "The third timer will fire every 10 seconds and will attempt to register the device into the C2 and register wake-up locks on the system to control the device 's status .", "spans": {}, "info": {"id": "cyner_mitre_test_00361", "source": "cyner_mitre_test"}}
{"text": "During the trojan registration stage , the trojan exfiltrates private information such as the phone 's model , IMEI , phone number and country .", "spans": {}, "info": {"id": "cyner_mitre_test_00362", "source": "cyner_mitre_test"}}
{"text": "It will also report the version of Android that the phone is running and any additional capabilities .", "spans": {"System: Android": [[35, 42]]}, "info": {"id": "cyner_mitre_test_00363", "source": "cyner_mitre_test"}}
{"text": "Device registration This is the last of the three main timers that are created .", "spans": {}, "info": {"id": "cyner_mitre_test_00364", "source": "cyner_mitre_test"}}
{"text": "The trojan will register the SMS handler , which will forward the contents and the sender of all of the SMS messages on the phone to the C2 .", "spans": {}, "info": {"id": "cyner_mitre_test_00365", "source": "cyner_mitre_test"}}
{"text": "The final step in the trojan 's initialization is the escalation and maintenance of privileges in the device .", "spans": {}, "info": {"id": "cyner_mitre_test_00366", "source": "cyner_mitre_test"}}
{"text": "This is done both by requesting admin privileges on the device and asking the user to allow the application to access the device 's settings .", "spans": {}, "info": {"id": "cyner_mitre_test_00367", "source": "cyner_mitre_test"}}
{"text": "Privilege escalation requests The screens asking for the user 's approval wo n't close unless the user approves the privilege escalation .", "spans": {}, "info": {"id": "cyner_mitre_test_00368", "source": "cyner_mitre_test"}}
{"text": "If the user closes the windows , they will appear again due to the timer configuration .", "spans": {}, "info": {"id": "cyner_mitre_test_00369", "source": "cyner_mitre_test"}}
{"text": "After the installation of the trojan , it will wait randomly between three and five minutes to activate one of the native capabilities — these are implemented on the eClient subclass called \" GoogleCC .", "spans": {}, "info": {"id": "cyner_mitre_test_00370", "source": "cyner_mitre_test"}}
{"text": "'' This class will open a WebView with a Google-themed page asking for payment in order to use the Google services .", "spans": {"Organization: Google-themed": [[41, 54]], "Organization: Google": [[99, 105]]}, "info": {"id": "cyner_mitre_test_00371", "source": "cyner_mitre_test"}}
{"text": "This will take the user through several steps until it collects all the necessary credit card information , which will be checked online and exfiltrated to the C2 .", "spans": {}, "info": {"id": "cyner_mitre_test_00372", "source": "cyner_mitre_test"}}
{"text": "During this process , an amount of money , configured by the malicious operator , is requested to the user .", "spans": {}, "info": {"id": "cyner_mitre_test_00373", "source": "cyner_mitre_test"}}
{"text": "Steps to request the user 's credit card information In our sample configuration , the request for the views above can not be canceled or removed from the screen — behaving just like a screen lock that wo n't be disabled without providing credit card information .", "spans": {}, "info": {"id": "cyner_mitre_test_00374", "source": "cyner_mitre_test"}}
{"text": "All communication with the C2 is done over HTTP .", "spans": {}, "info": {"id": "cyner_mitre_test_00375", "source": "cyner_mitre_test"}}
{"text": "It will use either a standard web request or it will write data into a web socket if the first method fails .", "spans": {}, "info": {"id": "cyner_mitre_test_00376", "source": "cyner_mitre_test"}}
{"text": "The C2 can also use WebSocket as a backup communication channel .", "spans": {}, "info": {"id": "cyner_mitre_test_00377", "source": "cyner_mitre_test"}}
{"text": "Before sending any data to the C2 using the trojan attempts to disguise its data , the data is serialized using JSON , which is then encoded in Base64 .", "spans": {}, "info": {"id": "cyner_mitre_test_00378", "source": "cyner_mitre_test"}}
{"text": "However , the trojan replaces the '= ' by 'AAAZZZXXX ' , the '+ ' by '| ' and the '/ ' by ' .", "spans": {}, "info": {"id": "cyner_mitre_test_00379", "source": "cyner_mitre_test"}}
{"text": "' to disguise the Base64 .", "spans": {}, "info": {"id": "cyner_mitre_test_00380", "source": "cyner_mitre_test"}}
{"text": "Request encoding process The HTTP requests follow the format below , while on the WebSocket only the query data is written .", "spans": {}, "info": {"id": "cyner_mitre_test_00381", "source": "cyner_mitre_test"}}
{"text": "?", "spans": {}, "info": {"id": "cyner_mitre_test_00382", "source": "cyner_mitre_test"}}
{"text": "q= - : As is common with trojans , the communication is always initiated by the trojan on the device to the C2 .", "spans": {}, "info": {"id": "cyner_mitre_test_00383", "source": "cyner_mitre_test"}}
{"text": "The request codes are actually replies to the C2 action requests , which are actually called \" responses .", "spans": {}, "info": {"id": "cyner_mitre_test_00384", "source": "cyner_mitre_test"}}
{"text": "'' There are 27 response codes that the C2 can use to make requests to the trojan , which pretty much match what 's listed in the capabilities section .", "spans": {}, "info": {"id": "cyner_mitre_test_00385", "source": "cyner_mitre_test"}}
{"text": "Error Registration Ok Empty SendSMS RequestGoogleCC Wipe OpenBrowser SendUSSD RequestSMSList RequestAppList RequestLocation ShowNotification SetLockPassword LockNow MuteSound LoadScript LoadPlugin ServerChange StartApp CallPhone SetPingTimer SMSBroadcast RequestContacts AddInject RemoveInject Evaluate Another feature of this trojan is the ability to register injects , which are JavaScript snippets of code .", "spans": {}, "info": {"id": "cyner_mitre_test_00386", "source": "cyner_mitre_test"}}
{"text": "These will be executed in a WebView object created by the trojan .", "spans": {}, "info": {"id": "cyner_mitre_test_00387", "source": "cyner_mitre_test"}}
{"text": "This gives the operators the capability to trick the user into accessing any site while stealing the user 's cookies or forging form fields , like account numbers or phone numbers .", "spans": {}, "info": {"id": "cyner_mitre_test_00388", "source": "cyner_mitre_test"}}
{"text": "Trojan activity At the time of the writing of this post , all URLs ( see IOC section ) found on the sample were inactive , and it does not seem to be widespread .", "spans": {}, "info": {"id": "cyner_mitre_test_00389", "source": "cyner_mitre_test"}}
{"text": "There are some indicators that this sample is just a test sample on its final stages of development .", "spans": {}, "info": {"id": "cyner_mitre_test_00390", "source": "cyner_mitre_test"}}
{"text": "There are several strings and labels still mentioning 'test ' or 'testcc ' — even the URL used for the credit card data exfiltration is named \" testcc.php .", "spans": {"Indicator: testcc.php": [[144, 154]]}, "info": {"id": "cyner_mitre_test_00391", "source": "cyner_mitre_test"}}
{"text": "'' Debug information on logcat Another indicator is the amount of debugging information the trojan is still generating — a production-level trojan would keep its logging to a minimum .", "spans": {}, "info": {"id": "cyner_mitre_test_00392", "source": "cyner_mitre_test"}}
{"text": "The only sample was found on public repositories and almost seemed to indicate a test run to determine the detection ratio of the sample .", "spans": {}, "info": {"id": "cyner_mitre_test_00393", "source": "cyner_mitre_test"}}
{"text": "We have observed this trojan being submitted to public antivirus testing platforms , once as a package and once for each DLL to determine the detection ratio .", "spans": {}, "info": {"id": "cyner_mitre_test_00394", "source": "cyner_mitre_test"}}
{"text": "The sample analyzed was targeted at Russian-speaking users , as most of the user interaction pages are written in Russian .", "spans": {}, "info": {"id": "cyner_mitre_test_00395", "source": "cyner_mitre_test"}}
{"text": "However , given the way the trojan is built , it is highly customizable , meaning that adapting it to a different language would be extremely easy .", "spans": {}, "info": {"id": "cyner_mitre_test_00396", "source": "cyner_mitre_test"}}
{"text": "The wide range of capabilities does n't limit this trojan to a specific malicious activity like a banking trojan or a ransomware .", "spans": {}, "info": {"id": "cyner_mitre_test_00397", "source": "cyner_mitre_test"}}
{"text": "This makes it impossible to create a target profile .", "spans": {}, "info": {"id": "cyner_mitre_test_00398", "source": "cyner_mitre_test"}}
{"text": "Conclusion This trojan shows a new path for threats to evolve .", "spans": {}, "info": {"id": "cyner_mitre_test_00399", "source": "cyner_mitre_test"}}
{"text": "Having the ability to move code from desktops to mobile platforms with no effort , like the eCommon.DLL demonstrates that malicious actors can create hybrid threats faster and with fewer resources involved than ever before .", "spans": {"Indicator: eCommon.DLL": [[92, 103]]}, "info": {"id": "cyner_mitre_test_00400", "source": "cyner_mitre_test"}}
{"text": "This trojan 's design and implementation is of an uncommonly high level , making it a dangerous threat .", "spans": {}, "info": {"id": "cyner_mitre_test_00401", "source": "cyner_mitre_test"}}
{"text": "These kinds of threats will become more common , as more and more companies decide to publish their software directly to consumers .", "spans": {}, "info": {"id": "cyner_mitre_test_00402", "source": "cyner_mitre_test"}}
{"text": "There have been several recent examples of companies choosing to release their software directly to consumers , bypassing traditional storefronts .", "spans": {}, "info": {"id": "cyner_mitre_test_00403", "source": "cyner_mitre_test"}}
{"text": "The average user might not have the necessary skills to distinguish legitimate sites from malicious ones .", "spans": {}, "info": {"id": "cyner_mitre_test_00404", "source": "cyner_mitre_test"}}
{"text": "We 've seen that this has been the case for many years with spear-phishing campaigns on desktop and mobile platforms , so , unfortunately , it does n't seem that this will change any time soon .", "spans": {}, "info": {"id": "cyner_mitre_test_00405", "source": "cyner_mitre_test"}}
{"text": "And this just means attackers will continue to be successful .", "spans": {}, "info": {"id": "cyner_mitre_test_00406", "source": "cyner_mitre_test"}}
{"text": "Coverage Additional ways our customers can detect and block this threat are listed below .", "spans": {}, "info": {"id": "cyner_mitre_test_00407", "source": "cyner_mitre_test"}}
{"text": "Advanced Malware Protection ( AMP ) is ideally suited to prevent the execution of the malware used by these threat actors .", "spans": {"System: Advanced Malware Protection ( AMP )": [[0, 35]]}, "info": {"id": "cyner_mitre_test_00408", "source": "cyner_mitre_test"}}
{"text": "Cisco Cloud Web Security ( CWS ) or Web Security Appliance ( WSA ) web scanning prevents access to malicious websites and detects malware used in these attacks .", "spans": {"System: Cisco Cloud Web Security ( CWS )": [[0, 32]], "System: Web Security Appliance ( WSA )": [[36, 66]]}, "info": {"id": "cyner_mitre_test_00409", "source": "cyner_mitre_test"}}
{"text": "Email Security can block malicious emails sent by threat actors as part of their campaign .", "spans": {}, "info": {"id": "cyner_mitre_test_00410", "source": "cyner_mitre_test"}}
{"text": "Network Security appliances such as Next-Generation Firewall ( NGFW ) , Next-Generation Intrusion Prevention System ( NGIPS ) , and Meraki MX can detect malicious activity associated with this threat .", "spans": {"System: Next-Generation Firewall ( NGFW )": [[36, 69]], "System: Next-Generation Intrusion Prevention System ( NGIPS )": [[72, 125]], "System: Meraki MX": [[132, 141]]}, "info": {"id": "cyner_mitre_test_00411", "source": "cyner_mitre_test"}}
{"text": "AMP Threat Grid helps identify malicious binaries and build protection into all Cisco Security products .", "spans": {"Organization: Cisco": [[80, 85]]}, "info": {"id": "cyner_mitre_test_00412", "source": "cyner_mitre_test"}}
{"text": "Umbrella , our secure internet gateway ( SIG ) , blocks users from connecting to malicious domains , IPs , and URLs , whether users are on or off the corporate network .", "spans": {"System: Umbrella": [[0, 8]]}, "info": {"id": "cyner_mitre_test_00413", "source": "cyner_mitre_test"}}
{"text": "Open Source Snort Subscriber Rule Set customers can stay up to date by downloading the latest rule pack available for purchase on Snort.org .", "spans": {}, "info": {"id": "cyner_mitre_test_00414", "source": "cyner_mitre_test"}}
{"text": "Indicators of compromise ( IOC ) URLs hxxp : //5.9.33.226:5416 hxxp : //172.110.10.171:85/testcc.php hxxp : //sub1.tdsworker.ru:5555/3ds/ Hash values Package.apk - A342a16082ea53d101f556b50532651cd3e3fdc7d9e0be3aa136680ad9c6a69f eCommon.dl - 604deb75eedf439766896f05799752de268baf437bf89a7185540627ab4a4bd1", "spans": {"Indicator: hxxp : //5.9.33.226:5416": [[38, 62]], "Indicator: hxxp : //172.110.10.171:85/testcc.php": [[63, 100]], "Indicator: hxxp : //sub1.tdsworker.ru:5555/3ds/": [[101, 137]], "Indicator: Package.apk": [[150, 161]], "Indicator: A342a16082ea53d101f556b50532651cd3e3fdc7d9e0be3aa136680ad9c6a69f": [[164, 228]], "Indicator: eCommon.dl": [[229, 239]], "Indicator: 604deb75eedf439766896f05799752de268baf437bf89a7185540627ab4a4bd1": [[242, 306]]}, "info": {"id": "cyner_mitre_test_00415", "source": "cyner_mitre_test"}}
{"text": "Reznov.dll - 17b8665cdbbb94482ca970a754d11d6e29c46af6390a2d8e8193d8d6a527dec3 Custom activity prefix com.cact.CAct Cerberus - A new banking Trojan from the underworld August 2019 In June 2019 , ThreatFabric analysts found a new Android malware , dubbed “ Cerberus ” , being rented out on underground forums .", "spans": {"Indicator: Reznov.dll": [[0, 10]], "Indicator: 17b8665cdbbb94482ca970a754d11d6e29c46af6390a2d8e8193d8d6a527dec3": [[13, 77]], "Indicator: com.cact.CAct": [[101, 114]], "Malware: Cerberus": [[115, 123], [255, 263]], "Organization: ThreatFabric": [[194, 206]], "System: Android": [[228, 235]]}, "info": {"id": "cyner_mitre_test_00416", "source": "cyner_mitre_test"}}
{"text": "Its authors claim that it was used for private operations for two years preceding the start of the rental .", "spans": {}, "info": {"id": "cyner_mitre_test_00417", "source": "cyner_mitre_test"}}
{"text": "They also state that the code is written from scratch and is not using parts of other existing banking Trojans unlike many other Trojans that are either based completely on the source of another Trojan ( such as the leaked Anubis source code that is now being resold ) or at least borrow parts of other Trojans .", "spans": {"Malware: Anubis": [[223, 229]]}, "info": {"id": "cyner_mitre_test_00418", "source": "cyner_mitre_test"}}
{"text": "After thorough analysis we can confirm that Cerberus was indeed not based on the Anubis source code .", "spans": {"Malware: Cerberus": [[44, 52]], "Malware: Anubis": [[81, 87]]}, "info": {"id": "cyner_mitre_test_00419", "source": "cyner_mitre_test"}}
{"text": "One peculiar thing about the actor group behind this banking malware is that they have an “ official ” twitter account that they use to post promotional content ( even videos ) about the malware .", "spans": {"Organization: twitter": [[103, 110]]}, "info": {"id": "cyner_mitre_test_00420", "source": "cyner_mitre_test"}}
{"text": "Oddly enough they also use it to make fun of the AV community , sharing detection screenshots from VirusTotal ( thus leaking IoC ) and even engaging in discussions with malware researchers directly The following screenshot shows tweets from their advertisement campaign : That unusual behavior could be explained by the combination of the need for attention and a probable lack of experience .", "spans": {"Organization: VirusTotal": [[99, 109]]}, "info": {"id": "cyner_mitre_test_00421", "source": "cyner_mitre_test"}}
{"text": "What is sure is that the gap in the Android banking malware rental business left open after the rental of the Anubis 2 and RedAlert 2 Trojans ended provides a good opportunity for the actors behind Cerberus to grow their business quickly .", "spans": {"System: Android": [[36, 43]], "Malware: Anubis 2": [[110, 118]], "Malware: RedAlert 2": [[123, 133]], "Malware: Cerberus": [[198, 206]]}, "info": {"id": "cyner_mitre_test_00422", "source": "cyner_mitre_test"}}
{"text": "The Android banking Trojan rental business Rental of banking Trojans is not new .", "spans": {"System: Android": [[4, 11]]}, "info": {"id": "cyner_mitre_test_00423", "source": "cyner_mitre_test"}}
{"text": "It was an existing business model when computer-based banking malware was the only form of banking malware and has shifted to the Android equivalent a few years later .", "spans": {"System: Android": [[130, 137]]}, "info": {"id": "cyner_mitre_test_00424", "source": "cyner_mitre_test"}}
{"text": "The life span of Android banking malware is limited to either the will of its author ( s ) to support it or the arrest of those actors .", "spans": {"System: Android": [[17, 24]]}, "info": {"id": "cyner_mitre_test_00425", "source": "cyner_mitre_test"}}
{"text": "This malware-life-cycle has been observed to reoccur every few years , bringing new malware families into light .", "spans": {}, "info": {"id": "cyner_mitre_test_00426", "source": "cyner_mitre_test"}}
{"text": "Each time a rented malware reaches the end of its life it provides the opportunity for other actors a to take over the malware rental market-share .", "spans": {}, "info": {"id": "cyner_mitre_test_00427", "source": "cyner_mitre_test"}}
{"text": "As visible on following chart , the lifespan of many well-known rented Android bankers is usually no more than one or two years .", "spans": {"System: Android": [[71, 78]]}, "info": {"id": "cyner_mitre_test_00428", "source": "cyner_mitre_test"}}
{"text": "When the family ceases to exist a new one is already available to fill the void , proving that the demand for such malware is always present and that therefore Cerberus has a good chance to survive .", "spans": {"Malware: Cerberus": [[160, 168]]}, "info": {"id": "cyner_mitre_test_00429", "source": "cyner_mitre_test"}}
{"text": "After the actor behind RedAlert 2 decided to quit the rental business , we observed a surge in Anubis samples in the wild .", "spans": {"Malware: RedAlert 2": [[23, 33]], "Malware: Anubis": [[95, 101]]}, "info": {"id": "cyner_mitre_test_00430", "source": "cyner_mitre_test"}}
{"text": "After the Anubis actor was allegedly arrested and the source code was leaked there was also huge increase in the number of Anubis samples found in the wild , but the new actors using Anubis have no support or updates .", "spans": {"Malware: Anubis": [[10, 16], [123, 129], [183, 189]]}, "info": {"id": "cyner_mitre_test_00431", "source": "cyner_mitre_test"}}
{"text": "Due to this Cerberus will come in handy for actors that want to focus on performing fraud without having to develop and maintain a botnet and C2 infrastructure .", "spans": {"Malware: Cerberus": [[12, 20]]}, "info": {"id": "cyner_mitre_test_00432", "source": "cyner_mitre_test"}}
{"text": "Analysis of evasion techniques Along with the standard payload and string obfuscation , Cerberus uses a rather interesting technique to prevent analysis of the Trojan .", "spans": {"Malware: Cerberus": [[88, 96]]}, "info": {"id": "cyner_mitre_test_00433", "source": "cyner_mitre_test"}}
{"text": "Using the device accelerometer sensor it implements a simple pedometer that is used to measure movements of the victim .", "spans": {}, "info": {"id": "cyner_mitre_test_00434", "source": "cyner_mitre_test"}}
{"text": "The idea is simple - if the infected device belongs to a real person , sooner or later this person will move around , increasing the step counter .", "spans": {}, "info": {"id": "cyner_mitre_test_00435", "source": "cyner_mitre_test"}}
{"text": "The Trojan uses this counter to activate the bot - if aforementioned step counter hits the pre-configured threshold it considers running on the device to be safe .", "spans": {}, "info": {"id": "cyner_mitre_test_00436", "source": "cyner_mitre_test"}}
{"text": "This simple measure prevents the Trojan from running and being analyzed in dynamic analysis environments ( sandboxes ) and on the test devices of malware analysts .", "spans": {}, "info": {"id": "cyner_mitre_test_00437", "source": "cyner_mitre_test"}}
{"text": "The code responsible for this verification is shown in the following snippet : How it works When the malware is first started on the device it will begin by hiding its icon from the application drawer .", "spans": {}, "info": {"id": "cyner_mitre_test_00438", "source": "cyner_mitre_test"}}
{"text": "Then it will ask for the accessibility service privilege as visible in the following screenshot : After the user grants the requested privilege , Cerberus starts to abuse it by granting itself additional permissions , such as permissions needed to send messages and make calls , without requiring any user interaction .", "spans": {"Malware: Cerberus": [[146, 154]]}, "info": {"id": "cyner_mitre_test_00439", "source": "cyner_mitre_test"}}
{"text": "It also disables Play Protect ( Google ’ s preinstalled antivirus solution ) to prevent its discovery and deletion in the future .", "spans": {"System: Play Protect": [[17, 29]], "Organization: Google": [[32, 38]]}, "info": {"id": "cyner_mitre_test_00440", "source": "cyner_mitre_test"}}
{"text": "After conveniently granting itself additional privileges and securing its persistence on the device , Cerberus registers the infected device in the botnet and waits for commands from the C2 server while also being ready to perform overlay attacks .", "spans": {"Malware: Cerberus": [[102, 110]]}, "info": {"id": "cyner_mitre_test_00441", "source": "cyner_mitre_test"}}
{"text": "The commands supported by the analyzed version of the Cerberus bot are listed below .", "spans": {"Malware: Cerberus": [[54, 62]]}, "info": {"id": "cyner_mitre_test_00442", "source": "cyner_mitre_test"}}
{"text": "As can be seen , the possibilities offered by the bot are pretty common .", "spans": {}, "info": {"id": "cyner_mitre_test_00443", "source": "cyner_mitre_test"}}
{"text": "Command Description push Shows a push notification .", "spans": {}, "info": {"id": "cyner_mitre_test_00444", "source": "cyner_mitre_test"}}
{"text": "Clicking on the notification will result in launching a specified app startApp Starts the specified application getInstallApps Gets the list of installed applications on the infected device getContacts Gets the contact names and phone numbers from the address book on the infected device deleteApplication Triggers the deletion of the specified application forwardCall Enables call forwarding to the specified number sendSms Sends a text message with specified text from the infected device to the specified phone number startInject Triggers the overlay attack against the specified application startUssd", "spans": {}, "info": {"id": "cyner_mitre_test_00445", "source": "cyner_mitre_test"}}
{"text": "Calls the specified USSD code openUrl Opens the specified URL in the WebView getSMS Gets all text messages from the infected device killMe Triggers the kill switch for the bot updateModule Updates the payload module Cerberus features Cerberus malware has the same capabilities as most other Android banking Trojans such as the use of overlay attacks , SMS control and contact list harvesting .", "spans": {"Malware: Cerberus": [[216, 224], [234, 242]], "System: Android": [[291, 298]]}, "info": {"id": "cyner_mitre_test_00446", "source": "cyner_mitre_test"}}
{"text": "The Trojan can also leverage keylogging to broaden the attack scope .", "spans": {}, "info": {"id": "cyner_mitre_test_00447", "source": "cyner_mitre_test"}}
{"text": "Overall , Cerberus has a pretty common feature list and although the malware seems to have been written from scratch there does not seem to be any innovative functionality at this time .", "spans": {"Malware: Cerberus": [[10, 18]]}, "info": {"id": "cyner_mitre_test_00448", "source": "cyner_mitre_test"}}
{"text": "For example , some of the more advanced banking Trojans now offer features such as a back-connect proxy , screen-streaming and even remote control .", "spans": {}, "info": {"id": "cyner_mitre_test_00449", "source": "cyner_mitre_test"}}
{"text": "Cerberus embeds the following set of features that allow it to remain under the radar and successfully perform attacks : Overlaying : Dynamic ( Local injects obtained from C2 ) Keylogging SMS harvesting : SMS listing SMS harvesting : SMS forwarding Device info collection Contact list collection Application listing Location collection Overlaying : Targets list update SMS : Sending Calls : USSD request making Calls : Call forwarding Remote actions : App installing Remote actions : App starting Remote actions : App removal Remote actions : Showing arbitrary web pages Remote actions : Screen-locking", "spans": {"Malware: Cerberus": [[0, 8]]}, "info": {"id": "cyner_mitre_test_00450", "source": "cyner_mitre_test"}}
{"text": "Notifications : Push notifications C2 Resilience : Auxiliary C2 list Self-protection : Hiding the App icon Self-protection : Preventing removal Self-protection : Emulation-detection Architecture : Modular Overlay attack Most Android banking Trojans use overlay attacks to trick the victim into providing their personal information ( such as but not limited to : credit card information , banking credentials , mail credentials ) and Cerberus is no exception .", "spans": {"Malware: Cerberus": [[433, 441]]}, "info": {"id": "cyner_mitre_test_00451", "source": "cyner_mitre_test"}}
{"text": "In this particular case , the bot abuses the accessibility service privilege to obtain the package name of the foreground application and determine whether or not to show a phishing overlay window , as shown in the following code snippet : Targets Some examples of phishing overlays are shown below .", "spans": {}, "info": {"id": "cyner_mitre_test_00452", "source": "cyner_mitre_test"}}
{"text": "They come in two types : the credential stealers ( first 2 screenshots ) and the credit card grabbers ( last screenshot ) .", "spans": {}, "info": {"id": "cyner_mitre_test_00453", "source": "cyner_mitre_test"}}
{"text": "The only active target list observed in the wild is available in the appendix and contains a total of 30 unique targets .", "spans": {}, "info": {"id": "cyner_mitre_test_00454", "source": "cyner_mitre_test"}}
{"text": "It is interesting to observe that the actual target list contains : 7 French banking apps 7 U.S. banking apps 1 Japanese banking app 15 non-banking apps This uncommon target list might either be the result of specific customer demand , or due to some actors having partially reused an existing target list .", "spans": {}, "info": {"id": "cyner_mitre_test_00455", "source": "cyner_mitre_test"}}
{"text": "Conclusion Although not yet mature enough to provide the equivalent of a full-blown set of Android banking malware features ( such as RAT , RAT with ATS ( Automated Transaction Script ) , back-connect proxy , media streaming ) , or providing an exhaustive target list , Cerberus should not be taken lightly .", "spans": {"System: Android": [[91, 98]], "Malware: Cerberus": [[270, 278]]}, "info": {"id": "cyner_mitre_test_00456", "source": "cyner_mitre_test"}}
{"text": "Due to the current absence of maintained and supported Android banking Malware-as-a-Service in the underground community , there is certainly demand for a new service .", "spans": {"System: Android": [[55, 62]]}, "info": {"id": "cyner_mitre_test_00457", "source": "cyner_mitre_test"}}
{"text": "Cerberus is already capable of fulfilling this demand .", "spans": {"Malware: Cerberus": [[0, 8]]}, "info": {"id": "cyner_mitre_test_00458", "source": "cyner_mitre_test"}}
{"text": "In addition to the feature base it already possesses and the money that can be made from the rental , it could evolve to compete with the mightiest Android banking Trojans .", "spans": {"System: Android": [[148, 155]]}, "info": {"id": "cyner_mitre_test_00459", "source": "cyner_mitre_test"}}
{"text": "Next to the features , we expect the target list to be expanded to contain additional ( banking ) apps in the near future .", "spans": {}, "info": {"id": "cyner_mitre_test_00460", "source": "cyner_mitre_test"}}
{"text": "Knowledge of the threat landscape and implementation of the right detection tools remain crucial to be able to protect yourself from fraud ; Cerberus is yet another new Trojan active in the wild !", "spans": {"Malware: Cerberus": [[141, 149]]}, "info": {"id": "cyner_mitre_test_00461", "source": "cyner_mitre_test"}}
{"text": "Appendix Samples Some of the latest Cerberus samples found in the wild : App name Package name SHA 256 hash Flash Player com.uxlgtsvfdc.zipvwntdy 728a6ea44aab94a2d0ebbccbf0c1b4a93fbd9efa8813c19a88d368d6a46b4f4f Flash Player com.ognbsfhszj.hqpquokjdp fe28aba6a942b6713d7142117afdf70f5e731c56eff8956ecdb40cdc28c7c329", "spans": {"Malware: Cerberus": [[36, 44]], "System: Flash Player": [[108, 120], [211, 223]], "Indicator: com.uxlgtsvfdc.zipvwntdy": [[121, 145]], "Indicator: 728a6ea44aab94a2d0ebbccbf0c1b4a93fbd9efa8813c19a88d368d6a46b4f4f": [[146, 210]], "Indicator: com.ognbsfhszj.hqpquokjdp": [[224, 249]], "Indicator: fe28aba6a942b6713d7142117afdf70f5e731c56eff8956ecdb40cdc28c7c329": [[250, 314]]}, "info": {"id": "cyner_mitre_test_00462", "source": "cyner_mitre_test"}}
{"text": "Flash Player com.mwmnfwt.arhkrgajn ffa5ac3460998e7b9856fc136ebcd112196c3abf24816ccab1fbae11eae4954c Flash Player com.wogdjywtwq.oiofvpzpxyo 6ac7e7ed83b4b57cc4d28f14308d69d062d29a544bbde0856d5697b0fc50cde4 Flash Player com.hvdnaiujzwo.fovzeukzywfr", "spans": {"System: Flash Player": [[0, 12], [100, 112], [205, 217]], "Indicator: com.mwmnfwt.arhkrgajn": [[13, 34]], "Indicator: ffa5ac3460998e7b9856fc136ebcd112196c3abf24816ccab1fbae11eae4954c": [[35, 99]], "Indicator: com.wogdjywtwq.oiofvpzpxyo": [[113, 139]], "Indicator: 6ac7e7ed83b4b57cc4d28f14308d69d062d29a544bbde0856d5697b0fc50cde4": [[140, 204]], "Indicator: com.hvdnaiujzwo.fovzeukzywfr": [[218, 246]]}, "info": {"id": "cyner_mitre_test_00463", "source": "cyner_mitre_test"}}
{"text": "cfd77ddc5c1ebb8498c899a68ea75d2616c1c92a0e618113d7c9e5fcc650094b Flash Player com.gzhlubw.pmevdiexmn 3f2ed928789c200e21fd0c2095619a346f75d84f76f1e54a8b3153385850ea63 Target list The actual observed list of mobile apps targeted by Cerberus contains a total of 30 unique applications .", "spans": {"Indicator: cfd77ddc5c1ebb8498c899a68ea75d2616c1c92a0e618113d7c9e5fcc650094b": [[0, 64]], "System: Flash Player": [[65, 77]], "Indicator: com.gzhlubw.pmevdiexmn": [[78, 100]], "Indicator: 3f2ed928789c200e21fd0c2095619a346f75d84f76f1e54a8b3153385850ea63": [[101, 165]], "Malware: Cerberus": [[230, 238]]}, "info": {"id": "cyner_mitre_test_00464", "source": "cyner_mitre_test"}}
{"text": "This list is expected to expand : Package name Application name com.android.vending Play Market com.boursorama.android.clients Boursorama Banque com.caisseepargne.android.mobilebanking Banque com.chase.sig.android Chase Mobile com.clairmail.fth Fifth Third Mobile Banking com.connectivityapps.hotmail Connect for Hotmail com.google.android.gm Gmail com.imo.android.imoim imo free video calls and chat com.infonow.bofa Bank of America", "spans": {"Indicator: com.android.vending": [[64, 83]], "System: Play Market": [[84, 95]], "Indicator: com.boursorama.android.clients Boursorama": [[96, 137]], "System: Banque": [[138, 144], [185, 191]], "Indicator: com.caisseepargne.android.mobilebanking": [[145, 184]], "Indicator: com.chase.sig.android": [[192, 213]], "System: Chase Mobile": [[214, 226]], "Indicator: com.clairmail.fth": [[227, 244]], "System: Fifth Third Mobile Banking": [[245, 271]], "Indicator: com.connectivityapps.hotmail": [[272, 300]], "System: Connect for Hotmail": [[301, 320]], "Indicator: com.google.android.gm": [[321, 342]], "System: Gmail": [[343, 348]], "Indicator: com.imo.android.imoim": [[349, 370]], "System: imo": [[371, 374]], "Indicator: com.infonow.bofa": [[401, 417]], "System: Bank of America": [[418, 433]]}, "info": {"id": "cyner_mitre_test_00465", "source": "cyner_mitre_test"}}
{"text": "Mobile Banking com.IngDirectAndroid ING com.instagram.android Instagram com.konylabs.capitalone Capital One® Mobile com.mail.mobile.android.mail mail.com mail com.microsoft.office.outlook Microsoft Outlook com.snapchat.android Snapchat com.tencent.mm WeChat com.twitter.android Twitter com.ubercab Uber com.usaa.mobile.android.usaa USAA Mobile com.usbank.mobilebanking U.S. Bank - Inspired by customers com.viber.voip Viber com.wf.wellsfargomobile", "spans": {"Indicator: com.IngDirectAndroid": [[15, 35]], "Indicator: com.instagram.android Instagram": [[40, 71]], "Indicator: com.konylabs.capitalone": [[72, 95]], "System: Capital One® Mobile": [[96, 115]], "Indicator: com.mail.mobile.android.mail mail.com": [[116, 153]], "System: mail": [[154, 158]], "Indicator: com.microsoft.office.outlook": [[159, 187]], "System: Microsoft Outlook": [[188, 205]], "Indicator: com.snapchat.android": [[206, 226]], "System: Snapchat": [[227, 235]], "Indicator: com.tencent.mm": [[236, 250]], "System: WeChat": [[251, 257]], "Indicator: com.twitter.android": [[258, 277]], "System: Twitter": [[278, 285]], "Indicator: com.ubercab": [[286, 297]], "Organization: Uber": [[298, 302]], "Indicator: com.usaa.mobile.android.usaa": [[303, 331]], "System: USAA Mobile": [[332, 343]], "Indicator: com.usbank.mobilebanking U.S.": [[344, 373]], "Indicator: com.viber.voip": [[403, 417]], "System: Viber": [[418, 423]], "Indicator: com.wf.wellsfargomobile": [[424, 447]]}, "info": {"id": "cyner_mitre_test_00466", "source": "cyner_mitre_test"}}
{"text": "Wells Fargo Mobile com.whatsapp WhatsApp com.yahoo.mobile.client.android.mail Yahoo Mail – Organized Email fr.banquepopulaire.cyberplus Banque Populaire fr.creditagricole.androidapp Ma Banque jp.co.rakuten_bank.rakutenbank 楽天銀行 -個人のお客様向けアプリ mobi.societegenerale.mobile.lappli L ’ Appli Société Générale net.bnpparibas.mescomptes Mes Comptes BNP Paribas org.telegram.messenger Telegram Triout - Spyware Framework", "spans": {"System: Wells Fargo Mobile": [[0, 18]], "Indicator: com.whatsapp": [[19, 31]], "System: WhatsApp": [[32, 40]], "Indicator: com.yahoo.mobile.client.android.mail": [[41, 77]], "System: Yahoo Mail": [[78, 88]], "Indicator: fr.banquepopulaire.cyberplus": [[107, 135]], "System: Banque": [[136, 142]], "Indicator: fr.creditagricole.androidapp": [[153, 181]], "System: Ma Banque": [[182, 191]], "Indicator: jp.co.rakuten_bank.rakutenbank": [[192, 222]], "Indicator: mobi.societegenerale.mobile.lappli": [[241, 275]], "Indicator: net.bnpparibas.mescomptes": [[303, 328]], "Indicator: org.telegram.messenger Telegram": [[353, 384]], "Malware: Triout": [[385, 391]]}, "info": {"id": "cyner_mitre_test_00467", "source": "cyner_mitre_test"}}
{"text": "for Android with Extensive Surveillance Capabilities August 20 , 2018 No operating system is safe from malware , as cyber criminals will always want to steal , spy or tamper with your data .", "spans": {"System: Android": [[4, 11]]}, "info": {"id": "cyner_mitre_test_00468", "source": "cyner_mitre_test"}}
{"text": "The proliferation of Android devices – from smartphones to tablets and smart TVs – has opened up new possibilities for malware developers , as all these devices pack microphones , cameras and location-tracking hardware they can turn into the perfect spy tools .", "spans": {"System: Android": [[21, 28]]}, "info": {"id": "cyner_mitre_test_00469", "source": "cyner_mitre_test"}}
{"text": "Bitdefender researchers have identified a new Android spyware , dubbed Triout , which appears to act as a framework for building extensive surveillance capabilities into seemingly benign applications .", "spans": {"Organization: Bitdefender": [[0, 11]], "System: Android": [[46, 53]], "Malware: Triout": [[71, 77]]}, "info": {"id": "cyner_mitre_test_00470", "source": "cyner_mitre_test"}}
{"text": "Found bundled with a repackaged app , the spyware ’ s surveillance capabilities involve hiding its presence on the device , recording phone calls , logging incoming text messages , recording videos , taking pictures and collecting GPS coordinates , then broadcasting all of that to an attacker-controlled C & C ( command and control ) server .", "spans": {"System: GPS": [[231, 234]]}, "info": {"id": "cyner_mitre_test_00471", "source": "cyner_mitre_test"}}
{"text": "It ’ s interesting that Triout , which is detected by Bitdefender ’ s machine learning algorithms , was first submitted from Russia , and most scans/reports came from Israel .", "spans": {"Malware: Triout": [[24, 30]], "Organization: Bitdefender": [[54, 65]]}, "info": {"id": "cyner_mitre_test_00472", "source": "cyner_mitre_test"}}
{"text": "The sample ’ s first appearance seems to be May 15 , 2018 , when it was uploaded to VirusTotal , but it ’ s unclear how the tainted sample is disseminated .", "spans": {"Organization: VirusTotal": [[84, 94]]}, "info": {"id": "cyner_mitre_test_00473", "source": "cyner_mitre_test"}}
{"text": "Third-party marketplaces or some other attacker-controlled domains are likely used to host the sample .", "spans": {}, "info": {"id": "cyner_mitre_test_00474", "source": "cyner_mitre_test"}}
{"text": "A subsequent investigation revealed that the spyware has the following capabilities : Records every phone call ( literally the conversation as a media file ) , then sends it together with the caller id to the C & C ( incall3.php and outcall3.php ) Logs every incoming SMS message ( SMS body and SMS sender ) to C & C ( script3.php ) Has capability to hide self Can send all call logs ( “ content : //call_log/calls ” , info : callname , callnum , calldate , calltype , callduration", "spans": {"Indicator: incall3.php": [[217, 228]], "Indicator: outcall3.php": [[233, 245]], "Indicator: script3.php": [[319, 330]], "Indicator: content : //call_log/calls": [[388, 414]]}, "info": {"id": "cyner_mitre_test_00475", "source": "cyner_mitre_test"}}
{"text": ") to C & C ( calllog.php ) Whenever the user snaps a picture , either with the front or rear camera , it gets sent to the C & C ( uppc.php , finpic.php or reqpic.php ) Can send GPS coordinates to C & C ( gps3.php ) The C & C server to which the application seems to be sending collected data appears to be operational , as of this writing , and running since May 2018 .", "spans": {"Indicator: calllog.php": [[13, 24]], "Indicator: uppc.php": [[130, 138]], "Indicator: finpic.php": [[141, 151]], "Indicator: reqpic.php": [[155, 165]], "System: GPS": [[177, 180]], "Indicator: gps3.php": [[204, 212]]}, "info": {"id": "cyner_mitre_test_00476", "source": "cyner_mitre_test"}}
{"text": "January 23 , 2017 SpyNote RAT posing as Netflix app As users have become more attached to their mobile devices , they want everything on those devices .", "spans": {"Malware: SpyNote RAT": [[18, 29]], "System: Netflix app": [[40, 51]]}, "info": {"id": "cyner_mitre_test_00477", "source": "cyner_mitre_test"}}
{"text": "There ’ s an app for just about any facet of one ’ s personal and professional life , from booking travel and managing projects , to buying groceries and binge-watching the latest Netflix series .", "spans": {"Organization: Netflix": [[180, 187]]}, "info": {"id": "cyner_mitre_test_00478", "source": "cyner_mitre_test"}}
{"text": "The iOS and Android apps for Netflix are enormously popular , effectively turning a mobile device into a television with which users can stream full movies and TV programs anytime , anywhere .", "spans": {"System: iOS": [[4, 7]], "System: Android": [[12, 19]], "Organization: Netflix": [[29, 36]]}, "info": {"id": "cyner_mitre_test_00479", "source": "cyner_mitre_test"}}
{"text": "But the apps , with their many millions of users , have captured the attention of the bad actors , too , who are exploiting the popularity of Netflix to spread malware .", "spans": {"Organization: Netflix": [[142, 149]]}, "info": {"id": "cyner_mitre_test_00480", "source": "cyner_mitre_test"}}
{"text": "Recently , the ThreatLabZ research team came across a fake Netflix app , which turned out to be a new variant of SpyNote RAT ( Remote Access Trojan ) .", "spans": {"Organization: ThreatLabZ": [[15, 25]], "System: fake Netflix app": [[54, 70]], "Malware: SpyNote RAT": [[113, 124]]}, "info": {"id": "cyner_mitre_test_00481", "source": "cyner_mitre_test"}}
{"text": "SpyNote RAT is capable of performing a variety of alarming functions that includes : Activating the device ’ s microphone and listening to live conversations Executing commands on the device Copying files from the device to a Command & Control ( C & C ) center Recording screen captures Viewing contacts Reading SMS messages The screenshot below shows part of the sandbox ’ s report on the SpyNote RAT ’ s signature and detected functions : The fake Netflix app we are analyzing in this blog appears to be built using an updated version of SpyNote RAT builder ,", "spans": {"Malware: SpyNote RAT": [[0, 11], [390, 401], [540, 551]], "Organization: Netflix": [[450, 457]]}, "info": {"id": "cyner_mitre_test_00482", "source": "cyner_mitre_test"}}
{"text": "which was leaked last year .", "spans": {}, "info": {"id": "cyner_mitre_test_00483", "source": "cyner_mitre_test"}}
{"text": "Technical details Please note that our research is not about the legitimate Netflix app on Google Play .", "spans": {"System: Netflix app": [[76, 87]], "System: Google Play": [[91, 102]]}, "info": {"id": "cyner_mitre_test_00484", "source": "cyner_mitre_test"}}
{"text": "The spyware in this analysis was portraying itself as the Netflix app .", "spans": {"System: Netflix app": [[58, 69]]}, "info": {"id": "cyner_mitre_test_00485", "source": "cyner_mitre_test"}}
{"text": "Once installed , it displayed the icon found in the actual Netflix app on Google Play .", "spans": {"System: Netflix app": [[59, 70]], "System: Google Play": [[74, 85]]}, "info": {"id": "cyner_mitre_test_00486", "source": "cyner_mitre_test"}}
{"text": "As soon as the user clicks the spyware ’ s icon for the first time , nothing seems to happen and the icon disappears from the home screen .", "spans": {}, "info": {"id": "cyner_mitre_test_00487", "source": "cyner_mitre_test"}}
{"text": "This is a common trick played by malware developers , making the user think the app may have been removed .", "spans": {}, "info": {"id": "cyner_mitre_test_00488", "source": "cyner_mitre_test"}}
{"text": "But , behind the scenes , the malware has not been removed ; instead it starts preparing its onslaught of attacks .", "spans": {}, "info": {"id": "cyner_mitre_test_00489", "source": "cyner_mitre_test"}}
{"text": "For contacting C & C , the spyware was found to be using free DNS services , as shown in the screenshot below : SpyNote RAT uses an unusual trick to make sure that it remains up and running and that the spying does not stop .", "spans": {"Indicator: DNS": [[62, 65]], "Malware: SpyNote RAT": [[112, 123]]}, "info": {"id": "cyner_mitre_test_00490", "source": "cyner_mitre_test"}}
{"text": "It does so using the Services , Broadcast Receivers , and Activities components of the Android platform .", "spans": {"System: Android": [[87, 94]]}, "info": {"id": "cyner_mitre_test_00491", "source": "cyner_mitre_test"}}
{"text": "Services can perform long-running operations in the background and do not need a user interface .", "spans": {}, "info": {"id": "cyner_mitre_test_00492", "source": "cyner_mitre_test"}}
{"text": "Broadcast Receivers are Android components that can register themselves for particular events .", "spans": {"System: Android": [[24, 31]]}, "info": {"id": "cyner_mitre_test_00493", "source": "cyner_mitre_test"}}
{"text": "Activities are key building blocks , central to an app ’ s navigation , for example .", "spans": {}, "info": {"id": "cyner_mitre_test_00494", "source": "cyner_mitre_test"}}
{"text": "The SpyNote RAT registers a service called AutoStartup and a broadcast receiver named BootComplete .", "spans": {"Malware: SpyNote RAT": [[4, 15]]}, "info": {"id": "cyner_mitre_test_00495", "source": "cyner_mitre_test"}}
{"text": "MainActivity registers BootComplete with a boot event , so that whenever the device is booted , BootComplete gets triggered .", "spans": {}, "info": {"id": "cyner_mitre_test_00496", "source": "cyner_mitre_test"}}
{"text": "BootComplete starts the AutoStartup service and the AutoStartup service makes sure that MainActivity is always running .", "spans": {}, "info": {"id": "cyner_mitre_test_00497", "source": "cyner_mitre_test"}}
{"text": "What follows are some of the features exhibited by SpyNote RAT .", "spans": {"Malware: SpyNote RAT": [[51, 62]]}, "info": {"id": "cyner_mitre_test_00498", "source": "cyner_mitre_test"}}
{"text": "Command execution Command execution can create havoc for the victim if the malware developer decides to execute commands in the victim ’ s device .", "spans": {}, "info": {"id": "cyner_mitre_test_00499", "source": "cyner_mitre_test"}}
{"text": "Leveraging this feature , the malware developer can root the device using a range of vulnerabilities , well-known or zero-day .", "spans": {}, "info": {"id": "cyner_mitre_test_00500", "source": "cyner_mitre_test"}}
{"text": "The following screenshot shows the command execution functionality in action : The paramString parameter shown in the above screenshot can be any command received from C & C .", "spans": {}, "info": {"id": "cyner_mitre_test_00501", "source": "cyner_mitre_test"}}
{"text": "Screen capture and audio recording SpyNote RAT was able to take screen captures and , using the device ’ s microphone , listen to audio conversations .", "spans": {"Malware: SpyNote RAT": [[35, 46]]}, "info": {"id": "cyner_mitre_test_00502", "source": "cyner_mitre_test"}}
{"text": "This capability was confirmed when the Android permission , called android.permission.RECORD_AUDIO , was being requested along with code found in the app .", "spans": {"System: Android": [[39, 46]], "Indicator: android.permission.RECORD_AUDIO": [[67, 98]]}, "info": {"id": "cyner_mitre_test_00503", "source": "cyner_mitre_test"}}
{"text": "SpyNote RAT captured the device ’ s screen activities along with audio using the MediaProjectionCallback functionality ( available with Lollipop , the Android 5.0 release , and later ) and saved the output in a file named \" video.mp4 \" as shown in the following screenshot SMS stealing SpyNote RAT was also observed stealing SMS messages from the affected devices , as shown in screenshot below : Stealing contacts The ability to steal contacts is a favorite feature for spyware developers , as the stolen contacts can be used to further spread the spyware", "spans": {"Malware: SpyNote RAT": [[0, 11], [286, 297]], "System: Lollipop": [[136, 144]], "System: Android 5.0": [[151, 162]], "Indicator: video.mp4": [[224, 233]]}, "info": {"id": "cyner_mitre_test_00504", "source": "cyner_mitre_test"}}
{"text": ".", "spans": {}, "info": {"id": "cyner_mitre_test_00505", "source": "cyner_mitre_test"}}
{"text": "The following screenshot shows the contacts being stolen and written in a local array , which is then sent to C & C : Uninstalling apps Uninstalling apps is another function favored by developers of Android spyware and malware .", "spans": {"System: Android": [[199, 206]]}, "info": {"id": "cyner_mitre_test_00506", "source": "cyner_mitre_test"}}
{"text": "They tend to target any antivirus protections on the device and uninstall them , which increases the possibility of their malware persisting on the device .", "spans": {}, "info": {"id": "cyner_mitre_test_00507", "source": "cyner_mitre_test"}}
{"text": "Following screenshot shows this functionality in action : Other functions In addition to the functionalities we ’ ve described , the SpyNote RAT was exhibiting many other behaviors that make it more robust than most off-the-shelf malware .", "spans": {"Malware: SpyNote RAT": [[133, 144]]}, "info": {"id": "cyner_mitre_test_00508", "source": "cyner_mitre_test"}}
{"text": "SpyNote RAT was designed to function only over Wi-Fi , which is the preferable mode for Android malware to send files to C & C .", "spans": {"Malware: SpyNote RAT": [[0, 11]], "System: Android": [[88, 95]]}, "info": {"id": "cyner_mitre_test_00509", "source": "cyner_mitre_test"}}
{"text": "The screenshot below shows SpyNote RAT scanning for Wi-Fi and enabling it if a known channel is found : Additional features - SpyNote RAT could click photos using the device 's camera , based on commands from C & C .", "spans": {"Malware: SpyNote RAT": [[27, 38], [126, 137]]}, "info": {"id": "cyner_mitre_test_00510", "source": "cyner_mitre_test"}}
{"text": "- There were two interesting sub-classes found inside Main Activity : Receiver and Sender .", "spans": {}, "info": {"id": "cyner_mitre_test_00511", "source": "cyner_mitre_test"}}
{"text": "Receiver was involved in receiving commands from the Server and the main functionality of Sender was to send all the data collected to the C & C over Wi-Fi .", "spans": {}, "info": {"id": "cyner_mitre_test_00512", "source": "cyner_mitre_test"}}
{"text": "- SpyNote RAT was also collecting the device ’ s location to identify the exact location of the victim .", "spans": {"Malware: SpyNote RAT": [[2, 13]]}, "info": {"id": "cyner_mitre_test_00513", "source": "cyner_mitre_test"}}
{"text": "SpyNote RAT builder The SpyNote Remote Access Trojan ( RAT ) builder is gaining popularity in the hacking community , so we decided to study its pervasiveness .", "spans": {"Malware: SpyNote RAT": [[0, 11]], "Malware: SpyNote": [[24, 31]]}, "info": {"id": "cyner_mitre_test_00514", "source": "cyner_mitre_test"}}
{"text": "What we found were several other fake apps developed using the SpyNote builder , which should come as a warning to Android users .", "spans": {"Malware: SpyNote": [[63, 70]], "System: Android": [[115, 122]]}, "info": {"id": "cyner_mitre_test_00515", "source": "cyner_mitre_test"}}
{"text": "Some of the targeted apps were : Whatsapp YouTube Video Downloader Google Update Instagram Hack Wifi AirDroid WifiHacker Facebook Photoshop SkyTV Hotstar Trump Dash PokemonGo With many more to come .", "spans": {"System: Whatsapp": [[33, 41]], "System: YouTube Video Downloader": [[42, 66]], "System: Google Update": [[67, 80]], "System: Instagram": [[81, 90]], "System: Hack Wifi": [[91, 100]], "System: AirDroid": [[101, 109]], "System: WifiHacker": [[110, 120]], "System: Facebook": [[121, 129]], "System: Photoshop": [[130, 139]], "System: SkyTV": [[140, 145]], "System: Hotstar": [[146, 153]], "System: Trump Dash": [[154, 164]], "System: PokemonGo": [[165, 174]]}, "info": {"id": "cyner_mitre_test_00516", "source": "cyner_mitre_test"}}
{"text": "Furthermore , we found that in just the first two weeks of 2017 , there have been more than 120 such spyware variants already built using the same SpyNote Trojan builder as SpyNote RAT and roaming in the wild .", "spans": {"Malware: SpyNote": [[147, 154]], "Malware: SpyNote RAT": [[173, 184]]}, "info": {"id": "cyner_mitre_test_00517", "source": "cyner_mitre_test"}}
{"text": "A complete list of sample hashes is available here .", "spans": {}, "info": {"id": "cyner_mitre_test_00518", "source": "cyner_mitre_test"}}
{"text": "Conclusion The days when one needed in-depth coding knowledge to develop malware are long gone .", "spans": {}, "info": {"id": "cyner_mitre_test_00519", "source": "cyner_mitre_test"}}
{"text": "Nowadays , script kiddies can build a piece of malware that can create real havoc .", "spans": {}, "info": {"id": "cyner_mitre_test_00520", "source": "cyner_mitre_test"}}
{"text": "Moreover , there are many toolkits like the SpyNote Trojan builder that enable users to build malware with ease and few clicks .", "spans": {"Malware: SpyNote": [[44, 51]]}, "info": {"id": "cyner_mitre_test_00521", "source": "cyner_mitre_test"}}
{"text": "In particular , avoid side-loading apps from third-party app stores and avoid the temptation to play games that are not yet available on Android .", "spans": {"System: Android": [[137, 144]]}, "info": {"id": "cyner_mitre_test_00522", "source": "cyner_mitre_test"}}
{"text": "Yes , we are talking about SuperMarioRun , which was recently launched by Nintendo only for iOS users .", "spans": {"System: SuperMarioRun": [[27, 40]], "Organization: Nintendo": [[74, 82]], "System: iOS": [[92, 95]]}, "info": {"id": "cyner_mitre_test_00523", "source": "cyner_mitre_test"}}
{"text": "Recent blogs by the Zscaler research team explain how some variants of Android malware are exploiting the popularity of this game and tricking Android users into downloading a fake version .", "spans": {"Organization: Zscaler": [[20, 27]], "Malware: Android": [[71, 78]], "System: Android": [[143, 150]]}, "info": {"id": "cyner_mitre_test_00524", "source": "cyner_mitre_test"}}
{"text": "( Have a look here and here . )", "spans": {}, "info": {"id": "cyner_mitre_test_00525", "source": "cyner_mitre_test"}}
{"text": "You should also avoid the temptation to play games from sources other than legitimate app stores ; such games are not safe and may bring harm to your reputation and your bank account .", "spans": {}, "info": {"id": "cyner_mitre_test_00526", "source": "cyner_mitre_test"}}
{"text": "FakeSpy Masquerades as Postal Service Apps Around the World July 1 , 2020 KEY FINDINGS The Cybereason Nocturnus team is investigating a new campaign involving FakeSpy , an Android mobile malware that emerged around October 2017 .", "spans": {"Malware: FakeSpy": [[0, 7], [159, 166]], "Organization: Cybereason Nocturnus": [[91, 111]], "System: Android": [[172, 179]]}, "info": {"id": "cyner_mitre_test_00527", "source": "cyner_mitre_test"}}
{"text": "FakeSpy is an information stealer used to steal SMS messages , send SMS messages , steal financial data , read account information and contact lists , steal application data , and do much more .", "spans": {"Malware: FakeSpy": [[0, 7]]}, "info": {"id": "cyner_mitre_test_00528", "source": "cyner_mitre_test"}}
{"text": "FakeSpy first targeted South Korean and Japanese speakers .", "spans": {"Malware: FakeSpy": [[0, 7]]}, "info": {"id": "cyner_mitre_test_00529", "source": "cyner_mitre_test"}}
{"text": "However , it has begun to target users all around the world , especially users in countries like China , Taiwan , France , Switzerland , Germany , United Kingdom , United States , and others .", "spans": {}, "info": {"id": "cyner_mitre_test_00530", "source": "cyner_mitre_test"}}
{"text": "FakeSpy masquerades as legitimate postal service apps and transportation services in order to gain the users ' trust .", "spans": {"Malware: FakeSpy": [[0, 7]]}, "info": {"id": "cyner_mitre_test_00531", "source": "cyner_mitre_test"}}
{"text": "Once installed , the application requests permissions so that it may control SMS messages and steal sensitive data on the device , as well as proliferate to other devices in the target device ’ s contact list .", "spans": {}, "info": {"id": "cyner_mitre_test_00532", "source": "cyner_mitre_test"}}
{"text": "Cybereason 's investigation shows that the threat actor behind the FakeSpy campaign is a Chinese-speaking group dubbed \" Roaming Mantis '' , a group that has led similar campaigns .", "spans": {"Organization: Cybereason": [[0, 10]], "Malware: FakeSpy": [[67, 74]], "Organization: Roaming Mantis": [[121, 135]]}, "info": {"id": "cyner_mitre_test_00533", "source": "cyner_mitre_test"}}
{"text": "FakeSpy has been in the wild since 2017 ; this latest campaign indicates that it has become more powerful .", "spans": {"Malware: FakeSpy": [[0, 7]]}, "info": {"id": "cyner_mitre_test_00534", "source": "cyner_mitre_test"}}
{"text": "Code improvements , new capabilities , anti-emulation techniques , and new , global targets all suggest that this malware is well-maintained by its authors and continues to evolve .", "spans": {}, "info": {"id": "cyner_mitre_test_00535", "source": "cyner_mitre_test"}}
{"text": "TABLE OF CONTENTS Key Findings Introduction Threat Analysis Fakespy Code Analysis Dynamic Library Loading Stealing Sensitive Information Anti-Emulator Techniques Under Active Development Who is Behind Fakespy 's Smishing Campaigns ?", "spans": {"Malware: Fakespy": [[60, 67], [201, 208]]}, "info": {"id": "cyner_mitre_test_00536", "source": "cyner_mitre_test"}}
{"text": "Conclusions Cybereason Mobile Detects and Stops FakeSpy Indicators of Compromise INTRODUCTION For the past several weeks , Cybereason has been investigating a new version of Android malware dubbed FakeSpy , which was first identified in October 2017 and reported again in October 2018 .", "spans": {"Organization: Cybereason Mobile": [[12, 29]], "Malware: FakeSpy": [[48, 55], [197, 204]], "Organization: Cybereason": [[123, 133]], "System: Android": [[174, 181]]}, "info": {"id": "cyner_mitre_test_00537", "source": "cyner_mitre_test"}}
{"text": "A new campaign is up and running using newly improved , significantly more powerful malware as compared to previous versions .", "spans": {}, "info": {"id": "cyner_mitre_test_00538", "source": "cyner_mitre_test"}}
{"text": "FakeSpy is under active development and is evolving rapidly ; new versions are released every week with additional evasion techniques and capabilities .", "spans": {"Malware: FakeSpy": [[0, 7]]}, "info": {"id": "cyner_mitre_test_00539", "source": "cyner_mitre_test"}}
{"text": "Our analysis shows that the threat actor behind the FakeSpy malware is a Chinese-speaking group , commonly referred to as \" Roaming Mantis '' , a group that is known to have launched similar campaigns in the past .", "spans": {"Malware: FakeSpy": [[52, 59]], "Organization: Roaming Mantis": [[124, 138]]}, "info": {"id": "cyner_mitre_test_00540", "source": "cyner_mitre_test"}}
{"text": "FakeSpy is an information stealer that exfiltrates and sends SMS messages , steals financial and application data , reads account information and contact lists , and more .", "spans": {"Malware: FakeSpy": [[0, 7]]}, "info": {"id": "cyner_mitre_test_00541", "source": "cyner_mitre_test"}}
{"text": "The malware uses smishing , or SMS phishing , to infiltrate target devices , which is a technique that relies on social engineering .", "spans": {}, "info": {"id": "cyner_mitre_test_00542", "source": "cyner_mitre_test"}}
{"text": "The attackers send fake text messages to lure the victims to click on a malicious link .", "spans": {}, "info": {"id": "cyner_mitre_test_00543", "source": "cyner_mitre_test"}}
{"text": "The link directs them to a malicious web page , which prompts them to download an Android application package ( APK ) .", "spans": {}, "info": {"id": "cyner_mitre_test_00544", "source": "cyner_mitre_test"}}
{"text": "This most recent FakeSpy campaign appears to target users of postal services around the world .", "spans": {"Malware: FakeSpy": [[17, 24]]}, "info": {"id": "cyner_mitre_test_00545", "source": "cyner_mitre_test"}}
{"text": "New versions of FakeSpy masquerade as government post office apps and transportation services apps .", "spans": {"Malware: FakeSpy": [[16, 23]]}, "info": {"id": "cyner_mitre_test_00546", "source": "cyner_mitre_test"}}
{"text": "Our analysis indicates that the threat actors are no longer limiting their campaigns to East Asian countries , but are targeting additional countries around the world .", "spans": {}, "info": {"id": "cyner_mitre_test_00547", "source": "cyner_mitre_test"}}
{"text": "THREAT ANALYSIS Infection Vector : Smishing Your Device Thus far , FakeSpy campaigns are characterized by SMS phishing ( a.k.a .", "spans": {"Malware: FakeSpy": [[67, 74]]}, "info": {"id": "cyner_mitre_test_00548", "source": "cyner_mitre_test"}}
{"text": "smishing ) .", "spans": {}, "info": {"id": "cyner_mitre_test_00549", "source": "cyner_mitre_test"}}
{"text": "These SMS messages masquerade as a message from the local post office and link to the FakeSpy download .", "spans": {"Malware: FakeSpy": [[86, 93]]}, "info": {"id": "cyner_mitre_test_00550", "source": "cyner_mitre_test"}}
{"text": "In a previous campaign reported by JPCERT , mobile users were alerted by phishy messages containing “ delivery updates ” purportedly from Sagawa Express .", "spans": {"Organization: JPCERT": [[35, 41]], "Organization: Sagawa Express": [[138, 152]]}, "info": {"id": "cyner_mitre_test_00551", "source": "cyner_mitre_test"}}
{"text": "Fake SMS message luring users to enter a fake website , which contains the malicious APK ( JPCERT report ) .", "spans": {"Organization: JPCERT": [[91, 97]]}, "info": {"id": "cyner_mitre_test_00552", "source": "cyner_mitre_test"}}
{"text": "Clicking the SMS link brings the user to a fake website that prompts them to download and install the FakeSpy APK , which is masquerading as a local postal service app .", "spans": {"Malware: FakeSpy": [[102, 109]]}, "info": {"id": "cyner_mitre_test_00553", "source": "cyner_mitre_test"}}
{"text": "Targeting Postal and Transportation Services Companies One of the most significant findings is that new versions of FakeSpy target not only Korean and Japanese speakers , but also almost any postal service company around the world .", "spans": {"Malware: FakeSpy": [[116, 123]]}, "info": {"id": "cyner_mitre_test_00554", "source": "cyner_mitre_test"}}
{"text": "Example of more recent FakeSpy campaigns targeting France .", "spans": {"Malware: FakeSpy": [[23, 30]]}, "info": {"id": "cyner_mitre_test_00555", "source": "cyner_mitre_test"}}
{"text": "New FakeSpy campaign applications leveraging fake postal services apps .", "spans": {"Malware: FakeSpy": [[4, 11]]}, "info": {"id": "cyner_mitre_test_00556", "source": "cyner_mitre_test"}}
{"text": "All recent FakeSpy versions contain the same code with minor changes .", "spans": {"Malware: FakeSpy": [[11, 18]]}, "info": {"id": "cyner_mitre_test_00557", "source": "cyner_mitre_test"}}
{"text": "The FakeSpy malware has been found to masquerade as any of the following companies : United States Postal Service - An independent agency of the executive branch of the United States federal government .", "spans": {"Malware: FakeSpy": [[4, 11]], "Organization: United States Postal Service": [[85, 113]]}, "info": {"id": "cyner_mitre_test_00558", "source": "cyner_mitre_test"}}
{"text": "USPS is the most well-known branch of the US government and provides a publicly funded postal service .", "spans": {"Organization: USPS": [[0, 4]]}, "info": {"id": "cyner_mitre_test_00559", "source": "cyner_mitre_test"}}
{"text": "Royal Mail - British postal service and courier company .", "spans": {"Organization: Royal Mail": [[0, 10]]}, "info": {"id": "cyner_mitre_test_00560", "source": "cyner_mitre_test"}}
{"text": "For most of its history it operated as a government department or public corporation .", "spans": {}, "info": {"id": "cyner_mitre_test_00561", "source": "cyner_mitre_test"}}
{"text": "Deutsche Post - Deutsche Post DHL Group , a German multinational package delivery and supply chain management company headquartered in Bonn .", "spans": {"Organization: Deutsche Post": [[0, 13]], "Organization: DHL Group": [[30, 39]]}, "info": {"id": "cyner_mitre_test_00562", "source": "cyner_mitre_test"}}
{"text": "La Poste - La Poste is a public limited postal service company in France .", "spans": {"Organization: La Poste": [[0, 8]]}, "info": {"id": "cyner_mitre_test_00563", "source": "cyner_mitre_test"}}
{"text": "Japan Post - A private Japanese post , logistics and courier headquartered in Tokyo .", "spans": {"Organization: Japan Post": [[0, 10]]}, "info": {"id": "cyner_mitre_test_00564", "source": "cyner_mitre_test"}}
{"text": "Yamato Transport - One of Japan 's largest door-to-door delivery service companies , also in Tokyo .", "spans": {"Organization: Yamato Transport": [[0, 16]]}, "info": {"id": "cyner_mitre_test_00565", "source": "cyner_mitre_test"}}
{"text": "Chunghwa Post - The government-owned corporation Chunghwa is the official postal service of Taiwan .", "spans": {"Organization: Chunghwa Post": [[0, 13]], "Organization: Chunghwa": [[49, 57]]}, "info": {"id": "cyner_mitre_test_00566", "source": "cyner_mitre_test"}}
{"text": "Swiss Post - The national postal service of Switzerland , a fully state-owned limited company ( AG ) regulated by public law .", "spans": {"Organization: Swiss Post": [[0, 10]]}, "info": {"id": "cyner_mitre_test_00567", "source": "cyner_mitre_test"}}
{"text": "The fake applications are built using WebView , a popular extension of Android ’ s View class that lets the developer show a webpage .", "spans": {"System: WebView": [[38, 45]], "System: Android": [[71, 78]]}, "info": {"id": "cyner_mitre_test_00568", "source": "cyner_mitre_test"}}
{"text": "FakeSpy uses this view to redirect users to the original post office carrier webpage on launch of the application , continuing the deception .", "spans": {"Malware: FakeSpy": [[0, 7]]}, "info": {"id": "cyner_mitre_test_00569", "source": "cyner_mitre_test"}}
{"text": "This allows the application to appear legitimate , especially given these applications ' icons and user interfaces .", "spans": {}, "info": {"id": "cyner_mitre_test_00570", "source": "cyner_mitre_test"}}
{"text": "New FakeSpy applications masquerading as post office apps .", "spans": {"Malware: FakeSpy": [[4, 11]]}, "info": {"id": "cyner_mitre_test_00571", "source": "cyner_mitre_test"}}
{"text": "FAKESPY CODE ANALYSIS Once the user clicks on the malicious link from the SMS message , the app asks them to approve installation from unknown resources .", "spans": {"Malware: FAKESPY": [[0, 7]]}, "info": {"id": "cyner_mitre_test_00572", "source": "cyner_mitre_test"}}
{"text": "This configuration can be toggled on by going to ‘ Settings ’ - > ‘ Security ’ - > ‘ Unknown Resources ’ .", "spans": {}, "info": {"id": "cyner_mitre_test_00573", "source": "cyner_mitre_test"}}
{"text": "PackageInstaller shows the app ’ s permission access and asks for the user 's approval , which then installs the application .", "spans": {}, "info": {"id": "cyner_mitre_test_00574", "source": "cyner_mitre_test"}}
{"text": "This analysis dissects FakeSpy ’ s Chunghwa Post app version , which emerged in April 2020 .", "spans": {"Malware: FakeSpy": [[23, 30]]}, "info": {"id": "cyner_mitre_test_00575", "source": "cyner_mitre_test"}}
{"text": "During the installation , the malware asks for the following permissions : READ_PHONE_STATE - Allows read-only access to the phone state , including the current cellular network information , the status of any ongoing calls , and a list of any PhoneAccounts registered on the device .", "spans": {}, "info": {"id": "cyner_mitre_test_00576", "source": "cyner_mitre_test"}}
{"text": "READ_SMS - Allows the application to read text messages .", "spans": {}, "info": {"id": "cyner_mitre_test_00577", "source": "cyner_mitre_test"}}
{"text": "RECEIVE_SMS - Allows the application to receive SMS messages .", "spans": {}, "info": {"id": "cyner_mitre_test_00578", "source": "cyner_mitre_test"}}
{"text": "WRITE_SMS - Allows the application to write to SMS messages stored on the device or SIM card , including deleting messages .", "spans": {}, "info": {"id": "cyner_mitre_test_00579", "source": "cyner_mitre_test"}}
{"text": "SEND_SMS - Allows the application to send SMS messages .", "spans": {}, "info": {"id": "cyner_mitre_test_00580", "source": "cyner_mitre_test"}}
{"text": "INTERNET - Allows the application to open network sockets .", "spans": {}, "info": {"id": "cyner_mitre_test_00581", "source": "cyner_mitre_test"}}
{"text": "WRITE_EXTERNAL_STORAGE - Allows the application to write to external storage .", "spans": {}, "info": {"id": "cyner_mitre_test_00582", "source": "cyner_mitre_test"}}
{"text": "READ_EXTERNAL_STORAGE - Allows the application to read from external storage .", "spans": {}, "info": {"id": "cyner_mitre_test_00583", "source": "cyner_mitre_test"}}
{"text": "RECEIVE_BOOT_COMPLETED - Allows the application to receive a broadcast after the system finishes booting .", "spans": {}, "info": {"id": "cyner_mitre_test_00584", "source": "cyner_mitre_test"}}
{"text": "GET_TASKS - Allows the application to get information about current or recently run tasks ( deprecated in API level 21 ) .", "spans": {}, "info": {"id": "cyner_mitre_test_00585", "source": "cyner_mitre_test"}}
{"text": "SYSTEM_ALERT_WINDOW - Allows the application to create windows shown on top of all other apps .", "spans": {}, "info": {"id": "cyner_mitre_test_00586", "source": "cyner_mitre_test"}}
{"text": "WAKE_LOCK - Allows the application to use PowerManager WakeLocks to keep the processor from sleeping or the screen from dimming .", "spans": {}, "info": {"id": "cyner_mitre_test_00587", "source": "cyner_mitre_test"}}
{"text": "ACCESS_NETWORK_STATE - Allows the application to access information about networks .", "spans": {}, "info": {"id": "cyner_mitre_test_00588", "source": "cyner_mitre_test"}}
{"text": "REQUEST_IGNORE_BATTERY_OPTIMIZATIONS - Whitelists the application to allow it to ignore battery optimizations .", "spans": {}, "info": {"id": "cyner_mitre_test_00589", "source": "cyner_mitre_test"}}
{"text": "READ_CONTACTS - Allows the application to read the user 's contacts data .", "spans": {}, "info": {"id": "cyner_mitre_test_00590", "source": "cyner_mitre_test"}}
{"text": "FakeSpy package permissions .", "spans": {"Malware: FakeSpy": [[0, 7]]}, "info": {"id": "cyner_mitre_test_00591", "source": "cyner_mitre_test"}}
{"text": "On opening the app , two pop-up messages appear on screen : Change SMS App : This sets permissions to intercept every SMS received on the device and send a copy of these messages to the C2 server .", "spans": {}, "info": {"id": "cyner_mitre_test_00592", "source": "cyner_mitre_test"}}
{"text": "Ignore Battery Optimization : This sets permissions to continue to operate at full capacity while the phone 's screen is turned off and the phone locked .", "spans": {}, "info": {"id": "cyner_mitre_test_00593", "source": "cyner_mitre_test"}}
{"text": "These requests rely on the end user accepting the permission changes and point to the importance of healthy skepticism when granting applications permissions .", "spans": {}, "info": {"id": "cyner_mitre_test_00594", "source": "cyner_mitre_test"}}
{"text": "FakeSpy Chunghwa Post version installation process and application UI .", "spans": {"Malware: FakeSpy": [[0, 7]], "Organization: Chunghwa Post": [[8, 21]]}, "info": {"id": "cyner_mitre_test_00595", "source": "cyner_mitre_test"}}
{"text": "DYNAMIC LIBRARY LOADING Once the application has finished the installation process , the malware starts its real malicious activity .", "spans": {}, "info": {"id": "cyner_mitre_test_00596", "source": "cyner_mitre_test"}}
{"text": "The malicious application da.hao.pao.bin ( Chunghwa Post ) loads a library file libmsy.so used to execute the packed mycode.jar file .", "spans": {"Indicator: da.hao.pao.bin": [[26, 40]], "Organization: Chunghwa Post": [[43, 56]], "Indicator: libmsy.so": [[80, 89]], "Indicator: mycode.jar file": [[117, 132]]}, "info": {"id": "cyner_mitre_test_00597", "source": "cyner_mitre_test"}}
{"text": "The JAR file is the decrypted version of the file tong.luo , which is located in the assets folder .", "spans": {"Indicator: tong.luo": [[50, 58]]}, "info": {"id": "cyner_mitre_test_00598", "source": "cyner_mitre_test"}}
{"text": "Decompiled APK resources .", "spans": {}, "info": {"id": "cyner_mitre_test_00599", "source": "cyner_mitre_test"}}
{"text": "By comparing the sizes of the encrypted asset file tong.luo vs the decrypted JAR file mycode.jar , it is interesting to note that it is the same file ( almost the same size ) .", "spans": {"Indicator: tong.luo": [[51, 59]], "Indicator: mycode.jar": [[86, 96]]}, "info": {"id": "cyner_mitre_test_00600", "source": "cyner_mitre_test"}}
{"text": "Comparing encrypted vs decrypted asset file .", "spans": {}, "info": {"id": "cyner_mitre_test_00601", "source": "cyner_mitre_test"}}
{"text": "After libmsy.so decrypts the asset file tong.luo , it loads mycode.jar dynamically into FakeSpy ’ s process , as is shown from the output of the “ adb logcat ” command .", "spans": {"Indicator: libmsy.so": [[6, 15]], "Indicator: tong.luo": [[40, 48]], "Indicator: mycode.jar": [[60, 70]], "Malware: FakeSpy": [[88, 95]]}, "info": {"id": "cyner_mitre_test_00602", "source": "cyner_mitre_test"}}
{"text": "Logcat logs show FakeSpy uses libmsy.so to execute the malicious packed mycode.jar file .", "spans": {"Malware: FakeSpy": [[17, 24]], "Indicator: libmsy.so": [[30, 39]], "Indicator: mycode.jar file": [[72, 87]]}, "info": {"id": "cyner_mitre_test_00603", "source": "cyner_mitre_test"}}
{"text": "Analyzing the running processes on the infected device shows that the malware creates a child process of itself to perform the multi-process ptrace anti-debugging technique .", "spans": {}, "info": {"id": "cyner_mitre_test_00604", "source": "cyner_mitre_test"}}
{"text": "FakeSpy uses an anti-debugging technique by creating another child process of itself .", "spans": {"Malware: FakeSpy": [[0, 7]]}, "info": {"id": "cyner_mitre_test_00605", "source": "cyner_mitre_test"}}
{"text": "By performing a deep analysis of the malware , we were able to extract the unpacked JAR file mycode.jar and reveal some very interesting code .", "spans": {"Indicator: mycode.jar": [[93, 103]]}, "info": {"id": "cyner_mitre_test_00606", "source": "cyner_mitre_test"}}
{"text": "STEALING SENSITIVE INFORMATION FakeSpy has multiple built in information stealing capabilities .", "spans": {"Malware: FakeSpy": [[31, 38]]}, "info": {"id": "cyner_mitre_test_00607", "source": "cyner_mitre_test"}}
{"text": "The first function is used for contact information stealing : the function upCon steals all contacts in the contact list and their information .", "spans": {}, "info": {"id": "cyner_mitre_test_00608", "source": "cyner_mitre_test"}}
{"text": "Then , it sends it to the C2 server using the URL that ends with /servlet/ContactUpload .", "spans": {"Indicator: /servlet/ContactUpload": [[65, 87]]}, "info": {"id": "cyner_mitre_test_00609", "source": "cyner_mitre_test"}}
{"text": "The stolen data fields are : Mobile - The infected device phone number and contact ’ s phone number ; Contacts - A headline used for the attacker to distinguish between the type of stolen information he gets ; Name - Contact ’ s full name ( Display name ) . upCon ( upload contact ) function used for stealing contact list information .", "spans": {}, "info": {"id": "cyner_mitre_test_00610", "source": "cyner_mitre_test"}}
{"text": "For testing purposes we inserted a fake contacts list to our Android Emulator and observed resultant behavior .", "spans": {"System: Android": [[61, 68]]}, "info": {"id": "cyner_mitre_test_00611", "source": "cyner_mitre_test"}}
{"text": "Exfiltrated contact list data sent to the C2 server .", "spans": {}, "info": {"id": "cyner_mitre_test_00612", "source": "cyner_mitre_test"}}
{"text": "The second stealing function is the onStartCommand , which steals infected device data and additional information .", "spans": {}, "info": {"id": "cyner_mitre_test_00613", "source": "cyner_mitre_test"}}
{"text": "The stolen data is sent to the C2 server using the URL ending with /servlet/xx .", "spans": {"Indicator: /servlet/xx": [[67, 78]]}, "info": {"id": "cyner_mitre_test_00614", "source": "cyner_mitre_test"}}
{"text": "The stolen data fields are : Mobile - The infected device phone number ; Machine - The device model ( in our example : Google Pixel 2 ) ; Sversion - The OS version ; Bank - Checks if there are any banking-related or cryptocurrency trading apps ; Provider - The telecommunication provider ( IMSI value in device settings ) ; npki - Checks if the folder named NPKI ( National Public Key Infrastructure ) might contain authentication certificates related to financial transactions . onStartCommand function for stealing device information and additional sensitive data .", "spans": {"System: Google Pixel 2": [[119, 133]]}, "info": {"id": "cyner_mitre_test_00615", "source": "cyner_mitre_test"}}
{"text": "Exfiltrated device information and additional sensitive data sent to the C2 server .", "spans": {}, "info": {"id": "cyner_mitre_test_00616", "source": "cyner_mitre_test"}}
{"text": "FakeSpy asks to be the default SMS app because it uses the function onReceive to intercept incoming SMS messages .", "spans": {"Malware: FakeSpy": [[0, 7]]}, "info": {"id": "cyner_mitre_test_00617", "source": "cyner_mitre_test"}}
{"text": "It saves the messages ’ metadata and content , filters the information by fields , and sends them to the C2 server using the URL /servlet/SendMassage2 .", "spans": {"Indicator: /servlet/SendMassage2": [[129, 150]]}, "info": {"id": "cyner_mitre_test_00618", "source": "cyner_mitre_test"}}
{"text": "The fields it collects are : Mobile - The phone number which sent the SMS ; Content - The message body ; Sender - The contact name who sent the message ; Time - The time the message was received . onReceive function used to intercept incoming SMS messages .", "spans": {}, "info": {"id": "cyner_mitre_test_00619", "source": "cyner_mitre_test"}}
{"text": "The malware uses the function sendAll to send messages that spread the malware to other devices .", "spans": {}, "info": {"id": "cyner_mitre_test_00620", "source": "cyner_mitre_test"}}
{"text": "It sends a smishing message to the entire contact list of the infected device along with the malicious link to the FakeSpy installation page .", "spans": {"Malware: FakeSpy": [[115, 122]]}, "info": {"id": "cyner_mitre_test_00621", "source": "cyner_mitre_test"}}
{"text": "sendAll function used to spread malicious messages to the contact list .", "spans": {}, "info": {"id": "cyner_mitre_test_00622", "source": "cyner_mitre_test"}}
{"text": "Another interesting feature in FakeSpy ’ s code is the collection of the device 's IMEI ( International Mobile Station Equipment Identity ) number and all installed applications using the function upAppinfos .", "spans": {"Malware: FakeSpy": [[31, 38]]}, "info": {"id": "cyner_mitre_test_00623", "source": "cyner_mitre_test"}}
{"text": "It sends all of this data to the C2 server using the URL ending with /servlet/AppInfos .", "spans": {"Indicator: /servlet/AppInfos": [[69, 86]]}, "info": {"id": "cyner_mitre_test_00624", "source": "cyner_mitre_test"}}
{"text": "upAppinfos function used for obtaining the device IMEI and all of its installed applications .", "spans": {}, "info": {"id": "cyner_mitre_test_00625", "source": "cyner_mitre_test"}}
{"text": "FakeSpy is able to check the network connectivity status by using the function isNetworkAvailable .", "spans": {"Malware: FakeSpy": [[0, 7]]}, "info": {"id": "cyner_mitre_test_00626", "source": "cyner_mitre_test"}}
{"text": "What makes this function more suspicious are the two strings written in Chinese characters : ===状态=== ( ===Status=== ) - Checks whether the device is connected to a network ; ===类型=== ( ===Type=== ) - Checks whether the device sees available nearby Wifi networks . isNetworkAvailable function used for monitoring network connectivity status .", "spans": {}, "info": {"id": "cyner_mitre_test_00627", "source": "cyner_mitre_test"}}
{"text": "ANTI-EMULATOR TECHNIQUES FakeSpy appears to use multiple techniques to evade detection via the emulator .", "spans": {"Malware: FakeSpy": [[25, 32]]}, "info": {"id": "cyner_mitre_test_00628", "source": "cyner_mitre_test"}}
{"text": "It shows that the malware can detect whether it ’ s running in an emulated environment or a real mobile device , and can change its code pattern accordingly .", "spans": {}, "info": {"id": "cyner_mitre_test_00629", "source": "cyner_mitre_test"}}
{"text": "The first example of this is in the onStart function , where the malware looks for the string “ Emulator ” and an x86 processor model .", "spans": {}, "info": {"id": "cyner_mitre_test_00630", "source": "cyner_mitre_test"}}
{"text": "Anti-emulator code .", "spans": {}, "info": {"id": "cyner_mitre_test_00631", "source": "cyner_mitre_test"}}
{"text": "In order to simulate this technique , we took two videos side by side of how FakeSpy ( the Royal Mail sample ) behaves differently on a physical device versus an emulator .", "spans": {"Malware: FakeSpy": [[77, 84]], "Organization: Royal Mail": [[91, 101]]}, "info": {"id": "cyner_mitre_test_00632", "source": "cyner_mitre_test"}}
{"text": "FakeSpy behavior on physical device vs emulator ( anti-emulator ) .", "spans": {"Malware: FakeSpy": [[0, 7]]}, "info": {"id": "cyner_mitre_test_00633", "source": "cyner_mitre_test"}}
{"text": "This simulation shows that FakeSpy behaves differently on a physical device versus an emulator .", "spans": {"Malware: FakeSpy": [[27, 34]]}, "info": {"id": "cyner_mitre_test_00634", "source": "cyner_mitre_test"}}
{"text": "When executed the second time by clicking on the app on the physical device , FakeSpy redirects to the app settings .", "spans": {"Malware: FakeSpy": [[78, 85]]}, "info": {"id": "cyner_mitre_test_00635", "source": "cyner_mitre_test"}}
{"text": "In contrast , on the emulator , a toast message is displayed that shows “ Install completed ” , at which point FakeSpy removes its shortcut from the device 's homescreen .", "spans": {"Malware: FakeSpy": [[111, 118]]}, "info": {"id": "cyner_mitre_test_00636", "source": "cyner_mitre_test"}}
{"text": "Another example of FakeSpy ’ s anti-emulation techniques is how it uses the getMachine function , which uses the TelephonyManager class to check for the deviceID , phone number , IMEI , and IMSI .", "spans": {"Malware: FakeSpy": [[19, 26]]}, "info": {"id": "cyner_mitre_test_00637", "source": "cyner_mitre_test"}}
{"text": "Some emulators build their phone number out of the default number created in the emulator software and the port number : 5554. getMachine function using anti-emulator technique .", "spans": {"Indicator: port number : 5554.": [[107, 126]]}, "info": {"id": "cyner_mitre_test_00638", "source": "cyner_mitre_test"}}
{"text": "UNDER ACTIVE DEVELOPMENT Comparing new FakeSpy samples to old ones showed code discrepancies and new features .", "spans": {"Malware: FakeSpy": [[39, 46]]}, "info": {"id": "cyner_mitre_test_00639", "source": "cyner_mitre_test"}}
{"text": "These artifacts indicate that FakeSpy 's campaign is still live and under development .", "spans": {"Malware: FakeSpy": [[30, 37]]}, "info": {"id": "cyner_mitre_test_00640", "source": "cyner_mitre_test"}}
{"text": "The newer version of FakeSpy uses new URL addresses for malicious communication with FakeSpy .", "spans": {"Malware: FakeSpy": [[21, 28], [85, 92]]}, "info": {"id": "cyner_mitre_test_00641", "source": "cyner_mitre_test"}}
{"text": "The function main uses a DES encryption algorithm to encode these addresses .", "spans": {}, "info": {"id": "cyner_mitre_test_00642", "source": "cyner_mitre_test"}}
{"text": "The examples below show the plaintext key “ TEST ” to decrypt encoded hexadecimal strings ( jUtils.decrypt ( ) ) .", "spans": {}, "info": {"id": "cyner_mitre_test_00643", "source": "cyner_mitre_test"}}
{"text": "These encoded strings contain the new URL addresses not seen in older versions of FakeSpy .", "spans": {"Malware: FakeSpy": [[82, 89]]}, "info": {"id": "cyner_mitre_test_00644", "source": "cyner_mitre_test"}}
{"text": "Comparing strings from an old FakeSpy sample to a new one .", "spans": {"Malware: FakeSpy": [[30, 37]]}, "info": {"id": "cyner_mitre_test_00645", "source": "cyner_mitre_test"}}
{"text": "WHO IS BEHIND FAKESPY ’ S SMISHING CAMPAIGNS ?", "spans": {"Malware: FAKESPY": [[14, 21]]}, "info": {"id": "cyner_mitre_test_00646", "source": "cyner_mitre_test"}}
{"text": "The Cybereason Nocturnus team suspects that the malware operators and authors are Chinese speakers .", "spans": {"Organization: Cybereason Nocturnus": [[4, 24]]}, "info": {"id": "cyner_mitre_test_00647", "source": "cyner_mitre_test"}}
{"text": "Our findings , along with previous research , indicate that the threat actor behind these recent campaigns is likely a Chinese group dubbed “ Roaming Mantis ” .", "spans": {"Organization: Roaming Mantis": [[142, 156]]}, "info": {"id": "cyner_mitre_test_00648", "source": "cyner_mitre_test"}}
{"text": "Roaming Mantis is believed to be a Chinese threat actor group first discovered in April 2018 that has continuously evolved .", "spans": {"Organization: Roaming Mantis": [[0, 14]]}, "info": {"id": "cyner_mitre_test_00649", "source": "cyner_mitre_test"}}
{"text": "In the beginning , this threat group mainly targeted Asian countries .", "spans": {}, "info": {"id": "cyner_mitre_test_00650", "source": "cyner_mitre_test"}}
{"text": "Now , they are expanding their activity to audiences all around the world .", "spans": {}, "info": {"id": "cyner_mitre_test_00651", "source": "cyner_mitre_test"}}
{"text": "As part of their activities , they are known for hijacking DNS settings on Japanese routers that redirect users to malicious IP addresses , creating disguised malicious Android apps that appear as popular apps , stealing Apple ID credentials by creating Apple phishing pages , as well as performing web crypto mining on browsers .", "spans": {"System: Android": [[169, 176]], "Organization: Apple": [[221, 226], [254, 259]]}, "info": {"id": "cyner_mitre_test_00652", "source": "cyner_mitre_test"}}
{"text": "CONNECTION TO CHINA Chinese server infrastructure : FakeSpy applications send stolen information to C2 domains with .club TLDs and URLs ending with /servlet/ [ C2 Command ] ( mentioned above in the “ Stealing Sensitive Information ” section ) .", "spans": {"Malware: FakeSpy": [[52, 59]], "Indicator: .club TLDs": [[116, 126]], "Indicator: /servlet/ [ C2 Command ]": [[148, 172]]}, "info": {"id": "cyner_mitre_test_00653", "source": "cyner_mitre_test"}}
{"text": "All of these domains are registered to ‘ Li Jun Biao ’ on Bizcn , Inc , a Chinese Internet application service provider .", "spans": {"Organization: Bizcn , Inc": [[58, 69]]}, "info": {"id": "cyner_mitre_test_00654", "source": "cyner_mitre_test"}}
{"text": "Chinese language traces in the code : During the investigation , the Cybereason Nocturnus team discovered code artifacts that may indicate Chinese threat actors .", "spans": {"Organization: Cybereason Nocturnus": [[69, 89]]}, "info": {"id": "cyner_mitre_test_00655", "source": "cyner_mitre_test"}}
{"text": "For example , we found several suspicious strings written in the Chinese language in a function called isNetworkAvailable , previously discussed in this blog : An almost identical function is mentioned in an earlier research , that ties FakeSpy and other malware to the Roaming Mantis group .", "spans": {"Malware: FakeSpy": [[237, 244]], "Organization: Roaming Mantis": [[270, 284]]}, "info": {"id": "cyner_mitre_test_00656", "source": "cyner_mitre_test"}}
{"text": "Chinese APK names : Some of FakeSpy ’ s APK package names contain anglicized Chinese ( Mandarin ) words that might be related to Chinese songs and lyrics , food , provinces , etc .", "spans": {"Malware: FakeSpy": [[28, 35]]}, "info": {"id": "cyner_mitre_test_00657", "source": "cyner_mitre_test"}}
{"text": "CONCLUSIONS FakeSpy was first seen in October 2017 and until recently mainly targeted East Asian countries .", "spans": {"Malware: FakeSpy": [[12, 19]]}, "info": {"id": "cyner_mitre_test_00658", "source": "cyner_mitre_test"}}
{"text": "Our research shows fresh developments in the malware ’ s code and sophistication , as well as an expansion to target Europe and North America .", "spans": {}, "info": {"id": "cyner_mitre_test_00659", "source": "cyner_mitre_test"}}
{"text": "This mobile malware masquerades as legitimate , trusted postal service applications so that it can gain the users trust .", "spans": {}, "info": {"id": "cyner_mitre_test_00660", "source": "cyner_mitre_test"}}
{"text": "Once it has been installed , it requests permissions from the user so that it can steal sensitive data , manipulate SMS messages , and potentially infect contacts of the user .", "spans": {}, "info": {"id": "cyner_mitre_test_00661", "source": "cyner_mitre_test"}}
{"text": "The malware now targets more countries all over the world by masquerading as official post office and transportation services apps .", "spans": {}, "info": {"id": "cyner_mitre_test_00662", "source": "cyner_mitre_test"}}
{"text": "These apps appear legitimate due to their app logo , UI appearance , and redirects to the carrier webpage -- all luring end users to believe it ’ s the original one .", "spans": {}, "info": {"id": "cyner_mitre_test_00663", "source": "cyner_mitre_test"}}
{"text": "In this blog , we showed that the threat actor behind the recent FakeSpy campaign is a Chinese-speaking group called “ Roaming Mantis ” known to operate mainly in Asia .", "spans": {"Malware: FakeSpy": [[65, 72]], "Organization: Roaming Mantis": [[119, 133]]}, "info": {"id": "cyner_mitre_test_00664", "source": "cyner_mitre_test"}}
{"text": "It is interesting to see that the group has expanded their operation to other regions , such as the United States and Europe .", "spans": {}, "info": {"id": "cyner_mitre_test_00665", "source": "cyner_mitre_test"}}
{"text": "The malware authors seem to be putting a lot of effort into improving this malware , bundling it with numerous new upgrades that make it more sophisticated , evasive , and well-equipped .", "spans": {}, "info": {"id": "cyner_mitre_test_00666", "source": "cyner_mitre_test"}}
{"text": "These improvements render FakeSpy one of the most powerful information stealers on the market .", "spans": {"Malware: FakeSpy": [[26, 33]]}, "info": {"id": "cyner_mitre_test_00667", "source": "cyner_mitre_test"}}
{"text": "We anticipate this malware to continue to evolve with additional new features ; the only question now is when we will see the next wave .", "spans": {}, "info": {"id": "cyner_mitre_test_00668", "source": "cyner_mitre_test"}}
{"text": "First Twitter‑controlled Android botnet discovered Detected by ESET as Android/Twitoor , this malware is unique because of its resilience mechanism .", "spans": {"System: Twitter‑controlled": [[6, 24]], "System: Android": [[25, 32]], "Organization: ESET": [[63, 67]], "Malware: Android/Twitoor": [[71, 86]]}, "info": {"id": "cyner_mitre_test_00669", "source": "cyner_mitre_test"}}
{"text": "Instead of being controlled by a traditional command-and-control server , it receives instructions via tweets .", "spans": {}, "info": {"id": "cyner_mitre_test_00670", "source": "cyner_mitre_test"}}
{"text": "24 Aug 2016 - 02:05PM Android/Twitoor is a backdoor capable of downloading other malware onto an infected device .", "spans": {"Malware: Android/Twitoor": [[22, 37]]}, "info": {"id": "cyner_mitre_test_00671", "source": "cyner_mitre_test"}}
{"text": "It has been active for around one month .", "spans": {}, "info": {"id": "cyner_mitre_test_00672", "source": "cyner_mitre_test"}}
{"text": "This malicious app , detected by ESET as a variant of Android/Twitoor.A , can ’ t be found on any official Android app store – it probably spreads by SMS or via malicious URLs .", "spans": {"Organization: ESET": [[33, 37]], "Malware: Android/Twitoor.A": [[54, 71]], "System: Android app store": [[107, 124]]}, "info": {"id": "cyner_mitre_test_00673", "source": "cyner_mitre_test"}}
{"text": "It impersonates a porn player app or MMS application but without having their functionality .", "spans": {}, "info": {"id": "cyner_mitre_test_00674", "source": "cyner_mitre_test"}}
{"text": "After launching , it hides its presence on the system and checks the defined Twitter account at regular intervals for commands .", "spans": {"System: Twitter": [[77, 84]]}, "info": {"id": "cyner_mitre_test_00675", "source": "cyner_mitre_test"}}
{"text": "Based on received commands , it can either download malicious apps or switch the C & C Twitter account to another one .", "spans": {"System: Twitter": [[87, 94]]}, "info": {"id": "cyner_mitre_test_00676", "source": "cyner_mitre_test"}}
{"text": "“ Using Twitter instead of command-and-control ( C & C ) servers is pretty innovative for an Android botnet. ” “ Using Twitter instead of command-and-control ( C & C ) servers is pretty innovative for an Android botnet , ” says Lukáš Štefanko , the ESET malware researcher who discovered the malicious app .", "spans": {"System: Twitter": [[8, 15]], "System: Android": [[93, 100], [204, 211]], "Organization: Twitter": [[119, 126]], "Organization: ESET": [[249, 253]]}, "info": {"id": "cyner_mitre_test_00677", "source": "cyner_mitre_test"}}
{"text": "Malware that enslaves devices to form botnets needs to be able to receive updated instructions .", "spans": {}, "info": {"id": "cyner_mitre_test_00678", "source": "cyner_mitre_test"}}
{"text": "That communication is an Achilles heel for any botnet – it may raise suspicion and , cutting the bots off is always lethal to the botnet ’ s functioning .", "spans": {}, "info": {"id": "cyner_mitre_test_00679", "source": "cyner_mitre_test"}}
{"text": "Additionally , should the command-and-control ( C & C ) servers get seized by the authorities , it would ultimately lead to disclosing information about the entire botnet .", "spans": {}, "info": {"id": "cyner_mitre_test_00680", "source": "cyner_mitre_test"}}
{"text": "To make the Twitoor botnet ’ s communication more resilient , botnet designers took various steps like encrypting their messages , using complex topologies of the C & C network – or using innovative means for communication , among them the use of social networks .", "spans": {"Malware: Twitoor": [[12, 19]]}, "info": {"id": "cyner_mitre_test_00681", "source": "cyner_mitre_test"}}
{"text": "“ These communication channels are hard to discover and even harder to block entirely .", "spans": {}, "info": {"id": "cyner_mitre_test_00682", "source": "cyner_mitre_test"}}
{"text": "On the other hand , it ’ s extremely easy for the crooks to re-direct communications to another freshly created account , ” explains Štefanko .", "spans": {}, "info": {"id": "cyner_mitre_test_00683", "source": "cyner_mitre_test"}}
{"text": "In the Windows space , Twitter , founded in 2006 , was first used to control botnets as early as in 2009 .", "spans": {"System: Windows": [[7, 14]], "Organization: Twitter": [[23, 30]]}, "info": {"id": "cyner_mitre_test_00684", "source": "cyner_mitre_test"}}
{"text": "Android bots have also already been found being controlled via other non-traditional means – blogs or some of the many cloud messaging systems like Google ’ s or Baidu ’ s – but Twitoor is the first Twitter-based bot malware , according to Štefanko .", "spans": {"System: Android": [[0, 7]], "Organization: Google": [[148, 154]], "Organization: Baidu": [[162, 167]], "Malware: Twitoor": [[178, 185]], "System: Twitter-based": [[199, 212]]}, "info": {"id": "cyner_mitre_test_00685", "source": "cyner_mitre_test"}}
{"text": "“ In the future , we can expect that the bad guys will try to make use of Facebook statuses or deploy LinkedIn and other social networks ” , states ESET ’ s researcher .", "spans": {"System: Facebook": [[74, 82]], "System: LinkedIn": [[102, 110]], "Organization: ESET": [[148, 152]]}, "info": {"id": "cyner_mitre_test_00686", "source": "cyner_mitre_test"}}
{"text": "Currently , the Twitoor trojan has been downloading several versions of mobile banking malware .", "spans": {"Malware: Twitoor": [[16, 23]]}, "info": {"id": "cyner_mitre_test_00687", "source": "cyner_mitre_test"}}
{"text": "However , the botnet operators can start distributing other malware , including ransomware , at any time warns Štefanko .", "spans": {}, "info": {"id": "cyner_mitre_test_00688", "source": "cyner_mitre_test"}}
{"text": "“ Twitoor serves as another example of how cybercriminals keep on innovating their business , ” Stefanko continues .", "spans": {"Malware: Twitoor": [[2, 9]]}, "info": {"id": "cyner_mitre_test_00689", "source": "cyner_mitre_test"}}
{"text": "“ The takeaway ?", "spans": {}, "info": {"id": "cyner_mitre_test_00690", "source": "cyner_mitre_test"}}
{"text": "Internet users should keep on securing their activities with good security solutions for both computers and mobile devices. ” Hashes : E5212D4416486AF42E7ED1F58A526AEF77BE89BE A9891222232145581FE8D0D483EDB4B18836BCFC AFF9F39A6CA5D68C599B30012D79DA29E2672C6E Insidious Android malware gives up all malicious features but one to gain stealth ESET researchers detect a new way of misusing Accessibility", "spans": {"Indicator: E5212D4416486AF42E7ED1F58A526AEF77BE89BE": [[135, 175]], "Indicator: A9891222232145581FE8D0D483EDB4B18836BCFC": [[176, 216]], "Indicator: AFF9F39A6CA5D68C599B30012D79DA29E2672C6E": [[217, 257]], "System: Android": [[268, 275]], "Organization: ESET": [[340, 344]]}, "info": {"id": "cyner_mitre_test_00691", "source": "cyner_mitre_test"}}
{"text": "Service , the Achilles ’ heel of Android security 22 May 2020 - 03:00PM ESET researchers have analyzed an extremely dangerous Android app that can perform a host of nefarious actions , notably wiping out the victim ’ s bank account or cryptocurrency wallet and taking over their email or social media accounts .", "spans": {"System: Android": [[33, 40], [126, 133]], "Organization: ESET": [[72, 76]]}, "info": {"id": "cyner_mitre_test_00692", "source": "cyner_mitre_test"}}
{"text": "Called “ DEFENSOR ID ” , the banking trojan was available on Google Play at the time of the analysis .", "spans": {"Malware: DEFENSOR ID": [[9, 20]], "System: Google Play": [[61, 72]]}, "info": {"id": "cyner_mitre_test_00693", "source": "cyner_mitre_test"}}
{"text": "The app is fitted with standard information-stealing capabilities ; however , this banker is exceptionally insidious in that after installation it requires a single action from the victim – enable Android ’ s Accessibility Service – to fully unleash the app ’ s malicious functionality .", "spans": {"System: Android": [[197, 204]]}, "info": {"id": "cyner_mitre_test_00694", "source": "cyner_mitre_test"}}
{"text": "The DEFENSOR ID app made it onto the heavily guarded Google Play store thanks to its extreme stealth .", "spans": {"Malware: DEFENSOR ID": [[4, 15]], "System: Google Play store": [[53, 70]]}, "info": {"id": "cyner_mitre_test_00695", "source": "cyner_mitre_test"}}
{"text": "Its creators reduced the app ’ s malicious surface to the bare minimum by removing all potentially malicious functionalities but one : abusing Accessibility Service .", "spans": {}, "info": {"id": "cyner_mitre_test_00696", "source": "cyner_mitre_test"}}
{"text": "Accessibility Service is long known to be the Achilles ’ heel of the Android operating system .", "spans": {"System: Android": [[69, 76]]}, "info": {"id": "cyner_mitre_test_00697", "source": "cyner_mitre_test"}}
{"text": "Security solutions can detect it in countless combinations with other suspicious permissions and functions , or malicious functionalities – but when faced with no additional functionality nor permission , all failed to trigger any alarm on DEFENSOR ID .", "spans": {"Malware: DEFENSOR ID": [[240, 251]]}, "info": {"id": "cyner_mitre_test_00698", "source": "cyner_mitre_test"}}
{"text": "By “ all ” we mean all security mechanisms guarding the official Android app store ( including the detection engines of the members of the App Defense Alliance ) and all security vendors participating in the VirusTotal program ( see Figure 1 ) .", "spans": {"System: Android app store": [[65, 82]], "Organization: App Defense Alliance": [[139, 159]], "Organization: VirusTotal": [[208, 218]]}, "info": {"id": "cyner_mitre_test_00699", "source": "cyner_mitre_test"}}
{"text": "DEFENSOR ID was released on Feb 3 , 2020 and last updated to v1.4 on May 6 , 2020 .", "spans": {"Malware: DEFENSOR ID": [[0, 11]]}, "info": {"id": "cyner_mitre_test_00700", "source": "cyner_mitre_test"}}
{"text": "The latest version is analyzed here ; we weren ’ t able to determine if the earlier versions were also malicious .", "spans": {}, "info": {"id": "cyner_mitre_test_00701", "source": "cyner_mitre_test"}}
{"text": "According to its profile at Google Play ( see Figure 2 ) the app reached a mere 10+ downloads .", "spans": {"System: Google Play": [[28, 39]]}, "info": {"id": "cyner_mitre_test_00702", "source": "cyner_mitre_test"}}
{"text": "We reported it to Google on May 16 , 2020 and since May 19 , 2020 the app has no longer been available on Google Play .", "spans": {"Organization: Google": [[18, 24]], "System: Google Play": [[106, 117]]}, "info": {"id": "cyner_mitre_test_00703", "source": "cyner_mitre_test"}}
{"text": "The developer name used , GAS Brazil , suggests the criminals behind the app targeted Brazilian users .", "spans": {}, "info": {"id": "cyner_mitre_test_00704", "source": "cyner_mitre_test"}}
{"text": "Apart from including the country ’ s name , the app ’ s name is probably intended to imply a relationship with the antifraud solution named GAS Tecnologia .", "spans": {"System: GAS Tecnologia": [[140, 154]]}, "info": {"id": "cyner_mitre_test_00705", "source": "cyner_mitre_test"}}
{"text": "That security software is commonly installed on computers in Brazil as several banks require it to log into their online banking .", "spans": {}, "info": {"id": "cyner_mitre_test_00706", "source": "cyner_mitre_test"}}
{"text": "However , there is also an English version of the DEFENSOR ID app ( see Figure 3 ) besides the Portuguese one , and that app has neither geographical nor language restrictions .", "spans": {"Malware: DEFENSOR ID": [[50, 61]]}, "info": {"id": "cyner_mitre_test_00707", "source": "cyner_mitre_test"}}
{"text": "Playing further off the suggested GAS Tecnologia link , the app promises better security for its users .", "spans": {"System: GAS Tecnologia": [[34, 48]]}, "info": {"id": "cyner_mitre_test_00708", "source": "cyner_mitre_test"}}
{"text": "The description in Portuguese promises more protection for the user ’ s applications , including end-to-end encryption .", "spans": {}, "info": {"id": "cyner_mitre_test_00709", "source": "cyner_mitre_test"}}
{"text": "Deceptively , the app was listed in the Education section .", "spans": {}, "info": {"id": "cyner_mitre_test_00710", "source": "cyner_mitre_test"}}
{"text": "Functionality After starting , DEFENSOR ID requests the following permissions : allow modify system settings permit drawing over other apps , and activate accessibility services .", "spans": {"Malware: DEFENSOR ID": [[31, 42]]}, "info": {"id": "cyner_mitre_test_00711", "source": "cyner_mitre_test"}}
{"text": "If an unsuspecting user grants these permissions ( see Figure 4 ) , the trojan can read any text displayed in any app the user may launch – and send it to the attackers .", "spans": {}, "info": {"id": "cyner_mitre_test_00712", "source": "cyner_mitre_test"}}
{"text": "This means the attackers can steal the victim ’ s credentials for logging into apps , SMS and email messages , displayed cryptocurrency private keys , and even software-generated 2FA codes .", "spans": {}, "info": {"id": "cyner_mitre_test_00713", "source": "cyner_mitre_test"}}
{"text": "The fact the trojan can steal both the victim ’ s credentials and also can control their SMS messages and generated 2FA codes means DEFENSOR ID ’ s operators can bypass two-factor authentication .", "spans": {"Malware: DEFENSOR ID": [[132, 143]]}, "info": {"id": "cyner_mitre_test_00714", "source": "cyner_mitre_test"}}
{"text": "This opens the door to , for example , fully controlling the victim ’ s bank account .", "spans": {}, "info": {"id": "cyner_mitre_test_00715", "source": "cyner_mitre_test"}}
{"text": "To make sure the trojan survives a device restart , it abuses already activated accessibility services that will launch the trojan right after start .", "spans": {}, "info": {"id": "cyner_mitre_test_00716", "source": "cyner_mitre_test"}}
{"text": "Our analysis shows the DEFENSOR ID trojan can execute 17 commands received from the attacker-controlled server such as uninstalling an app , launching an app and then performing any click/tap action controlled remotely by the attacker ( see Figure 5 ) .", "spans": {"Malware: DEFENSOR ID": [[23, 34]]}, "info": {"id": "cyner_mitre_test_00717", "source": "cyner_mitre_test"}}
{"text": "In 2018 , we saw similar behavior , but all the click actions were hardcoded and suited only for the app of the attacker ’ s choice .", "spans": {}, "info": {"id": "cyner_mitre_test_00718", "source": "cyner_mitre_test"}}
{"text": "In this case , the attacker can get the list of all installed apps and then remotely launch the victim ’ s app of their choice to either steal credentials or perform malicious actions ( e.g .", "spans": {}, "info": {"id": "cyner_mitre_test_00719", "source": "cyner_mitre_test"}}
{"text": "send funds via a wire transfer ) .", "spans": {}, "info": {"id": "cyner_mitre_test_00720", "source": "cyner_mitre_test"}}
{"text": "We believe that this is the reason the DEFENSOR ID trojan requests the user to allow “ Modify system settings ” .", "spans": {"Malware: DEFENSOR ID": [[39, 50]]}, "info": {"id": "cyner_mitre_test_00721", "source": "cyner_mitre_test"}}
{"text": "Subsequently , the malware will change the screen off time-out to 10 minutes .", "spans": {}, "info": {"id": "cyner_mitre_test_00722", "source": "cyner_mitre_test"}}
{"text": "This means that , unless victims lock their devices via the hardware button , the timer provides plenty of time for the malware to remotely perform malicious , in-app operations .", "spans": {}, "info": {"id": "cyner_mitre_test_00723", "source": "cyner_mitre_test"}}
{"text": "If the device gets locked , the malware can ’ t unlock it .", "spans": {}, "info": {"id": "cyner_mitre_test_00724", "source": "cyner_mitre_test"}}
{"text": "Malware data leak When we analyzed the sample , we realized that the malware operators left the remote database with some of the victims ’ data freely accessible , without any authentication .", "spans": {}, "info": {"id": "cyner_mitre_test_00725", "source": "cyner_mitre_test"}}
{"text": "The database contained the last activity performed on around 60 compromised devices .", "spans": {}, "info": {"id": "cyner_mitre_test_00726", "source": "cyner_mitre_test"}}
{"text": "We found no other information stolen from the victims to be accessible .", "spans": {}, "info": {"id": "cyner_mitre_test_00727", "source": "cyner_mitre_test"}}
{"text": "Thanks to this data leak , we were able to confirm that the malware really worked as designed : the attacker had access to the victims ’ entered credentials , displayed or written emails and messages , etc .", "spans": {}, "info": {"id": "cyner_mitre_test_00728", "source": "cyner_mitre_test"}}
{"text": "Once we reached the non-secured database , we were able to directly observe the app ’ s malicious behavior .", "spans": {}, "info": {"id": "cyner_mitre_test_00729", "source": "cyner_mitre_test"}}
{"text": "To illustrate the level of threat the DEFENSOR ID app posed , we performed three tests .", "spans": {"Malware: DEFENSOR ID": [[38, 49]]}, "info": {"id": "cyner_mitre_test_00730", "source": "cyner_mitre_test"}}
{"text": "First , we launched a banking app and entered the credentials there .", "spans": {}, "info": {"id": "cyner_mitre_test_00731", "source": "cyner_mitre_test"}}
{"text": "The credentials were immediately available in the leaky database – see Figure 6 .", "spans": {}, "info": {"id": "cyner_mitre_test_00732", "source": "cyner_mitre_test"}}
{"text": "Figure 6 .", "spans": {}, "info": {"id": "cyner_mitre_test_00733", "source": "cyner_mitre_test"}}
{"text": "The banking app test : the credentials as entered ( left ) and as available in the database ( right ) Second , we wrote a test message in an email client .", "spans": {}, "info": {"id": "cyner_mitre_test_00734", "source": "cyner_mitre_test"}}
{"text": "We saw the message uploaded to the attackers ’ server within a second – see Figure 7 .", "spans": {}, "info": {"id": "cyner_mitre_test_00735", "source": "cyner_mitre_test"}}
{"text": "Figure 7 .", "spans": {}, "info": {"id": "cyner_mitre_test_00736", "source": "cyner_mitre_test"}}
{"text": "The email message test : the message as written ( left ) and as available in the database ( right ) Third , we documented the trojan retrieving the Google Authenticator 2FA code .", "spans": {"System: Google Authenticator": [[148, 168]]}, "info": {"id": "cyner_mitre_test_00737", "source": "cyner_mitre_test"}}
{"text": "Figure 8 .", "spans": {}, "info": {"id": "cyner_mitre_test_00738", "source": "cyner_mitre_test"}}
{"text": "The software generated 2FA code as it appeared on the device ’ s display ( left ) and as available in the database ( right ) Along with the malicious DEFENSOR ID app , another malicious app named Defensor Digital was discovered .", "spans": {"Malware: Defensor Digital": [[196, 212]]}, "info": {"id": "cyner_mitre_test_00739", "source": "cyner_mitre_test"}}
{"text": "Both apps shared the same C & C server , but we couldn ’ t investigate the latter as it had already been removed from the Google Play store .", "spans": {"System: Google Play store": [[122, 139]]}, "info": {"id": "cyner_mitre_test_00740", "source": "cyner_mitre_test"}}
{"text": "Indicators of Compromise ( IoCs ) Package Name Hash ESET detection name com.secure.protect.world F17AEBC741957AA21CFE7C7D7BAEC0900E863F61 Android/Spy.BanBra.A com.brazil.android.free EA069A5C96DC1DB0715923EB68192FD325F3D3CE Android/Spy.BanBra.A MITRE ATT & CK techniques Tactic ID Name Description Initial Access T1475 Deliver Malicious App", "spans": {"Organization: ESET": [[52, 56]], "Indicator: com.secure.protect.world": [[72, 96]], "Indicator: F17AEBC741957AA21CFE7C7D7BAEC0900E863F61": [[97, 137]], "Indicator: Android/Spy.BanBra.A": [[138, 158], [224, 244]], "Indicator: com.brazil.android.free": [[159, 182]], "Indicator: EA069A5C96DC1DB0715923EB68192FD325F3D3CE": [[183, 223]], "Organization: MITRE": [[245, 250]]}, "info": {"id": "cyner_mitre_test_00741", "source": "cyner_mitre_test"}}
{"text": "via Authorized App Store Impersonates security app on Google Play .", "spans": {"System: App Store": [[15, 24]], "System: Google Play": [[54, 65]]}, "info": {"id": "cyner_mitre_test_00742", "source": "cyner_mitre_test"}}
{"text": "T1444 Masquerade as Legitimate Application Impersonates legitimate GAS Tecnologia application .", "spans": {"System: GAS Tecnologia": [[67, 81]]}, "info": {"id": "cyner_mitre_test_00743", "source": "cyner_mitre_test"}}
{"text": "Discovery T1418 Application Discovery Sends list of installed apps on device .", "spans": {}, "info": {"id": "cyner_mitre_test_00744", "source": "cyner_mitre_test"}}
{"text": "Impact T1516 Input Injection Can enter text and perform clicks on behalf of user .", "spans": {}, "info": {"id": "cyner_mitre_test_00745", "source": "cyner_mitre_test"}}
{"text": "Collection T1417 Input Capture Records user input data .", "spans": {}, "info": {"id": "cyner_mitre_test_00746", "source": "cyner_mitre_test"}}
{"text": "Command and Control T1437 Standard Application Layer Protocol Uses Firebase Cloud Messaging for C & C .", "spans": {}, "info": {"id": "cyner_mitre_test_00747", "source": "cyner_mitre_test"}}