arcspan / data /processed /backup /cyner_valid.jsonl
Add files using upload-large-folder tool
df108c1 verified
{"text": "Riltok mobile Trojan : A banker with global reach 25 JUN 2019 Riltok is one of numerous families of mobile banking Trojans with standard ( for such malware ) functions and distribution methods .", "spans": {"Malware: Riltok": [[0, 6], [62, 68]]}, "info": {"id": "cyner_mitre_valid_00000", "source": "cyner_mitre_valid"}}
{"text": "Originally intended to target the Russian audience , the banker was later adapted , with minimal modifications , for the European “ market. ” The bulk of its victims ( more than 90 % ) reside in Russia , with France in second place ( 4 % ) .", "spans": {}, "info": {"id": "cyner_mitre_valid_00001", "source": "cyner_mitre_valid"}}
{"text": "Third place is shared by Italy , Ukraine , and the United Kingdom .", "spans": {}, "info": {"id": "cyner_mitre_valid_00002", "source": "cyner_mitre_valid"}}
{"text": "We first detected members of this family back in March 2018 .", "spans": {}, "info": {"id": "cyner_mitre_valid_00003", "source": "cyner_mitre_valid"}}
{"text": "Like many other bankers , they were disguised as apps for popular free ad services in Russia .", "spans": {}, "info": {"id": "cyner_mitre_valid_00004", "source": "cyner_mitre_valid"}}
{"text": "The malware was distributed from infected devices via SMS in the form “ % USERNAME % , I ’ ll buy under a secure transaction .", "spans": {}, "info": {"id": "cyner_mitre_valid_00005", "source": "cyner_mitre_valid"}}
{"text": "youlabuy [ .", "spans": {"Indicator: youlabuy [ .": [[0, 12]]}, "info": {"id": "cyner_mitre_valid_00006", "source": "cyner_mitre_valid"}}
{"text": "] ru/7 * * * * * 3 ” or “ % USERNAME % , accept 25,000 on Youla youla-protect [ .", "spans": {"Indicator: youla-protect [ .": [[64, 81]]}, "info": {"id": "cyner_mitre_valid_00007", "source": "cyner_mitre_valid"}}
{"text": "] ru/4 * * * * * 7 ” , containing a link to download the Trojan .", "spans": {}, "info": {"id": "cyner_mitre_valid_00008", "source": "cyner_mitre_valid"}}
{"text": "Other samples were also noticed , posing as a client of a ticket-finding service or as an app store for Android .", "spans": {"System: Android": [[104, 111]]}, "info": {"id": "cyner_mitre_valid_00009", "source": "cyner_mitre_valid"}}
{"text": "It was late 2018 when Riltok climbed onto the international stage .", "spans": {"Malware: Riltok": [[22, 28]]}, "info": {"id": "cyner_mitre_valid_00010", "source": "cyner_mitre_valid"}}
{"text": "The cybercriminals behind it kept the same masking and distribution methods , using names and icons imitating those of popular free ad services .", "spans": {}, "info": {"id": "cyner_mitre_valid_00011", "source": "cyner_mitre_valid"}}
{"text": "In November 2018 , a version of the Trojan for the English market appeared in the shape of Gumtree.apk .", "spans": {"Indicator: Gumtree.apk": [[91, 102]]}, "info": {"id": "cyner_mitre_valid_00012", "source": "cyner_mitre_valid"}}
{"text": "The SMS message with a link to a banker looked as follows : “ % USERNAME % , i send you prepayment gumtree [ .", "spans": {"Indicator: gumtree [ .": [[99, 110]]}, "info": {"id": "cyner_mitre_valid_00013", "source": "cyner_mitre_valid"}}
{"text": "] cc/3 * * * * * 1 ” .", "spans": {}, "info": {"id": "cyner_mitre_valid_00014", "source": "cyner_mitre_valid"}}
{"text": "Italian ( Subito.apk ) and French ( Leboncoin.apk ) versions appeared shortly afterwards in January 2019 .", "spans": {"Indicator: Subito.apk": [[10, 20]], "Indicator: Leboncoin.apk": [[36, 49]]}, "info": {"id": "cyner_mitre_valid_00015", "source": "cyner_mitre_valid"}}
{"text": "The messages looked as follows : “ % USERNAME % , ti ho inviato il soldi sul subito subito-a [ .", "spans": {"Indicator: subito-a [ .": [[84, 96]]}, "info": {"id": "cyner_mitre_valid_00016", "source": "cyner_mitre_valid"}}
{"text": "] pw/6 * * * * * 5 ” ( It .", "spans": {}, "info": {"id": "cyner_mitre_valid_00017", "source": "cyner_mitre_valid"}}
{"text": ") “ % USERNAME % , ti ho inviato il pagamento subitop [ .", "spans": {"Indicator: subitop [ .": [[46, 57]]}, "info": {"id": "cyner_mitre_valid_00018", "source": "cyner_mitre_valid"}}
{"text": "] pw/4 * * * * * 7 ” ( It .", "spans": {}, "info": {"id": "cyner_mitre_valid_00019", "source": "cyner_mitre_valid"}}
{"text": ") “ % USERNAME % , je vous ai envoyé un prepaiement m-leboncoin [ .", "spans": {"Indicator: m-leboncoin [ .": [[52, 67]]}, "info": {"id": "cyner_mitre_valid_00020", "source": "cyner_mitre_valid"}}
{"text": "] top/7 * * * * * 3 ” ( Fr .", "spans": {}, "info": {"id": "cyner_mitre_valid_00021", "source": "cyner_mitre_valid"}}
{"text": ") “ % USERNAME % , j ’ ai fait l ’ avance ( suivi d ’ un lien ) : leboncoin-le [ .", "spans": {"Indicator: leboncoin-le [ .": [[66, 82]]}, "info": {"id": "cyner_mitre_valid_00022", "source": "cyner_mitre_valid"}}
{"text": "] com/8 * * * * * 9 ” ( Fr .", "spans": {}, "info": {"id": "cyner_mitre_valid_00023", "source": "cyner_mitre_valid"}}
{"text": ") Let ’ s take a more detailed look at how this banking Trojan works .", "spans": {}, "info": {"id": "cyner_mitre_valid_00024", "source": "cyner_mitre_valid"}}
{"text": "Infection The user receives an SMS with a malicious link pointing to a fake website simulating a popular free ad service .", "spans": {}, "info": {"id": "cyner_mitre_valid_00025", "source": "cyner_mitre_valid"}}
{"text": "There , they are prompted to download a new version of the mobile app , under which guise the Trojan is hidden .", "spans": {}, "info": {"id": "cyner_mitre_valid_00026", "source": "cyner_mitre_valid"}}
{"text": "To be installed , it needs the victim to allow installation of apps from unknown sources in the device settings .", "spans": {}, "info": {"id": "cyner_mitre_valid_00027", "source": "cyner_mitre_valid"}}
{"text": "During installation , Riltok asks the user for permission to use special features in AccessibilityService by displaying a fake warning : If the user ignores or declines the request , the window keeps opening ad infinitum .", "spans": {"Malware: Riltok": [[22, 28]]}, "info": {"id": "cyner_mitre_valid_00028", "source": "cyner_mitre_valid"}}
{"text": "After obtaining the desired rights , the Trojan sets itself as the default SMS app ( by independently clicking Yes in AccessibilityService ) , before vanishing from the device screen .", "spans": {}, "info": {"id": "cyner_mitre_valid_00029", "source": "cyner_mitre_valid"}}
{"text": "After enabling AccessibilityService , the malware sets itself as the default SMS app Now installed and having obtained the necessary permissions from the user , Riltok contacts its C & C server .", "spans": {"Malware: Riltok": [[161, 167]]}, "info": {"id": "cyner_mitre_valid_00030", "source": "cyner_mitre_valid"}}
{"text": "In later versions , when it starts , the Trojan additionally opens a phishing site in the browser that simulates a free ad service so as to dupe the user into entering their login credentials and bank card details .", "spans": {}, "info": {"id": "cyner_mitre_valid_00031", "source": "cyner_mitre_valid"}}
{"text": "The entered data is forwarded to the cybercriminals .", "spans": {}, "info": {"id": "cyner_mitre_valid_00032", "source": "cyner_mitre_valid"}}
{"text": "Phishing page from the French version of the Trojan Communication with C & C Riltok actively communicates with its C & C server .", "spans": {"Malware: Riltok": [[77, 83]]}, "info": {"id": "cyner_mitre_valid_00033", "source": "cyner_mitre_valid"}}
{"text": "First off , it registers the infected device in the administrative panel by sending a GET request to the relative address gate.php ( in later versions gating.php ) with the ID ( device identifier generated by the setPsuedoID function in a pseudo-random way based on the device IMEI ) and screen ( shows if the device is active , possible values are “ on ” , “ off ” , “ none ” ) parameters .", "spans": {"Indicator: gate.php": [[122, 130]], "Indicator: gating.php": [[151, 161]]}, "info": {"id": "cyner_mitre_valid_00034", "source": "cyner_mitre_valid"}}
{"text": "Then , using POST requests to the relative address report.php , it sends data about the device ( IMEI , phone number , country , mobile operator , phone model , availability of root rights , OS version ) , list of contacts , list of installed apps , incoming SMS , and other information .", "spans": {"Indicator: report.php": [[51, 61]]}, "info": {"id": "cyner_mitre_valid_00035", "source": "cyner_mitre_valid"}}
{"text": "From the server , the Trojan receives commands ( for example , to send SMS ) and changes in the configuration .", "spans": {}, "info": {"id": "cyner_mitre_valid_00036", "source": "cyner_mitre_valid"}}
{"text": "Trojan anatomy The family was named Riltok after the librealtalk-jni.so library contained in the APK file of the Trojan .", "spans": {"Malware: Riltok": [[36, 42]], "Indicator: librealtalk-jni.so": [[53, 71]]}, "info": {"id": "cyner_mitre_valid_00037", "source": "cyner_mitre_valid"}}
{"text": "The library includes such operations as : Get address of cybercriminal C & C server Get configuration file with web injects from C & C , as well as default list of injects Scan for app package names that generated AccessibilityEvent events in the list of known banking/antivirus/other popular apps Set malware as default SMS app Get address of the phishing page that opens when the app runs , and others getStartWebUrl function – get address of phishing page The configuration file contains a list of injects for mobile banking apps – links to phishing pages matching the mobile", "spans": {}, "info": {"id": "cyner_mitre_valid_00038", "source": "cyner_mitre_valid"}}
{"text": "banking app used by the user .", "spans": {}, "info": {"id": "cyner_mitre_valid_00039", "source": "cyner_mitre_valid"}}
{"text": "In most so-called Western versions of the Trojan , the package names in the default configuration file are erased .", "spans": {}, "info": {"id": "cyner_mitre_valid_00040", "source": "cyner_mitre_valid"}}
{"text": "Sample configuration file of the Trojan Through AccessibilityService , the malware monitors AccessibilityEvent events .", "spans": {}, "info": {"id": "cyner_mitre_valid_00041", "source": "cyner_mitre_valid"}}
{"text": "Depending on which app ( package name ) generated the event , Riltok can : Open a fake Google Play screen requesting bank card details Open a fake screen or phishing page in a browser ( inject ) mimicking the screen of the relevant mobile banking app and requesting user/bank card details Minimize the app ( for example , antivirus applications or device security settings ) Additionally , the Trojan can hide notifications from certain banking apps .", "spans": {"Malware: Riltok": [[62, 68]], "System: Google Play": [[87, 98]]}, "info": {"id": "cyner_mitre_valid_00042", "source": "cyner_mitre_valid"}}
{"text": "List of package names of apps on events from which the Trojan opens a fake Google Play window ( for the Russian version of the Trojan ) Example of Trojan screen overlapping other apps When bank card details are entered in the fake window , Riltok performs basic validation checks : card validity period , number checksum , CVC length , whether the number is in the denylist sewn into the Trojan code : Examples of phishing pages imitating mobile banks At the time of writing , the functionality of most of the Western versions of Riltok", "spans": {"System: Google Play": [[75, 86]]}, "info": {"id": "cyner_mitre_valid_00043", "source": "cyner_mitre_valid"}}
{"text": "was somewhat pared down compared to the Russian one .", "spans": {}, "info": {"id": "cyner_mitre_valid_00044", "source": "cyner_mitre_valid"}}
{"text": "For example , the default configuration file with injects is non-operational , and the malware contains no fake built-in windows requesting bank card details .", "spans": {}, "info": {"id": "cyner_mitre_valid_00045", "source": "cyner_mitre_valid"}}
{"text": "Conclusion Threats are better prevented than cured , so do not follow suspicious links in SMS , and be sure to install apps only from official sources and check what permissions you are granting during installation .", "spans": {}, "info": {"id": "cyner_mitre_valid_00046", "source": "cyner_mitre_valid"}}
{"text": "As Riltok shows , cybercriminals can apply the same methods of infection to victims in different countries with more or less the same success .", "spans": {"Malware: Riltok": [[3, 9]]}, "info": {"id": "cyner_mitre_valid_00047", "source": "cyner_mitre_valid"}}
{"text": "Kaspersky products detect the above-described threat with the verdict Trojan-Banker.AndroidOS.Riltok .", "spans": {"Organization: Kaspersky": [[0, 9]], "Indicator: Trojan-Banker.AndroidOS.Riltok": [[70, 100]]}, "info": {"id": "cyner_mitre_valid_00048", "source": "cyner_mitre_valid"}}
{"text": "IoCs C & C 100.51.100.00 108.62.118.131 172.81.134.165 172.86.120.207 185.212.128.152 185.212.128.192 185.61.000.108 185.61.138.108 185.61.138.37 188.209.52.101 5.206.225.57 alr992.date avito-app.pw backfround2.pw background1.xyz blacksolider93.com blass9g087.com brekelter2.com broplar3hf.xyz buy-youla.ru", "spans": {"Indicator: 100.51.100.00": [[11, 24]], "Indicator: 108.62.118.131": [[25, 39]], "Indicator: 172.81.134.165": [[40, 54]], "Indicator: 172.86.120.207": [[55, 69]], "Indicator: 185.212.128.152": [[70, 85]], "Indicator: 185.212.128.192": [[86, 101]], "Indicator: 185.61.000.108": [[102, 116]], "Indicator: 185.61.138.108": [[117, 131]], "Indicator: 185.61.138.37": [[132, 145]], "Indicator: 188.209.52.101": [[146, 160]], "Indicator: 5.206.225.57": [[161, 173]], "Indicator: alr992.date": [[174, 185]], "Indicator: avito-app.pw": [[186, 198]], "Indicator: backfround2.pw": [[199, 213]], "Indicator: background1.xyz": [[214, 229]], "Indicator: blacksolider93.com": [[230, 248]], "Indicator: blass9g087.com": [[249, 263]], "Indicator: brekelter2.com": [[264, 278]], "Indicator: broplar3hf.xyz": [[279, 293]], "Indicator: buy-youla.ru": [[294, 306]]}, "info": {"id": "cyner_mitre_valid_00049", "source": "cyner_mitre_valid"}}
{"text": "cd78cg210xy0.com copsoiteess.com farmatefc93.org firstclinsop.com holebrhuhh3.com holebrhuhh45.com karambga3j.net le22999a.pw leboncoin-bk.top leboncoin-buy.pw leboncoin-cz.info leboncoin-f.pw leboncoin-jp.info leboncoin-kp.top leboncoin-ny.info leboncoin-ql.top leboncoin-tr.info", "spans": {"Indicator: cd78cg210xy0.com": [[0, 16]], "Indicator: copsoiteess.com": [[17, 32]], "Indicator: farmatefc93.org": [[33, 48]], "Indicator: firstclinsop.com": [[49, 65]], "Indicator: holebrhuhh3.com": [[66, 81]], "Indicator: holebrhuhh45.com": [[82, 98]], "Indicator: karambga3j.net": [[99, 113]], "Indicator: le22999a.pw": [[114, 125]], "Indicator: leboncoin-bk.top": [[126, 142]], "Indicator: leboncoin-buy.pw": [[143, 159]], "Indicator: leboncoin-cz.info": [[160, 177]], "Indicator: leboncoin-f.pw": [[178, 192]], "Indicator: leboncoin-jp.info": [[193, 210]], "Indicator: leboncoin-kp.top": [[211, 227]], "Indicator: leboncoin-ny.info": [[228, 245]], "Indicator: leboncoin-ql.top": [[246, 262]], "Indicator: leboncoin-tr.info": [[263, 280]]}, "info": {"id": "cyner_mitre_valid_00050", "source": "cyner_mitre_valid"}}
{"text": "myyoula.ru sell-avito.ru sell-youla.ru sentel8ju67.com subito-li.pw subitop.pw web-gumtree.com whitehousejosh.com whitekalgoy3.com youlaprotect.ru Examples of malware 0497b6000a7a23e9e9b97472bc2d3799caf49cbbea1627ad4d87ae6e0b7e2a98 417fc112cd0610cc8c402742b0baab0a086b5c4164230009e11d34fdeee7d3fa", "spans": {"Indicator: myyoula.ru": [[0, 10]], "Indicator: sell-avito.ru": [[11, 24]], "Indicator: sell-youla.ru": [[25, 38]], "Indicator: sentel8ju67.com": [[39, 54]], "Indicator: subito-li.pw": [[55, 67]], "Indicator: subitop.pw": [[68, 78]], "Indicator: web-gumtree.com": [[79, 94]], "Indicator: whitehousejosh.com": [[95, 113]], "Indicator: whitekalgoy3.com": [[114, 130]], "Indicator: youlaprotect.ru": [[131, 146]], "Indicator: 0497b6000a7a23e9e9b97472bc2d3799caf49cbbea1627ad4d87ae6e0b7e2a98": [[167, 231]], "Indicator: 417fc112cd0610cc8c402742b0baab0a086b5c4164230009e11d34fdeee7d3fa": [[232, 296]]}, "info": {"id": "cyner_mitre_valid_00051", "source": "cyner_mitre_valid"}}
{"text": "54594edbe9055517da2836199600f682dee07e6b405c6fe4b476627e8d184bfe 6e995d68c724f121d43ec2ff59bc4e536192360afa3beaec5646f01094f0b745 bbc268ca63eeb27e424fec1b3976bab550da304de18e29faff94d9057b1fa25a dc3dd9d75120934333496d0a4100252b419ee8fcdab5d74cf343bcb0306c9811", "spans": {"Indicator: 54594edbe9055517da2836199600f682dee07e6b405c6fe4b476627e8d184bfe": [[0, 64]], "Indicator: 6e995d68c724f121d43ec2ff59bc4e536192360afa3beaec5646f01094f0b745": [[65, 129]], "Indicator: bbc268ca63eeb27e424fec1b3976bab550da304de18e29faff94d9057b1fa25a": [[130, 194]], "Indicator: dc3dd9d75120934333496d0a4100252b419ee8fcdab5d74cf343bcb0306c9811": [[195, 259]]}, "info": {"id": "cyner_mitre_valid_00052", "source": "cyner_mitre_valid"}}
{"text": "e3f77ff093f322e139940b33994c5a57ae010b66668668dc4945142a81bcc049 ebd0a8043434edac261cb25b94f417188a5c0d62b5dd4033f156b890d150a4c5 f51a27163cb0ddd08caa29d865b9f238848118ba2589626af711330481b352df Tracking down the developer of Android adware affecting", "spans": {"Indicator: e3f77ff093f322e139940b33994c5a57ae010b66668668dc4945142a81bcc049": [[0, 64]], "Indicator: ebd0a8043434edac261cb25b94f417188a5c0d62b5dd4033f156b890d150a4c5": [[65, 129]], "Indicator: f51a27163cb0ddd08caa29d865b9f238848118ba2589626af711330481b352df": [[130, 194]], "System: Android": [[226, 233]]}, "info": {"id": "cyner_mitre_valid_00053", "source": "cyner_mitre_valid"}}
{"text": "millions of users 24 Oct 2019 - 11:30AM We detected a large adware campaign running for about a year , with the involved apps installed eight million times from Google Play alone .", "spans": {"System: Google Play": [[161, 172]]}, "info": {"id": "cyner_mitre_valid_00054", "source": "cyner_mitre_valid"}}
{"text": "We identified 42 apps on Google Play as belonging to the campaign , which had been running since July 2018 .", "spans": {"System: Google Play": [[25, 36]]}, "info": {"id": "cyner_mitre_valid_00055", "source": "cyner_mitre_valid"}}
{"text": "Of those , 21 were still available at the time of discovery .", "spans": {}, "info": {"id": "cyner_mitre_valid_00056", "source": "cyner_mitre_valid"}}
{"text": "We reported the apps to the Google security team and they were swiftly removed .", "spans": {}, "info": {"id": "cyner_mitre_valid_00057", "source": "cyner_mitre_valid"}}
{"text": "However , the apps are still available in third-party app stores .", "spans": {}, "info": {"id": "cyner_mitre_valid_00058", "source": "cyner_mitre_valid"}}
{"text": "ESET detects this adware , collectively , as Android/AdDisplay.Ashas .", "spans": {"Organization: ESET": [[0, 4]], "Malware: Android/AdDisplay.Ashas": [[45, 68]]}, "info": {"id": "cyner_mitre_valid_00059", "source": "cyner_mitre_valid"}}
{"text": "Figure 1 .", "spans": {}, "info": {"id": "cyner_mitre_valid_00060", "source": "cyner_mitre_valid"}}
{"text": "Apps of the Android/AdDisplay.Ashas family reported to Google by ESET Figure 2 .", "spans": {"Malware: Android/AdDisplay.Ashas": [[12, 35]], "Organization: ESET": [[65, 69]]}, "info": {"id": "cyner_mitre_valid_00061", "source": "cyner_mitre_valid"}}
{"text": "The most popular member of the Android/AdDisplay.Ashas family on Google Play was “ Video downloader master ” with over five million downloads Ashas functionality All the apps provide the functionality they promise , besides working as adware .", "spans": {"Malware: Android/AdDisplay.Ashas family": [[31, 61]], "System: Google Play": [[65, 76]], "Malware: Ashas": [[142, 147]]}, "info": {"id": "cyner_mitre_valid_00062", "source": "cyner_mitre_valid"}}
{"text": "The adware functionality is the same in all the apps we analyzed .", "spans": {}, "info": {"id": "cyner_mitre_valid_00063", "source": "cyner_mitre_valid"}}
{"text": "[ Note : The analysis of the functionality below describes a single app , but applies to all apps of the Android/AdDisplay.Ashas family .", "spans": {"Malware: Android/AdDisplay.Ashas family": [[105, 135]]}, "info": {"id": "cyner_mitre_valid_00064", "source": "cyner_mitre_valid"}}
{"text": "] Once launched , the app starts to communicate with its C & C server ( whose IP address is base64-encoded in the app ) .", "spans": {}, "info": {"id": "cyner_mitre_valid_00065", "source": "cyner_mitre_valid"}}
{"text": "It sends “ home ” key data about the affected device : device type , OS version , language , number of installed apps , free storage space , battery status , whether the device is rooted and Developer mode enabled , and whether Facebook and FB Messenger are installed .", "spans": {"Organization: Facebook": [[228, 236]], "System: Messenger": [[244, 253]]}, "info": {"id": "cyner_mitre_valid_00066", "source": "cyner_mitre_valid"}}
{"text": "Figure 3 .", "spans": {}, "info": {"id": "cyner_mitre_valid_00067", "source": "cyner_mitre_valid"}}
{"text": "Sending information about the affected device The app receives configuration data from the C & C server , needed for displaying ads , and for stealth and resilience .", "spans": {}, "info": {"id": "cyner_mitre_valid_00068", "source": "cyner_mitre_valid"}}
{"text": "Figure 4 .", "spans": {}, "info": {"id": "cyner_mitre_valid_00069", "source": "cyner_mitre_valid"}}
{"text": "Configuration file received from the C & C server As for stealth and resilience , the attacker uses a number of tricks .", "spans": {}, "info": {"id": "cyner_mitre_valid_00070", "source": "cyner_mitre_valid"}}
{"text": "First , the malicious app tries to determine whether it is being tested by the Google Play security mechanism .", "spans": {"System: Google Play": [[79, 90]]}, "info": {"id": "cyner_mitre_valid_00071", "source": "cyner_mitre_valid"}}
{"text": "For this purpose , the app receives from the C & C server the isGoogleIp flag , which indicates whether the IP address of the affected device falls within the range of known IP addresses for Google servers .", "spans": {}, "info": {"id": "cyner_mitre_valid_00072", "source": "cyner_mitre_valid"}}
{"text": "If the server returns this flag as positive , the app will not trigger the adware payload .", "spans": {}, "info": {"id": "cyner_mitre_valid_00073", "source": "cyner_mitre_valid"}}
{"text": "Second , the app can set a custom delay between displaying ads .", "spans": {}, "info": {"id": "cyner_mitre_valid_00074", "source": "cyner_mitre_valid"}}
{"text": "The samples we have seen had their configuration set to delay displaying the first ad by 24 minutes after the device unlocks .", "spans": {}, "info": {"id": "cyner_mitre_valid_00075", "source": "cyner_mitre_valid"}}
{"text": "This delay means that a typical testing procedure , which takes less than 10 minutes , will not detect any unwanted behavior .", "spans": {}, "info": {"id": "cyner_mitre_valid_00076", "source": "cyner_mitre_valid"}}
{"text": "Also , the longer the delay , the lower the risk of the user associating the unwanted ads with a particular app .", "spans": {}, "info": {"id": "cyner_mitre_valid_00077", "source": "cyner_mitre_valid"}}
{"text": "Third , based on the server response , the app can also hide its icon and create a shortcut instead .", "spans": {}, "info": {"id": "cyner_mitre_valid_00078", "source": "cyner_mitre_valid"}}
{"text": "If a typical user tries to get rid of the malicious app , chances are that only the shortcut ends up getting removed .", "spans": {}, "info": {"id": "cyner_mitre_valid_00079", "source": "cyner_mitre_valid"}}
{"text": "The app then continues to run in the background without the user ’ s knowledge .", "spans": {}, "info": {"id": "cyner_mitre_valid_00080", "source": "cyner_mitre_valid"}}
{"text": "This stealth technique has been gaining popularity among adware-related threats distributed via Google Play .", "spans": {"System: Google Play": [[96, 107]]}, "info": {"id": "cyner_mitre_valid_00081", "source": "cyner_mitre_valid"}}
{"text": "Figure 5 .", "spans": {}, "info": {"id": "cyner_mitre_valid_00082", "source": "cyner_mitre_valid"}}
{"text": "Time delay to postpone displaying ads implemented by the adware Once the malicious app receives its configuration data , the affected device is ready to display ads as per the attacker ’ s choice ; each ad is displayed as a full screen activity .", "spans": {}, "info": {"id": "cyner_mitre_valid_00083", "source": "cyner_mitre_valid"}}
{"text": "If the user wants to check which app is responsible for the ad being displayed , by hitting the “ Recent apps ” button , another trick is used : the app displays a Facebook or Google icon , as seen in Figure 6 .", "spans": {"Organization: Facebook": [[164, 172]], "Organization: Google": [[176, 182]]}, "info": {"id": "cyner_mitre_valid_00084", "source": "cyner_mitre_valid"}}
{"text": "The adware mimics these two apps to look legitimate and avoid suspicion – and thus stay on the affected device for as long as possible .", "spans": {}, "info": {"id": "cyner_mitre_valid_00085", "source": "cyner_mitre_valid"}}
{"text": "Figure 6 .", "spans": {}, "info": {"id": "cyner_mitre_valid_00086", "source": "cyner_mitre_valid"}}
{"text": "The adware activity impersonates Facebook ( left ) .", "spans": {"Organization: Facebook": [[33, 41]]}, "info": {"id": "cyner_mitre_valid_00087", "source": "cyner_mitre_valid"}}
{"text": "If the user long-presses the icon , the name of the app responsible for the activity is revealed ( right ) .", "spans": {}, "info": {"id": "cyner_mitre_valid_00088", "source": "cyner_mitre_valid"}}
{"text": "Finally , the Ashas adware family has its code hidden under the com.google.xxx package name .", "spans": {"Malware: Ashas": [[14, 19]]}, "info": {"id": "cyner_mitre_valid_00089", "source": "cyner_mitre_valid"}}
{"text": "This trick – posing as a part of a legitimate Google service – may help avoid scrutiny .", "spans": {"Organization: Google": [[46, 52]]}, "info": {"id": "cyner_mitre_valid_00090", "source": "cyner_mitre_valid"}}
{"text": "Some detection mechanisms and sandboxes may whitelist such package names , in an effort to prevent wasting resources .", "spans": {}, "info": {"id": "cyner_mitre_valid_00091", "source": "cyner_mitre_valid"}}
{"text": "Figure 7 .", "spans": {}, "info": {"id": "cyner_mitre_valid_00092", "source": "cyner_mitre_valid"}}
{"text": "Malicious code hidden in a package named “ com.google ” Hunting down the developer Using open-source information , we tracked down the developer of the adware , who we also identified as the campaign ’ s operator and owner of the C & C server .", "spans": {}, "info": {"id": "cyner_mitre_valid_00093", "source": "cyner_mitre_valid"}}
{"text": "In the following paragraphs , we outline our efforts to discover other applications from the same developer and protect our users from it .", "spans": {}, "info": {"id": "cyner_mitre_valid_00094", "source": "cyner_mitre_valid"}}
{"text": "First , based on information that is associated with the registered C & C domain , we identified the name of the registrant , along with further data like country and email address , as seen in Figure 8 .", "spans": {}, "info": {"id": "cyner_mitre_valid_00095", "source": "cyner_mitre_valid"}}
{"text": "Figure 8 .", "spans": {}, "info": {"id": "cyner_mitre_valid_00096", "source": "cyner_mitre_valid"}}
{"text": "Information about the C & C domain used by the Ashas adware Knowing that the information provided to a domain registrar might be fake , we continued our search .", "spans": {"Malware: Ashas": [[47, 52]]}, "info": {"id": "cyner_mitre_valid_00097", "source": "cyner_mitre_valid"}}
{"text": "The email address and country information drove us to a list of students attending a class at a Vietnamese university – corroborating the existence of the person under whose name the domain was registered .", "spans": {}, "info": {"id": "cyner_mitre_valid_00098", "source": "cyner_mitre_valid"}}
{"text": "Figure 9 .", "spans": {}, "info": {"id": "cyner_mitre_valid_00099", "source": "cyner_mitre_valid"}}
{"text": "A university class student list including the C & C domain registrant Due to poor privacy practices on the part of our culprit ’ s university , we now know his date of birth ( probably : he seemingly used his birth year as part of his Gmail address , as further partial confirmation ) , we know that he was a student and what university he attended .", "spans": {"System: Gmail": [[235, 240]]}, "info": {"id": "cyner_mitre_valid_00100", "source": "cyner_mitre_valid"}}
{"text": "We were also able to confirm that the phone number he provided to the domain registrar was genuine .", "spans": {}, "info": {"id": "cyner_mitre_valid_00101", "source": "cyner_mitre_valid"}}
{"text": "Moreover , we retrieved his University ID ; a quick googling showed some of his exam grades .", "spans": {}, "info": {"id": "cyner_mitre_valid_00102", "source": "cyner_mitre_valid"}}
{"text": "However , his study results are out of the scope of our research .", "spans": {}, "info": {"id": "cyner_mitre_valid_00103", "source": "cyner_mitre_valid"}}
{"text": "Based on our culprit ’ s email address , we were able to find his GitHub repository .", "spans": {"Organization: GitHub": [[66, 72]]}, "info": {"id": "cyner_mitre_valid_00104", "source": "cyner_mitre_valid"}}
{"text": "His repository proves that he is indeed an Android developer , but it contained no publicly available code of the Ashas adware at the time of writing of this blogpost .", "spans": {"System: Android": [[43, 50]], "Malware: Ashas": [[114, 119]]}, "info": {"id": "cyner_mitre_valid_00105", "source": "cyner_mitre_valid"}}
{"text": "However , a simple Google search for the adware package name returned a “ TestDelete ” project that had been available in his repository at some point The malicious developer also has apps in Apple ’ s App Store .", "spans": {"Organization: Google": [[19, 25]], "Organization: Apple": [[192, 197]], "System: App Store": [[202, 211]]}, "info": {"id": "cyner_mitre_valid_00106", "source": "cyner_mitre_valid"}}
{"text": "Some of them are iOS versions of the ones removed from Google Play , but none contain adware functionality .", "spans": {"System: iOS": [[17, 20]], "System: Google Play": [[55, 66]]}, "info": {"id": "cyner_mitre_valid_00107", "source": "cyner_mitre_valid"}}
{"text": "Figure 10 .", "spans": {}, "info": {"id": "cyner_mitre_valid_00108", "source": "cyner_mitre_valid"}}
{"text": "The malicious developer ’ s apps published on the App Store which don ’ t contain the Ashas adware Searching further for the malicious developer ’ s activities , we also discovered his Youtube channel propagating the Ashas adware and his other projects .", "spans": {"Malware: Ashas": [[86, 91], [217, 222]], "System: Youtube": [[185, 192]]}, "info": {"id": "cyner_mitre_valid_00109", "source": "cyner_mitre_valid"}}
{"text": "As for the Ashas family , one of the associated promotional videos , “ Head Soccer World Champion 2018 – Android , ios ” was viewed almost three million times and two others reached hundreds of thousands of views , as seen in Figure 11 .", "spans": {"Malware: Ashas": [[11, 16]], "System: Android": [[105, 112]], "System: ios": [[115, 118]]}, "info": {"id": "cyner_mitre_valid_00110", "source": "cyner_mitre_valid"}}
{"text": "Figure 11 .", "spans": {}, "info": {"id": "cyner_mitre_valid_00111", "source": "cyner_mitre_valid"}}
{"text": "YouTube channel of the malicious developer His YouTube channel provided us with another valuable piece of information : he himself features in a video tutorial for one of his other projects .", "spans": {"System: YouTube": [[0, 7], [47, 54]]}, "info": {"id": "cyner_mitre_valid_00112", "source": "cyner_mitre_valid"}}
{"text": "Thanks to that project , we were able to extract his Facebook profile – which lists his studies at the aforementioned university .", "spans": {"Organization: Facebook": [[53, 61]]}, "info": {"id": "cyner_mitre_valid_00113", "source": "cyner_mitre_valid"}}
{"text": "Figure 12 .", "spans": {}, "info": {"id": "cyner_mitre_valid_00114", "source": "cyner_mitre_valid"}}
{"text": "Facebook profile of the C & C domain registrar ( cover picture and profile picture edited out ) Linked on the malicious developer ’ s Facebook profile , we discovered a Facebook page , Minigameshouse , and an associated domain , minigameshouse [ .", "spans": {"Organization: Facebook": [[0, 8], [134, 142], [169, 177]], "Indicator: Minigameshouse": [[185, 199]], "Indicator: minigameshouse [ .": [[229, 247]]}, "info": {"id": "cyner_mitre_valid_00115", "source": "cyner_mitre_valid"}}
{"text": "] net .", "spans": {}, "info": {"id": "cyner_mitre_valid_00116", "source": "cyner_mitre_valid"}}
{"text": "This domain is similar to the one the malware author used for his adware C & C communication , minigameshouse [ .", "spans": {"Indicator: minigameshouse [ .": [[95, 113]]}, "info": {"id": "cyner_mitre_valid_00117", "source": "cyner_mitre_valid"}}
{"text": "] us .", "spans": {}, "info": {"id": "cyner_mitre_valid_00118", "source": "cyner_mitre_valid"}}
{"text": "Checking this Minigameshouse page further indicates that this person is indeed the owner of the minigameshouse [ .", "spans": {"Indicator: Minigameshouse": [[14, 28]], "Indicator: minigameshouse [ .": [[96, 114]]}, "info": {"id": "cyner_mitre_valid_00119", "source": "cyner_mitre_valid"}}
{"text": "] us domain : the phone number registered with this domain is the same as the phone number appearing on the Facebook page .", "spans": {"Organization: Facebook": [[108, 116]]}, "info": {"id": "cyner_mitre_valid_00120", "source": "cyner_mitre_valid"}}
{"text": "Figure 13 .", "spans": {}, "info": {"id": "cyner_mitre_valid_00121", "source": "cyner_mitre_valid"}}
{"text": "Facebook page managed by the C & C domain registrant uses the same base domain name ( minigameshouse ) and phone number as the registered malicious C & C used by the Ashas adware Of interest is that on the Minigameshouse Facebook page , the malicious developer promotes a slew of games beyond the Ashas family for download on both Google Play and the App Store .", "spans": {"Organization: Facebook": [[0, 8], [221, 229]], "Malware: Ashas": [[166, 171], [297, 302]], "System: Google Play": [[331, 342]], "System: App Store": [[351, 360]]}, "info": {"id": "cyner_mitre_valid_00122", "source": "cyner_mitre_valid"}}
{"text": "However , all of those have been removed from Google Play – despite the fact that some of them didn ’ t contain any adware functionality .", "spans": {"System: Google Play": [[46, 57]]}, "info": {"id": "cyner_mitre_valid_00123", "source": "cyner_mitre_valid"}}
{"text": "On top of all this , one of the malicious developer ’ s YouTube videos – a tutorial on developing an “ Instant Game ” for Facebook – serves as an example of operational security completely ignored .", "spans": {"System: YouTube": [[56, 63]], "Organization: Facebook": [[122, 130]]}, "info": {"id": "cyner_mitre_valid_00124", "source": "cyner_mitre_valid"}}
{"text": "We were able to see that his recently visited web sites were Google Play pages belonging to apps containing the Ashas adware .", "spans": {"System: Google Play": [[61, 72]], "Malware: Ashas adware": [[112, 124]]}, "info": {"id": "cyner_mitre_valid_00125", "source": "cyner_mitre_valid"}}
{"text": "He also used his email account to log into various services in the video , which identifies him as the adware domain owner , beyond any doubt .", "spans": {}, "info": {"id": "cyner_mitre_valid_00126", "source": "cyner_mitre_valid"}}
{"text": "Thanks to the video , we were even able to identify three further apps that contained adware functionality and were available on Google Play .", "spans": {"System: Google Play": [[129, 140]]}, "info": {"id": "cyner_mitre_valid_00127", "source": "cyner_mitre_valid"}}
{"text": "Figure 14 .", "spans": {}, "info": {"id": "cyner_mitre_valid_00128", "source": "cyner_mitre_valid"}}
{"text": "Screenshots from this developer ’ s YouTube video shows history of checking Ashas adware on Google Play ESET telemetry Figure 15 .", "spans": {"System: YouTube": [[36, 43]], "Malware: Ashas": [[76, 81]], "System: Google Play": [[92, 103]], "Organization: ESET": [[104, 108]]}, "info": {"id": "cyner_mitre_valid_00129", "source": "cyner_mitre_valid"}}
{"text": "ESET detections of Android/AdDisplay.Ashas on Android devices by country Is adware harmful ?", "spans": {"Organization: ESET": [[0, 4]], "Malware: Android/AdDisplay.Ashas": [[19, 42]]}, "info": {"id": "cyner_mitre_valid_00130", "source": "cyner_mitre_valid"}}
{"text": "Because the real nature of apps containing adware is usually hidden to the user , these apps and their developers should be considered untrustworthy .", "spans": {}, "info": {"id": "cyner_mitre_valid_00131", "source": "cyner_mitre_valid"}}
{"text": "When installed on a device , apps containing adware may , among other things : Annoy users with intrusive advertisements , including scam ads Waste the device ’ s battery resources Generate increased network traffic Gather users ’ personal information Hide their presence on the affected device to achieve persistence Generate revenue for their operator without any user interaction Conclusion Based solely on open source intelligence , we were able to trace the developer of the Ashas adware and establish his identity and discover additional related adware-infected apps .", "spans": {"Malware: Ashas": [[480, 485]]}, "info": {"id": "cyner_mitre_valid_00132", "source": "cyner_mitre_valid"}}
{"text": "Seeing that the developer did not take any measures to protect his identity , it seems likely that his intentions weren ’ t dishonest at first – and this is also supported by the fact that not all his published apps contained unwanted ads .", "spans": {}, "info": {"id": "cyner_mitre_valid_00133", "source": "cyner_mitre_valid"}}
{"text": "At some point in his Google Play “ career ” , he apparently decided to increase his ad revenue by implementing adware functionality in his apps ’ code .", "spans": {"System: Google Play": [[21, 32]]}, "info": {"id": "cyner_mitre_valid_00134", "source": "cyner_mitre_valid"}}
{"text": "The various stealth and resilience techniques implemented in the adware show us that the culprit was aware of the malicious nature of the added functionality and attempted to keep it hidden .", "spans": {}, "info": {"id": "cyner_mitre_valid_00135", "source": "cyner_mitre_valid"}}
{"text": "Sneaking unwanted or harmful functionality into popular , benign apps is a common practice among “ bad ” developers , and we are committed to tracking down such apps .", "spans": {}, "info": {"id": "cyner_mitre_valid_00136", "source": "cyner_mitre_valid"}}
{"text": "We report them to Google and take other steps to disrupt malicious campaigns we discover .", "spans": {"Organization: Google": [[18, 24]]}, "info": {"id": "cyner_mitre_valid_00137", "source": "cyner_mitre_valid"}}
{"text": "Last but not least , we publish our findings to help Android users protect themselves .", "spans": {"System: Android": [[53, 60]]}, "info": {"id": "cyner_mitre_valid_00138", "source": "cyner_mitre_valid"}}
{"text": "MITRE ATT & CK techniques Tactic ID Name Description Initial Access T1475 Deliver Malicious App via Authorized App Store The malware impersonates legitimate services on Google Play Persistence T1402 App Auto-Start at Device Boot An Android application can listen for the BOOT_COMPLETED broadcast , ensuring that the app 's functionality will be activated every time the device starts Impact T1472 Generate Fraudulent Advertising Revenue Generates revenue by automatically displaying ads The Rotexy mobile Trojan – banker and ransomware 22 NOV 2018 On", "spans": {"Organization: MITRE": [[0, 5]], "System: Google Play": [[169, 180]], "Malware: Rotexy": [[491, 497]]}, "info": {"id": "cyner_mitre_valid_00139", "source": "cyner_mitre_valid"}}
{"text": "the back of a surge in Trojan activity , we decided to carry out an in-depth analysis and track the evolution of some other popular malware families besides Asacub .", "spans": {"Malware: Asacub": [[157, 163]]}, "info": {"id": "cyner_mitre_valid_00140", "source": "cyner_mitre_valid"}}
{"text": "One of the most interesting and active specimens to date was a mobile Trojan from the Rotexy family .", "spans": {"Malware: Rotexy": [[86, 92]]}, "info": {"id": "cyner_mitre_valid_00141", "source": "cyner_mitre_valid"}}
{"text": "In a three-month period from August to October 2018 , it launched over 70,000 attacks against users located primarily in Russia .", "spans": {}, "info": {"id": "cyner_mitre_valid_00142", "source": "cyner_mitre_valid"}}
{"text": "An interesting feature of this family of banking Trojans is the simultaneous use of three command sources : Google Cloud Messaging ( GCM ) service – used to send small messages in JSON format to a mobile device via Google servers ; malicious C & C server ; incoming SMS messages .", "spans": {}, "info": {"id": "cyner_mitre_valid_00143", "source": "cyner_mitre_valid"}}
{"text": "This ‘ versatility ’ was present in the first version of Rotexy and has been a feature of all the family ’ s subsequent representatives .", "spans": {"Malware: Rotexy": [[57, 63]]}, "info": {"id": "cyner_mitre_valid_00144", "source": "cyner_mitre_valid"}}
{"text": "During our research we also arrived at the conclusion that this Trojan evolved from an SMS spyware Trojan that was first spotted in October 2014 .", "spans": {}, "info": {"id": "cyner_mitre_valid_00145", "source": "cyner_mitre_valid"}}
{"text": "Back then it was detected as Trojan-Spy.AndroidOS.SmsThief , but later versions were assigned to another family – Trojan-Banker.AndroidOS.Rotexy .", "spans": {"Malware: Trojan-Spy.AndroidOS.SmsThief": [[29, 58]], "Malware: Trojan-Banker.AndroidOS.Rotexy": [[114, 144]]}, "info": {"id": "cyner_mitre_valid_00146", "source": "cyner_mitre_valid"}}
{"text": "The modern version of Rotexy combines the functions of a banking Trojan and ransomware .", "spans": {"Malware: Rotexy": [[22, 28]]}, "info": {"id": "cyner_mitre_valid_00147", "source": "cyner_mitre_valid"}}
{"text": "It spreads under the name AvitoPay.apk ( or similar ) and downloads from websites with names like youla9d6h.tk , prodam8n9.tk , prodamfkz.ml , avitoe0ys.tk , etc .", "spans": {"Indicator: AvitoPay.apk": [[26, 38]], "Indicator: youla9d6h.tk": [[98, 110]], "Indicator: prodam8n9.tk": [[113, 125]], "Indicator: prodamfkz.ml": [[128, 140]], "Indicator: avitoe0ys.tk": [[143, 155]]}, "info": {"id": "cyner_mitre_valid_00148", "source": "cyner_mitre_valid"}}
{"text": "These website names are generated according to a clear algorithm : the first few letters are suggestive of popular classified ad services , followed by a random string of characters , followed by a two-letter top-level domain .", "spans": {}, "info": {"id": "cyner_mitre_valid_00149", "source": "cyner_mitre_valid"}}
{"text": "But before we go into the details of what the latest version of Rotexy can do and why it ’ s distinctive , we would like to give a summary of the path the Trojan has taken since 2014 up to the present day .", "spans": {"Malware: Rotexy": [[64, 70]]}, "info": {"id": "cyner_mitre_valid_00150", "source": "cyner_mitre_valid"}}
{"text": "Evolution of Rotexy 2014–2015 Since the malicious program was detected in 2014 , its main functions and propagation method have not changed : Rotexy spreads via links sent in phishing SMSs that prompt the user to install an app .", "spans": {"Malware: Rotexy": [[13, 19], [142, 148]]}, "info": {"id": "cyner_mitre_valid_00151", "source": "cyner_mitre_valid"}}
{"text": "As it launches , it requests device administrator rights , and then starts communicating with its C & C server .", "spans": {}, "info": {"id": "cyner_mitre_valid_00152", "source": "cyner_mitre_valid"}}
{"text": "Until mid-2015 , Rotexy used a plain-text JSON format to communicate with its C & C .", "spans": {"Malware: Rotexy": [[17, 23]]}, "info": {"id": "cyner_mitre_valid_00153", "source": "cyner_mitre_valid"}}
{"text": "The C & C address was specified in the code and was also unencrypted : In some versions , a dynamically generated low-level domain was used as an address : In its first communication , the Trojan sent the infected device ’ s IMEI to the C & C , and in return it received a set of rules for processing incoming SMSs ( phone numbers , keywords and regular expressions ) – these applied mainly to messages from banks , payment systems and mobile network operators .", "spans": {}, "info": {"id": "cyner_mitre_valid_00154", "source": "cyner_mitre_valid"}}
{"text": "For instance , the Trojan could automatically reply to an SMS and immediately delete it .", "spans": {}, "info": {"id": "cyner_mitre_valid_00155", "source": "cyner_mitre_valid"}}
{"text": "Rotexy then sent information about the smartphone to the C & C , including the phone model , number , name of the mobile network operator , versions of the operating system and IMEI .", "spans": {"Malware: Rotexy": [[0, 6]]}, "info": {"id": "cyner_mitre_valid_00156", "source": "cyner_mitre_valid"}}
{"text": "With each subsequent request , a new subdomain was generated .", "spans": {}, "info": {"id": "cyner_mitre_valid_00157", "source": "cyner_mitre_valid"}}
{"text": "The algorithm for generating the lowest-level domain name was hardwired in the Trojan ’ s code .", "spans": {}, "info": {"id": "cyner_mitre_valid_00158", "source": "cyner_mitre_valid"}}
{"text": "The Trojan also registered in Google Cloud Messaging ( GCM ) , meaning it could then receive commands via that service .", "spans": {"System: Google Cloud Messaging ( GCM )": [[30, 60]]}, "info": {"id": "cyner_mitre_valid_00159", "source": "cyner_mitre_valid"}}
{"text": "The Trojan ’ s list of possible commands has remained practically unchanged throughout its life , and will be described below in detail .", "spans": {}, "info": {"id": "cyner_mitre_valid_00160", "source": "cyner_mitre_valid"}}
{"text": "The Trojan ’ s assets folder contained the file data.db with a list of possible values for the User-Agent field for the PAGE command ( which downloads the specified webpage ) .", "spans": {"Indicator: data.db": [[48, 55]]}, "info": {"id": "cyner_mitre_valid_00161", "source": "cyner_mitre_valid"}}
{"text": "If the value of this field failed to arrive from the C & C , it was selected from the file data.db using a pseudo-random algorithm .", "spans": {"Indicator: data.db": [[91, 98]]}, "info": {"id": "cyner_mitre_valid_00162", "source": "cyner_mitre_valid"}}
{"text": "2015–2016 Starting from mid-2015 , the Trojan began using the AES algorithm to encrypt data communicated between the infected device and the C & C : Also starting with the same version , data is sent in a POST request to the relative address with the format “ / [ number ] ” ( a pseudo-randomly generated number in the range 0–9999 ) .", "spans": {}, "info": {"id": "cyner_mitre_valid_00163", "source": "cyner_mitre_valid"}}
{"text": "In some samples , starting from January 2016 , an algorithm has been implemented for unpacking the encrypted executable DEX file from the assets folder .", "spans": {}, "info": {"id": "cyner_mitre_valid_00164", "source": "cyner_mitre_valid"}}
{"text": "In this version of Rotexy , dynamic generation of lowest-level domains was not used .", "spans": {"Malware: Rotexy": [[19, 25]]}, "info": {"id": "cyner_mitre_valid_00165", "source": "cyner_mitre_valid"}}
{"text": "2016 From mid-2016 on , the cybercriminals returned to dynamic generation of lowest-level domains .", "spans": {}, "info": {"id": "cyner_mitre_valid_00166", "source": "cyner_mitre_valid"}}
{"text": "No other significant changes were observed in the Trojan ’ s network behavior .", "spans": {}, "info": {"id": "cyner_mitre_valid_00167", "source": "cyner_mitre_valid"}}
{"text": "In late 2016 , versions of the Trojan emerged that contained the card.html phishing page in the assets/www folder .", "spans": {"Indicator: card.html": [[65, 74]], "Indicator: assets/www": [[96, 106]]}, "info": {"id": "cyner_mitre_valid_00168", "source": "cyner_mitre_valid"}}
{"text": "The page was designed to steal users ’ bank card details : 2017–2018 From early 2017 , the HTML phishing pages bank.html , update.html and extortionist.html started appearing in the assets folder .", "spans": {"Indicator: bank.html": [[111, 120]], "Indicator: update.html": [[123, 134]], "Indicator: extortionist.html": [[139, 156]]}, "info": {"id": "cyner_mitre_valid_00169", "source": "cyner_mitre_valid"}}
{"text": "Also , in some versions of the Trojan the file names were random strings of characters .", "spans": {}, "info": {"id": "cyner_mitre_valid_00170", "source": "cyner_mitre_valid"}}
{"text": "In 2018 , versions of Rotexy emerged that contacted the C & C using its IP address .", "spans": {"Malware: Rotexy": [[22, 28]]}, "info": {"id": "cyner_mitre_valid_00171", "source": "cyner_mitre_valid"}}
{"text": "‘ One-time ’ domains also appeared with names made up of random strings of characters and numbers , combined with the top-level domains .cf , .ga , .gq , .ml , or .tk .", "spans": {}, "info": {"id": "cyner_mitre_valid_00172", "source": "cyner_mitre_valid"}}
{"text": "At this time , the Trojan also began actively using different methods of obfuscation .", "spans": {}, "info": {"id": "cyner_mitre_valid_00173", "source": "cyner_mitre_valid"}}
{"text": "For example , the DEX file is packed with garbage strings and/or operations , and contains a key to decipher the main executable file from the APK .", "spans": {}, "info": {"id": "cyner_mitre_valid_00174", "source": "cyner_mitre_valid"}}
{"text": "Latest version ( 2018 ) Let ’ s now return to the present day and a detailed description of the functionality of a current representative of the Rotexy family ( SHA256 : ba4beb97f5d4ba33162f769f43ec8e7d1ae501acdade792a4a577cd6449e1a84 ) .", "spans": {"Malware: Rotexy": [[145, 151]], "Indicator: ba4beb97f5d4ba33162f769f43ec8e7d1ae501acdade792a4a577cd6449e1a84": [[170, 234]]}, "info": {"id": "cyner_mitre_valid_00175", "source": "cyner_mitre_valid"}}
{"text": "Application launch When launching for the first time , the Trojan checks if it is being launched in an emulation environment , and in which country it is being launched .", "spans": {}, "info": {"id": "cyner_mitre_valid_00176", "source": "cyner_mitre_valid"}}
{"text": "If the device is located outside Russia or is an emulator , the application displays a stub page : In this case , the Trojan ’ s logs contain records in Russian with grammatical errors and spelling mistakes : If the check is successful , Rotexy registers with GCM and launches SuperService which tracks if the Trojan has device administrator privileges .", "spans": {"Malware: Rotexy": [[238, 244]], "System: GCM": [[260, 263]]}, "info": {"id": "cyner_mitre_valid_00177", "source": "cyner_mitre_valid"}}
{"text": "SuperService also tracks its own status and relaunches if stopped .", "spans": {}, "info": {"id": "cyner_mitre_valid_00178", "source": "cyner_mitre_valid"}}
{"text": "It performs a privilege check once every second ; if unavailable , the Trojan starts requesting them from the user in an infinite loop : If the user agrees and gives the application the requested privileges , another stub page is displayed , and the app hides its icon : If the Trojan detects an attempt to revoke its administrator privileges , it starts periodically switching off the phone screen , trying to stop the user actions .", "spans": {}, "info": {"id": "cyner_mitre_valid_00179", "source": "cyner_mitre_valid"}}
{"text": "If the privileges are revoked successfully , the Trojan relaunches the cycle of requesting administrator privileges .", "spans": {}, "info": {"id": "cyner_mitre_valid_00180", "source": "cyner_mitre_valid"}}
{"text": "If , for some reason , SuperService does not switch off the screen when there is an attempt to revoke the device administrator privileges , the Trojan tries to intimidate the user : While running , Rotexy tracks the following : switching on and rebooting of the phone ; termination of its operation – in this case , it relaunches ; sending of an SMS by the app – in this case , the phone is switched to silent mode .", "spans": {"Malware: Rotexy": [[198, 204]]}, "info": {"id": "cyner_mitre_valid_00181", "source": "cyner_mitre_valid"}}
{"text": "C & C communications The default C & C address is hardwired in the Rotexy code : The relative address to which the Trojan will send information from the device is generated in a pseudo-random manner .", "spans": {"Malware: Rotexy": [[67, 73]]}, "info": {"id": "cyner_mitre_valid_00182", "source": "cyner_mitre_valid"}}
{"text": "Depending on the Trojan version , dynamically generated subdomains can also be used .", "spans": {}, "info": {"id": "cyner_mitre_valid_00183", "source": "cyner_mitre_valid"}}
{"text": "The Trojan stores information about C & C servers and the data harvested from the infected device in a local SQLite database .", "spans": {}, "info": {"id": "cyner_mitre_valid_00184", "source": "cyner_mitre_valid"}}
{"text": "First off , the Trojan registers in the administration panel and receives the information it needs to operate from the C & C ( the SMS interception templates and the text that will be displayed on HTML pages ) : Rotexy intercepts all incoming SMSs and processes them according to the templates it received from the C & C .", "spans": {"Malware: Rotexy": [[212, 218]]}, "info": {"id": "cyner_mitre_valid_00185", "source": "cyner_mitre_valid"}}
{"text": "Also , when an SMS arrives , the Trojan puts the phone into silent mode and switches off the screen so the user doesn ’ t notice that a new SMS has arrived .", "spans": {}, "info": {"id": "cyner_mitre_valid_00186", "source": "cyner_mitre_valid"}}
{"text": "When required , the Trojan sends an SMS to the specified phone number with the information it has received from the intercepted message .", "spans": {}, "info": {"id": "cyner_mitre_valid_00187", "source": "cyner_mitre_valid"}}
{"text": "( It is specified in the interception template whether a reply must be sent , and which text should be sent to which address .", "spans": {}, "info": {"id": "cyner_mitre_valid_00188", "source": "cyner_mitre_valid"}}
{"text": ") If the application hasn ’ t received instructions about the rules for processing incoming SMSs , it simply saves all SMSs to a local database and uploads them to the C & C .", "spans": {}, "info": {"id": "cyner_mitre_valid_00189", "source": "cyner_mitre_valid"}}
{"text": "Apart from general information about the device , the Trojan sends a list of all the running processes and installed applications to the C & C .", "spans": {}, "info": {"id": "cyner_mitre_valid_00190", "source": "cyner_mitre_valid"}}
{"text": "It ’ s possible the threat actors use this list to find running antivirus or banking applications .", "spans": {}, "info": {"id": "cyner_mitre_valid_00191", "source": "cyner_mitre_valid"}}
{"text": "Rotexy will perform further actions after it receives the corresponding commands : START , STOP , RESTART — start , stop , restart SuperService .", "spans": {"Malware: Rotexy": [[0, 6]]}, "info": {"id": "cyner_mitre_valid_00192", "source": "cyner_mitre_valid"}}
{"text": "URL — update C & C address .", "spans": {}, "info": {"id": "cyner_mitre_valid_00193", "source": "cyner_mitre_valid"}}
{"text": "MESSAGE – send SMS containing specified text to a specified number .", "spans": {}, "info": {"id": "cyner_mitre_valid_00194", "source": "cyner_mitre_valid"}}
{"text": "UPDATE_PATTERNS – reregister in the administration panel .", "spans": {}, "info": {"id": "cyner_mitre_valid_00195", "source": "cyner_mitre_valid"}}
{"text": "UNBLOCK – unblock the telephone ( revoke device administrator privileges from the app ) .", "spans": {}, "info": {"id": "cyner_mitre_valid_00196", "source": "cyner_mitre_valid"}}
{"text": "UPDATE – download APK file from C & C and install it .", "spans": {}, "info": {"id": "cyner_mitre_valid_00197", "source": "cyner_mitre_valid"}}
{"text": "This command can be used not just to update the app but to install any other software on the infected device .", "spans": {}, "info": {"id": "cyner_mitre_valid_00198", "source": "cyner_mitre_valid"}}
{"text": "CONTACTS – send text received from C & C to all user contacts .", "spans": {}, "info": {"id": "cyner_mitre_valid_00199", "source": "cyner_mitre_valid"}}
{"text": "This is most probably how the application spreads .", "spans": {}, "info": {"id": "cyner_mitre_valid_00200", "source": "cyner_mitre_valid"}}
{"text": "CONTACTS_PRO – request unique message text for contacts from the address book .", "spans": {}, "info": {"id": "cyner_mitre_valid_00201", "source": "cyner_mitre_valid"}}
{"text": "PAGE – contact URL received from C & C using User-Agent value that was also received from C & C or local database .", "spans": {}, "info": {"id": "cyner_mitre_valid_00202", "source": "cyner_mitre_valid"}}
{"text": "ALLMSG – send C & C all SMSs received and sent by user , as stored in phone memory .", "spans": {}, "info": {"id": "cyner_mitre_valid_00203", "source": "cyner_mitre_valid"}}
{"text": "ALLCONTACTS – send all contacts from phone memory to C & C .", "spans": {}, "info": {"id": "cyner_mitre_valid_00204", "source": "cyner_mitre_valid"}}
{"text": "ONLINE – send information about Trojan ’ s current status to C & C : whether it has device administrator privileges , which HTML page is currently displayed , whether screen is on or off , etc .", "spans": {}, "info": {"id": "cyner_mitre_valid_00205", "source": "cyner_mitre_valid"}}
{"text": "NEWMSG – write an SMS to the device memory containing the text and sender number sent from C & C .", "spans": {}, "info": {"id": "cyner_mitre_valid_00206", "source": "cyner_mitre_valid"}}
{"text": "CHANGE_GCM_ID – change GCM ID .", "spans": {}, "info": {"id": "cyner_mitre_valid_00207", "source": "cyner_mitre_valid"}}
{"text": "BLOCKER_BANKING_START – display phishing HTML page for entry of bank card details .", "spans": {}, "info": {"id": "cyner_mitre_valid_00208", "source": "cyner_mitre_valid"}}
{"text": "BLOCKER_EXTORTIONIST_START – display HTML page of the ransomware .", "spans": {}, "info": {"id": "cyner_mitre_valid_00209", "source": "cyner_mitre_valid"}}
{"text": "BLOCKER_UPDATE_START – display fake HTML page for update .", "spans": {}, "info": {"id": "cyner_mitre_valid_00210", "source": "cyner_mitre_valid"}}
{"text": "BLOCKER_STOP – block display of all HTML pages .", "spans": {}, "info": {"id": "cyner_mitre_valid_00211", "source": "cyner_mitre_valid"}}
{"text": "The C & C role for Rotexy can be filled not only by a web server but also by any device that can send SMSs .", "spans": {"Malware: Rotexy": [[19, 25]]}, "info": {"id": "cyner_mitre_valid_00212", "source": "cyner_mitre_valid"}}
{"text": "The Trojan intercepts incoming SMSs and can receive the following commands from them : “ 3458 ” — revoke device administrator privileges from the app ; “ hi ” , “ ask ” — enable and disable mobile internet ; “ privet ” , “ ru ” — enable and disable Wi-Fi ; “ check ” — send text “ install : [ device IMEI ] ” to phone number from which SMS was sent ; “ stop_blocker ” — stop displaying all blocking HTML pages ; “ 393838 ” — change C & C address to that specified in the", "spans": {}, "info": {"id": "cyner_mitre_valid_00213", "source": "cyner_mitre_valid"}}
{"text": "SMS .", "spans": {}, "info": {"id": "cyner_mitre_valid_00214", "source": "cyner_mitre_valid"}}
{"text": "Information about all actions performed by Rotexy is logged in the local database and sent to the C & C .", "spans": {"Malware: Rotexy": [[43, 49]]}, "info": {"id": "cyner_mitre_valid_00215", "source": "cyner_mitre_valid"}}
{"text": "The server then sends a reply that contains instructions on further actions to be taken .", "spans": {}, "info": {"id": "cyner_mitre_valid_00216", "source": "cyner_mitre_valid"}}
{"text": "Displaying HTML pages We ’ ll now look at the HTML pages that Rotexy displays and the actions performed with them .", "spans": {"Malware: Rotexy": [[62, 68]]}, "info": {"id": "cyner_mitre_valid_00217", "source": "cyner_mitre_valid"}}
{"text": "The Trojan displays a fake HTML update page ( update.html ) that blocks the device ’ s screen for a long period of time .", "spans": {"Indicator: update.html": [[46, 57]]}, "info": {"id": "cyner_mitre_valid_00218", "source": "cyner_mitre_valid"}}
{"text": "The Trojan displays the extortion page ( extortionist.html ) that blocks the device and demands a ransom for unblocking it .", "spans": {"Indicator: extortionist.html": [[41, 58]]}, "info": {"id": "cyner_mitre_valid_00219", "source": "cyner_mitre_valid"}}
{"text": "The sexually explicit images in this screenshot have been covered with a black box .", "spans": {}, "info": {"id": "cyner_mitre_valid_00220", "source": "cyner_mitre_valid"}}
{"text": "The Trojan displays a phishing page ( bank.html ) prompting the user to enter their bank card details .", "spans": {"Indicator: bank.html": [[38, 47]]}, "info": {"id": "cyner_mitre_valid_00221", "source": "cyner_mitre_valid"}}
{"text": "This page mimics a legitimate bank form and blocks the device screen until the user enters all the information .", "spans": {}, "info": {"id": "cyner_mitre_valid_00222", "source": "cyner_mitre_valid"}}
{"text": "It even has its own virtual keyboard that supposedly protects the victim from keyloggers .", "spans": {}, "info": {"id": "cyner_mitre_valid_00223", "source": "cyner_mitre_valid"}}
{"text": "In the areas marked ‘ { text } ’ Rotexy displays the text it receives from the C & C .", "spans": {"Malware: Rotexy": [[33, 39]]}, "info": {"id": "cyner_mitre_valid_00224", "source": "cyner_mitre_valid"}}
{"text": "Typically , it is a message saying that the user has received a money transfer , and that they must enter their bank card details so the money can be transferred to their account .", "spans": {}, "info": {"id": "cyner_mitre_valid_00225", "source": "cyner_mitre_valid"}}
{"text": "The entered data is then checked and the last four digits of the bank card number are also checked against the data sent in the C & C command .", "spans": {}, "info": {"id": "cyner_mitre_valid_00226", "source": "cyner_mitre_valid"}}
{"text": "The following scenario may play out : according to the templates for processing incoming SMSs , Rotexy intercepts a message from the bank that contains the last four digits of the bank card connected to the phone number .", "spans": {"Malware: Rotexy": [[96, 102]]}, "info": {"id": "cyner_mitre_valid_00227", "source": "cyner_mitre_valid"}}
{"text": "The Trojan sends these digits to the C & C , which in turn sends a command to display a fake data entry window to check the four digits .", "spans": {}, "info": {"id": "cyner_mitre_valid_00228", "source": "cyner_mitre_valid"}}
{"text": "If the user has provided the details of another card , then the following window is displayed : The application leaves the user with almost no option but to enter the correct card number , as it checks the entered number against the bank card details the cybercriminals received earlier .", "spans": {}, "info": {"id": "cyner_mitre_valid_00229", "source": "cyner_mitre_valid"}}
{"text": "When all the necessary card details are entered and have been checked , all the information is uploaded to the C & C .", "spans": {}, "info": {"id": "cyner_mitre_valid_00230", "source": "cyner_mitre_valid"}}
{"text": "How to unblock the phone Now for some good news : Rotexy doesn ’ t have a very well-designed module for processing commands that arrive in SMSs .", "spans": {"Malware: Rotexy": [[50, 56]]}, "info": {"id": "cyner_mitre_valid_00231", "source": "cyner_mitre_valid"}}
{"text": "It means the phone can be unblocked in some cases when it has been blocked by one of the above HTML pages .", "spans": {}, "info": {"id": "cyner_mitre_valid_00232", "source": "cyner_mitre_valid"}}
{"text": "This is done by sending “ 3458 ” in an SMS to the blocked device – this will revoke the administrator privileges from the Trojan .", "spans": {}, "info": {"id": "cyner_mitre_valid_00233", "source": "cyner_mitre_valid"}}
{"text": "After that it ’ s necessary to send β€œ stop_blocker ” to the same number – this will disable the display of HTML pages that extort money and block the screen .", "spans": {}, "info": {"id": "cyner_mitre_valid_00234", "source": "cyner_mitre_valid"}}
{"text": "Rotexy may start requesting device administrator privileges again in an infinite loop ; in that case , restart the device in safe mode and remove the malicious program .", "spans": {"Malware: Rotexy": [[0, 6]]}, "info": {"id": "cyner_mitre_valid_00235", "source": "cyner_mitre_valid"}}
{"text": "However , this method may not work if the threat actors react quickly to an attempt to remove the Trojan .", "spans": {}, "info": {"id": "cyner_mitre_valid_00236", "source": "cyner_mitre_valid"}}
{"text": "In that case , you first need to send the text “ 393838 ” in an SMS to the infected device and then repeat all the actions described above ; that text message will change the C & C address to “ : // ” , so the phone will no longer receive commands from the real C & C .", "spans": {}, "info": {"id": "cyner_mitre_valid_00237", "source": "cyner_mitre_valid"}}
{"text": "Please note that these unblocking instructions are based on an analysis of the current version of Rotexy and have been tested on it .", "spans": {"Malware: Rotexy": [[98, 104]]}, "info": {"id": "cyner_mitre_valid_00238", "source": "cyner_mitre_valid"}}
{"text": "However , it ’ s possible the set of commands may change in future versions of the Trojan .", "spans": {}, "info": {"id": "cyner_mitre_valid_00239", "source": "cyner_mitre_valid"}}
{"text": "Geography of Rotexy attacks According to our data , 98 % of all Rotexy attacks target users in Russia .", "spans": {"Malware: Rotexy": [[13, 19], [64, 70]]}, "info": {"id": "cyner_mitre_valid_00240", "source": "cyner_mitre_valid"}}
{"text": "Indeed , the Trojan explicitly targets Russian-speaking users .", "spans": {}, "info": {"id": "cyner_mitre_valid_00241", "source": "cyner_mitre_valid"}}
{"text": "There have also been cases of users in Ukraine , Germany , Turkey and several other countries being affected .", "spans": {}, "info": {"id": "cyner_mitre_valid_00242", "source": "cyner_mitre_valid"}}
{"text": "Kaspersky Internet Security for Android and the Sberbank Online app securely protect users against attacks by this Trojan .", "spans": {"System: Kaspersky Internet Security": [[0, 27]], "System: Android": [[32, 39]], "System: Sberbank Online app": [[48, 67]]}, "info": {"id": "cyner_mitre_valid_00243", "source": "cyner_mitre_valid"}}
{"text": "IOCs SHA256 0ca09d4fde9e00c0987de44ae2ad51a01b3c4c2c11606fe8308a083805760ee7 4378f3680ff070a1316663880f47eba54510beaeb2d897e7bbb8d6b45de63f96 76c9d8226ce558c87c81236a9b95112b83c7b546863e29b88fec4dba5c720c0b 7cc2d8d43093c3767c7c73dc2b4daeb96f70a7c455299e0c7824b4210edd6386", "spans": {"Indicator: 0ca09d4fde9e00c0987de44ae2ad51a01b3c4c2c11606fe8308a083805760ee7": [[12, 76]], "Indicator: 4378f3680ff070a1316663880f47eba54510beaeb2d897e7bbb8d6b45de63f96": [[77, 141]], "Indicator: 76c9d8226ce558c87c81236a9b95112b83c7b546863e29b88fec4dba5c720c0b": [[142, 206]], "Indicator: 7cc2d8d43093c3767c7c73dc2b4daeb96f70a7c455299e0c7824b4210edd6386": [[207, 271]]}, "info": {"id": "cyner_mitre_valid_00244", "source": "cyner_mitre_valid"}}
{"text": "9b2fd7189395b2f34781b499f5cae10ec86aa7ab373fbdc2a14ec4597d4799ba ac216d502233ca0fe51ac2bb64cfaf553d906dc19b7da4c023fec39b000bc0d7 b1ccb5618925c8f0dda8d13efe4a1e1a93d1ceed9e26ec4a388229a28d1f8d5b ba4beb97f5d4ba33162f769f43ec8e7d1ae501acdade792a4a577cd6449e1a84", "spans": {"Indicator: 9b2fd7189395b2f34781b499f5cae10ec86aa7ab373fbdc2a14ec4597d4799ba": [[0, 64]], "Indicator: ac216d502233ca0fe51ac2bb64cfaf553d906dc19b7da4c023fec39b000bc0d7": [[65, 129]], "Indicator: b1ccb5618925c8f0dda8d13efe4a1e1a93d1ceed9e26ec4a388229a28d1f8d5b": [[130, 194]], "Indicator: ba4beb97f5d4ba33162f769f43ec8e7d1ae501acdade792a4a577cd6449e1a84": [[195, 259]]}, "info": {"id": "cyner_mitre_valid_00245", "source": "cyner_mitre_valid"}}
{"text": "ba9f4d3f4eba3fa7dce726150fe402e37359a7f36c07f3932a92bd711436f88c e194268bf682d81fc7dc1e437c53c952ffae55a9d15a1fc020f0219527b7c2ec C & C 2014–2015 : secondby.ru darkclub.net holerole.org googleapis.link 2015–2016 : test2016.ru blackstar.pro synchronize.pw lineout.pw sync-weather.pw", "spans": {"Indicator: ba9f4d3f4eba3fa7dce726150fe402e37359a7f36c07f3932a92bd711436f88c": [[0, 64]], "Indicator: e194268bf682d81fc7dc1e437c53c952ffae55a9d15a1fc020f0219527b7c2ec": [[65, 129]], "Indicator: secondby.ru": [[148, 159]], "Indicator: darkclub.net": [[160, 172]], "Indicator: holerole.org": [[173, 185]], "Indicator: googleapis.link": [[186, 201]], "Indicator: test2016.ru": [[214, 225]], "Indicator: blackstar.pro": [[226, 239]], "Indicator: synchronize.pw": [[240, 254]], "Indicator: lineout.pw": [[255, 265]], "Indicator: sync-weather.pw": [[266, 281]]}, "info": {"id": "cyner_mitre_valid_00246", "source": "cyner_mitre_valid"}}
{"text": "2016 freedns.website streamout.space 2017–2018 : streamout.space sky-sync.pw gms-service.info EventBot : A New Mobile Banking Trojan is Born April 30 , 2020 KEY FINDINGS The Cybereason Nocturnus team is investigating EventBot , a new type of Android mobile malware that emerged around March 2020 .", "spans": {"Indicator: streamout.space": [[21, 36], [49, 64]], "Indicator: sky-sync.pw": [[65, 76]], "Indicator: gms-service.info": [[77, 93]], "Malware: EventBot": [[94, 102], [217, 225]], "Organization: Cybereason Nocturnus": [[174, 194]], "System: Android": [[242, 249]]}, "info": {"id": "cyner_mitre_valid_00247", "source": "cyner_mitre_valid"}}
{"text": "EventBot is a mobile banking trojan and infostealer that abuses Android ’ s accessibility features to steal user data from financial applications , read user SMS messages , and steal SMS messages to allow the malware to bypass two-factor authentication .", "spans": {"Malware: EventBot": [[0, 8]], "System: Android": [[64, 71]]}, "info": {"id": "cyner_mitre_valid_00248", "source": "cyner_mitre_valid"}}
{"text": "EventBot targets users of over 200 different financial applications , including banking , money transfer services , and crypto-currency wallets .", "spans": {"Malware: EventBot": [[0, 8]]}, "info": {"id": "cyner_mitre_valid_00249", "source": "cyner_mitre_valid"}}
{"text": "Those targeted include applications like Paypal Business , Revolut , Barclays , UniCredit , CapitalOne UK , HSBC UK , Santander UK , TransferWise , Coinbase , paysafecard , and many more .", "spans": {"System: Paypal Business": [[41, 56]], "System: Revolut": [[59, 66]], "System: Barclays": [[69, 77]], "System: UniCredit": [[80, 89]], "System: CapitalOne UK": [[92, 105]], "System: HSBC UK": [[108, 115]], "System: Santander UK": [[118, 130]], "System: TransferWise": [[133, 145]], "System: Coinbase": [[148, 156]], "System: paysafecard": [[159, 170]]}, "info": {"id": "cyner_mitre_valid_00250", "source": "cyner_mitre_valid"}}
{"text": "It specifically targets financial banking applications across the United States and Europe , including Italy , the UK , Spain , Switzerland , France , and Germany .", "spans": {}, "info": {"id": "cyner_mitre_valid_00251", "source": "cyner_mitre_valid"}}
{"text": "The full list of banking applications targeted is included in the appendix .", "spans": {}, "info": {"id": "cyner_mitre_valid_00252", "source": "cyner_mitre_valid"}}
{"text": "EventBot is particularly interesting because it is in such early stages .", "spans": {"Organization: EventBot": [[0, 8]]}, "info": {"id": "cyner_mitre_valid_00253", "source": "cyner_mitre_valid"}}
{"text": "This brand new malware has real potential to become the next big mobile malware , as it is under constant iterative improvements , abuses a critical operating system feature , and targets financial applications .", "spans": {}, "info": {"id": "cyner_mitre_valid_00254", "source": "cyner_mitre_valid"}}
{"text": "This research gives a rare look into the process improvements malware authors make when optimizing before launch .", "spans": {}, "info": {"id": "cyner_mitre_valid_00255", "source": "cyner_mitre_valid"}}
{"text": "By going on the offensive and hunting the attackers , our team was able to unearth the early stages of what may be a very dangerous mobile malware .", "spans": {}, "info": {"id": "cyner_mitre_valid_00256", "source": "cyner_mitre_valid"}}
{"text": "TABLE OF CONTENTS Security Recommendations Introduction Threat Analysis Common Features Unique Features by Version Malware Under Active Development Suspected Detection Tests by the Threat Actor EventBot Infrastructure Cybereason Mobile Conclusion Indicators of Compromise MITRE ATT & CK for Mobile Breakdown SECURITY RECOMMENDATIONS Keep your mobile device up-to-date with the latest software updates from legitimate sources .", "spans": {"Malware: EventBot": [[194, 202]], "Organization: MITRE": [[272, 277]]}, "info": {"id": "cyner_mitre_valid_00257", "source": "cyner_mitre_valid"}}
{"text": "Keep Google Play Protect on .", "spans": {"System: Google Play Protect": [[5, 24]]}, "info": {"id": "cyner_mitre_valid_00258", "source": "cyner_mitre_valid"}}
{"text": "Do not download mobile apps from unofficial or unauthorized sources .", "spans": {}, "info": {"id": "cyner_mitre_valid_00259", "source": "cyner_mitre_valid"}}
{"text": "Most legitimate Android apps are available on the Google Play Store .", "spans": {"System: Android": [[16, 23]], "System: Google Play Store": [[50, 67]]}, "info": {"id": "cyner_mitre_valid_00260", "source": "cyner_mitre_valid"}}
{"text": "Always apply critical thinking and consider whether you should give a certain app the permissions it requests .", "spans": {}, "info": {"id": "cyner_mitre_valid_00261", "source": "cyner_mitre_valid"}}
{"text": "When in doubt , check the APK signature and hash in sources like VirusTotal before installing it on your device .", "spans": {"Organization: VirusTotal": [[65, 75]]}, "info": {"id": "cyner_mitre_valid_00262", "source": "cyner_mitre_valid"}}
{"text": "Use mobile threat detection solutions for enhanced security .", "spans": {}, "info": {"id": "cyner_mitre_valid_00263", "source": "cyner_mitre_valid"}}
{"text": "INTRODUCTION For the past few weeks , the Cybereason Nocturnus team has been investigating a new type of Android malware dubbed EventBot , which was first identified in March 2020 .", "spans": {"Organization: Cybereason Nocturnus": [[42, 62]], "System: Android": [[105, 112]], "Malware: EventBot": [[128, 136]]}, "info": {"id": "cyner_mitre_valid_00264", "source": "cyner_mitre_valid"}}
{"text": "This malware appears to be newly developed with code that differs significantly from previously known Android malware .", "spans": {"System: Android": [[102, 109]]}, "info": {"id": "cyner_mitre_valid_00265", "source": "cyner_mitre_valid"}}
{"text": "EventBot is under active development and is evolving rapidly ; new versions are released every few days with improvements and new capabilities .", "spans": {"Malware: EventBot": [[0, 8]]}, "info": {"id": "cyner_mitre_valid_00266", "source": "cyner_mitre_valid"}}
{"text": "EventBot abuses Android ’ s accessibility feature to access valuable user information , system information , and data stored in other applications .", "spans": {"Malware: EventBot": [[0, 8]], "System: Android": [[16, 23]]}, "info": {"id": "cyner_mitre_valid_00267", "source": "cyner_mitre_valid"}}
{"text": "In particular , EventBot can intercept SMS messages and bypass two-factor authentication mechanisms .", "spans": {"Malware: EventBot": [[16, 24]]}, "info": {"id": "cyner_mitre_valid_00268", "source": "cyner_mitre_valid"}}
{"text": "The Cybereason Nocturnus team has concluded that EventBot is designed to target over 200 different banking and finance applications , the majority of which are European bank and crypto-currency exchange applications .", "spans": {"Organization: Cybereason Nocturnus": [[4, 24]], "Malware: EventBot": [[49, 57]]}, "info": {"id": "cyner_mitre_valid_00269", "source": "cyner_mitre_valid"}}
{"text": "By accessing and stealing this data , Eventbot has the potential to access key business data , including financial data .", "spans": {"Malware: Eventbot": [[38, 46]]}, "info": {"id": "cyner_mitre_valid_00270", "source": "cyner_mitre_valid"}}
{"text": "60 % of devices containing or accessing enterprise data are mobile , and mobile devices tend to include a significant amount of personal and business data , assuming the organization has a bring-your-own-device policy in place .", "spans": {}, "info": {"id": "cyner_mitre_valid_00271", "source": "cyner_mitre_valid"}}
{"text": "Mobile malware is a significant risk for organizations and consumers alike , and must be considered when protecting personal and business data .", "spans": {}, "info": {"id": "cyner_mitre_valid_00272", "source": "cyner_mitre_valid"}}
{"text": "EventBot mobile banking applications targetedApplications targeted by EventBot .", "spans": {"Malware: EventBot": [[0, 8], [70, 78]]}, "info": {"id": "cyner_mitre_valid_00273", "source": "cyner_mitre_valid"}}
{"text": "Cybereason Mobile Detecting EventBotCybereason Mobile detecting EventBot .", "spans": {"Organization: Cybereason Mobile": [[0, 17]], "Malware: EventBot": [[64, 72]]}, "info": {"id": "cyner_mitre_valid_00274", "source": "cyner_mitre_valid"}}
{"text": "THREAT ANALYSIS Initial Access Though EventBot is not currently on the Google Play Store , we were able to find several icons EventBot is using to masquerade as a legitimate application .", "spans": {"Malware: EventBot": [[38, 46], [126, 134]], "System: Google Play": [[71, 82]]}, "info": {"id": "cyner_mitre_valid_00275", "source": "cyner_mitre_valid"}}
{"text": "We believe that , when it is officially released , it will most likely be uploaded to rogue APK stores and other shady websites , while masquerading as real applications .", "spans": {}, "info": {"id": "cyner_mitre_valid_00276", "source": "cyner_mitre_valid"}}
{"text": "Icons used for EventBot masqueraded as legitimate with these icons.application .", "spans": {"Malware: EventBot": [[15, 23]]}, "info": {"id": "cyner_mitre_valid_00277", "source": "cyner_mitre_valid"}}
{"text": "Malware Capabilities The Cybereason Nocturnus team has been following EventBot since the beginning of March 2020 .", "spans": {"Organization: Cybereason Nocturnus": [[25, 45]], "Malware: EventBot": [[70, 78]]}, "info": {"id": "cyner_mitre_valid_00278", "source": "cyner_mitre_valid"}}
{"text": "The team has encountered different versions of the malware over time as it has rapidly evolved .", "spans": {}, "info": {"id": "cyner_mitre_valid_00279", "source": "cyner_mitre_valid"}}
{"text": "At the time of writing this research , four versions of the EventBot malware were observed : Version 0.0.0.1 , 0.0.0.2 , and 0.3.0.1 and 0.4.0.1 .", "spans": {"Malware: EventBot": [[60, 68]]}, "info": {"id": "cyner_mitre_valid_00280", "source": "cyner_mitre_valid"}}
{"text": "Each version expands the bot ’ s functionality and works to obfuscate the malware against analysis .", "spans": {}, "info": {"id": "cyner_mitre_valid_00281", "source": "cyner_mitre_valid"}}
{"text": "In this research , we review common features of the malware and examine the improvements the threat actor made in each version .", "spans": {}, "info": {"id": "cyner_mitre_valid_00282", "source": "cyner_mitre_valid"}}
{"text": "COMMON FEATURES Permissions When installed , EventBot requests the following permissions on the device : SYSTEM_ALERT_WINDOW - allow the app to create windows that are shown on top of other apps .", "spans": {"Malware: EventBot": [[45, 53]]}, "info": {"id": "cyner_mitre_valid_00283", "source": "cyner_mitre_valid"}}
{"text": "READ_EXTERNAL_STORAGE - read from external storage .", "spans": {}, "info": {"id": "cyner_mitre_valid_00284", "source": "cyner_mitre_valid"}}
{"text": "REQUEST_INSTALL_PACKAGES - make a request to install packages .", "spans": {}, "info": {"id": "cyner_mitre_valid_00285", "source": "cyner_mitre_valid"}}
{"text": "INTERNET - open network sockets .", "spans": {}, "info": {"id": "cyner_mitre_valid_00286", "source": "cyner_mitre_valid"}}
{"text": "REQUEST_IGNORE_BATTERY_OPTIMIZATIONS - whitelist the app to allow it to ignore battery optimizations .", "spans": {}, "info": {"id": "cyner_mitre_valid_00287", "source": "cyner_mitre_valid"}}
{"text": "WAKE_LOCK - prevent the processor from sleeping and dimming the screen .", "spans": {}, "info": {"id": "cyner_mitre_valid_00288", "source": "cyner_mitre_valid"}}
{"text": "ACCESS_NETWORK_STATE - allow the app to access information about networks .", "spans": {}, "info": {"id": "cyner_mitre_valid_00289", "source": "cyner_mitre_valid"}}
{"text": "REQUEST_COMPANION_RUN_IN_BACKGROUND - let the app run in the background .", "spans": {}, "info": {"id": "cyner_mitre_valid_00290", "source": "cyner_mitre_valid"}}
{"text": "REQUEST_COMPANION_USE_DATA_IN_BACKGROUND - let the app use data in the background .", "spans": {}, "info": {"id": "cyner_mitre_valid_00291", "source": "cyner_mitre_valid"}}
{"text": "RECEIVE_BOOT_COMPLETED - allow the application to launch itself after system boot .", "spans": {}, "info": {"id": "cyner_mitre_valid_00292", "source": "cyner_mitre_valid"}}
{"text": "EventBot uses this permission in order to achieve persistence and run in the background as a service .", "spans": {"Malware: EventBot": [[0, 8]]}, "info": {"id": "cyner_mitre_valid_00293", "source": "cyner_mitre_valid"}}
{"text": "RECEIVE_SMS - allow the application to receive text messages .", "spans": {}, "info": {"id": "cyner_mitre_valid_00294", "source": "cyner_mitre_valid"}}
{"text": "READ_SMS - allow the application to read text messages .", "spans": {}, "info": {"id": "cyner_mitre_valid_00295", "source": "cyner_mitre_valid"}}
{"text": "EventBot permissions EventBot ’ s permissions as seen in the manifest file .", "spans": {"Malware: EventBot": [[0, 8], [21, 29]]}, "info": {"id": "cyner_mitre_valid_00296", "source": "cyner_mitre_valid"}}
{"text": "THE INITIAL INSTALLATION PROCESS Once installed , EventBot prompts the user to give it access to accessibility services .", "spans": {"Malware: EventBot": [[50, 58]]}, "info": {"id": "cyner_mitre_valid_00297", "source": "cyner_mitre_valid"}}
{"text": "Initial request by EventBot Initial request by EventBot to run as a service .", "spans": {"Malware: EventBot": [[19, 27], [47, 55]]}, "info": {"id": "cyner_mitre_valid_00298", "source": "cyner_mitre_valid"}}
{"text": "Once the malware can use accessibility services , it has the ability to operate as a keylogger and can retrieve notifications about other installed applications and content of open windows .", "spans": {}, "info": {"id": "cyner_mitre_valid_00299", "source": "cyner_mitre_valid"}}
{"text": "EventBot ’ s request to use accessibility services .", "spans": {}, "info": {"id": "cyner_mitre_valid_00300", "source": "cyner_mitre_valid"}}
{"text": "In more up-to-date versions of Android , EventBot will ask for permissions to run in the background before deleting itself from the launcher .", "spans": {"System: Android": [[31, 38]], "Malware: EventBot": [[41, 49]]}, "info": {"id": "cyner_mitre_valid_00301", "source": "cyner_mitre_valid"}}
{"text": "EventBot requests permissions to always run in the background .", "spans": {"Malware: EventBot": [[0, 8]]}, "info": {"id": "cyner_mitre_valid_00302", "source": "cyner_mitre_valid"}}
{"text": "DOWNLOAD AND UPDATE THE TARGET CONFIGURATION FILE By analyzing and decoding the HTTP packets in EventBot Version 0.0.0.1 , we can see that EventBot downloads and updates a configuration file with almost 200 different financial application targets .", "spans": {"Malware: EventBot": [[96, 104], [139, 147]]}, "info": {"id": "cyner_mitre_valid_00303", "source": "cyner_mitre_valid"}}
{"text": "Following is the HTTP response from the C2 server , containing the encrypted configuration : EventBot Encrypted HTTP response returned from the C2 Encrypted HTTP response returned from the C2 .", "spans": {"Malware: EventBot": [[93, 101]]}, "info": {"id": "cyner_mitre_valid_00304", "source": "cyner_mitre_valid"}}
{"text": "In Version 0.0.0.1 , the communication with the C2 is encrypted using Base64 and RC4 .", "spans": {}, "info": {"id": "cyner_mitre_valid_00305", "source": "cyner_mitre_valid"}}
{"text": "The RC4 key is hardcoded in EventBot .", "spans": {"Malware: EventBot": [[28, 36]]}, "info": {"id": "cyner_mitre_valid_00306", "source": "cyner_mitre_valid"}}
{"text": "Upon decryption , we can see that the response from the server is a JSON object of EventBot ’ s configuration , which contains C2 URLs and a targeted applications list .", "spans": {"Malware: EventBot": [[83, 91]]}, "info": {"id": "cyner_mitre_valid_00307", "source": "cyner_mitre_valid"}}
{"text": "Decrypted EventBot configuration Decrypted EventBot configuration returned from the C2 .", "spans": {"Malware: EventBot": [[10, 18], [43, 51]]}, "info": {"id": "cyner_mitre_valid_00308", "source": "cyner_mitre_valid"}}
{"text": "The configuration file contains a list of financial applications that can be targeted by EventBot .", "spans": {"Malware: EventBot": [[89, 97]]}, "info": {"id": "cyner_mitre_valid_00309", "source": "cyner_mitre_valid"}}
{"text": "This version includes 185 different applications , including official applications of worldwide banks .", "spans": {}, "info": {"id": "cyner_mitre_valid_00310", "source": "cyner_mitre_valid"}}
{"text": "26 of the targeted applications are from Italy , 25 are from the UK , 6 are from Germany , 5 are from France , and 3 are from Spain .", "spans": {}, "info": {"id": "cyner_mitre_valid_00311", "source": "cyner_mitre_valid"}}
{"text": "However , it also targets applications from Romania , Ireland , India , Austria , Switzerland , Australia , Poland and the USA .", "spans": {}, "info": {"id": "cyner_mitre_valid_00312", "source": "cyner_mitre_valid"}}
{"text": "In addition to official banking applications , the target list includes 111 other global financial applications for banking and credit card management , money transfers , and cryptocurrency wallets and exchanges .", "spans": {}, "info": {"id": "cyner_mitre_valid_00313", "source": "cyner_mitre_valid"}}
{"text": "Those targeted include Paypal Business , Revolut , Barclays , UniCredit , CapitalOne UK , HSBC UK , Santander UK , TransferWise , Coinbase , paysafecard , and many more .", "spans": {"System: Paypal Business": [[23, 38]], "System: Revolut": [[41, 48]], "System: Barclays": [[51, 59]], "System: UniCredit": [[62, 71]], "System: CapitalOne UK": [[74, 87]], "System: HSBC UK": [[90, 97]], "System: Santander UK": [[100, 112]], "System: TransferWise": [[115, 127]], "System: Coinbase": [[130, 138]], "System: paysafecard": [[141, 152]]}, "info": {"id": "cyner_mitre_valid_00314", "source": "cyner_mitre_valid"}}
{"text": "The full list of banking applications targeted is included in the appendix .", "spans": {}, "info": {"id": "cyner_mitre_valid_00315", "source": "cyner_mitre_valid"}}
{"text": "ABUSE OF ACCESSIBILITY SERVICES EventBot abuses the accessibility services of Android devices for the majority of its activity .", "spans": {"Malware: EventBot": [[32, 40]], "System: Android": [[78, 85]]}, "info": {"id": "cyner_mitre_valid_00316", "source": "cyner_mitre_valid"}}
{"text": "Accessibility features are typically used to help users with disabilities by giving the device the ability to write into input fields , auto-generate permissions , perform gestures for the user , etc .", "spans": {}, "info": {"id": "cyner_mitre_valid_00317", "source": "cyner_mitre_valid"}}
{"text": "However , when used maliciously , accessibility features can be used to exploit legitimate services for malicious purposes , like with EventBot .", "spans": {"Malware: EventBot": [[135, 143]]}, "info": {"id": "cyner_mitre_valid_00318", "source": "cyner_mitre_valid"}}
{"text": "EventBot uses multiple methods to exploit accessibility events for webinjects and other information stealing purposes .", "spans": {"Malware: EventBot": [[0, 8]]}, "info": {"id": "cyner_mitre_valid_00319", "source": "cyner_mitre_valid"}}
{"text": "DATA GATHERING Getting a list of all installed applications : Once EventBot is installed on the target machine , it lists all the applications on the target machine and sends them to the C2 .", "spans": {"Malware: EventBot": [[67, 75]]}, "info": {"id": "cyner_mitre_valid_00320", "source": "cyner_mitre_valid"}}
{"text": "Device information : EventBot queries for device information like OS , model , etc , and also sends that to the C2 .", "spans": {"Malware: EventBot": [[21, 29]]}, "info": {"id": "cyner_mitre_valid_00321", "source": "cyner_mitre_valid"}}
{"text": "EventBot infected device to be sent to the C Information gathered about the infected device to be sent to the C2 .", "spans": {"Malware: EventBot": [[0, 8]]}, "info": {"id": "cyner_mitre_valid_00322", "source": "cyner_mitre_valid"}}
{"text": "Data encryption : In the initial version of EventBot , the data being exfiltrated is encrypted using Base64 and RC4 .", "spans": {"Malware: EventBot": [[44, 52]]}, "info": {"id": "cyner_mitre_valid_00323", "source": "cyner_mitre_valid"}}
{"text": "In later versions , another encryption layer is added using Curve25519 encryption .", "spans": {}, "info": {"id": "cyner_mitre_valid_00324", "source": "cyner_mitre_valid"}}
{"text": "All of the most recent versions of EventBot contain a ChaCha20 library that can improve performance when compared to other algorithms like RC4 and AES .", "spans": {"Malware: EventBot": [[35, 43]], "System: ChaCha20": [[54, 62]]}, "info": {"id": "cyner_mitre_valid_00325", "source": "cyner_mitre_valid"}}
{"text": "This implies that the authors are actively working to optimize EventBot over time .", "spans": {"Malware: EventBot": [[63, 71]]}, "info": {"id": "cyner_mitre_valid_00326", "source": "cyner_mitre_valid"}}
{"text": "SMS grabbing : EventBot has the ability to parse SMS messages by using the targeted device ’ s SDK version to parse them correctly .", "spans": {"Malware: EventBot": [[15, 23]]}, "info": {"id": "cyner_mitre_valid_00327", "source": "cyner_mitre_valid"}}
{"text": "EventBot parsing of grabbed SMS messages Parsing of grabbed SMS messages .", "spans": {"Malware: EventBot": [[0, 8]]}, "info": {"id": "cyner_mitre_valid_00328", "source": "cyner_mitre_valid"}}
{"text": "Webinjects : According to the bot ’ s configuration , if a webinject is set for a given application , it will be executed .", "spans": {}, "info": {"id": "cyner_mitre_valid_00329", "source": "cyner_mitre_valid"}}
{"text": "EventBot web injects execution method Web injects execution method by a pre-established configuration .", "spans": {"Malware: EventBot": [[0, 8]]}, "info": {"id": "cyner_mitre_valid_00330", "source": "cyner_mitre_valid"}}
{"text": "BOT UPDATES EventBot has a long method called parseCommand that can update EventBot ’ s configuration XML files , located in the shared preferences folder on the device .", "spans": {"Malware: EventBot": [[12, 20], [75, 83]]}, "info": {"id": "cyner_mitre_valid_00331", "source": "cyner_mitre_valid"}}
{"text": "EventBot Dropped XML configuration files Dropped XML configuration files on the device .", "spans": {"Malware: EventBot": [[0, 8]]}, "info": {"id": "cyner_mitre_valid_00332", "source": "cyner_mitre_valid"}}
{"text": "EventBot uses this function to update its C2s , the configuration of webinjects , etc .", "spans": {"Malware: EventBot": [[0, 8]]}, "info": {"id": "cyner_mitre_valid_00333", "source": "cyner_mitre_valid"}}
{"text": "The following code shows EventBot parsing instructions sent from the C2 .", "spans": {"Malware: EventBot": [[25, 33]]}, "info": {"id": "cyner_mitre_valid_00334", "source": "cyner_mitre_valid"}}
{"text": "Parsing of instructions by EventBot Parsing of instructions by the bot from the C2 .", "spans": {"Malware: EventBot": [[27, 35]]}, "info": {"id": "cyner_mitre_valid_00335", "source": "cyner_mitre_valid"}}
{"text": "UNIQUE FEATURES BY VERSION EventBot Version 0.0.0.1 RC4 and Base64 Packet Encryption EventBot RC4 and Base64 data decryption from the C2 RC4 and Base64 data decryption from the C2 .", "spans": {"Malware: EventBot": [[27, 35], [85, 93]]}, "info": {"id": "cyner_mitre_valid_00336", "source": "cyner_mitre_valid"}}
{"text": "As mentioned above , EventBot Version 0.0.0.1 sends a JSON object containing the Android package names of all the apps installed on the victim ’ s device alongside additional metadata , including the bot version , botnetID , and the reason this package is sent .", "spans": {"Malware: EventBot": [[21, 29]], "System: Android": [[81, 88]]}, "info": {"id": "cyner_mitre_valid_00337", "source": "cyner_mitre_valid"}}
{"text": "For this particular packet , the reason is registration of the bot .", "spans": {}, "info": {"id": "cyner_mitre_valid_00338", "source": "cyner_mitre_valid"}}
{"text": "If the connection to the C2 fails , it will continue to retry until it is successful .", "spans": {}, "info": {"id": "cyner_mitre_valid_00339", "source": "cyner_mitre_valid"}}
{"text": "EventBot Logcat from the infected device Logcat from the infected device .", "spans": {"Malware: EventBot": [[0, 8]]}, "info": {"id": "cyner_mitre_valid_00340", "source": "cyner_mitre_valid"}}
{"text": "EVENTBOT VERSION 0.0.0.2 Dynamic Library Loading As of Version 0.0.0.2 , EventBot attempts to hide its main functionality from static analysis .", "spans": {"Malware: EVENTBOT": [[0, 8]], "Malware: EventBot": [[73, 81]]}, "info": {"id": "cyner_mitre_valid_00341", "source": "cyner_mitre_valid"}}
{"text": "With Version 0.0.0.1 , there is a dedicated functions class where all main malicious activity happens and can be observed .", "spans": {}, "info": {"id": "cyner_mitre_valid_00342", "source": "cyner_mitre_valid"}}
{"text": "Instead , in Version 0.0.0.2 , EventBot dynamically loads its main module .", "spans": {"Malware: EventBot": [[31, 39]]}, "info": {"id": "cyner_mitre_valid_00343", "source": "cyner_mitre_valid"}}
{"text": "EventBot loaded library Loaded library as seen in Logcat .", "spans": {"Malware: EventBot": [[0, 8]]}, "info": {"id": "cyner_mitre_valid_00344", "source": "cyner_mitre_valid"}}
{"text": "By browsing EventBot ’ s installation path on the device , we can see the library dropped in the app_dex folder .", "spans": {"Malware: EventBot": [[12, 20]]}, "info": {"id": "cyner_mitre_valid_00345", "source": "cyner_mitre_valid"}}
{"text": "EventBot loaded library The loaded library dropped on the device .", "spans": {"Malware: EventBot": [[0, 8]]}, "info": {"id": "cyner_mitre_valid_00346", "source": "cyner_mitre_valid"}}
{"text": "The code to load the main module dynamically can also be seen statically .", "spans": {}, "info": {"id": "cyner_mitre_valid_00347", "source": "cyner_mitre_valid"}}
{"text": "The malicious library is loaded from Eventbot ’ s assets that contain a font file called default.ttf which is actually the hidden library and then decoded using RC4 .", "spans": {"Malware: Eventbot": [[37, 45]], "Indicator: default.ttf": [[89, 100]]}, "info": {"id": "cyner_mitre_valid_00348", "source": "cyner_mitre_valid"}}
{"text": "EventBot method responsible for the library loading The method responsible for the library loading .", "spans": {}, "info": {"id": "cyner_mitre_valid_00349", "source": "cyner_mitre_valid"}}
{"text": "EventBot has the ability to update its library or potentially even download a second library when given a command from the C2 .", "spans": {"Malware: EventBot": [[0, 8]]}, "info": {"id": "cyner_mitre_valid_00350", "source": "cyner_mitre_valid"}}
{"text": "An updated library name is generated by calculating the md5sum of several device properties , while concatenating the build model twice in case of an update to the library .", "spans": {}, "info": {"id": "cyner_mitre_valid_00351", "source": "cyner_mitre_valid"}}
{"text": "EventBot Updated library naming convention EventBot New library naming convention .", "spans": {"Malware: EventBot": [[43, 51]]}, "info": {"id": "cyner_mitre_valid_00352", "source": "cyner_mitre_valid"}}
{"text": "Data Encryption The Curve25519 encryption algorithm was implemented as of EventBot Version 0.0.0.2 .", "spans": {"Malware: EventBot": [[74, 82]]}, "info": {"id": "cyner_mitre_valid_00353", "source": "cyner_mitre_valid"}}
{"text": "This encryption algorithm is an extra security layer for communicating with the C2 , an improvement over the previous version of a plain RC4 encryption .", "spans": {}, "info": {"id": "cyner_mitre_valid_00354", "source": "cyner_mitre_valid"}}
{"text": "When reviewing the decrypted packet , it ’ s clear it has the same content as previous versions .", "spans": {}, "info": {"id": "cyner_mitre_valid_00355", "source": "cyner_mitre_valid"}}
{"text": "EventBot decryption of packets from the C2 Decryption of packets from the C2 using Curve25519 .", "spans": {"Malware: EventBot": [[0, 8]]}, "info": {"id": "cyner_mitre_valid_00356", "source": "cyner_mitre_valid"}}
{"text": "EVENTBOT VERSION 0.3.0.1 Additional Assets Based on Country / Region EventBot-23aEventBot Spanish and Italian Images in Spanish and Italian added in version 0.3.0.1 .", "spans": {}, "info": {"id": "cyner_mitre_valid_00357", "source": "cyner_mitre_valid"}}
{"text": "Version 0.3.0.1 includes Italian and Spanish language compatibility within the resources section .", "spans": {}, "info": {"id": "cyner_mitre_valid_00358", "source": "cyner_mitre_valid"}}
{"text": "Presumably , this was done to make the app seem more credible to targeted users in different countries .", "spans": {}, "info": {"id": "cyner_mitre_valid_00359", "source": "cyner_mitre_valid"}}
{"text": "Grabbing the Screen PIN with Support for Samsung Devices Version 0.3.0.1 added an ~800 line long method called grabScreenPin , which uses accessibility features to track pin code changes in the device ’ s settings .", "spans": {"Organization: Samsung": [[41, 48]]}, "info": {"id": "cyner_mitre_valid_00360", "source": "cyner_mitre_valid"}}
{"text": "It listens to events like TYPE_VIEW_TEXT_CHANGED .", "spans": {}, "info": {"id": "cyner_mitre_valid_00361", "source": "cyner_mitre_valid"}}
{"text": "We suspect the updated PIN is sent to the C2 , most likely to give the malware the option to perform privileged activities on the infected device related to payments , system configuration options , etc .", "spans": {}, "info": {"id": "cyner_mitre_valid_00362", "source": "cyner_mitre_valid"}}
{"text": "EventBot Listening to TYPE_VIEW_TEXT_CHANGED accessibility event Listening to TYPE_VIEW_TEXT_CHANGED accessibility event .", "spans": {"Malware: EventBot": [[0, 8]]}, "info": {"id": "cyner_mitre_valid_00363", "source": "cyner_mitre_valid"}}
{"text": "After collecting the changed PIN code , it is sent back to the C2 .", "spans": {}, "info": {"id": "cyner_mitre_valid_00364", "source": "cyner_mitre_valid"}}
{"text": "EventBot Sending the pin code back to the C2 Sending the pin code back to the C2 .", "spans": {"Malware: EventBot": [[0, 8]]}, "info": {"id": "cyner_mitre_valid_00365", "source": "cyner_mitre_valid"}}
{"text": "Eventually , the screen PIN preferences will be saved to an additional XML file in the shared preferences folder .", "spans": {}, "info": {"id": "cyner_mitre_valid_00366", "source": "cyner_mitre_valid"}}
{"text": "EventBot screenPinPrefs.xml The content of screenPinPrefs.xml .", "spans": {"Indicator: screenPinPrefs.xml": [[9, 27], [43, 61]]}, "info": {"id": "cyner_mitre_valid_00367", "source": "cyner_mitre_valid"}}
{"text": "The grabScreenPin method has separate conditioning to handle screen lock events in Samsung devices .", "spans": {"Organization: Samsung": [[83, 90]]}, "info": {"id": "cyner_mitre_valid_00368", "source": "cyner_mitre_valid"}}
{"text": "EventBot screen lock with support for Samsung devices A new method to handle screen lock with support for Samsung devices .", "spans": {"Malware: EventBot": [[0, 8]], "Organization: Samsung": [[38, 45], [106, 113]]}, "info": {"id": "cyner_mitre_valid_00369", "source": "cyner_mitre_valid"}}
{"text": "EVENTBOT VERSION 0.4.0.1 Package Name Randomization In this version , the package name is no longer named ‘ com.example.eventbot ’ , which makes it more difficult to track down .", "spans": {"Indicator: com.example.eventbot": [[108, 128]]}, "info": {"id": "cyner_mitre_valid_00370", "source": "cyner_mitre_valid"}}
{"text": "EventBot Randomized package name Randomized package name instead of com.example.eventbot .", "spans": {"Malware: EventBot": [[0, 8]], "Indicator: com.example.eventbot": [[68, 88]]}, "info": {"id": "cyner_mitre_valid_00371", "source": "cyner_mitre_valid"}}
{"text": "ProGuard Obfuscation As with many other Android applications , EventBot is now using obfuscation .", "spans": {"System: ProGuard": [[0, 8]], "System: Android": [[40, 47]], "Malware: EventBot": [[63, 71]]}, "info": {"id": "cyner_mitre_valid_00372", "source": "cyner_mitre_valid"}}
{"text": "Both the loader and dropped class are obfuscated using ProGuard , which obfuscates names using alphabet letters .", "spans": {"Indicator: ProGuard": [[55, 63]]}, "info": {"id": "cyner_mitre_valid_00373", "source": "cyner_mitre_valid"}}
{"text": "The code itself is not modified by this type of obfuscation though , making the analysis easier .", "spans": {}, "info": {"id": "cyner_mitre_valid_00374", "source": "cyner_mitre_valid"}}
{"text": "EventBot Obfuscated class names Obfuscated class names using letters of the alphabet .", "spans": {"Malware: EventBot": [[0, 8]]}, "info": {"id": "cyner_mitre_valid_00375", "source": "cyner_mitre_valid"}}
{"text": "Hidden Configuration Data As mentioned above , EventBot begins using obfuscation .", "spans": {"Malware: EventBot": [[47, 55]]}, "info": {"id": "cyner_mitre_valid_00376", "source": "cyner_mitre_valid"}}
{"text": "Due to this obfuscation , a part of the previously mentioned cfg class is now mapped to c/b/a/a/a or c/a/a/a/a .", "spans": {}, "info": {"id": "cyner_mitre_valid_00377", "source": "cyner_mitre_valid"}}
{"text": "EventBot C2 URLs C2 URLs and other settings in a nested class .", "spans": {}, "info": {"id": "cyner_mitre_valid_00378", "source": "cyner_mitre_valid"}}
{"text": "Other configuration data is located elsewhere , and some of it can been seen here : The encrypted library path The output folder on the device for the dropped library The name of the library after it is loaded eventBot name string Version number A string used as an RC4 key , both for decrypting the library and as a part of the network data encryption ( hasn ’ t changed from the previous version ) The C2 URLs A randomized class name using the device ’ s accessibility services EventBot extracted configuration Part of the extracted configuration of the new version", "spans": {"Malware: EventBot": [[480, 488]]}, "info": {"id": "cyner_mitre_valid_00379", "source": "cyner_mitre_valid"}}
{"text": ".", "spans": {}, "info": {"id": "cyner_mitre_valid_00380", "source": "cyner_mitre_valid"}}
{"text": "MALWARE UNDER ACTIVE DEVELOPMENT EventBot “ cfg ” class EventBot “ cfg ” class .", "spans": {"Malware: EventBot": [[33, 41], [56, 64]]}, "info": {"id": "cyner_mitre_valid_00381", "source": "cyner_mitre_valid"}}
{"text": "EventBot is in constant development , as seen with the botnetID string above , which shows consecutive numbering across versions .", "spans": {"Malware: EventBot": [[0, 8]]}, "info": {"id": "cyner_mitre_valid_00382", "source": "cyner_mitre_valid"}}
{"text": "This example is from a later version of EventBot , and in other versions the naming convention is very similar , with bot IDs such as word100 , word101 , word102 , and test2005 , test2006 etc .", "spans": {"Malware: EventBot": [[40, 48]]}, "info": {"id": "cyner_mitre_valid_00383", "source": "cyner_mitre_valid"}}
{"text": "In the latest version , a layer of obfuscation was added , perhaps taking the malware one step closer to being fully operational .", "spans": {}, "info": {"id": "cyner_mitre_valid_00384", "source": "cyner_mitre_valid"}}
{"text": "SUSPECTED DETECTION TESTS BY THE THREAT ACTOR In searching for EventBot , we ’ ve identified multiple submissions from the same submitter hash , 22b3c7b0 : EventBot 22b3c7b0 submitter hash The 22b3c7b0 submitter hash that submitted most of the EventBot samples to VirusTotal .", "spans": {"Malware: EventBot": [[63, 71], [156, 164], [244, 252]], "Indicator: 22b3c7b0": [[145, 153], [165, 173], [193, 201]]}, "info": {"id": "cyner_mitre_valid_00385", "source": "cyner_mitre_valid"}}
{"text": "This submitter has thousands of other submissions in VirusTotal , however , it is the only one that continues to submit EventBot samples via the VirusTotal API .", "spans": {"Malware: EventBot": [[120, 128]]}, "info": {"id": "cyner_mitre_valid_00386", "source": "cyner_mitre_valid"}}
{"text": "Also , the botnet IDs increment over time as they are submitted .", "spans": {}, "info": {"id": "cyner_mitre_valid_00387", "source": "cyner_mitre_valid"}}
{"text": "Given this , and the naming convention of the submissions ( .virus ) , the submitter hash most likely belongs to an AV vendor or sandboxing environment that automatically submits samples to online malware databases .", "spans": {}, "info": {"id": "cyner_mitre_valid_00388", "source": "cyner_mitre_valid"}}
{"text": "It may be that these submissions are made from the author ’ s machine , or that they submit it to a detection service that in turn submits to online malware databases .", "spans": {}, "info": {"id": "cyner_mitre_valid_00389", "source": "cyner_mitre_valid"}}
{"text": "EVENTBOT THREAT ACTORS As a part of this investigation , the Cybereason Nocturnus team has attempted to identify the threat actors behind the development of EventBot .", "spans": {"Malware: EVENTBOT": [[0, 8]], "Organization: Cybereason Nocturnus": [[61, 81]], "Malware: EventBot": [[157, 165]]}, "info": {"id": "cyner_mitre_valid_00390", "source": "cyner_mitre_valid"}}
{"text": "The evidence above suggests that EventBot is still in the development stage , and as such , is not likely to have been used for large attack campaigns thus far .", "spans": {"Malware: EventBot": [[33, 41]]}, "info": {"id": "cyner_mitre_valid_00391", "source": "cyner_mitre_valid"}}
{"text": "The Cybereason Nocturnus team is monitoring multiple underground platforms in an attempt to identify chatter relating to EventBot .", "spans": {"Organization: Cybereason Nocturnus": [[4, 24]], "Malware: EventBot": [[121, 129]]}, "info": {"id": "cyner_mitre_valid_00392", "source": "cyner_mitre_valid"}}
{"text": "New malware is often introduced to underground communities by being promoted and sold or offered as a giveaway .", "spans": {}, "info": {"id": "cyner_mitre_valid_00393", "source": "cyner_mitre_valid"}}
{"text": "However , at the time of writing , we were unable to identify relevant conversations about the EventBot malware .", "spans": {"Malware: EventBot": [[95, 103]]}, "info": {"id": "cyner_mitre_valid_00394", "source": "cyner_mitre_valid"}}
{"text": "This strengthens our suspicion that this malware is still undergoing development and has not been officially marketed or released yet .", "spans": {}, "info": {"id": "cyner_mitre_valid_00395", "source": "cyner_mitre_valid"}}
{"text": "EVENTBOT INFRASTRUCTURE By mapping the C2 servers , a clear , repeated pattern emerges based on the specific URL gate_cb8a5aea1ab302f0_c .", "spans": {"Malware: EVENTBOT": [[0, 8]]}, "info": {"id": "cyner_mitre_valid_00396", "source": "cyner_mitre_valid"}}
{"text": "As of this writing , all the domains were registered recently and some are already offline .", "spans": {}, "info": {"id": "cyner_mitre_valid_00397", "source": "cyner_mitre_valid"}}
{"text": "URL Status IP Domain registration date http : //ora.studiolegalebasili [ .", "spans": {"Indicator: http : //ora.studiolegalebasili [ .": [[39, 74]]}, "info": {"id": "cyner_mitre_valid_00398", "source": "cyner_mitre_valid"}}
{"text": "] com/gate_cb8a5aea1ab302f0_c offline 31.214.157 [ .", "spans": {"Indicator: 31.214.157 [ .": [[38, 52]]}, "info": {"id": "cyner_mitre_valid_00399", "source": "cyner_mitre_valid"}}
{"text": "] 6 2020-02-29 http : //themoil [ .", "spans": {"Indicator: http : //themoil [ .": [[15, 35]]}, "info": {"id": "cyner_mitre_valid_00400", "source": "cyner_mitre_valid"}}
{"text": "] site/gate_cb8a5aea1ab302f0_c online 208.91.197 [ .", "spans": {"Indicator: 208.91.197 [ .": [[38, 52]]}, "info": {"id": "cyner_mitre_valid_00401", "source": "cyner_mitre_valid"}}
{"text": "] 91 2020-03-04 http : //ora.carlaarrabitoarchitetto [ .", "spans": {"Indicator: http : //ora.carlaarrabitoarchitetto [ .": [[16, 56]]}, "info": {"id": "cyner_mitre_valid_00402", "source": "cyner_mitre_valid"}}
{"text": "] com/gate_cb8a5aea1ab302f0_c offline 31.214.157 [ .", "spans": {"Indicator: 31.214.157 [ .": [[38, 52]]}, "info": {"id": "cyner_mitre_valid_00403", "source": "cyner_mitre_valid"}}
{"text": "] 6 2020-03-26 http : //rxc.rxcoordinator [ .", "spans": {"Indicator: http : //rxc.rxcoordinator [ .": [[15, 45]]}, "info": {"id": "cyner_mitre_valid_00404", "source": "cyner_mitre_valid"}}
{"text": "] com/gate_cb8a5aea1ab302f0_c online 185.158.248 [ .", "spans": {"Indicator: 185.158.248 [ .": [[37, 52]]}, "info": {"id": "cyner_mitre_valid_00405", "source": "cyner_mitre_valid"}}
{"text": "] 102 2020-03-29 http : //ora.blindsidefantasy [ .", "spans": {"Indicator: http : //ora.blindsidefantasy [ .": [[17, 50]]}, "info": {"id": "cyner_mitre_valid_00406", "source": "cyner_mitre_valid"}}
{"text": "] com/gate_cb8a5aea1ab302f0_c online 185.158.248 [ .", "spans": {"Indicator: 185.158.248 [ .": [[37, 52]]}, "info": {"id": "cyner_mitre_valid_00407", "source": "cyner_mitre_valid"}}
{"text": "] 102 2020-04-02 http : //marta.martatovaglieri [ .", "spans": {"Indicator: http : //marta.martatovaglieri [ .": [[17, 51]]}, "info": {"id": "cyner_mitre_valid_00408", "source": "cyner_mitre_valid"}}
{"text": "] it/gate_cb8a5aea1ab302f0_c online 185.158.248 [ .", "spans": {"Indicator: 185.158.248 [ .": [[36, 51]]}, "info": {"id": "cyner_mitre_valid_00409", "source": "cyner_mitre_valid"}}
{"text": "] 102 2020-04-14 http : //pub.douglasshome [ .", "spans": {"Indicator: http : //pub.douglasshome [ .": [[17, 46]]}, "info": {"id": "cyner_mitre_valid_00410", "source": "cyner_mitre_valid"}}
{"text": "] com/gate_cb8a5aea1ab302f0_c online 185.158.249 [ .", "spans": {"Indicator: 185.158.249 [ .": [[37, 52]]}, "info": {"id": "cyner_mitre_valid_00411", "source": "cyner_mitre_valid"}}
{"text": "] 141 2020-04-26 In the course of the investigation , the team discovered a potential link to an additional Android infostealer .", "spans": {"Malware: Android infostealer": [[108, 127]]}, "info": {"id": "cyner_mitre_valid_00412", "source": "cyner_mitre_valid"}}
{"text": "The IP address of both ora.carlaarrabitoarchitetto [ .", "spans": {"Indicator: ora.carlaarrabitoarchitetto [ .": [[23, 54]]}, "info": {"id": "cyner_mitre_valid_00413", "source": "cyner_mitre_valid"}}
{"text": "] com and ora.studiolegalebasili [ .", "spans": {"Indicator: ora.studiolegalebasili [ .": [[10, 36]]}, "info": {"id": "cyner_mitre_valid_00414", "source": "cyner_mitre_valid"}}
{"text": "] com , 31.214.157 [ .", "spans": {"Indicator: 31.214.157 [ .": [[8, 22]]}, "info": {"id": "cyner_mitre_valid_00415", "source": "cyner_mitre_valid"}}
{"text": "] 6 , was previously hosting the domain next.nextuptravel [ .", "spans": {"Indicator: domain next.nextuptravel [ .": [[33, 61]]}, "info": {"id": "cyner_mitre_valid_00416", "source": "cyner_mitre_valid"}}
{"text": "] com .", "spans": {}, "info": {"id": "cyner_mitre_valid_00417", "source": "cyner_mitre_valid"}}
{"text": "This was the C2 for an Android infostealer responsible for several attacks in Italy back in late 2019 .", "spans": {"Malware: Android infostealer": [[23, 42]]}, "info": {"id": "cyner_mitre_valid_00418", "source": "cyner_mitre_valid"}}
{"text": "EventBot VirusTotal search for the malicious IP address VirusTotal search for the malicious IP address .", "spans": {"Malware: EventBot": [[0, 8]]}, "info": {"id": "cyner_mitre_valid_00419", "source": "cyner_mitre_valid"}}
{"text": "IMPACT EventBot is a mobile malware banking trojan that steals financial information , is able to hijack transactions .", "spans": {"Malware: EventBot": [[7, 15]]}, "info": {"id": "cyner_mitre_valid_00420", "source": "cyner_mitre_valid"}}
{"text": "Once this malware has successfully installed , it will collect personal data , passwords , keystrokes , banking information , and more .", "spans": {}, "info": {"id": "cyner_mitre_valid_00421", "source": "cyner_mitre_valid"}}
{"text": "This information can give the attacker access to personal and business bank accounts , personal and business data , and more .", "spans": {}, "info": {"id": "cyner_mitre_valid_00422", "source": "cyner_mitre_valid"}}
{"text": "Letting an attacker get access to this kind of data can have severe consequences .", "spans": {}, "info": {"id": "cyner_mitre_valid_00423", "source": "cyner_mitre_valid"}}
{"text": "60 % of devices containing or accessing enterprise data are mobile .", "spans": {}, "info": {"id": "cyner_mitre_valid_00424", "source": "cyner_mitre_valid"}}
{"text": "Giving an attacker access to a mobile device can have severe business consequences , especially if the end user is using their mobile device to discuss sensitive business topics or access enterprise financial information .", "spans": {}, "info": {"id": "cyner_mitre_valid_00425", "source": "cyner_mitre_valid"}}
{"text": "This can result in brand degradation , loss of individual reputation , or loss of consumer trust .", "spans": {}, "info": {"id": "cyner_mitre_valid_00426", "source": "cyner_mitre_valid"}}
{"text": "Much like we have seen in recent months , anyone can be impacted by a mobile device attack .", "spans": {}, "info": {"id": "cyner_mitre_valid_00427", "source": "cyner_mitre_valid"}}
{"text": "These attacks are only becoming more common , with one third of all malware now targeting mobile endpoints .", "spans": {}, "info": {"id": "cyner_mitre_valid_00428", "source": "cyner_mitre_valid"}}
{"text": "Care and concern both for using a mobile device and for securing a mobile device is critical , especially for those organizations that allow bring-your-own-devices .", "spans": {}, "info": {"id": "cyner_mitre_valid_00429", "source": "cyner_mitre_valid"}}
{"text": "CYBEREASON MOBILE Cybereason Mobile detects EventBot and immediately takes remediation actions to protect the end user .", "spans": {"System: CYBEREASON MOBILE": [[0, 17]], "System: Cybereason Mobile detects": [[18, 43]], "Malware: EventBot": [[44, 52]]}, "info": {"id": "cyner_mitre_valid_00430", "source": "cyner_mitre_valid"}}
{"text": "With Cybereason Mobile , analysts can address mobile threats in the same platform as traditional endpoint threats , all as part of one incident .", "spans": {"System: Cybereason Mobile": [[5, 22]]}, "info": {"id": "cyner_mitre_valid_00431", "source": "cyner_mitre_valid"}}
{"text": "Without mobile threat detection , this attack would not be detected , leaving end users and organizations at risk .", "spans": {}, "info": {"id": "cyner_mitre_valid_00432", "source": "cyner_mitre_valid"}}
{"text": "Cybereason Mobile detects EventBot and provides the user with immediate actions .", "spans": {"System: Cybereason Mobile": [[0, 17]], "Malware: EventBot": [[26, 34]]}, "info": {"id": "cyner_mitre_valid_00433", "source": "cyner_mitre_valid"}}
{"text": "CONCLUSION In this research , the Nocturnus team has dissected a rapidly evolving Android malware in the making .", "spans": {"Organization: Nocturnus": [[34, 43]], "Malware: Android": [[82, 89]]}, "info": {"id": "cyner_mitre_valid_00434", "source": "cyner_mitre_valid"}}
{"text": "This malware abuses the Android accessibility feature to steal user information and is able to update its code and release new features every few days .", "spans": {"System: Android": [[24, 31]]}, "info": {"id": "cyner_mitre_valid_00435", "source": "cyner_mitre_valid"}}
{"text": "With each new version , the malware adds new features like dynamic library loading , encryption , and adjustments to different locales and manufacturers .", "spans": {}, "info": {"id": "cyner_mitre_valid_00436", "source": "cyner_mitre_valid"}}
{"text": "EventBot appears to be a completely new malware in the early stages of development , giving us an interesting view into how attackers create and test their malware .", "spans": {"Malware: EventBot": [[0, 8]]}, "info": {"id": "cyner_mitre_valid_00437", "source": "cyner_mitre_valid"}}
{"text": "Cybereason classifies EventBot as a mobile banking trojan and infostealer based on the stealing features discussed in this research .", "spans": {"Organization: Cybereason": [[0, 10]], "Malware: EventBot": [[22, 30]]}, "info": {"id": "cyner_mitre_valid_00438", "source": "cyner_mitre_valid"}}
{"text": "It leverages webinjects and SMS reading capabilities to bypass two-factor authentication , and is clearly targeting financial applications .", "spans": {}, "info": {"id": "cyner_mitre_valid_00439", "source": "cyner_mitre_valid"}}
{"text": "Although the threat actor responsible for the development of EventBot is still unknown and the malware does not appear to be involved in major attacks , it is interesting to follow the early stages of mobile malware development .", "spans": {"Malware: EventBot": [[61, 69]]}, "info": {"id": "cyner_mitre_valid_00440", "source": "cyner_mitre_valid"}}
{"text": "The Cybereason Nocturnus team will continue to monitor EventBot ’ s development .", "spans": {"Organization: Cybereason Nocturnus": [[4, 24]], "Malware: EventBot": [[55, 63]]}, "info": {"id": "cyner_mitre_valid_00441", "source": "cyner_mitre_valid"}}
{"text": "In recent years , online activity has gradually been shifting from personal computers to mobile devices .", "spans": {}, "info": {"id": "cyner_mitre_valid_00442", "source": "cyner_mitre_valid"}}
{"text": "Naturally , this resulted in the introduction of malware for mobile platforms , especially Android devices , including Cerberus , Xhelper and the Anubis Banking Trojan .", "spans": {"System: Android": [[91, 98]], "Malware: Cerberus": [[119, 127]], "Malware: Xhelper": [[130, 137]], "Malware: Anubis": [[146, 152]]}, "info": {"id": "cyner_mitre_valid_00443", "source": "cyner_mitre_valid"}}
{"text": "As many people use their mobile devices for online shopping and even to manage their bank accounts , the mobile arena became increasingly profitable for cyber criminals .", "spans": {}, "info": {"id": "cyner_mitre_valid_00444", "source": "cyner_mitre_valid"}}
{"text": "This is why we recently released Cybereason Mobile , a new offering that strengthens the Cybereason Defense Platform by bringing prevention , detection , and response capabilities to mobile devices .", "spans": {"System: Cybereason Mobile": [[33, 50]], "System: Cybereason Defense Platform": [[89, 116]]}, "info": {"id": "cyner_mitre_valid_00445", "source": "cyner_mitre_valid"}}
{"text": "With Cybereason Mobile , our customers can protect against modern threats across traditional and mobile endpoints , all within a single console .", "spans": {"System: Cybereason Mobile": [[5, 22]]}, "info": {"id": "cyner_mitre_valid_00446", "source": "cyner_mitre_valid"}}
{"text": "Check Point Mobile Threat Prevention has detected two instances of a mobile malware variant infecting multiple devices within the Check Point customer base .", "spans": {"Organization: Check Point": [[0, 11], [130, 141]], "System: Mobile Threat Prevention": [[12, 36]]}, "info": {"id": "cyner_mitre_valid_00447", "source": "cyner_mitre_valid"}}
{"text": "The malware , packaged within an Android game app called BrainTest , had been published to Google Play twice .", "spans": {"System: Android": [[33, 40]], "Malware: BrainTest": [[57, 66]], "System: Google Play": [[91, 102]]}, "info": {"id": "cyner_mitre_valid_00448", "source": "cyner_mitre_valid"}}
{"text": "Each instance had between 100,000 and 500,000 downloads according to Google Play statistics , reaching an aggregated infection rate of between 200,000 and 1 million users .", "spans": {"System: Google Play": [[69, 80]]}, "info": {"id": "cyner_mitre_valid_00449", "source": "cyner_mitre_valid"}}
{"text": "Check Point reached out to Google on September 10 , 2015 , and the app containing the malware was removed from Google Play on September 15 , 2015 .", "spans": {"Organization: Check Point": [[0, 11]], "Organization: Google": [[27, 33]], "System: Google Play": [[111, 122]]}, "info": {"id": "cyner_mitre_valid_00450", "source": "cyner_mitre_valid"}}
{"text": "Overview The malware was first detected on a Nexus 5 smartphone , and although the user attempted to remove the infected app , the malware reappeared on the same device shortly thereafter .", "spans": {"System: Nexus 5": [[45, 52]]}, "info": {"id": "cyner_mitre_valid_00451", "source": "cyner_mitre_valid"}}
{"text": "Our analysis of the malware shows it uses multiple , advanced techniques to avoid Google Play malware detection and to maintain persistency on target devices .", "spans": {"System: Google Play": [[82, 93]]}, "info": {"id": "cyner_mitre_valid_00452", "source": "cyner_mitre_valid"}}
{"text": "Once this malware was detected on a device , Mobile Threat Prevention adjusted security policies on the Mobile Device Management solution ( MobileIron ) managing the affected devices automatically , thereby blocking enterprise access from the infected devices .", "spans": {"System: Mobile Threat Prevention": [[45, 69]]}, "info": {"id": "cyner_mitre_valid_00453", "source": "cyner_mitre_valid"}}
{"text": "While the malware is capable of facilitating various cyber-criminal goals , our team confirmed it ’ s currently installing additional apps on infected devices .", "spans": {}, "info": {"id": "cyner_mitre_valid_00454", "source": "cyner_mitre_valid"}}
{"text": "Disturbingly , the malware establishes a rootkit on the device , allowing it to download and execute any code a cybercriminal would want to run on a device .", "spans": {}, "info": {"id": "cyner_mitre_valid_00455", "source": "cyner_mitre_valid"}}
{"text": "For example , it could be used to display unwanted and annoying advertisements on a device , or potentially , to download and deploy a payload that steals credentials from an infected device .", "spans": {}, "info": {"id": "cyner_mitre_valid_00456", "source": "cyner_mitre_valid"}}
{"text": "Highlights Samples of the malicious code found in BrainTest have been found on Google Play , and its creator has used multiple methods to evade detection by Google including Bypassing Google Bouncer by detecting if the malware is being run from an IP or domain mapped to Google Bouncer and , if so , it will not perform its intended malicious activities .", "spans": {"Malware: BrainTest": [[50, 59]], "System: Google Play": [[79, 90]], "Organization: Google": [[157, 163]], "System: Google Bouncer": [[184, 198], [271, 285]]}, "info": {"id": "cyner_mitre_valid_00457", "source": "cyner_mitre_valid"}}
{"text": "Combining timebombs , dynamic code loading , and use of reflection to complicate reverse engineering of the malware .", "spans": {}, "info": {"id": "cyner_mitre_valid_00458", "source": "cyner_mitre_valid"}}
{"text": "Using off-the-shelf obfuscation ( packer ) from Baidu to re-introduce the malware to Google Play after the first instance was removed on Aug 24th .", "spans": {"Organization: Baidu": [[48, 53]], "System: Google Play": [[85, 96]]}, "info": {"id": "cyner_mitre_valid_00459", "source": "cyner_mitre_valid"}}
{"text": "BrainTest uses four privilege escalation exploits to gain root access on a device and to install a persistent malware as a system application .", "spans": {"Malware: BrainTest": [[0, 9]], "Vulnerability: privilege escalation exploits": [[20, 49]]}, "info": {"id": "cyner_mitre_valid_00460", "source": "cyner_mitre_valid"}}
{"text": "BrainTest leverages an anti-uninstall watchdog that uses two system applications to monitor the removal of one of the components and reinstall the component .", "spans": {"Malware: BrainTest": [[0, 9]], "Vulnerability: anti-uninstall watchdog": [[23, 46]]}, "info": {"id": "cyner_mitre_valid_00461", "source": "cyner_mitre_valid"}}
{"text": "After the the first instance of BrainTest was detected , Google removed the app from Google Play .", "spans": {"Malware: BrainTest": [[32, 41]], "Organization: Google": [[57, 63]], "System: Google Play": [[85, 96]]}, "info": {"id": "cyner_mitre_valid_00462", "source": "cyner_mitre_valid"}}
{"text": "Within days , the Check Point research team detected another instance with a different package name but which uses the same code .", "spans": {"Organization: Check Point": [[18, 29]]}, "info": {"id": "cyner_mitre_valid_00463", "source": "cyner_mitre_valid"}}
{"text": "The malware ’ s creators had used obfuscation to upload the new piece of malware to Google Play .", "spans": {"System: Google Play": [[84, 95]]}, "info": {"id": "cyner_mitre_valid_00464", "source": "cyner_mitre_valid"}}
{"text": "Technical Analysis The malware consists of 2 applications : The Dropper : Brain Test ( Unpacked – com.mile.brain , Packed – com.zmhitlte.brain ) This is installed from Google Play and downloads an exploit pack from the server to obtain root access on a device .", "spans": {"Indicator: com.mile.brain": [[98, 112]], "Indicator: com.zmhitlte.brain": [[124, 142]], "System: Google Play": [[168, 179]]}, "info": {"id": "cyner_mitre_valid_00465", "source": "cyner_mitre_valid"}}
{"text": "If root access is obtained , the application downloads a malicious .apk file ( The Backdoor ) from the server and installs it as system application .", "spans": {}, "info": {"id": "cyner_mitre_valid_00466", "source": "cyner_mitre_valid"}}
{"text": "The Backdoor : System malware ( mcpef.apk and brother.apk ) This tries a few persistence methods by using few anti-uninstall techniques ( described below ) and downloads and executes code from server without user consent .", "spans": {"Indicator: mcpef.apk": [[32, 41]], "Indicator: brother.apk": [[46, 57]]}, "info": {"id": "cyner_mitre_valid_00467", "source": "cyner_mitre_valid"}}
{"text": "Detailed Malware Structure Malware Strucutre com.mile.brain ( SHA256 : 135d6acff3ca27e6e7997429e5f8051f88215d12351e4103f8344cd66611e0f3 ) : This is the main application found on Google Play .", "spans": {"Indicator: com.mile.brain": [[45, 59]], "Indicator: 135d6acff3ca27e6e7997429e5f8051f88215d12351e4103f8344cd66611e0f3": [[71, 135]], "System: Google Play": [[178, 189]]}, "info": {"id": "cyner_mitre_valid_00468", "source": "cyner_mitre_valid"}}
{"text": "It contains encrypted java archive “ start.ogg ” in the assets directory and dynamically loads code with dalvik.system.DexClassLoader .", "spans": {"Indicator: start.ogg": [[37, 46]], "Indicator: dalvik.system.DexClassLoader": [[105, 133]]}, "info": {"id": "cyner_mitre_valid_00469", "source": "cyner_mitre_valid"}}
{"text": "do.jar ( SHA256 : a711e620246d9954510d3f1c8d5c784bacc78069a5c57b9ec09c3e234bc33a8b ) : The decrypted file that was created by “ start.ogg. ” It sends a request to the server with the device ’ s configuration .", "spans": {"Indicator: do.jar": [[0, 6]], "Indicator: a711e620246d9954510d3f1c8d5c784bacc78069a5c57b9ec09c3e234bc33a8b": [[18, 82]], "Indicator: start.ogg.": [[128, 138]]}, "info": {"id": "cyner_mitre_valid_00470", "source": "cyner_mitre_valid"}}
{"text": "The server ’ s response is a json , containing a link to a .jar file , class name and method name to be executed with reflection API .", "spans": {}, "info": {"id": "cyner_mitre_valid_00471", "source": "cyner_mitre_valid"}}
{"text": "The application downloads the file and dynamically loads it using dalvik.system.DexClassLoader and invokes class and method specified in json .", "spans": {"Indicator: json .": [[137, 143]]}, "info": {"id": "cyner_mitre_valid_00472", "source": "cyner_mitre_valid"}}
{"text": "jhfrte.jar : This is a java archive file downloaded from server .", "spans": {}, "info": {"id": "cyner_mitre_valid_00473", "source": "cyner_mitre_valid"}}
{"text": "If a device isn ’ t rooted , it downloads from the server an exploit pack and executes it to obtain root on device .", "spans": {}, "info": {"id": "cyner_mitre_valid_00474", "source": "cyner_mitre_valid"}}
{"text": "Once root is obtained , it downloads an additional APK file from the server ( mcpef.apk ) and installs it as system application ( /system directory ) .", "spans": {"Indicator: mcpef.apk": [[78, 87]]}, "info": {"id": "cyner_mitre_valid_00475", "source": "cyner_mitre_valid"}}
{"text": "r1-r4 : This is a local privilege escalation ( root ) exploit , which includes : CVE-2013-6282 , camerageroot ( http : //www.77169.org/exploits/2013/20130414031700 ) , a rooting tool for mtk6592 and addtional exploit .", "spans": {"Vulnerability: CVE-2013-6282": [[81, 94]], "Indicator: http : //www.77169.org/exploits/2013/20130414031700 )": [[112, 165]]}, "info": {"id": "cyner_mitre_valid_00476", "source": "cyner_mitre_valid"}}
{"text": "nis : The su application used to execute shell commands with root privileges .", "spans": {}, "info": {"id": "cyner_mitre_valid_00477", "source": "cyner_mitre_valid"}}
{"text": "mcpef.apk ( SHA256 : a8e7dfac00adf661d371ac52bddc03b543bd6b7aa41314b255e53d810931ceac ) : The malicious system application downloaded from server ( package name – com.android.music.helper ) .", "spans": {"Indicator: mcpef.apk": [[0, 9]], "Indicator: a8e7dfac00adf661d371ac52bddc03b543bd6b7aa41314b255e53d810931ceac": [[21, 85]], "Indicator: com.android.music.helper": [[163, 187]]}, "info": {"id": "cyner_mitre_valid_00478", "source": "cyner_mitre_valid"}}
{"text": "This installs additional application from assets directory ( brother.apk ) and listens for PACKAGE_REMOVED events .", "spans": {"System: brother.apk": [[61, 72]]}, "info": {"id": "cyner_mitre_valid_00479", "source": "cyner_mitre_valid"}}
{"text": "If brother.apk application is removed , mcpef.apk reinstalls brother.apk from assets .", "spans": {"System: brother.apk": [[3, 14], [61, 72]], "System: mcpef.apk": [[40, 49]]}, "info": {"id": "cyner_mitre_valid_00480", "source": "cyner_mitre_valid"}}
{"text": "brother.apk ( SHA256 : 422fec2e201600bb2ea3140951563f8c6fbd4f8279a04a164aca5e8e753c40e8 ) : The package name – com.android.system.certificate .", "spans": {"System: brother.apk": [[0, 11]], "Indicator: 422fec2e201600bb2ea3140951563f8c6fbd4f8279a04a164aca5e8e753c40e8": [[23, 87]], "Indicator: com.android.system.certificate": [[111, 141]]}, "info": {"id": "cyner_mitre_valid_00481", "source": "cyner_mitre_valid"}}
{"text": "System application installed by mcpef.apk .", "spans": {"Indicator: mcpef.apk": [[32, 41]]}, "info": {"id": "cyner_mitre_valid_00482", "source": "cyner_mitre_valid"}}
{"text": "This has the same functionality as mcpef.apk .", "spans": {"Indicator: mcpef.apk": [[35, 44]]}, "info": {"id": "cyner_mitre_valid_00483", "source": "cyner_mitre_valid"}}
{"text": "In addition , it monitors to verify if com.android.music.helper package is removed .", "spans": {"Indicator: com.android.music.helper": [[39, 63]]}, "info": {"id": "cyner_mitre_valid_00484", "source": "cyner_mitre_valid"}}
{"text": "If mcpef.apk is removed , brother.apk reinstalls it from a META-INF/brother file boy , post.sh : The shell scripts u sed for application persistency .", "spans": {"Indicator: mcpef.apk": [[3, 12]], "Indicator: brother.apk": [[26, 37]], "Indicator: post.sh": [[87, 94]]}, "info": {"id": "cyner_mitre_valid_00485", "source": "cyner_mitre_valid"}}
{"text": "Application lifecycle Application Lifecycle Google Bouncer Bypass On start , the application checks if it is executed on one of the Google servers : IP ranges 209.85.128.0-209.85.255.255 , 216.58.192.0-216.58.223.255 , 173.194.0.0-173.194.255.255 , 74.125.0.0-74.125.255.255 or if it is executed on IP hosted domain that contains the following strings : “ google ” , ” android ” , ” 1e100 ” .", "spans": {"System: Google Bouncer": [[44, 58]], "Indicator: 209.85.128.0-209.85.255.255": [[159, 186]], "Indicator: 216.58.192.0-216.58.223.255": [[189, 216]], "Indicator: 173.194.0.0-173.194.255.255": [[219, 246]], "Indicator: 74.125.0.0-74.125.255.255": [[249, 274]], "System: android": [[369, 376]]}, "info": {"id": "cyner_mitre_valid_00486", "source": "cyner_mitre_valid"}}
{"text": "If any of these conditions is true , the application does not continue to execute the malicious flow .", "spans": {}, "info": {"id": "cyner_mitre_valid_00487", "source": "cyner_mitre_valid"}}
{"text": "This method is design to bypass the automatic Google Play protection mechanism called Bouncer .", "spans": {"System: Google Play": [[46, 57]], "System: Bouncer": [[86, 93]]}, "info": {"id": "cyner_mitre_valid_00488", "source": "cyner_mitre_valid"}}
{"text": "Timebombs , Dynamic Code Loading and Reflection If Google Bouncer was not detected , the application starts a time bomb which initiates the malicious flow only after 20 seconds and will run every 2 hours .", "spans": {"System: Google Bouncer": [[51, 65]]}, "info": {"id": "cyner_mitre_valid_00489", "source": "cyner_mitre_valid"}}
{"text": "The time bomb triggers unpacker thread .", "spans": {}, "info": {"id": "cyner_mitre_valid_00490", "source": "cyner_mitre_valid"}}
{"text": "Unpacker thread decrypt java archive from assets directory “ start.ogg ” , and dynamically loads it and calls the method “ a.a.a.b ” from this archive .", "spans": {"Indicator: start.ogg": [[61, 70]]}, "info": {"id": "cyner_mitre_valid_00491", "source": "cyner_mitre_valid"}}
{"text": "This method checks if eight hours have passed from the first run of application , and if so , request containing the device ’ s data to the server .", "spans": {}, "info": {"id": "cyner_mitre_valid_00492", "source": "cyner_mitre_valid"}}
{"text": "The server sends back encoded json containing URL , class name and method name .", "spans": {}, "info": {"id": "cyner_mitre_valid_00493", "source": "cyner_mitre_valid"}}
{"text": "Then the application downloads java archive from the URL specified in json , dynamically loads it with class loader API .", "spans": {}, "info": {"id": "cyner_mitre_valid_00494", "source": "cyner_mitre_valid"}}
{"text": "Once archive is loaded , the application uses reflection api to call methods from the class names specified in the json .", "spans": {}, "info": {"id": "cyner_mitre_valid_00495", "source": "cyner_mitre_valid"}}
{"text": "Rooting and Ad Network Presentation The reflection loaded methods check if the device is rooted .", "spans": {}, "info": {"id": "cyner_mitre_valid_00496", "source": "cyner_mitre_valid"}}
{"text": "If not , the application downloads a pack of exploits from the server and runs them one-by-one up until root is achieved .", "spans": {}, "info": {"id": "cyner_mitre_valid_00497", "source": "cyner_mitre_valid"}}
{"text": "As root , the application copies su binary to /system/bin directory and silently downloads apk file from the server .", "spans": {}, "info": {"id": "cyner_mitre_valid_00498", "source": "cyner_mitre_valid"}}
{"text": "Then , the APK is installed as system application and registers listener on USER_PRESENT event .", "spans": {}, "info": {"id": "cyner_mitre_valid_00499", "source": "cyner_mitre_valid"}}
{"text": "This event triggers archive downloading thread .", "spans": {}, "info": {"id": "cyner_mitre_valid_00500", "source": "cyner_mitre_valid"}}
{"text": "Once the event is triggered , it registers a timer .", "spans": {}, "info": {"id": "cyner_mitre_valid_00501", "source": "cyner_mitre_valid"}}
{"text": "The timer triggers additional thread which makes a request to the server .", "spans": {}, "info": {"id": "cyner_mitre_valid_00502", "source": "cyner_mitre_valid"}}
{"text": "It expects a json with url , class and method name .", "spans": {}, "info": {"id": "cyner_mitre_valid_00503", "source": "cyner_mitre_valid"}}
{"text": "It downloads one more archive and dynamically loads code from it .", "spans": {}, "info": {"id": "cyner_mitre_valid_00504", "source": "cyner_mitre_valid"}}
{"text": "The final APK is downloaded from a different URL that is currently down , we assume that the apk purpose is overlaying ads on the screen , we assume this based on the research we have done on the API we found which returns URL of random APK file containing different advertising networks .", "spans": {}, "info": {"id": "cyner_mitre_valid_00505", "source": "cyner_mitre_valid"}}
{"text": "Persistency Watch-Dog The application contains protection against its own removal .", "spans": {}, "info": {"id": "cyner_mitre_valid_00506", "source": "cyner_mitre_valid"}}
{"text": "As outlined in the diagram above , It installs an additional application with the same functionality and these two applications monitor the removal of each other .", "spans": {}, "info": {"id": "cyner_mitre_valid_00507", "source": "cyner_mitre_valid"}}
{"text": "If one of the applications is deleted , the second application downloads and re-installs the removed one .", "spans": {}, "info": {"id": "cyner_mitre_valid_00508", "source": "cyner_mitre_valid"}}
{"text": "Network activity BrainTest communicates with five servers : APK files provider ( http : //psserviceonline [ .", "spans": {"Indicator: http : //psserviceonline [ .": [[81, 109]]}, "info": {"id": "cyner_mitre_valid_00509", "source": "cyner_mitre_valid"}}
{"text": "] com/ ) : This server provides APK files with advertising network .", "spans": {}, "info": {"id": "cyner_mitre_valid_00510", "source": "cyner_mitre_valid"}}
{"text": "We found two functions : The first function is http : //s.psserviceonline [ .", "spans": {"Indicator: http : //s.psserviceonline [ .": [[47, 77]]}, "info": {"id": "cyner_mitre_valid_00511", "source": "cyner_mitre_valid"}}
{"text": "] com/api/s2s/tracks/ and is used for activation .", "spans": {}, "info": {"id": "cyner_mitre_valid_00512", "source": "cyner_mitre_valid"}}
{"text": "The second function is http : //s.psserviceonline [ .", "spans": {"Indicator: http : //s.psserviceonline [ .": [[23, 53]]}, "info": {"id": "cyner_mitre_valid_00513", "source": "cyner_mitre_valid"}}
{"text": "] com/api/ads/ which is used for obtaining a link to APK file .", "spans": {}, "info": {"id": "cyner_mitre_valid_00514", "source": "cyner_mitre_valid"}}
{"text": "Regardless of the parameters , it returns a json containing a link for APK file .", "spans": {}, "info": {"id": "cyner_mitre_valid_00515", "source": "cyner_mitre_valid"}}
{"text": "File Server ( http : //www.psservicedl [ .", "spans": {"Indicator: http : //www.psservicedl [ .": [[14, 42]]}, "info": {"id": "cyner_mitre_valid_00516", "source": "cyner_mitre_valid"}}
{"text": "] com ) : Contains android packages , java archives and zip archives with exploits Archive Link domains : Three domains with the same functionality , but the application chooses one of them to send request for archive link .", "spans": {"System: android": [[19, 26]]}, "info": {"id": "cyner_mitre_valid_00517", "source": "cyner_mitre_valid"}}
{"text": "http : //www.himobilephone [ .", "spans": {"Indicator: http : //www.himobilephone [ .": [[0, 30]]}, "info": {"id": "cyner_mitre_valid_00518", "source": "cyner_mitre_valid"}}
{"text": "] com http : //www.adsuperiorstore [ .", "spans": {"Indicator: http : //www.adsuperiorstore [ .": [[6, 38]]}, "info": {"id": "cyner_mitre_valid_00519", "source": "cyner_mitre_valid"}}
{"text": "] com http : //www.i4vip [ .", "spans": {"Indicator: http : //www.i4vip [ .": [[6, 28]]}, "info": {"id": "cyner_mitre_valid_00520", "source": "cyner_mitre_valid"}}
{"text": "] com Counter Measures Use an up to date anti-malware software that is capable of identifying this threat .", "spans": {}, "info": {"id": "cyner_mitre_valid_00521", "source": "cyner_mitre_valid"}}
{"text": "If the threat reappears on the device after the first installation , it means that the malware managed to install the persistency module in the System directory .", "spans": {}, "info": {"id": "cyner_mitre_valid_00522", "source": "cyner_mitre_valid"}}
{"text": "In this case , the device should be re-flashed with an official ROM .", "spans": {}, "info": {"id": "cyner_mitre_valid_00523", "source": "cyner_mitre_valid"}}
{"text": "Lookout Discovers Phishing Sites Distributing New IOS And Android Surveillanceware April 8 , 2019 For the past year , Lookout researchers have been tracking Android and iOS surveillanceware , that can exfiltrate contacts , audio recordings , photos , location , and more from devices .", "spans": {"Organization: Lookout": [[0, 7], [118, 125]], "System: IOS": [[50, 53]], "System: Android": [[58, 65], [157, 164]], "Malware: Surveillanceware": [[66, 82]], "System: iOS": [[169, 172]], "Malware: surveillanceware": [[173, 189]]}, "info": {"id": "cyner_mitre_valid_00524", "source": "cyner_mitre_valid"}}
{"text": "As has been previously reported , some versions of the Android malware were present in the Google Play Store .", "spans": {"System: Android": [[55, 62]], "System: Google Play Store": [[91, 108]]}, "info": {"id": "cyner_mitre_valid_00525", "source": "cyner_mitre_valid"}}
{"text": "The iOS versions were available outside the app store , through phishing sites , and abused the Apple Developer Enterprise program .", "spans": {"System: iOS": [[4, 7]], "System: app store": [[44, 53]], "Organization: Apple Developer Enterprise": [[96, 122]]}, "info": {"id": "cyner_mitre_valid_00526", "source": "cyner_mitre_valid"}}
{"text": "Background : Android surveillanceware Early last year , Lookout discovered a sophisticated Android surveillanceware agent that appears to have been created for the lawful intercept market .", "spans": {"System: Android": [[13, 20], [91, 98]], "Organization: Lookout": [[56, 63]]}, "info": {"id": "cyner_mitre_valid_00527", "source": "cyner_mitre_valid"}}
{"text": "The agent appears to have been under development for at least five years and consists of three stages .", "spans": {}, "info": {"id": "cyner_mitre_valid_00528", "source": "cyner_mitre_valid"}}
{"text": "First , there is a small dropper , then a large second stage payload that contains multiple binaries ( where most of the surveillance functionality is implemented ) , and finally a third stage which typically uses the DirtyCOW exploit ( CVE-2016-5195 ) to obtain root .", "spans": {"Vulnerability: DirtyCOW exploit": [[218, 234]], "Vulnerability: CVE-2016-5195": [[237, 250]]}, "info": {"id": "cyner_mitre_valid_00529", "source": "cyner_mitre_valid"}}
{"text": "Security Without Borders has recently published an analysis of this family , independently , through their blog .", "spans": {"Organization: Security Without Borders": [[0, 24]]}, "info": {"id": "cyner_mitre_valid_00530", "source": "cyner_mitre_valid"}}
{"text": "Several technical details indicated that the software was likely the product of a well-funded development effort and aimed at the lawful intercept market .", "spans": {}, "info": {"id": "cyner_mitre_valid_00531", "source": "cyner_mitre_valid"}}
{"text": "These included the use of certificate pinning and public key encryption for C2 communications , geo-restrictions imposed by the C2 when delivering the second stage , and the comprehensive and well implemented suite of surveillance features .", "spans": {}, "info": {"id": "cyner_mitre_valid_00532", "source": "cyner_mitre_valid"}}
{"text": "Early versions of the Android application used infrastructure which belonged to a company named Connexxa S.R.L .", "spans": {"System: Android": [[22, 29]], "Organization: Connexxa S.R.L .": [[96, 112]]}, "info": {"id": "cyner_mitre_valid_00533", "source": "cyner_mitre_valid"}}
{"text": "and were signed using the name of an engineer who appears to hold equity in Connexxa .", "spans": {"Organization: Connexxa": [[76, 84]]}, "info": {"id": "cyner_mitre_valid_00534", "source": "cyner_mitre_valid"}}
{"text": "This engineer ’ s name is also associated with a company called eSurv S.R.L .", "spans": {"Organization: eSurv S.R.L .": [[64, 77]]}, "info": {"id": "cyner_mitre_valid_00535", "source": "cyner_mitre_valid"}}
{"text": "eSurv ’ s public marketing is centered around video surveillance software and image recognition systems , but there are a number of individuals claiming to be mobile security researchers working at the company , including one who has publically made claims to be developing a mobile surveillance agent .", "spans": {"Organization: eSurv": [[0, 5]]}, "info": {"id": "cyner_mitre_valid_00536", "source": "cyner_mitre_valid"}}
{"text": "Moreover , eSurv was a business unit of Connexxa and was leased to eSurv S.R.L in 2014 .", "spans": {"Organization: eSurv": [[11, 16]], "Organization: Connexxa": [[40, 48]], "Organization: eSurv S.R.L": [[67, 78]]}, "info": {"id": "cyner_mitre_valid_00537", "source": "cyner_mitre_valid"}}
{"text": "This business unit and the eSurv software and brand was sold from Connexxa S.R.L .", "spans": {"Organization: eSurv": [[27, 32]], "Organization: Connexxa S.R.L .": [[66, 82]]}, "info": {"id": "cyner_mitre_valid_00538", "source": "cyner_mitre_valid"}}
{"text": "to eSurv S.R.L .", "spans": {"Organization: eSurv S.R.L .": [[3, 16]]}, "info": {"id": "cyner_mitre_valid_00539", "source": "cyner_mitre_valid"}}
{"text": "on Feb 28 , 2016 .", "spans": {}, "info": {"id": "cyner_mitre_valid_00540", "source": "cyner_mitre_valid"}}
{"text": "Lookout notified Google of the potential threat shortly after it was discovered .", "spans": {"Organization: Lookout": [[0, 7]], "Organization: Google": [[17, 23]]}, "info": {"id": "cyner_mitre_valid_00541", "source": "cyner_mitre_valid"}}
{"text": "Together , during the latter half of 2018 , we worked to remove the apps from the Play store while it was being deployed in the wild .", "spans": {"System: Play store": [[82, 92]]}, "info": {"id": "cyner_mitre_valid_00542", "source": "cyner_mitre_valid"}}
{"text": "iOS development Analysis of these Android samples led to the discovery of infrastructure that contained several samples of an iOS port .", "spans": {"System: iOS": [[0, 3], [126, 129]], "System: Android": [[34, 41]]}, "info": {"id": "cyner_mitre_valid_00543", "source": "cyner_mitre_valid"}}
{"text": "So far , this software ( along with the Android version ) has been made available through phishing sites that imitated Italian and Turkmenistani mobile carriers .", "spans": {"System: Android": [[40, 47]]}, "info": {"id": "cyner_mitre_valid_00544", "source": "cyner_mitre_valid"}}
{"text": "Wind Tre SpA - an Italian telecom operator TMCell - the state owned mobile operator in Turkmenistan Deployment to users outside Apple ’ s app store was made possible through abuse of Apple ’ s enterprise provisioning system .", "spans": {"Organization: Wind Tre SpA": [[0, 12]], "Organization: TMCell": [[43, 49]], "Organization: Apple": [[128, 133], [183, 188]]}, "info": {"id": "cyner_mitre_valid_00545", "source": "cyner_mitre_valid"}}
{"text": "The Apple Developer Enterprise program is intended to allow organizations to distribute proprietary , in-house apps to their employees without needing to use the iOS App Store .", "spans": {"Organization: Apple Developer Enterprise": [[4, 30]], "System: iOS": [[162, 165]], "System: App Store": [[166, 175]]}, "info": {"id": "cyner_mitre_valid_00546", "source": "cyner_mitre_valid"}}
{"text": "A business can obtain access to this program only provided they meet requirements set out by Apple .", "spans": {"Organization: Apple": [[93, 98]]}, "info": {"id": "cyner_mitre_valid_00547", "source": "cyner_mitre_valid"}}
{"text": "It is not common to use this program to distribute malware , although there have been past cases where malware authors have done so .", "spans": {}, "info": {"id": "cyner_mitre_valid_00548", "source": "cyner_mitre_valid"}}
{"text": "Each of the phishing sites contained links to a distribution manifest , which contained metadata such as the application name , version , icon , and a URL for the IPA file .", "spans": {}, "info": {"id": "cyner_mitre_valid_00549", "source": "cyner_mitre_valid"}}
{"text": "To be distributed outside the app store , an IPA package must contain a mobile provisioning profile with an enterprise ’ s certificate .", "spans": {}, "info": {"id": "cyner_mitre_valid_00550", "source": "cyner_mitre_valid"}}
{"text": "All these packages used provisioning profiles with distribution certificates associated with the company Connexxa S.R.L .", "spans": {"Organization: Connexxa S.R.L .": [[105, 121]]}, "info": {"id": "cyner_mitre_valid_00551", "source": "cyner_mitre_valid"}}
{"text": "Certificate Used The apps themselves pretended to be carrier assistance apps which instructed the user to “ keep the app installed on your device and stay under Wi-Fi coverage to be contacted by one of our operators ” .", "spans": {}, "info": {"id": "cyner_mitre_valid_00552", "source": "cyner_mitre_valid"}}
{"text": "One of the packages after initial launch The iOS variant is not as sophisticated as the Android version , and contained a subset of the functionality the Android releases offered .", "spans": {"System: iOS": [[45, 48]], "System: Android": [[88, 95], [154, 161]]}, "info": {"id": "cyner_mitre_valid_00553", "source": "cyner_mitre_valid"}}
{"text": "In particular , these packages have not been observed to contain or to download exploits which would be required to perform certain types of activities on iOS devices .", "spans": {"System: iOS": [[155, 158]]}, "info": {"id": "cyner_mitre_valid_00554", "source": "cyner_mitre_valid"}}
{"text": "Even without capabilities to exploit a device , the packages were able to exfiltrate the following types of data using documented APIs : Contacts Audio recordings Photos Videos GPS location Device information In addition , the packages offered a feature to perform remote audio recording .", "spans": {"System: GPS": [[177, 180]]}, "info": {"id": "cyner_mitre_valid_00555", "source": "cyner_mitre_valid"}}
{"text": "Though different versions of the app vary in structure , malicious code was initialized at application launch without the user ’ s knowledge , and a number of timers were setup to gather and upload data periodically .", "spans": {}, "info": {"id": "cyner_mitre_valid_00556", "source": "cyner_mitre_valid"}}
{"text": "Upload data was queued and transmitted via HTTP PUT requests to an endpoint on the C2 .", "spans": {"Indicator: HTTP": [[43, 47]]}, "info": {"id": "cyner_mitre_valid_00557", "source": "cyner_mitre_valid"}}
{"text": "The iOS apps leverage the same C2 infrastructure as the Android version and use similar communications protocols .", "spans": {"System: iOS": [[4, 7]], "System: Android": [[56, 63]]}, "info": {"id": "cyner_mitre_valid_00558", "source": "cyner_mitre_valid"}}
{"text": "Push notifications were also used to control audio recording .", "spans": {}, "info": {"id": "cyner_mitre_valid_00559", "source": "cyner_mitre_valid"}}
{"text": "Lookout has shared information about this family with Apple , and they have revoked the affected certificates .", "spans": {"Organization: Lookout": [[0, 7]], "Organization: Apple": [[54, 59]]}, "info": {"id": "cyner_mitre_valid_00560", "source": "cyner_mitre_valid"}}
{"text": "As a result , no new instances of this app can be installed on iOS devices and existing installations can no longer be run .", "spans": {"System: iOS": [[63, 66]]}, "info": {"id": "cyner_mitre_valid_00561", "source": "cyner_mitre_valid"}}
{"text": "Lookout customers are also protected from this threat on both Android and iOS .", "spans": {"Organization: Lookout": [[0, 7]], "System: Android": [[62, 69]], "System: iOS": [[74, 77]]}, "info": {"id": "cyner_mitre_valid_00562", "source": "cyner_mitre_valid"}}
{"text": "Android Trojan Found in Targeted Attack 26 MAR 2013 In the past , we ’ ve seen targeted attacks against Tibetan and Uyghur activists on Windows and Mac OS X platforms .", "spans": {"System: Android": [[0, 7]], "System: Windows": [[136, 143]], "System: Mac OS X": [[148, 156]]}, "info": {"id": "cyner_mitre_valid_00563", "source": "cyner_mitre_valid"}}
{"text": "We ’ ve documented several interesting attacks ( A Gift for Dalai Lamas Birthday and Cyber Attacks Against Uyghur Mac OS X Users Intensify ) which used ZIP files as well as DOC , XLS and PDF documents rigged with exploits .", "spans": {"System: Mac OS X": [[114, 122]]}, "info": {"id": "cyner_mitre_valid_00564", "source": "cyner_mitre_valid"}}
{"text": "Several days ago , the e-mail account of a high-profile Tibetan activist was hacked and used to send targeted attacks to other activists and human rights advocates .", "spans": {}, "info": {"id": "cyner_mitre_valid_00565", "source": "cyner_mitre_valid"}}
{"text": "Perhaps the most interesting part is that the attack e-mails had an APK attachment – a malicious program for Android .", "spans": {"System: Android": [[109, 116]]}, "info": {"id": "cyner_mitre_valid_00566", "source": "cyner_mitre_valid"}}
{"text": "The attack On March 24th , 2013 , the e-mail account of a high-profile Tibetan activist was hacked and used to send spear phishing e-mails to their contact list .", "spans": {}, "info": {"id": "cyner_mitre_valid_00567", "source": "cyner_mitre_valid"}}
{"text": "This is what the spear phishing e-mail looked like : In regards to the message text above , multiple activist groups have recently organized a human rights conference event in Geneva .", "spans": {}, "info": {"id": "cyner_mitre_valid_00568", "source": "cyner_mitre_valid"}}
{"text": "We ’ ve noticed an increase in the number of attacks using this event as a lure .", "spans": {}, "info": {"id": "cyner_mitre_valid_00569", "source": "cyner_mitre_valid"}}
{"text": "Here ’ s another example of such an attack hitting Windows users : Going back to the Android Package ( APK ) file was attached to the e-mail , this is pushing an Android application named “ WUC ’ s Conference.apk ” .", "spans": {"System: Windows": [[51, 58]], "System: Android Package": [[85, 100]], "Malware: WUC ’ s Conference.apk": [[190, 212]]}, "info": {"id": "cyner_mitre_valid_00570", "source": "cyner_mitre_valid"}}
{"text": "This malicious APK is 334326 bytes file , MD5 : 0b8806b38b52bebfe39ff585639e2ea2 and is detected by Kaspersky Lab products as “ Backdoor.AndroidOS.Chuli.a ” .", "spans": {"Indicator: 0b8806b38b52bebfe39ff585639e2ea2": [[48, 80]], "Organization: Kaspersky Lab": [[100, 113]], "Indicator: Backdoor.AndroidOS.Chuli.a": [[128, 154]]}, "info": {"id": "cyner_mitre_valid_00571", "source": "cyner_mitre_valid"}}
{"text": "After the installation , an application named “ Conference ” appears on the desktop : If the victim launches this app , he will see text which “ enlightens ” the information about the upcoming event : The full text reads follows .", "spans": {}, "info": {"id": "cyner_mitre_valid_00572", "source": "cyner_mitre_valid"}}
{"text": "Notice notice the use of the mistaken “ Word ” instead of “ World ” : “ On behalf of all at the Word Uyghur Congress ( WUC ) , the Unrepresented Nations and Peoples Organization ( UNPO ) and the Society for Threatened Peoples ( STP ) , Human Rights in China : Implications for East Turkestan , Tibet and Southern Mongolia In what was an unprecedented coming-together of leading Uyghur , Mongolian , Tibetan and Chinese activists , as well as other leading international experts , we were greatly humbled", "spans": {"Organization: Word Uyghur Congress ( WUC )": [[96, 124]], "Organization: Unrepresented Nations and Peoples Organization ( UNPO )": [[131, 186]], "Organization: Society for Threatened Peoples ( STP )": [[195, 233]]}, "info": {"id": "cyner_mitre_valid_00573", "source": "cyner_mitre_valid"}}
{"text": "by the great enthusiasm , contribution and desire from all in attendance to make this occasion something meaningful , the outcome of which produced some concrete , action-orientated solutions to our shared grievances .", "spans": {}, "info": {"id": "cyner_mitre_valid_00574", "source": "cyner_mitre_valid"}}
{"text": "We are especially delighted about the platform and programme of work established in the declaration of the conference , upon which we sincerely hope will be built a strong and resolute working relationship on our shared goals for the future .", "spans": {}, "info": {"id": "cyner_mitre_valid_00575", "source": "cyner_mitre_valid"}}
{"text": "With this in mind , we thoroughly look forward to working with you on these matters .", "spans": {}, "info": {"id": "cyner_mitre_valid_00576", "source": "cyner_mitre_valid"}}
{"text": "Dolkun lsa Chairman of the Executive Committee Word Uyghur Congress ” While the victim reads this fake message , the malware secretly reports the infection to a command-and-control server .", "spans": {"Organization: Executive Committee Word Uyghur Congress": [[27, 67]]}, "info": {"id": "cyner_mitre_valid_00577", "source": "cyner_mitre_valid"}}
{"text": "After that , it begins to harvest information stored on the device .", "spans": {}, "info": {"id": "cyner_mitre_valid_00578", "source": "cyner_mitre_valid"}}
{"text": "The stolen data includes : Contacts ( stored both on the phone and the SIM card ) .", "spans": {}, "info": {"id": "cyner_mitre_valid_00579", "source": "cyner_mitre_valid"}}
{"text": "Call logs .", "spans": {}, "info": {"id": "cyner_mitre_valid_00580", "source": "cyner_mitre_valid"}}
{"text": "SMS messages .", "spans": {}, "info": {"id": "cyner_mitre_valid_00581", "source": "cyner_mitre_valid"}}
{"text": "Geo-location .", "spans": {}, "info": {"id": "cyner_mitre_valid_00582", "source": "cyner_mitre_valid"}}
{"text": "Phone data ( phone number , OS version , phone model , SDK version ) .", "spans": {}, "info": {"id": "cyner_mitre_valid_00583", "source": "cyner_mitre_valid"}}
{"text": "It is important to note that the data won ’ t be uploaded to C & C server automatically .", "spans": {}, "info": {"id": "cyner_mitre_valid_00584", "source": "cyner_mitre_valid"}}
{"text": "The Trojan waits for incoming SMS messages ( the “ alarmReceiver.class ” ) and checks whether these messages contain one of the following commands : “ sms ” , “ contact ” , “ location ” , “ other ” .", "spans": {"Indicator: alarmReceiver.class": [[51, 70]]}, "info": {"id": "cyner_mitre_valid_00585", "source": "cyner_mitre_valid"}}
{"text": "If one these commands is found , then the malware will encode the stolen data with Base64 and upload it to the command and control server .", "spans": {}, "info": {"id": "cyner_mitre_valid_00586", "source": "cyner_mitre_valid"}}
{"text": "The C2 URL is : hxxp : //64.78.161.133/ * victims ’ s_cell_phone_number * /process.php In addition to this , the malware also reports to another script , “ hxxp : //64.78.161.33/android.php ” .", "spans": {"Indicator: hxxp : //64.78.161.133/ * victims ’ s_cell_phone_number * /process.php": [[16, 86]], "Indicator: hxxp : //64.78.161.33/android.php": [[156, 189]]}, "info": {"id": "cyner_mitre_valid_00587", "source": "cyner_mitre_valid"}}
{"text": "First , it will get the “ nativenumber ” variable from the “ telmark ” value of “ AndroidManifest.xml ” .", "spans": {"System: AndroidManifest.xml": [[82, 101]]}, "info": {"id": "cyner_mitre_valid_00588", "source": "cyner_mitre_valid"}}
{"text": "This is hardcoded and equals “ phone ” .", "spans": {}, "info": {"id": "cyner_mitre_valid_00589", "source": "cyner_mitre_valid"}}
{"text": "Then , it will add the result of the public method localDate.getTime ( ) , which simply gets the current date .", "spans": {}, "info": {"id": "cyner_mitre_valid_00590", "source": "cyner_mitre_valid"}}
{"text": "An example of the string which is sent to the command-and-control would be “ phone 26.03.2013 ” .", "spans": {}, "info": {"id": "cyner_mitre_valid_00591", "source": "cyner_mitre_valid"}}
{"text": "It is interesting that the attackers used Java Base64 library developed by Sauron Software .", "spans": {"Organization: Sauron Software": [[75, 90]]}, "info": {"id": "cyner_mitre_valid_00592", "source": "cyner_mitre_valid"}}
{"text": "This software is free and distributed under LGPL license .", "spans": {}, "info": {"id": "cyner_mitre_valid_00593", "source": "cyner_mitre_valid"}}
{"text": "Also , command communications with the malware are parsed with a function named β€œ chuli ( ) ” prior to POSTing stolen data to the command-and-control server .", "spans": {}, "info": {"id": "cyner_mitre_valid_00594", "source": "cyner_mitre_valid"}}
{"text": "It appears that the attackers are somewhat familiar with the language and mountain-trekking culture of the targets – the meaning of β€œ chuli ” is β€œ summit ” : The command-and-control server and parameters can be easily seen in the decompiled source code : Command and control server interaction code Throughout the code , the attackers log all important actions , which include various messages in Chinese .", "spans": {}, "info": {"id": "cyner_mitre_valid_00595", "source": "cyner_mitre_valid"}}
{"text": "This was probably done for debugging purposes , indicating the malware may be an early prototype version .", "spans": {}, "info": {"id": "cyner_mitre_valid_00596", "source": "cyner_mitre_valid"}}
{"text": "Some actions include ( with rough translations ) : The command-and-control server The command-and-control server is located at IP 64.78.161.133 .", "spans": {"Indicator: 64.78.161.133": [[130, 143]]}, "info": {"id": "cyner_mitre_valid_00597", "source": "cyner_mitre_valid"}}
{"text": "This IP is located in Los Angeles , U.S.A. , at a hosting company named β€œ Emagine Concept Inc ” .", "spans": {"Organization: Emagine Concept Inc": [[74, 93]]}, "info": {"id": "cyner_mitre_valid_00598", "source": "cyner_mitre_valid"}}
{"text": "Interestingly , there is a domain which used to point there , β€œ DlmDocumentsExchange.com ” .", "spans": {"Indicator: DlmDocumentsExchange.com": [[64, 88]]}, "info": {"id": "cyner_mitre_valid_00599", "source": "cyner_mitre_valid"}}
{"text": "The domain was registered on March 8th , 2013 : Registration Service Provided By : SHANGHAI MEICHENG TECHNOLOGY INFORMATION DEVELOPMENT CO. , LTD. Domain Name : DLMDOCUMENTSEXCHANGE.COM Registration Date : 08-Mar-2013 Expiration Date : 08-Mar-2014 Status : LOCKED The domain registration data indicates the following owner : Registrant Contact Details : peng jia peng jia ( bdoufwke123010 @ gmail.com ) beijingshiahiidienquc.d beijingshi beijing,100000", "spans": {"Organization: SHANGHAI MEICHENG TECHNOLOGY INFORMATION DEVELOPMENT CO. , LTD.": [[83, 146]], "Indicator: DLMDOCUMENTSEXCHANGE.COM": [[161, 185]], "Indicator: bdoufwke123010 @ gmail.com": [[374, 400]], "Indicator: beijingshiahiidienquc.d": [[403, 426]]}, "info": {"id": "cyner_mitre_valid_00600", "source": "cyner_mitre_valid"}}
{"text": "CN Tel .", "spans": {}, "info": {"id": "cyner_mitre_valid_00601", "source": "cyner_mitre_valid"}}
{"text": "+86.01078456689 Fax .", "spans": {}, "info": {"id": "cyner_mitre_valid_00602", "source": "cyner_mitre_valid"}}
{"text": "+86.01078456689 The command-and-control server is hosting an index page which also serves an APK file : The referenced β€œ Document.apk ” is 333583 bytes in size , MD5 : c4c4077e9449147d754afd972e247efc .", "spans": {"Indicator: Document.apk": [[121, 133]], "Indicator: c4c4077e9449147d754afd972e247efc": [[168, 200]]}, "info": {"id": "cyner_mitre_valid_00603", "source": "cyner_mitre_valid"}}
{"text": "It has the same functionality as the one described above but contains different text .", "spans": {}, "info": {"id": "cyner_mitre_valid_00604", "source": "cyner_mitre_valid"}}
{"text": "The new text ( in Chinese , about relations between China , Japan and the disputed β€œ Senkaku Islands / Diaoyudao Islands / Diaoyutai Islands ” ) is shown to the victims and reads as following : When opened in a browser , this is what the command-and-control index page looks like : The text on the top means β€œ Title Title Title ” in Chinese , while the other strings appear to be random characters typed from the keyboard .", "spans": {}, "info": {"id": "cyner_mitre_valid_00605", "source": "cyner_mitre_valid"}}
{"text": "Interestingly , the command and control server includes a publicly accessible interface to work with the victims : Some of the commands with rough translations : The command-and-control server is running Windows Server 2003 and has been configured for Chinese language : This , together with the logs , is a strong indicator that the attackers are Chinese-speaking .", "spans": {"System: Windows Server": [[204, 218]]}, "info": {"id": "cyner_mitre_valid_00606", "source": "cyner_mitre_valid"}}
{"text": "Conclusions Every day , there are hundreds if not thousands of targeted attacks against Tibetan and Uyghur supporters .", "spans": {}, "info": {"id": "cyner_mitre_valid_00607", "source": "cyner_mitre_valid"}}
{"text": "The vast majority of these target Windows machines through Word documents exploiting known vulnerabilities such as CVE-2012-0158 , CVE-2010-3333 and CVE-2009-3129 .", "spans": {"System: Windows": [[34, 41]], "System: Word": [[59, 63]], "Vulnerability: CVE-2012-0158": [[115, 128]], "Vulnerability: CVE-2010-3333": [[131, 144]], "Vulnerability: CVE-2009-3129": [[149, 162]]}, "info": {"id": "cyner_mitre_valid_00608", "source": "cyner_mitre_valid"}}
{"text": "In this case , the attackers hacked a Tibetan activist ’ s account and used it to attack Uyghur activists .", "spans": {}, "info": {"id": "cyner_mitre_valid_00609", "source": "cyner_mitre_valid"}}
{"text": "It indicates perhaps an interesting trend which is exploiting the trust relationships between the two communities .", "spans": {}, "info": {"id": "cyner_mitre_valid_00610", "source": "cyner_mitre_valid"}}
{"text": "This technique reminds us of a combination between ages old war strategies β€œ Divide et impera ” and β€œ By way of deception ” .", "spans": {}, "info": {"id": "cyner_mitre_valid_00611", "source": "cyner_mitre_valid"}}
{"text": "Until now , we haven ’ t seen targeted attacks against mobile phones , although we ’ ve seen indications that these were in development .", "spans": {}, "info": {"id": "cyner_mitre_valid_00612", "source": "cyner_mitre_valid"}}
{"text": "The current attack took advantage of the compromise of a high-profile Tibetan activist .", "spans": {}, "info": {"id": "cyner_mitre_valid_00613", "source": "cyner_mitre_valid"}}
{"text": "It is perhaps the first in a new wave of targeted attacks aimed at Android users .", "spans": {"System: Android": [[67, 74]]}, "info": {"id": "cyner_mitre_valid_00614", "source": "cyner_mitre_valid"}}
{"text": "So far , the attackers relied entirely on social engineering to infect the targets .", "spans": {}, "info": {"id": "cyner_mitre_valid_00615", "source": "cyner_mitre_valid"}}
{"text": "History has shown us that , in time , these attacks will use zero-day vulnerabilities , exploits or a combination of techniques .", "spans": {"Vulnerability: zero-day vulnerabilities": [[61, 85]]}, "info": {"id": "cyner_mitre_valid_00616", "source": "cyner_mitre_valid"}}
{"text": "For now , the best protection is to avoid any APK attachments that arrive on mobile phones via e-mail .", "spans": {}, "info": {"id": "cyner_mitre_valid_00617", "source": "cyner_mitre_valid"}}
{"text": "We detect the malware used in this attack as β€œ Backdoor.AndroidOS.Chuli.a ” .", "spans": {"Malware: Backdoor.AndroidOS.Chuli.a": [[47, 73]]}, "info": {"id": "cyner_mitre_valid_00618", "source": "cyner_mitre_valid"}}
{"text": "MD5s : c4c4077e9449147d754afd972e247efc Document.apk 0b8806b38b52bebfe39ff585639e2ea2 WUC ’ s Conference.apk Triada : organized crime on Android Triada is a modular mobile Trojan that actively uses root privileges to substitute system files and uses several clever methods to become almost invisible March 3 , 2016 You know how armies typically move : first come the scouts to make sure everything is ok. Then the heavy troops", "spans": {"Indicator: c4c4077e9449147d754afd972e247efc": [[7, 39]], "Indicator: Document.apk": [[40, 52]], "Indicator: 0b8806b38b52bebfe39ff585639e2ea2": [[53, 85]], "Indicator: Conference.apk": [[94, 108]], "Malware: Triada": [[109, 115], [145, 151]], "System: Android": [[137, 144]]}, "info": {"id": "cyner_mitre_valid_00619", "source": "cyner_mitre_valid"}}
{"text": "arrive ; at least that was how it used to be before the age of cyber wars .", "spans": {}, "info": {"id": "cyner_mitre_valid_00620", "source": "cyner_mitre_valid"}}
{"text": "It turns out , that Trojans behave quite the same way .", "spans": {}, "info": {"id": "cyner_mitre_valid_00621", "source": "cyner_mitre_valid"}}
{"text": "There are a lot of small Trojans for Android capable of leveraging access privileges , in other words β€” gaining root access .", "spans": {"System: Android": [[37, 44]]}, "info": {"id": "cyner_mitre_valid_00622", "source": "cyner_mitre_valid"}}
{"text": "Our malware analysts Nikita Buchka and Mikhail Kuzin can easily name 11 families of such Trojans .", "spans": {}, "info": {"id": "cyner_mitre_valid_00623", "source": "cyner_mitre_valid"}}
{"text": "Most of them are almost harmless β€” all they did until recently was injecting tons of ads and downloading others of their kind .", "spans": {}, "info": {"id": "cyner_mitre_valid_00624", "source": "cyner_mitre_valid"}}
{"text": "If you want to know more about them β€” our researchers have an article about them on Securelist .", "spans": {"Organization: Securelist": [[84, 94]]}, "info": {"id": "cyner_mitre_valid_00625", "source": "cyner_mitre_valid"}}
{"text": "If you follow the military analogy β€” those are the scouts .", "spans": {}, "info": {"id": "cyner_mitre_valid_00626", "source": "cyner_mitre_valid"}}
{"text": "As you probably have noticed , gaining root access gives them the capability to download and install applications β€” that ’ s the reason why once one of them get into the system , in a few minutes there are all the others .", "spans": {}, "info": {"id": "cyner_mitre_valid_00627", "source": "cyner_mitre_valid"}}
{"text": "But our researchers have predicted that these small Trojans would certainly be used to download some really bad malware that can actually harm the owners of the infected devices .", "spans": {}, "info": {"id": "cyner_mitre_valid_00628", "source": "cyner_mitre_valid"}}
{"text": "And that ’ s exactly what has happened recently .", "spans": {}, "info": {"id": "cyner_mitre_valid_00629", "source": "cyner_mitre_valid"}}
{"text": "Small Trojans like Leech , Ztorg and Gopro now download one of the most advanced mobile Trojans our malware analysts have ever encountered β€” we call it Triada .", "spans": {"Malware: Leech": [[19, 24]], "Malware: Ztorg": [[27, 32]], "Malware: Gopro": [[37, 42]], "Malware: Triada": [[152, 158]]}, "info": {"id": "cyner_mitre_valid_00630", "source": "cyner_mitre_valid"}}
{"text": "Triada is a modular mobile Trojan that actively uses root privileges to substitute system files and exists mostly in the device ’ s RAM , which makes it extremely hard to detect .", "spans": {"Malware: Triada": [[0, 6]]}, "info": {"id": "cyner_mitre_valid_00631", "source": "cyner_mitre_valid"}}
{"text": "The dark ways of the Triada Once downloaded and installed , the Triada Trojan first tries to collect some information about the system β€” like the device model , the OS version , the amount of the SD card space , the list of the installed applications and other things .", "spans": {"Malware: Triada": [[21, 27], [64, 70]]}, "info": {"id": "cyner_mitre_valid_00632", "source": "cyner_mitre_valid"}}
{"text": "Then it sends all that information to the Command & Control server .", "spans": {}, "info": {"id": "cyner_mitre_valid_00633", "source": "cyner_mitre_valid"}}
{"text": "We have detected a total of 17 C & C servers on 4 different domains , which probably means the bad guys are quite familiar with what redundancy is .", "spans": {}, "info": {"id": "cyner_mitre_valid_00634", "source": "cyner_mitre_valid"}}
{"text": "The C & C server then responds with a configuration file , containing the personal identification number for the device and some settings β€” the time interval between contacting the server , the list of modules to be installed and so on .", "spans": {}, "info": {"id": "cyner_mitre_valid_00635", "source": "cyner_mitre_valid"}}
{"text": "After the modules are installed they are deployed to the short term memory and deleted from the device storage , which makes the Trojan a lot harder to catch .", "spans": {}, "info": {"id": "cyner_mitre_valid_00636", "source": "cyner_mitre_valid"}}
{"text": "There are two more reasons why Triada is so hard to detect and why it had impressed our researchers so much .", "spans": {"Malware: Triada": [[31, 37]]}, "info": {"id": "cyner_mitre_valid_00637", "source": "cyner_mitre_valid"}}
{"text": "First , it modifies the Zygote process .", "spans": {"System: Zygote": [[24, 30]]}, "info": {"id": "cyner_mitre_valid_00638", "source": "cyner_mitre_valid"}}
{"text": "Zygote is the core process in the Android OS that is used as a template for every application , which means that once the Trojan gets into Zygote , it becomes a part of literally every app that is launched on the device .", "spans": {"System: Zygote": [[0, 6], [139, 145]], "System: Android": [[34, 41]]}, "info": {"id": "cyner_mitre_valid_00639", "source": "cyner_mitre_valid"}}
{"text": "Triada : organized crime on Android Second , it substitutes the system functions and conceals its modules from the list of the running processes and installed apps .", "spans": {"Malware: Triada": [[0, 6]], "System: Android": [[28, 35]]}, "info": {"id": "cyner_mitre_valid_00640", "source": "cyner_mitre_valid"}}
{"text": "So the system doesn ’ t see any strange processes running and thus does not cry the alarm .", "spans": {}, "info": {"id": "cyner_mitre_valid_00641", "source": "cyner_mitre_valid"}}
{"text": "Those are not the only system functions Triada modifies .", "spans": {"Malware: Triada": [[40, 46]]}, "info": {"id": "cyner_mitre_valid_00642", "source": "cyner_mitre_valid"}}
{"text": "As our researchers discovered , it also lays its hands on the outgoing SMS and filters the incoming ones .", "spans": {}, "info": {"id": "cyner_mitre_valid_00643", "source": "cyner_mitre_valid"}}
{"text": "That is actually how the bad guys decided to monetize the Trojan .", "spans": {}, "info": {"id": "cyner_mitre_valid_00644", "source": "cyner_mitre_valid"}}
{"text": "Some applications rely on SMS when it comes to in-app purchases β€” the transaction data is transferred via a short text message .", "spans": {}, "info": {"id": "cyner_mitre_valid_00645", "source": "cyner_mitre_valid"}}
{"text": "The main reason for developers to choose SMS over traditional payments via Internet is that in the case with SMS no Internet connection is required .", "spans": {}, "info": {"id": "cyner_mitre_valid_00646", "source": "cyner_mitre_valid"}}
{"text": "Users do not see those SMS because they are processed not by the SMS app , but by the app that has initiated the transaction β€” e.g a free-to-play game .", "spans": {}, "info": {"id": "cyner_mitre_valid_00647", "source": "cyner_mitre_valid"}}
{"text": "Triada ’ s functionality allows it to modify those messages , so the money is sent not to some app developer , but to the malware operators .", "spans": {"Malware: Triada": [[0, 6]]}, "info": {"id": "cyner_mitre_valid_00648", "source": "cyner_mitre_valid"}}
{"text": "Triada steals the money either from the users β€” if they haven ’ t succeeded in purchasing whatever they wanted , or from the app developers , in case the user has completed the purchase successfully .", "spans": {"Malware: Triada": [[0, 6]]}, "info": {"id": "cyner_mitre_valid_00649", "source": "cyner_mitre_valid"}}
{"text": "For now , that is the only way how cybercriminals can profit from Triada , but don ’ t forget that it ’ s a modular Trojan , so it can be turned into literally everything on one command from the C & C server .", "spans": {"Malware: Triada": [[66, 72]]}, "info": {"id": "cyner_mitre_valid_00650", "source": "cyner_mitre_valid"}}
{"text": "Fighting organized crime in your phone One of the main problems with Triada is that it can potentially hurt a LOT of people .", "spans": {"Malware: Triada": [[69, 75]]}, "info": {"id": "cyner_mitre_valid_00651", "source": "cyner_mitre_valid"}}
{"text": "As we ’ ve mentioned earlier , Triada is downloaded by smaller Trojans that have leveraged the access privileges .", "spans": {"Malware: Triada": [[31, 37]]}, "info": {"id": "cyner_mitre_valid_00652", "source": "cyner_mitre_valid"}}
{"text": "And our researchers estimate that in every 10 Android users 1 was attacked by either one or several of those Trojans during the second half of 2015 , so there are millions of devices with a huge possibility of being infected with Triada .", "spans": {"System: Android": [[46, 53]], "Malware: Triada": [[230, 236]]}, "info": {"id": "cyner_mitre_valid_00653", "source": "cyner_mitre_valid"}}
{"text": "So , what can you do to protect yourself from this stealthy beast ?", "spans": {}, "info": {"id": "cyner_mitre_valid_00654", "source": "cyner_mitre_valid"}}
{"text": "1 .", "spans": {}, "info": {"id": "cyner_mitre_valid_00655", "source": "cyner_mitre_valid"}}
{"text": "Never forget to update your system .", "spans": {}, "info": {"id": "cyner_mitre_valid_00656", "source": "cyner_mitre_valid"}}
{"text": "It turns out that those smaller Trojans face serious problems trying to get root access on Android 4.4.4 and above , because a lot of vulnerabilities were patched in these versions .", "spans": {"System: Android 4.4.4": [[91, 104]]}, "info": {"id": "cyner_mitre_valid_00657", "source": "cyner_mitre_valid"}}
{"text": "So if you have Android 4.4.4 or some more recent version of this OS on your device , your chances of getting infected with Triada are significantly lower .", "spans": {"System: Android 4.4.4": [[15, 28]], "Malware: Triada": [[123, 129]]}, "info": {"id": "cyner_mitre_valid_00658", "source": "cyner_mitre_valid"}}
{"text": "Yet our statistics says that about 60 % of Android users are still sitting with Android 4.4.2 and below .", "spans": {"System: Android": [[43, 50]], "System: Android 4.4.2 and below": [[80, 103]]}, "info": {"id": "cyner_mitre_valid_00659", "source": "cyner_mitre_valid"}}
{"text": "Triada : organized crime on Android 2 .", "spans": {"Malware: Triada": [[0, 6]], "System: Android": [[28, 35]]}, "info": {"id": "cyner_mitre_valid_00660", "source": "cyner_mitre_valid"}}
{"text": "Better not to take any chances at all , no matter which version of the OS you use .", "spans": {}, "info": {"id": "cyner_mitre_valid_00661", "source": "cyner_mitre_valid"}}
{"text": "So we recommend installing an anti-virus solution on your Android device .", "spans": {}, "info": {"id": "cyner_mitre_valid_00662", "source": "cyner_mitre_valid"}}
{"text": "Kaspersky Internet Security for Android detects all three of Triada ’ s modules , so it can save your money from cybercriminals that are behind Triada .", "spans": {"System: Kaspersky Internet Security": [[0, 27]], "System: Android": [[32, 39]], "Malware: Triada": [[61, 67], [144, 150]]}, "info": {"id": "cyner_mitre_valid_00663", "source": "cyner_mitre_valid"}}
{"text": "Just don ’ t forget that the scan does not run automatically in the free version .", "spans": {}, "info": {"id": "cyner_mitre_valid_00664", "source": "cyner_mitre_valid"}}
{"text": "But all in all Triada is yet another example of a really bad trend : malware developers are taking Android seriously , and the latest samples are almost as complex and hard to withstand , as their Windows-based kin .", "spans": {"Malware: Triada": [[15, 21]], "System: Android": [[99, 106]], "System: Windows-based": [[197, 210]]}, "info": {"id": "cyner_mitre_valid_00665", "source": "cyner_mitre_valid"}}
{"text": "The only good way to fight all these threats is to be proactive , and so a good security solution is a must .", "spans": {}, "info": {"id": "cyner_mitre_valid_00666", "source": "cyner_mitre_valid"}}
{"text": "TrickBot Pushing a 2FA Bypass App to Bank Customers in Germany March 24 , 2020 IBM X-Force researchers analyzed an Android malware app that ’ s likely being pushed to infected users by the TrickBot Trojan .", "spans": {"Malware: TrickBot": [[0, 8], [189, 197]], "Organization: IBM X-Force": [[79, 90]], "System: Android": [[115, 122]]}, "info": {"id": "cyner_mitre_valid_00667", "source": "cyner_mitre_valid"}}
{"text": "This app , dubbed β€œ TrickMo ” by our team , is designed to bypass second factor and strong authentication pushed to bank customers when they need to authorize a transaction .", "spans": {"Malware: TrickMo": [[20, 27]]}, "info": {"id": "cyner_mitre_valid_00668", "source": "cyner_mitre_valid"}}
{"text": "While it ’ s not the first of its kind , this Android malware app is more sophisticated than similar apps and possesses interesting features that enable its operators to steal transaction authorization codes from victims who download the app .", "spans": {"System: Android": [[46, 53]]}, "info": {"id": "cyner_mitre_valid_00669", "source": "cyner_mitre_valid"}}
{"text": "According to our research , TrickMo is still under active development as we expect to see frequent changes and updates .", "spans": {"Malware: TrickMo": [[28, 35]]}, "info": {"id": "cyner_mitre_valid_00670", "source": "cyner_mitre_valid"}}
{"text": "While it can be used anywhere and target any bank or region , at this time , we are seeing it deployed specifically in Germany .", "spans": {}, "info": {"id": "cyner_mitre_valid_00671", "source": "cyner_mitre_valid"}}
{"text": "Germany is one of the first attack turfs TrickBot spread to when it first emerged in 2016 .", "spans": {"Malware: TrickBot": [[41, 49]]}, "info": {"id": "cyner_mitre_valid_00672", "source": "cyner_mitre_valid"}}
{"text": "In 2020 , it appears that TrickBot ’ s vast bank fraud is an ongoing project that helps the gang monetize compromised accounts .", "spans": {"Malware: TrickBot": [[26, 34]]}, "info": {"id": "cyner_mitre_valid_00673", "source": "cyner_mitre_valid"}}
{"text": "First Signs in September 2019 In September 2019 , a tweet by CERT-Bund caught the attention of the IBM Trusteer Mobile Security Research team .", "spans": {"Organization: CERT-Bund": [[61, 70]], "Organization: IBM Trusteer Mobile Security Research": [[99, 136]]}, "info": {"id": "cyner_mitre_valid_00674", "source": "cyner_mitre_valid"}}
{"text": "The tweet stated that TrickBot , a well-known banking Trojan owned by an organized cybercrime gang , uses man-in-the-browser ( MITB ) web injects in online banking sessions to ask infected users for their mobile phone number and device type .", "spans": {"Malware: TrickBot": [[22, 30]]}, "info": {"id": "cyner_mitre_valid_00675", "source": "cyner_mitre_valid"}}
{"text": "Machine translation of this tweet reads : β€œ Watch out for online banking : Emotet reloads TrickBot .", "spans": {"Malware: Emotet": [[75, 81]], "Malware: TrickBot": [[90, 98]]}, "info": {"id": "cyner_mitre_valid_00676", "source": "cyner_mitre_valid"}}
{"text": "On infected PCs , TrickBot displays a query for the mobile phone number and the device type used for banking and then prompts users to install an alleged security app. ” When banking Trojans ask for this type of information , it usually means the next step will be an attempt to infect the victim ’ s mobile device .", "spans": {"Malware: TrickBot": [[18, 26]]}, "info": {"id": "cyner_mitre_valid_00677", "source": "cyner_mitre_valid"}}
{"text": "Our team went ahead and hunted for samples of the app and analyzed it in our labs .", "spans": {}, "info": {"id": "cyner_mitre_valid_00678", "source": "cyner_mitre_valid"}}
{"text": "In this analysis , we get into the capabilities of the new variant and what we found to be a β€œ kill switch ” that can eliminate the malware remotely from an infected device .", "spans": {}, "info": {"id": "cyner_mitre_valid_00679", "source": "cyner_mitre_valid"}}
{"text": "Desktop Trojans and Their Mobile Component The process by which Trojans attempt to infect mobile devices is at least a decade old .", "spans": {}, "info": {"id": "cyner_mitre_valid_00680", "source": "cyner_mitre_valid"}}
{"text": "Usually , when users are already infected with malware like TrickBot on their desktop , they will see a web injection asking for their mobile device operating system ( OS ) type and phone number .", "spans": {"Malware: TrickBot": [[60, 68]]}, "info": {"id": "cyner_mitre_valid_00681", "source": "cyner_mitre_valid"}}
{"text": "Next , if they indicate that they use an Android-based device , the Trojan , impersonating their bank with web injections , fools the victim into installing a fake security app .", "spans": {"System: Android-based": [[41, 54]]}, "info": {"id": "cyner_mitre_valid_00682", "source": "cyner_mitre_valid"}}
{"text": "The supposed purpose of that app is to obtain and use a required β€œ security code ” to log in to their online banking site .", "spans": {}, "info": {"id": "cyner_mitre_valid_00683", "source": "cyner_mitre_valid"}}
{"text": "Our research team analyzed the malicious Android application that is most likely being spread by TrickBot and dubbed it β€œ TrickMo. ” Targeting users in Germany at this time , TrickMo is the latest variation in the transaction authentication number ( TAN ) -stealing malware category .", "spans": {"System: Android": [[41, 48]], "Malware: TrickBot": [[97, 105]], "Malware: TrickMo.": [[122, 130]], "Malware: TrickMo": [[175, 182]]}, "info": {"id": "cyner_mitre_valid_00684", "source": "cyner_mitre_valid"}}
{"text": "Its main capabilities include : Stealing personal device information Intercepting SMS messages Recording targeted applications for one-time password ( TAN ) Lockdown of the phone Stealing pictures from the device Self-destruction and removal As banks release more advanced security measures , banking malware evolves to keep up with the perpetual arms race .", "spans": {}, "info": {"id": "cyner_mitre_valid_00685", "source": "cyner_mitre_valid"}}
{"text": "From our analysis of the TrickMo mobile malware , it is apparent that TrickMo is designed to break the newest methods of OTP and , specifically , TAN codes often used in Germany .", "spans": {"Malware: TrickMo": [[25, 32], [70, 77]]}, "info": {"id": "cyner_mitre_valid_00686", "source": "cyner_mitre_valid"}}
{"text": "Among the various features we discuss in this post , we believe that TrickMo ’ s most significant novelty is an app recording feature , which gives it the ability to overcome the newer pushTAN app validations used by German banks .", "spans": {"Malware: TrickMo": [[69, 76]]}, "info": {"id": "cyner_mitre_valid_00687", "source": "cyner_mitre_valid"}}
{"text": "In the analysis that follows , we describe in detail the capabilities of this new variant and a β€œ kill switch ” that can remotely eliminate the malware from a mobile device .", "spans": {}, "info": {"id": "cyner_mitre_valid_00688", "source": "cyner_mitre_valid"}}
{"text": "Why Do Desktop Trojans Use a Mobile Component ?", "spans": {}, "info": {"id": "cyner_mitre_valid_00689", "source": "cyner_mitre_valid"}}
{"text": "About a decade ago , attackers wielding banking Trojans could simply use stolen credentials to access a victim ’ s online banking account and perform money transfers .", "spans": {}, "info": {"id": "cyner_mitre_valid_00690", "source": "cyner_mitre_valid"}}
{"text": "As a countermeasure , financial institutions introduced various second factor authentication ( 2FA ) methods .", "spans": {}, "info": {"id": "cyner_mitre_valid_00691", "source": "cyner_mitre_valid"}}
{"text": "One method , which was popular in Germany , is known as mobile TAN ( mTAN ) .", "spans": {}, "info": {"id": "cyner_mitre_valid_00692", "source": "cyner_mitre_valid"}}
{"text": "It was implemented by sending an SMS message containing a one-time password ( OTP ) to the client ’ s mobile device .", "spans": {}, "info": {"id": "cyner_mitre_valid_00693", "source": "cyner_mitre_valid"}}
{"text": "The transaction would only be authorized after the client enters the TAN into the online banking website in their browser .", "spans": {}, "info": {"id": "cyner_mitre_valid_00694", "source": "cyner_mitre_valid"}}
{"text": "Keep in mind that while this case is about TANs , it can be any OTP , depending on which bank is being targeted .", "spans": {}, "info": {"id": "cyner_mitre_valid_00695", "source": "cyner_mitre_valid"}}
{"text": "Meanwhile , desktop banking Trojans developed the ability to execute various social engineering schemes by using web injections , a method that alters the content presented to the infected victim in their browser .", "spans": {}, "info": {"id": "cyner_mitre_valid_00696", "source": "cyner_mitre_valid"}}
{"text": "In some cases , sophisticated web injects were used to trick victims into entering their 2FA codes directly into the web forms controlled by the malware to eliminate the need for the mobile malware component .", "spans": {}, "info": {"id": "cyner_mitre_valid_00697", "source": "cyner_mitre_valid"}}
{"text": "But attackers were still constantly looking for new methods to steal TANs .", "spans": {}, "info": {"id": "cyner_mitre_valid_00698", "source": "cyner_mitre_valid"}}
{"text": "Around 2011 , the infamous Zeus Trojan started using web injects that tricked users into downloading a mobile component called β€œ ZitMo ” ( Zeus in the Mobile ) .", "spans": {"Malware: Zeus Trojan": [[27, 38]], "Malware: ZitMo": [[129, 134]], "Malware: Zeus": [[139, 143]]}, "info": {"id": "cyner_mitre_valid_00699", "source": "cyner_mitre_valid"}}
{"text": "This was used to bypass 2FA methods by intercepting the SMS messages coming from the bank and stealing the mTANs without the victim ’ s knowledge .", "spans": {}, "info": {"id": "cyner_mitre_valid_00700", "source": "cyner_mitre_valid"}}
{"text": "Many other banking malware families followed suit and released their own Android malware components designed to steal those OTPs and TANs .", "spans": {}, "info": {"id": "cyner_mitre_valid_00701", "source": "cyner_mitre_valid"}}
{"text": "From mTAN to pushTAN In the past few years , some banks in Europe , especially in Germany , stopped using SMS-based authentication and switched to dedicated pushTAN applications for 2FA schemes .", "spans": {}, "info": {"id": "cyner_mitre_valid_00702", "source": "cyner_mitre_valid"}}
{"text": "Instead of relying on SMS messages , which can be easily intercepted by third-party apps , these applications started using push notifications for users , containing the transaction details and the TAN .", "spans": {}, "info": {"id": "cyner_mitre_valid_00703", "source": "cyner_mitre_valid"}}
{"text": "The pushTAN method has a clear advantage : It improves security by mitigating the risk of SIM swapping attacks and SMS stealers .", "spans": {}, "info": {"id": "cyner_mitre_valid_00704", "source": "cyner_mitre_valid"}}
{"text": "TrickMo Calls pushTAN The pushTAN method is a hurdle for malware apps that may reside on the same device , and it ’ s particularly challenging for mobile malware due to Android ’ s application sandbox .", "spans": {"Malware: TrickMo": [[0, 7]], "System: Android": [[169, 176]]}, "info": {"id": "cyner_mitre_valid_00705", "source": "cyner_mitre_valid"}}
{"text": "This feature is designed to block one application from accessing the data of other applications without rooting the device .", "spans": {}, "info": {"id": "cyner_mitre_valid_00706", "source": "cyner_mitre_valid"}}
{"text": "To get around this challenge , TrickMo ’ s developers added some new features to steal TANs using screen video recording and screen data scraping .", "spans": {"Malware: TrickMo": [[31, 38]]}, "info": {"id": "cyner_mitre_valid_00707", "source": "cyner_mitre_valid"}}
{"text": "The Root of All ( Android ) Evil So how does TrickMo get around these security features ?", "spans": {"System: Android": [[18, 25]], "Malware: TrickMo": [[45, 52]]}, "info": {"id": "cyner_mitre_valid_00708", "source": "cyner_mitre_valid"}}
{"text": "It abuses accessibility services .", "spans": {}, "info": {"id": "cyner_mitre_valid_00709", "source": "cyner_mitre_valid"}}
{"text": "Android ’ s accessibility services were originally developed by Google for the benefit of users with disabilities .", "spans": {"System: Android": [[0, 7]], "Organization: Google": [[64, 70]]}, "info": {"id": "cyner_mitre_valid_00710", "source": "cyner_mitre_valid"}}
{"text": "Any app can ask for accessibility permissions and implement features such as screen reading , changing sizes and colors of objects , hearing enhancements , replacing touch with other forms of control and more .", "spans": {}, "info": {"id": "cyner_mitre_valid_00711", "source": "cyner_mitre_valid"}}
{"text": "In recent years , some malicious Android applications abused these accessibility services in various attack scenarios .", "spans": {"System: Android": [[33, 40]]}, "info": {"id": "cyner_mitre_valid_00712", "source": "cyner_mitre_valid"}}
{"text": "Once on the device , as installed by a duped user , the TrickMo component opens and sends an intent to start the accessibility settings activity , coercing the user to grant it with accessibility permissions .", "spans": {"Malware: TrickMo": [[56, 63]]}, "info": {"id": "cyner_mitre_valid_00713", "source": "cyner_mitre_valid"}}
{"text": "Then , it uses the accessibility service for its malicious operations , some of which include : Preventing the user from uninstalling the app Becoming the default SMS app by changing device settings Monitoring the currently running application ( s ) Scraping on-screen text Android operating systems include many dialog screens that require the denial , or approval , of app permissions and actions that have to receive input from the user by tapping a button on the screen .", "spans": {"System: Android": [[274, 281]]}, "info": {"id": "cyner_mitre_valid_00714", "source": "cyner_mitre_valid"}}
{"text": "TrickMo uses accessibility services to identify and control some of these screens and make its own choices before giving the user a chance to react .", "spans": {"Malware: TrickMo": [[0, 7]]}, "info": {"id": "cyner_mitre_valid_00715", "source": "cyner_mitre_valid"}}
{"text": "In the image below , we see the malware function that detects such dialogs when they are presented to the user , asking them to tap an option based on predefined choices .", "spans": {}, "info": {"id": "cyner_mitre_valid_00716", "source": "cyner_mitre_valid"}}
{"text": "TrickMo ’ s Persistence Capabilities When it comes to Android-based devices , many applications must find a way to run on the device after a system reboot .", "spans": {"Malware: TrickMo": [[0, 7]], "System: Android-based": [[54, 67]]}, "info": {"id": "cyner_mitre_valid_00717", "source": "cyner_mitre_valid"}}
{"text": "The most common way to achieve this is by creating a broadcast receiver that is registered to the “ android.intent.action.BOOT_COMPLETED ” broadcast action and adding code that boots the application when the broadcast is fired .", "spans": {"Indicator: android.intent.action.BOOT_COMPLETED": [[100, 136]]}, "info": {"id": "cyner_mitre_valid_00718", "source": "cyner_mitre_valid"}}
{"text": "This instruction is especially important for malware that tries to avoid user interaction by running in the background as a service .", "spans": {}, "info": {"id": "cyner_mitre_valid_00719", "source": "cyner_mitre_valid"}}
{"text": "But TrickMo does things differently .", "spans": {"Malware: TrickMo": [[4, 11]]}, "info": {"id": "cyner_mitre_valid_00720", "source": "cyner_mitre_valid"}}
{"text": "Instead of running its service only at boot time , it registers a receiver that listens to the “ android.intent.action.SCREEN_ON ” and “ android.provider.Telephony.SMS_DELIVER ” broadcast actions .", "spans": {"Indicator: android.intent.action.SCREEN_ON": [[97, 128]], "Indicator: android.provider.Telephony.SMS_DELIVER": [[137, 175]]}, "info": {"id": "cyner_mitre_valid_00721", "source": "cyner_mitre_valid"}}
{"text": "It then uses the AlarmManager to set a pending intent that will run its own service after a predefined interval .", "spans": {"System: AlarmManager": [[17, 29]]}, "info": {"id": "cyner_mitre_valid_00722", "source": "cyner_mitre_valid"}}
{"text": "In other words , TrickMo ’ s service will start either after the device becomes interactive or after a new SMS message is received .", "spans": {"Malware: TrickMo": [[17, 24]]}, "info": {"id": "cyner_mitre_valid_00723", "source": "cyner_mitre_valid"}}
{"text": "Tricky Configurations TrickMo uses the shared preferences mechanism to store settings and data that the malware uses at runtime .", "spans": {"Malware: TrickMo": [[22, 29]]}, "info": {"id": "cyner_mitre_valid_00724", "source": "cyner_mitre_valid"}}
{"text": "Some of the settings are Boolean values that act as switches .", "spans": {}, "info": {"id": "cyner_mitre_valid_00725", "source": "cyner_mitre_valid"}}
{"text": "They represent features and can be turned on and off from the command-and-control ( C & C ) server or by an SMS message , effectively instructing the malware to execute certain tasks .", "spans": {}, "info": {"id": "cyner_mitre_valid_00726", "source": "cyner_mitre_valid"}}
{"text": "Some of the settings include : The URL of the C & C server Service wake-up intervals Important package names Accessibility permissions status Lockdown screen status Recording status SMS app status Kill switch status Stealth To keep its resources safer and make analysis more difficult for researchers , TrickMo uses an obfuscator to scramble the names of its functions , classes and variables .", "spans": {"Malware: TrickMo": [[303, 310]]}, "info": {"id": "cyner_mitre_valid_00727", "source": "cyner_mitre_valid"}}
{"text": "A TrickMo version from January 2020 contained code that checks if the app is running on a rooted device or an emulator to prevent analysis .", "spans": {"Malware: TrickMo": [[2, 9]]}, "info": {"id": "cyner_mitre_valid_00728", "source": "cyner_mitre_valid"}}
{"text": "As an example , in the two images below , we can see the encrypted and decrypted shared preferences file , which is encrypted using the Java “ PBEWithMD5AndDES ” algorithm .", "spans": {}, "info": {"id": "cyner_mitre_valid_00729", "source": "cyner_mitre_valid"}}
{"text": "C & C Communications Exfiltrating Device Data To communicate with its master , TrickMo ’ s code contains a hardcoded URL of the C & C server .", "spans": {"Malware: TrickMo": [[79, 86]]}, "info": {"id": "cyner_mitre_valid_00730", "source": "cyner_mitre_valid"}}
{"text": "When it runs , it periodically connects to its designated server via an unencrypted HTTP request and sends over a JSON object that contains data gleaned from the victim ’ s phone .", "spans": {}, "info": {"id": "cyner_mitre_valid_00731", "source": "cyner_mitre_valid"}}
{"text": "The stolen parameters follow : ID IMSI IMEI Phone number Operator AID Model Brand Version Build Battery percentage Wi-Fi connection state Wake time Are logs enabled ?", "spans": {}, "info": {"id": "cyner_mitre_valid_00732", "source": "cyner_mitre_valid"}}
{"text": "Is the malware already set as the default SMS application ?", "spans": {}, "info": {"id": "cyner_mitre_valid_00733", "source": "cyner_mitre_valid"}}
{"text": "[ True/False ] Signal strength Screen active [ True/False ] Orientation Was accessibility permission granted ?", "spans": {}, "info": {"id": "cyner_mitre_valid_00734", "source": "cyner_mitre_valid"}}
{"text": "[ True/False ] Screen size List of the installed applications SMS messages saved on the device It is not uncommon for banking malware to harvest extensive amounts of data from the victim ’ s device .", "spans": {}, "info": {"id": "cyner_mitre_valid_00735", "source": "cyner_mitre_valid"}}
{"text": "The collected data can then be used to generate a unique identifier of the bot or for monetization purposes .", "spans": {}, "info": {"id": "cyner_mitre_valid_00736", "source": "cyner_mitre_valid"}}
{"text": "It can also be sold on the dark web and used in various spoofing attacks .", "spans": {}, "info": {"id": "cyner_mitre_valid_00737", "source": "cyner_mitre_valid"}}
{"text": "For example , since some banks use anti-fraud solutions that only check device fingerprinting , fraudsters can use the collected information to perform fraudulent transactions from a device that mimics that same fingerprint .", "spans": {}, "info": {"id": "cyner_mitre_valid_00738", "source": "cyner_mitre_valid"}}
{"text": "Stealing and Concealing SMS Messages As some banks still use SMS-based transaction authorization , TrickMo is configured to automatically steal all SMS messages that are stored on the device .", "spans": {"Malware: TrickMo": [[99, 106]]}, "info": {"id": "cyner_mitre_valid_00739", "source": "cyner_mitre_valid"}}
{"text": "Once in a while , it sends a packet to its C & C server containing the collected device data along with all the saved SMS messages .", "spans": {}, "info": {"id": "cyner_mitre_valid_00740", "source": "cyner_mitre_valid"}}
{"text": "Since it can use the accessibility service to become the default SMS app , it can also delete the SMS messages so only the attackers can see them .", "spans": {}, "info": {"id": "cyner_mitre_valid_00741", "source": "cyner_mitre_valid"}}
{"text": "In the image below , we can see a packet that was sent to the attacker ’ s C & C containing collected information along with stolen SMS data .", "spans": {}, "info": {"id": "cyner_mitre_valid_00742", "source": "cyner_mitre_valid"}}
{"text": "A Communication Channel via Stolen SMS In addition , TrickMo has an automatic mechanism to send SMS messages to its C & C server .", "spans": {"Malware: TrickMo": [[53, 60]]}, "info": {"id": "cyner_mitre_valid_00743", "source": "cyner_mitre_valid"}}
{"text": "In some cases , it uses this mechanism to send log data of important actions .", "spans": {}, "info": {"id": "cyner_mitre_valid_00744", "source": "cyner_mitre_valid"}}
{"text": "It can save an SMS message on the device , marking it with “ internal ” in the phone number field .", "spans": {}, "info": {"id": "cyner_mitre_valid_00745", "source": "cyner_mitre_valid"}}
{"text": "The SMS message will be instantly sent to the server , informing the malware operator of executed tasks .", "spans": {}, "info": {"id": "cyner_mitre_valid_00746", "source": "cyner_mitre_valid"}}
{"text": "In the image below , we see a log TrickMo sent to the attacker upon becoming the default SMS app .", "spans": {"Malware: TrickMo": [[34, 41]]}, "info": {"id": "cyner_mitre_valid_00747", "source": "cyner_mitre_valid"}}
{"text": "If the malware successfully became the default SMS app , it sends the words “ the app has been replaced ” in Russian .", "spans": {}, "info": {"id": "cyner_mitre_valid_00748", "source": "cyner_mitre_valid"}}
{"text": "If the original SMS app has been restored , it will send “ the app returned to its original place. ” Controlling TrickMo TrickMo ’ s operators can control the malware via two channels : Through its C & C via a plaintext HTTP protocol using JSON objects Through encrypted SMS messages There are predefined commands to change the malware ’ s configuration and make it execute certain tasks .", "spans": {"Malware: TrickMo": [[113, 120], [121, 128]]}, "info": {"id": "cyner_mitre_valid_00749", "source": "cyner_mitre_valid"}}
{"text": "Some of the more interesting commands include : SMS Control Update the address of the C & C server — SMS starting with “ http : // ” Send AES-encrypted SMS message back to sender — SMS starting with “ sms : // ” Update service wake-up interval — “ 2 ” Kill switch — “ 4 ” C & C Control Update the address of the C & C server — “ 1 ” Update service wake-up interval — “ 2 ” Lock the screen — “ 5 ” Display a picture in a WebView from an arbitrary URL — “ 11 ” Send an arbitrary SMS message — “ 8 ” Steal images", "spans": {}, "info": {"id": "cyner_mitre_valid_00750", "source": "cyner_mitre_valid"}}
{"text": "saved on the device — “ 12 ” and “ 13 ” Use the accessibility service to become the default SMS app — “ 6 ” Enable recording of other apps — “ 15 ” Kill switch — “ 4 ” The Lockdown Screen Most thieves don ’ t want to be caught red-handed as they steal — they want to buy some time to get away with the loot .", "spans": {}, "info": {"id": "cyner_mitre_valid_00751", "source": "cyner_mitre_valid"}}
{"text": "The same is true for banking malware .", "spans": {}, "info": {"id": "cyner_mitre_valid_00752", "source": "cyner_mitre_valid"}}
{"text": "Desktop banking malware often blocks the user ’ s access to their banking website after a successful transaction by using web injects that show a variety of “ service unavailable ” screens .", "spans": {}, "info": {"id": "cyner_mitre_valid_00753", "source": "cyner_mitre_valid"}}
{"text": "TrickMo is no different ; the goal is to complete the operation while raising minimal suspicion .", "spans": {"Malware: TrickMo": [[0, 7]]}, "info": {"id": "cyner_mitre_valid_00754", "source": "cyner_mitre_valid"}}
{"text": "After performing a fraudulent action , stealing the OTP/mTAN , TrickMo buys some time by activating the lock screen and preventing the user from accessing their device .", "spans": {"Malware: TrickMo": [[63, 70]]}, "info": {"id": "cyner_mitre_valid_00755", "source": "cyner_mitre_valid"}}
{"text": "This lockdown screen includes two parts : A WebView containing a background picture loaded from a predefined URL .", "spans": {}, "info": {"id": "cyner_mitre_valid_00756", "source": "cyner_mitre_valid"}}
{"text": "This background image likely contains a fake “ software update ” screen .", "spans": {}, "info": {"id": "cyner_mitre_valid_00757", "source": "cyner_mitre_valid"}}
{"text": "A lockdown activity , which is a transparent window shown at the top of the screen that contains a “ loading ” cursor .", "spans": {}, "info": {"id": "cyner_mitre_valid_00758", "source": "cyner_mitre_valid"}}
{"text": "This screen persists on the screen and prevents the user from using the navigation buttons .", "spans": {}, "info": {"id": "cyner_mitre_valid_00759", "source": "cyner_mitre_valid"}}
{"text": "Due to TrickMo ’ s persistence implementation mentioned earlier , this lockdown screen persists after a restart and is re-initiated every time the device becomes interactive .", "spans": {"Malware: TrickMo": [[7, 14]]}, "info": {"id": "cyner_mitre_valid_00760", "source": "cyner_mitre_valid"}}
{"text": "In some cases , TrickMo may use this feature to intercept SMS messages without the knowledge of the user by activating the lockdown screen and intercepting SMS messages in the background .", "spans": {"Malware: TrickMo": [[16, 23]]}, "info": {"id": "cyner_mitre_valid_00761", "source": "cyner_mitre_valid"}}
{"text": "Application Recording — Stealing OTPs and TANs The feature that makes TrickMo different from standard SMS stealers is its unique ability to record the screen when targeted apps are running .", "spans": {"Malware: TrickMo": [[70, 77]]}, "info": {"id": "cyner_mitre_valid_00762", "source": "cyner_mitre_valid"}}
{"text": "This feature was enabled only in newer versions of TrickMo that were tailored specifically for German banks and use a special application for implementing TAN-based 2FA .", "spans": {"Malware: TrickMo": [[51, 58]]}, "info": {"id": "cyner_mitre_valid_00763", "source": "cyner_mitre_valid"}}
{"text": "The application recording is implemented via two methods : Using the Android MediaRecorder class to capture a video of the screen when the targeted application is presented to the user Using the accessibility service to save a text file containing the data of all the objects on the screen Both files are later sent to the C & C server of the attacker .", "spans": {"System: Android": [[69, 76]]}, "info": {"id": "cyner_mitre_valid_00764", "source": "cyner_mitre_valid"}}
{"text": "In the following image , we can see how the malware receives a JSON object from the C & C server containing the command to start recording , the targeted apps and the recorded video size ratio .", "spans": {}, "info": {"id": "cyner_mitre_valid_00765", "source": "cyner_mitre_valid"}}
{"text": "In the image below , the function recursively collects all the text data from the child nodes of each accessibility node .", "spans": {}, "info": {"id": "cyner_mitre_valid_00766", "source": "cyner_mitre_valid"}}
{"text": "In other words , it goes through every object on the screen and saves its text data .", "spans": {}, "info": {"id": "cyner_mitre_valid_00767", "source": "cyner_mitre_valid"}}
{"text": "A TrickMo Kill Switch One of the most interesting features of the TrickMo malware is having its own kill switch .", "spans": {"Malware: TrickMo": [[2, 9]], "Malware: TrickMo malware": [[66, 81]]}, "info": {"id": "cyner_mitre_valid_00768", "source": "cyner_mitre_valid"}}
{"text": "Kill switches are used by many malware authors to remove traces from a device after a successful operation .", "spans": {}, "info": {"id": "cyner_mitre_valid_00769", "source": "cyner_mitre_valid"}}
{"text": "Since TrickMo ’ s HTTP traffic with its C & C server is not encrypted , it can easily be tampered with .", "spans": {"Indicator: HTTP": [[18, 22]]}, "info": {"id": "cyner_mitre_valid_00770", "source": "cyner_mitre_valid"}}
{"text": "In the following image , we can see the function that parses the commands from the C & C server .", "spans": {}, "info": {"id": "cyner_mitre_valid_00771", "source": "cyner_mitre_valid"}}
{"text": "If the returned JSON object has the “ 4 ” key , it will turn on the kill switch and initiate its own removal by sending an intent and seamlessly confirming the uninstall using the accessibility service , all without the victim ever noticing anything .", "spans": {}, "info": {"id": "cyner_mitre_valid_00772", "source": "cyner_mitre_valid"}}
{"text": "The kill switch can also be turned on by SMS .", "spans": {}, "info": {"id": "cyner_mitre_valid_00773", "source": "cyner_mitre_valid"}}
{"text": "This is a bit more complicated since the SMS commands are encrypted and encoded with base64 .", "spans": {}, "info": {"id": "cyner_mitre_valid_00774", "source": "cyner_mitre_valid"}}
{"text": "The encryption algorithm used is RSA , and interestingly , the authors chose to use the private key for decryption and leave it in the code as a hardcoded string .", "spans": {}, "info": {"id": "cyner_mitre_valid_00775", "source": "cyner_mitre_valid"}}
{"text": "The image below shows the function that parses the SMS messages , decrypts them using the hardcoded RSA private key and executes the commands .", "spans": {}, "info": {"id": "cyner_mitre_valid_00776", "source": "cyner_mitre_valid"}}
{"text": "Having analyzed a few variants of the malware , we noticed that the private key was exposed in the code and did not change .", "spans": {}, "info": {"id": "cyner_mitre_valid_00777", "source": "cyner_mitre_valid"}}
{"text": "Therefore , our team managed to generate the public key and craft an SMS message that activated the kill switch .", "spans": {}, "info": {"id": "cyner_mitre_valid_00778", "source": "cyner_mitre_valid"}}
{"text": "This means that the malware can be remotely eliminated by an SMS message .", "spans": {}, "info": {"id": "cyner_mitre_valid_00779", "source": "cyner_mitre_valid"}}
{"text": "Our team was also able to test other commands in the lab either by tampering with the HTTP traffic from the C & C or by sending crafted SMS messages .", "spans": {}, "info": {"id": "cyner_mitre_valid_00780", "source": "cyner_mitre_valid"}}
{"text": "Suspect You ’ re Infected ?", "spans": {}, "info": {"id": "cyner_mitre_valid_00781", "source": "cyner_mitre_valid"}}
{"text": "The following SMS message can be used to kill the sample analyzed in this research and all other variants that use the same private key : HrLbpr3x/htAVnAgYepBuH2xmFDb68TYTt7FwGn0ddGlQJv/hqsctL57ocFU0Oz3L+uhLcOGG7GVBAfHKL1TBQ== Sending this SMS will trigger TrickMo ’ s kill switch by sending the string “ 4 ” encrypted with the generated RSA public key and base64", "spans": {"Malware: TrickMo": [[257, 264]]}, "info": {"id": "cyner_mitre_valid_00782", "source": "cyner_mitre_valid"}}
{"text": "encoded .", "spans": {}, "info": {"id": "cyner_mitre_valid_00783", "source": "cyner_mitre_valid"}}
{"text": "Indicators of Compromise ( IoCs ) hxxp : //mcsoft365.com/c hxxp : //pingconnect.net/c Hashes MD5 : 5c749c9fce8c41bf6bcc9bd8a691621b SHA256 : 284bd2d16092b4d13b6bc85d87950eb4c5e8cbba9af2a04d76d88da2f26c485c MD5 : b264af5d2f3390e465052ab502b0726d", "spans": {"Indicator: hxxp : //mcsoft365.com/c hxxp : //pingconnect.net/c": [[34, 85]], "Indicator: 5c749c9fce8c41bf6bcc9bd8a691621b": [[99, 131]], "Indicator: 284bd2d16092b4d13b6bc85d87950eb4c5e8cbba9af2a04d76d88da2f26c485c": [[141, 205]], "Indicator: b264af5d2f3390e465052ab502b0726d": [[212, 244]]}, "info": {"id": "cyner_mitre_valid_00784", "source": "cyner_mitre_valid"}}
{"text": "SHA256 : 8ab1712ce9ca2d7952ab763d8a4872aa6a278c3f60dc13e0aebe59f50e6e30f6 The TrickMo Factor The TrickBot Trojan was one of the most active banking malware strains in the cybercrime arena in 2019 .", "spans": {"Indicator: 8ab1712ce9ca2d7952ab763d8a4872aa6a278c3f60dc13e0aebe59f50e6e30f6": [[9, 73]], "Malware: TrickMo": [[78, 85]], "Malware: TrickBot Trojan": [[97, 112]]}, "info": {"id": "cyner_mitre_valid_00785", "source": "cyner_mitre_valid"}}
{"text": "From our analysis , it is apparent that TrickMo is designed to help TrickBot break the most recent methods of TAN-based authentication .", "spans": {"Malware: TrickMo": [[40, 47]], "Malware: TrickBot": [[68, 76]]}, "info": {"id": "cyner_mitre_valid_00786", "source": "cyner_mitre_valid"}}
{"text": "One of the most significant features TrickMo possesses is the app recording feature , which is what gives TrickBot the ability to overcome the newer pushTAN app validations deployed by banks .", "spans": {"Malware: TrickMo": [[37, 44]], "Malware: TrickBot": [[106, 114]]}, "info": {"id": "cyner_mitre_valid_00787", "source": "cyner_mitre_valid"}}
{"text": "SimBad : A Rogue Adware Campaign On Google Play March 13 , 2019 Check Point researchers from the Mobile Threat Team have discovered a new adware campaign on the Google Play Store .", "spans": {"Malware: SimBad": [[0, 6]], "System: Google Play": [[36, 47]], "Organization: Check Point": [[64, 75]], "System: Google Play Store": [[161, 178]]}, "info": {"id": "cyner_mitre_valid_00788", "source": "cyner_mitre_valid"}}
{"text": "This particular strain of Adware was found in 206 applications , and the combined download count has reached almost 150 million .", "spans": {}, "info": {"id": "cyner_mitre_valid_00789", "source": "cyner_mitre_valid"}}
{"text": "Google was swiftly notified and removed the infected applications from the Google Play Store .", "spans": {"Organization: Google": [[0, 6]], "System: Google Play": [[75, 86]]}, "info": {"id": "cyner_mitre_valid_00790", "source": "cyner_mitre_valid"}}
{"text": "Inside the SDK The malware resides within the ‘ RXDrioder ’ Software Development Kit ( SDK ) , which is provided by ‘ addroider [ .", "spans": {"Indicator: addroider [ .": [[118, 131]]}, "info": {"id": "cyner_mitre_valid_00791", "source": "cyner_mitre_valid"}}
{"text": "] com ’ as an ad-related SDK .", "spans": {}, "info": {"id": "cyner_mitre_valid_00792", "source": "cyner_mitre_valid"}}
{"text": "We believe the developers were scammed into using this malicious SDK , unaware of its content , which means that this campaign was not targeting a specific country and that the infected apps were not developed by the same developer .", "spans": {}, "info": {"id": "cyner_mitre_valid_00793", "source": "cyner_mitre_valid"}}
{"text": "The malware has been dubbed ‘ SimBad ’ due to the fact that a large portion of the infected applications are simulator games .", "spans": {"Malware: SimBad": [[30, 36]]}, "info": {"id": "cyner_mitre_valid_00794", "source": "cyner_mitre_valid"}}
{"text": "The Infection Chain Once the user downloads and installs one of the infected applications , ‘ SimBad ’ registers itself to the ‘ BOOT_COMPLETE ’ and ‘ USER_PRESENT ’ intents , which lets ‘ SimBad ’ perform actions after the device has finished booting and while the user is using his device respectively .", "spans": {"Malware: SimBad": [[94, 100], [189, 195]]}, "info": {"id": "cyner_mitre_valid_00795", "source": "cyner_mitre_valid"}}
{"text": "After installation , the malware connects to the designated Command and Control ( C & C ) server , and receives a command to perform .", "spans": {}, "info": {"id": "cyner_mitre_valid_00796", "source": "cyner_mitre_valid"}}
{"text": "‘ SimBad ’ comes with a respectable list of capabilities on the user ’ s device , such as removing the icon from the launcher , thus making it harder for the user to uninstall , displaying background ads and opening a browser with a given URL .", "spans": {"Malware: SimBad": [[2, 8]]}, "info": {"id": "cyner_mitre_valid_00797", "source": "cyner_mitre_valid"}}
{"text": "What Does SimBad Do ?", "spans": {"Malware: SimBad": [[10, 16]]}, "info": {"id": "cyner_mitre_valid_00798", "source": "cyner_mitre_valid"}}
{"text": "‘ SimBad ’ has capabilities that can be divided into three groups – Show Ads , Phishing , and Exposure to other applications .", "spans": {"Malware: SimBad": [[2, 8]]}, "info": {"id": "cyner_mitre_valid_00799", "source": "cyner_mitre_valid"}}
{"text": "With the capability to open a given URL in a browser , the actor behind ‘ SimBad ’ can generate phishing pages for multiple platforms and open them in a browser , thus performing spear-phishing attacks on the user .", "spans": {"Malware: SimBad": [[74, 80]]}, "info": {"id": "cyner_mitre_valid_00800", "source": "cyner_mitre_valid"}}
{"text": "With the capability to open market applications , such as Google Play and 9Apps , with a specific keyword search or even a single application ’ s page , the actor can gain exposure for other threat actors and increase his profits .", "spans": {"System: Google Play": [[58, 69]], "System: 9Apps": [[74, 79]]}, "info": {"id": "cyner_mitre_valid_00801", "source": "cyner_mitre_valid"}}
{"text": "The actor can even take his malicious activities to the next level by installing a remote application from a designated server , thus allowing him to install new malware once it is required .", "spans": {}, "info": {"id": "cyner_mitre_valid_00802", "source": "cyner_mitre_valid"}}
{"text": "The C & C server observed in this campaign is ‘ www [ .", "spans": {"Indicator: www [ .": [[48, 55]]}, "info": {"id": "cyner_mitre_valid_00803", "source": "cyner_mitre_valid"}}
{"text": "] addroider.com ’ .", "spans": {}, "info": {"id": "cyner_mitre_valid_00804", "source": "cyner_mitre_valid"}}
{"text": "This server runs an instance of ‘ Parse Server ’ ( source on GitHub ) , an open source version of the Parse Backend infrastructure , which is a model for providing web app and mobile app developers with a way to link their applications to backend cloud storage and APIs exposed by back-end applications , while also providing features such as user management , push notifications and more .", "spans": {"Organization: GitHub": [[61, 67]]}, "info": {"id": "cyner_mitre_valid_00805", "source": "cyner_mitre_valid"}}
{"text": "The domain ‘ addroider [ .", "spans": {"Indicator: addroider [ .": [[13, 26]]}, "info": {"id": "cyner_mitre_valid_00806", "source": "cyner_mitre_valid"}}
{"text": "] com ’ was registered via GoDaddy , and uses a privacy protection service .", "spans": {"Organization: GoDaddy": [[27, 34]]}, "info": {"id": "cyner_mitre_valid_00807", "source": "cyner_mitre_valid"}}
{"text": "While accessing the domain from a browser you get a login page very similar to other malware panels .", "spans": {}, "info": {"id": "cyner_mitre_valid_00808", "source": "cyner_mitre_valid"}}
{"text": "The ‘ Register ’ and ‘ Sign Up ’ links are broken and ‘ redirect ’ the user back to the login page .", "spans": {}, "info": {"id": "cyner_mitre_valid_00809", "source": "cyner_mitre_valid"}}
{"text": "According to RiskIQ ’ s PassiveTotal , the domain expired 7 months ago .", "spans": {"System: RiskIQ": [[13, 19]]}, "info": {"id": "cyner_mitre_valid_00810", "source": "cyner_mitre_valid"}}
{"text": "As a result , it may be that we are looking at a compromised , parked domain that was initially used legitimately , but is now participating in malicious activities .", "spans": {}, "info": {"id": "cyner_mitre_valid_00811", "source": "cyner_mitre_valid"}}
{"text": "With the capabilities of showing out-of-scope ads , exposing the user to other applications , and opening a URL in a browser , ‘ SimBad ’ acts now as an Adware , but already has the infrastructure to evolve into a much larger threat .", "spans": {"Malware: SimBad": [[129, 135]]}, "info": {"id": "cyner_mitre_valid_00812", "source": "cyner_mitre_valid"}}