Add files using upload-large-folder tool
df108c1 verified
{"text": "Why Did Chinese Spyware Linger in U.S .", "spans": {}, "info": {"id": "securebert2_test_00000", "source": "securebert2_test"}}
{"text": "Phones ? November 16 , 2016 In what 's being chalked up as an apparent mistake , more than 120,000 Android phones sold in the U.S. were shipped with spying code that sent text messages , call logs and other sensitive data to a server in Shanghai .", "spans": {"System: Android": [[99, 106]]}, "info": {"id": "securebert2_test_00001", "source": "securebert2_test"}}
{"text": "The New York Times reported on Nov. 15 that Kryptowire , a mobile enterprise security company , discovered the code on a lower-end smartphone made by BLU Products of Doral , Fla .", "spans": {"Organization: New York Times": [[4, 18]], "Organization: Kryptowire": [[44, 54]], "Organization: BLU": [[150, 153]]}, "info": {"id": "securebert2_test_00002", "source": "securebert2_test"}}
{"text": "The phones are sold at Best Buy and Amazon.com , among other retail outlets .", "spans": {"Organization: Best Buy": [[23, 31]], "Organization: Amazon.com": [[36, 46]]}, "info": {"id": "securebert2_test_00003", "source": "securebert2_test"}}
{"text": "Kryptowire says the code , which it found on a BLU R1 HD devices , transmitted fine-grained location information and allowed for the remote installation of other apps .", "spans": {"Organization: Kryptowire": [[0, 10]], "Organization: BLU": [[47, 50]]}, "info": {"id": "securebert2_test_00004", "source": "securebert2_test"}}
{"text": "Text message and call logs were transmitted every 72 hours to the Shanghai server , and once a day for other personally identifiable data , the company says .", "spans": {}, "info": {"id": "securebert2_test_00005", "source": "securebert2_test"}}
{"text": "It turns out , however , that other security researchers noticed suspicious and faulty code on BLU devices as early as March 2015 , and it has taken nearly that long to remove it from the company 's devices .", "spans": {"Organization: BLU": [[95, 98]]}, "info": {"id": "securebert2_test_00006", "source": "securebert2_test"}}
{"text": "The finding , in part , shows the risk that can come in opting for less expensive smartphones , whose manufacturers may not diligently fix security vulnerabilities .", "spans": {"Vulnerability: security vulnerabilities": [[139, 163]]}, "info": {"id": "securebert2_test_00007", "source": "securebert2_test"}}
{"text": "It 's also raising eyebrows because of the connection with China , which has frequently sparred with the U.S. over cyber espionage .", "spans": {}, "info": {"id": "securebert2_test_00008", "source": "securebert2_test"}}
{"text": "BLU Products has now updated its phones to remove the spying code , which most likely would have never been detected by regular users .", "spans": {"Organization: BLU": [[0, 3]]}, "info": {"id": "securebert2_test_00009", "source": "securebert2_test"}}
{"text": "The code never informed phone users that it was collecting that data , a behavior uniformly viewed by many as a serious security concern .", "spans": {}, "info": {"id": "securebert2_test_00010", "source": "securebert2_test"}}
{"text": "The developer of the code , Shanghai Adups Technology Co. , has apologized , contending that the code was intended for another one of its clients who requested better blocking of junk text messages and marketing calls .", "spans": {"Organization: Shanghai Adups Technology Co.": [[28, 57]]}, "info": {"id": "securebert2_test_00011", "source": "securebert2_test"}}
{"text": "Vulnerabilities Reported BLU Products , founded in 2009 , makes lower-end Android-powered smartphones that sell for as little as $ 50 on Amazon .", "spans": {"System: Android-powered": [[74, 89]], "Organization: Amazon": [[137, 143]]}, "info": {"id": "securebert2_test_00012", "source": "securebert2_test"}}
{"text": "Like many original equipment manufacturers , it uses software components from other developers .", "spans": {}, "info": {"id": "securebert2_test_00013", "source": "securebert2_test"}}
{"text": "The company uses a type of software from Adups that 's nicknamed FOTA , short for firmware over-the-air .", "spans": {"Organization: Adups": [[41, 46]], "System: FOTA": [[65, 69]]}, "info": {"id": "securebert2_test_00014", "source": "securebert2_test"}}
{"text": "The software manages the delivery of firmware updates over-the-air , the term used for transmission via a mobile network .", "spans": {}, "info": {"id": "securebert2_test_00015", "source": "securebert2_test"}}
{"text": "Firmware is low-level code deep in an operating system that often has high access privileges , so it 's critical that it 's verified and contains no software vulnerabilities .", "spans": {}, "info": {"id": "securebert2_test_00016", "source": "securebert2_test"}}
{"text": "Long before Kryptowire 's announcement , Tim Strazzere , a mobile security researcher with RedNaga Security , contacted BLU Products in March 2015 after he found two vulnerabilities that could be traced to Adup 's code .", "spans": {"Organization: Kryptowire": [[12, 22]], "Organization: RedNaga Security": [[91, 107]], "Organization: Adup": [[206, 210]]}, "info": {"id": "securebert2_test_00017", "source": "securebert2_test"}}
{"text": "Those vulnerabilities could have enabled someone to gain broad access to an Android device .", "spans": {"System: Android": [[76, 83]]}, "info": {"id": "securebert2_test_00018", "source": "securebert2_test"}}
{"text": "Strazzere 's colleague , Jon Sawyer , suggested on Twitter that the vulnerabilities might have not been there by mistake , but rather included as intentionally coded backdoors .", "spans": {"Organization: Twitter": [[51, 58]]}, "info": {"id": "securebert2_test_00019", "source": "securebert2_test"}}
{"text": "He posted a tweet to The New York Times report , sarcastically writing , \" If only two people had called this company out for their backdoors several times over the last few years .", "spans": {"Organization: New York Times": [[25, 39]]}, "info": {"id": "securebert2_test_00020", "source": "securebert2_test"}}
{"text": "'' Strazzere 's experience in trying to contact both vendors last year is typical of the frustrations frequently faced by security researchers .", "spans": {}, "info": {"id": "securebert2_test_00021", "source": "securebert2_test"}}
{"text": "\" I tried reaching out to Adups and never heard back , '' Strazzere tells Information Security Media Group .", "spans": {"Organization: Adups": [[26, 31]], "Organization: Information Security Media Group": [[74, 106]]}, "info": {"id": "securebert2_test_00022", "source": "securebert2_test"}}
{"text": "\" BLU said they had no security department when I emailed them .", "spans": {"Organization: BLU": [[2, 5]]}, "info": {"id": "securebert2_test_00023", "source": "securebert2_test"}}
{"text": "'' Strazzere says he also failed to reach MediaTek , a Taiwanese fabless semiconductor manufacturer whose chipsets that powered BLU phones also contained Adups software .", "spans": {"Organization: MediaTek": [[42, 50]], "Organization: BLU": [[128, 131]], "Organization: Adups": [[154, 159]]}, "info": {"id": "securebert2_test_00024", "source": "securebert2_test"}}
{"text": "To their credit , both Google and Amazon appear to have put pressure on device manufacturers to fix their devices when flaws are found , Strazzere says .", "spans": {"Organization: Google": [[23, 29]], "Organization: Amazon": [[34, 40]]}, "info": {"id": "securebert2_test_00025", "source": "securebert2_test"}}
{"text": "For Google , Android security issues - even if not in the core operating code - are a reputation threat , and for Amazon , a product quality issue .", "spans": {"Organization: Google": [[4, 10]], "Organization: Amazon": [[114, 120]]}, "info": {"id": "securebert2_test_00026", "source": "securebert2_test"}}
{"text": "But devices sold outside of Amazon \" might not have ever seen fixes , '' he says .", "spans": {"Organization: Amazon": [[28, 34]]}, "info": {"id": "securebert2_test_00027", "source": "securebert2_test"}}
{"text": "Officials at BLU could n't be immediately reached for comment .", "spans": {"Organization: BLU": [[13, 16]]}, "info": {"id": "securebert2_test_00028", "source": "securebert2_test"}}
{"text": "Attitude Change The disinterest in the issues appears to have changed with The New York Times report , which lit a fire underneath Adups and BLU .", "spans": {"Organization: New York Times": [[79, 93]], "Organization: Adups": [[131, 136]], "Organization: BLU": [[141, 144]]}, "info": {"id": "securebert2_test_00029", "source": "securebert2_test"}}
{"text": "Adups addressed the issue in a Nov. 16 news release , writing that some products made by BLU were updated in June with a version of its FOTA that had actually been intended for other clients who had requested an ability to stop text spam .", "spans": {"Organization: Adups": [[0, 5]], "Organization: BLU": [[89, 92]], "System: FOTA": [[136, 140]]}, "info": {"id": "securebert2_test_00030", "source": "securebert2_test"}}
{"text": "That version flags messages \" containing certain language associated with junk texts and flags numbers associated with junk calls and not in a user 's contacts , '' the company says .", "spans": {}, "info": {"id": "securebert2_test_00031", "source": "securebert2_test"}}
{"text": "Manufacturers should be keeping close tabs on what software ends up on their devices .", "spans": {}, "info": {"id": "securebert2_test_00032", "source": "securebert2_test"}}
{"text": "But it would appear that BLU only took action after Kryptowire notified it along with Google , Adups and Amazon .", "spans": {"Organization: BLU": [[25, 28]], "Organization: Kryptowire": [[52, 62]], "Organization: Google": [[86, 92]], "Organization: Adups": [[95, 100]], "Organization: Amazon": [[105, 111]]}, "info": {"id": "securebert2_test_00033", "source": "securebert2_test"}}
{"text": "\" When BLU raised objections , Adups took immediate measures to disable that functionality on BLU phones , '' Adups says .", "spans": {"Organization: BLU": [[7, 10], [94, 97]], "Organization: Adups": [[31, 36]]}, "info": {"id": "securebert2_test_00034", "source": "securebert2_test"}}
{"text": "The greater worry is that these situations may sometimes not be simple mistakes .", "spans": {}, "info": {"id": "securebert2_test_00035", "source": "securebert2_test"}}
{"text": "Security experts have long warned of the ability of advanced adversaries to subvert hardware and software supply chains .", "spans": {}, "info": {"id": "securebert2_test_00036", "source": "securebert2_test"}}
{"text": "Also , the software vulnerabilities pointed out in the FOTA software by Strazzere in 2015 could have been taken advantage of by cybercriminals looking to steal bank account details or execute other frauds .", "spans": {"Vulnerability: software vulnerabilities": [[11, 35]], "System: FOTA": [[55, 59]]}, "info": {"id": "securebert2_test_00037", "source": "securebert2_test"}}
{"text": "Strazzere advises that consumers should look at the pedigree of mobile manufacturers and take a close look at their security track record before making a decision on what device to buy .", "spans": {}, "info": {"id": "securebert2_test_00038", "source": "securebert2_test"}}
{"text": "\" In the end , the consumer needs to vote with their wallet , '' he says .", "spans": {}, "info": {"id": "securebert2_test_00039", "source": "securebert2_test"}}
{"text": "Skygofree : Following in the footsteps of HackingTeam 16 JAN 2018 At the beginning of October 2017 , we discovered new Android spyware with several features previously unseen in the wild .", "spans": {"Malware: Skygofree": [[0, 9]], "Organization: HackingTeam": [[42, 53]], "System: Android": [[119, 126]]}, "info": {"id": "securebert2_test_00040", "source": "securebert2_test"}}
{"text": "In the course of further research , we found a number of related samples that point to a long-term development process .", "spans": {}, "info": {"id": "securebert2_test_00041", "source": "securebert2_test"}}
{"text": "We believe the initial versions of this malware were created at least three years ago – at the end of 2014 .", "spans": {}, "info": {"id": "securebert2_test_00042", "source": "securebert2_test"}}
{"text": "Since then , the implant ’ s functionality has been improving and remarkable new features implemented , such as the ability to record audio surroundings via the microphone when an infected device is in a specified location ; the stealing of WhatsApp messages via Accessibility Services ; and the ability to connect an infected device to Wi-Fi networks controlled by cybercriminals .", "spans": {"System: WhatsApp": [[241, 249]]}, "info": {"id": "securebert2_test_00043", "source": "securebert2_test"}}
{"text": "We observed many web landing pages that mimic the sites of mobile operators and which are used to spread the Android implants .", "spans": {"System: Android": [[109, 116]]}, "info": {"id": "securebert2_test_00044", "source": "securebert2_test"}}
{"text": "These domains have been registered by the attackers since 2015 .", "spans": {}, "info": {"id": "securebert2_test_00045", "source": "securebert2_test"}}
{"text": "According to our telemetry , that was the year the distribution campaign was at its most active .", "spans": {}, "info": {"id": "securebert2_test_00046", "source": "securebert2_test"}}
{"text": "The activities continue : the most recently observed domain was registered on October 31 , 2017 .", "spans": {}, "info": {"id": "securebert2_test_00047", "source": "securebert2_test"}}
{"text": "Based on our KSN statistics , there are several infected individuals , exclusively in Italy .", "spans": {}, "info": {"id": "securebert2_test_00048", "source": "securebert2_test"}}
{"text": "Moreover , as we dived deeper into the investigation , we discovered several spyware tools for Windows that form an implant for exfiltrating sensitive data on a targeted machine .", "spans": {"System: Windows": [[95, 102]]}, "info": {"id": "securebert2_test_00049", "source": "securebert2_test"}}
{"text": "The version we found was built at the beginning of 2017 , and at the moment we are not sure whether this implant has been used in the wild .", "spans": {}, "info": {"id": "securebert2_test_00050", "source": "securebert2_test"}}
{"text": "We named the malware Skygofree , because we found the word in one of the domains * .", "spans": {"Malware: Skygofree": [[21, 30]]}, "info": {"id": "securebert2_test_00051", "source": "securebert2_test"}}
{"text": "Malware Features Android According to the observed samples and their signatures , early versions of this Android malware were developed by the end of 2014 and the campaign has remained active ever since .", "spans": {"System: Android": [[17, 24], [105, 112]]}, "info": {"id": "securebert2_test_00052", "source": "securebert2_test"}}
{"text": "The code and functionality have changed numerous times ; from simple unobfuscated malware at the beginning to sophisticated multi-stage spyware that gives attackers full remote control of the infected device .", "spans": {}, "info": {"id": "securebert2_test_00053", "source": "securebert2_test"}}
{"text": "We have examined all the detected versions , including the latest one that is signed by a certificate valid from September 14 , 2017 .", "spans": {}, "info": {"id": "securebert2_test_00054", "source": "securebert2_test"}}
{"text": "The implant provides the ability to grab a lot of exfiltrated data , like call records , text messages , geolocation , surrounding audio , calendar events , and other memory information stored on the device .", "spans": {}, "info": {"id": "securebert2_test_00055", "source": "securebert2_test"}}
{"text": "After manual launch , it shows a fake welcome notification to the user : Dear Customer , we ’ re updating your configuration and it will be ready as soon as possible .", "spans": {}, "info": {"id": "securebert2_test_00056", "source": "securebert2_test"}}
{"text": "At the same time , it hides an icon and starts background services to hide further actions from the user .", "spans": {}, "info": {"id": "securebert2_test_00057", "source": "securebert2_test"}}
{"text": "Service Name Purpose AndroidAlarmManager Uploading last recorded .amr audio AndroidSystemService Audio recording AndroidSystemQueues Location tracking with movement detection ClearSystems GSM tracking ( CID , LAC , PSC ) ClipService Clipboard stealing AndroidFileManager Uploading all exfiltrated data AndroidPush XMPP C & C protocol ( url.plus:5223 ) RegistrationService Registration on C & C via HTTP ( url.plus/app/pro/ ) Interestingly , a self-protection feature was implemented in almost every service .", "spans": {"System: GSM": [[188, 191]], "Indicator: url.plus:5223": [[336, 349]], "Indicator: url.plus/app/pro/": [[405, 422]]}, "info": {"id": "securebert2_test_00058", "source": "securebert2_test"}}
{"text": "Since in Android 8.0 ( SDK API 26 ) the system is able to kill idle services , this code raises a fake update notification to prevent it : Cybercriminals have the ability to control the implant via HTTP , XMPP , binary SMS and FirebaseCloudMessaging ( or GoogleCloudMessaging in older versions ) protocols .", "spans": {"System: Android 8.0": [[9, 20]]}, "info": {"id": "securebert2_test_00059", "source": "securebert2_test"}}
{"text": "Such a diversity of protocols gives the attackers more flexible control .", "spans": {}, "info": {"id": "securebert2_test_00060", "source": "securebert2_test"}}
{"text": "In the latest implant versions there are 48 different commands .", "spans": {}, "info": {"id": "securebert2_test_00061", "source": "securebert2_test"}}
{"text": "You can find a full list with short descriptions in the Appendix .", "spans": {}, "info": {"id": "securebert2_test_00062", "source": "securebert2_test"}}
{"text": "Here are some of the most notable : ‘ geofence ’ – this command adds a specified location to the implant ’ s internal database and when it matches a device ’ s current location the malware triggers and begins to record surrounding audio .", "spans": {}, "info": {"id": "securebert2_test_00063", "source": "securebert2_test"}}
{"text": "“ social ” – this command that starts the ‘ AndroidMDMSupport ’ service – this allows the files of any other installed application to be grabbed .", "spans": {}, "info": {"id": "securebert2_test_00064", "source": "securebert2_test"}}
{"text": "The service name makes it clear that by applications the attackers mean MDM solutions that are business-specific tools .", "spans": {}, "info": {"id": "securebert2_test_00065", "source": "securebert2_test"}}
{"text": "The operator can specify a path with the database of any targeted application and server-side PHP script name for uploading .", "spans": {}, "info": {"id": "securebert2_test_00066", "source": "securebert2_test"}}
{"text": "Several hardcoded applications targeted by the MDM-grabbing command ‘ wifi ’ – this command creates a new Wi-Fi connection with specified configurations from the command and enable Wi-Fi if it is disabled .", "spans": {}, "info": {"id": "securebert2_test_00067", "source": "securebert2_test"}}
{"text": "So , when a device connects to the established network , this process will be in silent and automatic mode .", "spans": {}, "info": {"id": "securebert2_test_00068", "source": "securebert2_test"}}
{"text": "This command is used to connect the victim to a Wi-Fi network controlled by the cybercriminals to perform traffic sniffing and man-in-the-middle ( MitM ) attacks .", "spans": {}, "info": {"id": "securebert2_test_00069", "source": "securebert2_test"}}
{"text": "addWifiConfig method code fragments ‘ camera ’ – this command records a video/capture a photo using the front-facing camera when someone next unlocks the device .", "spans": {}, "info": {"id": "securebert2_test_00070", "source": "securebert2_test"}}
{"text": "Some versions of the Skygofree feature the self-protection ability exclusively for Huawei devices .", "spans": {"Malware: Skygofree": [[21, 30]], "Organization: Huawei": [[83, 89]]}, "info": {"id": "securebert2_test_00071", "source": "securebert2_test"}}
{"text": "There is a ‘ protected apps ’ list in this brand ’ s smartphones , related to a battery-saving concept .", "spans": {}, "info": {"id": "securebert2_test_00072", "source": "securebert2_test"}}
{"text": "Apps not selected as protected apps stop working once the screen is off and await re-activation , so the implant is able to determine that it is running on a Huawei device and add itself to this list .", "spans": {"Organization: Huawei": [[158, 164]]}, "info": {"id": "securebert2_test_00073", "source": "securebert2_test"}}
{"text": "Due to this feature , it is clear that the developers paid special attention to the work of the implant on Huawei devices .", "spans": {"Organization: Huawei": [[107, 113]]}, "info": {"id": "securebert2_test_00074", "source": "securebert2_test"}}
{"text": "Also , we found a debug version of the implant ( 70a937b2504b3ad6c623581424c7e53d ) that contains interesting constants , including the version of the spyware .", "spans": {"Indicator: 70a937b2504b3ad6c623581424c7e53d": [[49, 81]]}, "info": {"id": "securebert2_test_00075", "source": "securebert2_test"}}
{"text": "Debug BuildConfig with the version After a deep analysis of all discovered versions of Skygofree , we made an approximate timeline of the implant ’ s evolution .", "spans": {"Malware: Skygofree": [[87, 96]]}, "info": {"id": "securebert2_test_00076", "source": "securebert2_test"}}
{"text": "Mobile implant evolution timeline However , some facts indicate that the APK samples from stage two can also be used separately as the first step of the infection .", "spans": {}, "info": {"id": "securebert2_test_00077", "source": "securebert2_test"}}
{"text": "Below is a list of the payloads used by the Skygofree implant in the second and third stages .", "spans": {"Malware: Skygofree": [[44, 53]]}, "info": {"id": "securebert2_test_00078", "source": "securebert2_test"}}
{"text": "Reverse shell payload The reverse shell module is an external ELF file compiled by the attackers to run on Android .", "spans": {"System: Android": [[107, 114]]}, "info": {"id": "securebert2_test_00079", "source": "securebert2_test"}}
{"text": "The choice of a particular payload is determined by the implant ’ s version , and it can be downloaded from the command and control ( C & C ) server soon after the implant starts , or after a specific command .", "spans": {}, "info": {"id": "securebert2_test_00080", "source": "securebert2_test"}}
{"text": "In the most recent case , the choice of the payload zip file depends on the device process architecture .", "spans": {}, "info": {"id": "securebert2_test_00081", "source": "securebert2_test"}}
{"text": "For now , we observe only one payload version for following the ARM CPUs : arm64-v8a , armeabi , armeabi-v7a .", "spans": {"System: ARM": [[64, 67]], "System: arm64-v8a": [[75, 84]], "System: armeabi": [[87, 94]], "System: armeabi-v7a": [[97, 108]]}, "info": {"id": "securebert2_test_00082", "source": "securebert2_test"}}
{"text": "Note that in almost all cases , this payload file , contained in zip archives , is named ‘ setting ’ or ‘ setting.o ’ .", "spans": {"Indicator: setting": [[91, 98]], "Indicator: setting.o": [[106, 115]]}, "info": {"id": "securebert2_test_00083", "source": "securebert2_test"}}
{"text": "The main purpose of this module is providing reverse shell features on the device by connecting with the C & C server ’ s socket .", "spans": {}, "info": {"id": "securebert2_test_00084", "source": "securebert2_test"}}
{"text": "Reverse shell payload The payload is started by the main module with a specified host and port as a parameter that is hardcoded to ‘ 54.67.109.199 ’ and ‘ 30010 ’ in some versions : Alternatively , they could be hardcoded directly into the payload code : We also observed variants that were equipped with similar reverse shell payloads directly in the main APK /lib/ path .", "spans": {"Indicator: 54.67.109.199": [[133, 146]], "Indicator: 30010": [[155, 160]]}, "info": {"id": "securebert2_test_00085", "source": "securebert2_test"}}
{"text": "Equipped reverse shell payload with specific string After an in-depth look , we found that some versions of the reverse shell payload code share similarities with PRISM – a stealth reverse shell backdoor that is available on Github .", "spans": {"Malware: PRISM": [[163, 168]], "Organization: Github": [[225, 231]]}, "info": {"id": "securebert2_test_00086", "source": "securebert2_test"}}
{"text": "Reverse shell payload from update_dev.zip Exploit payload At the same time , we found an important payload binary that is trying to exploit several known vulnerabilities and escalate privileges .", "spans": {"Indicator: update_dev.zip": [[27, 41]]}, "info": {"id": "securebert2_test_00087", "source": "securebert2_test"}}
{"text": "According to several timestamps , this payload is used by implant versions created since 2016 .", "spans": {}, "info": {"id": "securebert2_test_00088", "source": "securebert2_test"}}
{"text": "It can also be downloaded by a specific command .", "spans": {}, "info": {"id": "securebert2_test_00089", "source": "securebert2_test"}}
{"text": "The exploit payload contains following file components : Component name Description run_root_shell/arrs_put_user.o/arrs_put_user/poc Exploit ELF db Sqlite3 tool ELF device.db Sqlite3 database with supported devices and their constants needed for privilege escalation ‘ device.db ’ is a database used by the exploit .", "spans": {"Indicator: run_root_shell/arrs_put_user.o/arrs_put_user/poc": [[84, 132]], "Indicator: device.db": [[165, 174], [269, 278]]}, "info": {"id": "securebert2_test_00090", "source": "securebert2_test"}}
{"text": "It contains two tables – ‘ supported_devices ’ and ‘ device_address ’ .", "spans": {}, "info": {"id": "securebert2_test_00091", "source": "securebert2_test"}}
{"text": "The first table contains 205 devices with some Linux properties ; the second contains the specific memory addresses associated with them that are needed for successful exploitation .", "spans": {"System: Linux": [[47, 52]]}, "info": {"id": "securebert2_test_00092", "source": "securebert2_test"}}
{"text": "You can find a full list of targeted models in the Appendix .", "spans": {}, "info": {"id": "securebert2_test_00093", "source": "securebert2_test"}}
{"text": "Fragment of the database with targeted devices and specific memory addresses If the infected device is not listed in this database , the exploit tries to discover these addresses programmatically .", "spans": {}, "info": {"id": "securebert2_test_00094", "source": "securebert2_test"}}
{"text": "After downloading and unpacking , the main module executes the exploit binary file .", "spans": {}, "info": {"id": "securebert2_test_00095", "source": "securebert2_test"}}
{"text": "Once executed , the module attempts to get root privileges on the device by exploiting the following vulnerabilities : CVE-2013-2094 CVE-2013-2595 CVE-2013-6282 CVE-2014-3153 ( futex aka TowelRoot ) CVE-2015-3636 Exploitation process After an in-depth look , we found that the exploit payload code shares several similarities with the public project android-rooting-tools .", "spans": {"Vulnerability: CVE-2013-2094": [[119, 132]], "Vulnerability: CVE-2013-2595": [[133, 146]], "Vulnerability: CVE-2013-6282": [[147, 160]], "Vulnerability: CVE-2014-3153": [[161, 174]], "Vulnerability: futex": [[177, 182]], "Vulnerability: TowelRoot": [[187, 196]], "Vulnerability: CVE-2015-3636": [[199, 212]]}, "info": {"id": "securebert2_test_00096", "source": "securebert2_test"}}
{"text": "Decompiled exploit function code fragment run_with_mmap function from the android-rooting-tools project As can be seen from the comparison , there are similar strings and also a unique comment in Italian , so it looks like the attackers created this exploit payload based on android-rooting-tools project source code .", "spans": {"System: android-rooting-tools": [[74, 95], [275, 296]]}, "info": {"id": "securebert2_test_00097", "source": "securebert2_test"}}
{"text": "Busybox payload Busybox is public software that provides several Linux tools in a single ELF file .", "spans": {}, "info": {"id": "securebert2_test_00098", "source": "securebert2_test"}}
{"text": "In earlier versions , it operated with shell commands like this : Stealing WhatsApp encryption key with Busybox Social payload Actually , this is not a standalone payload file – in all the observed versions its code was compiled with exploit payload in one file ( ‘ poc_perm ’ , ‘ arrs_put_user ’ , ‘ arrs_put_user.o ’ ) .", "spans": {"Malware: Busybox Social payload": [[104, 126]]}, "info": {"id": "securebert2_test_00099", "source": "securebert2_test"}}
{"text": "This is due to the fact that the implant needs to escalate privileges before performing social payload actions .", "spans": {}, "info": {"id": "securebert2_test_00100", "source": "securebert2_test"}}
{"text": "This payload is also used by the earlier versions of the implant .", "spans": {}, "info": {"id": "securebert2_test_00101", "source": "securebert2_test"}}
{"text": "It has similar functionality to the ‘ AndroidMDMSupport ’ command from the current versions – stealing data belonging to other installed applications .", "spans": {}, "info": {"id": "securebert2_test_00102", "source": "securebert2_test"}}
{"text": "The payload will execute shell code to steal data from various applications .", "spans": {}, "info": {"id": "securebert2_test_00103", "source": "securebert2_test"}}
{"text": "The example below steals Facebook data : All the other hardcoded applications targeted by the payload : Package name Name jp.naver.line.android LINE : Free Calls & Messages com.facebook.orca Facebook messenger com.facebook.katana Facebook com.whatsapp WhatsApp com.viber.voip Viber Parser payload Upon receiving a specific command , the implant can download a special payload to grab sensitive information from external applications .", "spans": {"System: Facebook": [[25, 33], [230, 238]], "Indicator: jp.naver.line.android": [[122, 143]], "System: LINE : Free Calls & Messages": [[144, 172]], "Indicator: com.facebook.orca": [[173, 190]], "System: Facebook messenger": [[191, 209]], "Indicator: com.facebook.katana": [[210, 229]], "Indicator: com.whatsapp": [[239, 251]], "System: WhatsApp": [[252, 260]], "Indicator: com.viber.voip": [[261, 275]], "System: Viber": [[276, 281]]}, "info": {"id": "securebert2_test_00104", "source": "securebert2_test"}}
{"text": "The case where we observed this involved WhatsApp .", "spans": {"System: WhatsApp": [[41, 49]]}, "info": {"id": "securebert2_test_00105", "source": "securebert2_test"}}
{"text": "In the examined version , it was downloaded from : hxxp : //url [ .", "spans": {"Indicator: hxxp : //url [ .": [[51, 67]]}, "info": {"id": "securebert2_test_00106", "source": "securebert2_test"}}
{"text": "] plus/Updates/tt/parser.apk The payload can be a .dex or .apk file which is a Java-compiled Android executable .", "spans": {"System: Android": [[93, 100]]}, "info": {"id": "securebert2_test_00107", "source": "securebert2_test"}}
{"text": "After downloading , it will be loaded by the main module via DexClassLoader api : As mentioned , we observed a payload that exclusively targets the WhatsApp messenger and it does so in an original way .", "spans": {"System: WhatsApp messenger": [[148, 166]]}, "info": {"id": "securebert2_test_00108", "source": "securebert2_test"}}
{"text": "The payload uses the Android Accessibility Service to get information directly from the displayed elements on the screen , so it waits for the targeted application to be launched and then parses all nodes to find text messages : Note that the implant needs special permission to use the Accessibility Service API , but there is a command that performs a request with a phishing text displayed to the user to obtain such permission .", "spans": {"System: Android": [[21, 28]]}, "info": {"id": "securebert2_test_00109", "source": "securebert2_test"}}
{"text": "Windows We have found multiple components that form an entire spyware system for the Windows platform .", "spans": {"System: Windows": [[0, 7], [85, 92]]}, "info": {"id": "securebert2_test_00110", "source": "securebert2_test"}}
{"text": "Name MD5 Purpose msconf.exe 55fb01048b6287eadcbd9a0f86d21adf Main module , reverse shell network.exe f673bb1d519138ced7659484c0b66c5b Sending exfiltrated data system.exe d3baa45ed342fbc5a56d974d36d5f73f Surrounding sound recording by mic update.exe 395f9f87df728134b5e3c1ca4d48e9fa Keylogging wow.exe 16311b16fd48c1c87c6476a455093e7a Screenshot capturing skype_sync2.exe 6bcc3559d7405f25ea403317353d905f Skype call recording to MP3 All modules , except skype_sync2.exe , are written in Python and packed to binary files via the Py2exe tool .", "spans": {"Indicator: msconf.exe": [[17, 27]], "Indicator: 55fb01048b6287eadcbd9a0f86d21adf": [[28, 60]], "Indicator: network.exe": [[89, 100]], "Indicator: f673bb1d519138ced7659484c0b66c5b": [[101, 133]], "Indicator: system.exe": [[159, 169]], "Indicator: d3baa45ed342fbc5a56d974d36d5f73f": [[170, 202]], "Indicator: update.exe": [[238, 248]], "Indicator: 395f9f87df728134b5e3c1ca4d48e9fa": [[249, 281]], "Indicator: wow.exe": [[293, 300]], "Indicator: 16311b16fd48c1c87c6476a455093e7a": [[301, 333]], "Indicator: skype_sync2.exe": [[355, 370], [453, 468]], "Indicator: 6bcc3559d7405f25ea403317353d905f": [[371, 403]], "System: Skype": [[404, 409]], "System: Python": [[486, 492]], "System: Py2exe": [[528, 534]]}, "info": {"id": "securebert2_test_00111", "source": "securebert2_test"}}
{"text": "This sort of conversion allows Python code to be run in a Windows environment without pre-installed Python binaries .", "spans": {"System: Python": [[31, 37], [100, 106]], "System: Windows": [[58, 65]]}, "info": {"id": "securebert2_test_00112", "source": "securebert2_test"}}
{"text": "msconf.exe is the main module that provides control of the implant and reverse shell feature .", "spans": {"Indicator: msconf.exe": [[0, 10]]}, "info": {"id": "securebert2_test_00113", "source": "securebert2_test"}}
{"text": "It opens a socket on the victim ’ s machine and connects with a server-side component of the implant located at 54.67.109.199:6500 .", "spans": {"Indicator: 54.67.109.199:6500": [[112, 130]]}, "info": {"id": "securebert2_test_00114", "source": "securebert2_test"}}
{"text": "Before connecting with the socket , it creates a malware environment in ‘ APPDATA/myupd ’ and creates a sqlite3 database there – ‘ myupd_tmp\\\\mng.db ’ : CREATE TABLE MANAGE ( ID INT PRIMARY KEY NOT NULL , Send INT NOT NULL , Keylogg INT NOT NULL , Screenshot INT NOT NULL , Audio INT NOT NULL ) ; INSERT INTO MANAGE ( ID , Send , Keylogg , Screenshot , Audio ) VALUES ( 1 , 1 , 1 , 1 , 0 ) Finally , the malware modifies the ‘ Software\\Microsoft\\Windows\\CurrentVersion\\Run ’ registry key to enable autostart of the main module .", "spans": {"Indicator: APPDATA/myupd": [[74, 87]], "Indicator: myupd_tmp\\\\mng.db": [[131, 148]], "Indicator: Software\\Microsoft\\Windows\\CurrentVersion\\Run": [[427, 472]]}, "info": {"id": "securebert2_test_00115", "source": "securebert2_test"}}
{"text": "The code contains multiple comments in Italian , here is the most noteworthy example : “ Receive commands from the remote server , here you can set the key commands to command the virus ” Here are the available commands : Name Description cd Change current directory to specified quit Close the socket nggexe Execute received command via Python ’ s subprocess.Popen ( ) without outputs ngguploads Upload specified file to the specified URL nggdownloads Download content from the specified URLs and save to specified file nggfilesystem Dump file structure of the C : path , save it to the file in json format and zip it nggstart_screen nggstop_screen Enable/disable screenshot module .", "spans": {"System: Python": [[338, 344]]}, "info": {"id": "securebert2_test_00116", "source": "securebert2_test"}}
{"text": "When enabled , it makes a screenshot every 25 seconds nggstart_key nggstop_key Enable/disable keylogging module nggstart_rec nggstop_rec Enable/disable surrounding sounds recording module ngg_status Send components status to the C & C socket * any other * Execute received command via Python ’ s subprocess.Popen ( ) , output result will be sent to the C & C socket .", "spans": {"System: Python": [[285, 291]]}, "info": {"id": "securebert2_test_00117", "source": "securebert2_test"}}
{"text": "All modules set hidden attributes to their files : Module Paths Exfiltrated data format msconf.exe % APPDATA % /myupd/gen/ % Y % m % d- % H % M % S_filesystem.zip ( file structure dump ) system.exe % APPDATA % /myupd/aud/ % d % m % Y % H % M % S.wav ( surrounding sounds ) update.exe % APPDATA % /myupd_tmp/txt/ % APPDATA % /myupd/txt/ % Y % m % d- % H % M % S.txt ( keylogging ) wow.exe % APPDATA % /myupd/scr/ % Y % m % d- % H % M % S.jpg ( screenshots ) skype_sync2.exe % APPDATA % /myupd_tmp/skype/ % APPDATA % /myupd/skype/ yyyyMMddHHmmss_in.mp3 yyyyMMddHHmmss_out.mp3 ( skype calls records ) Moreover , we found one module written in .Net – skype_sync2.exe .", "spans": {"Indicator: msconf.exe": [[88, 98]], "Indicator: % APPDATA % /myupd/gen/ % Y % m % d- % H % M % S_filesystem.zip ( file structure dump ) system.exe % APPDATA % /myupd/aud/ % d % m % Y % H % M % S.wav ( surrounding sounds ) update.exe % APPDATA % /myupd_tmp/txt/ % APPDATA % /myupd/txt/ % Y % m % d- % H % M % S.txt ( keylogging ) wow.exe % APPDATA % /myupd/scr/ % Y % m % d- % H % M % S.jpg ( screenshots ) skype_sync2.exe % APPDATA % /myupd_tmp/skype/ % APPDATA % /myupd/skype/ yyyyMMddHHmmss_in.mp3": [[99, 550]], "Indicator: yyyyMMddHHmmss_out.mp3": [[551, 573]], "System: .Net": [[640, 644]], "Indicator: skype_sync2.exe": [[647, 662]]}, "info": {"id": "securebert2_test_00118", "source": "securebert2_test"}}
{"text": "The main purpose of this module is to exfiltrate Skype call recordings .", "spans": {"System: Skype": [[49, 54]]}, "info": {"id": "securebert2_test_00119", "source": "securebert2_test"}}
{"text": "Just like the previous modules , it contains multiple strings in Italian .", "spans": {}, "info": {"id": "securebert2_test_00120", "source": "securebert2_test"}}
{"text": "After launch , it downloads a codec for MP3 encoding directly from the C & C server : http : //54.67.109.199/skype_resource/libmp3lame.dll The skype_sync2.exe module has a compilation timestamp – Feb 06 2017 and the following PDB string : \\\\vmware-host\\Shared Folders\\dati\\Backup\\Projects\\REcodin_2\\REcodin_2\\obj\\x86\\Release\\REcodin_2.pdb network.exe is a module for submitting all exfiltrated data to the server .", "spans": {"Indicator: http : //54.67.109.199/skype_resource/libmp3lame.dll": [[86, 138]], "Indicator: skype_sync2.exe": [[143, 158]], "Indicator: \\\\vmware-host\\Shared": [[239, 259]], "Indicator: Folders\\dati\\Backup\\Projects\\REcodin_2\\REcodin_2\\obj\\x86\\Release\\REcodin_2.pdb": [[260, 338]], "Indicator: network.exe": [[339, 350]]}, "info": {"id": "securebert2_test_00121", "source": "securebert2_test"}}
{"text": "In the observed version of the implant it doesn ’ t have an interface to work with the skype_sync2.exe module .", "spans": {"Indicator: skype_sync2.exe": [[87, 102]]}, "info": {"id": "securebert2_test_00122", "source": "securebert2_test"}}
{"text": "network.exe submitting to the server code snippet Code similarities We found some code similarities between the implant for Windows and other public accessible projects .", "spans": {"Indicator: network.exe": [[0, 11]], "System: Windows": [[124, 131]]}, "info": {"id": "securebert2_test_00123", "source": "securebert2_test"}}
{"text": "https : //github.com/El3ct71k/Keylogger/ It appears the developers have copied the functional part of the keylogger module from this project .", "spans": {"Indicator: https : //github.com/El3ct71k/Keylogger/": [[0, 40]]}, "info": {"id": "securebert2_test_00124", "source": "securebert2_test"}}
{"text": "update.exe module and Keylogger by ‘ El3ct71k ’ code comparison Xenotix Python Keylogger including specified mutex ‘ mutex_var_xboz ’ .", "spans": {"Indicator: update.exe": [[0, 10]], "System: Xenotix Python Keylogger": [[64, 88]]}, "info": {"id": "securebert2_test_00125", "source": "securebert2_test"}}
{"text": "update.exe module and Xenotix Python Keylogger code comparison ‘ addStartup ’ method from msconf.exe module ‘ addStartup ’ method from Xenotix Python Keylogger Distribution We found several landing pages that spread the Android implants .", "spans": {"Indicator: update.exe": [[0, 10]], "System: Xenotix Python Keylogger": [[22, 46], [135, 159]], "Indicator: msconf.exe": [[90, 100]], "System: Android": [[220, 227]]}, "info": {"id": "securebert2_test_00126", "source": "securebert2_test"}}
{"text": "Malicious URL Referrer Dates http : //217.194.13.133/tre/internet/Configuratore_3.apk http : //217.194.13.133/tre/internet/ 2015-02-04 to present time http : //217.194.13.133/appPro_AC.apk – 2015-07-01 http : //217.194.13.133/190/configurazione/vodafone/smartphone/VODAFONE % 20Configuratore % 20v5_4_2.apk http : //217.194.13.133/190/configurazione/vodafone/smartphone/index.html 2015-01-20 to present time http : //217.194.13.133/190/configurazione/vodafone/smartphone/Vodafone % 20Configuratore.apk http : //217.194.13.133/190/configurazione/vodafone/smartphone/index.html currently active http : //vodafoneinfinity.sytes.net/tim/internet/Configuratore_TIM.apk http : //vodafoneinfinity.sytes.net/tim/internet/ 2015-03-04 http : //vodafoneinfinity.sytes.net/190/configurazione/vodafone/smartphone/VODAFONE % 20Configuratore % 20v5_4_2.apk http : //vodafoneinfinity.sytes.net/190/configurazione/vodafone/smartphone/ 2015-01-14 http : //windupdate.serveftp.com/wind/LTE/WIND % 20Configuratore % 20v5_4_2.apk http : //windupdate.serveftp.com/wind/LTE/ 2015-03-31 http : //119.network/lte/Internet-TIM-4G-LTE.apk http : //119.network/lte/download.html 2015-02-04 2015-07-20 http : //119.network/lte/Configuratore_TIM.apk 2015-07-08 Many of these domains are outdated , but almost all ( except one – appPro_AC.apk ) samples located on the 217.194.13.133 server are still accessible .", "spans": {"Indicator: http : //217.194.13.133/tre/internet/Configuratore_3.apk": [[29, 85]], "Indicator: http : //217.194.13.133/tre/internet/": [[86, 123]], "Indicator: http : //217.194.13.133/appPro_AC.apk": [[151, 188]], "Indicator: http : //217.194.13.133/190/configurazione/vodafone/smartphone/VODAFONE % 20Configuratore % 20v5_4_2.apk": [[202, 306]], "Indicator: http : //217.194.13.133/190/configurazione/vodafone/smartphone/index.html": [[307, 380], [502, 575]], "Indicator: http : //217.194.13.133/190/configurazione/vodafone/smartphone/Vodafone % 20Configuratore.apk": [[408, 501]], "Indicator: http : //vodafoneinfinity.sytes.net/tim/internet/Configuratore_TIM.apk": [[593, 663]], "Indicator: http : //vodafoneinfinity.sytes.net/tim/internet/": [[664, 713]], "Indicator: http : //vodafoneinfinity.sytes.net/190/configurazione/vodafone/smartphone/VODAFONE % 20Configuratore % 20v5_4_2.apk": [[725, 841]], "Indicator: http : //vodafoneinfinity.sytes.net/190/configurazione/vodafone/smartphone/": [[842, 917]], "Indicator: http : //windupdate.serveftp.com/wind/LTE/WIND % 20Configuratore % 20v5_4_2.apk": [[929, 1008]], "Indicator: http : //windupdate.serveftp.com/wind/LTE/": [[1009, 1051]], "Indicator: http : //119.network/lte/Internet-TIM-4G-LTE.apk": [[1063, 1111]], "Indicator: http : //119.network/lte/download.html": [[1112, 1150]], "Indicator: http : //119.network/lte/Configuratore_TIM.apk": [[1173, 1219]], "Indicator: appPro_AC.apk": [[1298, 1311]], "Indicator: 217.194.13.133": [[1337, 1351]]}, "info": {"id": "securebert2_test_00127", "source": "securebert2_test"}}
{"text": "All the observed landing pages mimic the mobile operators ’ web pages through their domain name and web page content as well .", "spans": {}, "info": {"id": "securebert2_test_00128", "source": "securebert2_test"}}
{"text": "Further research of the attacker ’ s infrastructure revealed more related mimicking domains .", "spans": {}, "info": {"id": "securebert2_test_00129", "source": "securebert2_test"}}
{"text": "Unfortunately , for now we can ’ t say in what environment these landing pages were used in the wild , but according to all the information at our disposal , we can assume that they are perfect for exploitation using malicious redirects or man-in-the-middle attacks .", "spans": {}, "info": {"id": "securebert2_test_00130", "source": "securebert2_test"}}
{"text": "For example , this could be when the victim ’ s device connects to a Wi-Fi access point that is infected or controlled by the attackers .", "spans": {}, "info": {"id": "securebert2_test_00131", "source": "securebert2_test"}}
{"text": "Artifacts During the research , we found plenty of traces of the developers and those doing the maintaining .", "spans": {}, "info": {"id": "securebert2_test_00132", "source": "securebert2_test"}}
{"text": "As already stated in the ‘ malware features ’ part , there are multiple giveaways in the code .", "spans": {}, "info": {"id": "securebert2_test_00133", "source": "securebert2_test"}}
{"text": "Here are just some of them : ngglobal – FirebaseCloudMessaging topic name Issuer : CN = negg – from several certificates negg.ddns [ .", "spans": {"Indicator: negg.ddns [ .": [[121, 134]]}, "info": {"id": "securebert2_test_00134", "source": "securebert2_test"}}
{"text": "] net , negg1.ddns [ .", "spans": {"Indicator: negg1.ddns [ .": [[8, 22]]}, "info": {"id": "securebert2_test_00135", "source": "securebert2_test"}}
{"text": "] net , negg2.ddns [ .", "spans": {"Indicator: negg2.ddns [ .": [[8, 22]]}, "info": {"id": "securebert2_test_00136", "source": "securebert2_test"}}
{"text": "] net – C & C servers NG SuperShell – string from the reverse shell payload ngg – prefix in commands names of the implant for Windows Signature with specific issuer Whois records and IP relationships provide many interesting insights as well .", "spans": {"System: Windows": [[126, 133]]}, "info": {"id": "securebert2_test_00137", "source": "securebert2_test"}}
{"text": "There are a lot of other ‘ Negg ’ mentions in Whois records and references to it .", "spans": {}, "info": {"id": "securebert2_test_00138", "source": "securebert2_test"}}
{"text": "For example : Conclusions The Skygofree Android implant is one of the most powerful spyware tools that we have ever seen for this platform .", "spans": {"Malware: Skygofree": [[30, 39]], "System: Android": [[40, 47]]}, "info": {"id": "securebert2_test_00139", "source": "securebert2_test"}}
{"text": "As a result of the long-term development process , there are multiple , exceptional capabilities : usage of multiple exploits for gaining root privileges , a complex payload structure , never-before-seen surveillance features such as recording surrounding audio in specified locations .", "spans": {}, "info": {"id": "securebert2_test_00140", "source": "securebert2_test"}}
{"text": "Given the many artifacts we discovered in the malware code , as well as infrastructure analysis , we are pretty confident that the developer of the Skygofree implants is an Italian IT company that works on surveillance solutions , just like HackingTeam .", "spans": {"Malware: Skygofree": [[148, 157]], "Organization: HackingTeam": [[241, 252]]}, "info": {"id": "securebert2_test_00141", "source": "securebert2_test"}}
{"text": "HenBox : The Chickens Come Home to Roost March 13 , 2018 at 5:00 AM Unit 42 recently discovered a new Android malware family we named “ HenBox ” masquerading as a variety of legitimate Android apps .", "spans": {"Malware: HenBox": [[0, 6], [136, 142]], "System: Android": [[102, 109], [185, 192]]}, "info": {"id": "securebert2_test_00142", "source": "securebert2_test"}}
{"text": "We chose the name “ HenBox ” based on metadata found in most of the malicious apps such as package names and signer detail .", "spans": {"Malware: HenBox": [[20, 26]]}, "info": {"id": "securebert2_test_00143", "source": "securebert2_test"}}
{"text": "HenBox masquerades as apps such as VPN and Android system apps and often installs legitimate versions of these apps along with HenBox to trick users into thinking they downloaded the legitimate app .", "spans": {"Malware: HenBox": [[0, 6], [127, 133]], "System: Android": [[43, 50]]}, "info": {"id": "securebert2_test_00144", "source": "securebert2_test"}}
{"text": "While some of the legitimate apps HenBox use as decoys can be found on Google Play , HenBox apps themselves have only been found on third-party ( non-Google Play ) app stores .", "spans": {"Malware: HenBox": [[34, 40], [85, 91]], "System: Google Play": [[71, 82]], "System: Play": [[157, 161]]}, "info": {"id": "securebert2_test_00145", "source": "securebert2_test"}}
{"text": "HenBox appears to primarily target the Uyghurs – a minority Turkic ethnic group that is primarily Muslim and lives mainly in the Xinjiang Uyghur Autonomous Region in North West China .", "spans": {"Malware: HenBox": [[0, 6]]}, "info": {"id": "securebert2_test_00146", "source": "securebert2_test"}}
{"text": "It also targets devices made by Chinese manufacturer Xiaomi and those running MIUI , an operating system based on Google Android made by Xiaomi .", "spans": {"Organization: Xiaomi": [[53, 59], [137, 143]], "System: MIUI": [[78, 82]], "System: Google Android": [[114, 128]]}, "info": {"id": "securebert2_test_00147", "source": "securebert2_test"}}
{"text": "Smartphones are the dominant form of internet access in the region and Xinjiang was recently above the national average of internet users in China .", "spans": {}, "info": {"id": "securebert2_test_00148", "source": "securebert2_test"}}
{"text": "The result is a large online population who have been the subject of numerous cyber-attacks in the past .", "spans": {}, "info": {"id": "securebert2_test_00149", "source": "securebert2_test"}}
{"text": "Once installed , HenBox steals information from the devices from a myriad of sources , including many mainstream chat , communication , and social media apps .", "spans": {"Malware: HenBox": [[17, 23]]}, "info": {"id": "securebert2_test_00150", "source": "securebert2_test"}}
{"text": "The stolen information includes personal and device information .", "spans": {}, "info": {"id": "securebert2_test_00151", "source": "securebert2_test"}}
{"text": "Of note , in addition to tracking the compromised device ’ s location , HenBox also harvests all outgoing phone numbers with an “ 86 ” prefix , which is the country code for the People ’ s Republic of China ( PRC ) .", "spans": {"Malware: HenBox": [[72, 78]]}, "info": {"id": "securebert2_test_00152", "source": "securebert2_test"}}
{"text": "It can also access the phone ’ s cameras and microphone .", "spans": {}, "info": {"id": "securebert2_test_00153", "source": "securebert2_test"}}
{"text": "HenBox has ties to infrastructure used in targeted attacks with a focus on politics in South East Asia .", "spans": {"Malware: HenBox": [[0, 6]]}, "info": {"id": "securebert2_test_00154", "source": "securebert2_test"}}
{"text": "These attackers have used additional malware families in previous activity dating to at least 2015 that include PlugX , Zupdax , 9002 , and Poison Ivy .", "spans": {"Malware: PlugX": [[112, 117]], "Malware: Zupdax": [[120, 126]], "Malware: 9002": [[129, 133]], "Malware: Poison Ivy": [[140, 150]]}, "info": {"id": "securebert2_test_00155", "source": "securebert2_test"}}
{"text": "This also aligns with HenBox ’ s timeline , as in total we have identified almost 200 HenBox samples , with the oldest dating to 2015 .", "spans": {"Malware: HenBox": [[22, 28], [86, 92]]}, "info": {"id": "securebert2_test_00156", "source": "securebert2_test"}}
{"text": "Most of the samples we found date from the last half of 2017 , fewer samples date from 2016 , and a handful date back to 2015 .", "spans": {}, "info": {"id": "securebert2_test_00157", "source": "securebert2_test"}}
{"text": "In 2018 , we have already observed a small but consistent number of samples .", "spans": {}, "info": {"id": "securebert2_test_00158", "source": "securebert2_test"}}
{"text": "We believe this indicates a fairly sustained campaign that has gained momentum over recent months .", "spans": {}, "info": {"id": "securebert2_test_00159", "source": "securebert2_test"}}
{"text": "HenBox Enters the Uyghur App Store In May 2016 , a HenBox app was downloaded from uyghurapps [ .", "spans": {"Malware: HenBox": [[0, 6], [51, 57]], "System: Uyghur App Store": [[18, 34]], "Indicator: uyghurapps [ .": [[82, 96]]}, "info": {"id": "securebert2_test_00160", "source": "securebert2_test"}}
{"text": "] net .", "spans": {}, "info": {"id": "securebert2_test_00161", "source": "securebert2_test"}}
{"text": "Specifically , the app was an Android Package ( APK ) file that will be discussed in more detail shortly .", "spans": {"System: Android Package": [[30, 45]]}, "info": {"id": "securebert2_test_00162", "source": "securebert2_test"}}
{"text": "The domain name , language of the site and app content hosted suggest this site is a third-party app store for whom the intended users are the Uyghurs .", "spans": {}, "info": {"id": "securebert2_test_00163", "source": "securebert2_test"}}
{"text": "Such app stores are so-called because they are not officially supported by Android , nor are they provided by Google , unlike the Play Store .", "spans": {"System: Android": [[75, 82]], "Organization: Google": [[110, 116]], "System: Play Store": [[130, 140]]}, "info": {"id": "securebert2_test_00164", "source": "securebert2_test"}}
{"text": "Third-party app stores are ubiquitous in China for a number of reasons including : evermore powerful Chinese Original Equipment Manufacturers ( OEM ) , a lack of an official Chinese Google Play app store , and a growing smartphone market .", "spans": {"Organization: Chinese Original Equipment Manufacturers ( OEM )": [[101, 149]], "System: Google Play": [[182, 193]]}, "info": {"id": "securebert2_test_00165", "source": "securebert2_test"}}
{"text": "The HenBox app downloaded in May 2016 was masquerading as the DroidVPN app .", "spans": {"Malware: HenBox": [[4, 10]], "Indicator: DroidVPN": [[62, 70]]}, "info": {"id": "securebert2_test_00166", "source": "securebert2_test"}}
{"text": "At the time of writing , the content served at the given URL on uyghurapps [ .", "spans": {"Indicator: uyghurapps [ .": [[64, 78]]}, "info": {"id": "securebert2_test_00167", "source": "securebert2_test"}}
{"text": "] net , is now a legitimate version of the DroidVPN app , and looks as shown in Figure 1 below .", "spans": {"Indicator: DroidVPN": [[43, 51]]}, "info": {"id": "securebert2_test_00168", "source": "securebert2_test"}}
{"text": "henbox_2 Figure 1 Uyghurapps [ .", "spans": {"Indicator: Uyghurapps [ .": [[18, 32]]}, "info": {"id": "securebert2_test_00169", "source": "securebert2_test"}}
{"text": "] net app store showing the current DroidVPN app Virtual Private Network ( VPN ) tools allow connections to remote private networks , increasing the security and privacy of the user ’ s communications .", "spans": {"Indicator: DroidVPN": [[36, 44]]}, "info": {"id": "securebert2_test_00170", "source": "securebert2_test"}}
{"text": "According to the DroidVPN app description , it “ helps bypass regional internet restrictions , web filtering and firewalls by tunneling traffic over ICMP. ” Some features may require devices to be rooted to function and according to some 3rd party app stores , unconditional rooting is required , which has additional security implications for the device .", "spans": {"Indicator: DroidVPN": [[17, 25]]}, "info": {"id": "securebert2_test_00171", "source": "securebert2_test"}}
{"text": "We have not been able to ascertain how the DroidVPN app on the uyghurapps [ .", "spans": {"Indicator: DroidVPN": [[43, 51]], "Indicator: uyghurapps [ .": [[63, 77]]}, "info": {"id": "securebert2_test_00172", "source": "securebert2_test"}}
{"text": "] net app store was replaced with the malicious HenBox app ; however , some indicators point to the server running an outdated version of Apache Web Server on a Windows 32-Bit operating system .", "spans": {"Malware: HenBox": [[48, 54]], "System: Windows": [[161, 168]]}, "info": {"id": "securebert2_test_00173", "source": "securebert2_test"}}
{"text": "In light of this , we believe an attack against unpatched vulnerabilities is a reasonable conjecture for how the server was compromised .", "spans": {"Vulnerability: unpatched vulnerabilities": [[48, 73]]}, "info": {"id": "securebert2_test_00174", "source": "securebert2_test"}}
{"text": "The HenBox app downloaded in May 2016 , as described in Table 1 below , masquerades as a legitimate version of the DroidVPN app by using the same app name “ DroidVPN ” and the same iconography used when displaying the app in Android ’ s launcher view , as highlighted in Figure 2 below Table 1 .", "spans": {"Indicator: DroidVPN": [[115, 123]], "System: DroidVPN": [[157, 165]], "System: Android": [[225, 232]]}, "info": {"id": "securebert2_test_00175", "source": "securebert2_test"}}
{"text": "APK SHA256 Size ( bytes ) First Seen App Package name App name 0589bed1e3b3d6234c30061be3be1cc6685d786ab3a892a8d4dae8e2d7ed92f7 2,740,860 May 2016 com.android.henbox DroidVPN Table 1 Details of the HenBox DroidVPN app on the uyghurapps [ .", "spans": {"Indicator: 0589bed1e3b3d6234c30061be3be1cc6685d786ab3a892a8d4dae8e2d7ed92f7": [[63, 127]], "Indicator: com.android.henbox": [[147, 165]], "System: DroidVPN": [[166, 174], [205, 213]], "Malware: HenBox": [[198, 204]], "Indicator: uyghurapps [ .": [[225, 239]]}, "info": {"id": "securebert2_test_00176", "source": "securebert2_test"}}
{"text": "] net app store henbox_3 Figure 2 HenBox app installed , purporting to be DroidVPN Depending on the language setting on the device , and for this particular variant of HenBox , the installed HenBox app may have the name “ Backup ” but uses the same DroidVPN logo .", "spans": {"Malware: HenBox": [[34, 40], [168, 174], [191, 197]], "Indicator: DroidVPN": [[74, 82], [249, 257]]}, "info": {"id": "securebert2_test_00177", "source": "securebert2_test"}}
{"text": "Other variants use other names and logos , as described later .", "spans": {}, "info": {"id": "securebert2_test_00178", "source": "securebert2_test"}}
{"text": "Given the DroidVPN look and feel being used by this variant of HenBox , it ’ s highly likely the uyghurapps [ .", "spans": {"Indicator: DroidVPN": [[10, 18]], "Malware: HenBox": [[63, 69]], "Indicator: uyghurapps [ .": [[97, 111]]}, "info": {"id": "securebert2_test_00179", "source": "securebert2_test"}}
{"text": "] net page for DroidVPN remained identical when serving either HenBox or DroidVPN apps , just that the legitimate APK file had been replaced with HenBox for an unknown period of time .", "spans": {"Indicator: DroidVPN": [[15, 23], [73, 81]], "Malware: HenBox": [[63, 69]]}, "info": {"id": "securebert2_test_00180", "source": "securebert2_test"}}
{"text": "In addition to the look and feel of DroidVPN , this HenBox variant also contained a legitimate DroidVPN app within its APK package as an asset , which could be compared to a resource item within a Windows Portable Executable ( PE ) file .", "spans": {"Indicator: DroidVPN": [[36, 44], [95, 103]], "Malware: HenBox": [[52, 58]], "System: Windows Portable Executable": [[197, 224]]}, "info": {"id": "securebert2_test_00181", "source": "securebert2_test"}}
{"text": "Once the HenBox app is installed and launched , it launches an install process for the embedded app as a decoy to other malicious behaviors occurring in the background , and to satisfy the victim with the app they were requesting , assuming they requested to download a particular app , such as DroidVPN .", "spans": {"Malware: HenBox": [[9, 15]], "System: DroidVPN": [[295, 303]]}, "info": {"id": "securebert2_test_00182", "source": "securebert2_test"}}
{"text": "The version of the legitimate DroidVPN embedded inside this HenBox variant is the same version of DroidVPN available for download from uyghurapps [ .", "spans": {"Indicator: DroidVPN": [[30, 38], [98, 106]], "Malware: HenBox": [[60, 66]], "Indicator: uyghurapps [ .": [[135, 149]]}, "info": {"id": "securebert2_test_00183", "source": "securebert2_test"}}
{"text": "] net , at the time of writing .", "spans": {}, "info": {"id": "securebert2_test_00184", "source": "securebert2_test"}}
{"text": "It ’ s worth noting , newer versions of the DroidVPN app are available on Google Play , as well as in some other third-party app stores , which could indicate uyghurapps [ .", "spans": {"System: DroidVPN": [[44, 52]], "System: Google Play": [[74, 85]], "Indicator: uyghurapps [ .": [[159, 173]]}, "info": {"id": "securebert2_test_00185", "source": "securebert2_test"}}
{"text": "] net is not awfully well maintained or updated to the latest apps available .", "spans": {}, "info": {"id": "securebert2_test_00186", "source": "securebert2_test"}}
{"text": "At the time of writing , to our knowledge no other third-party app stores , nor the official Google Play store , were or are hosting this malicious HenBox variant masquerading as DroidVPN .", "spans": {"System: Google Play": [[93, 104]], "Malware: HenBox": [[148, 154]], "Indicator: DroidVPN": [[179, 187]]}, "info": {"id": "securebert2_test_00187", "source": "securebert2_test"}}
{"text": "The Right App at the Right Time The malicious HenBox and embedded DroidVPN app combination is one instance of the type of legitimate apps the attackers choose to mimic to compromise their victims .", "spans": {"Malware: HenBox": [[46, 52]], "Indicator: DroidVPN": [[66, 74]]}, "info": {"id": "securebert2_test_00188", "source": "securebert2_test"}}
{"text": "These threat actors frequently offer malicious apps purporting to be legitimate apps that are broadly used or important to a targeted population .", "spans": {}, "info": {"id": "securebert2_test_00189", "source": "securebert2_test"}}
{"text": "It ’ s worth noting however , about one-third of the HenBox apps contained embedded APK objects that did not refer to legitimate apps .", "spans": {"Malware: HenBox": [[53, 59]]}, "info": {"id": "securebert2_test_00190", "source": "securebert2_test"}}
{"text": "Some were only 3 bytes long , containing strings such as “ ddd ” and “ 333 ” , or were otherwise corrupted .", "spans": {}, "info": {"id": "securebert2_test_00191", "source": "securebert2_test"}}
{"text": "Beyond the previously mentioned DroidVPN example , other viable embedded apps we found include apps currently available on Google Play , as well as many third-party app stores .", "spans": {"Indicator: DroidVPN": [[32, 40]], "System: Google Play": [[123, 134]]}, "info": {"id": "securebert2_test_00192", "source": "securebert2_test"}}
{"text": "Table 2 below lists some of these apps with their respective metadata .", "spans": {}, "info": {"id": "securebert2_test_00193", "source": "securebert2_test"}}
{"text": "Sample 1 marks the first HenBox sample we saw embedding a legitimate app within its assets to be dropped and installed on the victim device as a decoy .", "spans": {"Malware: HenBox": [[25, 31]]}, "info": {"id": "securebert2_test_00194", "source": "securebert2_test"}}
{"text": "The legitimate app in question was a Uyghur language keyboard app targeted at native speakers of the Uyghur language and their smartphones .", "spans": {}, "info": {"id": "securebert2_test_00195", "source": "securebert2_test"}}
{"text": "Sample 2 , has the package name cn.android.setting masquerading as Android ’ s Settings app , which has a similar package name ( com.android.settings ) .", "spans": {"Indicator: cn.android.setting": [[32, 50]], "System: Settings app": [[79, 91]], "Indicator: com.android.settings": [[129, 149]]}, "info": {"id": "securebert2_test_00196", "source": "securebert2_test"}}
{"text": "This variant of HenBox also used the common green Android figure as the app logo and was named 设置 ( “ Backup ” in English ) .", "spans": {"Malware: HenBox": [[16, 22]], "System: Android": [[50, 57]]}, "info": {"id": "securebert2_test_00197", "source": "securebert2_test"}}
{"text": "This variant ’ s app name , along with many others , is written in Chinese and describes the app as a backup tool .", "spans": {}, "info": {"id": "securebert2_test_00198", "source": "securebert2_test"}}
{"text": "Please see the IOCs section for all app and package name combinations .", "spans": {}, "info": {"id": "securebert2_test_00199", "source": "securebert2_test"}}