diff --git "a/data/processed/backup/cyner_train.jsonl" "b/data/processed/backup/cyner_train.jsonl"
new file mode 100644
--- /dev/null
+++ "b/data/processed/backup/cyner_train.jsonl"
@@ -0,0 +1,2811 @@ +{"text": "Super Mario Run Malware # 2 – DroidJack RAT Gamers love Mario and Pokemon , but so do malware authors .", "spans": {"Malware: Super Mario Run Malware": [[0, 23]], "Malware: DroidJack RAT": [[30, 43]], "System: Mario": [[56, 61]], "System: Pokemon": [[66, 73]]}, "info": {"id": "cyner_mitre_train_00000", "source": "cyner_mitre_train"}} +{"text": "A few days back , we wrote about an Android Marcher trojan variant posing as the Super Mario Run game for Android .", "spans": {"System: Android": [[36, 43], [106, 113]], "Malware: Marcher": [[44, 51]], "System: Super Mario Run": [[81, 96]]}, "info": {"id": "cyner_mitre_train_00001", "source": "cyner_mitre_train"}} +{"text": "We have found another instance of malware posing as the Super Mario Run Android app , and this time it has taken the form of DroidJack RAT ( remote access trojan ) .", "spans": {"System: Super Mario Run": [[56, 71]], "System: Android": [[72, 79]], "Malware: DroidJack RAT": [[125, 138]]}, "info": {"id": "cyner_mitre_train_00002", "source": "cyner_mitre_train"}} +{"text": "Proofpoint wrote about the DroidJack RAT side-loaded with the Pokemon GO app back in July 2016 ; the difference here is that there is no game included in the malicious package .", "spans": {"Organization: Proofpoint": [[0, 10]], "Malware: DroidJack RAT": [[27, 40]], "System: Pokemon GO": [[62, 72]]}, "info": {"id": "cyner_mitre_train_00003", "source": "cyner_mitre_train"}} +{"text": "The authors are trying to latch onto the popularity of the Super Mario Run game to target eagerly waiting Android users .", "spans": {"System: Super Mario Run": [[59, 74]], "System: Android": [[106, 113]]}, "info": {"id": "cyner_mitre_train_00004", "source": "cyner_mitre_train"}} +{"text": "Details : Name : Super Mario Run Package Name : net.droidjack.server MD5 : 69b4b32e4636f1981841cbbe3b927560 Technical Analysis : The malicious package claims to be the Super Mario Run game , as shown in the permissions screenshot below , but 
in reality this is a malicious RAT called DroidJack ( also known as SandroRAT ) that is getting installed .", "spans": {"System: Super Mario Run": [[17, 32], [168, 183]], "Indicator: net.droidjack.server": [[48, 68]], "Indicator: 69b4b32e4636f1981841cbbe3b927560": [[75, 107]], "Malware: DroidJack": [[284, 293]], "Malware: SandroRAT": [[310, 319]]}, "info": {"id": "cyner_mitre_train_00005", "source": "cyner_mitre_train"}} +{"text": "Once installed , the RAT registers the infected device as shown below .", "spans": {}, "info": {"id": "cyner_mitre_train_00006", "source": "cyner_mitre_train"}} +{"text": "DroidJack RAT starts capturing sensitive information like call data , SMS data , videos , photos , etc .", "spans": {"Malware: DroidJack RAT": [[0, 13]]}, "info": {"id": "cyner_mitre_train_00007", "source": "cyner_mitre_train"}} +{"text": "Observe below the code routine for call recording .", "spans": {}, "info": {"id": "cyner_mitre_train_00008", "source": "cyner_mitre_train"}} +{"text": "This RAT records all the calls and stores the recording to an “ .amr ” file .", "spans": {"Indicator: .amr": [[64, 68]]}, "info": {"id": "cyner_mitre_train_00009", "source": "cyner_mitre_train"}} +{"text": "The following is the code routine for video capturing .", "spans": {}, "info": {"id": "cyner_mitre_train_00010", "source": "cyner_mitre_train"}} +{"text": "Here , the RAT stores all the captured videos in a “ video.3gp ” file .", "spans": {"Indicator: video.3gp": [[53, 62]]}, "info": {"id": "cyner_mitre_train_00011", "source": "cyner_mitre_train"}} +{"text": "It also harvests call details and SMS logs as shown below .", "spans": {}, "info": {"id": "cyner_mitre_train_00012", "source": "cyner_mitre_train"}} +{"text": "Upon further inspection , we have observed that this RAT extracts WhatsApp data too .", "spans": {"System: WhatsApp": [[66, 74]]}, "info": {"id": "cyner_mitre_train_00013", "source": "cyner_mitre_train"}} +{"text": "The RAT stores all the data in a database ( DB ) in 
order to send it to the Command & Control ( C & C ) server .", "spans": {}, "info": {"id": "cyner_mitre_train_00014", "source": "cyner_mitre_train"}} +{"text": "The following are the DBs created and maintained by the RAT .", "spans": {}, "info": {"id": "cyner_mitre_train_00015", "source": "cyner_mitre_train"}} +{"text": "We saw the following hardcoded C & C server location in the RAT package : Conclusion : The DroidJack RAT is another example of a growing trend in which malware authors seek to exploit public interest as a way to spread malware .", "spans": {"Malware: DroidJack RAT": [[91, 104]]}, "info": {"id": "cyner_mitre_train_00016", "source": "cyner_mitre_train"}} +{"text": "In this case , like others before , the event of a popular game release became an opportunity to trick unsuspecting users into downloading the RAT .", "spans": {}, "info": {"id": "cyner_mitre_train_00017", "source": "cyner_mitre_train"}} +{"text": "As a reminder , it is always a good practice to download apps only from trusted app stores such as Google Play .", "spans": {"System: Google Play": [[99, 110]]}, "info": {"id": "cyner_mitre_train_00018", "source": "cyner_mitre_train"}} +{"text": "This practice can be enforced by unchecking the \" Unknown Sources '' option under the \" Security '' settings of your device .", "spans": {}, "info": {"id": "cyner_mitre_train_00019", "source": "cyner_mitre_train"}} +{"text": "XLoader Disguises as Android Apps , Has FakeSpy Links This new XLoader variant poses as a security app for Android devices , and uses a malicious iOS profile to affect iPhone and iPad devices .", "spans": {"Malware: XLoader": [[0, 7], [63, 70]], "System: Android": [[21, 28], [107, 114]], "Malware: FakeSpy": [[40, 47]], "System: iOS": [[146, 149]], "System: iPhone": [[168, 174]], "System: iPad": [[179, 183]]}, "info": {"id": "cyner_mitre_train_00020", "source": "cyner_mitre_train"}} +{"text": "By : Hara Hiroaki , Lilang Wu , Lorin Wu April 02 , 2019 In previous attacks , XLoader 
posed as Facebook , Chrome and other legitimate applications to trick users into downloading its malicious app .", "spans": {"Malware: XLoader": [[79, 86]], "System: Facebook": [[96, 104]], "System: Chrome": [[107, 113]]}, "info": {"id": "cyner_mitre_train_00021", "source": "cyner_mitre_train"}} +{"text": "Trend Micro researchers found a new variant that uses a different way to lure users .", "spans": {"Organization: Trend Micro": [[0, 11]]}, "info": {"id": "cyner_mitre_train_00022", "source": "cyner_mitre_train"}} +{"text": "This new XLoader variant poses as a security app for Android devices , and uses a malicious iOS profile to affect iPhone and iPad devices .", "spans": {"Malware: XLoader": [[9, 16]], "System: Android": [[53, 60]], "System: iOS": [[92, 95]], "System: iPhone": [[114, 120]], "System: iPad": [[125, 129]]}, "info": {"id": "cyner_mitre_train_00023", "source": "cyner_mitre_train"}} +{"text": "Aside from a change in its deployment techniques , a few changes in its code set it apart from its previous versions .", "spans": {}, "info": {"id": "cyner_mitre_train_00024", "source": "cyner_mitre_train"}} +{"text": "This newest variant has been labeled XLoader version 6.0 ( detected as AndroidOS_XLoader.HRXD ) , following the last version discussed in a previous research on the malware family .", "spans": {"Malware: XLoader": [[37, 44]], "Indicator: AndroidOS_XLoader.HRXD": [[71, 93]]}, "info": {"id": "cyner_mitre_train_00025", "source": "cyner_mitre_train"}} +{"text": "Infection chain The threat actors behind this version used several fake websites as their host — copying that of a Japanese mobile phone operator ’ s website in particular — to trick users into downloading the fake security Android application package ( APK ) .", "spans": {"System: Android": [[224, 231]]}, "info": {"id": "cyner_mitre_train_00026", "source": "cyner_mitre_train"}} +{"text": "Monitoring efforts on this new variant revealed that the malicious websites are spread through smishing 
.", "spans": {}, "info": {"id": "cyner_mitre_train_00027", "source": "cyner_mitre_train"}} +{"text": "The infection has not spread very widely at the time of writing , but we ’ ve seen that many users have already received its SMS content .", "spans": {}, "info": {"id": "cyner_mitre_train_00028", "source": "cyner_mitre_train"}} +{"text": "In the past , XLoader showed the ability to mine cryptocurrency on PCs and perform account phishing on iOS devices .", "spans": {"Malware: XLoader": [[14, 21]], "System: iOS": [[103, 106]]}, "info": {"id": "cyner_mitre_train_00029", "source": "cyner_mitre_train"}} +{"text": "This new wave also presents unique attack vectors based on the kind of device it has accessed .", "spans": {}, "info": {"id": "cyner_mitre_train_00030", "source": "cyner_mitre_train"}} +{"text": "In the case of Android devices , accessing the malicious website or pressing any of the buttons will prompt the download of the APK .", "spans": {"System: Android": [[15, 22]]}, "info": {"id": "cyner_mitre_train_00031", "source": "cyner_mitre_train"}} +{"text": "However , successfully installing this malicious APK requires that the user has allowed the installation of such apps as controlled in the Unknown Sources settings .", "spans": {}, "info": {"id": "cyner_mitre_train_00032", "source": "cyner_mitre_train"}} +{"text": "If users allow such apps to be installed , then it can be actively installed on the victim ’ s device .", "spans": {}, "info": {"id": "cyner_mitre_train_00033", "source": "cyner_mitre_train"}} +{"text": "The infection chain is slightly more roundabout in the case of Apple devices .", "spans": {"System: Apple": [[63, 68]]}, "info": {"id": "cyner_mitre_train_00034", "source": "cyner_mitre_train"}} +{"text": "Accessing the same malicious site would redirect its user to another malicious website ( hxxp : //apple-icloud [ .", "spans": {"Indicator: hxxp : //apple-icloud [ .": [[89, 114]]}, "info": {"id": "cyner_mitre_train_00035", "source": 
"cyner_mitre_train"}} +{"text": "] qwq-japan [ .", "spans": {}, "info": {"id": "cyner_mitre_train_00036", "source": "cyner_mitre_train"}} +{"text": "] com or hxxp : //apple-icloud [ .", "spans": {"Indicator: hxxp : //apple-icloud [ .": [[9, 34]]}, "info": {"id": "cyner_mitre_train_00037", "source": "cyner_mitre_train"}} +{"text": "] zqo-japan [ .", "spans": {}, "info": {"id": "cyner_mitre_train_00038", "source": "cyner_mitre_train"}} +{"text": "] com ) that prompts the user to install a malicious iOS configuration profile to solve a network issue preventing the site to load .", "spans": {"System: iOS": [[53, 56]]}, "info": {"id": "cyner_mitre_train_00039", "source": "cyner_mitre_train"}} +{"text": "If the user installs the profile , the malicious website will open , revealing it to be an Apple phishing site , as seen in figure 2 .", "spans": {"Organization: Apple": [[91, 96]]}, "info": {"id": "cyner_mitre_train_00040", "source": "cyner_mitre_train"}} +{"text": "Technical analysis Most of this new attack ’ s routines are similar to those of the previous XLoader versions .", "spans": {"Malware: XLoader": [[93, 100]]}, "info": {"id": "cyner_mitre_train_00041", "source": "cyner_mitre_train"}} +{"text": "However , as mentioned earlier , an analysis of this new variant showed some changes in its code in line with its new deployment method .", "spans": {}, "info": {"id": "cyner_mitre_train_00042", "source": "cyner_mitre_train"}} +{"text": "We discuss these changes and its effect on Android and Apple devices .", "spans": {"System: Android": [[43, 50]], "System: Apple": [[55, 60]]}, "info": {"id": "cyner_mitre_train_00043", "source": "cyner_mitre_train"}} +{"text": "Malicious APK Like its previous versions , XLoader 6.0 abuses social media user profiles to hide its real C & C addresses , but this time its threat actors chose the social media platform Twitter , which was never used in previous attacks .", "spans": {"Malware: XLoader 6.0": [[43, 54]], "Organization: Twitter": 
[[188, 195]]}, "info": {"id": "cyner_mitre_train_00044", "source": "cyner_mitre_train"}} +{"text": "The real C & C address is encoded in the Twitter names , and can only be revealed once decoded .", "spans": {"Organization: Twitter": [[41, 48]]}, "info": {"id": "cyner_mitre_train_00045", "source": "cyner_mitre_train"}} +{"text": "This adds an extra layer against detection .", "spans": {}, "info": {"id": "cyner_mitre_train_00046", "source": "cyner_mitre_train"}} +{"text": "The code for this characteristic and the corresponding Twitter accounts can be seen in figures 3 and 4 respectively .", "spans": {"Organization: Twitter": [[55, 62]]}, "info": {"id": "cyner_mitre_train_00047", "source": "cyner_mitre_train"}} +{"text": "Version 6.0 also adds a command called “ getPhoneState ” , which collects unique identifiers of mobile devices such as IMSI , ICCID , Android ID , and device serial number .", "spans": {"System: Android": [[134, 141]]}, "info": {"id": "cyner_mitre_train_00048", "source": "cyner_mitre_train"}} +{"text": "This addition is seen in Figure 5 .", "spans": {}, "info": {"id": "cyner_mitre_train_00049", "source": "cyner_mitre_train"}} +{"text": "Considering the other malicious behaviors of XLoader , this added operation could be very dangerous as threat actors can use it to perform targeted attacks .", "spans": {"Malware: XLoader": [[45, 52]]}, "info": {"id": "cyner_mitre_train_00050", "source": "cyner_mitre_train"}} +{"text": "Malicious iOS profile In the case of Apple devices , the downloaded malicious iOS profile gathers the following : Unique device identifier ( UDID ) International Mobile Equipment Identity ( IMEI ) Integrated Circuit Card ID ( ICCID ) Mobile equipment identifier ( MEID ) Version number Product number The profile installations differ depending on the iOS .", "spans": {"System: iOS": [[10, 13], [78, 81], [351, 354]], "System: Apple": [[37, 42]]}, "info": {"id": "cyner_mitre_train_00051", "source": "cyner_mitre_train"}} +{"text": "For 
versions 11.0 and 11.4 , the installation is straightforward .", "spans": {}, "info": {"id": "cyner_mitre_train_00052", "source": "cyner_mitre_train"}} +{"text": "If a user visits the profile host website and allows the installer to download , the iOS system will go directly to the “ Install Profile ” page ( which shows a verified safety certificate ) , and then request the users ’ passcode for the last step of installation .", "spans": {"System: iOS": [[85, 88]]}, "info": {"id": "cyner_mitre_train_00053", "source": "cyner_mitre_train"}} +{"text": "On later versions , specifically iOS 12.1.1 and iOS 12.2 , the process is different .", "spans": {"System: iOS 12.1.1": [[33, 43]], "System: iOS 12.2": [[48, 56]]}, "info": {"id": "cyner_mitre_train_00054", "source": "cyner_mitre_train"}} +{"text": "After the profile is downloaded , the iOS system will first ask users to review the profile in their settings if they want to install it .", "spans": {"System: iOS": [[38, 41]]}, "info": {"id": "cyner_mitre_train_00055", "source": "cyner_mitre_train"}} +{"text": "Users can see a “ Profile Downloaded ” added in their settings ( this feature is in iOS 12.2 , but not on iOS 12.1.1 ) .", "spans": {"System: iOS 12.2": [[84, 92]], "System: iOS 12.1.1": [[106, 116]]}, "info": {"id": "cyner_mitre_train_00056", "source": "cyner_mitre_train"}} +{"text": "This gives users a chance to see details and better understand any changes made .", "spans": {}, "info": {"id": "cyner_mitre_train_00057", "source": "cyner_mitre_train"}} +{"text": "After the review , the process is the same as above .", "spans": {}, "info": {"id": "cyner_mitre_train_00058", "source": "cyner_mitre_train"}} +{"text": "After the profile is installed , the user will then be redirected to another Apple phishing site .", "spans": {"Organization: Apple": [[77, 82]]}, "info": {"id": "cyner_mitre_train_00059", "source": "cyner_mitre_train"}} +{"text": "The phishing site uses the gathered information as its GET parameter , 
allowing the attacker to access the stolen information .", "spans": {}, "info": {"id": "cyner_mitre_train_00060", "source": "cyner_mitre_train"}} +{"text": "Ongoing activity While monitoring this particular threat , we found another XLoader variant posing as a pornography app aimed at South Korean users .", "spans": {"Malware: XLoader": [[76, 83]]}, "info": {"id": "cyner_mitre_train_00061", "source": "cyner_mitre_train"}} +{"text": "The \" porn kr sex '' APK connects to a malicious website that runs XLoader in the background .", "spans": {"Malware: XLoader": [[67, 74]]}, "info": {"id": "cyner_mitre_train_00062", "source": "cyner_mitre_train"}} +{"text": "The website uses a different fixed twitter account ( https : //twitter.com/fdgoer343 ) .", "spans": {"Organization: twitter": [[35, 42]], "Indicator: https : //twitter.com/fdgoer343": [[53, 84]]}, "info": {"id": "cyner_mitre_train_00063", "source": "cyner_mitre_train"}} +{"text": "This attack , however , seems exclusive to Android users , as it does not have the code to attack iOS devices .", "spans": {"System: Android": [[43, 50]], "System: iOS": [[98, 101]]}, "info": {"id": "cyner_mitre_train_00064", "source": "cyner_mitre_train"}} +{"text": "Succeeding monitoring efforts revealed a newer variant that exploits the social media platforms Instagram and Tumblr instead of Twitter to hide its C & C address .", "spans": {"Organization: Instagram": [[96, 105]], "Organization: Tumblr": [[110, 116]], "Organization: Twitter": [[128, 135]]}, "info": {"id": "cyner_mitre_train_00065", "source": "cyner_mitre_train"}} +{"text": "We labeled this new variant XLoader version 7.0 , because of the different deployment method and its use of the native code to load the payload and hide in Instagram and Tumblr profiles .", "spans": {"Malware: XLoader": [[28, 35]], "Organization: Instagram": [[156, 165]], "Organization: Tumblr": [[170, 176]]}, "info": {"id": "cyner_mitre_train_00066", "source": "cyner_mitre_train"}} +{"text": "These 
more recent developments indicate that XLoader is still evolving .", "spans": {"Malware: XLoader": [[45, 52]]}, "info": {"id": "cyner_mitre_train_00067", "source": "cyner_mitre_train"}} +{"text": "Adding connections to FakeSpy We have been seeing activity from XLoader since 2018 , and have since followed up our initial findings with a detailed research revealing a wealth of activity dating back to as early as January 2015 , which outlined a major discovery—its connection to FakeSpy .", "spans": {"Malware: FakeSpy": [[22, 29], [282, 289]], "Malware: XLoader": [[64, 71]]}, "info": {"id": "cyner_mitre_train_00068", "source": "cyner_mitre_train"}} +{"text": "The emergence of XLoader 6.0 does not only indicate that the threat actors behind it remain active ; it also holds fresh evidence of its connection to FakeSpy .", "spans": {"Malware: XLoader 6.0": [[17, 28]], "Malware: FakeSpy": [[151, 158]]}, "info": {"id": "cyner_mitre_train_00069", "source": "cyner_mitre_train"}} +{"text": "One such immediately apparent connection was the similar deployment technique used by both XLoader 6.0 and FakeSpy .", "spans": {"Malware: XLoader 6.0": [[91, 102]], "Malware: FakeSpy": [[107, 114]]}, "info": {"id": "cyner_mitre_train_00070", "source": "cyner_mitre_train"}} +{"text": "It had again cloned a different legitimate Japanese website to host its malicious app , similar to what FakeSpy had also done before .", "spans": {"Malware: FakeSpy": [[104, 111]]}, "info": {"id": "cyner_mitre_train_00071", "source": "cyner_mitre_train"}} +{"text": "Their similarity is made more apparent by looking at their naming method for downloadable files , domain structure of fake websites and other details of their deployment techniques , exemplified in figure 10 .", "spans": {}, "info": {"id": "cyner_mitre_train_00072", "source": "cyner_mitre_train"}} +{"text": "XLoader 6.0 also mirrors the way FakeSpy hides its real C & C server .", "spans": {"Malware: XLoader 6.0": [[0, 11]], "Malware: FakeSpy": [[33, 
40]]}, "info": {"id": "cyner_mitre_train_00073", "source": "cyner_mitre_train"}} +{"text": "When before it had used several different social media platforms , it now uses the Twitter platform , something FakeSpy has done in its past attacks .", "spans": {"Organization: Twitter": [[83, 90]], "Malware: FakeSpy": [[112, 119]]}, "info": {"id": "cyner_mitre_train_00074", "source": "cyner_mitre_train"}} +{"text": "Analysis of the malicious iOS profile also revealed further connections , as the profile can also be downloaded from a website that FakeSpy deployed early this year .", "spans": {"System: iOS": [[26, 29]], "Malware: FakeSpy": [[132, 139]]}, "info": {"id": "cyner_mitre_train_00075", "source": "cyner_mitre_train"}} +{"text": "Conclusion and security recommendations The continued monitoring of XLoader showed how its operators continuously changed its features , such as its attack vector deployment infrastructure and deployment techniques .", "spans": {"Malware: XLoader": [[68, 75]]}, "info": {"id": "cyner_mitre_train_00076", "source": "cyner_mitre_train"}} +{"text": "This newest entry seems to indicate that these changes won ’ t be stopping soon .", "spans": {}, "info": {"id": "cyner_mitre_train_00077", "source": "cyner_mitre_train"}} +{"text": "Being aware of this fact can help create defensive strategies , as well as prepare for upcoming attacks .", "spans": {}, "info": {"id": "cyner_mitre_train_00078", "source": "cyner_mitre_train"}} +{"text": "In addition , just as uncovering new characteristics is important , finding ones we ’ ve also seen in a different malware family like FakeSpy also provides valuable insight .", "spans": {"Malware: FakeSpy": [[134, 141]]}, "info": {"id": "cyner_mitre_train_00079", "source": "cyner_mitre_train"}} +{"text": "Links between XLoader and FakeSpy can give clues to the much broader inner workings of the threat actors behind them .", "spans": {"Malware: XLoader": [[14, 21]], "Malware: FakeSpy": [[26, 33]]}, "info": {"id": 
"cyner_mitre_train_00080", "source": "cyner_mitre_train"}} +{"text": "Perhaps more information on XLoader will be known in the future .", "spans": {"Malware: XLoader": [[28, 35]]}, "info": {"id": "cyner_mitre_train_00081", "source": "cyner_mitre_train"}} +{"text": "For now , users can make the best of the knowledge they have now to significantly reduce the effectivity of such malware .", "spans": {}, "info": {"id": "cyner_mitre_train_00082", "source": "cyner_mitre_train"}} +{"text": "Users of iOS can remove the malicious profile using the Apple Configurator 2 , Apple ’ s official iOS helper app for managing Apple devices .", "spans": {"System: iOS": [[9, 12], [98, 101]], "Organization: Apple": [[56, 61], [79, 84], [126, 131]]}, "info": {"id": "cyner_mitre_train_00083", "source": "cyner_mitre_train"}} +{"text": "Following simple best practices , like strictly downloading applications or any files from trusted sources and being wary of unsolicited messages , can also prevent similar attacks from compromising devices .", "spans": {}, "info": {"id": "cyner_mitre_train_00084", "source": "cyner_mitre_train"}} +{"text": "Indicators of Compromise SHA256 Package App label 332e68d865009d627343b89a5744843e3fde4ae870193f36b82980363439a425 ufD.wykyx.vlhvh SEX kr porn 403401aa71df1830d294b78de0e5e867ee3738568369c48ffafe1b15f3145588 ufD.wyjyx.vahvh 佐川急便 466dafa82a4460dcad722d2ad9b8ca332e9a896fc59f06e16ebe981ad3838a6b", "spans": {"Indicator: 332e68d865009d627343b89a5744843e3fde4ae870193f36b82980363439a425": [[50, 114]], "Indicator: ufD.wykyx.vlhvh": [[115, 130]], "Indicator: 403401aa71df1830d294b78de0e5e867ee3738568369c48ffafe1b15f3145588": [[143, 207]], "Indicator: ufD.wyjyx.vahvh": [[208, 223]], "Indicator: 466dafa82a4460dcad722d2ad9b8ca332e9a896fc59f06e16ebe981ad3838a6b": [[229, 293]]}, "info": {"id": "cyner_mitre_train_00085", "source": "cyner_mitre_train"}} +{"text": "com.dhp.ozqh Facebook 5022495104c280286e65184e3164f3f248356d065ad76acef48ee2ce244ffdc8 ufD.wyjyx.vahvh Anshin 
Scan a0f3df39d20c4eaa410a61a527507dbc6b17c7f974f76e13181e98225bda0511 com.aqyh.xolo 佐川急便 cb412b9a26c1e51ece7a0e6f98f085e1c27aa0251172bf0a361eb5d1165307f7", "spans": {"Indicator: com.dhp.ozqh": [[0, 12]], "Organization: Facebook": [[13, 21]], "Indicator: 5022495104c280286e65184e3164f3f248356d065ad76acef48ee2ce244ffdc8": [[22, 86]], "Indicator: ufD.wyjyx.vahvh": [[87, 102]], "Indicator: a0f3df39d20c4eaa410a61a527507dbc6b17c7f974f76e13181e98225bda0511": [[115, 179]], "Indicator: com.aqyh.xolo": [[180, 193]], "Indicator: cb412b9a26c1e51ece7a0e6f98f085e1c27aa0251172bf0a361eb5d1165307f7": [[199, 263]]}, "info": {"id": "cyner_mitre_train_00086", "source": "cyner_mitre_train"}} +{"text": "jp.co.sagawa.SagawaOfficialApp 佐川急便 Malicious URLs : hxxp : //38 [ .", "spans": {"Indicator: jp.co.sagawa.SagawaOfficialApp": [[0, 30]], "Indicator: hxxp : //38 [ .": [[53, 68]]}, "info": {"id": "cyner_mitre_train_00087", "source": "cyner_mitre_train"}} +{"text": "] 27 [ .", "spans": {}, "info": {"id": "cyner_mitre_train_00088", "source": "cyner_mitre_train"}} +{"text": "] 99 [ .", "spans": {}, "info": {"id": "cyner_mitre_train_00089", "source": "cyner_mitre_train"}} +{"text": "] 11/xvideo/ hxxp : //apple-icloud [ .", "spans": {"Indicator: hxxp : //apple-icloud [ .": [[13, 38]]}, "info": {"id": "cyner_mitre_train_00090", "source": "cyner_mitre_train"}} +{"text": "] qwe-japan [ .", "spans": {}, "info": {"id": "cyner_mitre_train_00091", "source": "cyner_mitre_train"}} +{"text": "] com hxxp : //apple-icloud [ .", "spans": {"Indicator: hxxp : //apple-icloud [ .": [[6, 31]]}, "info": {"id": "cyner_mitre_train_00092", "source": "cyner_mitre_train"}} +{"text": "] qwq-japan [ .", "spans": {}, "info": {"id": "cyner_mitre_train_00093", "source": "cyner_mitre_train"}} +{"text": "] com/ hxxp : //apple-icloud [ .", "spans": {"Indicator: hxxp : //apple-icloud [ .": [[7, 32]]}, "info": {"id": "cyner_mitre_train_00094", "source": "cyner_mitre_train"}} +{"text": "] zqo-japan [ .", "spans": {}, "info": 
{"id": "cyner_mitre_train_00095", "source": "cyner_mitre_train"}} +{"text": "] com/ hxxp : //files.spamo [ .", "spans": {"Indicator: hxxp : //files.spamo [ .": [[7, 31]]}, "info": {"id": "cyner_mitre_train_00096", "source": "cyner_mitre_train"}} +{"text": "] jp/佐川急便.apk hxxp : //mailsa-qae [ .", "spans": {"Indicator: hxxp : //mailsa-qae [ .": [[14, 37]]}, "info": {"id": "cyner_mitre_train_00097", "source": "cyner_mitre_train"}} +{"text": "] com hxxp : //mailsa-qaf [ .", "spans": {"Indicator: hxxp : //mailsa-qaf [ .": [[6, 29]]}, "info": {"id": "cyner_mitre_train_00098", "source": "cyner_mitre_train"}} +{"text": "] com hxxp : //mailsa-qau [ .", "spans": {"Indicator: hxxp : //mailsa-qau [ .": [[6, 29]]}, "info": {"id": "cyner_mitre_train_00099", "source": "cyner_mitre_train"}} +{"text": "] com hxxp : //mailsa-qaw [ .", "spans": {"Indicator: hxxp : //mailsa-qaw [ .": [[6, 29]]}, "info": {"id": "cyner_mitre_train_00100", "source": "cyner_mitre_train"}} +{"text": "] com hxxp : //mailsa-wqe [ .", "spans": {"Indicator: hxxp : //mailsa-wqe [ .": [[6, 29]]}, "info": {"id": "cyner_mitre_train_00101", "source": "cyner_mitre_train"}} +{"text": "] com hxxp : //mailsa-wqo [ .", "spans": {"Indicator: hxxp : //mailsa-wqo [ .": [[6, 29]]}, "info": {"id": "cyner_mitre_train_00102", "source": "cyner_mitre_train"}} +{"text": "] com hxxp : //mailsa-wqp [ .", "spans": {"Indicator: hxxp : //mailsa-wqp [ .": [[6, 29]]}, "info": {"id": "cyner_mitre_train_00103", "source": "cyner_mitre_train"}} +{"text": "] com hxxp : //mailsa-wqq [ .", "spans": {"Indicator: hxxp : //mailsa-wqq [ .": [[6, 29]]}, "info": {"id": "cyner_mitre_train_00104", "source": "cyner_mitre_train"}} +{"text": "] com hxxp : //mailsa-wqu [ .", "spans": {"Indicator: hxxp : //mailsa-wqu [ .": [[6, 29]]}, "info": {"id": "cyner_mitre_train_00105", "source": "cyner_mitre_train"}} +{"text": "] com hxxp : //mailsa-wqw [ .", "spans": {"Indicator: hxxp : //mailsa-wqw [ .": [[6, 29]]}, "info": {"id": "cyner_mitre_train_00106", 
"source": "cyner_mitre_train"}} +{"text": "] com hxxp : //nttdocomo-qae [ .", "spans": {"Indicator: hxxp : //nttdocomo-qae [ .": [[6, 32]]}, "info": {"id": "cyner_mitre_train_00107", "source": "cyner_mitre_train"}} +{"text": "] com hxxp : //nttdocomo-qaq [ .", "spans": {"Indicator: hxxp : //nttdocomo-qaq [ .": [[6, 32]]}, "info": {"id": "cyner_mitre_train_00108", "source": "cyner_mitre_train"}} +{"text": "] com hxxp : //nttdocomo-qaq [ .", "spans": {"Indicator: hxxp : //nttdocomo-qaq [ .": [[6, 32]]}, "info": {"id": "cyner_mitre_train_00109", "source": "cyner_mitre_train"}} +{"text": "] com/aa hxxp : //nttdocomo-qar [ .", "spans": {"Indicator: hxxp : //nttdocomo-qar [ .": [[9, 35]]}, "info": {"id": "cyner_mitre_train_00110", "source": "cyner_mitre_train"}} +{"text": "] com hxxp : //nttdocomo-qat [ .", "spans": {"Indicator: hxxp : //nttdocomo-qat [ .": [[6, 32]]}, "info": {"id": "cyner_mitre_train_00111", "source": "cyner_mitre_train"}} +{"text": "] com hxxp : //nttdocomo-qaw [ .", "spans": {"Indicator: hxxp : //nttdocomo-qaw [ .": [[6, 32]]}, "info": {"id": "cyner_mitre_train_00112", "source": "cyner_mitre_train"}} +{"text": "] com hxxp : //sagawa-reg [ .", "spans": {"Indicator: hxxp : //sagawa-reg [ .": [[6, 29]]}, "info": {"id": "cyner_mitre_train_00113", "source": "cyner_mitre_train"}} +{"text": "] com/ hxxp : //www [ .", "spans": {"Indicator: hxxp : //www [ .": [[7, 23]]}, "info": {"id": "cyner_mitre_train_00114", "source": "cyner_mitre_train"}} +{"text": "] 711231 [ .", "spans": {}, "info": {"id": "cyner_mitre_train_00115", "source": "cyner_mitre_train"}} +{"text": "] com hxxp : //www [ .", "spans": {"Indicator: hxxp : //www [ .": [[6, 22]]}, "info": {"id": "cyner_mitre_train_00116", "source": "cyner_mitre_train"}} +{"text": "] 759383 [ .", "spans": {}, "info": {"id": "cyner_mitre_train_00117", "source": "cyner_mitre_train"}} +{"text": "] com hxxp : //www [ .", "spans": {"Indicator: hxxp : //www [ .": [[6, 22]]}, "info": {"id": "cyner_mitre_train_00118", 
"source": "cyner_mitre_train"}} +{"text": "] 923525 [ .", "spans": {}, "info": {"id": "cyner_mitre_train_00119", "source": "cyner_mitre_train"}} +{"text": "] com hxxp : //www [ .", "spans": {"Indicator: hxxp : //www [ .": [[6, 22]]}, "info": {"id": "cyner_mitre_train_00120", "source": "cyner_mitre_train"}} +{"text": "] 923915 [ .", "spans": {}, "info": {"id": "cyner_mitre_train_00121", "source": "cyner_mitre_train"}} +{"text": "] com hxxp : //www [ .", "spans": {"Indicator: hxxp : //www [ .": [[6, 22]]}, "info": {"id": "cyner_mitre_train_00122", "source": "cyner_mitre_train"}} +{"text": "] 975685 [ .", "spans": {}, "info": {"id": "cyner_mitre_train_00123", "source": "cyner_mitre_train"}} +{"text": "] com Malicious Twitter accounts : https : //twitter.com/lucky88755 https : //twitter.com/lucky98745 https : //twitter.com/lucky876543 https : //twitter.com/luckyone1232 https : //twitter.com/sadwqewqeqw https : //twitter.com/gyugyu87418490 https : //twitter.com/fdgoer343 https : //twitter.com/sdfghuio342 https : //twitter.com/asdqweqweqeqw https : //twitter.com/ukenivor3", "spans": {"Organization: Twitter": [[16, 23]], "Indicator: https : //twitter.com/lucky88755": [[35, 67]], "Indicator: https : //twitter.com/lucky98745": [[68, 100]], "Indicator: https : //twitter.com/lucky876543": [[101, 134]], "Indicator: https : //twitter.com/luckyone1232": [[135, 169]], "Indicator: https : //twitter.com/sadwqewqeqw": [[170, 203]], "Indicator: https : //twitter.com/gyugyu87418490": [[204, 240]], "Indicator: https : //twitter.com/fdgoer343": [[241, 272]], "Indicator: https : //twitter.com/sdfghuio342": [[273, 306]], "Indicator: https : //twitter.com/asdqweqweqeqw": [[307, 342]], "Indicator: https : //twitter.com/ukenivor3": [[343, 374]]}, "info": {"id": "cyner_mitre_train_00124", "source": "cyner_mitre_train"}} +{"text": "Malicious Instagram account : https : //www.instagram.com/freedomguidepeople1830/ Malicious Tumblr accounts : https : //mainsheetgyam.tumblr.com/ https : 
//hormonaljgrj.tumblr.com/ https : //globalanab.tumblr.com/ C & C addresses : 104 [ .", "spans": {"Organization: Instagram": [[10, 19]], "Indicator: https : //www.instagram.com/freedomguidepeople1830/": [[30, 81]], "Organization: Tumblr": [[92, 98]], "Indicator: https : //mainsheetgyam.tumblr.com/": [[110, 145]], "Indicator: https : //hormonaljgrj.tumblr.com/": [[146, 180]], "Indicator: https : //globalanab.tumblr.com/": [[181, 213]], "Indicator: 104 [ .": [[232, 239]]}, "info": {"id": "cyner_mitre_train_00125", "source": "cyner_mitre_train"}} +{"text": "] 160 [ .", "spans": {}, "info": {"id": "cyner_mitre_train_00126", "source": "cyner_mitre_train"}} +{"text": "] 191 [ .", "spans": {}, "info": {"id": "cyner_mitre_train_00127", "source": "cyner_mitre_train"}} +{"text": "] 190:8822 61 [ .", "spans": {"Indicator: 61 [ .": [[11, 17]]}, "info": {"id": "cyner_mitre_train_00128", "source": "cyner_mitre_train"}} +{"text": "] 230 [ .", "spans": {}, "info": {"id": "cyner_mitre_train_00129", "source": "cyner_mitre_train"}} +{"text": "] 204 [ .", "spans": {}, "info": {"id": "cyner_mitre_train_00130", "source": "cyner_mitre_train"}} +{"text": "] 87:28833 61 [ .", "spans": {"Indicator: 61 [ .": [[11, 17]]}, "info": {"id": "cyner_mitre_train_00131", "source": "cyner_mitre_train"}} +{"text": "] 230 [ .", "spans": {}, "info": {"id": "cyner_mitre_train_00132", "source": "cyner_mitre_train"}} +{"text": "] 204 [ .", "spans": {}, "info": {"id": "cyner_mitre_train_00133", "source": "cyner_mitre_train"}} +{"text": "] 87:28844 61 [ .", "spans": {"Indicator: 61 [ .": [[11, 17]]}, "info": {"id": "cyner_mitre_train_00134", "source": "cyner_mitre_train"}} +{"text": "] 230 [ .", "spans": {}, "info": {"id": "cyner_mitre_train_00135", "source": "cyner_mitre_train"}} +{"text": "] 204 [ .", "spans": {}, "info": {"id": "cyner_mitre_train_00136", "source": "cyner_mitre_train"}} +{"text": "] 87:28855 61 [ .", "spans": {"Indicator: 61 [ .": [[11, 17]]}, "info": {"id": "cyner_mitre_train_00137", 
"source": "cyner_mitre_train"}} +{"text": "] 230 [ .", "spans": {}, "info": {"id": "cyner_mitre_train_00138", "source": "cyner_mitre_train"}} +{"text": "] 205 [ .", "spans": {}, "info": {"id": "cyner_mitre_train_00139", "source": "cyner_mitre_train"}} +{"text": "] 122:28833 61 [ .", "spans": {"Indicator: 61 [ .": [[12, 18]]}, "info": {"id": "cyner_mitre_train_00140", "source": "cyner_mitre_train"}} +{"text": "] 230 [ .", "spans": {}, "info": {"id": "cyner_mitre_train_00141", "source": "cyner_mitre_train"}} +{"text": "] 205 [ .", "spans": {}, "info": {"id": "cyner_mitre_train_00142", "source": "cyner_mitre_train"}} +{"text": "] 122:28844 61 [ .", "spans": {"Indicator: 61 [ .": [[12, 18]]}, "info": {"id": "cyner_mitre_train_00143", "source": "cyner_mitre_train"}} +{"text": "] 230 [ .", "spans": {}, "info": {"id": "cyner_mitre_train_00144", "source": "cyner_mitre_train"}} +{"text": "] 205 [ .", "spans": {}, "info": {"id": "cyner_mitre_train_00145", "source": "cyner_mitre_train"}} +{"text": "] 122:28855 61 [ .", "spans": {"Indicator: 61 [ .": [[12, 18]]}, "info": {"id": "cyner_mitre_train_00146", "source": "cyner_mitre_train"}} +{"text": "] 230 [ .", "spans": {}, "info": {"id": "cyner_mitre_train_00147", "source": "cyner_mitre_train"}} +{"text": "] 205 [ .", "spans": {}, "info": {"id": "cyner_mitre_train_00148", "source": "cyner_mitre_train"}} +{"text": "] 132:28833 61 [ .", "spans": {"Indicator: 61 [ .": [[12, 18]]}, "info": {"id": "cyner_mitre_train_00149", "source": "cyner_mitre_train"}} +{"text": "] 230 [ .", "spans": {}, "info": {"id": "cyner_mitre_train_00150", "source": "cyner_mitre_train"}} +{"text": "] 205 [ .", "spans": {}, "info": {"id": "cyner_mitre_train_00151", "source": "cyner_mitre_train"}} +{"text": "] 132:28844 61 [ .", "spans": {"Indicator: 61 [ .": [[12, 18]]}, "info": {"id": "cyner_mitre_train_00152", "source": "cyner_mitre_train"}} +{"text": "] 230 [ .", "spans": {}, "info": {"id": "cyner_mitre_train_00153", "source": "cyner_mitre_train"}} 
+{"text": "] 205 [ .", "spans": {}, "info": {"id": "cyner_mitre_train_00154", "source": "cyner_mitre_train"}} +{"text": "] 132:28855 GoldenCup : New Cyber Threat Targeting World Cup Fans As the World Cup launches , so does a new threat Officials from the Israeli Defense Force recently uncovered an Android Spyware campaign targeting Israeli soldiers and orchestrated by \" Hamas .", "spans": {"Malware: GoldenCup": [[12, 21]], "Organization: Israeli Defense Force": [[134, 155]], "System: Android": [[178, 185]], "Organization: Hamas": [[252, 257]]}, "info": {"id": "cyner_mitre_train_00155", "source": "cyner_mitre_train"}} +{"text": "'' The latest samples attributed to this campaign were discovered by security researchers from ClearSky .", "spans": {"Organization: ClearSky": [[95, 103]]}, "info": {"id": "cyner_mitre_train_00156", "source": "cyner_mitre_train"}} +{"text": "In our research , we focus on the most recent sample , an application dubbed as \" Golden Cup '' , launched just before the start of World Cup 2018 .", "spans": {"Malware: Golden Cup": [[82, 92]]}, "info": {"id": "cyner_mitre_train_00157", "source": "cyner_mitre_train"}} +{"text": "Distribution / Infection When this campaign started at the start of 2018 , the malware ( \" GlanceLove '' , \" WinkChat '' ) was distributed by the perpetrators mainly via fake Facebook profiles , attempting to seduce IDF soldiers to socialize on a different platform ( their malware ) .", "spans": {"Malware: GlanceLove": [[91, 101]], "Malware: WinkChat": [[109, 117]], "System: Facebook": [[175, 183]]}, "info": {"id": "cyner_mitre_train_00158", "source": "cyner_mitre_train"}} +{"text": "As this approach was not a great success , their last attempt was to quickly create a World Cup app and this time distribute it to Israeli citizens , not just soldiers .", "spans": {}, "info": {"id": "cyner_mitre_train_00159", "source": "cyner_mitre_train"}} +{"text": "The official “ Golden Cup ” Facebook page .", "spans": {"Malware: Golden 
Cup": [[15, 25]], "System: Facebook": [[28, 36]]}, "info": {"id": "cyner_mitre_train_00160", "source": "cyner_mitre_train"}} +{"text": "The short URL redirects to the application page at Google Play .", "spans": {"System: Google Play": [[51, 62]]}, "info": {"id": "cyner_mitre_train_00161", "source": "cyner_mitre_train"}} +{"text": "The official “ Golden Cup ” Facebook page .", "spans": {"Malware: Golden Cup": [[15, 25]], "System: Facebook": [[28, 36]]}, "info": {"id": "cyner_mitre_train_00162", "source": "cyner_mitre_train"}} +{"text": "The short URL redirects to the application page at Google Play .", "spans": {"System: Google Play": [[51, 62]]}, "info": {"id": "cyner_mitre_train_00163", "source": "cyner_mitre_train"}} +{"text": "We assume it was rushed because , unlike GlanceLove , it lacked any real obfuscation .", "spans": {"Malware: GlanceLove": [[41, 51]]}, "info": {"id": "cyner_mitre_train_00164", "source": "cyner_mitre_train"}} +{"text": "Even the C & C server side was mostly exposed with the file listing available for everyone to traverse through it .", "spans": {}, "info": {"id": "cyner_mitre_train_00165", "source": "cyner_mitre_train"}} +{"text": "It contained approximately 8GB of stolen data .", "spans": {}, "info": {"id": "cyner_mitre_train_00166", "source": "cyner_mitre_train"}} +{"text": "A recent whois of “ goldncup.com ” .", "spans": {"Indicator: goldncup.com": [[20, 32]]}, "info": {"id": "cyner_mitre_train_00167", "source": "cyner_mitre_train"}} +{"text": "Creation date is a week before the start of the tournament .", "spans": {}, "info": {"id": "cyner_mitre_train_00168", "source": "cyner_mitre_train"}} +{"text": "A recent whois of “ goldncup.com ” .", "spans": {"Indicator: goldncup.com": [[20, 32]]}, "info": {"id": "cyner_mitre_train_00169", "source": "cyner_mitre_train"}} +{"text": "Creation date is a week before the start of the tournament .", "spans": {}, "info": {"id": "cyner_mitre_train_00170", "source": "cyner_mitre_train"}} +{"text": "How 
it Works In order to get into the Google Play Store , the malware uses a phased approach which is quite a common practice for malware authors these days .", "spans": {"System: Google Play": [[38, 49]]}, "info": {"id": "cyner_mitre_train_00171", "source": "cyner_mitre_train"}} +{"text": "The original app looks innocent , with most of its code aimed at implementing the real features that the app claims to provide .", "spans": {}, "info": {"id": "cyner_mitre_train_00172", "source": "cyner_mitre_train"}} +{"text": "In addition , it collects identifiers and some data from the device .", "spans": {}, "info": {"id": "cyner_mitre_train_00173", "source": "cyner_mitre_train"}} +{"text": "After getting a command from the C & C , the app is able to download a malicious payload in the form of a .dex file that is being dynamically loaded adding the additional malicious capabilities .", "spans": {}, "info": {"id": "cyner_mitre_train_00174", "source": "cyner_mitre_train"}} +{"text": "In this way , the malware authors can submit their app and add the malicious capabilities only after their app is live on the Play Store .", "spans": {"System: Play Store": [[126, 136]]}, "info": {"id": "cyner_mitre_train_00175", "source": "cyner_mitre_train"}} +{"text": "Communication with the C & C In order to communicate with its C & C , the app uses the MQTT ( Message Queuing Telemetry Transport ) protocol , which is transported over TCP port 1883 .", "spans": {"Indicator: TCP port 1883": [[169, 182]]}, "info": {"id": "cyner_mitre_train_00176", "source": "cyner_mitre_train"}} +{"text": "Initiating the MQTT client .", "spans": {}, "info": {"id": "cyner_mitre_train_00177", "source": "cyner_mitre_train"}} +{"text": "Initiating the MQTT client .", "spans": {}, "info": {"id": "cyner_mitre_train_00178", "source": "cyner_mitre_train"}} +{"text": "Initiating the MQTT client .", "spans": {}, "info": {"id": "cyner_mitre_train_00179", "source": "cyner_mitre_train"}} +{"text": "The app connects to the MQTT 
broker with hardcoded username and password and a unique device identifier generated for each device .", "spans": {}, "info": {"id": "cyner_mitre_train_00180", "source": "cyner_mitre_train"}} +{"text": "The MQTT connection to broker The MQTT connection to broker The MQTT communication is used primarily to update the device state and get commands from the C & C .", "spans": {}, "info": {"id": "cyner_mitre_train_00181", "source": "cyner_mitre_train"}} +{"text": "It uses different topics that include the unique device identifier , which side is sending the message , and whether it is information message or command .", "spans": {}, "info": {"id": "cyner_mitre_train_00182", "source": "cyner_mitre_train"}} +{"text": "HTTP Communication In addition to the MQTT communication , the app also uses plain text HTTP communication in order to download the .dex file and upload collected data .", "spans": {}, "info": {"id": "cyner_mitre_train_00183", "source": "cyner_mitre_train"}} +{"text": "All of the files that are being uploaded or downloaded are zip files encrypted by AES with ECB mode .", "spans": {}, "info": {"id": "cyner_mitre_train_00184", "source": "cyner_mitre_train"}} +{"text": "The key for each file is generated randomly and stored in the encrypted file with a fixed offset .", "spans": {}, "info": {"id": "cyner_mitre_train_00185", "source": "cyner_mitre_train"}} +{"text": "In order to upload the file , the app uses a basic REST communication with the server , checking if the file exists and uploading it if it isn ’ t .", "spans": {}, "info": {"id": "cyner_mitre_train_00186", "source": "cyner_mitre_train"}} +{"text": "The path that is used for the uploads is : http : // /apps/d/p/op.php The communication looks like this : First Phase The first phase of the app ’ s attack flow collects device information and a list of apps installed on the device .", "spans": {"Indicator: http : // /apps/d/p/op.php": [[43, 69]]}, "info": {"id": "cyner_mitre_train_00187", "source": 
"cyner_mitre_train"}} +{"text": "These are then uploaded to the C & C HTTP server .", "spans": {}, "info": {"id": "cyner_mitre_train_00188", "source": "cyner_mitre_train"}} +{"text": "The collection of basic device information .", "spans": {}, "info": {"id": "cyner_mitre_train_00189", "source": "cyner_mitre_train"}} +{"text": "The collection of basic device information .", "spans": {}, "info": {"id": "cyner_mitre_train_00190", "source": "cyner_mitre_train"}} +{"text": "In addition , at this stage the app can process one of these commands : • Collect device info • Install app • Is online ?", "spans": {}, "info": {"id": "cyner_mitre_train_00191", "source": "cyner_mitre_train"}} +{"text": "• Change server domain Out of these , the most interesting command is the “ install app ” command that downloads an encrypted zip file containing the second phase dex file , unpacks and loads it .", "spans": {}, "info": {"id": "cyner_mitre_train_00192", "source": "cyner_mitre_train"}} +{"text": "Second Phase The second phase dex file contains 3 main services that are being used : • ConnManager - handles connections to the C & C • ReceiverManager - waits for incoming calls / app installations • TaskManager - manages the data collection tasks The C & C server address is different than the one that is used by the first phase , so the app reconnects to the new server as well as starts the periodic data collector tasks .", "spans": {}, "info": {"id": "cyner_mitre_train_00193", "source": "cyner_mitre_train"}} +{"text": "By analyzing the TaskManager class we can see the new commands that are supported at this stage : As can be seen in the code snippet above , there are quite a lot of data collection tasks that are now available : Collect device info Track location Upload contacts information Upload sent and received SMS messages Upload images Upload video files Send recursive dirlist of the external storage Upload specific files Record audio using the microphone Record calls Use the camera 
to capture bursts of snapshots Those tasks can either run periodically , on event ( such as incoming call ) or when getting", "spans": {}, "info": {"id": "cyner_mitre_train_00194", "source": "cyner_mitre_train"}} +{"text": "a command from the C & C server .", "spans": {}, "info": {"id": "cyner_mitre_train_00195", "source": "cyner_mitre_train"}} +{"text": "Mitigations Stay protected from mobile malware by taking these precautions : Do not download apps from unfamiliar sites Only install apps from trusted sources Pay close attention to the permissions requested by apps Install a suitable mobile security app , such as SEP Mobile or Norton , to protect your device and data Keep your operating system up to date Make frequent backups of important data Indicators of Compromise ( IoCs ) Package names : anew.football.cup.world.com.worldcup com.coder.glancelove com.winkchat APK SHA2 : 166f3a863bb2b66bda9c76dccf9529d5237f6394721f46635b053870eb2fcc5a", "spans": {"Indicator: anew.football.cup.world.com.worldcup": [[448, 484]], "Indicator: com.coder.glancelove com.winkchat": [[485, 518]], "Indicator: 166f3a863bb2b66bda9c76dccf9529d5237f6394721f46635b053870eb2fcc5a": [[530, 594]]}, "info": {"id": "cyner_mitre_train_00196", "source": "cyner_mitre_train"}} +{"text": "b45defca452a640b303288131eb64c485f442aae0682a3c56489d24d59439b47 d9601735d674a9e55546fde0bffde235bc5f2546504b31799d874e8c31d5b6e9 2ce54d93510126fca83031f9521e40cd8460ae564d3d927e17bd63fb4cb20edc 67b1a1e7b505ac510322b9d4f4fc1e8a569d6d644582b588faccfeeaa4922cb7", "spans": {"Indicator: b45defca452a640b303288131eb64c485f442aae0682a3c56489d24d59439b47": [[0, 64]], "Indicator: d9601735d674a9e55546fde0bffde235bc5f2546504b31799d874e8c31d5b6e9": [[65, 129]], "Indicator: 2ce54d93510126fca83031f9521e40cd8460ae564d3d927e17bd63fb4cb20edc": [[130, 194]], "Indicator: 67b1a1e7b505ac510322b9d4f4fc1e8a569d6d644582b588faccfeeaa4922cb7": [[195, 259]]}, "info": {"id": "cyner_mitre_train_00197", "source": "cyner_mitre_train"}} +{"text": 
"1664cb343ee830fa94725fed143b119f7e2351307ed0ce04724b23469b9002f2 Loaded DEX SHA2 : afaf446a337bf93301b1d72855ccdd76112595f6e4369d977bea6f9721edf37e Domain/IP : goldncup [ .", "spans": {"Indicator: 1664cb343ee830fa94725fed143b119f7e2351307ed0ce04724b23469b9002f2": [[0, 64]], "Indicator: afaf446a337bf93301b1d72855ccdd76112595f6e4369d977bea6f9721edf37e": [[83, 147]], "Indicator: goldncup [ .": [[160, 172]]}, "info": {"id": "cyner_mitre_train_00198", "source": "cyner_mitre_train"}} +{"text": "] com glancelove [ .", "spans": {"Indicator: glancelove [ .": [[6, 20]]}, "info": {"id": "cyner_mitre_train_00199", "source": "cyner_mitre_train"}} +{"text": "] com autoandroidup [ .", "spans": {"Indicator: autoandroidup [ .": [[6, 23]]}, "info": {"id": "cyner_mitre_train_00200", "source": "cyner_mitre_train"}} +{"text": "] website mobilestoreupdate [ .", "spans": {"Indicator: mobilestoreupdate [ .": [[10, 31]]}, "info": {"id": "cyner_mitre_train_00201", "source": "cyner_mitre_train"}} +{"text": "] website updatemobapp [ .", "spans": {"Indicator: updatemobapp [ .": [[10, 26]]}, "info": {"id": "cyner_mitre_train_00202", "source": "cyner_mitre_train"}} +{"text": "] website 107 [ .", "spans": {"Indicator: 107 [ .": [[10, 17]]}, "info": {"id": "cyner_mitre_train_00203", "source": "cyner_mitre_train"}} +{"text": "] 175 [ .", "spans": {}, "info": {"id": "cyner_mitre_train_00204", "source": "cyner_mitre_train"}} +{"text": "] 144 [ .", "spans": {}, "info": {"id": "cyner_mitre_train_00205", "source": "cyner_mitre_train"}} +{"text": "] 26 192 [ .", "spans": {"Indicator: 192 [ .": [[5, 12]]}, "info": {"id": "cyner_mitre_train_00206", "source": "cyner_mitre_train"}} +{"text": "] 64 [ .", "spans": {}, "info": {"id": "cyner_mitre_train_00207", "source": "cyner_mitre_train"}} +{"text": "] 114 [ .", "spans": {}, "info": {"id": "cyner_mitre_train_00208", "source": "cyner_mitre_train"}} +{"text": "] 147 Red Alert 2.0 : Android Trojan targets security-seekers A malicious , counterfeit version of a 
VPN client for mobile devices targets security-minded victims with a RAT .", "spans": {"Malware: Red Alert 2.0": [[6, 19]], "System: Android": [[22, 29]], "System: VPN": [[101, 104]]}, "info": {"id": "cyner_mitre_train_00209", "source": "cyner_mitre_train"}} +{"text": "Written by Jagadeesh Chandraiah JULY 23 , 2018 SophosLabs has uncovered a mobile malware distribution campaign that uses advertising placement to distribute the Red Alert Trojan , linking counterfeit branding of well-known apps to Web pages that deliver an updated , 2.0 version of this bank credential thief .", "spans": {"Organization: SophosLabs": [[47, 57]], "Malware: Red Alert Trojan": [[161, 177]]}, "info": {"id": "cyner_mitre_train_00210", "source": "cyner_mitre_train"}} +{"text": "The group distributing this family of malware decorates it in the branding and logos of well-known social media or media player apps , system update patches , or ( in its most recent campaign ) VPN client apps in an attempt to lure users into downloading , installing , and elevating the privileges of a Trojanized app hosted on a site not affiliated with any reputable app market or store .", "spans": {"System: VPN": [[194, 197]]}, "info": {"id": "cyner_mitre_train_00211", "source": "cyner_mitre_train"}} +{"text": "Aside from the inescapable irony of disguising a security-reducing Trojan as an ostensibly security-enhancing app , and the righteous affront to the whole concept of a VPN ’ s purpose a Trojan so disguised inspires , this represents an escalation in the variety of app types targeted by this campaign of bankbots in disguise .", "spans": {}, "info": {"id": "cyner_mitre_train_00212", "source": "cyner_mitre_train"}} +{"text": "Red Alert Plays Dress-Up In the wild , we found Web pages designed to ( vaguely ) resemble legitimate app market pages , hosting files for download that have been disguised as a legitimate mobile application of moderately broad appeal , such as a media player or social media app .", 
"spans": {"Malware: Red Alert": [[0, 9]]}, "info": {"id": "cyner_mitre_train_00213", "source": "cyner_mitre_train"}} +{"text": "But the categories targeted by this group seem to be broadening with the inclusion of VPN software .", "spans": {"System: VPN": [[86, 89]]}, "info": {"id": "cyner_mitre_train_00214", "source": "cyner_mitre_train"}} +{"text": "The Web page shown here on the left is hosted on a domain that seems apt : free-vpn [ .", "spans": {"Indicator: free-vpn [ .": [[75, 87]]}, "info": {"id": "cyner_mitre_train_00215", "source": "cyner_mitre_train"}} +{"text": "] download .", "spans": {}, "info": {"id": "cyner_mitre_train_00216", "source": "cyner_mitre_train"}} +{"text": "Investigation of this domain led to additional domains that appear to have been registered for use with the campaign , but are not in use yet .", "spans": {}, "info": {"id": "cyner_mitre_train_00217", "source": "cyner_mitre_train"}} +{"text": "( You can find additional IoCs at the end of this article ) As you can see , the Web page uses a similar colour scheme as , and the icon design from , a legitimate VPN application ( VPN Proxy Master ) found on the Google Play store .", "spans": {"System: Google Play store": [[214, 231]]}, "info": {"id": "cyner_mitre_train_00218", "source": "cyner_mitre_train"}} +{"text": "The fake doesn ’ t quite nail the app name .", "spans": {}, "info": {"id": "cyner_mitre_train_00219", "source": "cyner_mitre_train"}} +{"text": "In addition to “ Free VPN Master Android , ” we ’ ve observed Red Alert 2.0 Trojans in the wild disguising themselves using names like : Flash Player or Update Flash Player Android Update or Android Antivirus Chrome Update or Google Update Update Google Market WhatsApp Viber OneCoin Wallet Pornhub Tactic FlashLight or PROFlashLight Finanzonline The vast majority of in-the-wild Red Alert 2.0 samples falsely present themselves as Adobe Flash player for Android , a utility that Adobe stopped supporting years ago .", "spans": {"System: Free 
VPN Master Android": [[17, 40]], "Malware: Red Alert 2.0": [[62, 75]], "System: Flash Player": [[137, 149]], "System: Update Flash Player": [[153, 172]], "System: Android Update": [[173, 187]], "System: Android Antivirus": [[191, 208]], "System: Chrome Update": [[209, 222]], "System: Google Update": [[226, 239]], "System: Update Google Market": [[240, 260]], "System: WhatsApp": [[261, 269]], "System: Viber": [[270, 275]], "System: OneCoin": [[276, 283]], "System: Wallet": [[284, 290]], "Malware: Red Alert 2.0 samples": [[380, 401]], "System: Adobe Flash player": [[432, 450]], "System: Android": [[455, 462]], "Organization: Adobe": [[480, 485]]}, "info": {"id": "cyner_mitre_train_00220", "source": "cyner_mitre_train"}} +{"text": "Our logs show a number of simultaneous Red Alert 2.0 campaigns in operation , many ( but not all ) hosted on dynamic DNS domains .", "spans": {"Malware: simultaneous Red Alert 2.0 campaigns": [[26, 62]]}, "info": {"id": "cyner_mitre_train_00221", "source": "cyner_mitre_train"}} +{"text": "The Red Alert Payload Once installed , the malware requests Device Administrator privileges .", "spans": {"Malware: Red Alert Payload": [[4, 21]]}, "info": {"id": "cyner_mitre_train_00222", "source": "cyner_mitre_train"}} +{"text": "If the malware obtains device administrator rights , it will be able to lock the screen by itself , expire the password , and resist being uninstalled through normal methods .", "spans": {}, "info": {"id": "cyner_mitre_train_00223", "source": "cyner_mitre_train"}} +{"text": "Device admin request from app that says it is WhatsApp The app then stays in the background listening to commands from the cybercrooks .", "spans": {}, "info": {"id": "cyner_mitre_train_00224", "source": "cyner_mitre_train"}} +{"text": "Within some of the first of those commands , the bot typically receives a list of banks it will target .", "spans": {}, "info": {"id": "cyner_mitre_train_00225", "source": "cyner_mitre_train"}} +{"text": "The Trojan works by 
creating an overlay whenever the user launches the banking application .", "spans": {}, "info": {"id": "cyner_mitre_train_00226", "source": "cyner_mitre_train"}} +{"text": "Currently Running Applications Banking Trojans that rely on the overlay mechanism to steal information need to know what application is in the foreground .", "spans": {}, "info": {"id": "cyner_mitre_train_00227", "source": "cyner_mitre_train"}} +{"text": "They do this not only to identify whether the use of a particular app may permit them to harvest another credential , but also because each targeted app needs to have an overlay mapped to its design , so the Trojan can intercept and steal user data .", "spans": {}, "info": {"id": "cyner_mitre_train_00228", "source": "cyner_mitre_train"}} +{"text": "This quest to determine the currently running application is a hallmark of overlay malware , so we thought we ’ d take a closer look at how it ’ s done .", "spans": {}, "info": {"id": "cyner_mitre_train_00229", "source": "cyner_mitre_train"}} +{"text": "To prevent this , Android ’ s engineers regularly release updates that contain bug fixes designed to prevent apps from getting the list of currently running apps without explicit permission .", "spans": {"System: Android": [[18, 25]]}, "info": {"id": "cyner_mitre_train_00230", "source": "cyner_mitre_train"}} +{"text": "With every Android update , the malware authors are forced to come up with new tricks .", "spans": {"System: Android": [[11, 18]]}, "info": {"id": "cyner_mitre_train_00231", "source": "cyner_mitre_train"}} +{"text": "This particular case is not an exception .", "spans": {}, "info": {"id": "cyner_mitre_train_00232", "source": "cyner_mitre_train"}} +{"text": "The author ( s ) of this malware wrote separate subroutines that identify the operating system version and fire off methods to obtain a list of currently running applications known to work on that particular version of Android .", "spans": {"System: Android": [[219, 226]]}, "info": 
{"id": "cyner_mitre_train_00233", "source": "cyner_mitre_train"}} +{"text": "First , they use the built-in toolbox commands to determine what apps are running .", "spans": {}, "info": {"id": "cyner_mitre_train_00234", "source": "cyner_mitre_train"}} +{"text": "If that doesn ’ t work , they try to use queryUsageStats : When the malware invokes queryUsageStats , it asks for the list of applications that ran in the last 1 million milliseconds ( 16 minutes and 40 seconds ) .", "spans": {}, "info": {"id": "cyner_mitre_train_00235", "source": "cyner_mitre_train"}} +{"text": "String Resources Used to Store App Data Red Alert 2.0 stores its data in an atypical location ( inside the Strings.xml file embedded in the app ) to fetch its critical data , such as the C2 address .", "spans": {"Malware: Red Alert 2.0": [[40, 53]], "Indicator: Strings.xml file": [[107, 123]]}, "info": {"id": "cyner_mitre_train_00236", "source": "cyner_mitre_train"}} +{"text": "The com.dsufabunfzs.dowiflubs strings in the screenshot above refer to the internal name this particular malware was given , which in this case was randomized into alphabet salad .", "spans": {}, "info": {"id": "cyner_mitre_train_00237", "source": "cyner_mitre_train"}} +{"text": "It ’ s been SophosLabs ’ observation that Red Alert Trojans usually have a randomized internal name like this .", "spans": {"Malware: Red Alert Trojans": [[42, 59]]}, "info": {"id": "cyner_mitre_train_00238", "source": "cyner_mitre_train"}} +{"text": "The strings section of the app contains embedded command-and-control IP addresses , ports , and domain names in plaintext .", "spans": {}, "info": {"id": "cyner_mitre_train_00239", "source": "cyner_mitre_train"}} +{"text": "It is an invaluable source of intelligence about a given campaign .. 
The following snippet shows the location within the Trojan where it uses SQLite database commands to store and recall command-and-control addresses : Backdoor Commands The Red Alert code also contains an embedded list of commands the botmaster can send to the bot .", "spans": {"Malware: Red Alert code": [[241, 255]]}, "info": {"id": "cyner_mitre_train_00240", "source": "cyner_mitre_train"}} +{"text": "The malware can execute a variety of arbitrary commands , including ( for example ) intercepting or sending text messages without the user ’ s knowledge , obtaining a copy of the victim ’ s Address Book , or call or text message logs , or sending phone network feature codes ( also known as USSD codes ) .", "spans": {"System: Address Book": [[190, 202]]}, "info": {"id": "cyner_mitre_train_00241", "source": "cyner_mitre_train"}} +{"text": "C2 and Targeted Banks As described earlier , the C2 domain is kept in the app ’ s resources .", "spans": {}, "info": {"id": "cyner_mitre_train_00242", "source": "cyner_mitre_train"}} +{"text": "During the app execution , the malware contacts C2 domain for further instructions .", "spans": {}, "info": {"id": "cyner_mitre_train_00243", "source": "cyner_mitre_train"}} +{"text": "Most of the network traffic we ’ ve observed is HTTP .", "spans": {"Indicator: HTTP": [[48, 52]]}, "info": {"id": "cyner_mitre_train_00244", "source": "cyner_mitre_train"}} +{"text": "The C2 address , as stored in samples we ’ ve seen , comprise both an IP address and port number ; So far , all the samples we ’ ve tested attempted to contact an IP address on port 7878/tcp .", "spans": {"Indicator: port 7878/tcp": [[177, 190]]}, "info": {"id": "cyner_mitre_train_00245", "source": "cyner_mitre_train"}} +{"text": "If the main C2 domain is not responsive , the bot fetches a backup C2 domain from a Twitter account .", "spans": {"Organization: Twitter": [[84, 91]]}, "info": {"id": "cyner_mitre_train_00246", "source": "cyner_mitre_train"}} +{"text": "Static analysis of 
the code reveals that the malware downloads the overlay template to use against any of the bank ( s ) it is targeting .", "spans": {}, "info": {"id": "cyner_mitre_train_00247", "source": "cyner_mitre_train"}} +{"text": "The malware also sends regular telemetry back to its C2 server about the infected device in the form of an HTTP POST to its C2 server .", "spans": {"Indicator: HTTP": [[107, 111]]}, "info": {"id": "cyner_mitre_train_00248", "source": "cyner_mitre_train"}} +{"text": "It uses the base Dalvik User-Agent string for the device it ’ s running on .", "spans": {}, "info": {"id": "cyner_mitre_train_00249", "source": "cyner_mitre_train"}} +{"text": "The content of the HTTP POST data is telemetry data in a json format about the device the malware is running on .", "spans": {"Indicator: HTTP": [[19, 23]]}, "info": {"id": "cyner_mitre_train_00250", "source": "cyner_mitre_train"}} +{"text": "The list of banks targeted by Red Alert 2.0 includes NatWest , Barclays , Westpac , and Citibank .", "spans": {"Malware: Red Alert 2.0": [[30, 43]], "Organization: Barclays": [[63, 71]]}, "info": {"id": "cyner_mitre_train_00251", "source": "cyner_mitre_train"}} +{"text": "Red Alert 2.0 is a banking bot that is currently very active online , and presents a risk to Android devices .", "spans": {"Malware: Red Alert 2.0": [[0, 13]]}, "info": {"id": "cyner_mitre_train_00252", "source": "cyner_mitre_train"}} +{"text": "We expect to see more diversification in the social engineering lures this threat group employs as time goes on .", "spans": {}, "info": {"id": "cyner_mitre_train_00253", "source": "cyner_mitre_train"}} +{"text": "So far , legitimate app stores appear to be this malware ’ s Achilles heel ; disabling the installation of third-party apps has been an effective prevention measure .", "spans": {}, "info": {"id": "cyner_mitre_train_00254", "source": "cyner_mitre_train"}} +{"text": "Stick to Google Play and use VPN software from reputable vendors .", "spans": {"System: 
Google Play": [[9, 20]]}, "info": {"id": "cyner_mitre_train_00255", "source": "cyner_mitre_train"}} +{"text": "Sophos detects all the samples of this Trojan family as Andr/Banker-GWC and Andr/Spybot-A .", "spans": {"Organization: Sophos": [[0, 6]]}, "info": {"id": "cyner_mitre_train_00256", "source": "cyner_mitre_train"}} +{"text": "In the wild , these are only distributed as a direct download from unofficial Web pages ( “ third-party ” app ) and not through legitimate app stores .", "spans": {}, "info": {"id": "cyner_mitre_train_00257", "source": "cyner_mitre_train"}} +{"text": "Red Alert 2.0 IoCs list C2 addresses 103.239.30.126:7878 146.185.241.29:7878 146.185.241.42:7878 185.126.200.3:7878 185.126.200.12:7878 185.126.200.15:7878 185.126.200.18:7878 185.165.28.15:7878 185.243.243.241:7878 185.243.243.244:7878 185.243.243.245:7878 Domains Malware source Web hosts", "spans": {"Malware: Red Alert 2.0": [[0, 13]], "Indicator: 103.239.30.126:7878": [[37, 56]], "Indicator: 146.185.241.29:7878": [[57, 76]], "Indicator: 146.185.241.42:7878": [[77, 96]], "Indicator: 185.126.200.3:7878": [[97, 115]], "Indicator: 185.126.200.12:7878": [[116, 135]], "Indicator: 185.126.200.15:7878": [[136, 155]], "Indicator: 185.126.200.18:7878": [[156, 175]], "Indicator: 185.165.28.15:7878": [[176, 194]], "Indicator: 185.243.243.241:7878": [[195, 215]], "Indicator: 185.243.243.244:7878": [[216, 236]], "Indicator: 185.243.243.245:7878": [[237, 257]]}, "info": {"id": "cyner_mitre_train_00258", "source": "cyner_mitre_train"}} +{"text": "on 167.99.176.61 : free-androidvpn.date free-androidvpn.download free-androidvpn.online free-vpn.date free-vpn.download free-vpn.online Hashes 22fcfce096392f085218c3a78dd0fa4be9e67ed725bce42b965a27725f671cf 55292a4dde8727faad1c40c914cf1be9dfdcf4e67b515aa593bcd8d86e824372", "spans": {"Indicator: 167.99.176.61": [[3, 16]], "Indicator: free-androidvpn.date": [[19, 39]], "Indicator: free-vpn.date": [[88, 101]], "Indicator: 
55292a4dde8727faad1c40c914cf1be9dfdcf4e67b515aa593bcd8d86e824372": [[207, 271]]}, "info": {"id": "cyner_mitre_train_00259", "source": "cyner_mitre_train"}} +{"text": "be92a751e5abbcd24151b509dbb4feb98ea46f367a99d6f86ed4a7c162461e31 5c4d666cef84abc2a1ffd3b1060ef28fa3c6c3bb4fad1fa26db99350b41bea4c 06081ab7faa729e33b9397a0e47548e75cbec3d43c50e6368e81d737552150a5 753999cb19a4346042f973e30cf1158c44f2335ab65859d3bfa16bca4098e2ef", "spans": {"Indicator: be92a751e5abbcd24151b509dbb4feb98ea46f367a99d6f86ed4a7c162461e31": [[0, 64]], "Indicator: 5c4d666cef84abc2a1ffd3b1060ef28fa3c6c3bb4fad1fa26db99350b41bea4c": [[65, 129]], "Indicator: 06081ab7faa729e33b9397a0e47548e75cbec3d43c50e6368e81d737552150a5": [[130, 194]], "Indicator: 753999cb19a4346042f973e30cf1158c44f2335ab65859d3bfa16bca4098e2ef": [[195, 259]]}, "info": {"id": "cyner_mitre_train_00260", "source": "cyner_mitre_train"}} +{"text": "As a result of a lot of hard work done by our security research teams , we revealed today a new and alarming malware campaign .", "spans": {}, "info": {"id": "cyner_mitre_train_00261", "source": "cyner_mitre_train"}} +{"text": "The attack campaign , named Gooligan , breached the security of over one million Google accounts .", "spans": {"Malware: Gooligan": [[28, 36]], "Organization: Google": [[81, 87]]}, "info": {"id": "cyner_mitre_train_00262", "source": "cyner_mitre_train"}} +{"text": "The number continues to rise at an additional 13,000 breached devices each day .", "spans": {}, "info": {"id": "cyner_mitre_train_00263", "source": "cyner_mitre_train"}} +{"text": "Our research exposes how the malware roots infected devices and steals authentication tokens that can be used to access data from Google Play , Gmail , Google Photos , Google Docs , G Suite , Google Drive , and more .", "spans": {"System: Google Play": [[130, 141]], "System: Gmail": [[144, 149]], "System: Google Photos": [[152, 165]], "System: Google Docs": [[168, 179]], "System: G Suite": [[182, 189]], "System: Google Drive": 
[[192, 204]]}, "info": {"id": "cyner_mitre_train_00264", "source": "cyner_mitre_train"}} +{"text": "Gooligan is a new variant of the Android malware campaign found by our researchers in the SnapPea app last year .", "spans": {"Malware: Gooligan": [[0, 8]], "Malware: SnapPea": [[90, 97]]}, "info": {"id": "cyner_mitre_train_00265", "source": "cyner_mitre_train"}} +{"text": "Check Point reached out to the Google Security team immediately with information on this campaign .", "spans": {"Organization: Check Point": [[0, 11]], "Organization: Google Security": [[31, 46]]}, "info": {"id": "cyner_mitre_train_00266", "source": "cyner_mitre_train"}} +{"text": "Our researchers are working closely with Google to investigate the source of the Gooligan campaign .", "spans": {"Organization: Google": [[41, 47]], "Malware: Gooligan campaign": [[81, 98]]}, "info": {"id": "cyner_mitre_train_00267", "source": "cyner_mitre_train"}} +{"text": "“ We ’ re appreciative of both Check Point ’ s research and their partnership as we ’ ve worked together to understand these issues , ” said Adrian Ludwig , Google ’ s director of Android security .", "spans": {"Organization: Check Point": [[31, 42]], "Organization: Google": [[157, 163]], "System: Android": [[180, 187]]}, "info": {"id": "cyner_mitre_train_00268", "source": "cyner_mitre_train"}} +{"text": "“ As part of our ongoing efforts to protect users from the Ghost Push family of malware , we ’ ve taken numerous steps to protect our users and improve the security of the Android ecosystem overall. 
” We are very encouraged by the statement Google shared with us addressing the issue .", "spans": {"Malware: Ghost Push family": [[59, 76]], "System: Android": [[172, 179]], "Organization: Google": [[241, 247]]}, "info": {"id": "cyner_mitre_train_00269", "source": "cyner_mitre_train"}} +{"text": "We have chosen to join forces to continue the investigation around Gooligan .", "spans": {"Malware: Gooligan": [[67, 75]]}, "info": {"id": "cyner_mitre_train_00270", "source": "cyner_mitre_train"}} +{"text": "Google also stated that they are taking numerous steps including proactively notifying affected accounts , revoking affected tokens and deploying SafetyNet improvements to protect users from these apps in the future .", "spans": {"Organization: Google": [[0, 6]]}, "info": {"id": "cyner_mitre_train_00271", "source": "cyner_mitre_train"}} +{"text": "Who is affected ?", "spans": {}, "info": {"id": "cyner_mitre_train_00272", "source": "cyner_mitre_train"}} +{"text": "Gooligan potentially affects devices on Android 4 ( Jelly Bean , KitKat ) and 5 ( Lollipop ) , which is over 74 % of in-market devices today .", "spans": {"Malware: Gooligan": [[0, 8]], "System: Android 4 ( Jelly Bean , KitKat ) and 5 ( Lollipop )": [[40, 92]]}, "info": {"id": "cyner_mitre_train_00273", "source": "cyner_mitre_train"}} +{"text": "About 57 % of these devices are located in Asia and about 9 % are in Europe .", "spans": {}, "info": {"id": "cyner_mitre_train_00274", "source": "cyner_mitre_train"}} +{"text": "In our research we identified tens of fake applications that were infected with this malware .", "spans": {}, "info": {"id": "cyner_mitre_train_00275", "source": "cyner_mitre_train"}} +{"text": "If you ’ ve downloaded one of the apps listed in Appendix A , below , you might be infected .", "spans": {}, "info": {"id": "cyner_mitre_train_00276", "source": "cyner_mitre_train"}} +{"text": "You may review your application list in “ Settings - > Apps ” , if you find one of this applications , please 
consider downloading an antivirus product such as Check Point ZoneAlarm to check if you are indeed infected .", "spans": {"Organization: Check Point": [[160, 171]], "System: ZoneAlarm": [[172, 181]]}, "info": {"id": "cyner_mitre_train_00277", "source": "cyner_mitre_train"}} +{"text": "We have noticed that hundreds of the email addresses are associated with enterprise accounts worldwide .", "spans": {}, "info": {"id": "cyner_mitre_train_00278", "source": "cyner_mitre_train"}} +{"text": "How do you know if your Google account is breached ?", "spans": {"Organization: Google": [[24, 30]]}, "info": {"id": "cyner_mitre_train_00279", "source": "cyner_mitre_train"}} +{"text": "You can check if your account is compromised by accessing the following web site that we created : https : //gooligan.checkpoint.com/ .", "spans": {"Indicator: https : //gooligan.checkpoint.com/": [[99, 133]]}, "info": {"id": "cyner_mitre_train_00280", "source": "cyner_mitre_train"}} +{"text": "If your account has been breached , the following steps are required : A clean installation of an operating system on your mobile device is required ( a process called “ flashing ” ) .", "spans": {}, "info": {"id": "cyner_mitre_train_00281", "source": "cyner_mitre_train"}} +{"text": "As this is a complex process , we recommend powering off your device and approaching a certified technician , or your mobile service provider , to request that your device be “ re-flashed. 
” Change your Google account passwords immediately after this process .", "spans": {"Organization: Google": [[203, 209]]}, "info": {"id": "cyner_mitre_train_00282", "source": "cyner_mitre_train"}} +{"text": "How do Android devices become infected ?", "spans": {}, "info": {"id": "cyner_mitre_train_00283", "source": "cyner_mitre_train"}} +{"text": "We found traces of the Gooligan malware code in dozens of legitimate-looking apps on third-party Android app stores .", "spans": {"Malware: Gooligan": [[23, 31]], "System: Android": [[97, 104]]}, "info": {"id": "cyner_mitre_train_00284", "source": "cyner_mitre_train"}} +{"text": "These stores are an attractive alternative to Google Play because many of their apps are free , or offer free versions of paid apps .", "spans": {"System: Google Play": [[46, 57]]}, "info": {"id": "cyner_mitre_train_00285", "source": "cyner_mitre_train"}} +{"text": "However , the security of these stores and the apps they sell aren ’ t always verified .", "spans": {}, "info": {"id": "cyner_mitre_train_00286", "source": "cyner_mitre_train"}} +{"text": "Gooligan-infected apps can also be installed using phishing scams where attackers broadcast links to infected apps to unsuspecting users via SMS or other messaging services .", "spans": {"Malware: Gooligan-infected": [[0, 17]]}, "info": {"id": "cyner_mitre_train_00287", "source": "cyner_mitre_train"}} +{"text": "How did Gooligan emerge ?", "spans": {"Malware: Gooligan": [[8, 16]]}, "info": {"id": "cyner_mitre_train_00288", "source": "cyner_mitre_train"}} +{"text": "Our researchers first encountered Gooligan ’ s code in the malicious SnapPea app last year .", "spans": {"Malware: Gooligan": [[34, 42]], "Malware: SnapPea": [[69, 76]]}, "info": {"id": "cyner_mitre_train_00289", "source": "cyner_mitre_train"}} +{"text": "At the time this malware was reported by several security vendors , and attributed to different malware families like Ghostpush , MonkeyTest , and Xinyinhe .", "spans": {"Malware: 
Ghostpush": [[118, 127]], "Malware: MonkeyTest": [[130, 140]], "Malware: Xinyinhe": [[147, 155]]}, "info": {"id": "cyner_mitre_train_00290", "source": "cyner_mitre_train"}} +{"text": "By late 2015 , the malware ’ s creators had gone mostly silent until the summer of 2016 when the malware reappeared with a more complex architecture that injects malicious code into Android system processes .", "spans": {"System: Android": [[182, 189]]}, "info": {"id": "cyner_mitre_train_00291", "source": "cyner_mitre_train"}} +{"text": "The change in the way the malware works today may be to help finance the campaign through fraudulent ad activity .", "spans": {}, "info": {"id": "cyner_mitre_train_00292", "source": "cyner_mitre_train"}} +{"text": "The malware simulates clicks on app advertisements provided by legitimate ad networks and forces the app to install on a device .", "spans": {}, "info": {"id": "cyner_mitre_train_00293", "source": "cyner_mitre_train"}} +{"text": "An attacker is paid by the network when one of these apps is installed successfully .", "spans": {}, "info": {"id": "cyner_mitre_train_00294", "source": "cyner_mitre_train"}} +{"text": "Logs collected by Check Point researchers show that every day Gooligan installs at least 30,000 apps fraudulently on breached devices or over 2 million apps since the campaign began .", "spans": {"Organization: Check Point": [[18, 29]], "Malware: Gooligan": [[62, 70]]}, "info": {"id": "cyner_mitre_train_00295", "source": "cyner_mitre_train"}} +{"text": "How does Gooligan work ?", "spans": {"Malware: Gooligan": [[9, 17]]}, "info": {"id": "cyner_mitre_train_00296", "source": "cyner_mitre_train"}} +{"text": "The infection begins when a user downloads and installs a Gooligan-infected app on a vulnerable Android device .", "spans": {"Malware: Gooligan-infected": [[58, 75]]}, "info": {"id": "cyner_mitre_train_00297", "source": "cyner_mitre_train"}} +{"text": "Our research team has found infected apps on third-party app stores , but they 
could also be downloaded by Android users directly by tapping malicious links in phishing attack messages .", "spans": {"System: Android": [[107, 114]]}, "info": {"id": "cyner_mitre_train_00298", "source": "cyner_mitre_train"}} +{"text": "After an infected app is installed , it sends data about the device to the campaign ’ s Command and Control ( C & C ) server .", "spans": {}, "info": {"id": "cyner_mitre_train_00299", "source": "cyner_mitre_train"}} +{"text": "Gooligan then downloads a rootkit from the C & C server that takes advantage of multiple Android 4 and 5 exploits including the well-known VROOT ( CVE-2013-6282 ) and Towelroot ( CVE-2014-3153 ) .", "spans": {"Malware: Gooligan": [[0, 8]], "System: Android 4 and 5": [[89, 104]], "Vulnerability: VROOT": [[139, 144]], "Vulnerability: CVE-2013-6282": [[147, 160]], "Vulnerability: Towelroot": [[167, 176]], "Vulnerability: CVE-2014-3153": [[179, 192]]}, "info": {"id": "cyner_mitre_train_00300", "source": "cyner_mitre_train"}} +{"text": "These exploits still plague many devices today because security patches that fix them may not be available for some versions of Android , or the patches were never installed by the user .", "spans": {"System: Android": [[128, 135]]}, "info": {"id": "cyner_mitre_train_00301", "source": "cyner_mitre_train"}} +{"text": "If rooting is successful , the attacker has full control of the device and can execute privileged commands remotely .", "spans": {}, "info": {"id": "cyner_mitre_train_00302", "source": "cyner_mitre_train"}} +{"text": "After achieving root access , Gooligan downloads a new , malicious module from the C & C server and installs it on the infected device .", "spans": {"Malware: Gooligan": [[30, 38]]}, "info": {"id": "cyner_mitre_train_00303", "source": "cyner_mitre_train"}} +{"text": "This module injects code into running Google Play or GMS ( Google Mobile Services ) to mimic user behavior so Gooligan can avoid detection , a technique first seen with the mobile malware 
HummingBad .", "spans": {"System: Google Play": [[38, 49]], "System: GMS ( Google Mobile Services )": [[53, 83]], "Malware: Gooligan": [[110, 118]], "Malware: HummingBad": [[188, 198]]}, "info": {"id": "cyner_mitre_train_00304", "source": "cyner_mitre_train"}} +{"text": "The module allows Gooligan to : Steal a user ’ s Google email account and authentication token information Install apps from Google Play and rate them to raise their reputation Install adware to generate revenue Ad servers , which don ’ t know whether an app using its service is malicious or not , send Gooligan the names of the apps to download from Google Play .", "spans": {"Malware: Gooligan": [[18, 26], [304, 312]], "Organization: Google": [[49, 55]], "System: Google Play": [[125, 136], [352, 363]]}, "info": {"id": "cyner_mitre_train_00305", "source": "cyner_mitre_train"}} +{"text": "After an app is installed , the ad service pays the attacker .", "spans": {}, "info": {"id": "cyner_mitre_train_00306", "source": "cyner_mitre_train"}} +{"text": "Then the malware leaves a positive review and a high rating on Google Play using content it receives from the C & C server .", "spans": {"System: Google Play": [[63, 74]]}, "info": {"id": "cyner_mitre_train_00307", "source": "cyner_mitre_train"}} +{"text": "Our research team was able to identify several instances of this activity by cross-referencing data from breached devices with Google Play app reviews .", "spans": {"System: Google Play": [[127, 138]]}, "info": {"id": "cyner_mitre_train_00308", "source": "cyner_mitre_train"}} +{"text": "This is another reminder of why users shouldn ’ t rely on ratings alone to decide whether to trust an app .", "spans": {}, "info": {"id": "cyner_mitre_train_00309", "source": "cyner_mitre_train"}} +{"text": "Similar to HummingBad , the malware also fakes device identification information , such as IMEI and IMSI , to download an app twice while seeming like the installation is happening on a different device , thereby 
doubling the potential revenue .", "spans": {"Malware: HummingBad": [[11, 21]]}, "info": {"id": "cyner_mitre_train_00310", "source": "cyner_mitre_train"}} +{"text": "What are Google authorization tokens ?", "spans": {"Organization: Google": [[9, 15]]}, "info": {"id": "cyner_mitre_train_00311", "source": "cyner_mitre_train"}} +{"text": "A Google authorization token is a way to access the Google account and the related services of a user .", "spans": {"Organization: Google": [[2, 8], [52, 58]]}, "info": {"id": "cyner_mitre_train_00312", "source": "cyner_mitre_train"}} +{"text": "It is issued by Google once a user successfully logged into this account .", "spans": {"Organization: Google": [[16, 22]]}, "info": {"id": "cyner_mitre_train_00313", "source": "cyner_mitre_train"}} +{"text": "When an authorization token is stolen by a hacker , they can use this token to access all the Google services related to the user , including Google Play , Gmail , Google Docs , Google Drive , and Google Photos .", "spans": {"Organization: Google": [[94, 100]], "System: Google Play": [[142, 153]], "System: Gmail": [[156, 161]], "System: Google Docs": [[164, 175]], "System: Google Drive": [[178, 190]], "System: Google Photos": [[197, 210]]}, "info": {"id": "cyner_mitre_train_00314", "source": "cyner_mitre_train"}} +{"text": "While Google implemented multiple mechanisms , like two-factor-authentication , to prevent hackers from compromising Google accounts , a stolen authorization token bypasses this mechanism and allows hackers the desired access as the user is perceived as already logged in .", "spans": {"Organization: Google": [[6, 12], [117, 123]]}, "info": {"id": "cyner_mitre_train_00315", "source": "cyner_mitre_train"}} +{"text": "Conclusion Gooligan has breached over a million Google accounts .", "spans": {"Malware: Gooligan": [[11, 19]], "Organization: Google": [[48, 54]]}, "info": {"id": "cyner_mitre_train_00316", "source": "cyner_mitre_train"}} +{"text": "We believe that it is 
the largest Google account breach to date , and we are working with Google to continue the investigation .", "spans": {"Malware: Google": [[34, 40]], "Organization: Google": [[90, 96]]}, "info": {"id": "cyner_mitre_train_00317", "source": "cyner_mitre_train"}} +{"text": "We encourage Android users to validate whether their accounts have been breached .", "spans": {"System: Android": [[13, 20]]}, "info": {"id": "cyner_mitre_train_00318", "source": "cyner_mitre_train"}} +{"text": "Hacking Team Spying Tool Listens to Calls By : Trend Micro July 21 , 2015 Following news that iOS devices are at risk of spyware related to the Hacking Team , the saga continues into the Android sphere .", "spans": {"Organization: Hacking Team": [[0, 12], [144, 156]], "Organization: Trend Micro": [[47, 58]], "System: iOS": [[94, 97]], "System: Android": [[187, 194]]}, "info": {"id": "cyner_mitre_train_00319", "source": "cyner_mitre_train"}} +{"text": "We found that among the leaked files is the code for Hacking Team ’ s open-source malware suite RCSAndroid ( Remote Control System Android ) , which was sold by the company as a tool for monitoring targets .", "spans": {"Malware: RCSAndroid": [[96, 106]], "Malware: Remote Control System Android": [[109, 138]]}, "info": {"id": "cyner_mitre_train_00320", "source": "cyner_mitre_train"}} +{"text": "( Researchers have been aware of this suite as early as 2014 .", "spans": {}, "info": {"id": "cyner_mitre_train_00321", "source": "cyner_mitre_train"}} +{"text": ") The RCSAndroid code can be considered one of the most professionally developed and sophisticated Android malware ever exposed .", "spans": {"Malware: RCSAndroid": [[6, 16]], "System: Android": [[99, 106]]}, "info": {"id": "cyner_mitre_train_00322", "source": "cyner_mitre_train"}} +{"text": "The leak of its code provides cybercriminals with a new weaponized resource for enhancing their surveillance operations .", "spans": {}, "info": {"id": "cyner_mitre_train_00323", "source": 
"cyner_mitre_train"}} +{"text": "Based on the leaked code , the RCSAndroid app can do the following intrusive routines to spy on targets : Capture screenshots using the “ screencap ” command and framebuffer direct reading Monitor clipboard content Collect passwords for Wi-Fi networks and online acco ; .unts , including Skype , Facebook , Twitter , Google , WhatsApp , Mail , and LinkedIn Record using the microphone Collect SMS , MMS , and Gmail messages Record location Gather device information Capture photos using the front and back cameras Collect contacts and decode", "spans": {"Malware: RCSAndroid": [[31, 41]], "System: Skype": [[288, 293]], "System: Facebook": [[296, 304]], "System: Twitter": [[307, 314]], "System: Google": [[317, 323]], "System: WhatsApp": [[326, 334]], "System: Mail": [[337, 341]], "System: LinkedIn": [[348, 356]], "System: Gmail": [[409, 414]]}, "info": {"id": "cyner_mitre_train_00324", "source": "cyner_mitre_train"}} +{"text": "messages from IM accounts , including Facebook Messenger , WhatsApp , Skype , Viber , Line , WeChat , Hangouts , Telegram , and BlackBerry Messenger .", "spans": {"System: Facebook Messenger": [[38, 56]], "System: WhatsApp": [[59, 67]], "System: Skype": [[70, 75]], "System: Viber": [[78, 83]], "System: Line": [[86, 90]], "System: WeChat": [[93, 99]], "System: Hangouts": [[102, 110]], "System: Telegram": [[113, 121]], "System: BlackBerry Messenger": [[128, 148]]}, "info": {"id": "cyner_mitre_train_00325", "source": "cyner_mitre_train"}} +{"text": "Capture real-time voice calls in any network or app by hooking into the “ mediaserver ” system service RCSAndroid in the Wild Our analysis reveals that this RCSAndroid ( AndroidOS_RCSAgent.HRX ) has been in the wild since 2012 .", "spans": {"Malware: RCSAndroid": [[103, 113], [157, 167]], "Indicator: AndroidOS_RCSAgent.HRX": [[170, 192]]}, "info": {"id": "cyner_mitre_train_00326", "source": "cyner_mitre_train"}} +{"text": "Traces of its previous uses in the wild were found 
inside the configuration file : It was configured to use a Command-and-control ( C & C ) server in the United States ; however , the server was bought from a host service provider and is now unavailable .", "spans": {}, "info": {"id": "cyner_mitre_train_00327", "source": "cyner_mitre_train"}} +{"text": "It was configured to activate via SMS sent from a Czech Republic number .", "spans": {}, "info": {"id": "cyner_mitre_train_00328", "source": "cyner_mitre_train"}} +{"text": "Attackers can send SMS with certain messages to activate the agent and trigger corresponding action .", "spans": {}, "info": {"id": "cyner_mitre_train_00329", "source": "cyner_mitre_train"}} +{"text": "This can also define what kind of evidences to collect .", "spans": {}, "info": {"id": "cyner_mitre_train_00330", "source": "cyner_mitre_train"}} +{"text": "Based on emails leaked in the dump , a number of Czech firms appear to be in business with the Hacking team , including a major IT partner in the Olympic Games .", "spans": {}, "info": {"id": "cyner_mitre_train_00331", "source": "cyner_mitre_train"}} +{"text": "Dropping Cluster Bombs RCSAndroid is a threat that works like a cluster bomb in that it deploys multiple dangerous exploits and uses various techniques to easily infect Android devices .", "spans": {"Malware: RCSAndroid": [[23, 33]], "System: Android": [[169, 176]]}, "info": {"id": "cyner_mitre_train_00332", "source": "cyner_mitre_train"}} +{"text": "While analyzing the code , we found that the whole system consists of four critical components , as follows : penetration solutions , ways to get inside the device , either via SMS/email or a legitimate app low-level native code , advanced exploits and spy tools beyond Android ’ s security framework high-level Java agent – the app ’ s malicious APK command-and-control ( C & C ) servers , used to remotely send/receive malicious commands Attackers use two methods to get targets to download RCSAndroid .", "spans": {"System: Android": [[270, 
277]], "Malware: RCSAndroid": [[493, 503]]}, "info": {"id": "cyner_mitre_train_00333", "source": "cyner_mitre_train"}} +{"text": "The first method is to send a specially crafted URL to the target via SMS or email .", "spans": {}, "info": {"id": "cyner_mitre_train_00334", "source": "cyner_mitre_train"}} +{"text": "The URL will trigger exploits for arbitrary memory read ( CVE-2012-2825 ) and heap buffer overflow ( CVE-2012-2871 ) vulnerabilities in the default browsers of Android versions 4.0 Ice Cream Sandwich to 4.3 Jelly Bean , allowing another local privilege escalation exploit to execute .", "spans": {"Vulnerability: arbitrary memory read ( CVE-2012-2825 )": [[34, 73]], "Vulnerability: heap buffer overflow ( CVE-2012-2871 )": [[78, 116]], "System: Android versions 4.0 Ice Cream Sandwich": [[160, 199]], "System: 4.3 Jelly Bean": [[203, 217]]}, "info": {"id": "cyner_mitre_train_00335", "source": "cyner_mitre_train"}} +{"text": "When root privilege is gained , a shell backdoor and malicious RCSAndroid agent APK file will be installed The second method is to use a stealthy backdoor app such as ANDROIDOS_HTBENEWS.A , which was designed to bypass Google Play .", "spans": {"Malware: RCSAndroid": [[63, 73]], "Malware: ANDROIDOS_HTBENEWS.A": [[167, 187]], "System: Google Play": [[219, 230]]}, "info": {"id": "cyner_mitre_train_00336", "source": "cyner_mitre_train"}} +{"text": "The role of ANDROIDOS_HTBENEWS.A and the malicious APK mentioned in the first method is to exploit a local privilege escalation vulnerability in Android devices .", "spans": {"Malware: ANDROIDOS_HTBENEWS.A": [[12, 32]], "Vulnerability: local privilege escalation vulnerability": [[101, 141]]}, "info": {"id": "cyner_mitre_train_00337", "source": "cyner_mitre_train"}} +{"text": "Hacking Team has been known to use both CVE-2014-3153 and CVE-2013-6282 in their attacks .", "spans": {"Vulnerability: CVE-2014-3153": [[40, 53]], "Vulnerability: CVE-2013-6282": [[58, 71]]}, "info": {"id": 
"cyner_mitre_train_00338", "source": "cyner_mitre_train"}} +{"text": "The said exploits will root the device and install a shell backdoor .", "spans": {}, "info": {"id": "cyner_mitre_train_00339", "source": "cyner_mitre_train"}} +{"text": "The shell backdoor then installs the RCSAndroid agent .", "spans": {"Malware: RCSAndroid": [[37, 47]]}, "info": {"id": "cyner_mitre_train_00340", "source": "cyner_mitre_train"}} +{"text": "This agent has two core modules , the Evidence Collector and the Event Action Trigger .", "spans": {}, "info": {"id": "cyner_mitre_train_00341", "source": "cyner_mitre_train"}} +{"text": "The Evidence Collector module is responsible for the spying routines outlined above .", "spans": {}, "info": {"id": "cyner_mitre_train_00342", "source": "cyner_mitre_train"}} +{"text": "One of its most notable routines is capturing voice calls in real time by hooking into the “ mediaserver ” system service .", "spans": {}, "info": {"id": "cyner_mitre_train_00343", "source": "cyner_mitre_train"}} +{"text": "The basic idea is to hook the voice call process in mediaserver .", "spans": {}, "info": {"id": "cyner_mitre_train_00344", "source": "cyner_mitre_train"}} +{"text": "Take voice call playback process for example .", "spans": {}, "info": {"id": "cyner_mitre_train_00345", "source": "cyner_mitre_train"}} +{"text": "The mediaserver will first builds a new unique track , start to play the track , loop play all audio buffer , then finally stop the playback .", "spans": {}, "info": {"id": "cyner_mitre_train_00346", "source": "cyner_mitre_train"}} +{"text": "The raw wave audio buffer frame can be dumped in the getNextBuffer ( ) function .", "spans": {}, "info": {"id": "cyner_mitre_train_00347", "source": "cyner_mitre_train"}} +{"text": "With the help of the open-source Android Dynamic Binary Instrumentation Toolkit and root privilege , it is possible to intercept any function execution .", "spans": {"System: Android": [[33, 40]]}, "info": {"id": 
"cyner_mitre_train_00348", "source": "cyner_mitre_train"}} +{"text": "The Event Action Trigger module triggers malicious actions based on certain events .", "spans": {}, "info": {"id": "cyner_mitre_train_00349", "source": "cyner_mitre_train"}} +{"text": "These events can be based on time , charging or battery status , location , connectivity , running apps , focused app , SIM card status , SMS received with keywords , and screen turning on .", "spans": {}, "info": {"id": "cyner_mitre_train_00350", "source": "cyner_mitre_train"}} +{"text": "According to the configuration pattern , these actions are registered to certain events : Sync configuration data , upgrade modules , and download new payload ( This uses transport protocol ZProtocol encrypted by AES/CBC/PKCS5Padding algorithm to communicate with the C & C server .", "spans": {}, "info": {"id": "cyner_mitre_train_00351", "source": "cyner_mitre_train"}} +{"text": ") Upload and purge collected evidence Destroy device by resetting locking password Execute shell commands Send SMS with defined content or location Disable network Disable root Uninstall bot To avoid detection and removal of the agent app in the device memory , the RCSAndroid suite also detects emulators or sandboxes , obfuscates code using DexGuard , uses ELF string obfuscator , and adjusts the OOM ( out-of-memory ) value .", "spans": {"Malware: RCSAndroid": [[266, 276]], "System: DexGuard": [[343, 351]]}, "info": {"id": "cyner_mitre_train_00352", "source": "cyner_mitre_train"}} +{"text": "Interestingly , one unused feature of the app is its ability to manipulate data in the Android package manager to add and remove permissions and components as well as hide the app icon .", "spans": {"System: Android": [[87, 94]]}, "info": {"id": "cyner_mitre_train_00353", "source": "cyner_mitre_train"}} +{"text": "Recommendations Popular mobile platforms like Android are common targets for organized or commercialized monitoring operations .", "spans": {"System: 
Android": [[46, 53]]}, "info": {"id": "cyner_mitre_train_00354", "source": "cyner_mitre_train"}} +{"text": "Attackers know that rooting devices via malware exploits is an effective means to control devices and gather information from them .", "spans": {}, "info": {"id": "cyner_mitre_train_00355", "source": "cyner_mitre_train"}} +{"text": "In a root broken device , security is a fairy tale .", "spans": {}, "info": {"id": "cyner_mitre_train_00356", "source": "cyner_mitre_train"}} +{"text": "Take note of the following best practices to prevent this threat from getting in your device : Disable app installations from unknown , third-party sources .", "spans": {}, "info": {"id": "cyner_mitre_train_00357", "source": "cyner_mitre_train"}} +{"text": "Constantly update your Android devices to the latest version to help prevent exploits , especially in the case of RCSAndroid which can affect only up to version 4.4.4 KitKat .", "spans": {"System: Android": [[23, 30]], "Malware: RCSAndroid": [[114, 124]], "System: 4.4.4 KitKat": [[161, 173]]}, "info": {"id": "cyner_mitre_train_00358", "source": "cyner_mitre_train"}} +{"text": "Note , however , that based on the leak mail from a customer inquiry , Hacking Team was in the process of developing exploits for Android 5.0 Lollipop .", "spans": {"Organization: Hacking Team": [[71, 83]], "System: Android 5.0 Lollipop": [[130, 150]]}, "info": {"id": "cyner_mitre_train_00359", "source": "cyner_mitre_train"}} +{"text": "Install a mobile security solution to secure your device from threats .", "spans": {}, "info": {"id": "cyner_mitre_train_00360", "source": "cyner_mitre_train"}} +{"text": "The leaked RCSAndroid code is a commercial weapon now in the wild .", "spans": {"Malware: RCSAndroid code": [[11, 26]]}, "info": {"id": "cyner_mitre_train_00361", "source": "cyner_mitre_train"}} +{"text": "Mobile users are called on to be on top of this news and be on guard for signs of monitoring .", "spans": {}, "info": {"id": 
"cyner_mitre_train_00362", "source": "cyner_mitre_train"}} +{"text": "Some indicators may come in the form of peculiar behavior such as unexpected rebooting , finding unfamiliar apps installed , or instant messaging apps suddenly freezing .", "spans": {}, "info": {"id": "cyner_mitre_train_00363", "source": "cyner_mitre_train"}} +{"text": "Should a device become infected , this backdoor can not be removed without root privilege .", "spans": {}, "info": {"id": "cyner_mitre_train_00364", "source": "cyner_mitre_train"}} +{"text": "Users may be required the help of their device manufacturer to get support for firmware flashing .", "spans": {}, "info": {"id": "cyner_mitre_train_00365", "source": "cyner_mitre_train"}} +{"text": "Trend Micro offers security for Android mobile devices through Mobile Security for Android™ to protect against these types of attacks .", "spans": {"Organization: Trend Micro": [[0, 11]], "System: Android": [[32, 39]], "System: Mobile Security for Android™": [[63, 91]]}, "info": {"id": "cyner_mitre_train_00366", "source": "cyner_mitre_train"}} +{"text": "Find out more about the 7 Android Security Hacks You Need to Do Right Now to keep your mobile data safe .", "spans": {"System: Android": [[26, 33]]}, "info": {"id": "cyner_mitre_train_00367", "source": "cyner_mitre_train"}} +{"text": "Update as of July 23 , 2015 1:00 AM PDT ( UTC-7 ) We have added a link to a previous report discussing this threat .", "spans": {}, "info": {"id": "cyner_mitre_train_00368", "source": "cyner_mitre_train"}} +{"text": "Timeline of posts related to the Hacking Team DATE UPDATE July 5 The Italian company Hacking Team was hacked , with more than 400GB of confidential company data made available to the public .", "spans": {"Organization: Hacking Team": [[85, 97]]}, "info": {"id": "cyner_mitre_train_00369", "source": "cyner_mitre_train"}} +{"text": "July 7 Three exploits – two for Flash Player and one for the Windows kernel—were initially found in the information dump .", 
"spans": {"System: Flash Player": [[32, 44]], "System: Windows": [[61, 68]]}, "info": {"id": "cyner_mitre_train_00370", "source": "cyner_mitre_train"}} +{"text": "One of these [ CVE-2015-5119 ] was a Flash zero-day .", "spans": {"Vulnerability: CVE-2015-5119": [[15, 28]]}, "info": {"id": "cyner_mitre_train_00371", "source": "cyner_mitre_train"}} +{"text": "The Windows kernel vulnerability ( CVE-2015-2387 ) existed in the open type font manager module ( ATMFD.dll ) and can be exploited to bypass the sandbox mitigation mechanism .", "spans": {"Vulnerability: Windows kernel vulnerability": [[4, 32]], "Vulnerability: CVE-2015-2387": [[35, 48]], "Indicator: ATMFD.dll": [[98, 107]]}, "info": {"id": "cyner_mitre_train_00372", "source": "cyner_mitre_train"}} +{"text": "The Flash zero-day exploit ( CVE-2015-5119 ) was added into the Angler Exploit Kit and Nuclear Exploit Pack .", "spans": {"System: Flash": [[4, 9]], "Vulnerability: CVE-2015-5119": [[29, 42]], "Malware: Angler Exploit Kit": [[64, 82]], "Malware: Nuclear Exploit Pack": [[87, 107]]}, "info": {"id": "cyner_mitre_train_00373", "source": "cyner_mitre_train"}} +{"text": "It was also used in limited attacks in Korea and Japan .", "spans": {}, "info": {"id": "cyner_mitre_train_00374", "source": "cyner_mitre_train"}} +{"text": "July 11 Two new Flash zero-day vulnerabilities , CVE-2015-5122 and CVE-2015-5123 , were found in the hacking team dump .", "spans": {"Vulnerability: Flash zero-day vulnerabilities": [[16, 46]], "Vulnerability: CVE-2015-5122": [[49, 62]], "Vulnerability: CVE-2015-5123": [[67, 80]]}, "info": {"id": "cyner_mitre_train_00375", "source": "cyner_mitre_train"}} +{"text": "July 13 Further analysis of the hacking team dump revealed that the company used UEFI BIOS rootkit to keep their Remote Control System ( RCS ) agent installed in their targets ’ systems .", "spans": {"Malware: UEFI BIOS rootkit": [[81, 98]], "Malware: Remote Control System ( RCS )": [[113, 142]]}, "info": {"id": 
"cyner_mitre_train_00376", "source": "cyner_mitre_train"}} +{"text": "July 14 A new zero-day vulnerability ( CVE-2015-2425 ) was found in Internet Explorer .", "spans": {"Vulnerability: zero-day vulnerability": [[14, 36]], "Vulnerability: CVE-2015-2425": [[39, 52]], "System: Internet Explorer": [[68, 85]]}, "info": {"id": "cyner_mitre_train_00377", "source": "cyner_mitre_train"}} +{"text": "July 16 On the mobile front , a fake news app designed to bypass Google Play was discovered .", "spans": {"System: Google Play": [[65, 76]]}, "info": {"id": "cyner_mitre_train_00378", "source": "cyner_mitre_train"}} +{"text": "July 20 A new zero-day vulnerability ( CVE-2015-2426 ) was found in Windows , which Microsoft fixed in an out-of-band patch .", "spans": {"Vulnerability: zero-day vulnerability": [[14, 36]], "Vulnerability: CVE-2015-2426": [[39, 52]], "System: Windows": [[68, 75]], "Organization: Microsoft": [[84, 93]]}, "info": {"id": "cyner_mitre_train_00379", "source": "cyner_mitre_train"}} +{"text": "July 21 Analysis of the RCSAndroid spying tool revealed that Hacking Team can listen to calls and roots devices to get in .", "spans": {"Malware: RCSAndroid": [[24, 34]]}, "info": {"id": "cyner_mitre_train_00380", "source": "cyner_mitre_train"}} +{"text": "July 28 A recent campaign compromised Taiwan and Hong Kong sites to deliver Flash exploits related to Hacking Team .", "spans": {"System: Flash": [[76, 81]], "Organization: Hacking Team": [[102, 114]]}, "info": {"id": "cyner_mitre_train_00381", "source": "cyner_mitre_train"}} +{"text": "Android users warned of malware attack spreading via SMS FEB 16 , 2016 Security researchers are warning owners of Android smartphones about a new malware attack , spreading via SMS text messages .", "spans": {"System: Android": [[0, 7], [114, 121]]}, "info": {"id": "cyner_mitre_train_00382", "source": "cyner_mitre_train"}} +{"text": "As the team at Scandinavian security group CSIS describes , malware known as MazarBOT is being distributed 
via SMS in Denmark and is likely to also be encountered in other countries .", "spans": {"Organization: CSIS": [[43, 47]], "Malware: MazarBOT": [[77, 85]]}, "info": {"id": "cyner_mitre_train_00383", "source": "cyner_mitre_train"}} +{"text": "Victims ’ first encounter with the malware reportedly comes via an unsolicited text message that their Android smartphone receives .", "spans": {"System: Android smartphone": [[103, 121]]}, "info": {"id": "cyner_mitre_train_00384", "source": "cyner_mitre_train"}} +{"text": "The txt message uses social engineering to dupe unsuspecting users into clicking on a link to a downloadable Android application .", "spans": {"System: Android": [[109, 116]]}, "info": {"id": "cyner_mitre_train_00385", "source": "cyner_mitre_train"}} +{"text": "CSIS provided a ( sanitised ) version of a typical message to warn users what to look out for : “ You have received a multimedia message from + [ country code ] [ sender number ] Follow the link http : //www.mmsforyou [ .", "spans": {"Organization: CSIS": [[0, 4]], "Indicator: http : //www.mmsforyou [ .": [[195, 221]]}, "info": {"id": "cyner_mitre_train_00386", "source": "cyner_mitre_train"}} +{"text": "] net/mms.apk to view the message ” Once the APK package is downloaded , potential victims are urged to grant the malicious app a wide range of permissions on their Android device : App permissions SEND_SMS RECEIVE_BOOT_COMPLETED INTERNET SYSTEM_ALERT_WINDOW WRITE_SMS ACCESS_NETWORK_STATE WAKE_LOCK GET_TASKS CALL_PHONE RECEIVE_SMS READ_PHONE_STATE READ_SMS ERASE_PHONE Once installed , MazarBOT downloads a copy of", "spans": {"Malware: MazarBOT": [[388, 396]]}, "info": {"id": "cyner_mitre_train_00387", "source": "cyner_mitre_train"}} +{"text": "Tor onto users ’ Android smartphones and uses it to connect anonymously to the net before sending a text message containing the victim ’ s location to an Iranian mobile phone number .", "spans": {"System: Tor": [[0, 3]], "System: Android": [[17, 24]]}, "info": 
{"id": "cyner_mitre_train_00388", "source": "cyner_mitre_train"}} +{"text": "With the malware now in place , a number of actions can be performed , including allowing attackers to secretly monitor and control smartphones via a backdoor , send messages to premium-rate numbers , and intercept two-factor authentication codes sent by online banking apps and the like .", "spans": {}, "info": {"id": "cyner_mitre_train_00389", "source": "cyner_mitre_train"}} +{"text": "In fact , with full access to the compromised Android smartphone , the opportunities for criminals to wreak havoc are significant – such as erasing infected phones or launching man-in-the-middle ( MITM ) attacks .", "spans": {"System: Android smartphone": [[46, 64]]}, "info": {"id": "cyner_mitre_train_00390", "source": "cyner_mitre_train"}} +{"text": "In its analysis , CSIS notes that MazarBOT was reported by Recorded Future last November as being actively sold in Russian underground forums and intriguingly , the malware will not activate on Android devices configured with Russian language settings .", "spans": {"Organization: CSIS": [[18, 22]], "Malware: MazarBOT": [[34, 42]], "Organization: Recorded Future": [[59, 74]], "System: Android": [[194, 201]]}, "info": {"id": "cyner_mitre_train_00391", "source": "cyner_mitre_train"}} +{"text": "This , in itself , does not prove that the perpetrators of the malware campaign are based in Russia , but it certainly sounds as if that is a strong possibility .", "spans": {}, "info": {"id": "cyner_mitre_train_00392", "source": "cyner_mitre_train"}} +{"text": "Malware authors in the past have often coded a “ safety net ” into their malware to prevent them from accidentally infecting their own computers and devices .", "spans": {}, "info": {"id": "cyner_mitre_train_00393", "source": "cyner_mitre_train"}} +{"text": "For more detailed information about the threat , check out the blog post from CSIS .", "spans": {"Organization: CSIS": [[78, 82]]}, "info": {"id": 
"cyner_mitre_train_00394", "source": "cyner_mitre_train"}} +{"text": "And , of course , remember to always be wary of unsolicited , unusual text messages and installing apps from third-party sources on your Android smartphone .", "spans": {"System: Android smartphone": [[137, 155]]}, "info": {"id": "cyner_mitre_train_00395", "source": "cyner_mitre_train"}} +{"text": "Coronavirus Update App Leads to Project Spy Android and iOS Spyware We discovered a cyberespionage campaign we have named Project Spy infecting Android and iOS devices with spyware by using the coronavirus disease ( Covid-19 ) as a lure .", "spans": {"System: Coronavirus Update App": [[0, 22]], "Malware: Project Spy": [[32, 43], [122, 133]], "System: Android": [[44, 51], [144, 151]], "System: iOS": [[56, 59], [156, 159]]}, "info": {"id": "cyner_mitre_train_00396", "source": "cyner_mitre_train"}} +{"text": "By : Tony Bao , Junzhi Lu April 14 , 2020 We discovered a potential cyberespionage campaign , which we have named Project Spy , that infects Android and iOS devices with spyware ( detected by Trend Micro as AndroidOS_ProjectSpy.HRX and IOS_ProjectSpy.A , respectively ) .", "spans": {"Malware: Project Spy": [[114, 125]], "System: Android": [[141, 148]], "System: iOS": [[153, 156]], "Organization: Trend Micro": [[192, 203]], "Indicator: AndroidOS_ProjectSpy.HRX": [[207, 231]], "Indicator: IOS_ProjectSpy.A": [[236, 252]]}, "info": {"id": "cyner_mitre_train_00397", "source": "cyner_mitre_train"}} +{"text": "Project Spy uses the ongoing coronavirus pandemic as a lure , posing as an app called Coronavirus Updates .", "spans": {"Malware: Project Spy": [[0, 11]]}, "info": {"id": "cyner_mitre_train_00398", "source": "cyner_mitre_train"}} +{"text": "We also found similarities in two older samples disguised as a Google service and , subsequently , as a music app after further investigation .", "spans": {"Organization: Google": [[63, 69]]}, "info": {"id": "cyner_mitre_train_00399", "source": 
"cyner_mitre_train"}} +{"text": "However , we have noted a significantly small number of downloads of the app in Pakistan , India , Afghanistan , Bangladesh , Iran , Saudi Arabia , Austria , Romania , Grenada , and Russia .", "spans": {}, "info": {"id": "cyner_mitre_train_00400", "source": "cyner_mitre_train"}} +{"text": "Project Spy routine At the end of March 2020 , we came across an app masquerading as a coronavirus update app , which we named Project Spy based on the login page of its backend server .", "spans": {"Malware: Project Spy": [[0, 11], [127, 138]]}, "info": {"id": "cyner_mitre_train_00401", "source": "cyner_mitre_train"}} +{"text": "This app carries a number of the capabilities : Upload GSM , WhatsApp , Telegram , Facebook , and Threema messages Upload voice notes , contacts stored , accounts , call logs , location information , and images Upload the expanded list of collected device information ( e.g. , IMEI , product , board , manufacturer , tag , host , Android version , application version , name , model brand , user , serial , hardware , bootloader , and device ID ) Upload SIM information ( e.g.", "spans": {"System: GSM": [[55, 58]], "System: WhatsApp": [[61, 69]], "System: Telegram": [[72, 80]], "System: Facebook": [[83, 91]], "System: Threema": [[98, 105]], "System: Android": [[330, 337]]}, "info": {"id": "cyner_mitre_train_00402", "source": "cyner_mitre_train"}} +{"text": ", IMSI , operator code , country , MCC-mobile country , SIM serial , operator name , and mobile number ) Upload wifi information ( e.g. , SSID , wifi speed , and MAC address ) Upload other information ( e.g. 
, display , date , time , fingerprint , created at , and updated at ) The app is capable of stealing messages from popular messaging apps by abusing the notification permissions to read the notification content and saving it to the database .", "spans": {}, "info": {"id": "cyner_mitre_train_00403", "source": "cyner_mitre_train"}} +{"text": "It requests permission to access the additional storage .", "spans": {}, "info": {"id": "cyner_mitre_train_00404", "source": "cyner_mitre_train"}} +{"text": "Project Spy ’ s earlier versions Searching for the domain in our sample database , we found that the coronavirus update app appears to be the latest version of another sample that we detected in May 2019 .", "spans": {"Malware: Project Spy": [[0, 11]]}, "info": {"id": "cyner_mitre_train_00405", "source": "cyner_mitre_train"}} +{"text": "The first version of Project Spy ( detected by Trend Micro as AndroidOS_SpyAgent.HRXB ) had the following capabilities : Collect device and system information ( i.e. 
, IMEI , device ID , manufacturer , model and phone number ) , location information , contacts stored , and call logs Collect and send SMS Take pictures via the camera Upload recorded MP4 files Monitor calls Searching further , we also found another sample that could be the second version of Project Spy .", "spans": {"Malware: Project Spy": [[21, 32]], "Organization: Trend Micro": [[47, 58]], "Indicator: AndroidOS_SpyAgent.HRXB": [[62, 85]]}, "info": {"id": "cyner_mitre_train_00406", "source": "cyner_mitre_train"}} +{"text": "This version appeared as Wabi Music , and copied a popular video-sharing social networking service as its backend login page .", "spans": {}, "info": {"id": "cyner_mitre_train_00407", "source": "cyner_mitre_train"}} +{"text": "In this second version , the developer ’ s name listed was “ concipit1248 ” in Google Play , and may have been active between May 2019 to February 2020 .", "spans": {"System: Google Play": [[79, 90]]}, "info": {"id": "cyner_mitre_train_00408", "source": "cyner_mitre_train"}} +{"text": "This app appears to have become unavailable on Google Play in March 2020 .", "spans": {"System: Google Play": [[47, 58]]}, "info": {"id": "cyner_mitre_train_00409", "source": "cyner_mitre_train"}} +{"text": "The second Project Spy version has similar capabilities to the first version , with the addition of the following : Stealing notification messages sent from WhatsApp , Facebook , and Telegram Abandoning the FTP mode of uploading the recorded images Aside from changing the app ’ s supposed function and look , the second and third versions ’ codes had little differences .", "spans": {"Malware: Project Spy": [[11, 22]], "System: WhatsApp": [[157, 165]], "System: Facebook": [[168, 176]], "System: Telegram": [[183, 191]]}, "info": {"id": "cyner_mitre_train_00410", "source": "cyner_mitre_train"}} +{"text": "Potentially malicious iOS connection Using the codes and “ Concipit1248 ” to check for more versions , we found two other apps in the 
App Store .", "spans": {"System: iOS": [[22, 25]], "System: App Store": [[134, 143]]}, "info": {"id": "cyner_mitre_train_00411", "source": "cyner_mitre_train"}} +{"text": "Further analysis of the iOS app “ Concipit1248 ” showed that the server used , spy [ .", "spans": {"Indicator: spy [ .": [[79, 86]]}, "info": {"id": "cyner_mitre_train_00412", "source": "cyner_mitre_train"}} +{"text": "] cashnow [ .", "spans": {}, "info": {"id": "cyner_mitre_train_00413", "source": "cyner_mitre_train"}} +{"text": "] ee , is the same one used in the Android version of Project Spy .", "spans": {"System: Android": [[35, 42]], "System: Project Spy": [[54, 65]]}, "info": {"id": "cyner_mitre_train_00414", "source": "cyner_mitre_train"}} +{"text": "However , although the “ Concipit1248 ” app requested permissions to open the device camera and read photos , the code only can upload a self-contained PNG file to a remote sever .", "spans": {}, "info": {"id": "cyner_mitre_train_00415", "source": "cyner_mitre_train"}} +{"text": "This may imply the “ Concipit1248 ” app is still incubating .", "spans": {}, "info": {"id": "cyner_mitre_train_00416", "source": "cyner_mitre_train"}} +{"text": "The other iOS app “ Concipit Shop ” from the same developer appeared normal and was last updated on November 2019 .", "spans": {"System: iOS": [[10, 13]]}, "info": {"id": "cyner_mitre_train_00417", "source": "cyner_mitre_train"}} +{"text": "Apple has confirmed that the iOS apps are not functioning based on analysis of the codes , and stated that the sandbox is able to detect and block these malicious behaviors .", "spans": {"Organization: Apple": [[0, 5]], "System: iOS": [[29, 32]]}, "info": {"id": "cyner_mitre_train_00418", "source": "cyner_mitre_train"}} +{"text": "Conclusion The “ Corona Updates ” app had relatively low downloads in Pakistan , India , Afghanistan , Bangladesh , Iran , Saudi Arabia , Austria , Romania , Grenada , and Russia .", "spans": {}, "info": {"id": "cyner_mitre_train_00419", 
"source": "cyner_mitre_train"}} +{"text": "Perhaps the app ’ s false capabilities also fueled the low number of downloads .", "spans": {}, "info": {"id": "cyner_mitre_train_00420", "source": "cyner_mitre_train"}} +{"text": "It also appears the apps may still be in development or incubation , maybe waiting for a “ right time ” to inject the malicious codes .", "spans": {}, "info": {"id": "cyner_mitre_train_00421", "source": "cyner_mitre_train"}} +{"text": "It ’ s also possible that the apps are being used to test other possible techniques .", "spans": {}, "info": {"id": "cyner_mitre_train_00422", "source": "cyner_mitre_train"}} +{"text": "A possible indication for timing might be when the app reaches a specific number of downloads or infected devices .", "spans": {}, "info": {"id": "cyner_mitre_train_00423", "source": "cyner_mitre_train"}} +{"text": "The coding style suggests that the cybercriminals behind this campaign are amateurs .", "spans": {}, "info": {"id": "cyner_mitre_train_00424", "source": "cyner_mitre_train"}} +{"text": "The incomplete iOS codes used in this campaign may have been bought while other capabilities appear to have been added .", "spans": {"System: iOS": [[15, 18]]}, "info": {"id": "cyner_mitre_train_00425", "source": "cyner_mitre_train"}} +{"text": "This may also explain the timing in between the apps becoming fully functional and “ incubation. 
” As this is a group we have not observed before , we will continue monitoring this campaign for further developments .", "spans": {}, "info": {"id": "cyner_mitre_train_00426", "source": "cyner_mitre_train"}} +{"text": "Users are cautioned to research and check reviews before they download apps .", "spans": {}, "info": {"id": "cyner_mitre_train_00427", "source": "cyner_mitre_train"}} +{"text": "Observe and look at the app ’ s display and text , stated functions , reviews from other users , and requested permissions before downloading .", "spans": {}, "info": {"id": "cyner_mitre_train_00428", "source": "cyner_mitre_train"}} +{"text": "Make sure that all other apps installed and the device operating systems are updated to the latest version .", "spans": {}, "info": {"id": "cyner_mitre_train_00429", "source": "cyner_mitre_train"}} +{"text": "Indicators of Compromise ( IoCs ) SHA256 Detection e394e53e53cd9047d6cff184ac333ef7698a34b777ae3aac82c2c669ef661dfe AndroidOS_SpyAgent.HRXB e8d4713e43241ab09d40c2ae8814302f77de76650ccf3e7db83b3ac8ad41f9fa AndroidOS_ProjectSpy.HRX 29b0d86ae68d83f9578c3f36041df943195bc55a7f3f1d45a9c23f145d75af9d", "spans": {"Indicator: e394e53e53cd9047d6cff184ac333ef7698a34b777ae3aac82c2c669ef661dfe": [[51, 115]], "Indicator: AndroidOS_SpyAgent.HRXB": [[116, 139]], "Indicator: e8d4713e43241ab09d40c2ae8814302f77de76650ccf3e7db83b3ac8ad41f9fa": [[140, 204]], "Indicator: 29b0d86ae68d83f9578c3f36041df943195bc55a7f3f1d45a9c23f145d75af9d": [[230, 294]]}, "info": {"id": "cyner_mitre_train_00430", "source": "cyner_mitre_train"}} +{"text": "AndroidOS_ProjectSpy.HRX 3a15e7b8f4e35e006329811a6a2bf291d449884a120332f24c7e3ca58d0fbbdb IOS_ProjectSpy.A URLs cashnow [ .", "spans": {"Indicator: 3a15e7b8f4e35e006329811a6a2bf291d449884a120332f24c7e3ca58d0fbbdb": [[25, 89]], "Indicator: IOS_ProjectSpy.A": [[90, 106]], "Indicator: cashnow [ .": [[112, 123]]}, "info": {"id": "cyner_mitre_train_00431", "source": "cyner_mitre_train"}} +{"text": "] ee Backend server ftp [ 
.", "spans": {"Indicator: server ftp [ .": [[13, 27]]}, "info": {"id": "cyner_mitre_train_00432", "source": "cyner_mitre_train"}} +{"text": "] XXXX [ .", "spans": {}, "info": {"id": "cyner_mitre_train_00433", "source": "cyner_mitre_train"}} +{"text": "] com Backend server spy [ .", "spans": {"Indicator: server spy [ .": [[14, 28]]}, "info": {"id": "cyner_mitre_train_00434", "source": "cyner_mitre_train"}} +{"text": "] cashnow [ .", "spans": {}, "info": {"id": "cyner_mitre_train_00435", "source": "cyner_mitre_train"}} +{"text": "] ee Backend server xyz [ .", "spans": {"Indicator: server xyz [ .": [[13, 27]]}, "info": {"id": "cyner_mitre_train_00436", "source": "cyner_mitre_train"}} +{"text": "] cashnow [ .", "spans": {}, "info": {"id": "cyner_mitre_train_00437", "source": "cyner_mitre_train"}} +{"text": "] ee Backend server October 8 , 2020 Sophisticated new Android malware marks the latest evolution of mobile ransomware Attackers are persistent and motivated to continuously evolve – and no platform is immune .", "spans": {"System: Android": [[55, 62]]}, "info": {"id": "cyner_mitre_train_00438", "source": "cyner_mitre_train"}} +{"text": "That is why Microsoft has been working to extend its industry-leading endpoint protection capabilities beyond Windows .", "spans": {"Organization: Microsoft": [[12, 21]], "System: Windows": [[110, 117]]}, "info": {"id": "cyner_mitre_train_00439", "source": "cyner_mitre_train"}} +{"text": "The addition of mobile threat defense into these capabilities means that Microsoft Defender for Endpoint ( previously Microsoft Defender Advanced Threat Protection ) now delivers protection on all major platforms .", "spans": {"System: Microsoft Defender": [[73, 91]], "System: Microsoft Defender Advanced Threat Protection": [[118, 163]]}, "info": {"id": "cyner_mitre_train_00440", "source": "cyner_mitre_train"}} +{"text": "Microsoft ’ s mobile threat defense capabilities further enrich the visibility that organizations have on threats in their 
networks , as well as provide more tools to detect and respond to threats across domains and across platforms .", "spans": {"Organization: Microsoft": [[0, 9]]}, "info": {"id": "cyner_mitre_train_00441", "source": "cyner_mitre_train"}} +{"text": "Like all of Microsoft ’ s security solutions , these new capabilities are likewise backed by a global network of threat researchers and security experts whose deep understanding of the threat landscape guide the continuous innovation of security features and ensure that customers are protected from ever-evolving threats .", "spans": {"Organization: Microsoft": [[12, 21]]}, "info": {"id": "cyner_mitre_train_00442", "source": "cyner_mitre_train"}} +{"text": "For example , we found a piece of a particularly sophisticated Android ransomware with novel techniques and behavior , exemplifying the rapid evolution of mobile threats that we have also observed on other platforms .", "spans": {"System: Android": [[63, 70]]}, "info": {"id": "cyner_mitre_train_00443", "source": "cyner_mitre_train"}} +{"text": "The mobile ransomware , detected by Microsoft Defender for Endpoint as AndroidOS/MalLocker.B , is the latest variant of a ransomware family that ’ s been in the wild for a while but has been evolving non-stop .", "spans": {"System: Microsoft Defender": [[36, 54]], "Indicator: AndroidOS/MalLocker.B": [[71, 92]]}, "info": {"id": "cyner_mitre_train_00444", "source": "cyner_mitre_train"}} +{"text": "This ransomware family is known for being hosted on arbitrary websites and circulated on online forums using various social engineering lures , including masquerading as popular apps , cracked games , or video players .", "spans": {}, "info": {"id": "cyner_mitre_train_00445", "source": "cyner_mitre_train"}} +{"text": "The new variant caught our attention because it ’ s an advanced malware with unmistakable malicious characteristic and behavior and yet manages to evade many available protections , registering a low detection rate against 
security solutions .", "spans": {}, "info": {"id": "cyner_mitre_train_00446", "source": "cyner_mitre_train"}} +{"text": "As with most Android ransomware , this new threat doesn ’ t actually block access to files by encrypting them .", "spans": {"System: Android": [[13, 20]]}, "info": {"id": "cyner_mitre_train_00447", "source": "cyner_mitre_train"}} +{"text": "Instead , it blocks access to devices by displaying a screen that appears over every other window , such that the user can ’ t do anything else .", "spans": {}, "info": {"id": "cyner_mitre_train_00448", "source": "cyner_mitre_train"}} +{"text": "The said screen is the ransom note , which contains threats and instructions to pay the ransom .", "spans": {}, "info": {"id": "cyner_mitre_train_00449", "source": "cyner_mitre_train"}} +{"text": "What ’ s innovative about this ransomware is how it displays its ransom note .", "spans": {}, "info": {"id": "cyner_mitre_train_00450", "source": "cyner_mitre_train"}} +{"text": "In this blog , we ’ ll detail the innovative ways in which this ransomware surfaces its ransom note using Android features we haven ’ t seen leveraged by malware before , as well as incorporating an open-source machine learning module designed for context-aware cropping of its ransom note .", "spans": {"System: Android": [[106, 113]]}, "info": {"id": "cyner_mitre_train_00451", "source": "cyner_mitre_train"}} +{"text": "New scheme , same goal In the past , Android ransomware used a special permission called “ SYSTEM_ALERT_WINDOW ” to display their ransom note .", "spans": {"System: Android": [[37, 44]]}, "info": {"id": "cyner_mitre_train_00452", "source": "cyner_mitre_train"}} +{"text": "Apps that have this permission can draw a window that belongs to the system group and can ’ t be dismissed .", "spans": {}, "info": {"id": "cyner_mitre_train_00453", "source": "cyner_mitre_train"}} +{"text": "No matter what button is pressed , the window stays on top of all other windows .", "spans": {}, "info": 
{"id": "cyner_mitre_train_00454", "source": "cyner_mitre_train"}} +{"text": "The notification was intended to be used for system alerts or errors , but Android threats misused it to force the attacker-controlled UI to fully occupy the screen , blocking access to the device .", "spans": {"System: Android": [[75, 82]]}, "info": {"id": "cyner_mitre_train_00455", "source": "cyner_mitre_train"}} +{"text": "Attackers create this scenario to persuade users to pay the ransom so they can gain back access to the device .", "spans": {}, "info": {"id": "cyner_mitre_train_00456", "source": "cyner_mitre_train"}} +{"text": "To catch these threats , security solutions used heuristics that focused on detecting this behavior .", "spans": {}, "info": {"id": "cyner_mitre_train_00457", "source": "cyner_mitre_train"}} +{"text": "Google later implemented platform-level changes that practically eliminated this attack surface .", "spans": {"Organization: Google": [[0, 6]]}, "info": {"id": "cyner_mitre_train_00458", "source": "cyner_mitre_train"}} +{"text": "These changes include : Removing the SYSTEM_ALERT_WINDOW error and alert window types , and introducing a few other types as replacement Elevating the permission status of SYSTEM_ALERT_WINDOW to special permission by putting it into the “ above dangerous ” category , which means that users have to go through many screens to approve apps that ask for permission , instead of just one click Introducing an overlay kill switch on Android 8.0 and later that users can activate anytime to deactivate a system alert window To adapt , Android malware evolved to misusing", "spans": {"System: Android 8.0": [[429, 440]], "System: Android": [[530, 537]]}, "info": {"id": "cyner_mitre_train_00459", "source": "cyner_mitre_train"}} +{"text": "other features , but these aren ’ t as effective .", "spans": {}, "info": {"id": "cyner_mitre_train_00460", "source": "cyner_mitre_train"}} +{"text": "For example , some strains of ransomware abuse accessibility 
features , a method that could easily alarm users because accessibility is a special permission that requires users to go through several screens and accept a warning that the app will be able to monitor activity via accessibility services .", "spans": {}, "info": {"id": "cyner_mitre_train_00461", "source": "cyner_mitre_train"}} +{"text": "Other ransomware families use infinite loops of drawing non-system windows , but in between drawing and redrawing , it ’ s possible for users to go to settings and uninstall the offending app .", "spans": {"System: windows": [[67, 74]]}, "info": {"id": "cyner_mitre_train_00462", "source": "cyner_mitre_train"}} +{"text": "The new Android ransomware variant overcomes these barriers by evolving further than any Android malware we ’ ve seen before .", "spans": {"Malware: Android": [[8, 15], [89, 96]]}, "info": {"id": "cyner_mitre_train_00463", "source": "cyner_mitre_train"}} +{"text": "To surface its ransom note , it uses a series of techniques that take advantage of the following components on Android : The “ call ” notification , among several categories of notifications that Android supports , which requires immediate user attention .", "spans": {"System: Android": [[111, 118], [196, 203]]}, "info": {"id": "cyner_mitre_train_00464", "source": "cyner_mitre_train"}} +{"text": "The “ onUserLeaveHint ( ) ” callback method of the Android Activity ( i.e. 
, the typical GUI screen the user sees ) is called as part of the activity lifecycle when the activity is about to go into the background as a result of user choice , for example , when the user presses the Home key .", "spans": {"System: Android Activity": [[51, 67]]}, "info": {"id": "cyner_mitre_train_00465", "source": "cyner_mitre_train"}} +{"text": "The malware connects the dots and uses these two components to create a special type of notification that triggers the ransom screen via the callback .", "spans": {}, "info": {"id": "cyner_mitre_train_00466", "source": "cyner_mitre_train"}} +{"text": "As the code snippet shows , the malware creates a notification builder and then does the following : setCategory ( “ call ” ) – This means that the notification is built as a very important notification that needs special privilege .", "spans": {}, "info": {"id": "cyner_mitre_train_00467", "source": "cyner_mitre_train"}} +{"text": "setFullScreenIntent ( ) – This API wires the notification to a GUI so that it pops up when the user taps on it .", "spans": {}, "info": {"id": "cyner_mitre_train_00468", "source": "cyner_mitre_train"}} +{"text": "At this stage , half the job is done for the malware .", "spans": {}, "info": {"id": "cyner_mitre_train_00469", "source": "cyner_mitre_train"}} +{"text": "However , the malware wouldn ’ t want to depend on user interaction to trigger the ransomware screen , so , it adds another functionality of Android callback : As the code snippet shows , the malware overrides the onUserLeaveHint ( ) callback function of Activity class .", "spans": {"System: Android": [[141, 148]]}, "info": {"id": "cyner_mitre_train_00470", "source": "cyner_mitre_train"}} +{"text": "The function onUserLeaveHint ( ) is called whenever the malware screen is pushed to background , causing the in-call Activity to be automatically brought to the foreground .", "spans": {}, "info": {"id": "cyner_mitre_train_00471", "source": "cyner_mitre_train"}} +{"text": "Recall that 
the malware hooked the RansomActivity intent with the notification that was created as a “ call ” type notification .", "spans": {}, "info": {"id": "cyner_mitre_train_00472", "source": "cyner_mitre_train"}} +{"text": "This creates a chain of events that triggers the automatic pop-up of the ransomware screen without doing infinite redraw or posing as system window .", "spans": {}, "info": {"id": "cyner_mitre_train_00473", "source": "cyner_mitre_train"}} +{"text": "Machine learning module indicates continuous evolution As mentioned , this ransomware is the latest variant of a malware family that has undergone several stages of evolution .", "spans": {}, "info": {"id": "cyner_mitre_train_00474", "source": "cyner_mitre_train"}} +{"text": "The knowledge graph below shows the various techniques this ransomware family has been seen using , including abusing the system alert window , abusing accessibility features , and , more recently , abusing notification services .", "spans": {}, "info": {"id": "cyner_mitre_train_00475", "source": "cyner_mitre_train"}} +{"text": "This ransomware family ’ s long history tells us that its evolution is far from over .", "spans": {}, "info": {"id": "cyner_mitre_train_00476", "source": "cyner_mitre_train"}} +{"text": "We expect it to churn out new variants with even more sophisticated techniques .", "spans": {}, "info": {"id": "cyner_mitre_train_00477", "source": "cyner_mitre_train"}} +{"text": "In fact , recent variants contain code forked from an open-source machine learning module used by developers to automatically resize and crop images based on screen size , a valuable function given the variety of Android devices .", "spans": {"System: Android": [[213, 220]]}, "info": {"id": "cyner_mitre_train_00478", "source": "cyner_mitre_train"}} +{"text": "The frozen TinyML model is useful for making sure images fit the screen without distortion .", "spans": {"System: TinyML": [[11, 17]]}, "info": {"id": "cyner_mitre_train_00479", "source": 
"cyner_mitre_train"}} +{"text": "In the case of this ransomware , using the model would ensure that its ransom note—typically fake police notice or explicit images supposedly found on the device—would appear less contrived and more believable , increasing the chances of the user paying for the ransom .", "spans": {}, "info": {"id": "cyner_mitre_train_00480", "source": "cyner_mitre_train"}} +{"text": "The library that uses tinyML is not yet wired to the malware ’ s functionalities , but its presence in the malware code indicates the intention to do so in future variants .", "spans": {"System: tinyML": [[22, 28]]}, "info": {"id": "cyner_mitre_train_00481", "source": "cyner_mitre_train"}} +{"text": "We will continue to monitor this ransomware family to ensure customers are protected and to share our findings and insights to the community for broad protection against these evolving mobile threats .", "spans": {}, "info": {"id": "cyner_mitre_train_00482", "source": "cyner_mitre_train"}} +{"text": "Protecting organizations from threats across domains and platforms Mobile threats continue to rapidly evolve , with attackers continuously attempting to sidestep technological barriers and creatively find ways to accomplish their goal , whether financial gain or finding an entry point to broader network compromise .", "spans": {}, "info": {"id": "cyner_mitre_train_00483", "source": "cyner_mitre_train"}} +{"text": "This new mobile ransomware variant is an important discovery because the malware exhibits behaviors that have not been seen before and could open doors for other malware to follow .", "spans": {}, "info": {"id": "cyner_mitre_train_00484", "source": "cyner_mitre_train"}} +{"text": "It reinforces the need for comprehensive defense powered by broad visibility into attack surfaces as well as domain experts who track the threat landscape and uncover notable threats that might be hiding amidst massive threat data and signals .", "spans": {}, "info": {"id": 
"cyner_mitre_train_00485", "source": "cyner_mitre_train"}} +{"text": "Microsoft Defender for Endpoint on Android , now generally available , extends Microsoft ’ s industry-leading endpoint protection to Android .", "spans": {"System: Microsoft Defender": [[0, 18]], "System: Android": [[35, 42], [133, 140]], "Organization: Microsoft": [[79, 88]]}, "info": {"id": "cyner_mitre_train_00486", "source": "cyner_mitre_train"}} +{"text": "It detects this ransomware ( AndroidOS/MalLocker.B ) , as well as other malicious apps and files using cloud-based protection powered by deep learning and heuristics , in addition to content-based detection .", "spans": {"Indicator: AndroidOS/MalLocker.B": [[29, 50]]}, "info": {"id": "cyner_mitre_train_00487", "source": "cyner_mitre_train"}} +{"text": "It also protects users and organizations from other mobile threats , such as mobile phishing , unsafe network connections , and unauthorized access to sensitive data .", "spans": {}, "info": {"id": "cyner_mitre_train_00488", "source": "cyner_mitre_train"}} +{"text": "Learn more about our mobile threat defense capabilities in Microsoft Defender for Endpoint on Android .", "spans": {"System: Microsoft Defender": [[59, 77]], "System: Android": [[94, 101]]}, "info": {"id": "cyner_mitre_train_00489", "source": "cyner_mitre_train"}} +{"text": "Malware , phishing , and other threats detected by Microsoft Defender for Endpoint are reported to the Microsoft Defender Security Center , allowing SecOps to investigate mobile threats along with endpoint signals from Windows and other platforms using Microsoft Defender for Endpoint ’ s rich set of tools for detection , investigation , and response .", "spans": {"System: Microsoft Defender": [[51, 69], [253, 271]], "Organization: Microsoft Defender Security Center": [[103, 137]], "System: Windows": [[219, 226]]}, "info": {"id": "cyner_mitre_train_00490", "source": "cyner_mitre_train"}} +{"text": "Threat data from endpoints are combined with signals from 
email and data , identities , and apps in Microsoft 365 Defender ( previously Microsoft Threat Protection ) , which orchestrates detection , prevention , investigation , and response across domains , providing coordinated defense .", "spans": {"System: Microsoft 365 Defender": [[100, 122]], "System: Microsoft Threat Protection": [[136, 163]]}, "info": {"id": "cyner_mitre_train_00491", "source": "cyner_mitre_train"}} +{"text": "Microsoft Defender for Endpoint on Android further enriches organizations ’ visibility into malicious activity , empowering them to comprehensively prevent , detect , and respond to against attack sprawl and cross-domain incidents .", "spans": {"System: Microsoft Defender": [[0, 18]], "System: Android": [[35, 42]]}, "info": {"id": "cyner_mitre_train_00492", "source": "cyner_mitre_train"}} +{"text": "Technical analysis Obfuscation On top of recreating ransomware behavior in ways we haven ’ t seen before , the Android malware variant uses a new obfuscation technique unique to the Android platform .", "spans": {"System: Android": [[111, 118], [182, 189]]}, "info": {"id": "cyner_mitre_train_00493", "source": "cyner_mitre_train"}} +{"text": "One of the tell-tale signs of an obfuscated malware is the absence of code that defines the classes declared in the manifest file .", "spans": {}, "info": {"id": "cyner_mitre_train_00494", "source": "cyner_mitre_train"}} +{"text": "The classes.dex has implementation for only two classes : The main application class gCHotRrgEruDv , which is involved when the application opens A helper class that has definition for custom encryption and decryption This means that there ’ s no code corresponding to the services declared in the manifest file : Main Activity , Broadcast Receivers , and Background .", "spans": {}, "info": {"id": "cyner_mitre_train_00495", "source": "cyner_mitre_train"}} +{"text": "How does the malware work without code for these key components ?", "spans": {}, "info": {"id": 
"cyner_mitre_train_00496", "source": "cyner_mitre_train"}} +{"text": "As is characteristic for obfuscated threats , the malware has encrypted binary code stored in the Assets folder : When the malware runs for the first time , the static block of the main class is run .", "spans": {}, "info": {"id": "cyner_mitre_train_00497", "source": "cyner_mitre_train"}} +{"text": "The code is heavily obfuscated and made unreadable through name mangling and use of meaningless variable names : Decryption with a twist The malware uses an interesting decryption routine : the string values passed to the decryption function do not correspond to the decrypted value , they correspond to junk code to simply hinder analysis .", "spans": {}, "info": {"id": "cyner_mitre_train_00498", "source": "cyner_mitre_train"}} +{"text": "On Android , an Intent is a software mechanism that allows users to coordinate the functions of different Activities to achieve a task .", "spans": {"System: Android": [[3, 10]]}, "info": {"id": "cyner_mitre_train_00499", "source": "cyner_mitre_train"}} +{"text": "It ’ s a messaging object that can be used to request an action from another app component .", "spans": {}, "info": {"id": "cyner_mitre_train_00500", "source": "cyner_mitre_train"}} +{"text": "The Intent object carries a string value as “ action ” parameter .", "spans": {}, "info": {"id": "cyner_mitre_train_00501", "source": "cyner_mitre_train"}} +{"text": "The malware creates an Intent inside the decryption function using the string value passed as the name for the Intent .", "spans": {}, "info": {"id": "cyner_mitre_train_00502", "source": "cyner_mitre_train"}} +{"text": "It then decrypts a hardcoded encrypted value and sets the “ action ” parameter of the Intent using the setAction API .", "spans": {}, "info": {"id": "cyner_mitre_train_00503", "source": "cyner_mitre_train"}} +{"text": "Once this Intent object is generated with the action value pointing to the decrypted content , the decryption function 
returns the Intent object to the callee .", "spans": {}, "info": {"id": "cyner_mitre_train_00504", "source": "cyner_mitre_train"}} +{"text": "The callee then invokes the getAction method to get the decrypted content .", "spans": {}, "info": {"id": "cyner_mitre_train_00505", "source": "cyner_mitre_train"}} +{"text": "Payload deployment Once the static block execution is complete , the Android Lifecycle callback transfers the control to the OnCreate method of the main class .", "spans": {"System: Android Lifecycle": [[69, 86]]}, "info": {"id": "cyner_mitre_train_00506", "source": "cyner_mitre_train"}} +{"text": "Malware code showing onCreate method Figure 9. onCreate method of the main class decrypting the payload Next , the malware-defined function decryptAssetToDex ( a meaningful name we assigned during analysis ) receives the string “ CuffGmrQRT ” as the first argument , which is the name of the encrypted file stored in the Assets folder .", "spans": {"Indicator: CuffGmrQRT": [[230, 240]]}, "info": {"id": "cyner_mitre_train_00507", "source": "cyner_mitre_train"}} +{"text": "Malware code showing decryption of assets Figure 10 .", "spans": {}, "info": {"id": "cyner_mitre_train_00508", "source": "cyner_mitre_train"}} +{"text": "Decrypting the assets After being decrypted , the asset turns into the .dex file .", "spans": {}, "info": {"id": "cyner_mitre_train_00509", "source": "cyner_mitre_train"}} +{"text": "This is a notable behavior that is characteristic of this ransomware family .", "spans": {}, "info": {"id": "cyner_mitre_train_00510", "source": "cyner_mitre_train"}} +{"text": "Comparison of code of Asset file before and after decryption Figure 11 .", "spans": {}, "info": {"id": "cyner_mitre_train_00511", "source": "cyner_mitre_train"}} +{"text": "Asset file before and after decryption Once the encrypted executable is decrypted and dropped in the storage , the malware has the definitions for all the components it declared in the manifest file .", "spans": {}, 
"info": {"id": "cyner_mitre_train_00512", "source": "cyner_mitre_train"}} +{"text": "It then starts the final detonator function to load the dropped .dex file into memory and triggers the main payload .", "spans": {}, "info": {"id": "cyner_mitre_train_00513", "source": "cyner_mitre_train"}} +{"text": "Malware code showing loading of decrypted dex file Figure 12 .", "spans": {}, "info": {"id": "cyner_mitre_train_00514", "source": "cyner_mitre_train"}} +{"text": "Loading the decrypted .dex file into memory and triggering the main payload Main payload When the main payload is loaded into memory , the initial detonator hands over the control to the main payload by invoking the method XoqF ( which we renamed to triggerInfection during analysis ) from the gvmthHtyN class ( renamed to PayloadEntry ) .", "spans": {}, "info": {"id": "cyner_mitre_train_00515", "source": "cyner_mitre_train"}} +{"text": "Malware code showing handover from initial module to main payload Figure 13 .", "spans": {}, "info": {"id": "cyner_mitre_train_00516", "source": "cyner_mitre_train"}} +{"text": "Handover from initial module to the main payload As mentioned , the initial handover component called triggerInfection with an instance of appObj and a method that returns the value for the variable config .", "spans": {}, "info": {"id": "cyner_mitre_train_00517", "source": "cyner_mitre_train"}} +{"text": "Malware code showing definition of populateConfigMap Figure 14 .", "spans": {}, "info": {"id": "cyner_mitre_train_00518", "source": "cyner_mitre_train"}} +{"text": "Definition of populateConfigMap , which loads the map with values Correlating the last two steps , one can observe that the malware payload receives the configuration for the following properties : number – The default number to be send to the server ( in case the number is not available from the device ) api – The API key url – The URL to be used in WebView to display on the ransom note The malware saves this configuration to the shared 
preferences of the app data and then it sets up all the Broadcast Receivers .", "spans": {}, "info": {"id": "cyner_mitre_train_00519", "source": "cyner_mitre_train"}} +{"text": "This action registers code components to get notified when certain system events happen .", "spans": {}, "info": {"id": "cyner_mitre_train_00520", "source": "cyner_mitre_train"}} +{"text": "This is done in the function initComponents .", "spans": {}, "info": {"id": "cyner_mitre_train_00521", "source": "cyner_mitre_train"}} +{"text": "Malware code showing initializing broadcast receiver Figure 15 .", "spans": {}, "info": {"id": "cyner_mitre_train_00522", "source": "cyner_mitre_train"}} +{"text": "Initializing the BroadcastReceiver against system events From this point on , the malware execution is driven by callback functions that are triggered on system events like connectivity change , unlocking the phone , elapsed time interval , and others .", "spans": {}, "info": {"id": "cyner_mitre_train_00523", "source": "cyner_mitre_train"}} +{"text": "Lookout researchers have identified a new , highly targeted surveillanceware family known as Desert Scorpion in the Google Play Store .", "spans": {"Organization: Lookout": [[0, 7]], "Malware: Desert Scorpion": [[93, 108]], "System: Google Play Store": [[116, 133]]}, "info": {"id": "cyner_mitre_train_00524", "source": "cyner_mitre_train"}} +{"text": "Lookout notified Google of the finding and Google removed the app immediately while also taking action on it in Google Play Protect .", "spans": {"Organization: Lookout": [[0, 7]], "Organization: Google": [[17, 23], [43, 49]], "System: Google Play Protect": [[112, 131]]}, "info": {"id": "cyner_mitre_train_00525", "source": "cyner_mitre_train"}} +{"text": "The app ties together two malware families - Desert Scorpion and another targeted surveillanceware family named FrozenCell - that we believe are being developed by a single , evolving surveillanceware actor called APT-C-23 targeting individuals in the 
Middle East .", "spans": {"Malware: Desert Scorpion": [[45, 60]], "Malware: FrozenCell": [[112, 122]], "Malware: APT-C-23": [[214, 222]]}, "info": {"id": "cyner_mitre_train_00526", "source": "cyner_mitre_train"}} +{"text": "We 've seen this actor rely heavily on phishing campaigns to trick victims into downloading their malicious apps , specifically on Facebook .", "spans": {"System: Facebook": [[131, 139]]}, "info": {"id": "cyner_mitre_train_00527", "source": "cyner_mitre_train"}} +{"text": "Even sophisticated actors are using lower cost , less technologically impressive means like phishing to spread their malware because it 's cheap and very effective , especially on mobile devices where there are more ways to interact with a victim ( messaging apps , social media apps , etc .", "spans": {}, "info": {"id": "cyner_mitre_train_00528", "source": "cyner_mitre_train"}} +{"text": ") , and less screen real estate for victims to identify potential indicators of a threat .", "spans": {}, "info": {"id": "cyner_mitre_train_00529", "source": "cyner_mitre_train"}} +{"text": "Lookout customers are protected against this threat and additionally we have included a list of IOCs at the end of this report .", "spans": {"Organization: Lookout": [[0, 7]]}, "info": {"id": "cyner_mitre_train_00530", "source": "cyner_mitre_train"}} +{"text": "The potential actor and who they target Our current analysis strongly suggests Desert Scorpion is being deployed in targeted attacks against Middle Eastern individuals of interest specifically those in Palestine and has also been highlighted by other researchers .", "spans": {"Malware: Desert Scorpion": [[79, 94]]}, "info": {"id": "cyner_mitre_train_00531", "source": "cyner_mitre_train"}} +{"text": "We have been able to tie the malware to a long-running Facebook profile that we observed promoting the first stage of this family , a malicious chat application called Dardesh via links to Google Play .", "spans": {"Organization: Facebook": [[55, 63]], 
"Malware: Dardesh": [[168, 175]], "System: Google Play": [[189, 200]]}, "info": {"id": "cyner_mitre_train_00532", "source": "cyner_mitre_train"}} +{"text": "The Lookout Threat Intelligence team identified that this same Facebook profile has also posted Google Drive links to Android malware belonging to the FrozenCell family attributed to APT-C-27 .", "spans": {"Organization: Lookout Threat Intelligence": [[4, 31]], "Organization: Facebook": [[63, 71]], "System: Google Drive": [[96, 108]], "System: Android": [[118, 125]], "Malware: FrozenCell": [[151, 161]], "Indicator: APT-C-27": [[183, 191]]}, "info": {"id": "cyner_mitre_train_00533", "source": "cyner_mitre_train"}} +{"text": "These factors , in combination with the fact that the command and control infrastructure used by Frozen Cell and Desert Scorpion resides in similar IP blocks , supports the theory that the same actor is responsible for operating , if not developing , both families .", "spans": {"Malware: Frozen Cell": [[97, 108]], "Malware: Desert Scorpion": [[113, 128]]}, "info": {"id": "cyner_mitre_train_00534", "source": "cyner_mitre_train"}} +{"text": "What it does The surveillance functionality of Desert Scorpion resides in a second stage payload that can only be downloaded if the victim has downloaded , installed , and interacted with the first-stage chat application .", "spans": {"Malware: Desert Scorpion": [[47, 62]]}, "info": {"id": "cyner_mitre_train_00535", "source": "cyner_mitre_train"}} +{"text": "The chat application acts as a dropper for this second-stage payload app .", "spans": {}, "info": {"id": "cyner_mitre_train_00536", "source": "cyner_mitre_train"}} +{"text": "At the time of writing Lookout has observed two updates to the Dardesh application , the first on February 26 and the second on March 28 .", "spans": {"Organization: Lookout": [[23, 30]], "Malware: Dardesh": [[63, 70]]}, "info": {"id": "cyner_mitre_train_00537", "source": "cyner_mitre_train"}} +{"text": "The malicious capabilities 
observed in the second stage include the following : Upload attacker-specified files to C2 servers Get list of installed applications Get device metadata Inspect itself to get a list of launchable activities Retrieves PDF , txt , doc , xls , xlsx , ppt , pptx files found on external storage Send SMS Retrieve text messages Track device location Handle limited attacker commands via out of band text messages Record surrounding audio Record calls Record video Retrieve account information such as email addresses Retrieve contacts Removes copies of itself if", "spans": {}, "info": {"id": "cyner_mitre_train_00538", "source": "cyner_mitre_train"}} +{"text": "any additional APKs are downloaded to external storage .", "spans": {}, "info": {"id": "cyner_mitre_train_00539", "source": "cyner_mitre_train"}} +{"text": "Call an attacker-specified number Uninstall apps Check if a device is rooted Hide its icon Retrieve list of files on external storage If running on a Huawei device it will attempt to add itself to the protected list of apps able to run with the screen off Encrypts some exfiltrated data Desert Scorpion 's second stage masquerades as a generic \" settings '' application .", "spans": {"Malware: Desert Scorpion": [[287, 302]]}, "info": {"id": "cyner_mitre_train_00540", "source": "cyner_mitre_train"}} +{"text": "Curiously , several of these have included the world \" Fateh '' in their package name , which may be referring to the Fatah political party .", "spans": {"Organization: Fatah": [[118, 123]]}, "info": {"id": "cyner_mitre_train_00541", "source": "cyner_mitre_train"}} +{"text": "Such references would be in line with FrozenCell 's phishing tactics in which they used file names to lure people associated with the political party to open malicious documents .", "spans": {"Malware: FrozenCell": [[38, 48]]}, "info": {"id": "cyner_mitre_train_00542", "source": "cyner_mitre_train"}} +{"text": "Desert Scorpion 's second stage is capable of installing another non-malicious 
application ( included in the second stage ) which is highly specific to the Fatah political party and supports the targeting theory .", "spans": {"Malware: Desert Scorpion": [[0, 15]], "Organization: Fatah": [[156, 161]]}, "info": {"id": "cyner_mitre_train_00543", "source": "cyner_mitre_train"}} +{"text": "The Lookout Threat Intelligence team is increasingly seeing the same tradecraft , tactics , and procedures that APT-C-23 favors being used by other actors .", "spans": {"Organization: Lookout Threat Intelligence": [[4, 31]], "Malware: APT-C-23": [[112, 120]]}, "info": {"id": "cyner_mitre_train_00544", "source": "cyner_mitre_train"}} +{"text": "The approach of separating malicious functionality out into separate stages that are later downloaded during execution and not present in the initial app published to the Google Play Store , combined with social engineering delivered via social media platforms like Facebook , requires minimal investment in comparison to premium tooling like Pegasus or FinFisher .", "spans": {"System: Google Play Store": [[171, 188]], "Organization: Facebook": [[266, 274]], "Malware: Pegasus": [[343, 350]], "Malware: FinFisher": [[354, 363]]}, "info": {"id": "cyner_mitre_train_00545", "source": "cyner_mitre_train"}} +{"text": "As we 've seen with actors like Dark Caracal , this low cost , low sophistication approach that relies heavily upon social engineering has still been shown to be highly successful for those operating such campaigns .", "spans": {"Malware: Dark Caracal": [[32, 44]]}, "info": {"id": "cyner_mitre_train_00546", "source": "cyner_mitre_train"}} +{"text": "Given previous operational security errors from this actor in the past which resulted in exfiltrated content being publicly accessible Lookout Threat Intelligence is continuing to map out infrastructure and closely monitor their continued evolution .", "spans": {"Organization: Lookout Threat Intelligence": [[135, 162]]}, "info": {"id": "cyner_mitre_train_00547", "source": 
"cyner_mitre_train"}} +{"text": "Virulent Android malware returns , gets > 2 million downloads on Google Play HummingWhale is back with new tricks , including a way to gin user ratings .", "spans": {"Malware: Virulent": [[0, 8]], "System: Android": [[9, 16]], "System: Google Play": [[65, 76]], "Malware: HummingWhale": [[77, 89]]}, "info": {"id": "cyner_mitre_train_00548", "source": "cyner_mitre_train"}} +{"text": "DAN GOODIN - 1/23/2017 , 4:39 PM A virulent family of malware that infected more than 10 million Android devices last year has made a comeback , this time hiding inside Google Play apps that have been downloaded by as many as 12 million unsuspecting users .", "spans": {"Malware: virulent": [[35, 43]], "System: Android": [[97, 104]], "System: Google Play": [[169, 180]]}, "info": {"id": "cyner_mitre_train_00549", "source": "cyner_mitre_train"}} +{"text": "HummingWhale , as the professionally developed malware has been dubbed , is a variant of HummingBad , the name given to a family of malicious apps researchers documented in July invading non-Google app markets .", "spans": {"Malware: HummingWhale": [[0, 12]], "Malware: HummingBad": [[89, 99]]}, "info": {"id": "cyner_mitre_train_00550", "source": "cyner_mitre_train"}} +{"text": "HummingBad attempted to override security protections by exploiting unpatched vulnerabilities that gave the malware root privileges in older versions of Android .", "spans": {"Malware: HummingBad": [[0, 10]], "Vulnerability: unpatched vulnerabilities": [[68, 93]], "System: Android": [[153, 160]]}, "info": {"id": "cyner_mitre_train_00551", "source": "cyner_mitre_train"}} +{"text": "Before Google shut it down , it installed more than 50,000 fraudulent apps each day , displayed 20 million malicious advertisements , and generated more than $ 300,000 per month in revenue .", "spans": {"Organization: Google": [[7, 13]]}, "info": {"id": "cyner_mitre_train_00552", "source": "cyner_mitre_train"}} +{"text": "Of the 10 million people who 
downloaded HummingBad-contaminated apps , an estimated 286,000 of them were located in the US .", "spans": {"Malware: HummingBad-contaminated": [[40, 63]]}, "info": {"id": "cyner_mitre_train_00553", "source": "cyner_mitre_train"}} +{"text": "HummingWhale , by contrast , managed to sneak its way into about 20 Google Play apps that were downloaded from 2 million to 12 million times , according to researchers from Check Point , the security company that has been closely following the malware family for almost a year .", "spans": {"Malware: HummingWhale": [[0, 12]], "System: Google Play": [[68, 79]], "Organization: Check Point": [[173, 184]]}, "info": {"id": "cyner_mitre_train_00554", "source": "cyner_mitre_train"}} +{"text": "Rather than rooting devices , the latest variant includes new virtual machine techniques that allow the malware to perform ad fraud better than ever , company researchers said in a blog post published Monday .", "spans": {}, "info": {"id": "cyner_mitre_train_00555", "source": "cyner_mitre_train"}} +{"text": "\" Users must realize that they can no longer trust in installing only apps with a high reputation from official app stores as their sole defense , '' the researchers wrote in an e-mail to Ars .", "spans": {"Organization: Ars": [[188, 191]]}, "info": {"id": "cyner_mitre_train_00556", "source": "cyner_mitre_train"}} +{"text": "\" This malware employs several tactics to keep its activity hidden , meaning users might be unaware of its existence on their device .", "spans": {}, "info": {"id": "cyner_mitre_train_00557", "source": "cyner_mitre_train"}} +{"text": "'' As was the case with HummingBad , the purpose of HummingWhale is to generate revenue by displaying fraudulent ads and automatically installing apps .", "spans": {"Malware: HummingBad": [[24, 34]], "Malware: HummingWhale": [[52, 64]]}, "info": {"id": "cyner_mitre_train_00558", "source": "cyner_mitre_train"}} +{"text": "When users try to close the ads , the new functionality causes 
already downloaded apps to run in a virtual machine .", "spans": {}, "info": {"id": "cyner_mitre_train_00559", "source": "cyner_mitre_train"}} +{"text": "That creates a fake ID that allows the perpetrators to generate referral revenues .", "spans": {}, "info": {"id": "cyner_mitre_train_00560", "source": "cyner_mitre_train"}} +{"text": "Use of the virtual machine brings many technical benefits to the operators , chief among them allowing the malware to install apps without requiring users to approve a list of elevated permissions .", "spans": {}, "info": {"id": "cyner_mitre_train_00561", "source": "cyner_mitre_train"}} +{"text": "Advertisement The VM also disguises the malicious activity , making it easier for the apps to infiltrate Google Play .", "spans": {"System: Google Play": [[105, 116]]}, "info": {"id": "cyner_mitre_train_00562", "source": "cyner_mitre_train"}} +{"text": "It has the added benefit of installing a nearly unlimited number of fraudulent apps without overloading the infected device .", "spans": {}, "info": {"id": "cyner_mitre_train_00563", "source": "cyner_mitre_train"}} +{"text": "Until now , Android malware that wanted advanced capabilities typically had to trick users into approving sometimes scary-sounding permissions or exploit rooting vulnerabilities .", "spans": {"System: Android": [[12, 19]]}, "info": {"id": "cyner_mitre_train_00564", "source": "cyner_mitre_train"}} +{"text": "Ginning the ratings FURTHER READING 1 million Google accounts compromised by Android malware called Gooligan To implement the VM feature , the malicious APK installation dropper used by HummingWhale uses DroidPlugin , an extension originally developed by developers from China-based company Qihoo 360 , Check Point said .", "spans": {"Organization: Google": [[46, 52]], "System: Android": [[77, 84]], "Malware: Gooligan": [[100, 108]], "Malware: HummingWhale": [[186, 198]], "Malware: DroidPlugin": [[204, 215]], "Organization: Qihoo 360": [[291, 300]], "Organization: 
Check Point": [[303, 314]]}, "info": {"id": "cyner_mitre_train_00565", "source": "cyner_mitre_train"}} +{"text": "HummingWhale has also been observed hiding the original malicious app once it 's installed and trying to improve its Google Play reputation by automatically generating posts disguised as positive user comments and ratings .", "spans": {"Malware: HummingWhale": [[0, 12]], "System: Google Play": [[117, 128]]}, "info": {"id": "cyner_mitre_train_00566", "source": "cyner_mitre_train"}} +{"text": "Gooligan , a family of Android malware that came to light in November after it compromised more than 1 million Google accounts , contained similar abilities to tamper with Google Play ratings .", "spans": {"Malware: Gooligan": [[0, 8]], "System: Android": [[23, 30]], "Organization: Google": [[111, 117]], "System: Google Play": [[172, 183]]}, "info": {"id": "cyner_mitre_train_00567", "source": "cyner_mitre_train"}} +{"text": "People who want to know if their Android devices are infected can download the Check Point app here .", "spans": {"System: Android": [[33, 40]], "Organization: Check Point": [[79, 90]]}, "info": {"id": "cyner_mitre_train_00568", "source": "cyner_mitre_train"}} +{"text": "A separate app from Check Point competitor Lookout also detects the threat as a variant of the Shedun malware family .", "spans": {"Organization: Check Point": [[20, 31]], "Organization: Lookout": [[43, 50]], "Malware: Shedun": [[95, 101]]}, "info": {"id": "cyner_mitre_train_00569", "source": "cyner_mitre_train"}} +{"text": "More technically inclined people can detect infections by seeing if a device connects to a control server located at app.blinkingcamera.com .", "spans": {"Indicator: app.blinkingcamera.com": [[117, 139]]}, "info": {"id": "cyner_mitre_train_00570", "source": "cyner_mitre_train"}} +{"text": "Package names for infected apps typically contain a common naming structure that includes com.XXXXXXXXX.camera , for example com.bird.sky.whale.camera ( app name : Whale 
Camera ) , com.color.rainbow.camera ( Rainbow Camera ) , and com.fishing.when.orangecamera ( Orange Camera ) .", "spans": {"Indicator: com.XXXXXXXXX.camera": [[90, 110]], "Indicator: com.bird.sky.whale.camera": [[125, 150]], "System: Whale Camera": [[164, 176]], "Indicator: com.color.rainbow.camera": [[181, 205]], "System: Rainbow Camera": [[208, 222]], "Indicator: com.fishing.when.orangecamera": [[231, 260]], "System: Orange Camera": [[263, 276]]}, "info": {"id": "cyner_mitre_train_00571", "source": "cyner_mitre_train"}} +{"text": "Google officials removed the malicious apps from the Play market after receiving a private report of their existence .", "spans": {"Organization: Google": [[0, 6]], "System: Play market": [[53, 64]]}, "info": {"id": "cyner_mitre_train_00572", "source": "cyner_mitre_train"}} +{"text": "A company representative declined to comment for this post .", "spans": {}, "info": {"id": "cyner_mitre_train_00573", "source": "cyner_mitre_train"}} +{"text": "BusyGasper – the unfriendly spy 29 AUG 2018 In early 2018 our mobile intruder-detection technology was triggered by a suspicious Android sample that , as it turned out , belonged to an unknown spyware family .", "spans": {"Malware: BusyGasper": [[0, 10]], "System: Android": [[129, 136]]}, "info": {"id": "cyner_mitre_train_00574", "source": "cyner_mitre_train"}} +{"text": "Further investigation showed that the malware , which we named BusyGasper , is not all that sophisticated , but demonstrates some unusual features for this type of threat .", "spans": {"Malware: BusyGasper": [[63, 73]]}, "info": {"id": "cyner_mitre_train_00575", "source": "cyner_mitre_train"}} +{"text": "From a technical point of view , the sample is a unique spy implant with stand-out features such as device sensors listeners , including motion detectors that have been implemented with a degree of originality .", "spans": {}, "info": {"id": "cyner_mitre_train_00576", "source": "cyner_mitre_train"}} +{"text": "It has an incredibly 
wide-ranging protocol – about 100 commands – and an ability to bypass the Doze battery saver .", "spans": {}, "info": {"id": "cyner_mitre_train_00577", "source": "cyner_mitre_train"}} +{"text": "As a modern Android spyware it is also capable of exfiltrating data from messaging applications ( WhatsApp , Viber , Facebook ) .", "spans": {"System: WhatsApp": [[98, 106]], "System: Viber": [[109, 114]], "System: Facebook": [[117, 125]]}, "info": {"id": "cyner_mitre_train_00578", "source": "cyner_mitre_train"}} +{"text": "Moreover , BusyGasper boasts some keylogging tools – the malware processes every user tap , gathering its coordinates and calculating characters by matching given values with hardcoded ones .", "spans": {"Malware: BusyGasper": [[11, 21]]}, "info": {"id": "cyner_mitre_train_00579", "source": "cyner_mitre_train"}} +{"text": "The sample has a multicomponent structure and can download a payload or updates from its C & C server , which happens to be an FTP server belonging to the free Russian web hosting service Ucoz .", "spans": {}, "info": {"id": "cyner_mitre_train_00580", "source": "cyner_mitre_train"}} +{"text": "It is noteworthy that BusyGasper supports the IRC protocol which is rarely seen among Android malware .", "spans": {"Malware: BusyGasper": [[22, 32]], "System: Android": [[86, 93]]}, "info": {"id": "cyner_mitre_train_00581", "source": "cyner_mitre_train"}} +{"text": "In addition , the malware can log in to the attacker ’ s email inbox , parse emails in a special folder for commands and save any payloads to a device from email attachments .", "spans": {}, "info": {"id": "cyner_mitre_train_00582", "source": "cyner_mitre_train"}} +{"text": "This particular operation has been active since approximately May 2016 up to the present time .", "spans": {}, "info": {"id": "cyner_mitre_train_00583", "source": "cyner_mitre_train"}} +{"text": "Infection vector and victims While looking for the infection vector , we found no evidence of spear phishing or any of 
the other common vectors .", "spans": {}, "info": {"id": "cyner_mitre_train_00584", "source": "cyner_mitre_train"}} +{"text": "But some clues , such as the existence of a hidden menu for operator control , point to a manual installation method – the attackers used physical access to a victim ’ s device to install the malware .", "spans": {}, "info": {"id": "cyner_mitre_train_00585", "source": "cyner_mitre_train"}} +{"text": "This would explain the number of victims – there are less than 10 of them and according to our detection statistics , they are all located in the Russia .", "spans": {}, "info": {"id": "cyner_mitre_train_00586", "source": "cyner_mitre_train"}} +{"text": "Intrigued , we continued our search and found more interesting clues that could reveal some detailed information about the owners of the infected devices .", "spans": {}, "info": {"id": "cyner_mitre_train_00587", "source": "cyner_mitre_train"}} +{"text": "Several TXT files with commands on the attacker ’ s FTP server contain a victim identifier in the names that was probably added by the criminals : CMDS10114-Sun1.txt CMDS10134-Ju_ASUS.txt CMDS10134-Tad.txt CMDS10166-Jana.txt CMDS10187-Sun2.txt CMDS10194-SlavaAl.txt CMDS10209-Nikusha.txt Some of them sound like Russian names : Jana , SlavaAl , Nikusha .", "spans": {"Indicator: CMDS10114-Sun1.txt": [[147, 165]], "Indicator: CMDS10134-Ju_ASUS.txt": [[166, 187]], "Indicator: CMDS10134-Tad.txt": [[188, 205]], "Indicator: CMDS10166-Jana.txt": [[206, 224]], "Indicator: CMDS10187-Sun2.txt": [[225, 243]], "Indicator: CMDS10194-SlavaAl.txt": [[244, 265]], "Indicator: CMDS10209-Nikusha.txt": [[266, 287]]}, "info": {"id": "cyner_mitre_train_00588", "source": "cyner_mitre_train"}} +{"text": "As we know from the FTP dump analysis , there was a firmware component from ASUS firmware , indicating the attacker ’ s interest in ASUS devices , which explains the victim file name that mentions “ ASUS ” .", "spans": {"Organization: ASUS": [[76, 80], [132, 136]]}, 
"info": {"id": "cyner_mitre_train_00589", "source": "cyner_mitre_train"}} +{"text": "Information gathered from the email account provides a lot of the victims ’ personal data , including messages from IM applications .", "spans": {}, "info": {"id": "cyner_mitre_train_00590", "source": "cyner_mitre_train"}} +{"text": "Gathered file Type Description lock Text Implant log ldata sqlite3 Location data based on network ( cell_id ) gdata sqlite3 Location data based on GPS coordinates sdata sqlite3 SMS messages f.db sqlite3 Facebook messages v.db sqlite3 Viber messages w.db sqlite3 WhatsApp messages Among the other data gathered were SMS banking messages that revealed an account with a balance of more than US $ 10,000.But as far as we know , the attacker behind this campaign is not interested in stealing the victims ’ money", "spans": {"Indicator: sdata sqlite3": [[163, 176]], "Indicator: f.db sqlite3": [[190, 202]], "System: Facebook": [[203, 211]], "Indicator: v.db sqlite3": [[221, 233]], "System: Viber": [[234, 239]], "Indicator: w.db sqlite3": [[249, 261]], "System: WhatsApp": [[262, 270]]}, "info": {"id": "cyner_mitre_train_00591", "source": "cyner_mitre_train"}} +{"text": ".", "spans": {}, "info": {"id": "cyner_mitre_train_00592", "source": "cyner_mitre_train"}} +{"text": "We found no similarities to commercial spyware products or to other known spyware variants , which suggests BusyGasper is self-developed and used by a single threat actor .", "spans": {"Malware: BusyGasper": [[108, 118]]}, "info": {"id": "cyner_mitre_train_00593", "source": "cyner_mitre_train"}} +{"text": "At the same time , the lack of encryption , use of a public FTP server and the low opsec level could indicate that less skilled attackers are behind the malware .", "spans": {}, "info": {"id": "cyner_mitre_train_00594", "source": "cyner_mitre_train"}} +{"text": "Technical details Here is the meta information for the observed samples , certificates and hardcoded version stamps : Certificate MD5 
Module Version Serial Number : 0x76607c02 Issuer : CN=Ron Validity : from = Tue Aug 30 13:01:30 MSK 2016 to = Sat Aug 24 13:01:30 MSK 2041 Subject : CN=Ron 9e005144ea1a583531f86663a5f14607 1 – 18abe28730c53de6d9e4786c7765c3d8 2 2.0", "spans": {"Indicator: 0x76607c02": [[165, 175]], "Indicator: 9e005144ea1a583531f86663a5f14607": [[290, 322]], "Indicator: 18abe28730c53de6d9e4786c7765c3d8": [[327, 359]]}, "info": {"id": "cyner_mitre_train_00595", "source": "cyner_mitre_train"}} +{"text": "Serial Number : 0x6a0d1fec Issuer : CN=Sun Validity : from = Mon May 16 17:42:40 MSK 2016 to = Fri May 10 17:42:40 MSK 2041 Subject : CN=Sun 9ffc350ef94ef840728564846f2802b0 2 v2.51sun 6c246bbb40b7c6e75c60a55c0da9e2f2 2 v2.96s 7c8a12e56e3e03938788b26b84b80bd6 2 v3.09s", "spans": {"Indicator: 0x6a0d1fec": [[16, 26]], "Indicator: 9ffc350ef94ef840728564846f2802b0": [[141, 173]], "Indicator: 6c246bbb40b7c6e75c60a55c0da9e2f2": [[185, 217]], "Indicator: 7c8a12e56e3e03938788b26b84b80bd6": [[227, 259]]}, "info": {"id": "cyner_mitre_train_00596", "source": "cyner_mitre_train"}} +{"text": "bde7847487125084f9e03f2b6b05adc3 2 v3.12s 2560942bb50ee6e6f55afc495d238a12 2 v3.18s It ’ s interesting that the issuer “ Sun ” matches the “ Sun1 ” and “ Sun2 ” identifiers of infected devices from the FTP server , suggesting they may be test devices .", "spans": {"Indicator: bde7847487125084f9e03f2b6b05adc3": [[0, 32]], "Indicator: 2560942bb50ee6e6f55afc495d238a12": [[42, 74]]}, "info": {"id": "cyner_mitre_train_00597", "source": "cyner_mitre_train"}} +{"text": "The analyzed implant has a complex structure , and for now we have observed two modules .", "spans": {}, "info": {"id": "cyner_mitre_train_00598", "source": "cyner_mitre_train"}} +{"text": "First ( start ) module The first module , which was installed on the targeted device , could be controlled over the IRC protocol and enable deployment of other components by downloading a payload from the FTP server : @ install command As can be seen from the 
screenshot above , a new component was copied in the system path , though that sort of operation is impossible without root privileges .", "spans": {}, "info": {"id": "cyner_mitre_train_00599", "source": "cyner_mitre_train"}} +{"text": "At the time of writing we had no evidence of an exploit being used to obtain root privileges , though it is possible that the attackers used some unseen component to implement this feature .", "spans": {}, "info": {"id": "cyner_mitre_train_00600", "source": "cyner_mitre_train"}} +{"text": "Here is a full list of possible commands that can be executed by the first module : Command name Description @ stop Stop IRC @ quit System.exit ( 0 ) @ start Start IRC @ server Set IRC server ( default value is “ irc.freenode.net ” ) , port is always 6667 @ boss Set IRC command and control nickname ( default value is “ ISeency ” ) @ nick Set IRC client nickname @ screen Report every time when screen is on ( enable/disable ) @ root Use root features ( enable/disable ) @ timer Set", "spans": {"Indicator: System.exit ( 0 )": [[132, 149]], "Indicator: irc.freenode.net": [[213, 229]]}, "info": {"id": "cyner_mitre_train_00601", "source": "cyner_mitre_train"}} +{"text": "period of IRCService start @ hide Hide implant icon @ unhide Unhide implant icon @ run Execute specified shell @ broadcast Send command to the second module @ echo Write specified message to log @ install Download and copy specified component to the system path The implant uses a complex intent-based communication mechanism between its components to broadcast commands : Approximate graph of relationships between BusyGasper components Second ( main ) module This module writes a log of the command execution history to the file named “ lock ” , which is later exfiltrated", "spans": {}, "info": {"id": "cyner_mitre_train_00602", "source": "cyner_mitre_train"}} +{"text": ".", "spans": {}, "info": {"id": "cyner_mitre_train_00603", "source": "cyner_mitre_train"}} +{"text": "Below is a fragment 
of such a log : Log with specified command Log files can be uploaded to the FTP server and sent to the attacker ’ s email inbox .", "spans": {}, "info": {"id": "cyner_mitre_train_00604", "source": "cyner_mitre_train"}} +{"text": "It ’ s even possible to send log messages via SMS to the attacker ’ s number .", "spans": {}, "info": {"id": "cyner_mitre_train_00605", "source": "cyner_mitre_train"}} +{"text": "As the screenshot above shows , the malware has its own command syntax that represents a combination of characters while the “ # ” symbol is a delimiter .", "spans": {}, "info": {"id": "cyner_mitre_train_00606", "source": "cyner_mitre_train"}} +{"text": "A full list of all possible commands with descriptions can be found in Appendix II below .", "spans": {}, "info": {"id": "cyner_mitre_train_00607", "source": "cyner_mitre_train"}} +{"text": "The malware has all the popular capabilities of modern spyware .", "spans": {}, "info": {"id": "cyner_mitre_train_00608", "source": "cyner_mitre_train"}} +{"text": "Below is a description of the most noteworthy : The implant is able to spy on all available device sensors and to log registered events .", "spans": {}, "info": {"id": "cyner_mitre_train_00609", "source": "cyner_mitre_train"}} +{"text": "Moreover , there is a special handler for the accelerometer that is able to calculate and log the device ’ s speed : This feature is used in particular by the command “ tk0 ” that mutes the device , disables keyguard , turns off the brightness , uses wakelock and listens to device sensors .", "spans": {}, "info": {"id": "cyner_mitre_train_00610", "source": "cyner_mitre_train"}} +{"text": "This allows it to silently execute any backdoor activity without the user knowing that the device is in an active state .", "spans": {}, "info": {"id": "cyner_mitre_train_00611", "source": "cyner_mitre_train"}} +{"text": "As soon as the user picks up the device , the implant will detect a motion event and execute the “ tk1 ” and “ input keyevent 3 
” commands .", "spans": {}, "info": {"id": "cyner_mitre_train_00612", "source": "cyner_mitre_train"}} +{"text": "“ tk1 ” will disable all the effects of the “ tk0 ” command , while “ input keyevent 3 ” is the shell command that simulates the pressing of the ‘ home ’ button so all the current activities will be minimized and the user won ’ t suspect anything .", "spans": {}, "info": {"id": "cyner_mitre_train_00613", "source": "cyner_mitre_train"}} +{"text": "Location services to enable ( GPS/network ) tracking : The email command and control protocol .", "spans": {}, "info": {"id": "cyner_mitre_train_00614", "source": "cyner_mitre_train"}} +{"text": "The implant can log in to the attackers email inbox , parse emails for commands in a special “ Cmd ” folder and save any payloads to a device from email attachments .", "spans": {}, "info": {"id": "cyner_mitre_train_00615", "source": "cyner_mitre_train"}} +{"text": "Accessing the “ Cmd ” folder in the attacker ’ s email box Moreover , it can send a specified file or all the gathered data from the victim device via email .", "spans": {}, "info": {"id": "cyner_mitre_train_00616", "source": "cyner_mitre_train"}} +{"text": "Emergency SMS commands .", "spans": {}, "info": {"id": "cyner_mitre_train_00617", "source": "cyner_mitre_train"}} +{"text": "If an incoming SMS contains one of the following magic strings : ” 2736428734″ or ” 7238742800″ the malware will execute multiple initial commands : Keylogger implementation Keylogging is implemented in an original manner .", "spans": {"Indicator: 2736428734″": [[67, 78]], "Indicator: 7238742800″": [[84, 95]]}, "info": {"id": "cyner_mitre_train_00618", "source": "cyner_mitre_train"}} +{"text": "Immediately after activation , the malware creates a textView element in a new window with the following layout parameters : All these parameters ensure the element is hidden from the user .", "spans": {}, "info": {"id": "cyner_mitre_train_00619", "source": "cyner_mitre_train"}} +{"text": 
"Then it adds onTouchListener to this textView and is able to process every user tap .", "spans": {}, "info": {"id": "cyner_mitre_train_00620", "source": "cyner_mitre_train"}} +{"text": "Interestingly , there is an allowlist of tapped activities : ui.ConversationActivity ui.ConversationListActivity SemcInCallScreen Quadrapop SocialPhonebookActivity The listener can operate with only coordinates , so it calculates pressed characters by matching given values with hardcoded ones : Additionally , if there is a predefined command , the keylogger can make a screenshot of the tapped display area : Manual access and operator menu There is a hidden menu ( Activity ) for controlling implant features that", "spans": {}, "info": {"id": "cyner_mitre_train_00621", "source": "cyner_mitre_train"}} +{"text": "looks like it was created for manual operator control .", "spans": {}, "info": {"id": "cyner_mitre_train_00622", "source": "cyner_mitre_train"}} +{"text": "To activate this menu the operator needs to call the hardcoded number “ 9909 ” from the infected device : A hidden menu then instantly appears on the device display : The operator can use this interface to type any command for execution .", "spans": {}, "info": {"id": "cyner_mitre_train_00623", "source": "cyner_mitre_train"}} +{"text": "It also shows a current malware log .", "spans": {}, "info": {"id": "cyner_mitre_train_00624", "source": "cyner_mitre_train"}} +{"text": "Infrastructure FTP server The attackers used ftp : //213.174.157 [ .", "spans": {"Indicator: ftp : //213.174.157 [ .": [[45, 68]]}, "info": {"id": "cyner_mitre_train_00625", "source": "cyner_mitre_train"}} +{"text": "] 151/ as a command and control server .", "spans": {}, "info": {"id": "cyner_mitre_train_00626", "source": "cyner_mitre_train"}} +{"text": "The IP belongs to the free Russian web hosting service Ucoz .", "spans": {}, "info": {"id": "cyner_mitre_train_00627", "source": "cyner_mitre_train"}} +{"text": "Files Description CMDS * .txt Text files 
with commands to execute supersu.apk SuperSU ( eu.chainfire.supersu , https : //play.google.com/store/apps/details ?", "spans": {"Indicator: supersu.apk": [[66, 77]], "Indicator: eu.chainfire.supersu": [[88, 108]], "Indicator: https : //play.google.com/store/apps/details ?": [[111, 157]]}, "info": {"id": "cyner_mitre_train_00628", "source": "cyner_mitre_train"}} +{"text": "id=eu.chainfire.supersu ) tool 246.us us.x SuperSU ELF binaries supersu.cfg supersu.cfg.ju supersu.cfg.old SuperSU configs with spyware implant mention bb.txt BusyBox v1.26.2 ELF file bdata.xml Config file for excluding malware components from Android battery saver feature Doze bdatas.apk Main implant module com.android.network.irc.apk Start implant module MobileManagerService.apk ASUS firmware system component ( clean ) mobilemanager.apk", "spans": {"Indicator: 246.us": [[31, 37]], "Indicator: us.x": [[38, 42]], "Indicator: supersu.cfg": [[64, 75]], "Indicator: supersu.cfg.ju": [[76, 90]], "Indicator: supersu.cfg.old": [[91, 106]], "Indicator: bb.txt": [[152, 158]], "Indicator: bdata.xml": [[184, 193]], "System: Android": [[244, 251]], "Indicator: bdatas.apk": [[279, 289]], "Indicator: com.android.network.irc.apk": [[310, 337]], "Indicator: MobileManagerService.apk": [[359, 383]], "Organization: ASUS": [[384, 388]], "Indicator: mobilemanager.apk": [[425, 442]]}, "info": {"id": "cyner_mitre_train_00629", "source": "cyner_mitre_train"}} +{"text": "Corrupted archive privapp.txt Looks like a list of system applications ( including spyware components ) from the infected device run-as.x run-as.y Run-as tool ELF file SuperSU config fragment for implant components and the busybox tool supersu.cfg : This config allows the implant to use all root features silently .", "spans": {"Indicator: privapp.txt": [[18, 29]], "Indicator: run-as.x": [[129, 137]], "Indicator: run-as.y": [[138, 146]], "Indicator: supersu.cfg": [[236, 247]]}, "info": {"id": "cyner_mitre_train_00630", "source": "cyner_mitre_train"}} 
+{"text": "Content of bdata.xml file : It can be added to the /system/etc/sysconfig/ path to allowlist specified implant components from the battery saving system .", "spans": {"Indicator: /system/etc/sysconfig/": [[51, 73]]}, "info": {"id": "cyner_mitre_train_00631", "source": "cyner_mitre_train"}} +{"text": "Email account A Gmail account with password is mentioned in the sample ’ s code : It contains the victim ’ s exfiltrated data and “ cmd ” directory with commands for victim devices .", "spans": {"System: Gmail": [[16, 21]]}, "info": {"id": "cyner_mitre_train_00632", "source": "cyner_mitre_train"}} +{"text": "10 million Android phones infected by all-powerful auto-rooting apps First detected in November , Shedun/HummingBad infections are surging .", "spans": {"System: Android": [[11, 18]], "Malware: Shedun/HummingBad": [[98, 115]]}, "info": {"id": "cyner_mitre_train_00633", "source": "cyner_mitre_train"}} +{"text": "7/7/2016 , 1:50 PM Security experts have documented a disturbing spike in a particularly virulent family of Android malware , with more than 10 million handsets infected and more than 286,000 of them in the US .", "spans": {"System: Android": [[108, 115]]}, "info": {"id": "cyner_mitre_train_00634", "source": "cyner_mitre_train"}} +{"text": "FURTHER READING New type of auto-rooting Android adware is nearly impossible to remove Researchers from security firm Check Point Software said the malware installs more than 50,000 fraudulent apps each day , displays 20 million malicious advertisements , and generates more than $ 300,000 per month in revenue .", "spans": {"System: Android": [[41, 48]], "Organization: Check Point Software": [[118, 138]]}, "info": {"id": "cyner_mitre_train_00635", "source": "cyner_mitre_train"}} +{"text": "The success is largely the result of the malware 's ability to silently root a large percentage of the phones it infects by exploiting vulnerabilities that remain unfixed in older versions of Android .", "spans": 
{"Vulnerability: vulnerabilities that remain unfixed in older versions of Android": [[135, 199]]}, "info": {"id": "cyner_mitre_train_00636", "source": "cyner_mitre_train"}} +{"text": "The Check Point researchers have dubbed the malware family \" HummingBad , '' but researchers from mobile security company Lookout say HummingBad is in fact Shedun , a family of auto-rooting malware that came to light last November and had already infected a large number of devices .", "spans": {"Organization: Check Point": [[4, 15]], "Malware: HummingBad": [[61, 71], [134, 144]], "Organization: Lookout": [[122, 129]], "Malware: Shedun": [[156, 162]]}, "info": {"id": "cyner_mitre_train_00637", "source": "cyner_mitre_train"}} +{"text": "Update Jul 11 2016 8:32 : On Monday , a Checkpoint representative disputed Lookout 's contention and pointed to this blog post from security firm Eleven Paths as support .", "spans": {"Organization: Checkpoint": [[40, 50]], "Organization: Lookout": [[75, 82]], "Organization: Eleven Paths": [[146, 158]]}, "info": {"id": "cyner_mitre_train_00638", "source": "cyner_mitre_train"}} +{"text": "The blog post said HummingBad \" uses a completely different infrastructure with little in common '' with Shedun .", "spans": {"Malware: HummingBad": [[19, 29]]}, "info": {"id": "cyner_mitre_train_00639", "source": "cyner_mitre_train"}} +{"text": "In an e-mail , a Lookout representative stood by its analysis and said company researchers planned to publish an in-depth response in the coming days .", "spans": {"Organization: Lookout": [[17, 24]]}, "info": {"id": "cyner_mitre_train_00640", "source": "cyner_mitre_train"}} +{"text": "For the past five months , Check Point researchers have quietly observed the China-based advertising company behind HummingBad in several ways , including by infiltrating the command and control servers it uses .", "spans": {"Organization: Check Point": [[27, 38]], "Malware: HummingBad": [[116, 126]]}, "info": {"id": "cyner_mitre_train_00641", 
"source": "cyner_mitre_train"}} +{"text": "The researchers say the malware uses the unusually tight control it gains over infected devices to create windfall profits and steadily increase its numbers .", "spans": {}, "info": {"id": "cyner_mitre_train_00642", "source": "cyner_mitre_train"}} +{"text": "HummingBad does this by silently installing promoted apps on infected phones , defrauding legitimate mobile advertisers , and creating fraudulent statistics inside the official Google Play Store .", "spans": {"Malware: HummingBad": [[0, 10]], "System: Google Play Store": [[177, 194]]}, "info": {"id": "cyner_mitre_train_00643", "source": "cyner_mitre_train"}} +{"text": "\" Accessing these devices and their sensitive data creates a new and steady stream of revenue for cybercriminals , '' Check Point researchers wrote in a recently published report .", "spans": {}, "info": {"id": "cyner_mitre_train_00644", "source": "cyner_mitre_train"}} +{"text": "\" Emboldened by financial and technological independence , their skillsets will advance–putting end users , enterprises , and government agencies at risk .", "spans": {}, "info": {"id": "cyner_mitre_train_00645", "source": "cyner_mitre_train"}} +{"text": "'' The report said HummingBad apps are developed by Yingmob , a Chinese mobile ad server company that other researchers claim is behind the Yinspector iOS malware .", "spans": {"Malware: HummingBad": [[19, 29]], "Organization: Yingmob": [[52, 59]], "Malware: Yinspector": [[140, 150]], "System: iOS": [[151, 154]]}, "info": {"id": "cyner_mitre_train_00646", "source": "cyner_mitre_train"}} +{"text": "HummingBad sends notifications to Umeng , a tracking and analytics service attackers use to manage their campaign .", "spans": {"Malware: HummingBad": [[0, 10]]}, "info": {"id": "cyner_mitre_train_00647", "source": "cyner_mitre_train"}} +{"text": "Check Point analyzed Yingmob ’ s Umeng account to gain further insights into the HummingBad campaign and found that beyond the 10 million 
devices under the control of malicious apps , Yingmob has non-malicious apps installed on another 75 million or so devices .", "spans": {"Organization: Check Point": [[0, 11]], "Organization: Yingmob": [[21, 28], [184, 191]], "Malware: HummingBad": [[81, 91]]}, "info": {"id": "cyner_mitre_train_00648", "source": "cyner_mitre_train"}} +{"text": "The researchers wrote : While profit is powerful motivation for any attacker , Yingmob ’ s apparent self-sufficiency and organizational structure make it well-positioned to expand into new business ventures , including productizing the access to the 85 million Android devices it controls .", "spans": {"Organization: Yingmob": [[79, 86]], "System: Android": [[261, 268]]}, "info": {"id": "cyner_mitre_train_00649", "source": "cyner_mitre_train"}} +{"text": "This alone would attract a whole new audience–and a new stream of revenue–for Yingmob .", "spans": {"Organization: Yingmob": [[78, 85]]}, "info": {"id": "cyner_mitre_train_00650", "source": "cyner_mitre_train"}} +{"text": "Quick , easy access to sensitive data on mobile devices connected to enterprises and government agencies around the globe is extremely attractive to cybercriminals and hacktivists .", "spans": {}, "info": {"id": "cyner_mitre_train_00651", "source": "cyner_mitre_train"}} +{"text": "Drive-by downloads and multiple rooting exploits The malware uses a variety of methods to infect devices .", "spans": {}, "info": {"id": "cyner_mitre_train_00652", "source": "cyner_mitre_train"}} +{"text": "One involves drive-by downloads , possibly on booby-trapped porn sites .", "spans": {}, "info": {"id": "cyner_mitre_train_00653", "source": "cyner_mitre_train"}} +{"text": "The attacks use multiple exploits in an attempt to gain root access on a device .", "spans": {}, "info": {"id": "cyner_mitre_train_00654", "source": "cyner_mitre_train"}} +{"text": "When rooting fails , a second component delivers a fake system update notification in hopes of tricking users into granting 
HummingBad system-level permissions .", "spans": {"Malware: HummingBad": [[124, 134]]}, "info": {"id": "cyner_mitre_train_00655", "source": "cyner_mitre_train"}} +{"text": "Whether or not rooting succeeds , HummingBad downloads a large number of apps .", "spans": {"Malware: HummingBad": [[34, 44]]}, "info": {"id": "cyner_mitre_train_00656", "source": "cyner_mitre_train"}} +{"text": "In some cases , malicious components are dynamically downloaded onto a device after an infected app is installed .", "spans": {}, "info": {"id": "cyner_mitre_train_00657", "source": "cyner_mitre_train"}} +{"text": "From there , infected phones display illegitimate ads and install fraudulent apps after certain events , such as rebooting , the screen turning on or off , a detection that the user is present , or a change in Internet connectivity .", "spans": {}, "info": {"id": "cyner_mitre_train_00658", "source": "cyner_mitre_train"}} +{"text": "HummingBad also has the ability to inject code into Google Play to tamper with its ratings and statistics .", "spans": {"Malware: HummingBad": [[0, 10]], "System: Google Play": [[52, 63]]}, "info": {"id": "cyner_mitre_train_00659", "source": "cyner_mitre_train"}} +{"text": "It does this by using infected devices to imitate clicks on the install , buy , and accept buttons .", "spans": {}, "info": {"id": "cyner_mitre_train_00660", "source": "cyner_mitre_train"}} +{"text": "Many of the 10 million infected phones are running old versions of Android and reside in China ( 1.6 million ) and India ( 1.35 million ) .", "spans": {"System: Android": [[67, 74]]}, "info": {"id": "cyner_mitre_train_00661", "source": "cyner_mitre_train"}} +{"text": "Still , US-based infected phones total almost 287,000 .", "spans": {}, "info": {"id": "cyner_mitre_train_00662", "source": "cyner_mitre_train"}} +{"text": "The most widely infected major Android versions are KitKat with 50 percent , followed by Jelly Bean with 40 percent .", "spans": {"System: Android": [[31, 38]], 
"System: KitKat": [[52, 58]], "System: Jelly Bean": [[89, 99]]}, "info": {"id": "cyner_mitre_train_00663", "source": "cyner_mitre_train"}} +{"text": "Lollipop has 7 percent , Ice Cream Sandwich has 2 percent , and Marshmallow has 1 percent .", "spans": {"System: Lollipop": [[0, 8]], "System: Ice Cream Sandwich": [[25, 43]], "System: Marshmallow": [[64, 75]]}, "info": {"id": "cyner_mitre_train_00664", "source": "cyner_mitre_train"}} +{"text": "It 's often hard for average users to know if their phones have been rooted , and Shedun apps often wait some period of time before displaying obtrusive ads or installing apps .", "spans": {"Malware: Shedun": [[82, 88]]}, "info": {"id": "cyner_mitre_train_00665", "source": "cyner_mitre_train"}} +{"text": "The best bet for Readers who want to make sure their phone is n't infected is to scan their phones using the free version of the Lookout Security and Antivirus app .", "spans": {"Organization: Lookout": [[129, 136]]}, "info": {"id": "cyner_mitre_train_00666", "source": "cyner_mitre_train"}} +{"text": "Android malware has drastically lower rates of success when app installations outside of Google Play are barred .", "spans": {"System: Android": [[0, 7]], "System: Google Play": [[89, 100]]}, "info": {"id": "cyner_mitre_train_00667", "source": "cyner_mitre_train"}} +{"text": "Readers should carefully think through the risks before changing this default setting .", "spans": {}, "info": {"id": "cyner_mitre_train_00668", "source": "cyner_mitre_train"}} +{"text": "Top 20 countries targeted by Hummingbad/Shedun .", "spans": {"Malware: Hummingbad/Shedun": [[29, 46]]}, "info": {"id": "cyner_mitre_train_00669", "source": "cyner_mitre_train"}} +{"text": "Enlarge / Top 20 countries targeted by Hummingbad/Shedun .", "spans": {"Malware: Hummingbad/Shedun": [[39, 56]]}, "info": {"id": "cyner_mitre_train_00670", "source": "cyner_mitre_train"}} +{"text": "Check Point Software Hummingbad/Shedun infections by Android version .", "spans": 
{"Organization: Check Point Software": [[0, 20]], "Malware: Hummingbad/Shedun": [[21, 38]], "System: Android": [[53, 60]]}, "info": {"id": "cyner_mitre_train_00671", "source": "cyner_mitre_train"}} +{"text": "Enlarge / Hummingbad/Shedun infections by Android version .", "spans": {"Malware: Hummingbad/Shedun": [[10, 27]], "System: Android": [[42, 49]]}, "info": {"id": "cyner_mitre_train_00672", "source": "cyner_mitre_train"}} +{"text": "Check Point Software So far , HummingBad has been observed using its highly privileged status only to engage in click fraud , display pop-up ads , tamper with Google Play , and install additional apps that do more of the same .", "spans": {"Organization: Check Point Software": [[0, 20]], "Malware: HummingBad": [[30, 40]], "System: Google Play": [[159, 170]]}, "info": {"id": "cyner_mitre_train_00673", "source": "cyner_mitre_train"}} +{"text": "But there 's little stopping it from doing much worse .", "spans": {}, "info": {"id": "cyner_mitre_train_00674", "source": "cyner_mitre_train"}} +{"text": "That 's because the malware roots most of the phones it infects , a process that subverts key security mechanisms built into Android .", "spans": {"System: Android": [[125, 132]]}, "info": {"id": "cyner_mitre_train_00675", "source": "cyner_mitre_train"}} +{"text": "Under a model known as sandboxing , most Android apps are n't permitted to access passwords or other data available to most other apps .", "spans": {"System: Android": [[41, 48]]}, "info": {"id": "cyner_mitre_train_00676", "source": "cyner_mitre_train"}} +{"text": "System applications with root , by contrast , have super-user permissions that allow them to break out of such sandboxes .", "spans": {}, "info": {"id": "cyner_mitre_train_00677", "source": "cyner_mitre_train"}} +{"text": "From there , root-level apps can read or modify data and resources that would be off-limits to normal apps .", "spans": {}, "info": {"id": "cyner_mitre_train_00678", "source": "cyner_mitre_train"}} 
+{"text": "As Lookout first reported more than eight months ago , the problem with Shedun/HummingBad and similar malicious app families that silently exploit Android rooting vulnerabilities is that the infections can survive normal factory resets .", "spans": {"Organization: Lookout": [[3, 10]], "Malware: Shedun/HummingBad": [[72, 89]], "Vulnerability: Android rooting vulnerabilities": [[147, 178]]}, "info": {"id": "cyner_mitre_train_00679", "source": "cyner_mitre_train"}} +{"text": "Lookout said in its own blog post published Wednesday that its threat detection network has recently observed a surge of Shedun attacks , indicating the scourge wo n't be going away any time soon .", "spans": {"Organization: Lookout": [[0, 7]], "Malware: Shedun": [[121, 127]]}, "info": {"id": "cyner_mitre_train_00680", "source": "cyner_mitre_train"}} +{"text": "An investigation of Chrysaor Malware on Android 03 April 2017 Google is constantly working to improve our systems that protect users from Potentially Harmful Applications ( PHAs ) .", "spans": {"Malware: Chrysaor": [[20, 28]], "System: Android": [[40, 47]], "Organization: Google": [[62, 68]]}, "info": {"id": "cyner_mitre_train_00681", "source": "cyner_mitre_train"}} +{"text": "Usually , PHA authors attempt to install their harmful apps on as many devices as possible .", "spans": {}, "info": {"id": "cyner_mitre_train_00682", "source": "cyner_mitre_train"}} +{"text": "However , a few PHA authors spend substantial effort , time , and money to create and install their harmful app on one or a very small number of devices .", "spans": {}, "info": {"id": "cyner_mitre_train_00683", "source": "cyner_mitre_train"}} +{"text": "This is known as a targeted attack .", "spans": {}, "info": {"id": "cyner_mitre_train_00684", "source": "cyner_mitre_train"}} +{"text": "In this blog post , we describe Chrysaor , a newly discovered family of spyware that was used in a targeted attack on a small number of Android devices , and how investigations like 
this help Google protect Android users from a variety of threats .", "spans": {"Malware: Chrysaor": [[32, 40]], "System: Android": [[136, 143], [207, 214]], "Organization: Google": [[192, 198]]}, "info": {"id": "cyner_mitre_train_00685", "source": "cyner_mitre_train"}} +{"text": "What is Chrysaor ?", "spans": {"Malware: Chrysaor": [[8, 16]]}, "info": {"id": "cyner_mitre_train_00686", "source": "cyner_mitre_train"}} +{"text": "Chrysaor is spyware believed to be created by NSO Group Technologies , specializing in the creation and sale of software and infrastructure for targeted attacks .", "spans": {"Malware: Chrysaor": [[0, 8]], "Organization: NSO Group Technologies": [[46, 68]]}, "info": {"id": "cyner_mitre_train_00687", "source": "cyner_mitre_train"}} +{"text": "Chrysaor is believed to be related to the Pegasus spyware that was first identified on iOS and analyzed by Citizen Lab and Lookout .", "spans": {"Malware: Chrysaor": [[0, 8]], "Malware: Pegasus": [[42, 49]], "System: iOS": [[87, 90]], "Organization: Citizen Lab": [[107, 118]], "Organization: Lookout": [[123, 130]]}, "info": {"id": "cyner_mitre_train_00688", "source": "cyner_mitre_train"}} +{"text": "Late last year , after receiving a list of suspicious package names from Lookout , we discovered that a few dozen Android devices may have installed an application related to Pegasus , which we named Chrysaor .", "spans": {"Organization: Lookout": [[73, 80]], "System: Android": [[114, 121]], "Malware: Pegasus": [[175, 182]], "Malware: Chrysaor": [[200, 208]]}, "info": {"id": "cyner_mitre_train_00689", "source": "cyner_mitre_train"}} +{"text": "Although the applications were never available in Google Play , we immediately identified the scope of the problem by using Verify Apps .", "spans": {"System: Google Play": [[50, 61]], "System: Verify Apps": [[124, 135]]}, "info": {"id": "cyner_mitre_train_00690", "source": "cyner_mitre_train"}} +{"text": "We gathered information from affected devices , and concurrently , 
attempted to acquire Chrysaor apps to better understand its impact on users .", "spans": {"Malware: Chrysaor": [[88, 96]]}, "info": {"id": "cyner_mitre_train_00691", "source": "cyner_mitre_train"}} +{"text": "We 've contacted the potentially affected users , disabled the applications on affected devices , and implemented changes in Verify Apps to protect all users .", "spans": {"System: Verify Apps": [[125, 136]]}, "info": {"id": "cyner_mitre_train_00692", "source": "cyner_mitre_train"}} +{"text": "What is the scope of Chrysaor ?", "spans": {"Malware: Chrysaor": [[21, 29]]}, "info": {"id": "cyner_mitre_train_00693", "source": "cyner_mitre_train"}} +{"text": "Chrysaor was never available in Google Play and had a very low volume of installs outside of Google Play .", "spans": {"Malware: Chrysaor": [[0, 8]], "System: Google Play": [[32, 43], [93, 104]]}, "info": {"id": "cyner_mitre_train_00694", "source": "cyner_mitre_train"}} +{"text": "Among the over 1.4 billion devices protected by Verify Apps , we observed fewer than 3 dozen installs of Chrysaor on victim devices .", "spans": {"System: Verify Apps": [[48, 59]], "Malware: Chrysaor": [[105, 113]]}, "info": {"id": "cyner_mitre_train_00695", "source": "cyner_mitre_train"}} +{"text": "These devices were located in the following countries : How we protect you To protect Android devices and users , Google Play provides a complete set of security services that update outside of platform releases .", "spans": {"System: Android": [[86, 93]], "System: Google Play": [[114, 125]]}, "info": {"id": "cyner_mitre_train_00696", "source": "cyner_mitre_train"}} +{"text": "Users do n't have to install any additional security services to keep their devices safe .", "spans": {}, "info": {"id": "cyner_mitre_train_00697", "source": "cyner_mitre_train"}} +{"text": "In 2016 , these services protected over 1.4 billion devices , making Google one of the largest providers of on-device security services in the world : Identify PHAs using people 
, systems in the cloud , and data sent to us from devices Warn users about or blocking users from installing PHAs Continually scan devices for PHAs and other harmful threats Additionally , we are providing detailed technical information to help the security industry in our collective work against PHAs .", "spans": {"Organization: Google": [[69, 75]]}, "info": {"id": "cyner_mitre_train_00698", "source": "cyner_mitre_train"}} +{"text": "What do I need to do ?", "spans": {}, "info": {"id": "cyner_mitre_train_00699", "source": "cyner_mitre_train"}} +{"text": "It is extremely unlikely you or someone you know was affected by Chrysaor malware .", "spans": {"Malware: Chrysaor": [[65, 73]]}, "info": {"id": "cyner_mitre_train_00700", "source": "cyner_mitre_train"}} +{"text": "Through our investigation , we identified less than 3 dozen devices affected by Chrysaor , we have disabled Chrysaor on those devices , and we have notified users of all known affected devices .", "spans": {"Malware: Chrysaor": [[80, 88], [108, 116]]}, "info": {"id": "cyner_mitre_train_00701", "source": "cyner_mitre_train"}} +{"text": "Additionally , the improvements we made to our protections have been enabled for all users of our security services .", "spans": {}, "info": {"id": "cyner_mitre_train_00702", "source": "cyner_mitre_train"}} +{"text": "To ensure you are fully protected against PHAs and other threats , we recommend these 5 basic steps : Install apps only from reputable sources : Install apps from a reputable source , such as Google Play .", "spans": {"System: Google Play": [[192, 203]]}, "info": {"id": "cyner_mitre_train_00703", "source": "cyner_mitre_train"}} +{"text": "No Chrysaor apps were on Google Play .", "spans": {"Malware: Chrysaor": [[3, 11]], "System: Google Play": [[25, 36]]}, "info": {"id": "cyner_mitre_train_00704", "source": "cyner_mitre_train"}} +{"text": "Enable a secure lock screen : Pick a PIN , pattern , or password that is easy for you to remember and hard for others to 
guess .", "spans": {}, "info": {"id": "cyner_mitre_train_00705", "source": "cyner_mitre_train"}} +{"text": "Update your device : Keep your device up-to-date with the latest security patches .", "spans": {}, "info": {"id": "cyner_mitre_train_00706", "source": "cyner_mitre_train"}} +{"text": "Verify Apps : Ensure Verify Apps is enabled .", "spans": {}, "info": {"id": "cyner_mitre_train_00707", "source": "cyner_mitre_train"}} +{"text": "Locate your device : Practice finding your device with Android Device Manager because you are far more likely to lose your device than install a PHA .", "spans": {"System: Android Device Manager": [[55, 77]]}, "info": {"id": "cyner_mitre_train_00708", "source": "cyner_mitre_train"}} +{"text": "How does Chrysaor work ?", "spans": {"Malware: Chrysaor": [[9, 17]]}, "info": {"id": "cyner_mitre_train_00709", "source": "cyner_mitre_train"}} +{"text": "To install Chrysaor , we believe an attacker coaxed specifically targeted individuals to download the malicious software onto their device .", "spans": {"Malware: Chrysaor": [[11, 19]]}, "info": {"id": "cyner_mitre_train_00710", "source": "cyner_mitre_train"}} +{"text": "Once Chrysaor is installed , a remote operator is able to surveil the victim 's activities on the device and within the vicinity , leveraging microphone , camera , data collection , and logging and tracking application activities on communication apps such as phone and SMS .", "spans": {"Malware: Chrysaor": [[5, 13]]}, "info": {"id": "cyner_mitre_train_00711", "source": "cyner_mitre_train"}} +{"text": "One representative sample Chrysaor app that we analyzed was tailored to devices running Jellybean ( 4.3 ) or earlier .", "spans": {"Malware: Chrysaor": [[26, 34]], "System: Jellybean ( 4.3 )": [[88, 105]]}, "info": {"id": "cyner_mitre_train_00712", "source": "cyner_mitre_train"}} +{"text": "The following is a review of scope and impact of the Chrysaor app named com.network.android tailored for a Samsung device target , with 
SHA256 digest : ade8bef0ac29fa363fc9afd958af0074478aef650adeb0318517b48bd996d5d5Upon installation , the app uses known framaroot exploits to escalate privileges and break Android 's application sandbox .", "spans": {"Malware: Chrysaor": [[53, 61]], "Indicator: com.network.android": [[72, 91]], "Organization: Samsung": [[107, 114]], "Indicator: ade8bef0ac29fa363fc9afd958af0074478aef650adeb0318517b48bd996d5d5Upon": [[152, 220]], "System: Android": [[307, 314]]}, "info": {"id": "cyner_mitre_train_00713", "source": "cyner_mitre_train"}} +{"text": "If the targeted device is not vulnerable to these exploits , then the app attempts to use a superuser binary pre-positioned at /system/csk to elevate privileges .", "spans": {"Indicator: /system/csk": [[127, 138]]}, "info": {"id": "cyner_mitre_train_00714", "source": "cyner_mitre_train"}} +{"text": "After escalating privileges , the app immediately protects itself and starts to collect data , by : Installing itself on the /system partition to persist across factory resets Removing Samsung 's system update app ( com.sec.android.fotaclient ) and disabling auto-updates to maintain persistence ( sets Settings.System.SOFTWARE_UPDATE_AUTO_UPDATE to 0 ) Deleting WAP push messages and changing WAP message settings , possibly for anti-forensic purpose .", "spans": {"Organization: Samsung": [[185, 192]], "Indicator: com.sec.android.fotaclient": [[216, 242]], "Indicator: Settings.System.SOFTWARE_UPDATE_AUTO_UPDATE to 0": [[303, 351]]}, "info": {"id": "cyner_mitre_train_00715", "source": "cyner_mitre_train"}} +{"text": "Starting content observers and the main task loop to receive remote commands and exfiltrate data The app uses six techniques to collect user data : Repeated commands : use alarms to periodically repeat actions on the device to expose data , including gathering location data .", "spans": {}, "info": {"id": "cyner_mitre_train_00716", "source": "cyner_mitre_train"}} +{"text": "Data collectors : dump all existing content on 
the device into a queue .", "spans": {}, "info": {"id": "cyner_mitre_train_00717", "source": "cyner_mitre_train"}} +{"text": "Data collectors are used in conjunction with repeated commands to collect user data including , SMS settings , SMS messages , Call logs , Browser History , Calendar , Contacts , Emails , and messages from selected messaging apps , including WhatsApp , Twitter , Facebook , Kakoa , Viber , and Skype by making /data/data directories of the apps world readable .", "spans": {"System: WhatsApp": [[241, 249]], "System: Twitter": [[252, 259]], "System: Facebook": [[262, 270]], "System: Kakoa": [[273, 278]], "System: Viber": [[281, 286]], "System: Skype": [[293, 298]]}, "info": {"id": "cyner_mitre_train_00718", "source": "cyner_mitre_train"}} +{"text": "Content observers : use Android 's ContentObserver framework to gather changes in SMS , Calendar , Contacts , Cell info , Email , WhatsApp , Facebook , Twitter , Kakao , Viber , and Skype .", "spans": {"System: Android": [[24, 31]], "System: SMS": [[82, 85]], "System: Calendar": [[88, 96]], "System: Contacts": [[99, 107]], "System: Cell info": [[110, 119]], "System: Email": [[122, 127]], "System: WhatsApp": [[130, 138]], "System: Facebook": [[141, 149]], "System: Twitter": [[152, 159]], "System: Kakao": [[162, 167]], "System: Viber": [[170, 175]], "System: Skype": [[182, 187]]}, "info": {"id": "cyner_mitre_train_00719", "source": "cyner_mitre_train"}} +{"text": "Screenshots : captures an image of the current screen via the raw frame buffer .", "spans": {}, "info": {"id": "cyner_mitre_train_00720", "source": "cyner_mitre_train"}} +{"text": "Keylogging : record input events by hooking IPCThreadState : :Transact from /system/lib/libbinder.so , and intercepting android : :parcel with the interface com.android.internal.view.IInputContext .", "spans": {"Indicator: /system/lib/libbinder.so": [[76, 100]], "Indicator: android : :parcel": [[120, 137]], "Indicator: com.android.internal.view.IInputContext": 
[[157, 196]]}, "info": {"id": "cyner_mitre_train_00721", "source": "cyner_mitre_train"}} +{"text": "RoomTap : silently answers a telephone call and stays connected in the background , allowing the caller to hear conversations within the range of the phone 's microphone .", "spans": {}, "info": {"id": "cyner_mitre_train_00722", "source": "cyner_mitre_train"}} +{"text": "If the user unlocks their device , they will see a black screen while the app drops the call , resets call settings and prepares for the user to interact with the device normally .", "spans": {}, "info": {"id": "cyner_mitre_train_00723", "source": "cyner_mitre_train"}} +{"text": "Finally , the app can remove itself through three ways : Via a command from the server Autoremove if the device has not been able to check in to the server after 60 days Via an antidote file .", "spans": {}, "info": {"id": "cyner_mitre_train_00724", "source": "cyner_mitre_train"}} +{"text": "If /sdcard/MemosForNotes was present on the device , the Chrysaor app removes itself from the device .", "spans": {"Indicator: /sdcard/MemosForNotes": [[3, 24]], "Malware: Chrysaor": [[57, 65]]}, "info": {"id": "cyner_mitre_train_00725", "source": "cyner_mitre_train"}} +{"text": "Samples uploaded to VirusTotal To encourage further research in the security community , we ’ ve uploaded these sample Chrysaor apps to Virus Total .", "spans": {"Organization: VirusTotal": [[20, 30]], "Malware: Chrysaor": [[119, 127]], "Organization: Virus Total": [[136, 147]]}, "info": {"id": "cyner_mitre_train_00726", "source": "cyner_mitre_train"}} +{"text": "Package Name SHA256 digest SHA1 certificate com.network.android ade8bef0ac29fa363fc9afd958af0074478aef650adeb0318517b48bd996d5d5 44f6d1caa257799e57f0ecaf4e2e216178f4cb3d com.network.android 3474625e63d0893fc8f83034e835472d95195254e1e4bdf99153b7c74eb44d86 516f8f516cc0fd8db53785a48c0a86554f75c3ba", "spans": {"Indicator: com.network.android": [[44, 63], [170, 189]], "Indicator: 
ade8bef0ac29fa363fc9afd958af0074478aef650adeb0318517b48bd996d5d5": [[64, 128]], "Indicator: 44f6d1caa257799e57f0ecaf4e2e216178f4cb3d": [[129, 169]], "Indicator: 3474625e63d0893fc8f83034e835472d95195254e1e4bdf99153b7c74eb44d86": [[190, 254]], "Indicator: 516f8f516cc0fd8db53785a48c0a86554f75c3ba": [[255, 295]]}, "info": {"id": "cyner_mitre_train_00727", "source": "cyner_mitre_train"}} +{"text": "Additional digests with links to Chrysaor As a result of our investigation we have identified these additional Chrysaor-related apps .", "spans": {"Malware: Chrysaor": [[33, 41]], "Malware: Chrysaor-related": [[111, 127]]}, "info": {"id": "cyner_mitre_train_00728", "source": "cyner_mitre_train"}} +{"text": "Package Name SHA256 digest SHA1 certificate com.network.android 98ca5f94638768e7b58889bb5df4584bf5b6af56b188da48c10a02648791b30c 516f8f516cc0fd8db53785a48c0a86554f75c3ba com.network.android 5353212b70aa096d918e4eb6b49eb5ad8f59d9bec02d089e88802c01e707c3a1", "spans": {"Indicator: com.network.android": [[44, 63], [170, 189]], "Indicator: 98ca5f94638768e7b58889bb5df4584bf5b6af56b188da48c10a02648791b30c": [[64, 128]], "Indicator: 516f8f516cc0fd8db53785a48c0a86554f75c3ba": [[129, 169]], "Indicator: 5353212b70aa096d918e4eb6b49eb5ad8f59d9bec02d089e88802c01e707c3a1": [[190, 254]]}, "info": {"id": "cyner_mitre_train_00729", "source": "cyner_mitre_train"}} +{"text": "44f6d1caa257799e57f0ecaf4e2e216178f4cb3d com.binary.sms.receiver 9fae5d148b89001555132c896879652fe1ca633d35271db34622248e048c78ae 7771af1ad3a3d9c0b4d9b55260bb47c2692722cf com.android.copy e384694d3d17cd88ec3a66c740c6398e07b8ee401320ca61e26bdf96c20485b4", "spans": {"Indicator: 44f6d1caa257799e57f0ecaf4e2e216178f4cb3d": [[0, 40]], "Indicator: com.binary.sms.receiver": [[41, 64]], "Indicator: 9fae5d148b89001555132c896879652fe1ca633d35271db34622248e048c78ae": [[65, 129]], "Indicator: 7771af1ad3a3d9c0b4d9b55260bb47c2692722cf": [[130, 170]], "Indicator: com.android.copy": [[171, 187]], "Indicator: 
e384694d3d17cd88ec3a66c740c6398e07b8ee401320ca61e26bdf96c20485b4": [[188, 252]]}, "info": {"id": "cyner_mitre_train_00730", "source": "cyner_mitre_train"}} +{"text": "7771af1ad3a3d9c0b4d9b55260bb47c2692722cf com.android.copy 12e085ab85db887438655feebd249127d813e31df766f8c7b009f9519916e389 7771af1ad3a3d9c0b4d9b55260bb47c2692722cf com.android.copy 6348104f8ef22eba5ac8ee737b192887629de987badbb1642e347d0dd01420f8", "spans": {"Indicator: 7771af1ad3a3d9c0b4d9b55260bb47c2692722cf": [[0, 40], [123, 163]], "Indicator: com.android.copy": [[41, 57], [164, 180]], "Indicator: 12e085ab85db887438655feebd249127d813e31df766f8c7b009f9519916e389": [[58, 122]], "Indicator: 6348104f8ef22eba5ac8ee737b192887629de987badbb1642e347d0dd01420f8": [[181, 245]]}, "info": {"id": "cyner_mitre_train_00731", "source": "cyner_mitre_train"}} +{"text": "31a8633c2cd67ae965524d0b2192e9f14d04d016 FinFisher exposed : A researcher ’ s tale of defeating traps , tricks , and complex virtual machines March 1 , 2018 Office 365 Advanced Threat Protection ( Office 365 ATP ) blocked many notable zero-day exploits in 2017 .", "spans": {"Indicator: 31a8633c2cd67ae965524d0b2192e9f14d04d016": [[0, 40]], "Malware: FinFisher": [[41, 50]], "System: Office 365 Advanced Threat Protection": [[157, 194]], "System: Office 365 ATP": [[197, 211]]}, "info": {"id": "cyner_mitre_train_00732", "source": "cyner_mitre_train"}} +{"text": "In our analysis , one activity group stood out : NEODYMIUM .", "spans": {"Malware: NEODYMIUM": [[49, 58]]}, "info": {"id": "cyner_mitre_train_00733", "source": "cyner_mitre_train"}} +{"text": "This threat actor is remarkable for two reasons : Its access to sophisticated zero-day exploits for Microsoft and Adobe software Its use of an advanced piece of government-grade surveillance spyware FinFisher , also known as FinSpy and detected by Microsoft security products as Wingbird FinFisher is such a complex piece of malware that , like other researchers , we had to devise special methods to crack it .", 
"spans": {"Organization: Microsoft": [[100, 109], [248, 257]], "Organization: Adobe": [[114, 119]], "Malware: FinFisher": [[199, 208], [288, 297]], "Malware: FinSpy": [[225, 231]], "Malware: Wingbird": [[279, 287]]}, "info": {"id": "cyner_mitre_train_00734", "source": "cyner_mitre_train"}} +{"text": "We needed to do this to understand the techniques FinFisher uses to compromise and persist on a machine , and to validate the effectiveness of Office 365 ATP detonation sandbox , Windows Defender Advanced Threat Protection ( Windows Defender ATP ) generic detections , and other Microsoft security solutions .", "spans": {"Malware: FinFisher": [[50, 59]], "System: Office 365 ATP": [[143, 157]], "System: Windows Defender Advanced Threat Protection": [[179, 222]], "System: Windows Defender ATP": [[225, 245]], "Organization: Microsoft": [[279, 288]]}, "info": {"id": "cyner_mitre_train_00735", "source": "cyner_mitre_train"}} +{"text": "This task proved to be nontrivial .", "spans": {}, "info": {"id": "cyner_mitre_train_00736", "source": "cyner_mitre_train"}} +{"text": "FinFisher is not afraid of using all kinds of tricks , ranging from junk instructions and “ spaghetti code ” to multiple layers of virtual machines and several known and lesser-known anti-debug and defensive measures .", "spans": {"Malware: FinFisher": [[0, 9]]}, "info": {"id": "cyner_mitre_train_00737", "source": "cyner_mitre_train"}} +{"text": "Security analysts are typically equipped with the tools to defeat a good number of similar tricks during malware investigations .", "spans": {}, "info": {"id": "cyner_mitre_train_00738", "source": "cyner_mitre_train"}} +{"text": "However , FinFisher is in a different category of malware for the level of its anti-analysis protection .", "spans": {"Malware: FinFisher": [[10, 19]]}, "info": {"id": "cyner_mitre_train_00739", "source": "cyner_mitre_train"}} +{"text": "It ’ s a complicated puzzle that can be solved by skilled reverse engineers only with good amount of time 
, code , automation , and creativity .", "spans": {}, "info": {"id": "cyner_mitre_train_00740", "source": "cyner_mitre_train"}} +{"text": "The intricate anti-analysis methods reveal how much effort the FinFisher authors exerted to keep the malware hidden and difficult to analyze .", "spans": {"Malware: FinFisher": [[63, 72]]}, "info": {"id": "cyner_mitre_train_00741", "source": "cyner_mitre_train"}} +{"text": "This exercise revealed tons of information about techniques used by FinFisher that we used to make Office 365 ATP more resistant to sandbox detection and Windows Defender ATP to catch similar techniques and generic behaviors .", "spans": {"Malware: FinFisher": [[68, 77]], "System: Office 365 ATP": [[99, 113]], "System: Windows Defender ATP": [[154, 174]]}, "info": {"id": "cyner_mitre_train_00742", "source": "cyner_mitre_train"}} +{"text": "Using intelligence from our in-depth investigation , Windows Defender ATP can raise alerts for malicious behavior employed by FinFisher ( such as memory injection in persistence ) in different stages of the attack kill chain .", "spans": {"System: Windows Defender ATP": [[53, 73]], "Malware: FinFisher": [[126, 135]]}, "info": {"id": "cyner_mitre_train_00743", "source": "cyner_mitre_train"}} +{"text": "Machine learning in Windows Defender ATP further flags suspicious behaviors observed related to the manipulation of legitimate Windows binaries .", "spans": {"System: Windows Defender ATP": [[20, 40]], "System: Windows": [[127, 134]]}, "info": {"id": "cyner_mitre_train_00744", "source": "cyner_mitre_train"}} +{"text": "Figure 1 .", "spans": {}, "info": {"id": "cyner_mitre_train_00745", "source": "cyner_mitre_train"}} +{"text": "Generic Windows Defender ATP detections trigger alerts on FinFisher behavior While our analysis has allowed us to immediately protect our customers , we ’ d like to share our insights and add to the growing number of published analyses by other talented researchers ( listed below this blog post ) .", 
"spans": {"System: Windows Defender ATP": [[8, 28]], "Malware: FinFisher": [[58, 67]]}, "info": {"id": "cyner_mitre_train_00746", "source": "cyner_mitre_train"}} +{"text": "We hope that this blog post helps other researchers to understand and analyze FinFisher samples and that this industry-wide information-sharing translate to the protection of as many customers as possible .", "spans": {"Malware: FinFisher": [[78, 87]]}, "info": {"id": "cyner_mitre_train_00747", "source": "cyner_mitre_train"}} +{"text": "Spaghetti and junk codes make common analyst tools ineffective In analyzing FinFisher , the first obfuscation problem that requires a solution is the removal of junk instructions and “ spaghetti code ” , which is a technique that aims to confuse disassembly programs .", "spans": {"Malware: FinFisher": [[76, 85]]}, "info": {"id": "cyner_mitre_train_00748", "source": "cyner_mitre_train"}} +{"text": "Spaghetti code makes the program flow hard to read by adding continuous code jumps , hence the name .", "spans": {}, "info": {"id": "cyner_mitre_train_00749", "source": "cyner_mitre_train"}} +{"text": "An example of FinFisher ’ s spaghetti code is shown below .", "spans": {"Malware: FinFisher": [[14, 23]]}, "info": {"id": "cyner_mitre_train_00750", "source": "cyner_mitre_train"}} +{"text": "Figure 2 .", "spans": {}, "info": {"id": "cyner_mitre_train_00751", "source": "cyner_mitre_train"}} +{"text": "The spaghetti code in FinFisher dropper This problem is not novel , and in common situations there are known reversing plugins that may help for this task .", "spans": {"Malware: FinFisher": [[22, 31]]}, "info": {"id": "cyner_mitre_train_00752", "source": "cyner_mitre_train"}} +{"text": "In the case of FinFisher , however , we could not find a good existing interactive disassembler ( IDA ) plugin that can normalize the code flow .", "spans": {"Malware: FinFisher": [[15, 24]]}, "info": {"id": "cyner_mitre_train_00753", "source": "cyner_mitre_train"}} +{"text": "So we decided 
to write our own plugin code using IDA Python .", "spans": {"System: Python": [[53, 59]]}, "info": {"id": "cyner_mitre_train_00754", "source": "cyner_mitre_train"}} +{"text": "Armed with this code , we removed this first layer of anti-analysis protection .", "spans": {}, "info": {"id": "cyner_mitre_train_00755", "source": "cyner_mitre_train"}} +{"text": "Removing the junk instructions revealed a readable block of code .", "spans": {}, "info": {"id": "cyner_mitre_train_00756", "source": "cyner_mitre_train"}} +{"text": "This code starts by allocating two chunks of memory : a global 1 MB buffer and one 64 KB buffer per thread .", "spans": {}, "info": {"id": "cyner_mitre_train_00757", "source": "cyner_mitre_train"}} +{"text": "The big first buffer is used as index for multiple concurrent threads .", "spans": {}, "info": {"id": "cyner_mitre_train_00758", "source": "cyner_mitre_train"}} +{"text": "A big chunk of data is extracted from the portable executable ( PE ) file itself and decrypted two times using a custom XOR algorithm .", "spans": {}, "info": {"id": "cyner_mitre_train_00759", "source": "cyner_mitre_train"}} +{"text": "We determined that this chunk of data contains an array of opcode instructions ready to be interpreted by a custom virtual machine program ( from this point on referenced generically as “ VM ” ) implemented by FinFisher authors .", "spans": {"Malware: FinFisher": [[210, 219]]}, "info": {"id": "cyner_mitre_train_00760", "source": "cyner_mitre_train"}} +{"text": "Figure 3 .", "spans": {}, "info": {"id": "cyner_mitre_train_00761", "source": "cyner_mitre_train"}} +{"text": "The stages of the FinFisher multi-layered protection mechanisms Stage 0 : Dropper with custom virtual machine The main dropper implements the VM dispatcher loop and can use 32 different opcodes handlers .", "spans": {"Malware: FinFisher": [[18, 27]]}, "info": {"id": "cyner_mitre_train_00762", "source": "cyner_mitre_train"}} +{"text": "Th 64KB buffer is used as a VM descriptor data 
structure to store data and the just-in-time ( JIT ) generated code to run .", "spans": {}, "info": {"id": "cyner_mitre_train_00763", "source": "cyner_mitre_train"}} +{"text": "The VM dispatcher loop routine ends with a JMP to another routine .", "spans": {}, "info": {"id": "cyner_mitre_train_00764", "source": "cyner_mitre_train"}} +{"text": "In total , there are 32 different routines , each of them implementing a different opcode and some basic functionality that the malware program may execute .", "spans": {}, "info": {"id": "cyner_mitre_train_00765", "source": "cyner_mitre_train"}} +{"text": "Figure 4 .", "spans": {}, "info": {"id": "cyner_mitre_train_00766", "source": "cyner_mitre_train"}} +{"text": "A snapshot of the code that processes each VM opcode and the associate interpreter The presence of a VM and virtualized instruction blocks can be described in simpler terms : Essentially , the creators of FinFisher interposed a layer of dynamic code translation ( the virtual machine ) that makes analysis using regular tools practically impossible .", "spans": {"Malware: snapshot": [[2, 10]], "Malware: FinFisher": [[205, 214]]}, "info": {"id": "cyner_mitre_train_00767", "source": "cyner_mitre_train"}} +{"text": "Static analysis tools like IDA may not be useful in analyzing custom code that is interpreted and executed through a VM and a new set of instructions .", "spans": {}, "info": {"id": "cyner_mitre_train_00768", "source": "cyner_mitre_train"}} +{"text": "On the other hand , dynamic analysis tools ( like debuggers or sandbox ) face the anti-debug and anti-analysis tricks hidden in the virtualized code itself that detects sandbox environments and alters the behavior of the malware .", "spans": {}, "info": {"id": "cyner_mitre_train_00769", "source": "cyner_mitre_train"}} +{"text": "At this stage , the analysis can only continue by manually investigating the individual code blocks and opcode handlers , which are highly obfuscated ( also using spaghetti code ) .", 
"spans": {}, "info": {"id": "cyner_mitre_train_00770", "source": "cyner_mitre_train"}} +{"text": "Reusing our deobfuscation tool and some other tricks , we have been able to reverse and analyze these opcodes and map them to a finite list that can be used later to automate the analysis process with some scripting .", "spans": {}, "info": {"id": "cyner_mitre_train_00771", "source": "cyner_mitre_train"}} +{"text": "The opcode instructions generated by this custom VM are divided into different categories : Logical opcodes , which implement bit-logic operators ( OR , AND , NOT , XOR ) and mathematical operators Conditional branching opcodes , which implement a code branch based on conditions ( equals to JC , JE , JZ , other similar branching opcodes ) Load/Store opcodes , which write to or read from particular addresses of the virtual address space of the process Specialized opcodes for various purposes ,", "spans": {}, "info": {"id": "cyner_mitre_train_00772", "source": "cyner_mitre_train"}} +{"text": "like execute specialized machine instruction that are not virtualized We are publishing below the ( hopefully ) complete list of opcodes used by FinFisher VM that we found during our analysis and integrated into our de-virtualization script : INDEX MNEMONIC DESCRIPTION 0x0 EXEC Execute machine code 0x1 JG Jump if greater/Jump if not less or equal 0x2 WRITE Write a value into the dereferenced internal VM value ( treated as a pointer ) 0x3 JNO Jump if not overflow 0x4 JLE Jump", "spans": {"Malware: FinFisher": [[145, 154]]}, "info": {"id": "cyner_mitre_train_00773", "source": "cyner_mitre_train"}} +{"text": "if less or equal ( signed ) 0x5 MOV Move the value of a register into the VM descriptor ( same as opcode 0x1F ) 0x6 JO Jump if overflow 0x7 PUSH Push the internal VM value to the stack 0x8 ZERO Reset the internal VM value to 0 ( zero ) 0x9 JP Jump if parity even 0xA WRITE Write into an address 0xB ADD Add the value of a register to the internal VM value 0xC JNS Jump if 
not signed 0xD JL Jump if less ( signed ) 0xE", "spans": {}, "info": {"id": "cyner_mitre_train_00774", "source": "cyner_mitre_train"}} +{"text": "EXEC Execute machine code and branch 0xF JBE Jump if below or equal or Jump if not above 0x10 SHL Shift left the internal value the number of times specified into the opcodes 0x11 JA Jump if above/Jump if not below or equal 0x12 MOV Move the internal VM value into a register 0x13 JZ JMP if zero 0x14 ADD Add an immediate value to the internal Vm descriptor 0x15 JB Jump if below ( unsigned ) 0x16 JS Jump if signed 0x17 EXEC Execute", "spans": {}, "info": {"id": "cyner_mitre_train_00775", "source": "cyner_mitre_train"}} +{"text": "machine code ( same as opcode 0x0 ) 0x18 JGE Jump if greater or equal/Jump if not less 0x19 DEREF Write a register value into a dereferenced pointer 0x1A JMP Special obfuscated “ Jump if below ” opcode 0x1B * Resolve a pointer 0x1C LOAD Load a value into the internal VM descriptor 0x1D JNE Jump if not equal/Jump if not zero 0x1E CALL Call an external function or a function located in the dropper 0x1F MOV", "spans": {}, "info": {"id": "cyner_mitre_train_00776", "source": "cyner_mitre_train"}} +{"text": "Move the value of a register into the VM descriptor 0x20 JNB Jump if not below/Jump if above or equal/Jump if not carry 0x21 JNP Jump if not parity/Jump if parity odd Each virtual instruction is stored in a special data structure that contains all the information needed to be properly read and executed by the VM .", "spans": {}, "info": {"id": "cyner_mitre_train_00777", "source": "cyner_mitre_train"}} +{"text": "This data structure is 24 bytes and is composed of some fixed fields and a variable portion that depends on the opcode .", "spans": {}, "info": {"id": "cyner_mitre_train_00778", "source": "cyner_mitre_train"}} +{"text": "Before interpreting the opcode , the VM decrypts the opcode ’ s content ( through a simple XOR algorithm ) , which it then relocates ( if needed ) , using the relocation 
fields .", "spans": {}, "info": {"id": "cyner_mitre_train_00779", "source": "cyner_mitre_train"}} +{"text": "Here is an approximate diagram of the opcode data structure : Figure 5 .", "spans": {}, "info": {"id": "cyner_mitre_train_00780", "source": "cyner_mitre_train"}} +{"text": "A graphical representation of the data structure used to store each VM opcode The VM handler is completely able to generate different code blocks and deal with relocated code due to address space layout randomization ( ASLR ) .", "spans": {}, "info": {"id": "cyner_mitre_train_00781", "source": "cyner_mitre_train"}} +{"text": "It is also able to move code execution into different locations if needed .", "spans": {}, "info": {"id": "cyner_mitre_train_00782", "source": "cyner_mitre_train"}} +{"text": "For instance , in the case of the “ Execute ” opcode ( 0x17 ) , the 32-bit code to run is stored entirely into the variable section with the value at offset 5 specifying the number of bytes to be copied and executed .", "spans": {}, "info": {"id": "cyner_mitre_train_00783", "source": "cyner_mitre_train"}} +{"text": "Otherwise , in the case of conditional opcodes , the variable part can contain the next JIT packet ID or the next relative virtual address ( RVA ) where code execution should continue .", "spans": {}, "info": {"id": "cyner_mitre_train_00784", "source": "cyner_mitre_train"}} +{"text": "Of course , not all the opcodes are can be easily read and understood due to additional steps that the authors have taken to make analysis extremely complicated .", "spans": {}, "info": {"id": "cyner_mitre_train_00785", "source": "cyner_mitre_train"}} +{"text": "For example , this is how opcode 0x1A is implemented : The opcode should represent a JB ( Jump if below ) function , but it ’ s implemented through set carry ( STC ) instruction followed by a JMP into the dispatcher code that will verify the carry flag condition set by STC .", "spans": {}, "info": {"id": "cyner_mitre_train_00786", "source": 
"cyner_mitre_train"}} +{"text": "Figure 6 .", "spans": {}, "info": {"id": "cyner_mitre_train_00787", "source": "cyner_mitre_train"}} +{"text": "One of the obfuscation tricks included by the malware authors in a VM opcode dispatcher Even armed with the knowledge we have described so far , it still took us many hours to write a full-fledged opcode interpreter that ’ s able to reconstruct the real code executed by FinFisher .", "spans": {"Malware: FinFisher": [[271, 280]]}, "info": {"id": "cyner_mitre_train_00788", "source": "cyner_mitre_train"}} +{"text": "Stage 1 : Loader malware keeps sandbox and debuggers away The first stage of FinFisher running through this complicated virtual machine is a loader malware designed to probe the system and determine whether it ’ s running in a sandbox environment ( typical for cloud-based detonation solution like Office 365 ATP ) .", "spans": {"Malware: FinFisher": [[77, 86]], "System: Office 365 ATP": [[298, 312]]}, "info": {"id": "cyner_mitre_train_00789", "source": "cyner_mitre_train"}} +{"text": "The loader first dynamically rebuilds a simple import address table ( IAT ) , resolving all the API needed from Kernel32 and NtDll libraries .", "spans": {}, "info": {"id": "cyner_mitre_train_00790", "source": "cyner_mitre_train"}} +{"text": "It then continues executing in a spawned new thread that checks if there are additional undesired modules inside its own virtual address space ( for example , modules injected by certain security solutions ) .", "spans": {}, "info": {"id": "cyner_mitre_train_00791", "source": "cyner_mitre_train"}} +{"text": "It eventually kills all threads that belong to these undesired modules ( using ZwQueryInformationThread native API with ThreadQuerySetWin32StartAddress information class ) .", "spans": {}, "info": {"id": "cyner_mitre_train_00792", "source": "cyner_mitre_train"}} +{"text": "The first anti-sandbox technique is the loader checking the code segment .", "spans": {}, "info": {"id": 
"cyner_mitre_train_00793", "source": "cyner_mitre_train"}} +{"text": "If it ’ s not 0x1B ( for 32-bit systems ) or 0x23 ( for 32-bit system under Wow64 ) , the loader exits .", "spans": {}, "info": {"id": "cyner_mitre_train_00794", "source": "cyner_mitre_train"}} +{"text": "Next , the dropper checks its own parent process for indications that it is running in a sandbox setup .", "spans": {}, "info": {"id": "cyner_mitre_train_00795", "source": "cyner_mitre_train"}} +{"text": "It calculates the MD5 hash of the lower-case process image name and terminates if one of the following conditions are met : The MD5 hash of the parent process image name is either D0C4DBFA1F3962AED583F6FCE666F8BC or 3CE30F5FED4C67053379518EACFCF879 The parent process ’ s full image path is equal to its own process path If these initial checks are passed , the loader builds a complete IAT by reading four imported libraries from disk ( ntdll.dll", "spans": {"Indicator: D0C4DBFA1F3962AED583F6FCE666F8BC": [[180, 212]], "Indicator: 3CE30F5FED4C67053379518EACFCF879": [[216, 248]], "Indicator: ntdll.dll": [[438, 447]]}, "info": {"id": "cyner_mitre_train_00796", "source": "cyner_mitre_train"}} +{"text": ", kernel32.dll , advapi32.dll , and version.dll ) and remapping them in memory .", "spans": {"Indicator: kernel32.dll": [[2, 14]], "Indicator: advapi32.dll": [[17, 29]], "Indicator: version.dll": [[36, 47]]}, "info": {"id": "cyner_mitre_train_00797", "source": "cyner_mitre_train"}} +{"text": "This technique makes use of debuggers and software breakpoints useless .", "spans": {}, "info": {"id": "cyner_mitre_train_00798", "source": "cyner_mitre_train"}} +{"text": "During this stage , the loader may also call a certain API using native system calls , which is another way to bypass breakpoints on API and security solutions using hooks .", "spans": {}, "info": {"id": "cyner_mitre_train_00799", "source": "cyner_mitre_train"}} +{"text": "Figure 7 .", "spans": {}, "info": {"id": "cyner_mitre_train_00800", 
"source": "cyner_mitre_train"}} +{"text": "FinFisher loader calling native Windows API to perform anti-debugging tricks At this point , the fun in analysis is not over .", "spans": {"Malware: FinFisher": [[0, 9]], "System: Windows": [[32, 39]]}, "info": {"id": "cyner_mitre_train_00801", "source": "cyner_mitre_train"}} +{"text": "A lot of additional anti-sandbox checks are performed in this exact order : Check that the malware is not executed under the root folder of a drive Check that the malware file is readable from an external source Check that the hash of base path is not 3D6D62AF1A7C8053DBC8E110A530C679 Check that the full malware path contains only human readable characters ( “ a-z ” , “ A-Z ” , and “ 0-9 ” ) Check that no node in the full path contains the MD5 string of the malware", "spans": {"Indicator: 3D6D62AF1A7C8053DBC8E110A530C679": [[252, 284]]}, "info": {"id": "cyner_mitre_train_00802", "source": "cyner_mitre_train"}} +{"text": "file Fingerprint the system and check the following registry values : HKLM\\SOFTWARE\\Microsoft\\Cryptography\\MachineGuid should not be “ 6ba1d002-21ed-4dbe-afb5-08cf8b81ca32 ” HKLM\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\DigitalProductId should not be “ 55274-649-6478953-23109 ” , “ A22-00001 ” , or “ 47220 ” HARDWARE\\Description\\System\\SystemBiosDate should not contain “ 01/02/03 ”", "spans": {"Indicator: HKLM\\SOFTWARE\\Microsoft\\Cryptography\\MachineGuid": [[70, 118]], "Indicator: 6ba1d002-21ed-4dbe-afb5-08cf8b81ca32": [[135, 171]], "Indicator: HKLM\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\DigitalProductId": [[174, 240]], "Indicator: 55274-649-6478953-23109": [[257, 280]], "Indicator: A22-00001": [[287, 296]], "Indicator: 47220": [[306, 311]], "Indicator: HARDWARE\\Description\\System\\SystemBiosDate": [[314, 356]]}, "info": {"id": "cyner_mitre_train_00803", "source": "cyner_mitre_train"}} +{"text": "Check that the mutex WininetStartupMutex0 does not already exist Check that no DLL whose base name 
has hash value of 0xC9CEF3E4 is mapped into the malware address space The hashes in these checks are most likely correspond to sandbox or security products that the FinFisher authors want to avoid .", "spans": {"Indicator: 0xC9CEF3E4": [[117, 127]], "Malware: FinFisher": [[264, 273]]}, "info": {"id": "cyner_mitre_train_00804", "source": "cyner_mitre_train"}} +{"text": "Next , the loader checks that it ’ s not running in a virtualized environment ( VMWare or Hyper-V ) or under a debugger .", "spans": {"System: VMWare": [[80, 86]], "System: Hyper-V": [[90, 97]]}, "info": {"id": "cyner_mitre_train_00805", "source": "cyner_mitre_train"}} +{"text": "For the hardware virtualization check , the loader obtains the hardware device list and checks if the MD5 of the vendor ID is equal to a predefined list .", "spans": {}, "info": {"id": "cyner_mitre_train_00806", "source": "cyner_mitre_train"}} +{"text": "In our tests , the malware sample was able to easily detect both VMWare and Hyper-V environments through the detection of the virtualized peripherals ( for example , Vmware has VEN_15AD as vendor ID , HyperV has VMBus as bus name ) .", "spans": {"System: VMWare": [[65, 71]], "System: Hyper-V": [[76, 83]], "Organization: Vmware": [[166, 172]]}, "info": {"id": "cyner_mitre_train_00807", "source": "cyner_mitre_train"}} +{"text": "Office 365 ATP sandbox employs special mechanisms to avoid being detected by similar checks .", "spans": {"System: Office 365 ATP": [[0, 14]]}, "info": {"id": "cyner_mitre_train_00808", "source": "cyner_mitre_train"}} +{"text": "The loader ’ s anti-debugger code is based on the following three methods : The first call aims to destroy the debugger connection : NOTE : This call completely stops the execution of WinDbg and other debuggers The second call tries to detect the presence of a debugger : The final call tries to destroy the possibility of adding software breakpoint : Finally , if the loader is happy with all the checks done so far , based on the 
victim operating system ( 32 or 64-bit ) it proceeds to decrypt a set of fake bitmap resources ( stage 2", "spans": {}, "info": {"id": "cyner_mitre_train_00809", "source": "cyner_mitre_train"}} +{"text": ") embedded in the executable and prepares the execution of a new layer of VM decoding .", "spans": {}, "info": {"id": "cyner_mitre_train_00810", "source": "cyner_mitre_train"}} +{"text": "Each bitmap resource is extracted , stripped of the first 0x428 bytes ( BMP headers and garbage data ) , and combined into one file .", "spans": {}, "info": {"id": "cyner_mitre_train_00811", "source": "cyner_mitre_train"}} +{"text": "The block is decrypted using a customized algorithm that uses a key derived from the original malware dropper ’ s TimeDateStamp field multiplied by 5 .", "spans": {}, "info": {"id": "cyner_mitre_train_00812", "source": "cyner_mitre_train"}} +{"text": "Figure 8 .", "spans": {}, "info": {"id": "cyner_mitre_train_00813", "source": "cyner_mitre_train"}} +{"text": "The fake bitmap image embedded as resource The 32-bit stage 2 malware uses a customized loading mechanism ( i.e. 
, the PE file has a scrambled IAT and relocation table ) and exports only one function .", "spans": {}, "info": {"id": "cyner_mitre_train_00814", "source": "cyner_mitre_train"}} +{"text": "For the 64-bit stage 2 malware , the code execution is transferred from the loader using a well-known technique called Heaven ’ s Gate .", "spans": {}, "info": {"id": "cyner_mitre_train_00815", "source": "cyner_mitre_train"}} +{"text": "In the next sections , for simplicity , we will continue the analysis only on the 64-bit payload .", "spans": {}, "info": {"id": "cyner_mitre_train_00816", "source": "cyner_mitre_train"}} +{"text": "Figure 9 .", "spans": {}, "info": {"id": "cyner_mitre_train_00817", "source": "cyner_mitre_train"}} +{"text": "Heaven ’ s gate is still in use in 2017 Stage 2 : A second multi-platform virtual machine The 64-bit stage 2 malware implements another loader combined with another virtual machine .", "spans": {}, "info": {"id": "cyner_mitre_train_00818", "source": "cyner_mitre_train"}} +{"text": "The architecture is quite similar to the one described previously , but the opcodes are slightly different .", "spans": {}, "info": {"id": "cyner_mitre_train_00819", "source": "cyner_mitre_train"}} +{"text": "After reversing these opcodes , we were able to update our interpreter script to support both 32-bit and 64-bit virtual machines used by FinFisher .", "spans": {"Malware: FinFisher": [[137, 146]]}, "info": {"id": "cyner_mitre_train_00820", "source": "cyner_mitre_train"}} +{"text": "INDEX MNEMONIC DESCRIPTION 0x0 JMP Special obfuscated conditional Jump ( always taken or always ignored ) 0x1 JMP Jump to a function ( same as opcode 0x10 ) 0x2 CALL Call to the function pointed by the internal VM value 0x3 CALL Optimized CALL function ( like the 0x1E opcode of the 32-bit VM ) 0x4 EXEC Execute code and move to the next packet 0x5 JMP Jump to an internal function 0x6 NOP No operation , move to the", "spans": {}, "info": {"id": "cyner_mitre_train_00821", "source": 
"cyner_mitre_train"}} +{"text": "next packet 0x7 CALL Call an imported API ( whose address is stored in the internal VM value ) 0x8 LOAD Load a value into the VM descriptor structure * 0x9 STORE Store the internal VM value inside a register 0xA WRITE Resolve a pointer and store the value of a register in its content 0xB READ Move the value pointed by the VM internal value into a register 0xC LOAD Load a value into the VM descriptor structure ( not optimized ) 0xD CMP Compare the value pointed by the internal VM descriptor", "spans": {}, "info": {"id": "cyner_mitre_train_00822", "source": "cyner_mitre_train"}} +{"text": "with a register 0xE CMP Compare the value pointed by the internal VM descriptor with an immediate value 0xF XCHG Exchange the value pointed by the internal VM descriptor with a register 0x10 SHL Jump to a function ( same as opcode 0x1 ) This additional virtual machine performs the same duties as the one already described but in a 64-bit environment .", "spans": {}, "info": {"id": "cyner_mitre_train_00823", "source": "cyner_mitre_train"}} +{"text": "It extracts and decrypts the stage 3 malware , which is stored in encrypted resources such as fake dialog boxes .", "spans": {}, "info": {"id": "cyner_mitre_train_00824", "source": "cyner_mitre_train"}} +{"text": "The extraction method is the same , but the encryption algorithm ( also XOR ) is much simpler .", "spans": {}, "info": {"id": "cyner_mitre_train_00825", "source": "cyner_mitre_train"}} +{"text": "The new payload is decrypted , remapped , and executed in memory , and represents the installation and persistence stage of the malware .", "spans": {}, "info": {"id": "cyner_mitre_train_00826", "source": "cyner_mitre_train"}} +{"text": "Stage 3 : Installer that takes DLL side-loading to a new level Stage 3 represents the setup program for FinFisher .", "spans": {"Malware: FinFisher": [[104, 113]]}, "info": {"id": "cyner_mitre_train_00827", "source": "cyner_mitre_train"}} +{"text": "It is the first 
plain stage that does not employ a VM or obfuscation .", "spans": {}, "info": {"id": "cyner_mitre_train_00828", "source": "cyner_mitre_train"}} +{"text": "The code supports two different installation methods : setup in a UAC-enforced environment ( with limited privileges ) , or an installation with full-administrative privileges enabled ( in cases where the malware gains the ability to run with elevated permissions ) .", "spans": {"System: UAC-enforced environment": [[66, 90]]}, "info": {"id": "cyner_mitre_train_00829", "source": "cyner_mitre_train"}} +{"text": "We were a bit disappointed that we did not see traces of a true privilege escalation exploit after all this deobfuscation work , but it seems these FinFisher samples were designed to work just using UAC bypasses .", "spans": {"Vulnerability: privilege escalation exploit": [[64, 92]], "Malware: FinFisher": [[148, 157]]}, "info": {"id": "cyner_mitre_train_00830", "source": "cyner_mitre_train"}} +{"text": "The setup code receives an installation command from the previous stage .", "spans": {}, "info": {"id": "cyner_mitre_train_00831", "source": "cyner_mitre_train"}} +{"text": "In our test , this command was the value 3 .", "spans": {}, "info": {"id": "cyner_mitre_train_00832", "source": "cyner_mitre_train"}} +{"text": "The malware creates a global event named 0x0A7F1FFAB12BB2 and drops some files under a folder located in C : \\ProgramData or in the user application data folder .", "spans": {"Indicator: 0x0A7F1FFAB12BB2": [[41, 57]], "Indicator: C : \\ProgramData": [[105, 121]]}, "info": {"id": "cyner_mitre_train_00833", "source": "cyner_mitre_train"}} +{"text": "The name of the folder and the malware configuration are read from a customized configuration file stored in the resource section of the setup program .", "spans": {}, "info": {"id": "cyner_mitre_train_00834", "source": "cyner_mitre_train"}} +{"text": "Here the list of the files potentially dropped during the installation stage : FILE NAME STAGE 
DESCRIPTION d3d9.dll Stage 4 Malware loader used for UAC environments with limited privileges ; also protected by VM obfuscation aepic.dll , sspisrv.dll , userenv.dll Stage 4 Malware loader used in presence of administrative privileges ; executed from ( and injected into ) a fake service ; also protected by VM obfuscation msvcr90.dll Stage 5 Malware payload injected into", "spans": {"Indicator: d3d9.dll": [[107, 115]], "Indicator: aepic.dll": [[224, 233]], "Indicator: sspisrv.dll": [[236, 247]], "Indicator: userenv.dll": [[250, 261]], "Indicator: msvcr90.dll": [[419, 430]]}, "info": {"id": "cyner_mitre_train_00835", "source": "cyner_mitre_train"}} +{"text": "the explorer.exe or winlogon.exe process ; also protected by VM obfuscation .cab Config Main configuration file ; encrypted setup.cab Unknown Last section of the setup executable ; content still unknown .7z Plugin Malware plugin used to spy the victim network communications wsecedit.rar Stage 6 Main malware executable After writing some of these files , the malware decides which kind of installation to perform based on the current privilege provided by the hosting process ( for example , if a Microsoft Office process was used as exploit vector ) : Installation process under", "spans": {"Indicator: explorer.exe": [[4, 16]], "Indicator: winlogon.exe": [[20, 32]], "Indicator: setup.cab": [[124, 133]], "Indicator: wsecedit.rar": [[275, 287]], "System: Microsoft Office": [[498, 514]]}, "info": {"id": "cyner_mitre_train_00836", "source": "cyner_mitre_train"}} +{"text": "UAC When running under a limited UAC account , the installer extracts d3d9.dll and creates a persistence key under HKCU\\Software\\Microsoft\\Windows\\Run .", "spans": {"Indicator: d3d9.dll": [[70, 78]], "Indicator: HKCU\\Software\\Microsoft\\Windows\\Run": [[115, 150]]}, "info": {"id": "cyner_mitre_train_00837", "source": "cyner_mitre_train"}} +{"text": "The malware sets a registry value ( whose name is read from the configuration file ) to “ C : 
\\Windows\\system32\\rundll32.exe c : \\ProgramData\\AuditApp\\d3d9.dll , Control_Run ” .", "spans": {"Indicator: C : \\Windows\\system32\\rundll32.exe": [[90, 124]], "Indicator: c : \\ProgramData\\AuditApp\\d3d9.dll ,": [[125, 161]], "Indicator: Control_Run": [[162, 173]]}, "info": {"id": "cyner_mitre_train_00838", "source": "cyner_mitre_train"}} +{"text": "Before doing this , the malware makes a screenshot of the screen and displays it on top of all other windows for few seconds .", "spans": {"System: windows": [[101, 108]]}, "info": {"id": "cyner_mitre_train_00839", "source": "cyner_mitre_train"}} +{"text": "This indicates that the authors are trying to hide some messages showed by the system during the setup process .", "spans": {}, "info": {"id": "cyner_mitre_train_00840", "source": "cyner_mitre_train"}} +{"text": "When loaded with startup command 2 , the installer can copy the original explorer.exe file inside its current running directory and rename d3d9.dll to uxtheme.dll .", "spans": {"Indicator: explorer.exe file": [[73, 90]], "Indicator: d3d9.dll": [[139, 147]], "Indicator: uxtheme.dll": [[151, 162]]}, "info": {"id": "cyner_mitre_train_00841", "source": "cyner_mitre_train"}} +{"text": "In this case the persistence is achieved by loading the original explorer.exe from its startup location and , using DLL side-loading , passing the execution control to the stage 4 malware ( discussed in next section ) .", "spans": {"Indicator: explorer.exe": [[65, 77]]}, "info": {"id": "cyner_mitre_train_00842", "source": "cyner_mitre_train"}} +{"text": "Finally , the malware spawns a thread that has the goal to load , remap , and relocate the stage 5 malware .", "spans": {}, "info": {"id": "cyner_mitre_train_00843", "source": "cyner_mitre_train"}} +{"text": "In this context , there is indeed no need to execute the stage 4 malware .", "spans": {}, "info": {"id": "cyner_mitre_train_00844", "source": "cyner_mitre_train"}} +{"text": "The msvcr90.dll file is opened , read , 
and decrypted , and the code execution control is transferred to the RunDll exported routine .", "spans": {"Indicator: msvcr90.dll file": [[4, 20]]}, "info": {"id": "cyner_mitre_train_00845", "source": "cyner_mitre_train"}} +{"text": "In the case of 32-bit systems , the malware may attempt a known UAC bypass by launching printui.exe system process and using token manipulation with NtFilterToken as described in this blog post .", "spans": {"Indicator: printui.exe": [[88, 99]]}, "info": {"id": "cyner_mitre_train_00846", "source": "cyner_mitre_train"}} +{"text": "Installation process with administrative privilege This installation method is more interesting because it reveals how the malware tries to achieve stealthier persistence on the machine .", "spans": {}, "info": {"id": "cyner_mitre_train_00847", "source": "cyner_mitre_train"}} +{"text": "The method is a well-known trick used by penetration testers that was automated and generalized by FinFisher The procedure starts by enumerating the KnownDlls object directory and then scanning for section objects of the cached system DLLs .", "spans": {"Malware: FinFisher": [[99, 108]]}, "info": {"id": "cyner_mitre_train_00848", "source": "cyner_mitre_train"}} +{"text": "Next , the malware enumerates all .exe programs in the % System % folder and looks for an original signed Windows binary that imports from at least one KnownDll and from a library that is not in the KnownDll directory .", "spans": {"System: Windows": [[106, 113]]}, "info": {"id": "cyner_mitre_train_00849", "source": "cyner_mitre_train"}} +{"text": "When a suitable .exe file candidate is found , it is copied into the malware installation folder ( for example , C : \\ProgramData ) .", "spans": {"Indicator: C : \\ProgramData": [[113, 129]]}, "info": {"id": "cyner_mitre_train_00850", "source": "cyner_mitre_train"}} +{"text": "At this point the malware extracts and decrypts a stub DLL from its own resources ( ID 101 ) .", "spans": {}, "info": {"id": 
"cyner_mitre_train_00851", "source": "cyner_mitre_train"}} +{"text": "It then calls a routine that adds a code section to a target module .", "spans": {}, "info": {"id": "cyner_mitre_train_00852", "source": "cyner_mitre_train"}} +{"text": "This section will contain a fake export table mimicking the same export table of the original system DLL chosen .", "spans": {}, "info": {"id": "cyner_mitre_train_00853", "source": "cyner_mitre_train"}} +{"text": "At the time of writing , the dropper supports aepic.dll , sspisrv.dll , ftllib.dll , and userenv.dll to host the malicious FinFisher payload .", "spans": {"Indicator: aepic.dll": [[46, 55]], "Indicator: sspisrv.dll": [[58, 69]], "Indicator: ftllib.dll": [[72, 82]], "Indicator: userenv.dll": [[89, 100]], "Malware: FinFisher": [[123, 132]]}, "info": {"id": "cyner_mitre_train_00854", "source": "cyner_mitre_train"}} +{"text": "Finally , a new Windows service is created with the service path pointing to the candidate .exe located in this new directory together with the freshly created , benign-looking DLL .", "spans": {"System: Windows": [[16, 23]]}, "info": {"id": "cyner_mitre_train_00855", "source": "cyner_mitre_train"}} +{"text": "In this way , when the service runs during boot , the original Windows executable is executed from a different location and it will automatically load and map the malicious DLL inside its address space , instead of using the genuine system library .", "spans": {"System: Windows": [[63, 70]]}, "info": {"id": "cyner_mitre_train_00856", "source": "cyner_mitre_train"}} +{"text": "This routine is a form of generic and variable generator of DLL side-loading combinations .", "spans": {}, "info": {"id": "cyner_mitre_train_00857", "source": "cyner_mitre_train"}} +{"text": "Figure 10 .", "spans": {}, "info": {"id": "cyner_mitre_train_00858", "source": "cyner_mitre_train"}} +{"text": "Windows Defender ATP timeline can pinpoint the service DLL side-loading trick ( in this example , using fltlib.dll ) .", 
"spans": {"System: Windows Defender ATP": [[0, 20]], "Indicator: fltlib.dll": [[104, 114]]}, "info": {"id": "cyner_mitre_train_00859", "source": "cyner_mitre_train"}} +{"text": "In the past , we have seen other activity groups like LEAD employ a similar attacker technique named “ proxy-library ” to achieve persistence , but not with this professionalism .", "spans": {}, "info": {"id": "cyner_mitre_train_00860", "source": "cyner_mitre_train"}} +{"text": "The said technique brings the advantage of avoiding auto-start extensibility points ( ASEP ) scanners and programs that checks for binaries installed as service ( for the latter , the service chosen by FinFisher will show up as a clean Windows signed binary ) .", "spans": {"Malware: FinFisher": [[202, 211]], "System: Windows": [[236, 243]]}, "info": {"id": "cyner_mitre_train_00861", "source": "cyner_mitre_train"}} +{"text": "The malware cleans the system event logs using OpenEventLog/ClearEventLog APIs , and then terminates the setup procedure with a call to StartService to run the stage 4 malware .", "spans": {}, "info": {"id": "cyner_mitre_train_00862", "source": "cyner_mitre_train"}} +{"text": "Figure 11 .", "spans": {}, "info": {"id": "cyner_mitre_train_00863", "source": "cyner_mitre_train"}} +{"text": "The DLL side-loaded stage 4 malware mimicking a real export table to avoid detection Stage 4 : The memory loader – Fun injection with GDI function hijacking Depending on how stage 4 was launched , two different things may happen : In the low-integrity case ( under UAC ) the installer simply injects the stage 5 malware into the bogus explorer.exe process started earlier and terminates In the high-integrity case ( with administrative privileges or after UAC bypass ) , the code searches for the process hosting the Plug and Play service ( usually svchost.exe", "spans": {"Indicator: explorer.exe": [[335, 347]], "Indicator: svchost.exe": [[549, 560]]}, "info": {"id": "cyner_mitre_train_00864", "source": 
"cyner_mitre_train"}} +{"text": ") loaded in memory and injects itself into it For the second scenario , the injection process works like this : The malware opens the target service process .", "spans": {}, "info": {"id": "cyner_mitre_train_00865", "source": "cyner_mitre_train"}} +{"text": "It allocates and fills four chunks of memory inside the service process .", "spans": {}, "info": {"id": "cyner_mitre_train_00866", "source": "cyner_mitre_train"}} +{"text": "One chunk contains the entire malware DLL code ( without PE headers ) .", "spans": {}, "info": {"id": "cyner_mitre_train_00867", "source": "cyner_mitre_train"}} +{"text": "Another chunk is used to copy a basic Ntdll and Kernel32 import address table .", "spans": {}, "info": {"id": "cyner_mitre_train_00868", "source": "cyner_mitre_train"}} +{"text": "Two chunks are filled with an asynchronous procedure call ( APC ) routine code and a stub .", "spans": {}, "info": {"id": "cyner_mitre_train_00869", "source": "cyner_mitre_train"}} +{"text": "It opens the service thread of the service process and uses the ZwQueueApcThread native API to inject an APC .", "spans": {"Indicator: ZwQueueApcThread": [[64, 80]]}, "info": {"id": "cyner_mitre_train_00870", "source": "cyner_mitre_train"}} +{"text": "The APC routine creates a thread in the context of the svchost.exe process that will map and execute the stage 5 malware into the winlogon.exe process .", "spans": {"Indicator: svchost.exe": [[55, 66]], "Indicator: winlogon.exe": [[130, 142]]}, "info": {"id": "cyner_mitre_train_00871", "source": "cyner_mitre_train"}} +{"text": "The injection method used for winlogon.exe is also interesting and quite unusual .", "spans": {"Indicator: winlogon.exe": [[30, 42]]}, "info": {"id": "cyner_mitre_train_00872", "source": "cyner_mitre_train"}} +{"text": "We believe that this method is engineered to avoid trivial detection of process injection using the well-detected CreateRemoteThread or ZwQueueApcThread API .", "spans": {"Indicator: 
CreateRemoteThread": [[114, 132]], "Indicator: ZwQueueApcThread": [[136, 152]]}, "info": {"id": "cyner_mitre_train_00873", "source": "cyner_mitre_train"}} +{"text": "The malware takes these steps : Check if the system master boot record ( MBR ) contains an infection marker ( 0xD289C989C089 8-bytes value at offset 0x2C ) , and , if so , terminate itself Check again if the process is attached to a debugger ( using the techniques described previously ) Read , decrypt , and map the stage 5 malware ( written in the previous stage in msvcr90.dll ) Open winlogon.exe process Load user32.dll system library and read the KernelCallbackTable", "spans": {"Indicator: 0xD289C989C089": [[110, 124]], "Indicator: msvcr90.dll": [[368, 379]], "Indicator: winlogon.exe": [[387, 399]], "Indicator: user32.dll": [[413, 423]], "Indicator: KernelCallbackTable": [[452, 471]]}, "info": {"id": "cyner_mitre_train_00874", "source": "cyner_mitre_train"}} +{"text": "pointer from its own process environment block ( PEB ) ( Note : The KernelCallbackTable points to an array of graphic functions used by Win32 kernel subsystem module win32k.sys as call-back into user-mode .", "spans": {"Indicator: win32k.sys": [[166, 176]]}, "info": {"id": "cyner_mitre_train_00875", "source": "cyner_mitre_train"}} +{"text": ") Calculate the difference between this pointer and the User32 base address .", "spans": {}, "info": {"id": "cyner_mitre_train_00876", "source": "cyner_mitre_train"}} +{"text": "Copy the stage 5 DLL into winlogon.exe Allocate a chunk of memory in winlogon.exe process and copy the same APC routine seen previously Read and save the original pointer of the __fnDWORD internal User32 routine ( located at offset +0x10 of the KernelCallbackTable ) and replace this pointer with the address of the APC stub routine After this function pointer hijacking , when winlogon.exe makes any graphical call ( GDI ) , the malicious code can execute without using CreateRemoteThread or", "spans": {"Indicator: 
winlogon.exe": [[26, 38], [69, 81], [378, 390]]}, "info": {"id": "cyner_mitre_train_00877", "source": "cyner_mitre_train"}} +{"text": "similar triggers that are easily detectable .", "spans": {}, "info": {"id": "cyner_mitre_train_00878", "source": "cyner_mitre_train"}} +{"text": "After execution it takes care of restoring the original KernelCallbackTable .", "spans": {}, "info": {"id": "cyner_mitre_train_00879", "source": "cyner_mitre_train"}} +{"text": "Stage 5 : The final loader takes control The stage 5 malware is needed only to provide one more layer of obfuscation , through the VM , of the final malware payload and to set up a special Structured Exception Hander routine , which is inserted as Wow64PrepareForException in Ntdll .", "spans": {}, "info": {"id": "cyner_mitre_train_00880", "source": "cyner_mitre_train"}} +{"text": "This special exception handler is needed to manage some memory buffers protection and special exceptions that are used to provide more stealthy execution .", "spans": {}, "info": {"id": "cyner_mitre_train_00881", "source": "cyner_mitre_train"}} +{"text": "After the VM code has checked again the user environment , it proceeds to extract and execute the final un-obfuscated payload sample directly into winlogon.exe ( alternatively , into explorer.exe ) process .", "spans": {"Indicator: winlogon.exe": [[147, 159]], "Indicator: explorer.exe": [[183, 195]]}, "info": {"id": "cyner_mitre_train_00882", "source": "cyner_mitre_train"}} +{"text": "After the payload is extracted , decrypted , and mapped in the process memory , the malware calls the new DLL entry point , and then the RunDll exported function .", "spans": {}, "info": {"id": "cyner_mitre_train_00883", "source": "cyner_mitre_train"}} +{"text": "The latter implements the entire spyware program .", "spans": {}, "info": {"id": "cyner_mitre_train_00884", "source": "cyner_mitre_train"}} +{"text": "Stage 6 : The payload is a modular spyware framework for further analysis Our journey to 
deobfuscating FinFisher has allowed us to uncover the complex anti-analysis techniques used by this malware , as well as to use this intel to protect our customers , which is our top priority .", "spans": {"Malware: FinFisher": [[103, 112]]}, "info": {"id": "cyner_mitre_train_00885", "source": "cyner_mitre_train"}} +{"text": "Analysis of the additional spyware modules is future work .", "spans": {}, "info": {"id": "cyner_mitre_train_00886", "source": "cyner_mitre_train"}} +{"text": "It is evident that the ultimate goal of this program is to steal information .", "spans": {}, "info": {"id": "cyner_mitre_train_00887", "source": "cyner_mitre_train"}} +{"text": "The malware architecture is modular , which means that it can execute plugins .", "spans": {}, "info": {"id": "cyner_mitre_train_00888", "source": "cyner_mitre_train"}} +{"text": "The plugins are stored in its resource section and can be protected by the same VM .", "spans": {}, "info": {"id": "cyner_mitre_train_00889", "source": "cyner_mitre_train"}} +{"text": "The sample we analyzed in October , for example , contains a plugin that is able to spy on internet connections , and can even divert some SSL connections and steal data from encrypted traffic .", "spans": {}, "info": {"id": "cyner_mitre_train_00890", "source": "cyner_mitre_train"}} +{"text": "Some FinFisher variants incorporate an MBR rootkit , the exact purpose of which is not clear .", "spans": {"Malware: FinFisher": [[5, 14]], "Indicator: MBR rootkit": [[39, 50]]}, "info": {"id": "cyner_mitre_train_00891", "source": "cyner_mitre_train"}} +{"text": "Quite possibly , this routine targets older platforms like Windows 7 and machines not taking advantage of hardware protections like UEFI and SecureBoot , available on Windows 10 .", "spans": {"System: Windows 7": [[59, 68]], "System: Windows 10": [[167, 177]]}, "info": {"id": "cyner_mitre_train_00892", "source": "cyner_mitre_train"}} +{"text": "Describing this additional piece of code in detail is outside 
the scope of this analysis and may require a new dedicated blog post .", "spans": {"System: scope": [[66, 71]]}, "info": {"id": "cyner_mitre_train_00893", "source": "cyner_mitre_train"}} +{"text": "Defense against FinFisher Exposing as much of FinFisher ’ s riddles as possible during this painstaking analysis has allowed us to ensure our customers are protected against this advanced piece of malware .", "spans": {"Malware: FinFisher": [[16, 25], [46, 55]]}, "info": {"id": "cyner_mitre_train_00894", "source": "cyner_mitre_train"}} +{"text": "Windows 10 S devices are naturally protected against FinFisher and other threats thanks to the strong code integrity policies that don ’ t allow unknown unsigned binaries to run ( thus stopping FinFisher ’ s PE installer ) or loaded ( blocking FinFisher ’ s DLL persistence ) .", "spans": {"System: Windows 10": [[0, 10]], "Malware: FinFisher": [[53, 62], [194, 203], [244, 253]]}, "info": {"id": "cyner_mitre_train_00895", "source": "cyner_mitre_train"}} +{"text": "On Windows 10 , similar code integrity policies can be configured using Windows Defender Application Control .", "spans": {"System: Windows 10": [[3, 13]], "System: Windows Defender Application Control": [[72, 108]]}, "info": {"id": "cyner_mitre_train_00896", "source": "cyner_mitre_train"}} +{"text": "Office 365 Advanced Threat Protection secures mailboxes from email campaigns that use zero-day exploits to deliver threats like FinFisher .", "spans": {"System: Office 365 Advanced Threat Protection": [[0, 37]], "Vulnerability: zero-day exploits": [[86, 103]], "Malware: FinFisher": [[128, 137]]}, "info": {"id": "cyner_mitre_train_00897", "source": "cyner_mitre_train"}} +{"text": "Office 365 ATP blocks unsafe attachments , malicious links , and linked-to files using time-of-click protection .", "spans": {"System: Office 365 ATP": [[0, 14]]}, "info": {"id": "cyner_mitre_train_00898", "source": "cyner_mitre_train"}} +{"text": "Using intel from this research , we have made 
Office 365 ATP more resistant to FinFisher ’ s anti-sandbox checks .", "spans": {"System: Office 365 ATP": [[46, 60]], "Malware: FinFisher": [[79, 88]]}, "info": {"id": "cyner_mitre_train_00899", "source": "cyner_mitre_train"}} +{"text": "Generic detections , advanced behavioral analytics , and machine learning technologies in Windows Defender Advanced Threat Protection detect FinFisher ’ s malicious behavior throughout the attack kill chain and alert SecOps personnel .", "spans": {"System: Windows Defender Advanced Threat Protection": [[90, 133]], "Malware: FinFisher": [[141, 150]]}, "info": {"id": "cyner_mitre_train_00900", "source": "cyner_mitre_train"}} +{"text": "Windows Defender ATP also integrates with the Windows protection stack so that protections from Windows Defender AV and Windows Defender Exploit Guard are reported in Windows Defender ATP portal , enabling SecOps personnel to centrally manage security , and as well as promptly investigate and respond to hostile activity in the network .", "spans": {"System: Windows Defender ATP": [[0, 20], [167, 187]], "System: Windows": [[46, 53]], "System: Windows Defender AV": [[96, 115]], "System: Windows Defender Exploit Guard": [[120, 150]]}, "info": {"id": "cyner_mitre_train_00901", "source": "cyner_mitre_train"}} +{"text": "We hope that this writeup of our journey through all the multiple layers of protection , obfuscation , and anti-analysis techniques of FinFisher will be useful to other researchers studying this malware .", "spans": {"Malware: FinFisher": [[135, 144]]}, "info": {"id": "cyner_mitre_train_00902", "source": "cyner_mitre_train"}} +{"text": "We believe that an industry-wide collaboration and information-sharing is important in defending customers against this complex piece of malware .", "spans": {}, "info": {"id": "cyner_mitre_train_00903", "source": "cyner_mitre_train"}} +{"text": "TUESDAY , APRIL 9 , 2019 Gustuff banking botnet targets Australia EXECUTIVE SUMMARY Cisco Talos has uncovered a 
new Android-based campaign targeting Australian financial institutions .", "spans": {"Malware: Gustuff": [[25, 32]], "Organization: Cisco Talos": [[84, 95]], "System: Android-based": [[116, 129]]}, "info": {"id": "cyner_mitre_train_00904", "source": "cyner_mitre_train"}} +{"text": "As the investigation progressed , Talos came to understand that this campaign was associated with the \" ChristinaMorrow '' text message spam scam previously spotted in Australia .", "spans": {"Organization: Talos": [[34, 39]]}, "info": {"id": "cyner_mitre_train_00905", "source": "cyner_mitre_train"}} +{"text": "Although this malware 's credential-harvest mechanism is not particularly sophisticated , it does have an advanced self-preservation mechanism .", "spans": {}, "info": {"id": "cyner_mitre_train_00906", "source": "cyner_mitre_train"}} +{"text": "Even though this is not a traditional remote access tool ( RAT ) , this campaign seems to target mainly private users .", "spans": {}, "info": {"id": "cyner_mitre_train_00907", "source": "cyner_mitre_train"}} +{"text": "Aside from the credential stealing , this malware also includes features like the theft of users ' contact list , collecting phone numbers associated names , and files and photos on the device .", "spans": {}, "info": {"id": "cyner_mitre_train_00908", "source": "cyner_mitre_train"}} +{"text": "But that does n't mean companies and organizations are out of the woods .", "spans": {}, "info": {"id": "cyner_mitre_train_00909", "source": "cyner_mitre_train"}} +{"text": "They should still be on the lookout for these kinds of trojans , as the attackers could target corporate accounts that contain large amounts of money .", "spans": {}, "info": {"id": "cyner_mitre_train_00910", "source": "cyner_mitre_train"}} +{"text": "The information collected by the malware and the control over the victim 's mobile device allows their operators to perform more complex social engineering attacks .", "spans": {}, "info": {"id": 
"cyner_mitre_train_00911", "source": "cyner_mitre_train"}} +{"text": "A motivated attacker can use this trojan to harvest usernames and passwords and then reuse them to login into the organization 's system where the victim works .", "spans": {}, "info": {"id": "cyner_mitre_train_00912", "source": "cyner_mitre_train"}} +{"text": "This is a good example where two-factor authentication based on SMS would fail since the attacker can read the SMS .", "spans": {}, "info": {"id": "cyner_mitre_train_00913", "source": "cyner_mitre_train"}} +{"text": "Corporations can protect themselves from these side-channel attacks by deploying client-based two-factor authentication , such as Duo Security .", "spans": {"System: Duo Security": [[130, 142]]}, "info": {"id": "cyner_mitre_train_00914", "source": "cyner_mitre_train"}} +{"text": "One of the most impressive features of this malware is its resilience .", "spans": {}, "info": {"id": "cyner_mitre_train_00915", "source": "cyner_mitre_train"}} +{"text": "If the command and control ( C2 ) server is taken down , the malicious operator can still recover the malware control by sending SMS messages directly to the infected devices .", "spans": {}, "info": {"id": "cyner_mitre_train_00916", "source": "cyner_mitre_train"}} +{"text": "This makes the taking down and recovery of the network much harder and poses a considerable challenge for defenders .", "spans": {}, "info": {"id": "cyner_mitre_train_00917", "source": "cyner_mitre_train"}} +{"text": "THE CAMPAIGN The malware 's primary infection vector is SMS .", "spans": {}, "info": {"id": "cyner_mitre_train_00918", "source": "cyner_mitre_train"}} +{"text": "Just like the old-school mail worms that used the victim 's address book to select the next victims , this banking trojan 's activation cycle includes the exfiltration of the victim 's address book .", "spans": {"System: address book": [[60, 72]]}, "info": {"id": "cyner_mitre_train_00919", "source": "cyner_mitre_train"}} +{"text": "The 
trojan will receive instructions from the C2 to spread .", "spans": {}, "info": {"id": "cyner_mitre_train_00920", "source": "cyner_mitre_train"}} +{"text": "Spread command from C2 The victim receives the command sendSMSMass .", "spans": {}, "info": {"id": "cyner_mitre_train_00921", "source": "cyner_mitre_train"}} +{"text": "Usually , this message targets four or five people at a time .", "spans": {}, "info": {"id": "cyner_mitre_train_00922", "source": "cyner_mitre_train"}} +{"text": "The body contains a message and URL .", "spans": {}, "info": {"id": "cyner_mitre_train_00923", "source": "cyner_mitre_train"}} +{"text": "Again , the concept is that new victims are more likely to install the malware if the SMS comes from someone they know .", "spans": {}, "info": {"id": "cyner_mitre_train_00924", "source": "cyner_mitre_train"}} +{"text": "When a victim tries to access the URL in the SMS body , the C2 will check if the mobile device meets the criteria to receive the malware ( see infrastructure section ) .", "spans": {}, "info": {"id": "cyner_mitre_train_00925", "source": "cyner_mitre_train"}} +{"text": "If the device does not meet the criteria , it wo n't receive any data , otherwise , it will be redirected to a second server to receive a copy of the malware to install on their device .", "spans": {}, "info": {"id": "cyner_mitre_train_00926", "source": "cyner_mitre_train"}} +{"text": "The domain on this campaign was registered on Jan. 
19 , 2019 .", "spans": {}, "info": {"id": "cyner_mitre_train_00927", "source": "cyner_mitre_train"}} +{"text": "However , Talos has identified that was used at least since November 2018 .", "spans": {"Organization: Talos": [[10, 15]]}, "info": {"id": "cyner_mitre_train_00928", "source": "cyner_mitre_train"}} +{"text": "During the investigation , Talos was also able to determine that the same infrastructure has been used to deploy similar campaigns using different versions of the malware .", "spans": {"Organization: Talos": [[27, 32]]}, "info": {"id": "cyner_mitre_train_00929", "source": "cyner_mitre_train"}} +{"text": "Distribution of victims .", "spans": {}, "info": {"id": "cyner_mitre_train_00930", "source": "cyner_mitre_train"}} +{"text": "Talos assess with high confidence that this campaign is targeting Australian financial institutions based on several factors .", "spans": {"Organization: Talos": [[0, 5]]}, "info": {"id": "cyner_mitre_train_00931", "source": "cyner_mitre_train"}} +{"text": "Our Umbrella telemetry shows that the majority of the request comes from Australia and the majority of the phone numbers infected have the international indicative for Australia .", "spans": {}, "info": {"id": "cyner_mitre_train_00932", "source": "cyner_mitre_train"}} +{"text": "Finally , the specific overlays are designed for Australian financial institutions , and Australia is one of the geographic regions that is accepted by the C2 .", "spans": {}, "info": {"id": "cyner_mitre_train_00933", "source": "cyner_mitre_train"}} +{"text": "DNS queries distribution over time The campaign does n't seem to be growing at a fast pace .", "spans": {}, "info": {"id": "cyner_mitre_train_00934", "source": "cyner_mitre_train"}} +{"text": "Our data shows , on average , about three requests per hour to the drop host .", "spans": {}, "info": {"id": "cyner_mitre_train_00935", "source": "cyner_mitre_train"}} +{"text": "This request is only made upon installation , but there is no guarantee 
that it will be installed .", "spans": {}, "info": {"id": "cyner_mitre_train_00936", "source": "cyner_mitre_train"}} +{"text": "This data , when analyzed with the number of commands to send SMSs that Talos received during the investigation , lead us to conclude that the malicious operator is aggressively spreading the malware , but that does n't seem to result in the same number of new infections .", "spans": {}, "info": {"id": "cyner_mitre_train_00937", "source": "cyner_mitre_train"}} +{"text": "Examples of the overlays available to the malware Above , you can see examples of the injections that distributed to the malware as part of this specific campaign .", "spans": {}, "info": {"id": "cyner_mitre_train_00938", "source": "cyner_mitre_train"}} +{"text": "While doing our investigation we were able to identify other malware packages with different names .", "spans": {}, "info": {"id": "cyner_mitre_train_00939", "source": "cyner_mitre_train"}} +{"text": "Some of these might have been used on old campaigns or were already prepared for new campaigns .", "spans": {}, "info": {"id": "cyner_mitre_train_00940", "source": "cyner_mitre_train"}} +{"text": "MALWARE TECHNICAL DETAILS During our investigation , researchers uncovered a malware known as \" Gustuff. 
'' .", "spans": {"Malware: Gustuff.": [[96, 104]]}, "info": {"id": "cyner_mitre_train_00941", "source": "cyner_mitre_train"}} +{"text": "Given the lack of indicators of compromise , we decided to check to see if this was the same malware we had been researching .", "spans": {}, "info": {"id": "cyner_mitre_train_00942", "source": "cyner_mitre_train"}} +{"text": "Our Threat Intelligence and Interdiction team found the Gustuff malware being advertised in the Exploit.in forum as a botnet for rent .", "spans": {"Malware: Gustuff": [[56, 63]], "Indicator: Exploit.in": [[96, 106]]}, "info": {"id": "cyner_mitre_train_00943", "source": "cyner_mitre_train"}} +{"text": "The seller , known as \" bestoffer , '' was , at some point , expelled from the forum .", "spans": {}, "info": {"id": "cyner_mitre_train_00944", "source": "cyner_mitre_train"}} +{"text": "Gustuff advertising screenshot The companies advertised in the image above were from Australia , which matches up with the campaign we researched .", "spans": {"Malware: Gustuff": [[0, 7]]}, "info": {"id": "cyner_mitre_train_00945", "source": "cyner_mitre_train"}} +{"text": "The screenshots provided by the author align with the advertised features and the features that we discovered while doing our analysis .", "spans": {}, "info": {"id": "cyner_mitre_train_00946", "source": "cyner_mitre_train"}} +{"text": "Admin panel The administration panel shows the application configuration , which matches the commands from the C2 .", "spans": {}, "info": {"id": "cyner_mitre_train_00947", "source": "cyner_mitre_train"}} +{"text": "Country selection The administration console screenshots also show the ability to filter the results by country .", "spans": {}, "info": {"id": "cyner_mitre_train_00948", "source": "cyner_mitre_train"}} +{"text": "In this case , \" AU '' is the code shown , which is Australia .", "spans": {}, "info": {"id": "cyner_mitre_train_00949", "source": "cyner_mitre_train"}} +{"text": "Based on this information , Talos 
assesses with high confidence that the malware is the same and this is , in fact , the Gustuff malware .", "spans": {"Organization: Talos": [[28, 33]], "Malware: Gustuff": [[121, 128]]}, "info": {"id": "cyner_mitre_train_00950", "source": "cyner_mitre_train"}} +{"text": "Design In the manifest , the malware requests a large number of permissions .", "spans": {}, "info": {"id": "cyner_mitre_train_00951", "source": "cyner_mitre_train"}} +{"text": "However , it does n't request permissions like BIND_ADMIN .", "spans": {}, "info": {"id": "cyner_mitre_train_00952", "source": "cyner_mitre_train"}} +{"text": "To perform some of its activities , the malware does not need high privileges inside the device , as we will explain ahead .", "spans": {}, "info": {"id": "cyner_mitre_train_00953", "source": "cyner_mitre_train"}} +{"text": "Permissions in the manifest This malware is designed to avoid detection and analysis .", "spans": {}, "info": {"id": "cyner_mitre_train_00954", "source": "cyner_mitre_train"}} +{"text": "It has several protections in place , both in the C2 and the malware 's code .", "spans": {}, "info": {"id": "cyner_mitre_train_00955", "source": "cyner_mitre_train"}} +{"text": "The code is not only obfuscated but also packed .", "spans": {}, "info": {"id": "cyner_mitre_train_00956", "source": "cyner_mitre_train"}} +{"text": "The packer , besides making the static analysis more complex , will break the standard debugger .", "spans": {}, "info": {"id": "cyner_mitre_train_00957", "source": "cyner_mitre_train"}} +{"text": "Manifest activity declaration Class list inside the dex file The main malware classes are packed , to a point where the class defined in the manifest has a handler for the MAIN category that does not exist in the DEX file .", "spans": {}, "info": {"id": "cyner_mitre_train_00958", "source": "cyner_mitre_train"}} +{"text": "Error when trying to debug the malware using the Android Studio IDE .", "spans": {"System: Android Studio IDE": [[49, 67]]}, 
"info": {"id": "cyner_mitre_train_00959", "source": "cyner_mitre_train"}} +{"text": "One of the side effects of this packer is the inability of Android Studio IDE to debug the code .", "spans": {"System: Android Studio IDE": [[59, 77]]}, "info": {"id": "cyner_mitre_train_00960", "source": "cyner_mitre_train"}} +{"text": "This happens because the IDE executes the code from the Android debug bridge ( ADB ) by calling the activity declared in the manifest by name .", "spans": {"System: Android debug bridge": [[56, 76]]}, "info": {"id": "cyner_mitre_train_00961", "source": "cyner_mitre_train"}} +{"text": "Since the class does not exist at startup , the application does not run on the debugger .", "spans": {}, "info": {"id": "cyner_mitre_train_00962", "source": "cyner_mitre_train"}} +{"text": "Although Talos analyzed the unpacked version of the code , the packer analysis is beyond the scope of this post .", "spans": {"Malware: Talos": [[9, 14]]}, "info": {"id": "cyner_mitre_train_00963", "source": "cyner_mitre_train"}} +{"text": "Check code for emulators As part of its defense , the malware payload first checks for emulators to prevent analysis on sandboxes .", "spans": {}, "info": {"id": "cyner_mitre_train_00964", "source": "cyner_mitre_train"}} +{"text": "It checks for different kinds of emulators , including QEMU , Genymotion , BlueStacks and Bignox .", "spans": {"System: QEMU": [[55, 59]], "System: Genymotion": [[62, 72]], "System: BlueStacks": [[75, 85]], "System: Bignox": [[90, 96]]}, "info": {"id": "cyner_mitre_train_00965", "source": "cyner_mitre_train"}} +{"text": "If the malware determines that is not running on an emulator , it then performs additional checks to ensure that it wo n't be detected .", "spans": {}, "info": {"id": "cyner_mitre_train_00966", "source": "cyner_mitre_train"}} +{"text": "Code to check the existence of SafetyNet Google API It also checks if the Android SafetyNet is active and reporting back to the C2 .", "spans": {"System: Google API": 
[[41, 51]], "System: Android": [[74, 81]]}, "info": {"id": "cyner_mitre_train_00967", "source": "cyner_mitre_train"}} +{"text": "This helps the C2 define what actions it can do before being detected on the mobile device .", "spans": {}, "info": {"id": "cyner_mitre_train_00968", "source": "cyner_mitre_train"}} +{"text": "List of anti-virus packages that are checked The payload goes a long way to protect itself and checks for anti-virus software installed on the mobile device .", "spans": {}, "info": {"id": "cyner_mitre_train_00969", "source": "cyner_mitre_train"}} +{"text": "The trojan uses the Android Accessibility API to intercept all interactions between the user and the mobile device .", "spans": {"System: Android Accessibility": [[20, 41]]}, "info": {"id": "cyner_mitre_train_00970", "source": "cyner_mitre_train"}} +{"text": "The Android developer documentation describes the accessibility event class as a class that \" represents accessibility events that are seen by the system when something notable happens in the user interface .", "spans": {"System: Android": [[4, 11]]}, "info": {"id": "cyner_mitre_train_00971", "source": "cyner_mitre_train"}} +{"text": "For example , when a button is clicked , a view is focused , etc .", "spans": {}, "info": {"id": "cyner_mitre_train_00972", "source": "cyner_mitre_train"}} +{"text": "'' For each interaction , the malware will check if the generator is a package that belongs to the anti-virus list , the malware will abuse another feature of the Accessibility API .", "spans": {"System: Accessibility API": [[163, 180]]}, "info": {"id": "cyner_mitre_train_00973", "source": "cyner_mitre_train"}} +{"text": "There is a function called \" performGlobalAction '' with the description below .", "spans": {}, "info": {"id": "cyner_mitre_train_00974", "source": "cyner_mitre_train"}} +{"text": "Android documentation describes that function as \" a global action .", "spans": {"System: Android": [[0, 7]]}, "info": {"id": 
"cyner_mitre_train_00975", "source": "cyner_mitre_train"}} +{"text": "Such an action can be performed at any moment , regardless of the current application or user location in that application .", "spans": {}, "info": {"id": "cyner_mitre_train_00976", "source": "cyner_mitre_train"}} +{"text": "For example , going back , going home , opening recents , etc .", "spans": {}, "info": {"id": "cyner_mitre_train_00977", "source": "cyner_mitre_train"}} +{"text": "'' The trojan calls this function with the action GLOBAL_ACTION_BACK , which equals the pressing of the back button on the device , thus canceling the opening of the anti-virus application .", "spans": {}, "info": {"id": "cyner_mitre_train_00978", "source": "cyner_mitre_train"}} +{"text": "The same event interception is used to place the webview overlay when the user tries to access the targeted applications , allowing it to display its overlay , thus intercepting the credentials .", "spans": {}, "info": {"id": "cyner_mitre_train_00979", "source": "cyner_mitre_train"}} +{"text": "The beaconing only starts after the application is installed and removed from the running tasks .", "spans": {}, "info": {"id": "cyner_mitre_train_00980", "source": "cyner_mitre_train"}} +{"text": "Beaconing information The ID is generated for each installation of the malware , while the token remains unique .", "spans": {}, "info": {"id": "cyner_mitre_train_00981", "source": "cyner_mitre_train"}} +{"text": "Some of the checks performed previously are immediately sent to the C2 , like the safetyNet , admin and defaultSMSApp .", "spans": {}, "info": {"id": "cyner_mitre_train_00982", "source": "cyner_mitre_train"}} +{"text": "The beaconing is sent to the URL http : // /api/v2/get.php with an interval of 60 seconds .", "spans": {"Indicator: http : // /api/v2/get.php": [[33, 58]]}, "info": {"id": "cyner_mitre_train_00983", "source": "cyner_mitre_train"}} +{"text": "Answer from the C2 The C2 will check the country field , if it 's empty or if 
the country is not targeted , it will reply with a \" Unauthorized '' answer .", "spans": {}, "info": {"id": "cyner_mitre_train_00984", "source": "cyner_mitre_train"}} +{"text": "Otherwise , it will return a JSON encoded \" OK , '' and if that is the case , the command to be executed .", "spans": {}, "info": {"id": "cyner_mitre_train_00985", "source": "cyner_mitre_train"}} +{"text": "List of available commands The command names are self-explanatory .", "spans": {}, "info": {"id": "cyner_mitre_train_00986", "source": "cyner_mitre_train"}} +{"text": "The command will be issued as an answer to the beaconing , and the result will be returned to the URL http : // /api/v2/set_state.php Example of the command \" changeServer '' The commands are issued in a JSON format , and the obfuscation is part of the malware code and not added by the packer .", "spans": {"Indicator: http : // /api/v2/set_state.php": [[102, 133]]}, "info": {"id": "cyner_mitre_train_00987", "source": "cyner_mitre_train"}} +{"text": "It is a custom obfuscation partly based on base85 encoding , which is in itself unusual , in malware .", "spans": {"Indicator: base85 encoding": [[43, 58]]}, "info": {"id": "cyner_mitre_train_00988", "source": "cyner_mitre_train"}} +{"text": "Base85 encoding is usually used on pdf and postscript documentsThe configuration of the malware is stored in custom preferences files , using the same obfuscation scheme .", "spans": {"Indicator: Base85 encoding": [[0, 15]]}, "info": {"id": "cyner_mitre_train_00989", "source": "cyner_mitre_train"}} +{"text": "Activation cycle As we have explained above , the malware has several defence mechanisms .", "spans": {}, "info": {"id": "cyner_mitre_train_00990", "source": "cyner_mitre_train"}} +{"text": "Beside the obfuscation and the environment checks , the malware also has some interesting anti-sandbox mechanisms .", "spans": {}, "info": {"id": "cyner_mitre_train_00991", "source": "cyner_mitre_train"}} +{"text": "After installation , the 
user needs to run the application .", "spans": {}, "info": {"id": "cyner_mitre_train_00992", "source": "cyner_mitre_train"}} +{"text": "The user needs to press the \" close '' button to finish the installation .", "spans": {}, "info": {"id": "cyner_mitre_train_00993", "source": "cyner_mitre_train"}} +{"text": "However , this wo n't close the application , it will send it to the background , instead .", "spans": {}, "info": {"id": "cyner_mitre_train_00994", "source": "cyner_mitre_train"}} +{"text": "While the application is in the background , although the service is already running , the beaconing will not start .", "spans": {}, "info": {"id": "cyner_mitre_train_00995", "source": "cyner_mitre_train"}} +{"text": "The beaconing will only start after the application is removed from the background , ultimately stopping it .", "spans": {}, "info": {"id": "cyner_mitre_train_00996", "source": "cyner_mitre_train"}} +{"text": "This will be the trigger for the service to start the beaconing .", "spans": {}, "info": {"id": "cyner_mitre_train_00997", "source": "cyner_mitre_train"}} +{"text": "As mentioned previously , the beaconing is done every 60 seconds .", "spans": {}, "info": {"id": "cyner_mitre_train_00998", "source": "cyner_mitre_train"}} +{"text": "However , no command is received from the C2 until the inactiveTime field ( see beaconing information image above ) has at least the value of 2000000 .", "spans": {}, "info": {"id": "cyner_mitre_train_00999", "source": "cyner_mitre_train"}} +{"text": "This time resets every time the user performs some activity .", "spans": {}, "info": {"id": "cyner_mitre_train_01000", "source": "cyner_mitre_train"}} +{"text": "After the checks , the malware becomes active , but first , it goes through seven steps , each one calling a different command : uploadPhoneNumbers : Exfiltrates all phone numbers that are in the contact list .", "spans": {}, "info": {"id": "cyner_mitre_train_01001", "source": "cyner_mitre_train"}} +{"text": "Aside 
from the natural value of phone numbers associated with the names of their owners .", "spans": {}, "info": {"id": "cyner_mitre_train_01002", "source": "cyner_mitre_train"}} +{"text": "Using the SMS has an initial infection vector is another possibility for the exfiltration .", "spans": {}, "info": {"id": "cyner_mitre_train_01003", "source": "cyner_mitre_train"}} +{"text": "One of the purposes of the exfiltration of the contact list is to use them to attack other victims using SMS as an initial vector .", "spans": {}, "info": {"id": "cyner_mitre_train_01004", "source": "cyner_mitre_train"}} +{"text": "checkApps : Asks the malware to see if the packages sent as parameters are installed .", "spans": {}, "info": {"id": "cyner_mitre_train_01005", "source": "cyner_mitre_train"}} +{"text": "The malware contains a list of 209 packages hardcoded in its source code .", "spans": {}, "info": {"id": "cyner_mitre_train_01006", "source": "cyner_mitre_train"}} +{"text": "However , the C2 can send an updated list .", "spans": {}, "info": {"id": "cyner_mitre_train_01007", "source": "cyner_mitre_train"}} +{"text": "List of packages received from the C2 adminNumber : Setup of the admin phone number .", "spans": {}, "info": {"id": "cyner_mitre_train_01008", "source": "cyner_mitre_train"}} +{"text": "In our case , the administrator phone number belongs to a mobile network in Australia .", "spans": {}, "info": {"id": "cyner_mitre_train_01009", "source": "cyner_mitre_train"}} +{"text": "Phone number for administration changeServer : At this point , the malware changes the C2 to a new host , even though the API and communication protocol continues to be the same .", "spans": {}, "info": {"id": "cyner_mitre_train_01010", "source": "cyner_mitre_train"}} +{"text": "Change server request The URL 's for the new server is obfuscated , preventing easy network identification .", "spans": {}, "info": {"id": "cyner_mitre_train_01011", "source": "cyner_mitre_train"}} +{"text": "changeActivity : This 
command will set up the webview to overlay any of the target activities .", "spans": {}, "info": {"id": "cyner_mitre_train_01012", "source": "cyner_mitre_train"}} +{"text": "changeActivity command The webview injects are not hosted on the C2 , they are hosted on a completely different server .", "spans": {}, "info": {"id": "cyner_mitre_train_01013", "source": "cyner_mitre_train"}} +{"text": "params : This command allows the malicious operator to change configuration parameters in the malware .", "spans": {}, "info": {"id": "cyner_mitre_train_01014", "source": "cyner_mitre_train"}} +{"text": "During this stage of the activation cycle , the malware increases the beaconing time to avoid detection .", "spans": {}, "info": {"id": "cyner_mitre_train_01015", "source": "cyner_mitre_train"}} +{"text": "Command to change the beaconing changeArchive : The final command of the activation cycle is the download of an archive .", "spans": {}, "info": {"id": "cyner_mitre_train_01016", "source": "cyner_mitre_train"}} +{"text": "This archive is stored in the same host has the webviews .", "spans": {}, "info": {"id": "cyner_mitre_train_01017", "source": "cyner_mitre_train"}} +{"text": "The archive is a ZIP containing several files , which is protected with a password .", "spans": {}, "info": {"id": "cyner_mitre_train_01018", "source": "cyner_mitre_train"}} +{"text": "Change archive command After this activation cycle , the malware will start the collection of information activities and dissemination .", "spans": {}, "info": {"id": "cyner_mitre_train_01019", "source": "cyner_mitre_train"}} +{"text": "Malicious activity Once the activation cycle ends , the trojan will start its malicious activities .", "spans": {}, "info": {"id": "cyner_mitre_train_01020", "source": "cyner_mitre_train"}} +{"text": "These activities depend on the device configuration .", "spans": {}, "info": {"id": "cyner_mitre_train_01021", "source": "cyner_mitre_train"}} +{"text": "Depending if the victim has any of 
the targeted applications , the anti-virus installed or geographic location , the malware can harvest credentials from the targeted applications , exfiltrate all personal information or simply use the victim 's device to send SMS to spread the trojan The malware deploys overlaying webviews to trick the user and eventually steal their login credentials .", "spans": {}, "info": {"id": "cyner_mitre_train_01022", "source": "cyner_mitre_train"}} +{"text": "These are adapted to the information the malicious operator wants to retrieve .", "spans": {}, "info": {"id": "cyner_mitre_train_01023", "source": "cyner_mitre_train"}} +{"text": "The first webview overlay is created on step 6 of the activation cycle .", "spans": {}, "info": {"id": "cyner_mitre_train_01024", "source": "cyner_mitre_train"}} +{"text": "Pin request overlay This overlay asks the user to provide their PIN to unlock the mobile device , which is immediately exfiltrated to the C2 .", "spans": {}, "info": {"id": "cyner_mitre_train_01025", "source": "cyner_mitre_train"}} +{"text": "The last step of the activation cycle is the download of a password-protected ZIP file .", "spans": {}, "info": {"id": "cyner_mitre_train_01026", "source": "cyner_mitre_train"}} +{"text": "This file contains all HTML , CSS and PNG files necessary to create overlays .", "spans": {}, "info": {"id": "cyner_mitre_train_01027", "source": "cyner_mitre_train"}} +{"text": "Talos found 189 logos from banks to cryptocurrency exchanges inside the archive , all of which could be targeted .", "spans": {}, "info": {"id": "cyner_mitre_train_01028", "source": "cyner_mitre_train"}} +{"text": "The archive also contained all the necessary codes to target Australian financial institutions .", "spans": {}, "info": {"id": "cyner_mitre_train_01029", "source": "cyner_mitre_train"}} +{"text": "The overlays are activated by the malicious operator using the command changeActivity , as seen on step 5 of the activation cycle .", "spans": {}, "info": {"id": 
"cyner_mitre_train_01030", "source": "cyner_mitre_train"}} +{"text": "In this case , we can see that the HTML code of the overlay is stored in the C2 infrastructure .", "spans": {}, "info": {"id": "cyner_mitre_train_01031", "source": "cyner_mitre_train"}} +{"text": "However , since the archive that is downloaded into the device has all the necessary information and the malicious actor has access to the device via SMS , the malicious operator can keep its activity even without the C2 infrastructure .", "spans": {}, "info": {"id": "cyner_mitre_train_01032", "source": "cyner_mitre_train"}} +{"text": "Infrastructure The infrastructure supporting this malware is rather complex .", "spans": {}, "info": {"id": "cyner_mitre_train_01033", "source": "cyner_mitre_train"}} +{"text": "It is clear that on all stages there are at least two layers .", "spans": {}, "info": {"id": "cyner_mitre_train_01034", "source": "cyner_mitre_train"}} +{"text": "The infrastructure has several layers , although not being very dynamic , still has several layers each one providing some level of protection .", "spans": {}, "info": {"id": "cyner_mitre_train_01035", "source": "cyner_mitre_train"}} +{"text": "All the IP addresses belong to the same company Hetzner , an IP-hosting firm in Germany .", "spans": {"Organization: Hetzner": [[48, 55]]}, "info": {"id": "cyner_mitre_train_01036", "source": "cyner_mitre_train"}} +{"text": "COVERAGE Cisco Cloud Web Security ( CWS ) or Web Security Appliance ( WSA ) web scanning prevents access to malicious websites and detects malware used in these attacks .", "spans": {"Organization: Cisco": [[9, 14]], "System: Cloud Web Security": [[15, 33]], "System: Web Security Appliance": [[45, 67]]}, "info": {"id": "cyner_mitre_train_01037", "source": "cyner_mitre_train"}} +{"text": "Email Security can block malicious emails sent by threat actors as part of their campaign .", "spans": {}, "info": {"id": "cyner_mitre_train_01038", "source": "cyner_mitre_train"}} +{"text": 
"Network Security appliances such as Next-Generation Firewall ( NGFW ) , Next-Generation Intrusion Prevention System ( NGIPS ) , and Meraki MX can detect malicious activity associated with this threat .", "spans": {"System: Next-Generation Firewall": [[36, 60]], "System: Next-Generation Intrusion Prevention System": [[72, 115]], "System: Meraki MX": [[132, 141]]}, "info": {"id": "cyner_mitre_train_01039", "source": "cyner_mitre_train"}} +{"text": "AMP Threat Grid helps identify malicious binaries and build protection into all Cisco Security products .", "spans": {"Organization: Cisco": [[80, 85]]}, "info": {"id": "cyner_mitre_train_01040", "source": "cyner_mitre_train"}} +{"text": "Umbrella , our secure internet gateway ( SIG ) , blocks users from connecting to malicious domains , IPs , and URLs , whether users are on or off the corporate network .", "spans": {}, "info": {"id": "cyner_mitre_train_01041", "source": "cyner_mitre_train"}} +{"text": "Open Source SNORTⓇ Subscriber Rule Set customers can stay up to date by downloading the latest rule pack available for purchase on Snort.org .", "spans": {}, "info": {"id": "cyner_mitre_train_01042", "source": "cyner_mitre_train"}} +{"text": "INDICATORS OF COMPROMISE ( IOCS ) Domains Facebook-photos-au.su Homevideo2-12l.ml videohosting1-5j.gq URLs hxxp : //88.99.227 [ .", "spans": {"Indicator: Homevideo2-12l.ml": [[64, 81]], "Indicator: videohosting1-5j.gq": [[82, 101]], "Indicator: hxxp : //88.99.227 [ .": [[107, 129]]}, "info": {"id": "cyner_mitre_train_01043", "source": "cyner_mitre_train"}} +{"text": "] 26/html2/2018/GrafKey/new-inj-135-3-dark.html hxxp : //88.99.227 [ .", "spans": {"Indicator: hxxp : //88.99.227 [ .": [[48, 70]]}, "info": {"id": "cyner_mitre_train_01044", "source": "cyner_mitre_train"}} +{"text": "] 26/html2/arc92/au483x.zip hxxp : //94.130.106 [ .", "spans": {"Indicator: hxxp : //94.130.106 [ .": [[28, 51]]}, "info": {"id": "cyner_mitre_train_01045", "source": "cyner_mitre_train"}} +{"text": "] 
117:8080/api/v1/report/records.php hxxp : //88.99.227 [ .", "spans": {"Indicator: hxxp : //88.99.227 [ .": [[37, 59]]}, "info": {"id": "cyner_mitre_train_01046", "source": "cyner_mitre_train"}} +{"text": "] 26/html2/new-inj-135-3-white.html hxxp : //facebook-photos-au [ .", "spans": {"Indicator: hxxp : //facebook-photos-au [ .": [[36, 67]]}, "info": {"id": "cyner_mitre_train_01047", "source": "cyner_mitre_train"}} +{"text": "] su/ChristinaMorrow hxxp : //homevideo2-12l [ .", "spans": {"Indicator: hxxp : //homevideo2-12l [ .": [[21, 48]]}, "info": {"id": "cyner_mitre_train_01048", "source": "cyner_mitre_train"}} +{"text": "] ml/mms3/download_3.php IP addresses 78.46.201.36 88.99.170.84 88.99.227.26 94.130.106.117 88.99.174.200 88.99.189.31 Hash 369fcf48c1eb982088c22f86672add10cae967af82613bee6fb8a3669603dc48 b2d4fcf03c7a8bf135fbd3073bea450e2e6661ad8ef2ab2058a3c04f81fc3f3e", "spans": {"Indicator: 78.46.201.36": [[38, 50]], "Indicator: 88.99.170.84": [[51, 63]], "Indicator: 88.99.227.26": [[64, 76]], "Indicator: 94.130.106.117": [[77, 91]], "Indicator: 88.99.174.200": [[92, 105]], "Indicator: 88.99.189.31": [[106, 118]], "Indicator: 369fcf48c1eb982088c22f86672add10cae967af82613bee6fb8a3669603dc48": [[124, 188]], "Indicator: b2d4fcf03c7a8bf135fbd3073bea450e2e6661ad8ef2ab2058a3c04f81fc3f3e": [[189, 253]]}, "info": {"id": "cyner_mitre_train_01049", "source": "cyner_mitre_train"}} +{"text": "8f5d5d8419a4832d175a6028c9e7d445f1e99fdc12170db257df79831c69ae4e a5ebcdaf5fd10ec9de85d62e48cc97a4e08c699a7ebdeab0351b86ab1370557d 84578b9b2c3cc1c7bbfcf4038a6c76ae91dfc82eef5e4c6815627eaf6b4ae6f6", "spans": {"Indicator: 8f5d5d8419a4832d175a6028c9e7d445f1e99fdc12170db257df79831c69ae4e": [[0, 64]], "Indicator: a5ebcdaf5fd10ec9de85d62e48cc97a4e08c699a7ebdeab0351b86ab1370557d": [[65, 129]], "Indicator: 84578b9b2c3cc1c7bbfcf4038a6c76ae91dfc82eef5e4c6815627eaf6b4ae6f6": [[130, 194]]}, "info": {"id": "cyner_mitre_train_01050", "source": "cyner_mitre_train"}} +{"text": 
"89eecd91dff4bf42bebbf3aa85aa512ddf661d3e9de4c91196c98f4fc325a018 9edee3f3d539e3ade61ac2956a6900d93ba3b535b6a76b3a9ee81e2251e25c61 0e48e5dbc3a60910c1460b382d28e087a580f38f57d3f82d4564309346069bd1 c113cdd2a5e164dcba157fc4e6026495a1cfbcb0b1a8bf3e38e7eddbb316e01f", "spans": {"Indicator: 89eecd91dff4bf42bebbf3aa85aa512ddf661d3e9de4c91196c98f4fc325a018": [[0, 64]], "Indicator: 9edee3f3d539e3ade61ac2956a6900d93ba3b535b6a76b3a9ee81e2251e25c61": [[65, 129]], "Indicator: 0e48e5dbc3a60910c1460b382d28e087a580f38f57d3f82d4564309346069bd1": [[130, 194]], "Indicator: c113cdd2a5e164dcba157fc4e6026495a1cfbcb0b1a8bf3e38e7eddbb316e01f": [[195, 259]]}, "info": {"id": "cyner_mitre_train_01051", "source": "cyner_mitre_train"}} +{"text": "1819d2546d9c9580193827c0d2f5aad7e7f2856f7d5e6d40fd739b6cecdb1e9e b213c1de737b72f8dd7185186a246277951b651c64812692da0b9fdf1be5bf15 453e7827e943cdda9121948f3f4a68d6289d09777538f92389ca56f6e6de03f0 0246dd4acd9f64ff1508131c57a7b29e995e102c74477d5624e1271700ecb0e2", "spans": {"Indicator: 1819d2546d9c9580193827c0d2f5aad7e7f2856f7d5e6d40fd739b6cecdb1e9e": [[0, 64]], "Indicator: b213c1de737b72f8dd7185186a246277951b651c64812692da0b9fdf1be5bf15": [[65, 129]], "Indicator: 453e7827e943cdda9121948f3f4a68d6289d09777538f92389ca56f6e6de03f0": [[130, 194]], "Indicator: 0246dd4acd9f64ff1508131c57a7b29e995e102c74477d5624e1271700ecb0e2": [[195, 259]]}, "info": {"id": "cyner_mitre_train_01052", "source": "cyner_mitre_train"}} +{"text": "88034e0eddfdb6297670d28ed810aef87679e9492e9b3e782cc14d9d1a55db84 e08f08f4fa75609731c6dd597dc55c8f95dbdd5725a6a90a9f80134832a07f2e 01c5b637f283697350ca361f241416303ab6123da4c6726a6555ac36cb654b5c 1fb06666befd581019af509951320c7e8535e5b38ad058069f4979e9a21c7e1c", "spans": {"Indicator: 88034e0eddfdb6297670d28ed810aef87679e9492e9b3e782cc14d9d1a55db84": [[0, 64]], "Indicator: e08f08f4fa75609731c6dd597dc55c8f95dbdd5725a6a90a9f80134832a07f2e": [[65, 129]], "Indicator: 01c5b637f283697350ca361f241416303ab6123da4c6726a6555ac36cb654b5c": [[130, 194]], 
"Indicator: 1fb06666befd581019af509951320c7e8535e5b38ad058069f4979e9a21c7e1c": [[195, 259]]}, "info": {"id": "cyner_mitre_train_01053", "source": "cyner_mitre_train"}} +{"text": "6bdfb79f813448b7f1b4f4dbe6a45d1938f3039c93ecf80318cedd1090f7e341 ADDITIONAL INFORMATION Packages monitored pin.secret.access com.chase.sig.android com.morganstanley.clientmobile.prod com.wf.wellsfargomobile com.citi.citimobile com.konylabs.capitalone com.infonow.bofa com.htsu.hsbcpersonalbanking com.usaa.mobile.android.usaa", "spans": {"Indicator: 6bdfb79f813448b7f1b4f4dbe6a45d1938f3039c93ecf80318cedd1090f7e341": [[0, 64]], "Indicator: pin.secret.access": [[107, 124]], "Indicator: com.chase.sig.android": [[125, 146]], "Indicator: com.morganstanley.clientmobile.prod": [[147, 182]], "Indicator: com.wf.wellsfargomobile": [[183, 206]], "Indicator: com.citi.citimobile": [[207, 226]], "Indicator: com.konylabs.capitalone": [[227, 250]], "Indicator: com.infonow.bofa": [[251, 267]], "Indicator: com.htsu.hsbcpersonalbanking": [[268, 296]], "Indicator: com.usaa.mobile.android.usaa": [[297, 325]]}, "info": {"id": "cyner_mitre_train_01054", "source": "cyner_mitre_train"}} +{"text": "com.schwab.mobile com.americanexpress.android.acctsvcs.us com.pnc.ecommerce.mobile com.regions.mobbanking com.clairmail.fth com.grppl.android.shell.BOS com.tdbank com.huntington.m com.citizensbank.androidapp com.usbank.mobilebanking com.ally.MobileBanking com.key.android com.unionbank.ecommerce.mobile.android com.mfoundry.mb.android.mb_BMOH071025661", "spans": {"Indicator: com.schwab.mobile": [[0, 17]], "Indicator: com.pnc.ecommerce.mobile": [[58, 82]], "Indicator: com.regions.mobbanking": [[83, 105]], "Indicator: com.clairmail.fth": [[106, 123]], "Indicator: com.grppl.android.shell.BOS": [[124, 151]], "Indicator: com.tdbank": [[152, 162]], "Indicator: com.huntington.m": [[163, 179]], "Indicator: com.citizensbank.androidapp": [[180, 207]], "Indicator: com.usbank.mobilebanking": [[208, 232]], "Indicator: 
com.ally.MobileBanking": [[233, 255]], "Indicator: com.key.android": [[256, 271]], "Indicator: com.unionbank.ecommerce.mobile.android": [[272, 310]], "Indicator: com.mfoundry.mb.android.mb_BMOH071025661": [[311, 351]]}, "info": {"id": "cyner_mitre_train_01055", "source": "cyner_mitre_train"}} +{"text": "com.bbt.cmol com.sovereign.santander com.mtb.mbanking.sc.retail.prod com.fi9293.godough com.commbank.netbank org.westpac.bank org.stgeorge.bank au.com.nab.mobile au.com.bankwest.mobile au.com.ingdirect.android org.banksa.bank com.anz.android com.anz.android.gomoney com.citibank.mobile.au org.bom.bank com.latuabancaperandroid", "spans": {"Indicator: com.bbt.cmol": [[0, 12]], "Indicator: com.sovereign.santander": [[13, 36]], "Indicator: com.mtb.mbanking.sc.retail.prod": [[37, 68]], "Indicator: com.fi9293.godough": [[69, 87]], "Indicator: com.commbank.netbank": [[88, 108]], "Indicator: org.westpac.bank": [[109, 125]], "Indicator: org.stgeorge.bank": [[126, 143]], "Indicator: au.com.nab.mobile": [[144, 161]], "Indicator: au.com.bankwest.mobile": [[162, 184]], "Indicator: au.com.ingdirect.android": [[185, 209]], "Indicator: org.banksa.bank": [[210, 225]], "Indicator: com.anz.android": [[226, 241]], "Indicator: com.anz.android.gomoney": [[242, 265]], "Indicator: com.citibank.mobile.au": [[266, 288]], "Indicator: org.bom.bank": [[289, 301]], "Indicator: com.latuabancaperandroid": [[302, 326]]}, "info": {"id": "cyner_mitre_train_01056", "source": "cyner_mitre_train"}} +{"text": "com.comarch.mobile com.jpm.sig.android com.konylabs.cbplpat by.belinvestbank no.apps.dnbnor com.arkea.phonegap com.alseda.bpssberbank com.belveb.belvebmobile com.finanteq.finance.ca pl.eurobank pl.eurobank2 pl.noblebank.mobile com.getingroup.mobilebanking hr.asseco.android.mtoken.getin pl.getinleasing.mobile com.icp.ikasa.getinon", "spans": {"Indicator: com.comarch.mobile": [[0, 18]], "Indicator: com.jpm.sig.android": [[19, 38]], "Indicator: com.konylabs.cbplpat": [[39, 59]], "Indicator: 
by.belinvestbank": [[60, 76]], "Indicator: no.apps.dnbnor": [[77, 91]], "Indicator: com.arkea.phonegap": [[92, 110]], "Indicator: com.alseda.bpssberbank": [[111, 133]], "Indicator: com.belveb.belvebmobile": [[134, 157]], "Indicator: com.finanteq.finance.ca": [[158, 181]], "Indicator: pl.eurobank": [[182, 193]], "Indicator: pl.eurobank2": [[194, 206]], "Indicator: pl.noblebank.mobile": [[207, 226]], "Indicator: com.getingroup.mobilebanking": [[227, 255]], "Indicator: hr.asseco.android.mtoken.getin": [[256, 286]], "Indicator: pl.getinleasing.mobile": [[287, 309]], "Indicator: com.icp.ikasa.getinon": [[310, 331]]}, "info": {"id": "cyner_mitre_train_01057", "source": "cyner_mitre_train"}} +{"text": "eu.eleader.mobilebanking.pekao softax.pekao.powerpay softax.pekao.mpos dk.jyskebank.mobilbank com.starfinanz.smob.android.bwmobilbanking eu.newfrontier.iBanking.mobile.SOG.Retail com.accessbank.accessbankapp com.sbi.SBIFreedomPlus com.zenithBank.eazymoney net.cts.android.centralbank com.f1soft.nmbmobilebanking.activities.main com.lb.smartpay com.mbmobile", "spans": {"Indicator: eu.eleader.mobilebanking.pekao": [[0, 30]], "Indicator: softax.pekao.powerpay": [[31, 52]], "Indicator: softax.pekao.mpos": [[53, 70]], "Indicator: dk.jyskebank.mobilbank": [[71, 93]], "Indicator: com.starfinanz.smob.android.bwmobilbanking": [[94, 136]], "Indicator: eu.newfrontier.iBanking.mobile.SOG.Retail": [[137, 178]], "Indicator: com.accessbank.accessbankapp": [[179, 207]], "Indicator: com.sbi.SBIFreedomPlus": [[208, 230]], "Indicator: com.zenithBank.eazymoney": [[231, 255]], "Indicator: net.cts.android.centralbank": [[256, 283]], "Indicator: com.f1soft.nmbmobilebanking.activities.main": [[284, 327]], "Indicator: com.lb.smartpay": [[328, 343]], "Indicator: com.mbmobile": [[344, 356]]}, "info": {"id": "cyner_mitre_train_01058", "source": "cyner_mitre_train"}} +{"text": "com.db.mobilebanking com.botw.mobilebanking com.fg.wallet com.sbi.SBISecure com.icsfs.safwa com.interswitchng.www 
com.dhanlaxmi.dhansmart.mtc com.icomvision.bsc.tbc hr.asseco.android.jimba.cecro com.vanso.gtbankapp com.fss.pnbpsp com.mfino.sterling cy.com.netinfo.netteller.boc ge.mobility.basisbank com.snapwork.IDBI", "spans": {"Indicator: com.db.mobilebanking": [[0, 20]], "Indicator: com.botw.mobilebanking": [[21, 43]], "Indicator: com.fg.wallet": [[44, 57]], "Indicator: com.sbi.SBISecure": [[58, 75]], "Indicator: com.icsfs.safwa": [[76, 91]], "Indicator: com.interswitchng.www": [[92, 113]], "Indicator: com.dhanlaxmi.dhansmart.mtc": [[114, 141]], "Indicator: com.icomvision.bsc.tbc": [[142, 164]], "Indicator: hr.asseco.android.jimba.cecro": [[165, 194]], "Indicator: com.vanso.gtbankapp": [[195, 214]], "Indicator: com.fss.pnbpsp": [[215, 229]], "Indicator: com.mfino.sterling": [[230, 248]], "Indicator: cy.com.netinfo.netteller.boc": [[249, 277]], "Indicator: ge.mobility.basisbank": [[278, 299]], "Indicator: com.snapwork.IDBI": [[300, 317]]}, "info": {"id": "cyner_mitre_train_01059", "source": "cyner_mitre_train"}} +{"text": "com.lcode.apgvb com.fact.jib mn.egolomt.bank com.pnbrewardz com.firstbank.firstmobile wit.android.bcpBankingApp.millenniumPL com.grppl.android.shell.halifax com.revolut.revolut de.commerzbanking.mobil uk.co.santander.santanderUK se.nordea.mobilebank com.snapwork.hdfc com.csam.icici.bank.imobile com.msf.kbank.mobile", "spans": {"Indicator: com.lcode.apgvb": [[0, 15]], "Indicator: com.fact.jib": [[16, 28]], "Indicator: mn.egolomt.bank": [[29, 44]], "Indicator: com.pnbrewardz": [[45, 59]], "Indicator: com.firstbank.firstmobile": [[60, 85]], "Indicator: wit.android.bcpBankingApp.millenniumPL": [[86, 124]], "Indicator: com.grppl.android.shell.halifax": [[125, 156]], "Indicator: com.revolut.revolut": [[157, 176]], "Indicator: de.commerzbanking.mobil": [[177, 200]], "Indicator: uk.co.santander.santanderUK": [[201, 228]], "Indicator: se.nordea.mobilebank": [[229, 249]], "Indicator: com.snapwork.hdfc": [[250, 267]], "Indicator: com.csam.icici.bank.imobile": [[268, 
295]], "Indicator: com.msf.kbank.mobile": [[296, 316]]}, "info": {"id": "cyner_mitre_train_01060", "source": "cyner_mitre_train"}} +{"text": "com.bmm.mobilebankingapp net.bnpparibas.mescomptes fr.banquepopulaire.cyberplus com.caisseepargne.android.mobilebanking com.palatine.android.mobilebanking.prod com.ocito.cdn.activity.creditdunord com.fullsix.android.labanquepostale.accountaccess mobi.societegenerale.mobile.lappli com.db.businessline.cardapp com.skh.android.mbanking com.ifs.banking.fiid1491", "spans": {"Indicator: com.bmm.mobilebankingapp": [[0, 24]], "Indicator: net.bnpparibas.mescomptes": [[25, 50]], "Indicator: fr.banquepopulaire.cyberplus": [[51, 79]], "Indicator: com.caisseepargne.android.mobilebanking": [[80, 119]], "Indicator: com.palatine.android.mobilebanking.prod": [[120, 159]], "Indicator: com.ocito.cdn.activity.creditdunord": [[160, 195]], "Indicator: com.fullsix.android.labanquepostale.accountaccess": [[196, 245]], "Indicator: mobi.societegenerale.mobile.lappli": [[246, 280]], "Indicator: com.db.businessline.cardapp": [[281, 308]], "Indicator: com.skh.android.mbanking": [[309, 333]], "Indicator: com.ifs.banking.fiid1491": [[334, 358]]}, "info": {"id": "cyner_mitre_train_01061", "source": "cyner_mitre_train"}} +{"text": "de.dkb.portalapp pl.pkobp.ipkobiznes pl.com.suntech.mobileconnect eu.eleader.mobilebanking.pekao.firm pl.mbank pl.upaid.nfcwallet.mbank eu.eleader.mobilebanking.bre pl.asseco.mpromak.android.app.bre pl.asseco.mpromak.android.app.bre.hd pl.mbank.mnews eu.eleader.mobilebanking.raiffeisen pl.raiffeisen.nfc hr.asseco.android.jimba.rmb", "spans": {"Indicator: de.dkb.portalapp": [[0, 16]], "Indicator: pl.pkobp.ipkobiznes": [[17, 36]], "Indicator: pl.com.suntech.mobileconnect": [[37, 65]], "Indicator: eu.eleader.mobilebanking.pekao.firm": [[66, 101]], "Indicator: pl.mbank": [[102, 110]], "Indicator: pl.upaid.nfcwallet.mbank": [[111, 135]], "Indicator: eu.eleader.mobilebanking.bre": [[136, 164]], "Indicator: 
pl.asseco.mpromak.android.app.bre": [[165, 198]], "Indicator: pl.asseco.mpromak.android.app.bre.hd": [[199, 235]], "Indicator: pl.mbank.mnews": [[236, 250]], "Indicator: eu.eleader.mobilebanking.raiffeisen": [[251, 286]], "Indicator: pl.raiffeisen.nfc": [[287, 304]], "Indicator: hr.asseco.android.jimba.rmb": [[305, 332]]}, "info": {"id": "cyner_mitre_train_01062", "source": "cyner_mitre_train"}} +{"text": "com.advantage.RaiffeisenBank pl.bzwbk.ibiznes24 pl.bzwbk.bzwbk24 pl.bzwbk.mobile.tab.bzwbk24 com.comarch.mobile.investment com.android.vending com.snapchat.android jp.naver.line.android com.viber.voip com.gettaxi.android com.whatsapp com.tencent.mm com.skype.raider com.ubercab com.paypal.android.p2pmobile", "spans": {"Indicator: com.advantage.RaiffeisenBank": [[0, 28]], "Indicator: pl.bzwbk.ibiznes24": [[29, 47]], "Indicator: pl.bzwbk.bzwbk24": [[48, 64]], "Indicator: pl.bzwbk.mobile.tab.bzwbk24": [[65, 92]], "Indicator: com.comarch.mobile.investment": [[93, 122]], "Indicator: com.android.vending": [[123, 142]], "Indicator: com.snapchat.android": [[143, 163]], "Indicator: jp.naver.line.android": [[164, 185]], "Indicator: com.viber.voip": [[186, 200]], "Indicator: com.gettaxi.android": [[201, 220]], "Indicator: com.whatsapp": [[221, 233]], "Indicator: com.tencent.mm": [[234, 248]], "Indicator: com.skype.raider": [[249, 265]], "Indicator: com.ubercab": [[266, 277]], "Indicator: com.paypal.android.p2pmobile": [[278, 306]]}, "info": {"id": "cyner_mitre_train_01063", "source": "cyner_mitre_train"}} +{"text": "com.circle.android com.coinbase.android com.walmart.android com.bestbuy.android com.ebay.gumtree.au com.ebay.mobile com.westernunion.android.mtapp com.moneybookers.skrillpayments com.gyft.android com.amazon.mShop.android.shopping com.comarch.mobile.banking.bgzbnpparibas.biznes pl.bnpbgzparibas.firmapp com.finanteq.finance.bgz pl.upaid.bgzbnpp", "spans": {"Indicator: com.circle.android": [[0, 18]], "Indicator: com.coinbase.android": [[19, 39]], "Indicator: 
com.walmart.android": [[40, 59]], "Indicator: com.bestbuy.android": [[60, 79]], "Indicator: com.ebay.gumtree.au": [[80, 99]], "Indicator: com.ebay.mobile": [[100, 115]], "Indicator: com.westernunion.android.mtapp": [[116, 146]], "Indicator: com.moneybookers.skrillpayments": [[147, 178]], "Indicator: com.gyft.android": [[179, 195]], "Indicator: com.amazon.mShop.android.shopping": [[196, 229]], "Indicator: com.comarch.mobile.banking.bgzbnpparibas.biznes": [[230, 277]], "Indicator: pl.bnpbgzparibas.firmapp": [[278, 302]], "Indicator: com.finanteq.finance.bgz": [[303, 327]], "Indicator: pl.upaid.bgzbnpp": [[328, 344]]}, "info": {"id": "cyner_mitre_train_01064", "source": "cyner_mitre_train"}} +{"text": "de.postbank.finanzassistent pl.bph de.comdirect.android com.starfinanz.smob.android.sfinanzstatus de.sdvrz.ihb.mobile.app pl.ing.mojeing com.ing.mobile pl.ing.ingksiegowosc com.comarch.security.mobilebanking com.comarch.mobile.investment.ing com.ingcb.mobile.cbportal de.buhl.finanzblick pl.pkobp.iko pl.ipko.mobile pl.inteligo.mobile de.number26.android", "spans": {"Indicator: de.postbank.finanzassistent": [[0, 27]], "Indicator: pl.bph": [[28, 34]], "Indicator: de.comdirect.android": [[35, 55]], "Indicator: com.starfinanz.smob.android.sfinanzstatus": [[56, 97]], "Indicator: de.sdvrz.ihb.mobile.app": [[98, 121]], "Indicator: pl.ing.mojeing": [[122, 136]], "Indicator: com.ing.mobile": [[137, 151]], "Indicator: pl.ing.ingksiegowosc": [[152, 172]], "Indicator: com.comarch.security.mobilebanking": [[173, 207]], "Indicator: com.comarch.mobile.investment.ing": [[208, 241]], "Indicator: com.ingcb.mobile.cbportal": [[242, 267]], "Indicator: de.buhl.finanzblick": [[268, 287]], "Indicator: pl.pkobp.iko": [[288, 300]], "Indicator: pl.ipko.mobile": [[301, 315]], "Indicator: pl.inteligo.mobile": [[316, 334]], "Indicator: de.number26.android": [[335, 354]]}, "info": {"id": "cyner_mitre_train_01065", "source": "cyner_mitre_train"}} +{"text": "pl.millennium.corpApp eu.transfer24.app 
pl.aliorbank.aib pl.corelogic.mtoken alior.bankingapp.android com.ferratumbank.mobilebank com.swmind.vcc.android.bzwbk_mobile.app de.schildbach.wallet piuk.blockchain.android com.bitcoin.mwallet com.btcontract.wallet com.bitpay.wallet com.bitpay.copay btc.org.freewallet.app org.electrum.electrum", "spans": {"Indicator: pl.corelogic.mtoken": [[57, 76]], "Indicator: alior.bankingapp.android": [[77, 101]], "Indicator: com.ferratumbank.mobilebank": [[102, 129]], "Indicator: com.swmind.vcc.android.bzwbk_mobile.app": [[130, 169]], "Indicator: de.schildbach.wallet": [[170, 190]], "Indicator: piuk.blockchain.android": [[191, 214]], "Indicator: com.bitcoin.mwallet": [[215, 234]], "Indicator: com.btcontract.wallet": [[235, 256]], "Indicator: com.bitpay.wallet": [[257, 274]], "Indicator: com.bitpay.copay": [[275, 291]], "Indicator: btc.org.freewallet.app": [[292, 314]], "Indicator: org.electrum.electrum": [[315, 336]]}, "info": {"id": "cyner_mitre_train_01066", "source": "cyner_mitre_train"}} +{"text": "com.xapo com.airbitz com.kibou.bitcoin com.qcan.mobile.bitcoin.wallet me.cryptopay.android com.bitcoin.wallet lt.spectrofinance.spectrocoin.android.wallet com.kryptokit.jaxx com.wirex bcn.org.freewallet.app com.hashengineering.bitcoincash.wallet bcc.org.freewallet.app com.coinspace.app btg.org.freewallet.app net.bither", "spans": {"Indicator: com.xapo": [[0, 8]], "Indicator: com.airbitz": [[9, 20]], "Indicator: com.kibou.bitcoin": [[21, 38]], "Indicator: com.qcan.mobile.bitcoin.wallet": [[39, 69]], "Indicator: me.cryptopay.android": [[70, 90]], "Indicator: com.bitcoin.wallet": [[91, 109]], "Indicator: lt.spectrofinance.spectrocoin.android.wallet": [[110, 154]], "Indicator: com.kryptokit.jaxx": [[155, 173]], "Indicator: com.wirex": [[174, 183]], "Indicator: bcn.org.freewallet.app": [[184, 206]], "Indicator: com.hashengineering.bitcoincash.wallet": [[207, 245]], "Indicator: bcc.org.freewallet.app": [[246, 268]], "Indicator: com.coinspace.app": [[269, 286]], "Indicator: 
btg.org.freewallet.app": [[287, 309]], "Indicator: net.bither": [[310, 320]]}, "info": {"id": "cyner_mitre_train_01067", "source": "cyner_mitre_train"}} +{"text": "co.edgesecure.app com.arcbit.arcbit distributedlab.wallet de.schildbach.wallet_test com.aegiswallet com.plutus.wallet com.coincorner.app.crypt eth.org.freewallet.app secret.access secret.pattern RuMMS : The Latest Family of Android Malware Attacking Users in Russia Via SMS Phishing April 26 , 2016 Introduction Recently we observed an Android malware family being used to attack users in Russia .", "spans": {"Indicator: co.edgesecure.app": [[0, 17]], "Indicator: com.arcbit.arcbit": [[18, 35]], "Indicator: distributedlab.wallet": [[36, 57]], "Indicator: de.schildbach.wallet_test": [[58, 83]], "Indicator: com.aegiswallet": [[84, 99]], "Indicator: com.plutus.wallet": [[100, 117]], "Indicator: com.coincorner.app.crypt": [[118, 142]], "Indicator: eth.org.freewallet.app": [[143, 165]], "Indicator: secret.access": [[166, 179]], "Indicator: secret.pattern": [[180, 194]], "Malware: RuMMS": [[195, 200]], "System: Android": [[224, 231]], "Malware: Android": [[336, 343]]}, "info": {"id": "cyner_mitre_train_01068", "source": "cyner_mitre_train"}} +{"text": "The malware samples were mainly distributed through a series of malicious subdomains registered under a legitimate domain belonging to a well-known shared hosting service provider in Russia .", "spans": {}, "info": {"id": "cyner_mitre_train_01069", "source": "cyner_mitre_train"}} +{"text": "Because all the URLs used in this campaign have the form of hxxp : //yyyyyyyy [ .", "spans": {"Indicator: hxxp : //yyyyyyyy [ .": [[60, 81]]}, "info": {"id": "cyner_mitre_train_01070", "source": "cyner_mitre_train"}} +{"text": "] XXXX.ru/mms.apk ( where XXXX.ru represents the hosting provider ’ s domain ) , we named this malware family RuMMS .", "spans": {"Indicator: XXXX.ru": [[26, 33]], "Malware: RuMMS": [[110, 115]]}, "info": {"id": "cyner_mitre_train_01071", "source": 
"cyner_mitre_train"}} +{"text": "To lure the victims to download the malware , threat actors use SMS phishing – sending a short SMS message containing a malicious URL to the potential victims .", "spans": {}, "info": {"id": "cyner_mitre_train_01072", "source": "cyner_mitre_train"}} +{"text": "Unwary users who click the seemingly innocuous link will have their device infected with RuMMS malware .", "spans": {"Malware: RuMMS": [[89, 94]]}, "info": {"id": "cyner_mitre_train_01073", "source": "cyner_mitre_train"}} +{"text": "Figure 1 describes this infection process and the main behaviors of RuMMS .", "spans": {"Malware: RuMMS": [[68, 73]]}, "info": {"id": "cyner_mitre_train_01074", "source": "cyner_mitre_train"}} +{"text": "On April 3 , 2016 , we still observed new RuMMS samples emerging in the wild .", "spans": {"Malware: RuMMS": [[42, 47]]}, "info": {"id": "cyner_mitre_train_01075", "source": "cyner_mitre_train"}} +{"text": "The earliest identified sample , however , can be traced back to Jan. 
18 , 2016 .", "spans": {}, "info": {"id": "cyner_mitre_train_01076", "source": "cyner_mitre_train"}} +{"text": "Within this time period , we identified close to 300 samples belonging to this family ( all sample hashes are listed in the Appendix ) .", "spans": {}, "info": {"id": "cyner_mitre_train_01077", "source": "cyner_mitre_train"}} +{"text": "After landing on the victim ’ s phone , the RuMMS apps will request device administrator privileges , remove their icons to hide themselves from users , and remain running in the background to perform a series of malicious behaviors .", "spans": {"Malware: RuMMS": [[44, 49]]}, "info": {"id": "cyner_mitre_train_01078", "source": "cyner_mitre_train"}} +{"text": "So far we have identified the following behaviors : Sending device information to a remote command and control ( C2 ) server .", "spans": {}, "info": {"id": "cyner_mitre_train_01079", "source": "cyner_mitre_train"}} +{"text": "Contacting the C2 server for instructions .", "spans": {}, "info": {"id": "cyner_mitre_train_01080", "source": "cyner_mitre_train"}} +{"text": "Sending SMS messages to financial institutions to query account balances .", "spans": {}, "info": {"id": "cyner_mitre_train_01081", "source": "cyner_mitre_train"}} +{"text": "Uploading any incoming SMS messages ( including the balance inquiry results ) to the remote C2 server .", "spans": {}, "info": {"id": "cyner_mitre_train_01082", "source": "cyner_mitre_train"}} +{"text": "Sending C2-specified SMS messages to phone numbers in the victim ’ s contacts .", "spans": {}, "info": {"id": "cyner_mitre_train_01083", "source": "cyner_mitre_train"}} +{"text": "Forward incoming phone calls to intercept voice-based two-factor authentication .", "spans": {}, "info": {"id": "cyner_mitre_train_01084", "source": "cyner_mitre_train"}} +{"text": "Each of these behaviors is under the control of the remote C2 server .", "spans": {}, "info": {"id": "cyner_mitre_train_01085", "source": "cyner_mitre_train"}} +{"text": "In 
other words , the C2 server can specify the message contents to be sent , the time period in which to forward the voice call , and the recipients of outgoing messages .", "spans": {}, "info": {"id": "cyner_mitre_train_01086", "source": "cyner_mitre_train"}} +{"text": "As part of our investigation into this malware , we emulated an infected Android device in order to communicate with the RuMMS C2 server .", "spans": {"System: Android": [[73, 80]], "Malware: RuMMS": [[121, 126]]}, "info": {"id": "cyner_mitre_train_01087", "source": "cyner_mitre_train"}} +{"text": "During one session , the C2 server commanded our emulated device to send four different SMS messages to four different phone numbers , all of which were associated with Russian financial institutions .", "spans": {}, "info": {"id": "cyner_mitre_train_01088", "source": "cyner_mitre_train"}} +{"text": "At least three of the messages were intended to check a user �� s account balance at the institution ( we could not confirm the purpose of the fourth ) .Through additional research , we identified several forum posts where victims complained of funds ( up to 600 rubles ) were transferred out of their accounts after RuMMS infected their phones .", "spans": {"Malware: RuMMS": [[316, 321]]}, "info": {"id": "cyner_mitre_train_01089", "source": "cyner_mitre_train"}} +{"text": "We do not know exactly how many people have been infected with RuMMS malware .", "spans": {"Malware: RuMMS": [[63, 68]]}, "info": {"id": "cyner_mitre_train_01090", "source": "cyner_mitre_train"}} +{"text": "However , our data suggests that there have been at least 2,729 infections between January 2016 and early April 2016 , with a peak in March of more than 1,100 infections .", "spans": {}, "info": {"id": "cyner_mitre_train_01091", "source": "cyner_mitre_train"}} +{"text": "Smishing : The Major Way To Distribute RuMMS We have not observed any instances of RuMMS on Google Play or other online app stores .", "spans": {"Malware: RuMMS": [[39, 
44], [83, 88]], "System: Google Play": [[92, 103]]}, "info": {"id": "cyner_mitre_train_01092", "source": "cyner_mitre_train"}} +{"text": "Smishing ( SMS phishing ) is currently the primary way threat actors are distributing the malware .", "spans": {}, "info": {"id": "cyner_mitre_train_01093", "source": "cyner_mitre_train"}} +{"text": "The process starts when an SMS phishing message arrives at a user ’ s phone .", "spans": {}, "info": {"id": "cyner_mitre_train_01094", "source": "cyner_mitre_train"}} +{"text": "An example SMS message is shown in Figure 1 .", "spans": {}, "info": {"id": "cyner_mitre_train_01095", "source": "cyner_mitre_train"}} +{"text": "The message translates roughly to “ You got a photo in MMS format : hxxp : //yyyyyyyy.XXXX.ru/mms.apk. ” So far we identified seven different URLs being used to spread RuMMS in the wild .", "spans": {"Indicator: hxxp : //yyyyyyyy.XXXX.ru/mms.apk.": [[68, 102]], "Malware: RuMMS": [[168, 173]]}, "info": {"id": "cyner_mitre_train_01096", "source": "cyner_mitre_train"}} +{"text": "All of the URLs reference the file “ mms.apk ” and all use the domain “ XXXX.ru ” , which belongs to a top five shared hosting platform in Russia ( the domain itself has been obfuscated to anonymize the provider ) .", "spans": {"Indicator: mms.apk": [[37, 44]], "Indicator: XXXX.ru": [[72, 79]]}, "info": {"id": "cyner_mitre_train_01097", "source": "cyner_mitre_train"}} +{"text": "The threat actors registered at least seven subdomains through the hosting provider , each consisting of eight random-looking characters ( asdfgjcr , cacama18 , cacamadf , konkonq2 , mmsmtsh5 , riveroer , and sdfkjhl2 .", "spans": {"Indicator: asdfgjcr": [[139, 147]], "Indicator: cacama18": [[150, 158]], "Indicator: cacamadf": [[161, 169]], "Indicator: konkonq2": [[172, 180]], "Indicator: mmsmtsh5": [[183, 191]], "Indicator: riveroer": [[194, 202]], "Indicator: sdfkjhl2": [[209, 217]]}, "info": {"id": "cyner_mitre_train_01098", "source": "cyner_mitre_train"}} +{"text": 
") As of this writing , no files were hosted at any of the links .", "spans": {}, "info": {"id": "cyner_mitre_train_01099", "source": "cyner_mitre_train"}} +{"text": "The threat actors seem to have abandoned these URLs and might be looking into other ways to reach more victims .", "spans": {}, "info": {"id": "cyner_mitre_train_01100", "source": "cyner_mitre_train"}} +{"text": "Use of a shared hosting service to distribute malware is highly flexible and low cost for the threat actors .", "spans": {}, "info": {"id": "cyner_mitre_train_01101", "source": "cyner_mitre_train"}} +{"text": "It is also much harder for network defenders or researchers to track a campaign where the infrastructure is a moving target .", "spans": {}, "info": {"id": "cyner_mitre_train_01102", "source": "cyner_mitre_train"}} +{"text": "Many top providers in Russia offer cheap prices for their shared hosting services , and some even provide free 30-day trial periods .", "spans": {}, "info": {"id": "cyner_mitre_train_01103", "source": "cyner_mitre_train"}} +{"text": "Threat actors can register subdomains through the hosting provider and use the provider ’ s services for a short-period campaign .", "spans": {}, "info": {"id": "cyner_mitre_train_01104", "source": "cyner_mitre_train"}} +{"text": "A few days later they can cancel the trial and do not need to pay a penny .", "spans": {}, "info": {"id": "cyner_mitre_train_01105", "source": "cyner_mitre_train"}} +{"text": "In addition , these out-of-the-box hosting services usually provide better infrastructure than the attackers could manage to construct ( or compromise ) themselves .", "spans": {}, "info": {"id": "cyner_mitre_train_01106", "source": "cyner_mitre_train"}} +{"text": "RuMMS Code Analysis All RuMMS samples share the same behaviors , major parts of which are shown in Figure 1 .", "spans": {"Malware: RuMMS": [[0, 5], [24, 29]]}, "info": {"id": "cyner_mitre_train_01107", "source": "cyner_mitre_train"}} +{"text": "However , the underlying code 
can be quite different in that various obfuscation mechanisms were adopted to evade detection by anti-virus tools .", "spans": {}, "info": {"id": "cyner_mitre_train_01108", "source": "cyner_mitre_train"}} +{"text": "We used a sample app named “ org.starsizew ” with an MD5 of d8caad151e07025fdbf5f3c26e3ceaff to analyze RuMMS ’ s code .", "spans": {"Indicator: org.starsizew": [[29, 42]], "Indicator: d8caad151e07025fdbf5f3c26e3ceaff": [[60, 92]], "Malware: RuMMS": [[104, 109]]}, "info": {"id": "cyner_mitre_train_01109", "source": "cyner_mitre_train"}} +{"text": "Several of the main components of RuMMS are shown in Figure 2 .", "spans": {"Malware: RuMMS": [[34, 39]]}, "info": {"id": "cyner_mitre_train_01110", "source": "cyner_mitre_train"}} +{"text": "The activity class “ org.starsizew.MainActivity ” executes when the app is started .", "spans": {"Indicator: org.starsizew.MainActivity": [[21, 47]]}, "info": {"id": "cyner_mitre_train_01111", "source": "cyner_mitre_train"}} +{"text": "It first starts another activity defined in “ org.starsizew.Aa ” to request device administrator privileges , and then calls the following API of “ android.content.pm.PackageManager ” ( the Android package manager to remove its own icon on the home screen in order to conceal the existence of RuMMS from the user : At the same time , ” org.starsizew.MainActivity ” will start the main service as defined in “ org.starsizew.Tb ” , and use a few mechanisms to keep the main service running continuously", "spans": {"Indicator: org.starsizew.Aa": [[46, 62]], "Indicator: android.content.pm.PackageManager": [[148, 181]], "System: Android": [[190, 197]], "Malware: RuMMS": [[293, 298]], "Indicator: org.starsizew.MainActivity": [[336, 362]], "Indicator: org.starsizew.Tb": [[409, 425]]}, "info": {"id": "cyner_mitre_train_01112", "source": "cyner_mitre_train"}} +{"text": "in the background .", "spans": {}, "info": {"id": "cyner_mitre_train_01113", "source": "cyner_mitre_train"}} +{"text": "The class “ 
org.starsizew.Ac ” is designed for this purpose ; its only task is to check if the main service is running , and restart the main service if the answer is no .", "spans": {"Indicator: org.starsizew.Ac": [[12, 28]]}, "info": {"id": "cyner_mitre_train_01114", "source": "cyner_mitre_train"}} +{"text": "The class “ org.starsizew.Tb ” also has a self-monitoring mechanism to restart itself when its own onDestroy API is triggered .", "spans": {"Indicator: org.starsizew.Tb": [[12, 28]]}, "info": {"id": "cyner_mitre_train_01115", "source": "cyner_mitre_train"}} +{"text": "Other than that , its major functionality is to collect private device information , upload it to a remote C2 server , and handle any commands as requested by the C2 server .", "spans": {}, "info": {"id": "cyner_mitre_train_01116", "source": "cyner_mitre_train"}} +{"text": "All those functions are implemented in asynchronous tasks by “ org.starsizew.i ” .", "spans": {"Indicator: org.starsizew.i": [[63, 78]]}, "info": {"id": "cyner_mitre_train_01117", "source": "cyner_mitre_train"}} +{"text": "The class “ org.starsizew.Ma ” is registered to intercept incoming SMS messages , the arrival of which will trigger the Android system to call its “ onReceive ” API .", "spans": {"Indicator: org.starsizew.Ma": [[12, 28]], "System: Android": [[120, 127]]}, "info": {"id": "cyner_mitre_train_01118", "source": "cyner_mitre_train"}} +{"text": "Its major functionality is also implemented through the call of the asynchronous task ( “ org.starsizew.i ” ) , including uploading the incoming SMS messages to the remote C2 server and executing any commands as instructed by the remote attacker .", "spans": {"Indicator: org.starsizew.i": [[90, 105]]}, "info": {"id": "cyner_mitre_train_01119", "source": "cyner_mitre_train"}} +{"text": "C2 Communication The C2 communication includes two parts : sending information to the remote HTTP server and parsing the server ’ s response to execute any commands as instructed by the remote 
attackers .", "spans": {}, "info": {"id": "cyner_mitre_train_01120", "source": "cyner_mitre_train"}} +{"text": "The functionality for these two parts is implemented by doInBackground and onPostExecute respectively , two API methods of “ android.os.AsyncTask ” as extended by class “ org.starsizew.i ” .", "spans": {"Indicator: android.os.AsyncTask": [[125, 145]], "Indicator: org.starsizew.i": [[171, 186]]}, "info": {"id": "cyner_mitre_train_01121", "source": "cyner_mitre_train"}} +{"text": "Figure 3 .", "spans": {}, "info": {"id": "cyner_mitre_train_01122", "source": "cyner_mitre_train"}} +{"text": "Method doInBackground : to send information to remote C2 server As seen from the major code body of method doInBackground shown in Figure 3 ( some of the original classes and methods are renamed for easier understanding ) , there are three calls to HttpPost with different contents as parameters .", "spans": {}, "info": {"id": "cyner_mitre_train_01123", "source": "cyner_mitre_train"}} +{"text": "At line 5 , local variable v4 specifies the first parameter url , which can be changed by the remote C2 server later .", "spans": {}, "info": {"id": "cyner_mitre_train_01124", "source": "cyner_mitre_train"}} +{"text": "These URLs are all in the form of “ http : // $ C2. $ SERVER. $ IP/api/ ?", "spans": {"Indicator: http : // $ C2. $ SERVER. 
$ IP/api/ ?": [[36, 73]]}, "info": {"id": "cyner_mitre_train_01125", "source": "cyner_mitre_train"}} +{"text": "id= $ NUM ” .", "spans": {}, "info": {"id": "cyner_mitre_train_01126", "source": "cyner_mitre_train"}} +{"text": "The second parameter is a constant string “ POST ” , and the third parameter is a series of key-value pairs to be sent , assembled at runtime .", "spans": {}, "info": {"id": "cyner_mitre_train_01127", "source": "cyner_mitre_train"}} +{"text": "The value of the first item , whose key is “ method ” ( line 7 ) , indicates the type of the contents : install , info and sms .", "spans": {}, "info": {"id": "cyner_mitre_train_01128", "source": "cyner_mitre_train"}} +{"text": "The first type of content , starting with “ method=install ” , will be sent when the app is started for the first time , including the following device private information : Victim identifier Network operator Device model Device OS version Phone number Device identifier App version Country The second type of information will be sent periodically to indicate that the device is alive .", "spans": {}, "info": {"id": "cyner_mitre_train_01129", "source": "cyner_mitre_train"}} +{"text": "It only has two parts , the method indicated by word “ info ” and the victim identifier .", "spans": {}, "info": {"id": "cyner_mitre_train_01130", "source": "cyner_mitre_train"}} +{"text": "The third type of information will be sent when RuMMS intercepts any SMS messages , including the balance inquiry results when it contacts the SMS code of a particular financial service .", "spans": {"Malware: RuMMS": [[48, 53]]}, "info": {"id": "cyner_mitre_train_01131", "source": "cyner_mitre_train"}} +{"text": "Method onPostExecute parses the response from the above HTTP session and executes the commands provided by the remote attacker .", "spans": {}, "info": {"id": "cyner_mitre_train_01132", "source": "cyner_mitre_train"}} +{"text": "As seen from the code in Figure 5 , the commands RuMMS supports right now 
include : install_true : to modify app preference to indicate that the C2 server received the victim device ’ s status .", "spans": {"Malware: RuMMS": [[49, 54]]}, "info": {"id": "cyner_mitre_train_01133", "source": "cyner_mitre_train"}} +{"text": "sms_send : to send C2-specified SMS messages to C2-specified recipients .", "spans": {}, "info": {"id": "cyner_mitre_train_01134", "source": "cyner_mitre_train"}} +{"text": "sms_grab : to upload periodically the SMS messages in the inbox to C2 server .", "spans": {}, "info": {"id": "cyner_mitre_train_01135", "source": "cyner_mitre_train"}} +{"text": "delivery : to deliver specified text to all victim ’ s contacts ( SMS worming ) .", "spans": {}, "info": {"id": "cyner_mitre_train_01136", "source": "cyner_mitre_train"}} +{"text": "call_number : to forward phone calls to intercept voice based two-factor authentication .", "spans": {}, "info": {"id": "cyner_mitre_train_01137", "source": "cyner_mitre_train"}} +{"text": "new_url : to change the URL of the C2 server in the app preference .", "spans": {}, "info": {"id": "cyner_mitre_train_01138", "source": "cyner_mitre_train"}} +{"text": "ussd : to call a C2-specified phone number .", "spans": {}, "info": {"id": "cyner_mitre_train_01139", "source": "cyner_mitre_train"}} +{"text": "Figure 5 .", "spans": {}, "info": {"id": "cyner_mitre_train_01140", "source": "cyner_mitre_train"}} +{"text": "Method onPostExecute : to handle instructions from remote C2 Figure 6 shows an example response sent back from one C2 server .", "spans": {}, "info": {"id": "cyner_mitre_train_01141", "source": "cyner_mitre_train"}} +{"text": "Note that inside this single response , there is one “ install_true ” command , one “ sms_grab ” command and four “ sms_send ” commands .", "spans": {}, "info": {"id": "cyner_mitre_train_01142", "source": "cyner_mitre_train"}} +{"text": "With the four “ sms_send ” commands , the messages as specified in the key “ text ” will be sent immediately to the specified short 
numbers .", "spans": {}, "info": {"id": "cyner_mitre_train_01143", "source": "cyner_mitre_train"}} +{"text": "Our analysis suggests that the four short numbers are associated with Russian financial institutions , presumably where a victim would be likely to have accounts .", "spans": {}, "info": {"id": "cyner_mitre_train_01144", "source": "cyner_mitre_train"}} +{"text": "Figure 6 .", "spans": {}, "info": {"id": "cyner_mitre_train_01145", "source": "cyner_mitre_train"}} +{"text": "Example Response in JSON format In particular , short number “ +7494 ” is associated with a payment service provider in Russia .", "spans": {}, "info": {"id": "cyner_mitre_train_01146", "source": "cyner_mitre_train"}} +{"text": "The provider ’ s website described how the code 7494 can be used to provide a series of payment-related capabilities .", "spans": {}, "info": {"id": "cyner_mitre_train_01147", "source": "cyner_mitre_train"}} +{"text": "For example , sending text “ Balance ” will trigger a response with the victim ’ s wallet balance .", "spans": {}, "info": {"id": "cyner_mitre_train_01148", "source": "cyner_mitre_train"}} +{"text": "Sending text “ confirm 1 ” will include proof of payment .", "spans": {}, "info": {"id": "cyner_mitre_train_01149", "source": "cyner_mitre_train"}} +{"text": "Sending text “ call on ” will activate the USSD payment confirmation service .", "spans": {}, "info": {"id": "cyner_mitre_train_01150", "source": "cyner_mitre_train"}} +{"text": "During our investigation , we observed the C2 server sending multiple “ balance ” commands to different institutions , presumably to query the victim ’ s financial account balances .", "spans": {}, "info": {"id": "cyner_mitre_train_01151", "source": "cyner_mitre_train"}} +{"text": "RuMMS can upload responses to the balance inquiries ( received via SMS message ) to the remote C2 server , which can send back additional commands to be sent from the victim to the provider ’ s payment service .", "spans": {"Malware: RuMMS": 
[[0, 5]]}, "info": {"id": "cyner_mitre_train_01152", "source": "cyner_mitre_train"}} +{"text": "These could include resetting the user ’ s PIN , enabling or disabling various alerts and confirmations , and confirming the user ’ s identity .", "spans": {}, "info": {"id": "cyner_mitre_train_01153", "source": "cyner_mitre_train"}} +{"text": "RuMMS Samples , C2 , Hosting Sites , Infections and Timeline In total we captured 297 RuMMS samples , all of which attempt to contact an initial C2 server that we extracted from the app package .", "spans": {"Malware: RuMMS": [[0, 5], [86, 91]]}, "info": {"id": "cyner_mitre_train_01154", "source": "cyner_mitre_train"}} +{"text": "Figure 7 lists the IP addresses of these C2 servers , the number of RuMMS apps that connect to each of them , and the example URL used as the first parameter of the HttpPost operation ( used in the code of Figure 3 ) .", "spans": {"Malware: RuMMS": [[68, 73]]}, "info": {"id": "cyner_mitre_train_01155", "source": "cyner_mitre_train"}} +{"text": "This indicates that multiple C2 servers were used in this campaign , but one ( 37.1.207.31 ) was the most heavily used .", "spans": {"Indicator: 37.1.207.31": [[79, 90]]}, "info": {"id": "cyner_mitre_train_01156", "source": "cyner_mitre_train"}} +{"text": "Figure 7 .", "spans": {}, "info": {"id": "cyner_mitre_train_01157", "source": "cyner_mitre_train"}} +{"text": "RuMMS samples and C2 servers Figure 8 shows how these samples , C2 servers and hosting websites are related to each other , including when they were compiled or observed .", "spans": {"Malware: RuMMS": [[0, 5]]}, "info": {"id": "cyner_mitre_train_01158", "source": "cyner_mitre_train"}} +{"text": "In the quadrant , the smaller boxes in blue-gray represent particular apps in the RuMMS family , while the bigger boxes in deep-blue represent C2 servers used by some RuMMS apps .", "spans": {"Malware: RuMMS": [[82, 87], [167, 172]]}, "info": {"id": "cyner_mitre_train_01159", "source": "cyner_mitre_train"}} 
+{"text": "The dotted arrows represent the use of a particular C2 server by a specific app to send information and fetch instructions .", "spans": {}, "info": {"id": "cyner_mitre_train_01160", "source": "cyner_mitre_train"}} +{"text": "In this figure we have 11 RuMMS samples , all of which were hosted on the website as shown in the “ y ” axis .", "spans": {"Malware: RuMMS": [[26, 31]]}, "info": {"id": "cyner_mitre_train_01161", "source": "cyner_mitre_train"}} +{"text": "The dates on the “ x ” axis show the dates when we first saw these apps in the wild .", "spans": {}, "info": {"id": "cyner_mitre_train_01162", "source": "cyner_mitre_train"}} +{"text": "This figure demonstrates the following interesting information : The time range when threat actors distributed RuMMS on those shared-hosting websites is from January 2016 to March 2016 .", "spans": {"Malware: RuMMS": [[111, 116]]}, "info": {"id": "cyner_mitre_train_01163", "source": "cyner_mitre_train"}} +{"text": "Threat actors used different websites to host different payloads at different times .", "spans": {}, "info": {"id": "cyner_mitre_train_01164", "source": "cyner_mitre_train"}} +{"text": "This kind of “ moving target ” behavior made it harder to track their actions .", "spans": {}, "info": {"id": "cyner_mitre_train_01165", "source": "cyner_mitre_train"}} +{"text": "The same websites have hosted different RuMMS samples at different dates .", "spans": {"Malware: RuMMS": [[40, 45]]}, "info": {"id": "cyner_mitre_train_01166", "source": "cyner_mitre_train"}} +{"text": "C2 servers are shared by multiple samples .", "spans": {}, "info": {"id": "cyner_mitre_train_01167", "source": "cyner_mitre_train"}} +{"text": "This matches our observations of C2 servers as shown in Figure 7 .", "spans": {}, "info": {"id": "cyner_mitre_train_01168", "source": "cyner_mitre_train"}} +{"text": "Figure 8 .", "spans": {}, "info": {"id": "cyner_mitre_train_01169", "source": "cyner_mitre_train"}} +{"text": "RuMMS samples , hosting sites 
, C2 servers from Jan. 2016 to Mar .", "spans": {"Malware: RuMMS": [[0, 5]]}, "info": {"id": "cyner_mitre_train_01170", "source": "cyner_mitre_train"}} +{"text": "2016 We do not know exactly how many people have been infected with RuMMS malware ; however , our data suggests that there are at least 2,729 infections with RuMMS samples from January 2016 to early April 2016 .", "spans": {"Malware: RuMMS": [[68, 73], [158, 163]]}, "info": {"id": "cyner_mitre_train_01171", "source": "cyner_mitre_train"}} +{"text": "Figure 9 shows the number of RuMMS infections recorded in the last four months .", "spans": {"Malware: RuMMS": [[29, 34]]}, "info": {"id": "cyner_mitre_train_01172", "source": "cyner_mitre_train"}} +{"text": "When we first observed the malware in January , we recorded 380 infections .", "spans": {}, "info": {"id": "cyner_mitre_train_01173", "source": "cyner_mitre_train"}} +{"text": "In February , we recorded 767 infections .", "spans": {}, "info": {"id": "cyner_mitre_train_01174", "source": "cyner_mitre_train"}} +{"text": "In March , it peaked at 1,169 infections .", "spans": {}, "info": {"id": "cyner_mitre_train_01175", "source": "cyner_mitre_train"}} +{"text": "In April , at the time of writing this post , we recorded 413 RuMMS infections .", "spans": {"Malware: RuMMS": [[62, 67]]}, "info": {"id": "cyner_mitre_train_01176", "source": "cyner_mitre_train"}} +{"text": "Although the propagation trend seems to be slowing down a bit , the figure tells us that RuMMS malware is still alive in the wild .", "spans": {"Malware: RuMMS": [[89, 94]]}, "info": {"id": "cyner_mitre_train_01177", "source": "cyner_mitre_train"}} +{"text": "We continue to monitor its progress .", "spans": {}, "info": {"id": "cyner_mitre_train_01178", "source": "cyner_mitre_train"}} +{"text": "Conclusion Smishing ( SMS phishing ) offers a unique vector to infect mobile users .", "spans": {}, "info": {"id": "cyner_mitre_train_01179", "source": "cyner_mitre_train"}} +{"text": "The recent RuMMS 
campaign shows that Smishing is still a popular means for threat actors to distribute their malware .", "spans": {"Malware: RuMMS": [[11, 16]]}, "info": {"id": "cyner_mitre_train_01180", "source": "cyner_mitre_train"}} +{"text": "In addition , the use of shared-hosting providers adds flexibility to the threat actor ’ s campaign and makes it harder for defending parties to track these moving targets .", "spans": {}, "info": {"id": "cyner_mitre_train_01181", "source": "cyner_mitre_train"}} +{"text": "Fortunately , FireEye Mobile Threat Prevention platform can recognize the malicious SMS and networking behaviors used by these RuMMS samples , and help us quickly identify the threat .", "spans": {"System: FireEye Mobile Threat Prevention": [[14, 46]], "Malware: RuMMS": [[127, 132]]}, "info": {"id": "cyner_mitre_train_01182", "source": "cyner_mitre_train"}} +{"text": "To protect yourself from these threats , FireEye suggests that users : Take caution before clicking any links where you are not sure about the origin .", "spans": {"Organization: FireEye": [[41, 48]]}, "info": {"id": "cyner_mitre_train_01183", "source": "cyner_mitre_train"}} +{"text": "Don ’ t install apps outside the official app store .", "spans": {}, "info": {"id": "cyner_mitre_train_01184", "source": "cyner_mitre_train"}} +{"text": "Exodus : New Android Spyware Made in Italy Mar 29 Summary We identified a new Android spyware platform we named Exodus , which is composed of two stages we call Exodus One and Exodus Two .", "spans": {"Malware: Exodus": [[0, 6], [112, 118]], "System: Android": [[13, 20], [78, 85]], "Malware: Exodus One": [[161, 171]], "Malware: Exodus Two": [[176, 186]]}, "info": {"id": "cyner_mitre_train_01185", "source": "cyner_mitre_train"}} +{"text": "We have collected numerous samples spanning from 2016 to early 2019 .", "spans": {}, "info": {"id": "cyner_mitre_train_01186", "source": "cyner_mitre_train"}} +{"text": "Instances of this spyware were found on the Google Play Store , 
disguised as service applications from mobile operators .", "spans": {"System: Google Play Store": [[44, 61]]}, "info": {"id": "cyner_mitre_train_01187", "source": "cyner_mitre_train"}} +{"text": "Both the Google Play Store pages and the decoys of the malicious apps are in Italian .", "spans": {"System: Google Play Store": [[9, 26]]}, "info": {"id": "cyner_mitre_train_01188", "source": "cyner_mitre_train"}} +{"text": "According to publicly available statistics , as well as confirmation from Google , most of these apps collected a few dozens installations each , with one case reaching over 350 .", "spans": {"Organization: Google": [[74, 80]]}, "info": {"id": "cyner_mitre_train_01189", "source": "cyner_mitre_train"}} +{"text": "All of the victims are located in Italy .", "spans": {}, "info": {"id": "cyner_mitre_train_01190", "source": "cyner_mitre_train"}} +{"text": "All of these Google Play Store pages have been taken down by Google .", "spans": {"System: Google Play Store": [[13, 30]], "Organization: Google": [[61, 67]]}, "info": {"id": "cyner_mitre_train_01191", "source": "cyner_mitre_train"}} +{"text": "We believe this spyware platform is developed by an Italian company called eSurv , which primarily operates in the business of video surveillance .", "spans": {"Organization: eSurv": [[75, 80]]}, "info": {"id": "cyner_mitre_train_01192", "source": "cyner_mitre_train"}} +{"text": "According to public records it appears that eSurv began to also develop intrusion software in 2016 .", "spans": {"Organization: eSurv": [[44, 49]]}, "info": {"id": "cyner_mitre_train_01193", "source": "cyner_mitre_train"}} +{"text": "Exodus is equipped with extensive collection and interception capabilities .", "spans": {"Malware: Exodus": [[0, 6]]}, "info": {"id": "cyner_mitre_train_01194", "source": "cyner_mitre_train"}} +{"text": "Worryingly , some of the modifications enforced by the spyware might expose the infected devices to further compromise or data tampering .", "spans": {}, 
"info": {"id": "cyner_mitre_train_01195", "source": "cyner_mitre_train"}} +{"text": "Disguised Spyware Uploaded on Google Play Store We identified previously unknown spyware apps being successfully uploaded on Google Play Store multiple times over the course of over two years .", "spans": {"System: Google Play Store": [[30, 47], [125, 142]]}, "info": {"id": "cyner_mitre_train_01196", "source": "cyner_mitre_train"}} +{"text": "These apps would remain available on the Play Store for months and would eventually be re-uploaded .", "spans": {"System: Play Store": [[41, 51]]}, "info": {"id": "cyner_mitre_train_01197", "source": "cyner_mitre_train"}} +{"text": "While details would vary , all of the identified copies of this spyware shared a similar disguise .", "spans": {}, "info": {"id": "cyner_mitre_train_01198", "source": "cyner_mitre_train"}} +{"text": "In most cases they would be crafted to appear as applications distributed by unspecified mobile operators in Italy .", "spans": {}, "info": {"id": "cyner_mitre_train_01199", "source": "cyner_mitre_train"}} +{"text": "Often the app description on the Play Store would reference some SMS messages the targets would supposedly receive leading them to the Play Store page .", "spans": {"System: Play Store": [[33, 43], [135, 145]]}, "info": {"id": "cyner_mitre_train_01200", "source": "cyner_mitre_train"}} +{"text": "All of the Play Store pages we identified and all of the decoys of the apps themselves are written in Italian .", "spans": {"System: Play Store": [[11, 21]]}, "info": {"id": "cyner_mitre_train_01201", "source": "cyner_mitre_train"}} +{"text": "According to Google , whom we have contacted to alert about our discoveries , nearly 25 variants of this spyware were uploaded on Google Play Store .", "spans": {"Organization: Google": [[13, 19]], "System: Google Play Store": [[130, 147]]}, "info": {"id": "cyner_mitre_train_01202", "source": "cyner_mitre_train"}} +{"text": "Google Play has removed the apps and they stated 
that \" thanks to enhanced detection models , Google Play Protect will now be able to better detect future variants of these applications '' .", "spans": {"System: Google Play": [[0, 11]], "System: Google Play Protect": [[94, 113]]}, "info": {"id": "cyner_mitre_train_01203", "source": "cyner_mitre_train"}} +{"text": "While Google did not share with us the total number of infected devices , they confirmed that one of these malicious apps collected over 350 installations through the Play Store , while other variants collected few dozens each , and that all infections were located in Italy .", "spans": {"System: Play Store": [[167, 177]]}, "info": {"id": "cyner_mitre_train_01204", "source": "cyner_mitre_train"}} +{"text": "We have directly observed multiple copies of Exodus with more than 50 installs and we can estimate the total number of infections to amount in the several hundreds , if not a thousand or more .", "spans": {"Malware: Exodus": [[45, 51]]}, "info": {"id": "cyner_mitre_train_01205", "source": "cyner_mitre_train"}} +{"text": "Stage 1 : Exodus One The first stage installed by downloading the malicious apps uploaded on Google Play Store only acts as a dropper .", "spans": {"Malware: Exodus One": [[10, 20]], "System: Google Play Store": [[93, 110]]}, "info": {"id": "cyner_mitre_train_01206", "source": "cyner_mitre_train"}} +{"text": "Following are some examples of the decoys used by these droppers : The purpose of Exodus One seems to be to collect some basic identifying information about the device ( namely the IMEI code and the phone number ) and send it to the Command & Control server .", "spans": {"Malware: Exodus One": [[82, 92]]}, "info": {"id": "cyner_mitre_train_01207", "source": "cyner_mitre_train"}} +{"text": "This is usually done in order to validate the target of a new infection .", "spans": {}, "info": {"id": "cyner_mitre_train_01208", "source": "cyner_mitre_train"}} +{"text": "This is further corroborated by some older and unobfuscated samples 
from 2016 , whose primary classes are named CheckValidTarget .", "spans": {}, "info": {"id": "cyner_mitre_train_01209", "source": "cyner_mitre_train"}} +{"text": "During our tests the spyware was upgraded to the second stage on our test device immediately after the first check-ins .", "spans": {}, "info": {"id": "cyner_mitre_train_01210", "source": "cyner_mitre_train"}} +{"text": "This suggests that the operators of the Command & Control are not enforcing a validation of the targets .", "spans": {}, "info": {"id": "cyner_mitre_train_01211", "source": "cyner_mitre_train"}} +{"text": "Additionally , during a period of several days , our infected test device was never remotely disinfected by the operators .", "spans": {}, "info": {"id": "cyner_mitre_train_01212", "source": "cyner_mitre_train"}} +{"text": "For the purpose of this report we analyze here the Exodus One sample with hash 8453ce501fee1ca8a321f16b09969c517f92a24b058ac5b54549eabd58bf1884 which communicated with the Command & Control server at 54.71.249.137 .", "spans": {"Malware: Exodus One": [[51, 61]], "Indicator: 8453ce501fee1ca8a321f16b09969c517f92a24b058ac5b54549eabd58bf1884": [[79, 143]], "Indicator: 54.71.249.137": [[200, 213]]}, "info": {"id": "cyner_mitre_train_01213", "source": "cyner_mitre_train"}} +{"text": "Other samples communicated with other servers listed at the bottom of this report .", "spans": {}, "info": {"id": "cyner_mitre_train_01214", "source": "cyner_mitre_train"}} +{"text": "Exodus One checks-in by sending a POST request containing the app package name , the device IMEI and an encrypted body containing additional device information .", "spans": {}, "info": {"id": "cyner_mitre_train_01215", "source": "cyner_mitre_train"}} +{"text": "The encrypted body is composed of various identifiers which are joined together : doFinal ( ) is called to encrypt the device information string : The user agent string is built from the package name and IMEI number : Finally the HTTP request is sent to 
the server at https : //54.71.249.137/eddd0317-2bdc-4140-86cb-0e8d7047b874 .", "spans": {"Indicator: https : //54.71.249.137/eddd0317-2bdc-4140-86cb-0e8d7047b874": [[268, 328]]}, "info": {"id": "cyner_mitre_train_01216", "source": "cyner_mitre_train"}} +{"text": "Many of the strings in the application are XOR 'd with the key Kjk1MmphFG : After some additional requests , the dropper made a POST request to https : //54.71.249.137/56e087c9-fc56-49bb-bbd0-4fafc4acd6e1 which returned a zip file containing the second stage binaries .", "spans": {"Indicator: https : //54.71.249.137/56e087c9-fc56-49bb-bbd0-4fafc4acd6e1": [[144, 204]]}, "info": {"id": "cyner_mitre_train_01217", "source": "cyner_mitre_train"}} +{"text": "Stage 2 : Exodus Two The Zip archive returned by the check-in performed by Exodus One is a collection of files including the primary payload mike.jar and several compiled utilities that serve different functions .", "spans": {"Malware: Exodus Two": [[10, 20]], "Malware: Exodus One": [[75, 85]], "Indicator: mike.jar": [[141, 149]]}, "info": {"id": "cyner_mitre_train_01218", "source": "cyner_mitre_train"}} +{"text": "At least in most recent versions , as of January 2019 , the Zip archive would actually contain the i686 , arm and arm64 versions of all deployed binaries .", "spans": {}, "info": {"id": "cyner_mitre_train_01219", "source": "cyner_mitre_train"}} +{"text": "File Name Modified Date SHA256 null_arm 2018-02-27 06:44:00 48a7dd672931e408662d2b5e1abcd6ef00097b8ffe3814f0d2799dd6fd74bd88 null_i686 2018-02-27 06:44:00 c228a534535b22a316a97908595a2d793d0fecabadc32846c6d1bfb08ca9a658 null_arm64 2018-02-27 06:43:00 48a7dd672931e408662d2b5e1abcd6ef00097b8ffe3814f0d2799dd6fd74bd88", "spans": {"Indicator: 48a7dd672931e408662d2b5e1abcd6ef00097b8ffe3814f0d2799dd6fd74bd88": [[60, 124], [251, 315]], "Indicator: c228a534535b22a316a97908595a2d793d0fecabadc32846c6d1bfb08ca9a658": [[155, 219]]}, "info": {"id": "cyner_mitre_train_01220", "source": "cyner_mitre_train"}} 
+{"text": "sepolicy-inject_arm 2019-01-08 04:55:00 47449a612697ad99a6fbd6e02a84e957557371151f2b034a411ebb10496648c8 sepolicy-inject_arm64 2019-01-08 04:55:00 824ad333320cbb7873dc49e61c14f749b0e0d88723635524463f2e6f56ea133a sepolicy-inject_i686 2019-01-08 04:55:00 13ec6cec511297ac3137cf7d6e4a7c4f5dd2b24478a06262a44f13a3d61070b6", "spans": {"Indicator: 47449a612697ad99a6fbd6e02a84e957557371151f2b034a411ebb10496648c8": [[40, 104]], "Indicator: 824ad333320cbb7873dc49e61c14f749b0e0d88723635524463f2e6f56ea133a": [[147, 211]], "Indicator: 13ec6cec511297ac3137cf7d6e4a7c4f5dd2b24478a06262a44f13a3d61070b6": [[253, 317]]}, "info": {"id": "cyner_mitre_train_01221", "source": "cyner_mitre_train"}} +{"text": "rootdaemon_arm 2019-01-08 04:55:00 00c787c0c0bc26caf623e66373a5aaa1b913b9caee1f34580bdfdd21954b7cc4 rootdaemon_arm64 2019-01-08 04:55:00 3ee3a973c62ba5bd9eab595a7c94b7a26827c5fa5b21964d511ab58903929ec5 mike.jar 2018-12-06 05:50:00 a42a05bf9b412cd84ea92b166d790e8e72f1d01764f93b05ace62237fbabe40e", "spans": {"Indicator: 00c787c0c0bc26caf623e66373a5aaa1b913b9caee1f34580bdfdd21954b7cc4": [[35, 99]], "Indicator: 3ee3a973c62ba5bd9eab595a7c94b7a26827c5fa5b21964d511ab58903929ec5": [[137, 201]], "Indicator: mike.jar": [[202, 210]], "Indicator: a42a05bf9b412cd84ea92b166d790e8e72f1d01764f93b05ace62237fbabe40e": [[231, 295]]}, "info": {"id": "cyner_mitre_train_01222", "source": "cyner_mitre_train"}} +{"text": "rootdaemon_i686 2019-01-08 04:55:00 b46f282f9a1bce3798faee3212e28924730a657eb93cda3824c449868b6ee2e7 zygotedaemonarm 2019-01-08 04:55:00 e3f65f84dd6c2c3a5a653a3788d78920c0321526062a6b53daaf23fa57778a5f zygotedaemonarm64 2019-01-08 04:55:00 11499ff2418f4523344de81a447f6786fdba4982057d4114f64db929990b4b59", "spans": {"Indicator: b46f282f9a1bce3798faee3212e28924730a657eb93cda3824c449868b6ee2e7": [[36, 100]], "Indicator: e3f65f84dd6c2c3a5a653a3788d78920c0321526062a6b53daaf23fa57778a5f": [[137, 201]], "Indicator: 11499ff2418f4523344de81a447f6786fdba4982057d4114f64db929990b4b59": 
[[240, 304]]}, "info": {"id": "cyner_mitre_train_01223", "source": "cyner_mitre_train"}} +{"text": "zygotedaemoni686 2019-01-08 04:55:00 3c9f08b3280851f54414dfa5a57f40d3b7be7b73736fa0ba21b078e75ce54d33 sapp.apk 2019-01-08 04:53:00 4bf1446c412dd5c552539490d03e999a6ceb96ae60a9e7846427612bec316619 placeholder 2018-03-29 16:31:00 e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855", "spans": {"Indicator: 3c9f08b3280851f54414dfa5a57f40d3b7be7b73736fa0ba21b078e75ce54d33": [[37, 101]], "Indicator: sapp.apk": [[102, 110]], "Indicator: 4bf1446c412dd5c552539490d03e999a6ceb96ae60a9e7846427612bec316619": [[131, 195]], "Indicator: e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855": [[228, 292]]}, "info": {"id": "cyner_mitre_train_01224", "source": "cyner_mitre_train"}} +{"text": "After download , Exodus One would dynamically load and execute the primary stage 2 payload mike.jar using the Android API DexClassLoader ( ) .", "spans": {"Malware: Exodus One": [[17, 27]], "Indicator: mike.jar": [[91, 99]], "System: Android API": [[110, 121]]}, "info": {"id": "cyner_mitre_train_01225", "source": "cyner_mitre_train"}} +{"text": "mike.jar implements most of the data collection and exfiltration capabilities of this spyware .", "spans": {"Indicator: mike.jar": [[0, 8]]}, "info": {"id": "cyner_mitre_train_01226", "source": "cyner_mitre_train"}} +{"text": "Of the various binaries downloaded , the most interesting are null , which serves as a local and reverse shell , and rootdaemon , which takes care of privilege escalation and data acquisition .", "spans": {}, "info": {"id": "cyner_mitre_train_01227", "source": "cyner_mitre_train"}} +{"text": "rootdaemon will first attempt to jailbreak the device using a modified version of the DirtyCow exploit .", "spans": {"Vulnerability: DirtyCow exploit": [[86, 102]]}, "info": {"id": "cyner_mitre_train_01228", "source": "cyner_mitre_train"}} +{"text": "Similarly to another Android spyware made in Italy , originally 
discovered by Lukas Stefanko and later named Skygofree and analyzed in depth by Kaspersky Labs , Exodus also takes advantage of \" protectedapps '' , a feature in Huawei phones that allows to configure power-saving options for running applications .", "spans": {"System: Android": [[21, 28]], "Malware: Skygofree": [[109, 118]], "Organization: Kaspersky Labs": [[144, 158]], "Malware: Exodus": [[161, 167]], "Organization: Huawei": [[226, 232]]}, "info": {"id": "cyner_mitre_train_01229", "source": "cyner_mitre_train"}} +{"text": "By manipulating a SQLite database , Exodus is able to keep itself running even when the screen goes off and the application would otherwise be suspended to reduce battery consumption .", "spans": {"Malware: Exodus": [[36, 42]]}, "info": {"id": "cyner_mitre_train_01230", "source": "cyner_mitre_train"}} +{"text": "Additionally , rootdaemon attempts to remove its own power usage statistics from Huawei phones ' SystemManager : Similarly , the malicious application probably attempts to minimize traces on Samsung phones by adding to the file /data/data/com.samsung.android.securitylogagent/shared_prefs/apm_sp_status_of_apps.xml the following lines : And adding to the file /data/data/com.samsung.android.securitylogagent/shared_prefs/com.samsung.android.securitylogagent_preferences.xml", "spans": {"Organization: Huawei": [[81, 87]], "Organization: Samsung": [[191, 198]], "Indicator: /data/data/com.samsung.android.securitylogagent/shared_prefs/apm_sp_status_of_apps.xml": [[228, 314]], "Indicator: /data/data/com.samsung.android.securitylogagent/shared_prefs/com.samsung.android.securitylogagent_preferences.xml": [[360, 473]]}, "info": {"id": "cyner_mitre_train_01231", "source": "cyner_mitre_train"}} +{"text": "these lines instead : Data Collection and Exfiltration As mentioned , mike.jar equips the spyware with extensive collection capabilities , including : Retrieve a list of installed applications .", "spans": {"Indicator: mike.jar": [[70, 78]]}, 
"info": {"id": "cyner_mitre_train_01232", "source": "cyner_mitre_train"}} +{"text": "Record surroundings using the built-in microphone in 3gp format .", "spans": {}, "info": {"id": "cyner_mitre_train_01233", "source": "cyner_mitre_train"}} +{"text": "Retrieve the browsing history and bookmarks from Chrome and SBrowser ( the browser shipped with Samsung phones ) .", "spans": {"System: Chrome": [[49, 55]], "System: SBrowser": [[60, 68]], "Organization: Samsung": [[96, 103]]}, "info": {"id": "cyner_mitre_train_01234", "source": "cyner_mitre_train"}} +{"text": "Extract events from the Calendar app .", "spans": {"System: Calendar app": [[24, 36]]}, "info": {"id": "cyner_mitre_train_01235", "source": "cyner_mitre_train"}} +{"text": "Extract the calls log .", "spans": {}, "info": {"id": "cyner_mitre_train_01236", "source": "cyner_mitre_train"}} +{"text": "Record phone calls audio in 3gp format .", "spans": {}, "info": {"id": "cyner_mitre_train_01237", "source": "cyner_mitre_train"}} +{"text": "Take pictures with the embedded camera .", "spans": {}, "info": {"id": "cyner_mitre_train_01238", "source": "cyner_mitre_train"}} +{"text": "Collect information on surrounding cellular towers ( BTS ) .", "spans": {}, "info": {"id": "cyner_mitre_train_01239", "source": "cyner_mitre_train"}} +{"text": "Extract the address book .", "spans": {"System: address book": [[12, 24]]}, "info": {"id": "cyner_mitre_train_01240", "source": "cyner_mitre_train"}} +{"text": "Extract the contacts list from the Facebook app .", "spans": {"System: Facebook app": [[35, 47]]}, "info": {"id": "cyner_mitre_train_01241", "source": "cyner_mitre_train"}} +{"text": "Extract logs from Facebook Messenger conversations .", "spans": {"System: Facebook Messenger": [[18, 36]]}, "info": {"id": "cyner_mitre_train_01242", "source": "cyner_mitre_train"}} +{"text": "Take a screenshot of any app in foreground .", "spans": {}, "info": {"id": "cyner_mitre_train_01243", "source": "cyner_mitre_train"}} +{"text": "Extract 
information on pictures from the Gallery .", "spans": {}, "info": {"id": "cyner_mitre_train_01244", "source": "cyner_mitre_train"}} +{"text": "Extract information from th GMail app .", "spans": {"System: GMail": [[28, 33]]}, "info": {"id": "cyner_mitre_train_01245", "source": "cyner_mitre_train"}} +{"text": "Dump data from the IMO messenger app .", "spans": {"System: messenger": [[23, 32]]}, "info": {"id": "cyner_mitre_train_01246", "source": "cyner_mitre_train"}} +{"text": "Extract call logs , contacts and messages from the Skype app .", "spans": {"System: Skype": [[51, 56]]}, "info": {"id": "cyner_mitre_train_01247", "source": "cyner_mitre_train"}} +{"text": "Retrieve all SMS messages .", "spans": {}, "info": {"id": "cyner_mitre_train_01248", "source": "cyner_mitre_train"}} +{"text": "Extract messages and the encryption key from the Telegram app .", "spans": {"System: Telegram": [[49, 57]]}, "info": {"id": "cyner_mitre_train_01249", "source": "cyner_mitre_train"}} +{"text": "Dump data from the Viber messenger app .", "spans": {"System: Viber messenger": [[19, 34]]}, "info": {"id": "cyner_mitre_train_01250", "source": "cyner_mitre_train"}} +{"text": "Extract logs from WhatsApp .", "spans": {"System: WhatsApp": [[18, 26]]}, "info": {"id": "cyner_mitre_train_01251", "source": "cyner_mitre_train"}} +{"text": "Retrieve media exchanged through WhatsApp .", "spans": {"System: WhatsApp": [[33, 41]]}, "info": {"id": "cyner_mitre_train_01252", "source": "cyner_mitre_train"}} +{"text": "Extract the Wi-Fi network 's password .", "spans": {}, "info": {"id": "cyner_mitre_train_01253", "source": "cyner_mitre_train"}} +{"text": "Extract data from WeChat app .", "spans": {"System: WeChat": [[18, 24]]}, "info": {"id": "cyner_mitre_train_01254", "source": "cyner_mitre_train"}} +{"text": "Extract current GPS coordinates of the phone .", "spans": {}, "info": {"id": "cyner_mitre_train_01255", "source": "cyner_mitre_train"}} +{"text": "While some of these acquisition are performed 
purely through code in mike.jar , some others that require access to , for example , SQLite databases or other files in the application 's storage are performed through rootdaemon instead , which should be running with root privileges .", "spans": {"Indicator: mike.jar": [[69, 77]]}, "info": {"id": "cyner_mitre_train_01256", "source": "cyner_mitre_train"}} +{"text": "In order to achieve this , mike.jar connects to rootdaemon through various TCP ports that the daemon binds on some extraction routines for supported applications : Port 6202 : WhatsApp extraction service .", "spans": {"Indicator: mike.jar": [[27, 35]], "Indicator: Port 6202": [[164, 173]], "System: WhatsApp": [[176, 184]]}, "info": {"id": "cyner_mitre_train_01257", "source": "cyner_mitre_train"}} +{"text": "Ports 6203 and 6204 : Facebook extraction service .", "spans": {"Indicator: Ports 6203 and 6204": [[0, 19]], "Organization: Facebook": [[22, 30]]}, "info": {"id": "cyner_mitre_train_01258", "source": "cyner_mitre_train"}} +{"text": "Port 6205 : Gmail extraction service .", "spans": {"Indicator: Port 6205": [[0, 9]], "System: Gmail": [[12, 17]]}, "info": {"id": "cyner_mitre_train_01259", "source": "cyner_mitre_train"}} +{"text": "Port 6206 : Skype extraction service .", "spans": {"Indicator: Port 6206": [[0, 9]], "System: Skype": [[12, 17]]}, "info": {"id": "cyner_mitre_train_01260", "source": "cyner_mitre_train"}} +{"text": "Port 6207 : Viber extraction service .", "spans": {"Indicator: Port 6207": [[0, 9]], "System: Viber": [[12, 17]]}, "info": {"id": "cyner_mitre_train_01261", "source": "cyner_mitre_train"}} +{"text": "Port 6208 : IMO extraction service .", "spans": {"Indicator: Port 6208": [[0, 9]], "System: IMO": [[12, 15]]}, "info": {"id": "cyner_mitre_train_01262", "source": "cyner_mitre_train"}} +{"text": "Port 6209 : Telegram extraction service .", "spans": {"Indicator: Port 6209": [[0, 9]], "System: Telegram": [[12, 20]]}, "info": {"id": "cyner_mitre_train_01263", "source": 
"cyner_mitre_train"}} +{"text": "Port 6210 : SBrowser extraction service .", "spans": {"Indicator: Port 6210": [[0, 9]], "System: SBrowser": [[12, 20]]}, "info": {"id": "cyner_mitre_train_01264", "source": "cyner_mitre_train"}} +{"text": "Port 6211 : Calendar extraction service .", "spans": {"Indicator: Port 6211": [[0, 9]], "System: Calendar": [[12, 20]]}, "info": {"id": "cyner_mitre_train_01265", "source": "cyner_mitre_train"}} +{"text": "Port 6212 : Chrome extraction service .", "spans": {"Indicator: Port 6212": [[0, 9]], "System: Chrome": [[12, 18]]}, "info": {"id": "cyner_mitre_train_01266", "source": "cyner_mitre_train"}} +{"text": "These services appear to be running on all network interfaces and are therefore accessible to anyone sharing a local network with an infected device .", "spans": {}, "info": {"id": "cyner_mitre_train_01267", "source": "cyner_mitre_train"}} +{"text": "Following we can see an example of a connection to port 6209 which is used to extract data from the Telegram app .", "spans": {"Indicator: port 6209": [[51, 60]], "System: Telegram": [[100, 108]]}, "info": {"id": "cyner_mitre_train_01268", "source": "cyner_mitre_train"}} +{"text": "We are able to send commands to the service such as dumpmsgdb or getkey ( which dumps the tgnet.dat file ) .", "spans": {"Indicator: tgnet.dat file": [[90, 104]]}, "info": {"id": "cyner_mitre_train_01269", "source": "cyner_mitre_train"}} +{"text": "Data acquired from mike.jar 's extraction modules is normally XORed and stored in a folder named .lost+found on the SD card .", "spans": {"Indicator: mike.jar": [[19, 27]]}, "info": {"id": "cyner_mitre_train_01270", "source": "cyner_mitre_train"}} +{"text": "Data is eventually exfiltrated over a TLS connection to the Command & Control server ws.my-local-weather [ .", "spans": {"Indicator: server ws.my-local-weather [ .": [[78, 108]]}, "info": {"id": "cyner_mitre_train_01271", "source": "cyner_mitre_train"}} +{"text": "] com through an upload queue .", "spans": 
{}, "info": {"id": "cyner_mitre_train_01272", "source": "cyner_mitre_train"}} +{"text": "As mentioned before , our test device was automatically from stage one to stage two , which started collecting data .", "spans": {}, "info": {"id": "cyner_mitre_train_01273", "source": "cyner_mitre_train"}} +{"text": "For example , the password of the WiFi network used by the phone was stored in the folder /storage/emulated/0/.lost+found/0BBDA068-9D27-4B55-B226-299FCF2B4242/ using the following file name format DD_MM_2019_HH_mm_ss_XXXXXXXXXXXXX.txt.crypt ( the datetime followed by the IMEI ) .", "spans": {"Indicator: /storage/emulated/0/.lost+found/0BBDA068-9D27-4B55-B226-299FCF2B4242/": [[90, 159]], "Indicator: DD_MM_2019_HH_mm_ss_XXXXXXXXXXXXX.txt.crypt": [[197, 240]]}, "info": {"id": "cyner_mitre_train_01274", "source": "cyner_mitre_train"}} +{"text": "Eventually we observed the agent exfiltrate the WiFi password from our test phone to the Command & Control server : Similarly , the agent also sent to the Command & Control the list of installed apps : This Command & Control seems to have been active since at least April 2017 and was registered impersonating the legitimate service AccuWeather .", "spans": {"System: AccuWeather": [[333, 344]]}, "info": {"id": "cyner_mitre_train_01275", "source": "cyner_mitre_train"}} +{"text": "Local and Remote Shells In order to execute commands on the infected devices , as well as to provide a reverse shell to the Command & Control operators , Exodus Two immediately attempts to execute a payload it downloads with the name null .", "spans": {"Malware: Exodus Two": [[154, 164]]}, "info": {"id": "cyner_mitre_train_01276", "source": "cyner_mitre_train"}} +{"text": "Once launched , null will first verify whether it is able to fork on the system and that there is no other instance of itself currently running by checking whether the local port number 6842 is available .", "spans": {"Indicator: port number 6842": [[174, 190]]}, "info": {"id": 
"cyner_mitre_train_01277", "source": "cyner_mitre_train"}} +{"text": "This payload will then attempt to instantiate a remote reverse /system/bin/sh shell to the Command & Control ws.my-local-weather [ .", "spans": {"Indicator: /system/bin/sh": [[63, 77]], "Indicator: ws.my-local-weather [ .": [[109, 132]]}, "info": {"id": "cyner_mitre_train_01278", "source": "cyner_mitre_train"}} +{"text": "] com on port 22011 .", "spans": {"Indicator: port 22011": [[9, 19]]}, "info": {"id": "cyner_mitre_train_01279", "source": "cyner_mitre_train"}} +{"text": "It is worth noticing that this remote reverse shell does not employ any transport cryptography .", "spans": {}, "info": {"id": "cyner_mitre_train_01280", "source": "cyner_mitre_train"}} +{"text": "The traffic transits in clear and is therefore potentially exposed to man-in-the-middle attacks : At the same time , null will also bind a local shell on 0.0.0.0:6842 .", "spans": {"Indicator: 0.0.0.0:6842": [[154, 166]]}, "info": {"id": "cyner_mitre_train_01281", "source": "cyner_mitre_train"}} +{"text": "This local port is used by Exodus Two to execute various commands on the Android device , such as enabling or disabling certain services , or parsing app databases .", "spans": {"Malware: Exodus Two": [[27, 37]], "System: Android": [[73, 80]]}, "info": {"id": "cyner_mitre_train_01282", "source": "cyner_mitre_train"}} +{"text": "However , binding a shell on all available interfaces will obviously make it accessible to anyone who is sharing at least a local network with an infected device .", "spans": {}, "info": {"id": "cyner_mitre_train_01283", "source": "cyner_mitre_train"}} +{"text": "For example , if an infected device is connected to a public Wi-Fi network any other host will be able to obtain a terminal on the device without any form of authentication or verification by simply connecting to the port .", "spans": {}, "info": {"id": "cyner_mitre_train_01284", "source": "cyner_mitre_train"}} +{"text": "If the mobile operator 
does n't enforce proper client isolation , it is possible that the infected devices are also exposed to the rest of the cellular network .", "spans": {}, "info": {"id": "cyner_mitre_train_01285", "source": "cyner_mitre_train"}} +{"text": "Obviously , this inevitably leaves the device open not only to further compromise but to data tampering as well .", "spans": {}, "info": {"id": "cyner_mitre_train_01286", "source": "cyner_mitre_train"}} +{"text": "null is not the only payload opening a shell on the phone .", "spans": {}, "info": {"id": "cyner_mitre_train_01287", "source": "cyner_mitre_train"}} +{"text": "The rootdaemon binary in fact offers several other possibilities to execute commands on the infected device just by connecting to TCP port 6200 and issuing one of the following commands .", "spans": {"Indicator: port 6200": [[134, 143]]}, "info": {"id": "cyner_mitre_train_01288", "source": "cyner_mitre_train"}} +{"text": "Sending the command sh to TCP port 6200 results in a full terminal being dropped : Sending the command cmd followed by a proper terminal command will execute it and print the output ( in the example we use id which displays the identity of the system user running the issued commands ) : Doing the same as above but with command sucmd will run the terminal command as root : Other commands supported by rootdaemon on TCP port 6200 are su ( which in our tests did n't properly work ) , loadsocketpolicy , loadfilepolicy , remount and removeroot", "spans": {"Indicator: port 6200": [[30, 39], [421, 430]]}, "info": {"id": "cyner_mitre_train_01289", "source": "cyner_mitre_train"}} +{"text": ".", "spans": {}, "info": {"id": "cyner_mitre_train_01290", "source": "cyner_mitre_train"}} +{"text": "At the cost of possibly being overly verbose , following is the output of an nmap scan of the infected Android device from a laptop in the same local network , which further demonstrantes the availability of the same open TCP ports that we have mentioned thus far : 
Identification of eSurv Presence of Italian language At a first look , the first samples of the spyware we obtained did not show immediately evident connections to any company .", "spans": {"Organization: eSurv": [[284, 289]]}, "info": {"id": "cyner_mitre_train_01291", "source": "cyner_mitre_train"}} +{"text": "However , the persistent presence of Italian language both on the Google Play Store pages as well as inside the spyware code was a clear sign that an Italian actor was behind the creation of this platform .", "spans": {"System: Google Play": [[66, 77]]}, "info": {"id": "cyner_mitre_train_01292", "source": "cyner_mitre_train"}} +{"text": "Initially some particular words from the decompiled classes.dex of Exodus Two sent us in the right direction .", "spans": {"Indicator: classes.dex": [[52, 63]], "Malware: Exodus": [[67, 73]]}, "info": {"id": "cyner_mitre_train_01293", "source": "cyner_mitre_train"}} +{"text": "\" Mundizza '' is a dialectal word , a derivative of the proper Italian word \" immondizia '' that translates to \" trash '' or \" garbage '' in English .", "spans": {}, "info": {"id": "cyner_mitre_train_01294", "source": "cyner_mitre_train"}} +{"text": "Interestingly , \" mundizza '' is typical of Calabria , a region in the south of Italy , and more specifically it appears to be language native of the city of Catanzaro .", "spans": {}, "info": {"id": "cyner_mitre_train_01295", "source": "cyner_mitre_train"}} +{"text": "Additionally , some copies of Exodus One use the following XOR key : Rino Gattuso is a famous retired Italian footballer , originally from Calabria .", "spans": {}, "info": {"id": "cyner_mitre_train_01296", "source": "cyner_mitre_train"}} +{"text": "While not too seriously , these elements made us restrict our research into surveillance companies from the region .", "spans": {}, "info": {"id": "cyner_mitre_train_01297", "source": "cyner_mitre_train"}} +{"text": "Overlapping Infrastructure with eSurv Surveillance Cameras The Command & 
Control domain configured in several of the malicious applications found on Google Play Store , ws.my-local-weather [ .", "spans": {"System: Google Play Store": [[149, 166]], "Indicator: ws.my-local-weather [ .": [[169, 192]]}, "info": {"id": "cyner_mitre_train_01298", "source": "cyner_mitre_train"}} +{"text": "] com , points to the IP address 54.69.156.31 which serves a self-signed TLS certificate with the certificate common name MyCert and fingerprint 11:41:45:2F : A7:07:23:54 : AE:9A : CE : F4 : FE:56 : AE : AC : B1 : C2:15:9F:6A : FC:1E : CC:7D : F8:61 : E3:25:26:73:6A .", "spans": {"Indicator: 54.69.156.31": [[33, 45]], "Indicator: 11:41:45:2F : A7:07:23:54": [[145, 170]], "Indicator: AE:9A : CE : F4 : FE:56 : AE : AC": [[173, 206]], "Indicator: B1 : C2:15:9F:6A : FC:1E : CC:7D": [[209, 241]], "Indicator: : F8:61 : E3:25:26:73:6A": [[242, 266]]}, "info": {"id": "cyner_mitre_train_01299", "source": "cyner_mitre_train"}} +{"text": "A search for this certificate fingerprint on the Internet scanning service Censys returns 8 additional servers : IP address 34.208.71.9 34.212.92.0 34.216.43.114 52.34.144.229 54.69.156.31 54.71.249.137 54.189.5.198 78.5.0.195 207.180.245.74 Opening the Command & Control web page in a browser presents a Basic Authentication prompt : Closing this prompt causes the server to send a \" 401 Unauthorized Response '' with an \" Access Denied '' message in Italian", "spans": {"Indicator: 34.208.71.9": [[124, 135]], "Indicator: 34.212.92.0": [[136, 147]], "Indicator: 34.216.43.114": [[148, 161]], "Indicator: 52.34.144.229": [[162, 175]], "Indicator: 54.69.156.31": [[176, 188]], "Indicator: 54.71.249.137": [[189, 202]], "Indicator: 54.189.5.198": [[203, 215]], "Indicator: 78.5.0.195": [[216, 226]], "Indicator: 207.180.245.74": [[227, 241]]}, "info": {"id": "cyner_mitre_train_01300", "source": "cyner_mitre_train"}} +{"text": ".", "spans": {}, "info": {"id": "cyner_mitre_train_01301", "source": "cyner_mitre_train"}} +{"text": "All of the other 
IP address we discovered sharing the same TLS certificate behave in the same way .", "spans": {}, "info": {"id": "cyner_mitre_train_01302", "source": "cyner_mitre_train"}} +{"text": "The Command & Control server also displays a favicon image which looks like a small orange ball .", "spans": {}, "info": {"id": "cyner_mitre_train_01303", "source": "cyner_mitre_train"}} +{"text": "At the time of writing , a reverse image search for the favicon on Shodan using the query http.favicon.hash:990643579 returned around 40 web servers which use the same favicon .", "spans": {"Indicator: http.favicon.hash:990643579": [[90, 117]]}, "info": {"id": "cyner_mitre_train_01304", "source": "cyner_mitre_train"}} +{"text": "Many of these servers are control panels for video surveillance systems developed by the Italian company eSurv , based in Catanzaro , in Calabria , Italy .", "spans": {}, "info": {"id": "cyner_mitre_train_01305", "source": "cyner_mitre_train"}} +{"text": "Their publicly advertised products include CCTV management systems , surveillance drones , face and license plate recognition systems .", "spans": {}, "info": {"id": "cyner_mitre_train_01306", "source": "cyner_mitre_train"}} +{"text": "eSurv 's logo is identical to the Command & Control server favicon .", "spans": {"Organization: eSurv": [[0, 5]]}, "info": {"id": "cyner_mitre_train_01307", "source": "cyner_mitre_train"}} +{"text": "Older samples connecting to eSurv Finally , Google shared with us some older samples of Exodus One ( with hashes 2055584625d24687bd027a63bc0b8faa7d1a854a535de74afba24840a52b1d2f and a37f5d2418c5f2f64d06ba28fe62edee1293a56158ddfa9f04020e316054363f ) which are not obfuscated and use the following disguise : The configuration of these older samples", "spans": {"Organization: eSurv": [[28, 33]], "Organization: Google": [[44, 50]], "Malware: Exodus One": [[88, 98]], "Indicator: 2055584625d24687bd027a63bc0b8faa7d1a854a535de74afba24840a52b1d2f": [[113, 177]], "Indicator: 
a37f5d2418c5f2f64d06ba28fe62edee1293a56158ddfa9f04020e316054363f": [[182, 246]]}, "info": {"id": "cyner_mitre_train_01308", "source": "cyner_mitre_train"}} +{"text": "is very similar to newer ones , but it provides additional insights being not obfuscated : Firstly we can notice that , instead of generic domain names or IP addresses , these samples communicated with a Command & Control server located at attiva.exodus.esurv [ .", "spans": {"Indicator: attiva.exodus.esurv [ .": [[240, 263]]}, "info": {"id": "cyner_mitre_train_01309", "source": "cyner_mitre_train"}} +{"text": "] it ( \" attiva '' is the Italian for \" activate '' ) .", "spans": {}, "info": {"id": "cyner_mitre_train_01310", "source": "cyner_mitre_train"}} +{"text": "( We named the spyware \" Exodus '' after this Command & Control domain name .", "spans": {}, "info": {"id": "cyner_mitre_train_01311", "source": "cyner_mitre_train"}} +{"text": ") Following is the snippet of code in these older Exodus One samples showing the connection to the Command & Control : Below is the almost identical composition of the request to the Command & Control server in mike.jar ( also containing the path 7e661733-e332-429a-a7e2-23649f27690f ) : To further corroborate the connection of the Exodus spyware with eSurv , the domain attiva.exodus.esurv.it resolves to the IP 212.47.242.236 which , according to", "spans": {"Malware: Exodus One": [[50, 60]], "Indicator: mike.jar": [[211, 219]], "Malware: Exodus spyware": [[333, 347]], "Indicator: domain attiva.exodus.esurv.it": [[365, 394]], "Indicator: 212.47.242.236": [[414, 428]]}, "info": {"id": "cyner_mitre_train_01312", "source": "cyner_mitre_train"}} +{"text": "public passive DNS data , in 2017 was used to host the domain server1cs.exodus.connexxa.it .", "spans": {"Indicator: domain server1cs.exodus.connexxa.it": [[55, 90]]}, "info": {"id": "cyner_mitre_train_01313", "source": "cyner_mitre_train"}} +{"text": "Connexxa was a company also from Catanzaro .", "spans": {}, 
"info": {"id": "cyner_mitre_train_01314", "source": "cyner_mitre_train"}} +{"text": "According to publicly available information , the founder of Connexxa seems to also be the CEO of eSurv .", "spans": {"Organization: Connexxa": [[61, 69]], "Organization: eSurv": [[98, 103]]}, "info": {"id": "cyner_mitre_train_01315", "source": "cyner_mitre_train"}} +{"text": "Interestingly , we found other DNS records mostly from 2017 that follow a similar pattern and appear to contain two-letters codes for districts in Italy : Server City server1bo.exodus.connexxa [ .", "spans": {"Indicator: server1bo.exodus.connexxa [ .": [[167, 196]]}, "info": {"id": "cyner_mitre_train_01316", "source": "cyner_mitre_train"}} +{"text": "] it Bologna server1bs.exodus.connexxa [ .", "spans": {"Indicator: server1bs.exodus.connexxa [ .": [[13, 42]]}, "info": {"id": "cyner_mitre_train_01317", "source": "cyner_mitre_train"}} +{"text": "] it Brescia server1cs.exodus.connexxa [ .", "spans": {"Indicator: server1cs.exodus.connexxa [ .": [[13, 42]]}, "info": {"id": "cyner_mitre_train_01318", "source": "cyner_mitre_train"}} +{"text": "] it Cosenza server1ct.exodus.connexxa [ .", "spans": {"Indicator: server1ct.exodus.connexxa [ .": [[13, 42]]}, "info": {"id": "cyner_mitre_train_01319", "source": "cyner_mitre_train"}} +{"text": "] it Catania server1fermo.exodus.connexxa [ .", "spans": {"Indicator: server1fermo.exodus.connexxa [ .": [[13, 45]]}, "info": {"id": "cyner_mitre_train_01320", "source": "cyner_mitre_train"}} +{"text": "] it server1fi.exodus.connexxa [ .", "spans": {"Indicator: server1fi.exodus.connexxa [ .": [[5, 34]]}, "info": {"id": "cyner_mitre_train_01321", "source": "cyner_mitre_train"}} +{"text": "] it Firenze server1gioiat.exodus.connexxa [ .", "spans": {"Indicator: server1gioiat.exodus.connexxa [ .": [[13, 46]]}, "info": {"id": "cyner_mitre_train_01322", "source": "cyner_mitre_train"}} +{"text": "] it server1na.exodus.connexxa [ .", "spans": {"Indicator: server1na.exodus.connexxa [ .": [[5, 
34]]}, "info": {"id": "cyner_mitre_train_01323", "source": "cyner_mitre_train"}} +{"text": "] it Napoli server1rc.exodus.connexxa [ .", "spans": {"Indicator: server1rc.exodus.connexxa [ .": [[12, 41]]}, "info": {"id": "cyner_mitre_train_01324", "source": "cyner_mitre_train"}} +{"text": "] it Reggio Calabria server2ct.exodus.connexxa [ .", "spans": {"Indicator: server2ct.exodus.connexxa [ .": [[21, 50]]}, "info": {"id": "cyner_mitre_train_01325", "source": "cyner_mitre_train"}} +{"text": "] it Catania server2cz.exodus.connexxa [ .", "spans": {"Indicator: server2cz.exodus.connexxa [ .": [[13, 42]]}, "info": {"id": "cyner_mitre_train_01326", "source": "cyner_mitre_train"}} +{"text": "] it Catanzaro server2fi.exodus.connexxa [ .", "spans": {"Indicator: server2fi.exodus.connexxa [ .": [[15, 44]]}, "info": {"id": "cyner_mitre_train_01327", "source": "cyner_mitre_train"}} +{"text": "] it Firenze server2mi.exodus.connexxa [ .", "spans": {"Indicator: server2mi.exodus.connexxa [ .": [[13, 42]]}, "info": {"id": "cyner_mitre_train_01328", "source": "cyner_mitre_train"}} +{"text": "] it Milano server2rc.exodus.connexxa [ .", "spans": {"Indicator: server2rc.exodus.connexxa [ .": [[12, 41]]}, "info": {"id": "cyner_mitre_train_01329", "source": "cyner_mitre_train"}} +{"text": "] it Reggio Calabria server3bo.exodus.connexxa [ .", "spans": {"Indicator: server3bo.exodus.connexxa [ .": [[21, 50]]}, "info": {"id": "cyner_mitre_train_01330", "source": "cyner_mitre_train"}} +{"text": "] it Bologna server3ct.exodus.connexxa [ .", "spans": {"Indicator: server3ct.exodus.connexxa [ .": [[13, 42]]}, "info": {"id": "cyner_mitre_train_01331", "source": "cyner_mitre_train"}} +{"text": "] it Catania server3.exodus.connexxa [ .", "spans": {"Indicator: server3.exodus.connexxa [ .": [[13, 40]]}, "info": {"id": "cyner_mitre_train_01332", "source": "cyner_mitre_train"}} +{"text": "] it server3fi.exodus.connexxa [ .", "spans": {"Indicator: server3fi.exodus.connexxa [ .": [[5, 34]]}, "info": {"id": 
"cyner_mitre_train_01333", "source": "cyner_mitre_train"}} +{"text": "] it Firenze server4fi.exodus.connexxa [ .", "spans": {"Indicator: server4fi.exodus.connexxa [ .": [[13, 42]]}, "info": {"id": "cyner_mitre_train_01334", "source": "cyner_mitre_train"}} +{"text": "] it Firenze serverrt.exodus.connexxa [ .", "spans": {"Indicator: serverrt.exodus.connexxa [ .": [[13, 41]]}, "info": {"id": "cyner_mitre_train_01335", "source": "cyner_mitre_train"}} +{"text": "] it Public Resume Confirms Development of Android Agent Additionally , an employee of eSurv quite precisely described their work in developing an \" agent to gather data from Android devices and send it to a C & C server '' as well as researching \" vulnerabilities in mobile devices ( mainly Android ) '' in a publicly available resume .", "spans": {"System: Android": [[43, 50], [175, 182], [292, 299]], "Organization: eSurv": [[87, 92]]}, "info": {"id": "cyner_mitre_train_01336", "source": "cyner_mitre_train"}} +{"text": "Further details in it reflect characteristics of Exodus ( such as the bypass of power managers we described from Exodus One , and more ) : Indicators of Compromise Exodus One 011b6bcebd543d4eb227e840f04e188fb01f2335b0b81684b60e6b45388d3820 0f5f1409b1ebbee4aa837d20479732e11399d37f05b47b5359dc53a4001314e5 2055584625d24687bd027a63bc0b8faa7d1a854a535de74afba24840a52b1d2f", "spans": {"Malware: Exodus": [[49, 55]], "Malware: Exodus One": [[113, 123], [164, 174]], "Indicator: 011b6bcebd543d4eb227e840f04e188fb01f2335b0b81684b60e6b45388d3820": [[175, 239]], "Indicator: 0f5f1409b1ebbee4aa837d20479732e11399d37f05b47b5359dc53a4001314e5": [[240, 304]], "Indicator: 2055584625d24687bd027a63bc0b8faa7d1a854a535de74afba24840a52b1d2f": [[305, 369]]}, "info": {"id": "cyner_mitre_train_01337", "source": "cyner_mitre_train"}} +{"text": "26fef238028ee4b5b8da631c77bfb44ada3d5db8129c45dea5df6a51c9ea5f55 33a9da16d096426c82f150e39fc4f9172677885cfeaedcff10c86414e88be802 
34d000ee1e36efd10eb37e2b79d69249d5a85682a61390a89a1b9391c46bf2ba 4f6146956b50ae3a6e80a1c1f771dba848ba677064eb0e166df5804ac2766898", "spans": {"Indicator: 26fef238028ee4b5b8da631c77bfb44ada3d5db8129c45dea5df6a51c9ea5f55": [[0, 64]], "Indicator: 33a9da16d096426c82f150e39fc4f9172677885cfeaedcff10c86414e88be802": [[65, 129]], "Indicator: 34d000ee1e36efd10eb37e2b79d69249d5a85682a61390a89a1b9391c46bf2ba": [[130, 194]], "Indicator: 4f6146956b50ae3a6e80a1c1f771dba848ba677064eb0e166df5804ac2766898": [[195, 259]]}, "info": {"id": "cyner_mitre_train_01338", "source": "cyner_mitre_train"}} +{"text": "5db49122d866967295874ab2c1ce23a7cde50212ff044bbea1da9b49bb9bc149 70e2eea5609c6954c61f2e5e0a3aea832d0643df93d18d7d78b6f9444dcceef0 80810a8ec9624f317f832ac2e212dba033212258285344661e5da11b0d9f0b62 8453ce501fee1ca8a321f16b09969c517f92a24b058ac5b54549eabd58bf1884", "spans": {"Indicator: 5db49122d866967295874ab2c1ce23a7cde50212ff044bbea1da9b49bb9bc149": [[0, 64]], "Indicator: 70e2eea5609c6954c61f2e5e0a3aea832d0643df93d18d7d78b6f9444dcceef0": [[65, 129]], "Indicator: 80810a8ec9624f317f832ac2e212dba033212258285344661e5da11b0d9f0b62": [[130, 194]], "Indicator: 8453ce501fee1ca8a321f16b09969c517f92a24b058ac5b54549eabd58bf1884": [[195, 259]]}, "info": {"id": "cyner_mitre_train_01339", "source": "cyner_mitre_train"}} +{"text": "a37f5d2418c5f2f64d06ba28fe62edee1293a56158ddfa9f04020e316054363f db59407f72666526fca23d31e3b4c5df86f25eff178e17221219216c6975c63f e0acbb0d7e55fb67e550a6bf5cf5c499a9960eaf5f037b785f9004585202593b Exodus One Package Names com.phonecarrier.linecheck", "spans": {"Indicator: a37f5d2418c5f2f64d06ba28fe62edee1293a56158ddfa9f04020e316054363f": [[0, 64]], "Indicator: db59407f72666526fca23d31e3b4c5df86f25eff178e17221219216c6975c63f": [[65, 129]], "Indicator: e0acbb0d7e55fb67e550a6bf5cf5c499a9960eaf5f037b785f9004585202593b": [[130, 194]], "Malware: Exodus One": [[195, 205]], "Indicator: com.phonecarrier.linecheck": [[220, 246]]}, "info": {"id": "cyner_mitre_train_01340", 
"source": "cyner_mitre_train"}} +{"text": "rm.rf operatore.italia it.offertetelefonicheperte it.servizipremium assistenza.sim assistenza.linea.riattiva assistenza.linea it.promofferte Exodus Two 64c11fdb317d6b7c9930e639f55863df592f23f3c7c861ddd97048891a90c64b a42a05bf9b412cd84ea92b166d790e8e72f1d01764f93b05ace62237fbabe40e Exodus Two", "spans": {"Indicator: operatore.italia it.offertetelefonicheperte": [[6, 49]], "Indicator: it.servizipremium": [[50, 67]], "Indicator: assistenza.sim": [[68, 82]], "Indicator: assistenza.linea.riattiva": [[83, 108]], "Indicator: assistenza.linea": [[109, 125]], "Indicator: it.promofferte": [[126, 140]], "Malware: Exodus Two": [[141, 151], [282, 292]], "Indicator: 64c11fdb317d6b7c9930e639f55863df592f23f3c7c861ddd97048891a90c64b": [[152, 216]], "Indicator: a42a05bf9b412cd84ea92b166d790e8e72f1d01764f93b05ace62237fbabe40e": [[217, 281]]}, "info": {"id": "cyner_mitre_train_01341", "source": "cyner_mitre_train"}} +{"text": "ELF Utilities 00c787c0c0bc26caf623e66373a5aaa1b913b9caee1f34580bdfdd21954b7cc4 11499ff2418f4523344de81a447f6786fdba4982057d4114f64db929990b4b59 13ec6cec511297ac3137cf7d6e4a7c4f5dd2b24478a06262a44f13a3d61070b6 3c9f08b3280851f54414dfa5a57f40d3b7be7b73736fa0ba21b078e75ce54d33", "spans": {"Indicator: 00c787c0c0bc26caf623e66373a5aaa1b913b9caee1f34580bdfdd21954b7cc4": [[14, 78]], "Indicator: 11499ff2418f4523344de81a447f6786fdba4982057d4114f64db929990b4b59": [[79, 143]], "Indicator: 13ec6cec511297ac3137cf7d6e4a7c4f5dd2b24478a06262a44f13a3d61070b6": [[144, 208]], "Indicator: 3c9f08b3280851f54414dfa5a57f40d3b7be7b73736fa0ba21b078e75ce54d33": [[209, 273]]}, "info": {"id": "cyner_mitre_train_01342", "source": "cyner_mitre_train"}} +{"text": "3ee3a973c62ba5bd9eab595a7c94b7a26827c5fa5b21964d511ab58903929ec5 47449a612697ad99a6fbd6e02a84e957557371151f2b034a411ebb10496648c8 48a7dd672931e408662d2b5e1abcd6ef00097b8ffe3814f0d2799dd6fd74bd88 824ad333320cbb7873dc49e61c14f749b0e0d88723635524463f2e6f56ea133a", "spans": {"Indicator: 
3ee3a973c62ba5bd9eab595a7c94b7a26827c5fa5b21964d511ab58903929ec5": [[0, 64]], "Indicator: 47449a612697ad99a6fbd6e02a84e957557371151f2b034a411ebb10496648c8": [[65, 129]], "Indicator: 48a7dd672931e408662d2b5e1abcd6ef00097b8ffe3814f0d2799dd6fd74bd88": [[130, 194]], "Indicator: 824ad333320cbb7873dc49e61c14f749b0e0d88723635524463f2e6f56ea133a": [[195, 259]]}, "info": {"id": "cyner_mitre_train_01343", "source": "cyner_mitre_train"}} +{"text": "b46f282f9a1bce3798faee3212e28924730a657eb93cda3824c449868b6ee2e7 c228a534535b22a316a97908595a2d793d0fecabadc32846c6d1bfb08ca9a658 e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855 e3f65f84dd6c2c3a5a653a3788d78920c0321526062a6b53daaf23fa57778a5f", "spans": {"Indicator: b46f282f9a1bce3798faee3212e28924730a657eb93cda3824c449868b6ee2e7": [[0, 64]], "Indicator: c228a534535b22a316a97908595a2d793d0fecabadc32846c6d1bfb08ca9a658": [[65, 129]], "Indicator: e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855": [[130, 194]], "Indicator: e3f65f84dd6c2c3a5a653a3788d78920c0321526062a6b53daaf23fa57778a5f": [[195, 259]]}, "info": {"id": "cyner_mitre_train_01344", "source": "cyner_mitre_train"}} +{"text": "Command & Controls ad1.fbsba [ .", "spans": {"Indicator: ad1.fbsba [ .": [[19, 32]]}, "info": {"id": "cyner_mitre_train_01345", "source": "cyner_mitre_train"}} +{"text": "] com ws.my-local-weather [ .", "spans": {"Indicator: ws.my-local-weather [ .": [[6, 29]]}, "info": {"id": "cyner_mitre_train_01346", "source": "cyner_mitre_train"}} +{"text": "] com 54.71.249 [ .", "spans": {"Indicator: 54.71.249 [ .": [[6, 19]]}, "info": {"id": "cyner_mitre_train_01347", "source": "cyner_mitre_train"}} +{"text": "] 137 54.69.156 [ .", "spans": {"Indicator: 54.69.156 [ .": [[6, 19]]}, "info": {"id": "cyner_mitre_train_01348", "source": "cyner_mitre_train"}} +{"text": "] 31 162.243.172 [ .", "spans": {"Indicator: 162.243.172 [ .": [[5, 20]]}, "info": {"id": "cyner_mitre_train_01349", "source": "cyner_mitre_train"}} +{"text": "] 208 
attiva.exodus.esurv [ .", "spans": {"Indicator: attiva.exodus.esurv [ .": [[6, 29]]}, "info": {"id": "cyner_mitre_train_01350", "source": "cyner_mitre_train"}} +{"text": "] it The rise of mobile banker Asacub 28 AUG 2018 We encountered the Trojan-Banker.AndroidOS.Asacub family for the first time in 2015 , when the first versions of the malware were detected , analyzed , and found to be more adept at spying than stealing funds .", "spans": {"Malware: Asacub": [[31, 37]], "Malware: Trojan-Banker.AndroidOS.Asacub": [[69, 99]]}, "info": {"id": "cyner_mitre_train_01351", "source": "cyner_mitre_train"}} +{"text": "The Trojan has evolved since then , aided by a large-scale distribution campaign by its creators ( in spring-summer 2017 ) , helping Asacub to claim top spots in last year ’ s ranking by number of attacks among mobile banking Trojans , outperforming other families such as Svpeng and Faketoken .", "spans": {"Malware: Asacub": [[133, 139]], "Malware: Svpeng": [[273, 279]], "Malware: Faketoken": [[284, 293]]}, "info": {"id": "cyner_mitre_train_01352", "source": "cyner_mitre_train"}} +{"text": "We decided to take a peek under the hood of a modern member of the Asacub family .", "spans": {"Malware: Asacub": [[67, 73]]}, "info": {"id": "cyner_mitre_train_01353", "source": "cyner_mitre_train"}} +{"text": "Our eyes fell on the latest version of the Trojan , which is designed to steal money from owners of Android devices connected to the mobile banking service of one of Russia ’ s largest banks .", "spans": {"System: Android": [[100, 107]]}, "info": {"id": "cyner_mitre_train_01354", "source": "cyner_mitre_train"}} +{"text": "Asacub versions Sewn into the body of the Trojan is the version number , consisting of two or three digits separated by periods .", "spans": {"Malware: Asacub": [[0, 6]]}, "info": {"id": "cyner_mitre_train_01355", "source": "cyner_mitre_train"}} +{"text": "The numbering seems to have started anew after the version 9 .", "spans": {}, "info": {"id": 
"cyner_mitre_train_01356", "source": "cyner_mitre_train"}} +{"text": "The name Asacub appeared with version 4 in late 2015 ; previous versions were known as Trojan-SMS.AndroidOS.Smaps .", "spans": {"Malware: Asacub": [[9, 15]], "Indicator: Trojan-SMS.AndroidOS.Smaps": [[87, 113]]}, "info": {"id": "cyner_mitre_train_01357", "source": "cyner_mitre_train"}} +{"text": "Versions 5.X.X-8.X.X were active in 2016 , and versions 9.X.X-1.X.X in 2017 .", "spans": {}, "info": {"id": "cyner_mitre_train_01358", "source": "cyner_mitre_train"}} +{"text": "In 2018 , the most actively distributed versions were 5.0.0 and 5.0.3 .", "spans": {}, "info": {"id": "cyner_mitre_train_01359", "source": "cyner_mitre_train"}} +{"text": "Communication with C & C Although Asacub ’ s capabilities gradually evolved , its network behavior and method of communication with the command-and-control ( C & C ) server changed little .", "spans": {"Malware: Asacub": [[34, 40]]}, "info": {"id": "cyner_mitre_train_01360", "source": "cyner_mitre_train"}} +{"text": "This strongly suggested that the banking Trojans , despite differing in terms of capability , belong to the same family .", "spans": {}, "info": {"id": "cyner_mitre_train_01361", "source": "cyner_mitre_train"}} +{"text": "Data was always sent to the C & C server via HTTP in the body of a POST request in encrypted form to the relative address /something/index.php .", "spans": {"Indicator: /something/index.php": [[122, 142]]}, "info": {"id": "cyner_mitre_train_01362", "source": "cyner_mitre_train"}} +{"text": "In earlier versions , the something part of the relative path was a partially intelligible , yet random mix of words and short combinations of letters and numbers separated by an underscore , for example , “ bee_bomb ” or “ my_te2_mms ” .", "spans": {}, "info": {"id": "cyner_mitre_train_01363", "source": "cyner_mitre_train"}} +{"text": "Example of traffic from an early version of Asacub ( 2015 ) The data transmitted and received is encrypted 
with the RC4 algorithm and encoded using the base64 standard .", "spans": {"Malware: Asacub": [[44, 50]]}, "info": {"id": "cyner_mitre_train_01364", "source": "cyner_mitre_train"}} +{"text": "The C & C address and the encryption key ( one for different modifications in versions 4.x and 5.x , and distinct for different C & Cs in later versions ) are stitched into the body of the Trojan .", "spans": {}, "info": {"id": "cyner_mitre_train_01365", "source": "cyner_mitre_train"}} +{"text": "In early versions of Asacub , .com , .biz , .info , .in , .pw were used as top-level domains .", "spans": {"Malware: Asacub": [[21, 27]]}, "info": {"id": "cyner_mitre_train_01366", "source": "cyner_mitre_train"}} +{"text": "In the 2016 version , the value of the User-Agent header changed , as did the method of generating the relative path in the URL : now the part before /index.php is a mix of a pronounceable ( if not entirely meaningful ) word and random letters and numbers , for example , “ muromec280j9tqeyjy5sm1qy71 ” or “ parabbelumf8jgybdd6w0qa0 ” .", "spans": {"Indicator: muromec280j9tqeyjy5sm1qy71": [[274, 300]], "Indicator: parabbelumf8jgybdd6w0qa0": [[308, 332]]}, "info": {"id": "cyner_mitre_train_01367", "source": "cyner_mitre_train"}} +{"text": "Moreover , incoming traffic from the C & C server began to use gzip compression , and the top-level domain for all C & Cs was .com : Since December 2016 , the changes in C & C communication methods have affected only how the relative path in the URL is generated : the pronounceable word was replaced by a rather long random combination of letters and numbers , for example , “ ozvi4malen7dwdh ” or “ f29u8oi77024clufhw1u5ws62 ” .", "spans": {"Indicator: ozvi4malen7dwdh": [[378, 393]], "Indicator: f29u8oi77024clufhw1u5ws62": [[401, 426]]}, "info": {"id": "cyner_mitre_train_01368", "source": "cyner_mitre_train"}} +{"text": "At the time of writing this article , no other significant changes in Asacub ’ s network behavior had been observed 
: The origin of Asacub It is fairly safe to say that the Asacub family evolved from Trojan-SMS.AndroidOS.Smaps .", "spans": {"Malware: Asacub": [[70, 76], [132, 138], [173, 179]], "Indicator: Trojan-SMS.AndroidOS.Smaps": [[200, 226]]}, "info": {"id": "cyner_mitre_train_01369", "source": "cyner_mitre_train"}} +{"text": "Communication between both Trojans and their C & C servers is based on the same principle , the relative addresses to which Trojans send network requests are generated in a similar manner , and the set of possible commands that the two Trojans can perform also overlaps .", "spans": {}, "info": {"id": "cyner_mitre_train_01370", "source": "cyner_mitre_train"}} +{"text": "What ’ s more , the numbering of Asacub versions is a continuation of the Smaps system .", "spans": {"Malware: Asacub": [[33, 39]], "Malware: Smaps": [[74, 79]]}, "info": {"id": "cyner_mitre_train_01371", "source": "cyner_mitre_train"}} +{"text": "The main difference is that Smaps transmits data as plain text , while Asacub encrypts data with the RC4 algorithm and then encodes it into base64 format .", "spans": {"Malware: Smaps": [[28, 33]], "Malware: Asacub": [[71, 77]]}, "info": {"id": "cyner_mitre_train_01372", "source": "cyner_mitre_train"}} +{"text": "Let ’ s compare examples of traffic from Smaps and Asacub — an initializing request to the C & C server with information about the infected device and a response from the server with a command for execution : Smaps request Asacub request Decrypted data from Asacub traffic : { “ id ” : ” 532bf15a-b784-47e5-92fa-72198a2929f5″ , ” type ” : ” get ” , ” info ” : ” imei:365548770159066 , country : PL , cell : Tele2", "spans": {"Malware: Smaps": [[41, 46], [209, 214]], "Malware: Asacub": [[51, 57], [223, 229], [258, 264]], "Indicator: 532bf15a-b784-47e5-92fa-72198a2929f5″": [[288, 325]]}, "info": {"id": "cyner_mitre_train_01373", "source": "cyner_mitre_train"}} +{"text": ", android:4.2.2 , model : GT-N5100 , phonenumber : +486679225120 , 
sim:6337076348906359089f , app : null , ver:5.0.2″ } Data sent to the server [ { “ command ” : ” sent & & & ” , ” params ” : { “ to ” : ” +79262000900″ , ” body ” : ” \\u0410\\u0412\\u0422\\u041e\\u041f\\u041b\\u0410\\u0422\\u0415\\u0416", "spans": {}, "info": {"id": "cyner_mitre_train_01374", "source": "cyner_mitre_train"}} +{"text": "1000 50″ , ” timestamp ” : ” 1452272572″ } } , { “ command ” : ” sent & & & ” , ” params ” : { “ to ” : ” +79262000900″ , ” body ” : ” BALANCE ” , ” timestamp ” : ” 1452272573″ } } ] Instructions received from the server A comparison can also be made of the format in which Asacub and Smaps forward incoming SMS ( encoded with the base64 algorithm ) from the device to the C & C server : Smaps", "spans": {}, "info": {"id": "cyner_mitre_train_01375", "source": "cyner_mitre_train"}} +{"text": "format Asacub format Decrypted data from Asacub traffic : { “ data ” : ” 2015:10:14_02:41:15″ , ” id ” : ” 532bf15a-b784-47e5-92fa-72198a2929f5″ , ” text ” : ” SSB0aG91Z2h0IHdlIGdvdCBwYXN0IHRoaXMhISBJJ20gbm90IGh1bmdyeSBhbmQgbmU= ” , ” number ” : ” 1790″ , ” type", "spans": {"Indicator: 532bf15a-b784-47e5-92fa-72198a2929f5″": [[107, 144]]}, "info": {"id": "cyner_mitre_train_01376", "source": "cyner_mitre_train"}} +{"text": "” : ” load ” } Propagation The banking Trojan is propagated via phishing SMS containing a link and an offer to view a photo or MMS .", "spans": {}, "info": {"id": "cyner_mitre_train_01377", "source": "cyner_mitre_train"}} +{"text": "The link points to a web page with a similar sentence and a button for downloading the APK file of the Trojan to the device .", "spans": {}, "info": {"id": "cyner_mitre_train_01378", "source": "cyner_mitre_train"}} +{"text": "The Trojan download window Asacub masquerades under the guise of an MMS app or a client of a popular free ads service .", "spans": {"Malware: Asacub": [[27, 33]]}, "info": {"id": "cyner_mitre_train_01379", "source": "cyner_mitre_train"}} +{"text": "We came across the names Photo , 
Message , Avito Offer , and MMS Message .", "spans": {}, "info": {"id": "cyner_mitre_train_01380", "source": "cyner_mitre_train"}} +{"text": "App icons under which Asacub masks itself The APK files of the Trojan are downloaded from sites such as mmsprivate [ .", "spans": {"Malware: Asacub": [[22, 28]], "Indicator: mmsprivate [ .": [[104, 118]]}, "info": {"id": "cyner_mitre_train_01381", "source": "cyner_mitre_train"}} +{"text": "] site , photolike [ .", "spans": {"Indicator: photolike [ .": [[9, 22]]}, "info": {"id": "cyner_mitre_train_01382", "source": "cyner_mitre_train"}} +{"text": "] fun , you-foto [ .", "spans": {"Indicator: you-foto [ .": [[8, 20]]}, "info": {"id": "cyner_mitre_train_01383", "source": "cyner_mitre_train"}} +{"text": "] site , and mms4you [ .", "spans": {"Indicator: mms4you [ .": [[13, 24]]}, "info": {"id": "cyner_mitre_train_01384", "source": "cyner_mitre_train"}} +{"text": "] me under names in the format : photo_ [ number ] _img.apk , mms_ [ number ] _img.apk avito_ [ number ] .apk , mms.img_ [ number ] _photo.apk , mms [ number ] _photo.image.apk , mms [ number ] _photo.img.apk , mms.img.photo_ [ number ] .apk , photo_ [ number ] _obmen.img.apk .", "spans": {"Indicator: photo_ [ number ] _img.apk": [[33, 59]], "Indicator: mms_ [ number ] _img.apk": [[62, 86]], "Indicator: avito_ [ number ] .apk": [[87, 109]], "Indicator: mms.img_ [ number ] _photo.apk": [[112, 142]], "Indicator: mms [ number ] _photo.image.apk": [[145, 176]], "Indicator: mms [ number ] _photo.img.apk": [[179, 208]], "Indicator: mms.img.photo_ [ number ] .apk": [[211, 241]], "Indicator: photo_ [ number ] _obmen.img.apk": [[244, 276]]}, "info": {"id": "cyner_mitre_train_01385", "source": "cyner_mitre_train"}} +{"text": "For the Trojan to install , the user must allow installation of apps from unknown sources in the device settings .", "spans": {}, "info": {"id": "cyner_mitre_train_01386", "source": "cyner_mitre_train"}} +{"text": "Infection During installation , depending on 
the version of the Trojan , Asacub prompts the user either for Device Administrator rights or for permission to use AccessibilityService .", "spans": {"Malware: Asacub": [[73, 79]]}, "info": {"id": "cyner_mitre_train_01387", "source": "cyner_mitre_train"}} +{"text": "After receiving the rights , it sets itself as the default SMS app and disappears from the device screen .", "spans": {}, "info": {"id": "cyner_mitre_train_01388", "source": "cyner_mitre_train"}} +{"text": "If the user ignores or rejects the request , the window reopens every few seconds .", "spans": {}, "info": {"id": "cyner_mitre_train_01389", "source": "cyner_mitre_train"}} +{"text": "The Trojan requests Device Administrator rights The Trojan requests permission to use AccessibilityService After installation , the Trojan starts communicating with the cybercriminals ’ C & C server .", "spans": {}, "info": {"id": "cyner_mitre_train_01390", "source": "cyner_mitre_train"}} +{"text": "All data is transmitted in JSON format ( after decryption ) .", "spans": {}, "info": {"id": "cyner_mitre_train_01391", "source": "cyner_mitre_train"}} +{"text": "It includes information about the smartphone model , the OS version , the mobile operator , and the Trojan version .", "spans": {}, "info": {"id": "cyner_mitre_train_01392", "source": "cyner_mitre_train"}} +{"text": "Let ’ s take an in-depth look at Asacub 5.0.3 , the most widespread version in 2018 .", "spans": {"Malware: Asacub": [[33, 39]]}, "info": {"id": "cyner_mitre_train_01393", "source": "cyner_mitre_train"}} +{"text": "Structure of data sent to the server : To begin with , the Trojan sends information about the device to the server : In response , the server sends the code of the command for execution ( “ command ” ) , its parameters ( “ params ” ) , and the time delay before execution ( “ waitrun ” in milliseconds ) .", "spans": {}, "info": {"id": "cyner_mitre_train_01394", "source": "cyner_mitre_train"}} +{"text": "List of commands sewn into the body of 
the Trojan : Command code Parameters Actions 2 – Sending a list of contacts from the address book of the infected device to the C & C server 7 “ to ” : int Calling the specified number 11 “ to ” : int , “ body ” : string Sending an SMS with the specified text to the specified number 19 “ text ” : string , “ n ” : string Sending SMS with the specified text to numbers from the address book of the infected device , with the name of the addressee from the", "spans": {"System: address book": [[124, 136], [417, 429]]}, "info": {"id": "cyner_mitre_train_01395", "source": "cyner_mitre_train"}} +{"text": "address book substituted into the message text 40 “ text ” : string Shutting down applications with specific names ( antivirus and banking applications ) The set of possible commands is the most significant difference between the various flavors of Asacub .", "spans": {"System: address book": [[0, 12]], "Malware: Asacub": [[249, 255]]}, "info": {"id": "cyner_mitre_train_01396", "source": "cyner_mitre_train"}} +{"text": "In the 2015-early 2016 versions examined in this article , C & C instructions in JSON format contained the name of the command in text form ( “ get_sms ” , “ block_phone ” ) .", "spans": {}, "info": {"id": "cyner_mitre_train_01397", "source": "cyner_mitre_train"}} +{"text": "In later versions , instead of the name of the command , its numerical code was transmitted .", "spans": {}, "info": {"id": "cyner_mitre_train_01398", "source": "cyner_mitre_train"}} +{"text": "The same numerical code corresponded to one command in different versions , but the set of supported commands varied .", "spans": {}, "info": {"id": "cyner_mitre_train_01399", "source": "cyner_mitre_train"}} +{"text": "For example , version 9.0.7 ( 2017 ) featured the following set of commands : 2 , 4 , 8 , 11 , 12 , 15 , 16 , 17 , 18 , 19 , 20 .", "spans": {}, "info": {"id": "cyner_mitre_train_01400", "source": "cyner_mitre_train"}} +{"text": "After receiving the command , the Trojan attempts to 
execute it , before informing C & C of the execution status and any data received .", "spans": {}, "info": {"id": "cyner_mitre_train_01401", "source": "cyner_mitre_train"}} +{"text": "The “ id ” value inside the “ data ” block is equal to the “ timestamp ” value of the relevant command : In addition , the Trojan sets itself as the default SMS application and , on receiving a new SMS , forwards the sender ’ s number and the message text in base64 format to the cybercriminal : Thus , Asacub can withdraw funds from a bank card linked to the phone by sending SMS for the transfer of funds to another account using the number of the card or mobile phone .", "spans": {"Malware: Asacub": [[303, 309]]}, "info": {"id": "cyner_mitre_train_01402", "source": "cyner_mitre_train"}} +{"text": "Moreover , the Trojan intercepts SMS from the bank that contain one-time passwords and information about the balance of the linked bank card .", "spans": {}, "info": {"id": "cyner_mitre_train_01403", "source": "cyner_mitre_train"}} +{"text": "Some versions of the Trojan can autonomously retrieve confirmation codes from such SMS and send them to the required number .", "spans": {}, "info": {"id": "cyner_mitre_train_01404", "source": "cyner_mitre_train"}} +{"text": "What ’ s more , the user can not check the balance via mobile banking or change any settings there , because after receiving the command with code 40 , the Trojan prevents the banking app from running on the phone .", "spans": {}, "info": {"id": "cyner_mitre_train_01405", "source": "cyner_mitre_train"}} +{"text": "User messages created by the Trojan during installation typically contain grammatical and spelling errors , and use a mixture of Cyrillic and Latin characters .", "spans": {}, "info": {"id": "cyner_mitre_train_01406", "source": "cyner_mitre_train"}} +{"text": "The Trojan also employs various obfuscation methods : from the simplest , such as string concatenation and renaming of classes and methods , to implementing 
functions in native code and embedding SO libraries in C/C++ in the APK file , which requires the use of additional tools or dynamic analysis for deobfuscation , since most tools for static analysis of Android apps support only Dalvik bytecode .", "spans": {}, "info": {"id": "cyner_mitre_train_01407", "source": "cyner_mitre_train"}} +{"text": "In some versions of Asacub , strings in the app are encrypted using the same algorithm as data sent to C & C , but with different keys .", "spans": {"Malware: Asacub": [[20, 26]]}, "info": {"id": "cyner_mitre_train_01408", "source": "cyner_mitre_train"}} +{"text": "Example of using native code for obfuscation Examples of using string concatenation for obfuscation Example of encrypting strings in the Trojan Asacub distribution geography Asacub is primarily aimed at Russian users : 98 % of infections ( 225,000 ) occur in Russia , since the cybercriminals specifically target clients of a major Russian bank .", "spans": {"Malware: Asacub": [[144, 150], [174, 180]]}, "info": {"id": "cyner_mitre_train_01409", "source": "cyner_mitre_train"}} +{"text": "The Trojan also hit users from Ukraine , Turkey , Germany , Belarus , Poland , Armenia , Kazakhstan , the US , and other countries .", "spans": {}, "info": {"id": "cyner_mitre_train_01410", "source": "cyner_mitre_train"}} +{"text": "Conclusion The case of Asacub shows that mobile malware can function for several years with minimal changes to the distribution scheme .", "spans": {"Malware: Asacub": [[23, 29]]}, "info": {"id": "cyner_mitre_train_01411", "source": "cyner_mitre_train"}} +{"text": "It is basically SMS spam : many people still follow suspicious links , install software from third-party sources , and give permissions to apps without a second thought .", "spans": {}, "info": {"id": "cyner_mitre_train_01412", "source": "cyner_mitre_train"}} +{"text": "At the same time , cybercriminals are reluctant to change the method of communication with the C & C server , since this would 
require more effort and reap less benefit than modifying the executable file .", "spans": {}, "info": {"id": "cyner_mitre_train_01413", "source": "cyner_mitre_train"}} +{"text": "The most significant change in this particular Trojan ’ s history was the encryption of data sent between the device and C & C .", "spans": {}, "info": {"id": "cyner_mitre_train_01414", "source": "cyner_mitre_train"}} +{"text": "That said , so as to hinder detection of new versions , the Trojan ’ s APK file and the C & C server domains are changed regularly , and the Trojan download links are often one-time-use .", "spans": {}, "info": {"id": "cyner_mitre_train_01415", "source": "cyner_mitre_train"}} +{"text": "IOCs C & C IP addresses : 155.133.82.181 155.133.82.240 155.133.82.244 185.234.218.59 195.22.126.160 195.22.126.163 195.22.126.80 195.22.126.81 5.45.73.24 5.45.74.130 IP addresses from which the Trojan was downloaded : 185.174.173.31 185.234.218.59 188.166.156.110 195.22.126.160 195.22.126.80 195.22.126.81", "spans": {"Indicator: 155.133.82.181": [[26, 40]], "Indicator: 155.133.82.240": [[41, 55]], "Indicator: 155.133.82.244": [[56, 70]], "Indicator: 185.234.218.59": [[71, 85], [234, 248]], "Indicator: 195.22.126.160": [[86, 100], [265, 279]], "Indicator: 195.22.126.163": [[101, 115]], "Indicator: 195.22.126.80": [[116, 129], [280, 293]], "Indicator: 195.22.126.81": [[130, 143], [294, 307]], "Indicator: 5.45.73.24": [[144, 154]], "Indicator: 5.45.74.130 IP addresses": [[155, 179]], "Indicator: 185.174.173.31": [[219, 233]], "Indicator: 188.166.156.110": [[249, 264]]}, "info": {"id": "cyner_mitre_train_01416", "source": "cyner_mitre_train"}} +{"text": "195.22.126.82 195.22.126.83 SHA256 : 158c7688877853ffedb572ccaa8aa9eff47fa379338151f486e46d8983ce1b67 3aedbe7057130cf359b9b57fa533c2b85bab9612c34697585497734530e7457d f3ae6762df3f2c56b3fe598a9e3ff96ddf878c553be95bacbd192bd14debd637 df61a75b7cfa128d4912e5cb648cfc504a8e7b25f6c83ed19194905fef8624c8", "spans": {"Indicator: 195.22.126.82": 
[[0, 13]], "Indicator: 195.22.126.83": [[14, 27]], "Indicator: 158c7688877853ffedb572ccaa8aa9eff47fa379338151f486e46d8983ce1b67": [[37, 101]], "Indicator: 3aedbe7057130cf359b9b57fa533c2b85bab9612c34697585497734530e7457d": [[102, 166]], "Indicator: f3ae6762df3f2c56b3fe598a9e3ff96ddf878c553be95bacbd192bd14debd637": [[167, 231]], "Indicator: df61a75b7cfa128d4912e5cb648cfc504a8e7b25f6c83ed19194905fef8624c8": [[232, 296]]}, "info": {"id": "cyner_mitre_train_01417", "source": "cyner_mitre_train"}} +{"text": "c0cfd462ab21f6798e962515ac0c15a92036edd3e2e63639263bf2fd2a10c184 d791e0ce494104e2ae0092bb4adc398ce740fef28fa2280840ae7f61d4734514 38dcec47e2f4471b032a8872ca695044ddf0c61b9e8d37274147158f689d65b9 27cea60e23b0f62b4b131da29fdda916bc4539c34bb142fb6d3f8bb82380fe4c", "spans": {"Indicator: c0cfd462ab21f6798e962515ac0c15a92036edd3e2e63639263bf2fd2a10c184": [[0, 64]], "Indicator: d791e0ce494104e2ae0092bb4adc398ce740fef28fa2280840ae7f61d4734514": [[65, 129]], "Indicator: 38dcec47e2f4471b032a8872ca695044ddf0c61b9e8d37274147158f689d65b9": [[130, 194]], "Indicator: 27cea60e23b0f62b4b131da29fdda916bc4539c34bb142fb6d3f8bb82380fe4c": [[195, 259]]}, "info": {"id": "cyner_mitre_train_01418", "source": "cyner_mitre_train"}} +{"text": "31edacd064debdae892ab0bc788091c58a03808997e11b6c46a6a5de493ed25d 87ffec0fe0e7a83e6433694d7f24cfde2f70fc45800aa2acb8e816ceba428951 eabc604fe6b5943187c12b8635755c303c450f718cc0c8e561df22a27264f101 Kernel Backdoor found in Gadgets Powered by Popular Chinese ARM", "spans": {"Indicator: 31edacd064debdae892ab0bc788091c58a03808997e11b6c46a6a5de493ed25d": [[0, 64]], "Indicator: 87ffec0fe0e7a83e6433694d7f24cfde2f70fc45800aa2acb8e816ceba428951": [[65, 129]], "Indicator: eabc604fe6b5943187c12b8635755c303c450f718cc0c8e561df22a27264f101": [[130, 194]], "System: ARM": [[255, 258]]}, "info": {"id": "cyner_mitre_train_01419", "source": "cyner_mitre_train"}} +{"text": "Maker May 12 , 2016 Mohit Kumar How to Hack an Android device ?", "spans": {"System: Android": [[47, 
54]]}, "info": {"id": "cyner_mitre_train_01420", "source": "cyner_mitre_train"}} +{"text": "It is possibly one of the most frequently asked questions on the Internet .", "spans": {}, "info": {"id": "cyner_mitre_train_01421", "source": "cyner_mitre_train"}} +{"text": "Although it 's not pretty simple to hack Android devices and gadgets , sometimes you just get lucky to find a backdoor access .", "spans": {"System: Android": [[41, 48]]}, "info": {"id": "cyner_mitre_train_01422", "source": "cyner_mitre_train"}} +{"text": "Thanks to Allwinner , a Chinese ARM system-on-a-chip maker , which has recently been caught shipping a version of Linux Kernel with an incredibly simple and easy-to-use built-in backdoor .", "spans": {"Organization: Allwinner": [[10, 19]], "System: ARM": [[32, 35]], "System: Linux": [[114, 119]]}, "info": {"id": "cyner_mitre_train_01423", "source": "cyner_mitre_train"}} +{"text": "Chinese fabless semiconductor company Allwinner is a leading supplier of application processors that are used in many low-cost Android tablets , ARM-based PCs , set-top boxes , and other electronic devices worldwide .", "spans": {"Organization: Allwinner": [[38, 47]], "System: Android": [[127, 134]], "Organization: ARM-based": [[145, 154]]}, "info": {"id": "cyner_mitre_train_01424", "source": "cyner_mitre_train"}} +{"text": "Simple Backdoor Exploit to Hack Android Devices All you need to do to gain root access of an affected Android device is… Send the text \" rootmydevice '' to any undocumented debugging process .", "spans": {"System: Android": [[32, 39], [102, 109]]}, "info": {"id": "cyner_mitre_train_01425", "source": "cyner_mitre_train"}} +{"text": "The local privileges escalation backdoor code for debugging ARM-powered Android devices managed to make its way in shipped firmware after firmware makers wrote their own kernel code underneath a custom Android build for their devices , though the mainstream kernel source is unaffected .", "spans": {"System: ARM-powered": 
[[60, 71]], "System: Android": [[72, 79], [202, 209]]}, "info": {"id": "cyner_mitre_train_01426", "source": "cyner_mitre_train"}} +{"text": "The backdoor code is believed to have been left by mistake by the authors after completing the debugging process .", "spans": {}, "info": {"id": "cyner_mitre_train_01427", "source": "cyner_mitre_train"}} +{"text": "For exploiting this issue , any process running with any UID can be converted into root easily by simply using the following command : echo \" rootmydevice '' > /proc/sunxi_debug/sunxi_debug The Linux 3.4-sunxi kernel was originally designed to support the Android operating system on Allwinner ARM for tablets , but later it was used to port Linux to many Allwinner processors on boards like Banana Pi micro-PCs , Orange Pi , and other devices .", "spans": {"Indicator: rootmydevice": [[142, 154]], "Indicator: Linux 3.4-sunxi": [[194, 209]], "System: Android": [[256, 263]], "Organization: Allwinner": [[284, 293], [356, 365]], "System: ARM": [[294, 297]], "System: Linux": [[342, 347]], "System: Banana Pi micro-PCs": [[392, 411]], "System: Orange Pi": [[414, 423]]}, "info": {"id": "cyner_mitre_train_01428", "source": "cyner_mitre_train"}} +{"text": "At the forum of the Armbian operating system , a moderator who goes by the name Tkaiser noted that the backdoor code could remotely be exploitable \" if combined with networked services that might allow access to /proc .", "spans": {"System: Armbian": [[20, 27]], "Indicator: /proc": [[212, 217]]}, "info": {"id": "cyner_mitre_train_01429", "source": "cyner_mitre_train"}} +{"text": "'' This security hole is currently present in every operating system image for A83T , H3 or H8 devices that rely on kernel 3.4 , he added .", "spans": {"System: A83T": [[79, 83]], "System: H3": [[86, 88]], "System: H8": [[92, 94]], "System: kernel 3.4": [[116, 126]]}, "info": {"id": "cyner_mitre_train_01430", "source": "cyner_mitre_train"}} +{"text": "This blunder made by the company has been 
frustrating to many developers .", "spans": {}, "info": {"id": "cyner_mitre_train_01431", "source": "cyner_mitre_train"}} +{"text": "Allwinner has also been less transparent about the backdoor code .", "spans": {"Organization: Allwinner": [[0, 9]]}, "info": {"id": "cyner_mitre_train_01432", "source": "cyner_mitre_train"}} +{"text": "David Manouchehri released the information about the backdoor through its own Github account ( Pastebin ) and then apparently deleted it .", "spans": {"Organization: Github": [[78, 84]], "Organization: Pastebin": [[95, 103]]}, "info": {"id": "cyner_mitre_train_01433", "source": "cyner_mitre_train"}} +{"text": "Mobile Malware Evolution : 2013 24 FEB 2014 The mobile malware sector is growing rapidly both technologically and structurally .", "spans": {}, "info": {"id": "cyner_mitre_train_01434", "source": "cyner_mitre_train"}} +{"text": "It is safe to say that today ’ s cybercriminal is no longer a lone hacker but part of a serious business operation .", "spans": {}, "info": {"id": "cyner_mitre_train_01435", "source": "cyner_mitre_train"}} +{"text": "There are various types of actors involved in the mobile malware industry : virus writers , testers , interface designers of both the malicious apps and the web pages they are distributed from , owners of the partner programs that spread the malware , and mobile botnet owners .", "spans": {}, "info": {"id": "cyner_mitre_train_01436", "source": "cyner_mitre_train"}} +{"text": "This division of labor among the cybercriminals can also be seen in the behavior of their Trojans .", "spans": {}, "info": {"id": "cyner_mitre_train_01437", "source": "cyner_mitre_train"}} +{"text": "In 2013 , there was evidence of cooperation ( most probably on a commercial basis ) between different groups of virus writers .", "spans": {}, "info": {"id": "cyner_mitre_train_01438", "source": "cyner_mitre_train"}} +{"text": "For example , the botnet Trojan-SMS.AndroidOS.Opfake.a , in addition to its own activity , also 
spread Backdoor.AndroidOS.Obad.a by sending spam containing a link to the malware to the victim ’ s list of contacts .", "spans": {"Malware: Trojan-SMS.AndroidOS.Opfake.a": [[25, 54]], "Malware: Backdoor.AndroidOS.Obad.a": [[103, 128]]}, "info": {"id": "cyner_mitre_train_01439", "source": "cyner_mitre_train"}} +{"text": "It is now clear that a distinct industry has developed and is becoming more focused on extracting profits , which is clearly evident from the functionality of the malware .", "spans": {}, "info": {"id": "cyner_mitre_train_01440", "source": "cyner_mitre_train"}} +{"text": "2013 in figures A total of 143,211 new modifications of malicious programs targeting mobile devices were detected in all of 2013 ( as of January 1 , 2014 ) .", "spans": {}, "info": {"id": "cyner_mitre_train_01441", "source": "cyner_mitre_train"}} +{"text": "In 2013 , 3,905,502 installation packages were used by cybercriminals to distribute mobile malware .", "spans": {}, "info": {"id": "cyner_mitre_train_01442", "source": "cyner_mitre_train"}} +{"text": "Overall in 2012-2013 we detected approximately 10,000,000 unique malicious installation packages : Different installation packages can install programs with the same functionality that differ only in terms of the malicious app interface and , for instance , the content of the text messages it spreads .", "spans": {}, "info": {"id": "cyner_mitre_train_01443", "source": "cyner_mitre_train"}} +{"text": "Android remains a prime target for malicious attacks .", "spans": {"System: Android": [[0, 7]]}, "info": {"id": "cyner_mitre_train_01444", "source": "cyner_mitre_train"}} +{"text": "98.05 % of all malware detected in 2013 targeted this platform , confirming both the popularity of this mobile OS and the vulnerability of its architecture .", "spans": {}, "info": {"id": "cyner_mitre_train_01445", "source": "cyner_mitre_train"}} +{"text": "Most mobile malware is designed to steal users ’ money , including SMS-Trojans , and lots of 
backdoors and Trojans .", "spans": {}, "info": {"id": "cyner_mitre_train_01446", "source": "cyner_mitre_train"}} +{"text": "Over the year , the number of mobile malware modifications designed for phishing , the theft of credit card information and money increased by a factor of 19.7 .", "spans": {}, "info": {"id": "cyner_mitre_train_01447", "source": "cyner_mitre_train"}} +{"text": "In 2013 , Kaspersky Lab mobile products prevented 2,500 infections by banking Trojans .", "spans": {"Organization: Kaspersky Lab": [[10, 23]]}, "info": {"id": "cyner_mitre_train_01448", "source": "cyner_mitre_train"}} +{"text": "Methods and techniques 2013 not only saw a radical increase in output from mobile virus writers but also saw them actively applying methods and technologies that allowed cybercriminals to use their malware more effectively .", "spans": {}, "info": {"id": "cyner_mitre_train_01449", "source": "cyner_mitre_train"}} +{"text": "There were several distinct areas where mobile malware underwent advances .", "spans": {}, "info": {"id": "cyner_mitre_train_01450", "source": "cyner_mitre_train"}} +{"text": "Distribution Cybercriminals made use of some exceptionally sophisticated methods to infect mobile devices .", "spans": {}, "info": {"id": "cyner_mitre_train_01451", "source": "cyner_mitre_train"}} +{"text": "Infecting legal web resources help spread mobile malware via popular websites .", "spans": {}, "info": {"id": "cyner_mitre_train_01452", "source": "cyner_mitre_train"}} +{"text": "More and more smartphone and tablet owners use their devices to access websites , unaware that even the most reputable resources can be hacked .", "spans": {}, "info": {"id": "cyner_mitre_train_01453", "source": "cyner_mitre_train"}} +{"text": "According to our data , 0.4 % of the websites visited by users of our products were compromised sites .", "spans": {}, "info": {"id": "cyner_mitre_train_01454", "source": "cyner_mitre_train"}} +{"text": "Distribution via alternative app stores .", 
"spans": {}, "info": {"id": "cyner_mitre_train_01455", "source": "cyner_mitre_train"}} +{"text": "In Asia there are numerous companies producing Android-based devices and Android apps , and many of them offer users their own app stores containing programs that can not be found in Google Play .", "spans": {"System: Android-based": [[47, 60]], "System: Android": [[73, 80]], "System: Google Play": [[183, 194]]}, "info": {"id": "cyner_mitre_train_01456", "source": "cyner_mitre_train"}} +{"text": "The purely nominal control over the applications uploaded to these stores means attackers can conceal Trojans in apps made to look like innocent games or utilities .", "spans": {}, "info": {"id": "cyner_mitre_train_01457", "source": "cyner_mitre_train"}} +{"text": "Distribution via botnets .", "spans": {}, "info": {"id": "cyner_mitre_train_01458", "source": "cyner_mitre_train"}} +{"text": "As a rule , bots self-proliferate by sending out text messages with a malicious link to addresses in the victim ’ s address book .", "spans": {}, "info": {"id": "cyner_mitre_train_01459", "source": "cyner_mitre_train"}} +{"text": "We also registered one episode of mobile malware spreading via a third-party botnet .", "spans": {}, "info": {"id": "cyner_mitre_train_01460", "source": "cyner_mitre_train"}} +{"text": "Resistance to anti-malware protection The ability of malicious software to operate continuously on the victim ’ s mobile device is an important aspect of its development .", "spans": {}, "info": {"id": "cyner_mitre_train_01461", "source": "cyner_mitre_train"}} +{"text": "The longer a Trojan “ lives ” on a smartphone , the more money it will make for the owner .", "spans": {}, "info": {"id": "cyner_mitre_train_01462", "source": "cyner_mitre_train"}} +{"text": "This is an area where virus writers are actively working , resulting in a large number of technological innovations .", "spans": {}, "info": {"id": "cyner_mitre_train_01463", "source": "cyner_mitre_train"}} +{"text": "Criminals 
are increasingly using obfuscation , the deliberate act of creating complex code to make it difficult to analyze .", "spans": {}, "info": {"id": "cyner_mitre_train_01464", "source": "cyner_mitre_train"}} +{"text": "The more complex the obfuscation , the longer it will take an antivirus solution to neutralize the malicious code .", "spans": {}, "info": {"id": "cyner_mitre_train_01465", "source": "cyner_mitre_train"}} +{"text": "Tellingly , current virus writers have mastered commercial obfuscators .", "spans": {}, "info": {"id": "cyner_mitre_train_01466", "source": "cyner_mitre_train"}} +{"text": "This implies they have made considerable investments .", "spans": {}, "info": {"id": "cyner_mitre_train_01467", "source": "cyner_mitre_train"}} +{"text": "For example , one commercial obfuscator , which cost €350 , was used for Trojans and Opfak.bo Obad.a Android vulnerabilities are used by criminals for three reasons : to bypass the code integrity check when installing an application ( vulnerability Master Key ) ; to enhance the rights of malicious applications , considerably extending their capabilities ; and to make it more difficult to remove malware .", "spans": {"Malware: Opfak.bo Obad.a": [[85, 100]]}, "info": {"id": "cyner_mitre_train_01468", "source": "cyner_mitre_train"}} +{"text": "For example , Svpeng uses a previously unknown vulnerability to protect itself from being removed manually or by the antivirus program .", "spans": {"Malware: Svpeng": [[14, 20]]}, "info": {"id": "cyner_mitre_train_01469", "source": "cyner_mitre_train"}} +{"text": "Cybercriminals also exploit the Master Key vulnerability and have learned to embed unsigned executable files in Android installation packages .", "spans": {"Vulnerability: Master Key vulnerability": [[32, 56]], "System: Android": [[112, 119]]}, "info": {"id": "cyner_mitre_train_01470", "source": "cyner_mitre_train"}} +{"text": "Digital signature verification can be bypassed by giving the malicious file exactly the same name 
as a legitimate file and placing it on the same level in the archive .", "spans": {}, "info": {"id": "cyner_mitre_train_01471", "source": "cyner_mitre_train"}} +{"text": "The system verifies the signature of the legitimate file while installing the malicious file .", "spans": {}, "info": {"id": "cyner_mitre_train_01472", "source": "cyner_mitre_train"}} +{"text": "Unfortunately , there is a specific feature of Android vulnerabilities that means it is only possible to get rid of them by receiving an update from the device manufacturers .", "spans": {}, "info": {"id": "cyner_mitre_train_01473", "source": "cyner_mitre_train"}} +{"text": "However , many users are in no hurry to update the operating systems of their products .", "spans": {}, "info": {"id": "cyner_mitre_train_01474", "source": "cyner_mitre_train"}} +{"text": "If a smartphone or tablet was released more than a year ago , it is probably no longer supported by the manufacturer and patching of vulnerabilities is no longer provided .", "spans": {}, "info": {"id": "cyner_mitre_train_01475", "source": "cyner_mitre_train"}} +{"text": "In that case , the only help comes from an antivirus solution , for example , Kaspersky Internet Security for Android .", "spans": {"System: Kaspersky Internet Security": [[78, 105]], "System: Android": [[110, 117]]}, "info": {"id": "cyner_mitre_train_01476", "source": "cyner_mitre_train"}} +{"text": "Embedding malicious code in legitimate programs helps conceal infections from the victim .", "spans": {}, "info": {"id": "cyner_mitre_train_01477", "source": "cyner_mitre_train"}} +{"text": "Of course , this does not mean the digital signature of the software developer can be used .", "spans": {}, "info": {"id": "cyner_mitre_train_01478", "source": "cyner_mitre_train"}} +{"text": "However , due to the absence of certification centers verifying the digital signatures of Android programs , nothing prevents criminals from adding their own signature .", "spans": {}, "info": {"id": 
"cyner_mitre_train_01479", "source": "cyner_mitre_train"}} +{"text": "As a result , a copy of Angry Birds installed from an unofficial app store or downloaded from a forum could easily contain malicious functionality .", "spans": {"System: Angry Birds": [[24, 35]]}, "info": {"id": "cyner_mitre_train_01480", "source": "cyner_mitre_train"}} +{"text": "Capabilities and functionality In 2013 , we detected several technological innovations developed and used by criminals in their malicious software .", "spans": {}, "info": {"id": "cyner_mitre_train_01481", "source": "cyner_mitre_train"}} +{"text": "Below are descriptions of some of the most interesting .", "spans": {}, "info": {"id": "cyner_mitre_train_01482", "source": "cyner_mitre_train"}} +{"text": "Control of malware from a single center provides maximum flexibility .", "spans": {}, "info": {"id": "cyner_mitre_train_01483", "source": "cyner_mitre_train"}} +{"text": "Botnets can make considerably more money than autonomous Trojans .", "spans": {}, "info": {"id": "cyner_mitre_train_01484", "source": "cyner_mitre_train"}} +{"text": "It comes as no surprise then that many SMS-Trojans include bot functionality .", "spans": {}, "info": {"id": "cyner_mitre_train_01485", "source": "cyner_mitre_train"}} +{"text": "According to our estimates , about 60 % of mobile malware are elements of both large and small mobile botnets .", "spans": {}, "info": {"id": "cyner_mitre_train_01486", "source": "cyner_mitre_train"}} +{"text": "By using Google Cloud Messaging botnet owners can operate without a C & C server , thus eliminating the threat of the botnet being detected and blocked by law enforcement authorities .", "spans": {"System: Google Cloud Messaging": [[9, 31]]}, "info": {"id": "cyner_mitre_train_01487", "source": "cyner_mitre_train"}} +{"text": "Google Cloud Messaging is designed to send short message ( up to 4 KB ) to mobile devices via Google services .", "spans": {"System: Google Cloud Messaging": [[0, 22]], "Organization: 
Google": [[94, 100]]}, "info": {"id": "cyner_mitre_train_01488", "source": "cyner_mitre_train"}} +{"text": "The developer simply has to register and receive a unique ID for his applications .", "spans": {}, "info": {"id": "cyner_mitre_train_01489", "source": "cyner_mitre_train"}} +{"text": "The commands received via GCM can not be blocked immediately on an infected device .", "spans": {"System: GCM": [[26, 29]]}, "info": {"id": "cyner_mitre_train_01490", "source": "cyner_mitre_train"}} +{"text": "We have detected several malicious programs using GCM for command and control – the widespread Trojan-SMS.AndroidOS.FakeInst.a , Trojan-SMS.AndroidOS.Agent.ao , and Trojan-SMS.AndroidOS.OpFake.a among others .", "spans": {"System: GCM": [[50, 53]], "Malware: Trojan-SMS.AndroidOS.FakeInst.a": [[95, 126]], "Malware: Trojan-SMS.AndroidOS.Agent.ao": [[129, 158]], "Malware: Trojan-SMS.AndroidOS.OpFake.a": [[165, 194]]}, "info": {"id": "cyner_mitre_train_01491", "source": "cyner_mitre_train"}} +{"text": "Google is actively combating this use of the service , responding quickly to reports from antivirus companies and blocking the IDs of cybercriminals .", "spans": {"Organization: Google": [[0, 6]]}, "info": {"id": "cyner_mitre_train_01492", "source": "cyner_mitre_train"}} +{"text": "Attacks on Windows XP allows mobile malware to infect a PC after connecting a smartphone or tablet .", "spans": {"System: Windows XP": [[11, 21]]}, "info": {"id": "cyner_mitre_train_01493", "source": "cyner_mitre_train"}} +{"text": "In early 2013 we detected two identical applications on Google Play that were allegedly designed for cleaning the operating system of Android-based devices from unnecessary processes .", "spans": {"System: Google Play": [[56, 67]], "System: Android-based": [[134, 147]]}, "info": {"id": "cyner_mitre_train_01494", "source": "cyner_mitre_train"}} +{"text": "In fact , the applications are designed to download the autorun.inf file , an icon file and the win32-Trojan file , 
which the mobile malicious program locates in the root directory of an SD card .", "spans": {"Indicator: autorun.inf file": [[56, 72]], "System: win32-Trojan": [[96, 108]], "System: SD card": [[187, 194]]}, "info": {"id": "cyner_mitre_train_01495", "source": "cyner_mitre_train"}} +{"text": "On connecting a smartphone in the USB drive emulation mode to a computer running Windows XP , the system automatically starts the Trojan ( if AutoPlay on the external media is not disabled ) and is infected .", "spans": {"System: USB drive": [[34, 43]], "System: Windows XP": [[81, 91]]}, "info": {"id": "cyner_mitre_train_01496", "source": "cyner_mitre_train"}} +{"text": "The Trojan allows the criminals to remotely control the victim ’ s computer and is capable of recording sound from a microphone .", "spans": {}, "info": {"id": "cyner_mitre_train_01497", "source": "cyner_mitre_train"}} +{"text": "We would like to emphasize that this method of attack only works on Windows XP and Android versions prior to 2.2 .", "spans": {"System: Windows XP": [[68, 78]], "System: Android": [[83, 90]]}, "info": {"id": "cyner_mitre_train_01498", "source": "cyner_mitre_train"}} +{"text": "The most advanced mobile malicious programs today are Trojans targeting users ’ bank accounts – the most attractive source of criminal earnings .", "spans": {}, "info": {"id": "cyner_mitre_train_01499", "source": "cyner_mitre_train"}} +{"text": "Trend of the year : mobile banking Trojans 2013 was marked by a rapid rise in the number of Android banking Trojans .", "spans": {"System: Android": [[92, 99]]}, "info": {"id": "cyner_mitre_train_01500", "source": "cyner_mitre_train"}} +{"text": "The cyber industry of mobile malware is becoming more focused on making profits more effectively , i.e. 
, mobile phishing , theft of credit card information , money transfers from bank cards to mobile phones and from phones to the criminalas ’ e-wallets .", "spans": {}, "info": {"id": "cyner_mitre_train_01501", "source": "cyner_mitre_train"}} +{"text": "Cybercriminals have become obsessed by this method of illegal earnings : at the beginning of the year we knew only 67 banking Trojans , but by the end of the year there were already 1321 unique samples .", "spans": {}, "info": {"id": "cyner_mitre_train_01502", "source": "cyner_mitre_train"}} +{"text": "Kaspersky Lab mobile products prevented 2,500 infections by banking Trojans .", "spans": {"System: Kaspersky Lab": [[0, 13]]}, "info": {"id": "cyner_mitre_train_01503", "source": "cyner_mitre_train"}} +{"text": "mobile_treats_2013_04s The number of mobile banking Trojans in our collection Mobile banking Trojans can run together with Win-32 Trojans to bypass the two-factor authentication – mTAN theft ( the theft of banking verification codes that banks send their customers in SMS messages ) .", "spans": {"System: Win-32": [[123, 129]]}, "info": {"id": "cyner_mitre_train_01504", "source": "cyner_mitre_train"}} +{"text": "However , in 2013 , autonomous mobile banking Trojans developed further .", "spans": {}, "info": {"id": "cyner_mitre_train_01505", "source": "cyner_mitre_train"}} +{"text": "Currently , such Trojans attack a limited number of bank customers , but it is expected that cybercriminals will invent new techniques that will allow them to expand the number and the geography of potential victims .", "spans": {}, "info": {"id": "cyner_mitre_train_01506", "source": "cyner_mitre_train"}} +{"text": "mobile_treats_2013_05s Infections caused by mobile banking programs Today , the majority of banking Trojan attacks affect users in Russia and the CIS .", "spans": {}, "info": {"id": "cyner_mitre_train_01507", "source": "cyner_mitre_train"}} +{"text": "However , this situation will not last long : given the cybercriminals ’ 
interest in user bank accounts , the activity of mobile banking Trojans is expected to grow in other countries in 2014 .", "spans": {}, "info": {"id": "cyner_mitre_train_01508", "source": "cyner_mitre_train"}} +{"text": "As mentioned above , banking Trojans are perhaps the most complex of all mobile threats , and Svpeng is one of the most striking examples .", "spans": {"Malware: Svpeng": [[94, 100]]}, "info": {"id": "cyner_mitre_train_01509", "source": "cyner_mitre_train"}} +{"text": "Svpeng In mid-July , we detected Trojan-SMS.AndroidOS.Svpeng.a which , unlike its SMS Trojan counterparts , is focused on stealing money from the victiim ’ s bank account rather than from his mobile phone .", "spans": {"Malware: Svpeng": [[0, 6]], "Malware: Trojan-SMS.AndroidOS.Svpeng.a": [[33, 62]]}, "info": {"id": "cyner_mitre_train_01510", "source": "cyner_mitre_train"}} +{"text": "It can not act independently and operates strictly in accordance with commands received from the C & C server .", "spans": {}, "info": {"id": "cyner_mitre_train_01511", "source": "cyner_mitre_train"}} +{"text": "This malicious program spreads via SMS spam and from compromised legitimate sites that redirect mobile users to a malicious resource .", "spans": {}, "info": {"id": "cyner_mitre_train_01512", "source": "cyner_mitre_train"}} +{"text": "There the user is prompted to download and install a Trojan imitating an Adobe Flash Player update .", "spans": {"System: Adobe Flash Player": [[73, 91]]}, "info": {"id": "cyner_mitre_train_01513", "source": "cyner_mitre_train"}} +{"text": "Svpeng is capable of doing lots of things .", "spans": {"Malware: Svpeng": [[0, 6]]}, "info": {"id": "cyner_mitre_train_01514", "source": "cyner_mitre_train"}} +{"text": "It collects information about the smartphone ( IMEI , country , service provider , operating system language ) and sends it to the host via the HTTP POST request .", "spans": {}, "info": {"id": "cyner_mitre_train_01515", "source": "cyner_mitre_train"}} 
+{"text": "This appears to be necessary to determine the number of banks the victim may use .", "spans": {}, "info": {"id": "cyner_mitre_train_01516", "source": "cyner_mitre_train"}} +{"text": "Svpeng is only currently attacking clients of Russian banks .", "spans": {"Malware: Svpeng": [[0, 6]]}, "info": {"id": "cyner_mitre_train_01517", "source": "cyner_mitre_train"}} +{"text": "Typically , however , cybercriminals first test-run a technology on the Russian sector of the Internet and then roll it out globally , attacking users in other countries .", "spans": {}, "info": {"id": "cyner_mitre_train_01518", "source": "cyner_mitre_train"}} +{"text": "It steals SMS messages and information about voice calls .", "spans": {}, "info": {"id": "cyner_mitre_train_01519", "source": "cyner_mitre_train"}} +{"text": "It helps the attacker find out which banks the owner of the smartphone calls – the Trojan receives a list of bank phone numbers from its C & C server .", "spans": {}, "info": {"id": "cyner_mitre_train_01520", "source": "cyner_mitre_train"}} +{"text": "It steals money from the victim ’ s bank account .", "spans": {}, "info": {"id": "cyner_mitre_train_01521", "source": "cyner_mitre_train"}} +{"text": "In Russia , some major banks offer their clients a special service that allows them to transfer money from their bank card to their mobile phone account .", "spans": {}, "info": {"id": "cyner_mitre_train_01522", "source": "cyner_mitre_train"}} +{"text": "Customers have to send a set text message from their phone to a specific bank number .", "spans": {}, "info": {"id": "cyner_mitre_train_01523", "source": "cyner_mitre_train"}} +{"text": "Svpeng sends the corresponding messages to the SMS services of two banks .", "spans": {"Malware: Svpeng": [[0, 6]]}, "info": {"id": "cyner_mitre_train_01524", "source": "cyner_mitre_train"}} +{"text": "Svpeng does this to check if the cards from these banks are attached to the number of the infected phone and to find out the account 
balance .", "spans": {"Malware: Svpeng": [[0, 6]]}, "info": {"id": "cyner_mitre_train_01525", "source": "cyner_mitre_train"}} +{"text": "If the phone is attached to a bank card , commands are sent from the C & C server with instructions to transfer money from the user ’ s bank account to his/her mobile account .", "spans": {}, "info": {"id": "cyner_mitre_train_01526", "source": "cyner_mitre_train"}} +{"text": "The cybercriminals then send this money to a digital wallet or to a premium number and cash it in .", "spans": {}, "info": {"id": "cyner_mitre_train_01527", "source": "cyner_mitre_train"}} +{"text": "It steals logins and passwords to online banking accounts by substituting he window displayed by the bank application .", "spans": {}, "info": {"id": "cyner_mitre_train_01528", "source": "cyner_mitre_train"}} +{"text": "Currently , this only affects Russian banks , but the technology behind Svpeng could easily be used to target other banking applications .", "spans": {"Malware: Svpeng": [[72, 78]]}, "info": {"id": "cyner_mitre_train_01529", "source": "cyner_mitre_train"}} +{"text": "It steals bank card information ( the number , the expiry date , CVC2/CVV2 ) imitating the process of registering the bank card with Google Play .", "spans": {"System: Google Play": [[133, 144]]}, "info": {"id": "cyner_mitre_train_01530", "source": "cyner_mitre_train"}} +{"text": "If the user has launched Play Market , the Trojan intercepts the event and displays a window on top of the Google Play window , prompting the user to enter his/her bank card details in the fake window .", "spans": {"System: Play Market": [[25, 36]], "System: Google Play": [[107, 118]]}, "info": {"id": "cyner_mitre_train_01531", "source": "cyner_mitre_train"}} +{"text": "The data entered by the user is sent to the cybercriminals .", "spans": {}, "info": {"id": "cyner_mitre_train_01532", "source": "cyner_mitre_train"}} +{"text": "mobile_treats_2013_06s It extorts money from users by threatening to block the 
smartphone : it displays a message demanding $ 500 to unblock the device .", "spans": {}, "info": {"id": "cyner_mitre_train_01533", "source": "cyner_mitre_train"}} +{"text": "In actual fact , the Trojan does not block anything and the phone can be used without any problems .", "spans": {}, "info": {"id": "cyner_mitre_train_01534", "source": "cyner_mitre_train"}} +{"text": "It hides traces of its activity by masking the outgoing and incoming text messages and blocking calls and messages from numbers belonging to the bank .", "spans": {}, "info": {"id": "cyner_mitre_train_01535", "source": "cyner_mitre_train"}} +{"text": "The Trojan gets the list of bank phone numbers from its C & C server .", "spans": {}, "info": {"id": "cyner_mitre_train_01536", "source": "cyner_mitre_train"}} +{"text": "It protects itself from deletion by requesting Device Administrator rights during the installation .", "spans": {}, "info": {"id": "cyner_mitre_train_01537", "source": "cyner_mitre_train"}} +{"text": "As a result , the Trojan delete button in the list of applications becomes inactive , which may cause problems for inexperienced users .", "spans": {}, "info": {"id": "cyner_mitre_train_01538", "source": "cyner_mitre_train"}} +{"text": "It is impossible to deprive it of these rights without the use of specialized tools ( such as Kaspersky Internet Security for Android ) .", "spans": {"System: Kaspersky Internet Security": [[94, 121]], "System: Android": [[126, 133]]}, "info": {"id": "cyner_mitre_train_01539", "source": "cyner_mitre_train"}} +{"text": "To protect itself from being removed , Svpeng uses a previously unknown vulnerability in Android .", "spans": {"Malware: Svpeng": [[39, 45]], "System: Android": [[89, 96]]}, "info": {"id": "cyner_mitre_train_01540", "source": "cyner_mitre_train"}} +{"text": "It uses the same trick to prevent the smartphone from being returned to its factory settings .", "spans": {}, "info": {"id": "cyner_mitre_train_01541", "source": 
"cyner_mitre_train"}} +{"text": "The Trojan is distributed in Russia and CIS countries .", "spans": {}, "info": {"id": "cyner_mitre_train_01542", "source": "cyner_mitre_train"}} +{"text": "But , as we have already mentioned , the criminals could easily turn their attention to users in other countries .", "spans": {}, "info": {"id": "cyner_mitre_train_01543", "source": "cyner_mitre_train"}} +{"text": "Perkele and Wroba Foreign users have also been on the receiving end of several malicious innovations targeting bank accounts .", "spans": {"Malware: Perkele": [[0, 7]], "Malware: Wroba": [[12, 17]]}, "info": {"id": "cyner_mitre_train_01544", "source": "cyner_mitre_train"}} +{"text": "The Perkele Android Trojan not only attacks Russian users but also clients of several European banks .", "spans": {"Malware: Perkele": [[4, 11]]}, "info": {"id": "cyner_mitre_train_01545", "source": "cyner_mitre_train"}} +{"text": "It is of interest primarily because it operates in conjunction with various banking win32-Trojans .", "spans": {"System: win32-Trojans": [[84, 97]]}, "info": {"id": "cyner_mitre_train_01546", "source": "cyner_mitre_train"}} +{"text": "Its main task is to bypass the two-factor authentication of the client in the online banking system .", "spans": {}, "info": {"id": "cyner_mitre_train_01547", "source": "cyner_mitre_train"}} +{"text": "Due to the specific nature of its activity , Perkele is distributed in a rather unusual way .", "spans": {"Malware: Perkele": [[45, 52]]}, "info": {"id": "cyner_mitre_train_01548", "source": "cyner_mitre_train"}} +{"text": "When a user enters an Internet banking site on a computer infected by banking malware ( ZeuS , Citadel ) , a request about the smartphone number and type of operating system is injected into the code of the authentication page .", "spans": {"Malware: ZeuS": [[88, 92]], "Malware: Citadel": [[95, 102]]}, "info": {"id": "cyner_mitre_train_01549", "source": "cyner_mitre_train"}} +{"text": "This data is immediately 
sent to the cybercriminals and the computer displays the QR code containing a link to the alleged certificate of the online banking system .", "spans": {}, "info": {"id": "cyner_mitre_train_01550", "source": "cyner_mitre_train"}} +{"text": "After scanning the QR code and installing a component downloaded from the link , the user infects his smartphone with the Trojan program that boasts functionality that is of great interest to the attackers .", "spans": {}, "info": {"id": "cyner_mitre_train_01551", "source": "cyner_mitre_train"}} +{"text": "Perkele intercepts mTANs ( confirmation codes for banking operations ) sent by the bank via text message .", "spans": {"Malware: Perkele": [[0, 7]]}, "info": {"id": "cyner_mitre_train_01552", "source": "cyner_mitre_train"}} +{"text": "By using the login and password stolen from the browser , the Windows Trojan initiates a fake transaction while Perkele intercepts ( via the C & C server ) the mTAN sent by the bank to the user .", "spans": {"Malware: Perkele": [[112, 119]]}, "info": {"id": "cyner_mitre_train_01553", "source": "cyner_mitre_train"}} +{"text": "Money then disappears from the victim ’ s account and is cashed in without the owner ’ s knowledge .", "spans": {}, "info": {"id": "cyner_mitre_train_01554", "source": "cyner_mitre_train"}} +{"text": "The Korean malware Wroba , in addition to the traditional vector of infection via file-sharing services , spreads via alternative app stores .", "spans": {"Malware: Wroba": [[19, 24]]}, "info": {"id": "cyner_mitre_train_01555", "source": "cyner_mitre_train"}} +{"text": "Once it infects a device , Wroba behaves very aggressively .", "spans": {"Malware: Wroba": [[27, 32]]}, "info": {"id": "cyner_mitre_train_01556", "source": "cyner_mitre_train"}} +{"text": "It searches for mobile banking applications , removes them and uploads counterfeit versions .", "spans": {}, "info": {"id": "cyner_mitre_train_01557", "source": "cyner_mitre_train"}} +{"text": "From the outside , they are 
indistinguishable from the legitimate applications .", "spans": {}, "info": {"id": "cyner_mitre_train_01558", "source": "cyner_mitre_train"}} +{"text": "However , they possess no banking functions , and merely steal the logins and passwords entered by users .", "spans": {}, "info": {"id": "cyner_mitre_train_01559", "source": "cyner_mitre_train"}} +{"text": "ViperRAT : The Mobile APT Targeting The Israeli Defense Force That Should Be On Your Radar February 16 , 2017 ViperRAT is an active , advanced persistent threat ( APT ) that sophisticated threat actors are actively using to target and spy on the Israeli Defense Force.The threat actors behind the ViperRAT surveillanceware collect a significant amount of sensitive information off of the device , and seem most interested in exfiltrating images and audio content .", "spans": {"Malware: ViperRAT": [[0, 8], [110, 118], [297, 305]], "Organization: Israeli Defense Force": [[40, 61]], "Organization: Israeli Defense Force.The": [[246, 271]]}, "info": {"id": "cyner_mitre_train_01560", "source": "cyner_mitre_train"}} +{"text": "The attackers are also hijacking the device camera to take pictures .", "spans": {}, "info": {"id": "cyner_mitre_train_01561", "source": "cyner_mitre_train"}} +{"text": "Using data collected from the Lookout global sensor network , the Lookout research team was able to gain unique visibility into the ViperRAT malware , including 11 new , unreported applications .", "spans": {"Organization: Lookout": [[30, 37]], "Malware: ViperRAT": [[132, 140]]}, "info": {"id": "cyner_mitre_train_01562", "source": "cyner_mitre_train"}} +{"text": "We also discovered and analyzed live , misconfigured malicious command and control servers ( C2 ) , from which we were able to identify how the attacker gets new , infected apps to secretly install and the types of activities they are monitoring .", "spans": {}, "info": {"id": "cyner_mitre_train_01563", "source": "cyner_mitre_train"}} +{"text": "In addition , we uncovered 
the IMEIs of the targeted individuals ( IMEIs will not be shared publicly for the privacy and safety of the victims ) as well as the types of exfiltrated content .", "spans": {}, "info": {"id": "cyner_mitre_train_01564", "source": "cyner_mitre_train"}} +{"text": "In aggregate , the type of information stolen could let an attacker know where a person is , with whom they are associated ( including contacts ’ profile photos ) , the messages they are sending , the websites they visit and search history , screenshots that reveal data from other apps on the device , the conversations they have in the presence of the device , and a myriad of images including anything at which device ’ s camera is pointed .", "spans": {}, "info": {"id": "cyner_mitre_train_01565", "source": "cyner_mitre_train"}} +{"text": "Lookout has determined ViperRAT is a very sophisticated threat that adds to the mounting evidence that targeted mobile attacks against governments and business is a real problem .", "spans": {"Organization: Lookout": [[0, 7]], "Malware: ViperRAT": [[23, 31]]}, "info": {"id": "cyner_mitre_train_01566", "source": "cyner_mitre_train"}} +{"text": "Lookout researchers have been tracking this threat for the last month .", "spans": {"Organization: Lookout": [[0, 7]]}, "info": {"id": "cyner_mitre_train_01567", "source": "cyner_mitre_train"}} +{"text": "Given that this is an active threat , we ’ ve been working behind-the-scenes with our customers to ensure both personal and enterprise customers are protected from this threat and only decided to come forward with this information after the research team at Kaspersky released a report earlier today .", "spans": {"Organization: Kaspersky": [[258, 267]]}, "info": {"id": "cyner_mitre_train_01568", "source": "cyner_mitre_train"}} +{"text": "Additionally , we have determined that though original reports of this story attribute this surveillanceware tool to Hamas , this may not be the case , as we demonstrate below .", "spans": 
{"Organization: Hamas": [[117, 122]]}, "info": {"id": "cyner_mitre_train_01569", "source": "cyner_mitre_train"}} +{"text": "The increasing sophistication of surveillanceware The structure of the surveillanceware indicates it is very sophisticated .", "spans": {}, "info": {"id": "cyner_mitre_train_01570", "source": "cyner_mitre_train"}} +{"text": "Analysis indicates there are currently two distinct variants of ViperRAT .", "spans": {"Malware: ViperRAT": [[64, 72]]}, "info": {"id": "cyner_mitre_train_01571", "source": "cyner_mitre_train"}} +{"text": "The first variant is a “ first stage application , ” that performs basic profiling of a device , and under certain conditions attempts to download and install a much more comprehensive surveillanceware component , which is the second variant .", "spans": {}, "info": {"id": "cyner_mitre_train_01572", "source": "cyner_mitre_train"}} +{"text": "The first variant involves social engineering the target into downloading a trojanized app .", "spans": {}, "info": {"id": "cyner_mitre_train_01573", "source": "cyner_mitre_train"}} +{"text": "Previous reports alleged this surveillanceware tool was deployed using ‘ honey traps ’ where the actor behind it would reach out to targets via fake social media profiles of young women .", "spans": {}, "info": {"id": "cyner_mitre_train_01574", "source": "cyner_mitre_train"}} +{"text": "After building an initial rapport with targets , the actors behind these social media accounts would instruct victims to install an additional app for easier communication .", "spans": {}, "info": {"id": "cyner_mitre_train_01575", "source": "cyner_mitre_train"}} +{"text": "Specifically , Lookout determined these were trojanized versions of the apps SR Chat and YeeCall Pro .", "spans": {"Organization: Lookout": [[15, 22]], "System: SR Chat": [[77, 84]], "System: YeeCall Pro": [[89, 100]]}, "info": {"id": "cyner_mitre_train_01576", "source": "cyner_mitre_train"}} +{"text": "We also uncovered ViperRAT in a 
billiards game , an Israeli Love Songs player , and a Move To iOS app .", "spans": {"Malware: ViperRAT": [[18, 26]], "System: iOS": [[94, 97]]}, "info": {"id": "cyner_mitre_train_01577", "source": "cyner_mitre_train"}} +{"text": "The second stage The second stage apps contain the surveillanceware capabilities .", "spans": {}, "info": {"id": "cyner_mitre_train_01578", "source": "cyner_mitre_train"}} +{"text": "Lookout uncovered nine secondary payload applications : * These apps have not been previously reported and were discovered using data from the Lookout global sensor network , which collects app and device information from over 100 million sensors to provide researchers and customers with a holistic look at the mobile threat ecosystem today .", "spans": {"Organization: Lookout": [[0, 7], [143, 150]]}, "info": {"id": "cyner_mitre_train_01579", "source": "cyner_mitre_train"}} +{"text": "Naming additional payload applications as system updates is a clever technique used by malware authors to trick victims into believing a threat isn ’ t present on their device .", "spans": {}, "info": {"id": "cyner_mitre_train_01580", "source": "cyner_mitre_train"}} +{"text": "ViperRAT takes this one step further by using its dropper app to identify an appropriate second stage ‘ update ’ that may go unnoticed .", "spans": {"Malware: ViperRAT": [[0, 8]]}, "info": {"id": "cyner_mitre_train_01581", "source": "cyner_mitre_train"}} +{"text": "For example , if a victim has Viber on their device , it will choose to retrieve the Viber Update second stage .", "spans": {"System: Viber": [[30, 35]], "System: Viber Update": [[85, 97]]}, "info": {"id": "cyner_mitre_train_01582", "source": "cyner_mitre_train"}} +{"text": "If he doesn ’ t have Viber , the generically-named System Updates app gets downloaded and installed instead .", "spans": {}, "info": {"id": "cyner_mitre_train_01583", "source": "cyner_mitre_train"}} +{"text": "What was taken The actors behind ViperRAT seem to be particularly 
interested in image data .", "spans": {"Malware: ViperRAT": [[33, 41]]}, "info": {"id": "cyner_mitre_train_01584", "source": "cyner_mitre_train"}} +{"text": "We were able to identify that 8,929 files had been exfiltrated from compromised devices and that the overwhelming majority of these , 97 percent , were highly likely encrypted images taken using the device camera .", "spans": {}, "info": {"id": "cyner_mitre_train_01585", "source": "cyner_mitre_train"}} +{"text": "We also observed automatically generated files on the C2 , indicating the actor behind this campaign also issues commands to search for and exfiltrate PDF and Office documents .", "spans": {}, "info": {"id": "cyner_mitre_train_01586", "source": "cyner_mitre_train"}} +{"text": "This should be highly alarming to any government agency or enterprise .", "spans": {}, "info": {"id": "cyner_mitre_train_01587", "source": "cyner_mitre_train"}} +{"text": "We observed legitimate exfiltrated files of the following types of data : Contact information Compressed recorded audio in the Adaptive Multi-Rate ( amr ) file format Images captured from the device camera Images stored on both internal device and SDCard storage that are listed in the MediaStore Device geolocation information SMS content Chrome browser search history and bookmarks Call log information Cell tower information Device network metadata ; such as phone number , device software version , network country , network operator , SIM country , SIM operator , SIM serial , IMSI , voice mail number , phone", "spans": {}, "info": {"id": "cyner_mitre_train_01588", "source": "cyner_mitre_train"}} +{"text": "type , network type , data state , data activity , call state , SIM state , whether device is roaming , and if SMS is supported .", "spans": {}, "info": {"id": "cyner_mitre_train_01589", "source": "cyner_mitre_train"}} +{"text": "Standard browser search history Standard browser bookmarks Device handset metadata ; such as brand , display , hardware , 
manufacturer , product , serial , radio version , and SDK .", "spans": {}, "info": {"id": "cyner_mitre_train_01590", "source": "cyner_mitre_train"}} +{"text": "Command and control API calls ViperRAT samples are capable of communicating to C2 servers through an exposed API as well as websockets .", "spans": {"Malware: ViperRAT": [[30, 38]]}, "info": {"id": "cyner_mitre_train_01591", "source": "cyner_mitre_train"}} +{"text": "Below is a collection of API methods and a brief description around their purpose .", "spans": {}, "info": {"id": "cyner_mitre_train_01592", "source": "cyner_mitre_train"}} +{"text": "On attribution Media reporting on ViperRAT thus far attributes this surveillanceware tool to Hamas .", "spans": {"Malware: ViperRAT": [[34, 42]], "Organization: Hamas": [[93, 98]]}, "info": {"id": "cyner_mitre_train_01593", "source": "cyner_mitre_train"}} +{"text": "Israeli media published the first reports about the social networking and social engineering aspects of this campaign .", "spans": {}, "info": {"id": "cyner_mitre_train_01594", "source": "cyner_mitre_train"}} +{"text": "However it ’ s unclear whether organizations that later reported on ViperRAT performed their own independent research or simply based their content on the original Israeli report .", "spans": {"Malware: ViperRAT": [[68, 76]]}, "info": {"id": "cyner_mitre_train_01595", "source": "cyner_mitre_train"}} +{"text": "Hamas is not widely known for having a sophisticated mobile capability , which makes it unlikely they are directly responsible for ViperRAT .", "spans": {"Organization: Hamas": [[0, 5]], "Malware: ViperRAT": [[131, 139]]}, "info": {"id": "cyner_mitre_train_01596", "source": "cyner_mitre_train"}} +{"text": "ViperRAT has been operational for quite some time , with what appears to be a test application that surfaced in late 2015 .", "spans": {"Malware: ViperRAT": [[0, 8]]}, "info": {"id": "cyner_mitre_train_01597", "source": "cyner_mitre_train"}} +{"text": "Many of the default strings 
in this application are in Arabic , including the name .", "spans": {}, "info": {"id": "cyner_mitre_train_01598", "source": "cyner_mitre_train"}} +{"text": "It is unclear whether this means early samples were targeting Arabic speakers or if the developers behind it are fluent in Arabic .", "spans": {}, "info": {"id": "cyner_mitre_train_01599", "source": "cyner_mitre_train"}} +{"text": "This leads us to believe this is another actor .", "spans": {}, "info": {"id": "cyner_mitre_train_01600", "source": "cyner_mitre_train"}} +{"text": "What this means for you All Lookout customers are protected from this threat .", "spans": {"Organization: Lookout": [[28, 35]]}, "info": {"id": "cyner_mitre_train_01601", "source": "cyner_mitre_train"}} +{"text": "However , the existence of threats like ViperRAT and Pegasus , the most sophisticated piece of mobile surveillanceware we ’ ve seen to date , are evidence that attackers are targeting mobile devices .", "spans": {"Malware: ViperRAT": [[40, 48]], "Malware: Pegasus": [[53, 60]]}, "info": {"id": "cyner_mitre_train_01602", "source": "cyner_mitre_train"}} +{"text": "Mobile devices are at the frontier of cyber espionage , and other criminal motives .", "spans": {}, "info": {"id": "cyner_mitre_train_01603", "source": "cyner_mitre_train"}} +{"text": "Enterprise and government employees all use these devices in their day-to-day work , which means IT and security leaders within these organizations must prioritize mobile in their security strategies .", "spans": {}, "info": {"id": "cyner_mitre_train_01604", "source": "cyner_mitre_train"}} +{"text": "Check Point researchers discovered another widespread malware campaign on Google Play , Google ’ s official app store .", "spans": {"Organization: Check Point": [[0, 11]], "System: Google Play": [[74, 85]], "Organization: Google": [[88, 94]]}, "info": {"id": "cyner_mitre_train_01605", "source": "cyner_mitre_train"}} +{"text": "The malware , dubbed “ Judy ” , is an auto-clicking adware which 
was found on 41 apps developed by a Korean company .", "spans": {"Malware: Judy": [[23, 27]]}, "info": {"id": "cyner_mitre_train_01606", "source": "cyner_mitre_train"}} +{"text": "The malware uses infected devices to generate large amounts of fraudulent clicks on advertisements , generating revenues for the perpetrators behind it .", "spans": {}, "info": {"id": "cyner_mitre_train_01607", "source": "cyner_mitre_train"}} +{"text": "The malicious apps reached an astonishing spread between 4.5 million and 18.5 million downloads .", "spans": {}, "info": {"id": "cyner_mitre_train_01608", "source": "cyner_mitre_train"}} +{"text": "Some of the apps we discovered resided on Google Play for several years , but all were recently updated .", "spans": {"System: Google Play": [[42, 53]]}, "info": {"id": "cyner_mitre_train_01609", "source": "cyner_mitre_train"}} +{"text": "It is unclear how long the malicious code existed inside the apps , hence the actual spread of the malware remains unknown .", "spans": {}, "info": {"id": "cyner_mitre_train_01610", "source": "cyner_mitre_train"}} +{"text": "We also found several apps containing the malware , which were developed by other developers on Google Play .", "spans": {"System: Google Play": [[96, 107]]}, "info": {"id": "cyner_mitre_train_01611", "source": "cyner_mitre_train"}} +{"text": "The connection between the two campaigns remains unclear , and it is possible that one borrowed code from the other , knowingly or unknowingly .", "spans": {}, "info": {"id": "cyner_mitre_train_01612", "source": "cyner_mitre_train"}} +{"text": "The oldest app of the second campaign was last updated in April 2016 , meaning that the malicious code hid for a long time on the Play store undetected .", "spans": {"System: Play store": [[130, 140]]}, "info": {"id": "cyner_mitre_train_01613", "source": "cyner_mitre_train"}} +{"text": "These apps also had a large amount of downloads between 4 and 18 million , meaning the total spread of the malware may have 
reached between 8.5 and 36.5 million users .", "spans": {}, "info": {"id": "cyner_mitre_train_01614", "source": "cyner_mitre_train"}} +{"text": "Similar to previous malware which infiltrated Google Play , such as FalseGuide and Skinner , Judy relies on the communication with its Command and Control server ( C & C ) for its operation .", "spans": {"System: Google Play": [[46, 57]], "Malware: FalseGuide": [[68, 78]], "Malware: Skinner": [[83, 90]]}, "info": {"id": "cyner_mitre_train_01615", "source": "cyner_mitre_train"}} +{"text": "After Check Point notified Google about this threat , the apps were swiftly removed from the Play store .", "spans": {"Organization: Check Point": [[6, 17]], "Organization: Google": [[27, 33]], "System: Play store": [[93, 103]]}, "info": {"id": "cyner_mitre_train_01616", "source": "cyner_mitre_train"}} +{"text": "How Judy operates : To bypass Bouncer , Google Play ’ s protection , the hackers create a seemingly benign bridgehead app , meant to establish connection to the victim ’ s device , and insert it into the app store .", "spans": {"Malware: Judy": [[4, 8]], "System: Bouncer": [[30, 37]], "System: Google Play": [[40, 51]]}, "info": {"id": "cyner_mitre_train_01617", "source": "cyner_mitre_train"}} +{"text": "Once a user downloads a malicious app , it silently registers receivers which establish a connection with the C & C server .", "spans": {}, "info": {"id": "cyner_mitre_train_01618", "source": "cyner_mitre_train"}} +{"text": "The server replies with the actual malicious payload , which includes JavaScript code , a user-agent string and URLs controlled by the malware author .", "spans": {}, "info": {"id": "cyner_mitre_train_01619", "source": "cyner_mitre_train"}} +{"text": "The malware opens the URLs using the user agent that imitates a PC browser in a hidden webpage and receives a redirection to another website .", "spans": {}, "info": {"id": "cyner_mitre_train_01620", "source": "cyner_mitre_train"}} +{"text": "Once the targeted 
website is launched , the malware uses the JavaScript code to locate and click on banners from the Google ads infrastructure .", "spans": {"System: Google ads": [[117, 127]]}, "info": {"id": "cyner_mitre_train_01621", "source": "cyner_mitre_train"}} +{"text": "Upon clicking the ads , the malware author receives payment from the website developer , which pays for the illegitimate clicks and traffic .", "spans": {}, "info": {"id": "cyner_mitre_train_01622", "source": "cyner_mitre_train"}} +{"text": "The JavaScript code locates the targeted ads by searching for iframes which contain ads from Google ads infrastructure , as shown in the image below : The fraudulent clicks generate a large revenue for the perpetrators , especially since the malware reached a presumably wide spread .", "spans": {"System: Google ads": [[93, 103]]}, "info": {"id": "cyner_mitre_train_01623", "source": "cyner_mitre_train"}} +{"text": "Who is behind Judy ?", "spans": {"Malware: Judy": [[14, 18]]}, "info": {"id": "cyner_mitre_train_01624", "source": "cyner_mitre_train"}} +{"text": "The malicious apps are all developed by a Korean company named Kiniwini , registered on Google Play as ENISTUDIO corp .", "spans": {"Organization: Kiniwini": [[63, 71]], "System: Google Play": [[88, 99]], "Organization: ENISTUDIO corp": [[103, 117]]}, "info": {"id": "cyner_mitre_train_01625", "source": "cyner_mitre_train"}} +{"text": "The company develops mobile apps for both Android and iOS platforms .", "spans": {"System: Android": [[42, 49]], "System: iOS": [[54, 57]]}, "info": {"id": "cyner_mitre_train_01626", "source": "cyner_mitre_train"}} +{"text": "It is quite unusual to find an actual organization behind mobile malware , as most of them are developed by purely malicious actors .", "spans": {}, "info": {"id": "cyner_mitre_train_01627", "source": "cyner_mitre_train"}} +{"text": "It is important to note that the activity conducted by the malware is not borderline advertising , but definitely an illegitimate use 
of the users ’ mobile devices for generating fraudulent clicks , benefiting the attackers .", "spans": {}, "info": {"id": "cyner_mitre_train_01628", "source": "cyner_mitre_train"}} +{"text": "In addition to the clicking activity , Judy displays a large amount of advertisements , which in some cases leave users with no option but clicking on the ad itself .", "spans": {"Malware: Judy": [[39, 43]]}, "info": {"id": "cyner_mitre_train_01629", "source": "cyner_mitre_train"}} +{"text": "Although most apps have positive ratings , some of the users have noticed and reported Judy ’ s suspicious activities , as seen in the images below : As seen in previous malware , such as DressCode , a high reputation does not necessarily indicate that the app is safe for use .", "spans": {"Malware: Judy": [[87, 91]], "Malware: DressCode": [[188, 197]]}, "info": {"id": "cyner_mitre_train_01630", "source": "cyner_mitre_train"}} +{"text": "Hackers can hide their apps ’ real intentions or even manipulate users into leaving positive ratings , in some cases unknowingly .", "spans": {}, "info": {"id": "cyner_mitre_train_01631", "source": "cyner_mitre_train"}} +{"text": "Users can not rely on the official app stores for their safety , and should implement advanced security protections capable of detecting and blocking zero-day mobile malware .", "spans": {}, "info": {"id": "cyner_mitre_train_01632", "source": "cyner_mitre_train"}} +{"text": "PHA Family Highlights : Bread ( and Friends ) January 9 , 2020 In this edition of our PHA Family Highlights series we introduce Bread , a large-scale billing fraud family .", "spans": {"Malware: Bread": [[24, 29], [128, 133]]}, "info": {"id": "cyner_mitre_train_01633", "source": "cyner_mitre_train"}} +{"text": "We first started tracking Bread ( also known as Joker ) in early 2017 , identifying apps designed solely for SMS fraud .", "spans": {"Malware: Bread": [[26, 31]], "Malware: Joker": [[48, 53]]}, "info": {"id": "cyner_mitre_train_01634", "source": 
"cyner_mitre_train"}} +{"text": "As the Play Store has introduced new policies and Google Play Protect has scaled defenses , Bread apps were forced to continually iterate to search for gaps .", "spans": {"System: Play Store": [[7, 17]], "System: Google Play Protect": [[50, 69]], "Malware: Bread": [[92, 97]]}, "info": {"id": "cyner_mitre_train_01635", "source": "cyner_mitre_train"}} +{"text": "They have at some point used just about every cloaking and obfuscation technique under the sun in an attempt to go undetected .", "spans": {}, "info": {"id": "cyner_mitre_train_01636", "source": "cyner_mitre_train"}} +{"text": "Many of these samples appear to be designed specifically to attempt to slip into the Play Store undetected and are not seen elsewhere .", "spans": {"System: Play Store": [[85, 95]]}, "info": {"id": "cyner_mitre_train_01637", "source": "cyner_mitre_train"}} +{"text": "In this post , we show how Google Play Protect has defended against a well organized , persistent attacker and share examples of their techniques .", "spans": {"System: Google Play Protect": [[27, 46]]}, "info": {"id": "cyner_mitre_train_01638", "source": "cyner_mitre_train"}} +{"text": "TL ; DR Google Play Protect detected and removed 1.7k unique Bread apps from the Play Store before ever being downloaded by users Bread apps originally performed SMS fraud , but have largely abandoned this for WAP billing following the introduction of new Play policies restricting use of the SEND_SMS permission and increased coverage by Google Play Protect More information on stats and relative impact is available in the Android Security 2018 Year in Review report BILLING FRAUD Bread apps typically fall into two categories : SMS fraud ( older versions ) and toll fraud ( newer versions ) .", "spans": {"System: Google Play Protect": [[8, 27], [339, 358]], "Malware: Bread": [[61, 66], [130, 135], [483, 488]], "System: Play Store": [[81, 91]], "System: Play": [[256, 260]], "System: Android": [[425, 432]]}, 
"info": {"id": "cyner_mitre_train_01639", "source": "cyner_mitre_train"}} +{"text": "Both of these types of fraud take advantage of mobile billing techniques involving the user ’ s carrier .", "spans": {}, "info": {"id": "cyner_mitre_train_01640", "source": "cyner_mitre_train"}} +{"text": "SMS Billing Carriers may partner with vendors to allow users to pay for services by SMS .", "spans": {}, "info": {"id": "cyner_mitre_train_01641", "source": "cyner_mitre_train"}} +{"text": "The user simply needs to text a prescribed keyword to a prescribed number ( shortcode ) .", "spans": {}, "info": {"id": "cyner_mitre_train_01642", "source": "cyner_mitre_train"}} +{"text": "A charge is then added to the user ’ s bill with their mobile service provider .", "spans": {}, "info": {"id": "cyner_mitre_train_01643", "source": "cyner_mitre_train"}} +{"text": "Toll Billing Carriers may also provide payment endpoints over a web page .", "spans": {}, "info": {"id": "cyner_mitre_train_01644", "source": "cyner_mitre_train"}} +{"text": "The user visits the URL to complete the payment and enters their phone number .", "spans": {}, "info": {"id": "cyner_mitre_train_01645", "source": "cyner_mitre_train"}} +{"text": "Verification that the request is coming from the user ’ s device is completed using two possible methods : The user connects to the site over mobile data , not WiFi ( so the service provider directly handles the connection and can validate the phone number ) ; or The user must retrieve a code sent to them via SMS and enter it into the web page ( thereby proving access to the provided phone number ) .", "spans": {}, "info": {"id": "cyner_mitre_train_01646", "source": "cyner_mitre_train"}} +{"text": "Fraud Both of the billing methods detailed above provide device verification , but not user verification .", "spans": {}, "info": {"id": "cyner_mitre_train_01647", "source": "cyner_mitre_train"}} +{"text": "The carrier can determine that the request originates from the user ’ s device , 
but does not require any interaction from the user that can not be automated .", "spans": {}, "info": {"id": "cyner_mitre_train_01648", "source": "cyner_mitre_train"}} +{"text": "Malware authors use injected clicks , custom HTML parsers and SMS receivers to automate the billing process without requiring any interaction from the user .", "spans": {}, "info": {"id": "cyner_mitre_train_01649", "source": "cyner_mitre_train"}} +{"text": "STRING & DATA OBFUSCATION Bread apps have used many innovative and classic techniques to hide strings from analysis engines .", "spans": {}, "info": {"id": "cyner_mitre_train_01650", "source": "cyner_mitre_train"}} +{"text": "Here are some highlights .", "spans": {}, "info": {"id": "cyner_mitre_train_01651", "source": "cyner_mitre_train"}} +{"text": "Standard Encryption Frequently , Bread apps take advantage of standard crypto libraries in ` java.util.crypto ` .", "spans": {"Indicator: java.util.crypto": [[93, 109]]}, "info": {"id": "cyner_mitre_train_01652", "source": "cyner_mitre_train"}} +{"text": "We have discovered apps using AES , Blowfish , and DES as well as combinations of these to encrypt their strings .", "spans": {}, "info": {"id": "cyner_mitre_train_01653", "source": "cyner_mitre_train"}} +{"text": "Custom Encryption Other variants have used custom-implemented encryption algorithms .", "spans": {}, "info": {"id": "cyner_mitre_train_01654", "source": "cyner_mitre_train"}} +{"text": "Some common techniques include : basic XOR encryption , nested XOR and custom key-derivation methods .", "spans": {}, "info": {"id": "cyner_mitre_train_01655", "source": "cyner_mitre_train"}} +{"text": "Some variants have gone so far as to use a different key for the strings of each class .", "spans": {}, "info": {"id": "cyner_mitre_train_01656", "source": "cyner_mitre_train"}} +{"text": "Split Strings Encrypted strings can be a signal that the code is trying to hide something .", "spans": {}, "info": {"id": "cyner_mitre_train_01657", "source": 
"cyner_mitre_train"}} +{"text": "Bread has used a few tricks to keep strings in plaintext while preventing basic string matching .", "spans": {"Malware: Bread": [[0, 5]]}, "info": {"id": "cyner_mitre_train_01658", "source": "cyner_mitre_train"}} +{"text": "Going one step further , these substrings are sometimes scattered throughout the code , retrieved from static variables and method calls .", "spans": {}, "info": {"id": "cyner_mitre_train_01659", "source": "cyner_mitre_train"}} +{"text": "Various versions may also change the index of the split ( e.g .", "spans": {}, "info": {"id": "cyner_mitre_train_01660", "source": "cyner_mitre_train"}} +{"text": "“ .clic ” and “ k ( ) ; ” ) .", "spans": {}, "info": {"id": "cyner_mitre_train_01661", "source": "cyner_mitre_train"}} +{"text": "Delimiters Another technique to obfuscate unencrypted strings uses repeated delimiters .", "spans": {}, "info": {"id": "cyner_mitre_train_01662", "source": "cyner_mitre_train"}} +{"text": "A short , constant string of characters is inserted at strategic points to break up keywords : At runtime , the delimiter is removed before using the string : API OBFUSCATION SMS and toll fraud generally requires a few basic behaviors ( for example , disabling WiFi or accessing SMS ) , which are accessible by a handful of APIs .", "spans": {}, "info": {"id": "cyner_mitre_train_01663", "source": "cyner_mitre_train"}} +{"text": "Given that there are a limited number of behaviors required to identify billing fraud , Bread apps have had to try a wide variety of techniques to mask usage of these APIs .", "spans": {"Malware: Bread": [[88, 93]]}, "info": {"id": "cyner_mitre_train_01664", "source": "cyner_mitre_train"}} +{"text": "Reflection Most methods for hiding API usage tend to use Java reflection in some way .", "spans": {}, "info": {"id": "cyner_mitre_train_01665", "source": "cyner_mitre_train"}} +{"text": "In some samples , Bread has simply directly called the Reflect API on strings decrypted at runtime 
.", "spans": {"Malware: Bread": [[18, 23]]}, "info": {"id": "cyner_mitre_train_01666", "source": "cyner_mitre_train"}} +{"text": "JNI Bread has also tested our ability to analyze native code .", "spans": {"Malware: Bread": [[4, 9]]}, "info": {"id": "cyner_mitre_train_01667", "source": "cyner_mitre_train"}} +{"text": "In one sample , no SMS-related code appears in the DEX file , but there is a native method registered .", "spans": {}, "info": {"id": "cyner_mitre_train_01668", "source": "cyner_mitre_train"}} +{"text": "Two strings are passed into the call , the shortcode and keyword used for SMS billing ( getter methods renamed here for clarity ) .", "spans": {}, "info": {"id": "cyner_mitre_train_01669", "source": "cyner_mitre_train"}} +{"text": "In the native library , it stores the strings to access the SMS API .", "spans": {}, "info": {"id": "cyner_mitre_train_01670", "source": "cyner_mitre_train"}} +{"text": "The nativesend method uses the Java Native Interface ( JNI ) to fetch and call the Android SMS API .", "spans": {"System: Android": [[83, 90]]}, "info": {"id": "cyner_mitre_train_01671", "source": "cyner_mitre_train"}} +{"text": "The following is a screenshot from IDA with comments showing the strings and JNI functions .", "spans": {}, "info": {"id": "cyner_mitre_train_01672", "source": "cyner_mitre_train"}} +{"text": "WebView JavaScript Interface Continuing on the theme of cross-language bridges , Bread has also tried out some obfuscation methods utilizing JavaScript in WebViews .", "spans": {"Malware: Bread": [[81, 86]]}, "info": {"id": "cyner_mitre_train_01673", "source": "cyner_mitre_train"}} +{"text": "The following method is declared in the DEX .", "spans": {}, "info": {"id": "cyner_mitre_train_01674", "source": "cyner_mitre_train"}} +{"text": "Without context , this method does not reveal much about its intended behavior , and there are no calls made to it anywhere in the DEX .", "spans": {}, "info": {"id": "cyner_mitre_train_01675", "source": 
"cyner_mitre_train"}} +{"text": "However , the app does create a WebView and registers a JavaScript interface to this class .", "spans": {}, "info": {"id": "cyner_mitre_train_01676", "source": "cyner_mitre_train"}} +{"text": "This gives JavaScript run in the WebView access to this method .", "spans": {}, "info": {"id": "cyner_mitre_train_01677", "source": "cyner_mitre_train"}} +{"text": "The app loads a URL pointing to a Bread-controlled server .", "spans": {}, "info": {"id": "cyner_mitre_train_01678", "source": "cyner_mitre_train"}} +{"text": "The response contains some basic HTML and JavaScript .", "spans": {}, "info": {"id": "cyner_mitre_train_01679", "source": "cyner_mitre_train"}} +{"text": "In green , we can see the references to the SMS API .", "spans": {}, "info": {"id": "cyner_mitre_train_01680", "source": "cyner_mitre_train"}} +{"text": "In red , we see those values being passed into the suspicious Java method through the registered interface .", "spans": {}, "info": {"id": "cyner_mitre_train_01681", "source": "cyner_mitre_train"}} +{"text": "Now , using these strings method1 can use reflection to call sendTextMessage and process the payment .", "spans": {}, "info": {"id": "cyner_mitre_train_01682", "source": "cyner_mitre_train"}} +{"text": "PACKING In addition to implementing custom obfuscation techniques , apps have used several commercially available packers including : Qihoo360 , AliProtect and SecShell .", "spans": {"System: Qihoo360": [[134, 142]], "System: AliProtect": [[145, 155]], "System: SecShell": [[160, 168]]}, "info": {"id": "cyner_mitre_train_01683", "source": "cyner_mitre_train"}} +{"text": "More recently , we have seen Bread-related apps trying to hide malicious code in a native library shipped with the APK .", "spans": {"Malware: Bread-related": [[29, 42]]}, "info": {"id": "cyner_mitre_train_01684", "source": "cyner_mitre_train"}} +{"text": "Earlier this year , we discovered apps hiding a JAR in the data section of an ELF file which it 
then dynamically loads using DexClassLoader .", "spans": {}, "info": {"id": "cyner_mitre_train_01685", "source": "cyner_mitre_train"}} +{"text": "The figure below shows a fragment of encrypted JAR stored in .rodata section of a shared object shipped with the APK as well as the XOR key used for decryption .", "spans": {}, "info": {"id": "cyner_mitre_train_01686", "source": "cyner_mitre_train"}} +{"text": "After we blocked those samples , they moved a significant portion of malicious functionality into the native library , which resulted in a rather peculiar back and forth between Dalvik and native code : COMMAND & CONTROL Dynamic Shortcodes & Content Early versions of Bread utilized a basic command and control infrastructure to dynamically deliver content and retrieve billing details .", "spans": {}, "info": {"id": "cyner_mitre_train_01687", "source": "cyner_mitre_train"}} +{"text": "In the example server response below , the green fields show text to be shown to the user .", "spans": {}, "info": {"id": "cyner_mitre_train_01688", "source": "cyner_mitre_train"}} +{"text": "The red fields are used as the shortcode and keyword for SMS billing .", "spans": {}, "info": {"id": "cyner_mitre_train_01689", "source": "cyner_mitre_train"}} +{"text": "State Machines Since various carriers implement the billing process differently , Bread has developed several variants containing generalized state machines implementing all possible steps .", "spans": {"Malware: Bread": [[82, 87]]}, "info": {"id": "cyner_mitre_train_01690", "source": "cyner_mitre_train"}} +{"text": "At runtime , the apps can check which carrier the device is connected to and fetch a configuration object from the command and control server .", "spans": {}, "info": {"id": "cyner_mitre_train_01691", "source": "cyner_mitre_train"}} +{"text": "The configuration contains a list of steps to execute with URLs and JavaScript .", "spans": {}, "info": {"id": "cyner_mitre_train_01692", "source": "cyner_mitre_train"}} 
+{"text": "The steps implemented include : Load a URL in a WebView Run JavaScript in WebView Toggle WiFi state Toggle mobile data state Read/modify SMS inbox Solve captchas Captchas One of the more interesting states implements the ability to solve basic captchas ( obscured letters and numbers ) .", "spans": {}, "info": {"id": "cyner_mitre_train_01693", "source": "cyner_mitre_train"}} +{"text": "First , the app creates a JavaScript function to call a Java method , getImageBase64 , exposed to WebView using addJavascriptInterface .", "spans": {}, "info": {"id": "cyner_mitre_train_01694", "source": "cyner_mitre_train"}} +{"text": "The value used to replace GET_IMG_OBJECT comes from the JSON configuration .", "spans": {}, "info": {"id": "cyner_mitre_train_01695", "source": "cyner_mitre_train"}} +{"text": "The app then uses JavaScript injection to create a new script in the carrier ’ s web page to run the new function .", "spans": {}, "info": {"id": "cyner_mitre_train_01696", "source": "cyner_mitre_train"}} +{"text": "The base64-encoded image is then uploaded to an image recognition service .", "spans": {}, "info": {"id": "cyner_mitre_train_01697", "source": "cyner_mitre_train"}} +{"text": "If the text is retrieved successfully , the app uses JavaScript injection again to submit the HTML form with the captcha answer .", "spans": {}, "info": {"id": "cyner_mitre_train_01698", "source": "cyner_mitre_train"}} +{"text": "CLOAKING Client-side Carrier Checks In our basic command & control example above , we didn ’ t address the ( incorrectly labeled ) “ imei ” field .", "spans": {}, "info": {"id": "cyner_mitre_train_01699", "source": "cyner_mitre_train"}} +{"text": "This contains the Mobile Country Code ( MCC ) and Mobile Network Code ( MNC ) values that the billing process will work for .", "spans": {}, "info": {"id": "cyner_mitre_train_01700", "source": "cyner_mitre_train"}} +{"text": "In this example , the server response contains several values for Thai carriers .", 
"spans": {}, "info": {"id": "cyner_mitre_train_01701", "source": "cyner_mitre_train"}} +{"text": "The app checks if the device ’ s network matches one of those provided by the server .", "spans": {}, "info": {"id": "cyner_mitre_train_01702", "source": "cyner_mitre_train"}} +{"text": "If it does , it will commence with the billing process .", "spans": {}, "info": {"id": "cyner_mitre_train_01703", "source": "cyner_mitre_train"}} +{"text": "If the value does not match , the app skips the “ disclosure ” page and billing process and brings the user straight to the app content .", "spans": {}, "info": {"id": "cyner_mitre_train_01704", "source": "cyner_mitre_train"}} +{"text": "In some versions , the server would only return valid responses several days after the apps were submitted .", "spans": {}, "info": {"id": "cyner_mitre_train_01705", "source": "cyner_mitre_train"}} +{"text": "Server-side Carrier Checks In the JavaScript bridge API obfuscation example covered above , the server supplied the app with the necessary strings to complete the billing process .", "spans": {}, "info": {"id": "cyner_mitre_train_01706", "source": "cyner_mitre_train"}} +{"text": "However , analysts may not always see the indicators of compromise in the server ’ s response .", "spans": {}, "info": {"id": "cyner_mitre_train_01707", "source": "cyner_mitre_train"}} +{"text": "In this example , the requests to the server take the following form : Here , the “ operator ” query parameter is the Mobile Country Code and Mobile Network Code .", "spans": {}, "info": {"id": "cyner_mitre_train_01708", "source": "cyner_mitre_train"}} +{"text": "The server can use this information to determine if the user ’ s carrier is one of Bread ’ s targets .", "spans": {"Malware: Bread": [[83, 88]]}, "info": {"id": "cyner_mitre_train_01709", "source": "cyner_mitre_train"}} +{"text": "If not , the response is scrubbed of the strings used to complete the billing fraud .", "spans": {}, "info": {"id": 
"cyner_mitre_train_01710", "source": "cyner_mitre_train"}} +{"text": "MISLEADING USERS Bread apps sometimes display a pop-up to the user that implies some form of compliance or disclosure , showing terms and conditions or a confirm button .", "spans": {"Malware: Bread": [[17, 22]]}, "info": {"id": "cyner_mitre_train_01711", "source": "cyner_mitre_train"}} +{"text": "However , the actual text would often only display a basic welcome message .", "spans": {}, "info": {"id": "cyner_mitre_train_01712", "source": "cyner_mitre_train"}} +{"text": "Other versions included all the pieces needed for a valid disclosure message .", "spans": {}, "info": {"id": "cyner_mitre_train_01713", "source": "cyner_mitre_train"}} +{"text": "However , there are still two issues here : The numbers to contact for cancelling the subscription are not real The billing process commences even if you don ’ t hit the “ Confirm ” button Even if the disclosure here displayed accurate information , the user would often find that the advertised functionality of the app did not match the actual content .", "spans": {}, "info": {"id": "cyner_mitre_train_01714", "source": "cyner_mitre_train"}} +{"text": "Bread apps frequently contain no functionality beyond the billing process or simply clone content from other popular apps .", "spans": {"Malware: Bread": [[0, 5]]}, "info": {"id": "cyner_mitre_train_01715", "source": "cyner_mitre_train"}} +{"text": "VERSIONING Bread has also leveraged an abuse tactic unique to app stores : versioning .", "spans": {"Malware: Bread": [[11, 16]]}, "info": {"id": "cyner_mitre_train_01716", "source": "cyner_mitre_train"}} +{"text": "Some apps have started with clean versions , in an attempt to grow user bases and build the developer accounts ’ reputations .", "spans": {}, "info": {"id": "cyner_mitre_train_01717", "source": "cyner_mitre_train"}} +{"text": "Only later is the malicious code introduced , through an update .", "spans": {}, "info": {"id": "cyner_mitre_train_01718", 
"source": "cyner_mitre_train"}} +{"text": "Interestingly , early “ clean ” versions contain varying levels of signals that the updates will include malicious code later .", "spans": {}, "info": {"id": "cyner_mitre_train_01719", "source": "cyner_mitre_train"}} +{"text": "Some are first uploaded with all the necessary code except the one line that actually initializes the billing process .", "spans": {}, "info": {"id": "cyner_mitre_train_01720", "source": "cyner_mitre_train"}} +{"text": "Others may have the necessary permissions , but are missing the classes containing the fraud code .", "spans": {}, "info": {"id": "cyner_mitre_train_01721", "source": "cyner_mitre_train"}} +{"text": "And others have all malicious content removed , except for log comments referencing the payment process .", "spans": {}, "info": {"id": "cyner_mitre_train_01722", "source": "cyner_mitre_train"}} +{"text": "All of these methods attempt to space out the introduction of possible signals in various stages , testing for gaps in the publication process .", "spans": {}, "info": {"id": "cyner_mitre_train_01723", "source": "cyner_mitre_train"}} +{"text": "However , GPP does not treat new apps and updates any differently from an analysis perspective .", "spans": {}, "info": {"id": "cyner_mitre_train_01724", "source": "cyner_mitre_train"}} +{"text": "FAKE REVIEWS When early versions of apps are first published , many five star reviews appear with comments like : “ So .. good .. 
” “ very beautiful ” Later , 1 star reviews from real users start appearing with comments like : “ Deception ” “ The app is not honest … ” SUMMARY Sheer volume appears to be the preferred approach for Bread developers .", "spans": {"Malware: Bread": [[331, 336]]}, "info": {"id": "cyner_mitre_train_01725", "source": "cyner_mitre_train"}} +{"text": "At different times , we have seen three or more active variants using different approaches or targeting different carriers .", "spans": {}, "info": {"id": "cyner_mitre_train_01726", "source": "cyner_mitre_train"}} +{"text": "Within each variant , the malicious code present in each sample may look nearly identical with only one evasion technique changed .", "spans": {}, "info": {"id": "cyner_mitre_train_01727", "source": "cyner_mitre_train"}} +{"text": "Sample 1 may use AES-encrypted strings with reflection , while Sample 2 ( submitted on the same day ) will use the same code but with plaintext strings .", "spans": {"Organization: AES-encrypted": [[17, 30]]}, "info": {"id": "cyner_mitre_train_01728", "source": "cyner_mitre_train"}} +{"text": "At peak times of activity , we have seen up to 23 different apps from this family submitted to Play in one day .", "spans": {"System: Play": [[95, 99]]}, "info": {"id": "cyner_mitre_train_01729", "source": "cyner_mitre_train"}} +{"text": "At other times , Bread appears to abandon hope of making a variant successful and we see a gap of a week or longer before the next variant .", "spans": {"Malware: Bread": [[17, 22]]}, "info": {"id": "cyner_mitre_train_01730", "source": "cyner_mitre_train"}} +{"text": "This family showcases the amount of resources that malware authors now have to expend .", "spans": {}, "info": {"id": "cyner_mitre_train_01731", "source": "cyner_mitre_train"}} +{"text": "Google Play Protect is constantly updating detection engines and warning users of malicious apps installed on their device .", "spans": {"System: Google Play Protect": [[0, 19]]}, "info": {"id": 
"cyner_mitre_train_01732", "source": "cyner_mitre_train"}} +{"text": "SELECTED SAMPLES Package Name SHA-256 Digest com.rabbit.artcamera 18c277c7953983f45f2fe6ab4c7d872b2794c256604e43500045cb2b2084103f org.horoscope.astrology.predict 6f1a1dbeb5b28c80ddc51b77a83c7a27b045309c4f1bff48aaff7d79dfd4eb26 com.theforest.rotatemarswallpaper 4e78a26832a0d471922eb61231bc498463337fed8874db5f70b17dd06dcb9f09", "spans": {"Indicator: com.rabbit.artcamera": [[45, 65]], "Indicator: 18c277c7953983f45f2fe6ab4c7d872b2794c256604e43500045cb2b2084103f": [[66, 130]], "Indicator: org.horoscope.astrology.predict": [[131, 162]], "Indicator: 6f1a1dbeb5b28c80ddc51b77a83c7a27b045309c4f1bff48aaff7d79dfd4eb26": [[163, 227]], "Indicator: com.theforest.rotatemarswallpaper": [[228, 261]], "Indicator: 4e78a26832a0d471922eb61231bc498463337fed8874db5f70b17dd06dcb9f09": [[262, 326]]}, "info": {"id": "cyner_mitre_train_01733", "source": "cyner_mitre_train"}} +{"text": "com.jspany.temp 0ce78efa764ce1e7fb92c4de351ec1113f3e2ca4b2932feef46d7d62d6ae87f5 com.hua.ru.quan 780936deb27be5dceea20a5489014236796a74cc967a12e36cb56d9b8df9bc86 com.rongnea.udonood 8b2271938c524dd1064e74717b82e48b778e49e26b5ac2dae8856555b5489131", "spans": {"Indicator: com.jspany.temp": [[0, 15]], "Indicator: 0ce78efa764ce1e7fb92c4de351ec1113f3e2ca4b2932feef46d7d62d6ae87f5": [[16, 80]], "Indicator: com.hua.ru.quan": [[81, 96]], "Indicator: 780936deb27be5dceea20a5489014236796a74cc967a12e36cb56d9b8df9bc86": [[97, 161]], "Indicator: com.rongnea.udonood": [[162, 181]], "Indicator: 8b2271938c524dd1064e74717b82e48b778e49e26b5ac2dae8856555b5489131": [[182, 246]]}, "info": {"id": "cyner_mitre_train_01734", "source": "cyner_mitre_train"}} +{"text": "com.mbv.a.wp 01611e16f573da2c9dbc7acdd445d84bae71fecf2927753e341d8a5652b89a68 com.pho.nec.sg b4822eeb71c83e4aab5ddfecfb58459e5c5e10d382a2364da1c42621f58e119b Exobot ( Marcher ) - Android banking Trojan on the rise February 2017 Introduction The past months many different banking Trojans for", "spans": 
{"Indicator: com.mbv.a.wp": [[0, 12]], "Indicator: 01611e16f573da2c9dbc7acdd445d84bae71fecf2927753e341d8a5652b89a68": [[13, 77]], "Indicator: com.pho.nec.sg": [[78, 92]], "Indicator: b4822eeb71c83e4aab5ddfecfb58459e5c5e10d382a2364da1c42621f58e119b": [[93, 157]], "Malware: Exobot": [[158, 164]], "Malware: Marcher": [[167, 174]], "System: Android": [[179, 186]]}, "info": {"id": "cyner_mitre_train_01735", "source": "cyner_mitre_train"}} +{"text": "the Android platform have received media attention .", "spans": {"System: Android": [[4, 11]]}, "info": {"id": "cyner_mitre_train_01736", "source": "cyner_mitre_train"}} +{"text": "One of these , called Marcher ( aka Exobot ) , seems to be especially active with different samples appearing on a daily basis .", "spans": {"Malware: Marcher": [[22, 29]], "Malware: Exobot": [[36, 42]]}, "info": {"id": "cyner_mitre_train_01737", "source": "cyner_mitre_train"}} +{"text": "This malware variant also appears to be technically superior to many other banking Trojans being able to use its overlay attack even on Android 6 , which has technical improvements compared to the previous Android versions to prevent such attacks .", "spans": {"System: Android 6": [[136, 145]], "System: Android": [[206, 213]]}, "info": {"id": "cyner_mitre_train_01738", "source": "cyner_mitre_train"}} +{"text": "The main infection vector is a phishing attack using SMS/MMS .", "spans": {}, "info": {"id": "cyner_mitre_train_01739", "source": "cyner_mitre_train"}} +{"text": "The social engineering message includes a link that leads to a fake version of a popular app , using names like Runtastic , WhatsApp or Netflix .", "spans": {"System: Runtastic": [[112, 121]], "System: WhatsApp": [[124, 132]], "System: Netflix": [[136, 143]]}, "info": {"id": "cyner_mitre_train_01740", "source": "cyner_mitre_train"}} +{"text": "On installation , the app requests the user to provide SMS storage access and high Android privileges such as Device Admin .", "spans": {"System: Android": 
[[83, 90]]}, "info": {"id": "cyner_mitre_train_01741", "source": "cyner_mitre_train"}} +{"text": "Other infection vectors include pornographic websites serving apps called Adobe Flash or YouPorn .", "spans": {"System: Adobe Flash": [[74, 85]], "System: YouPorn": [[89, 96]]}, "info": {"id": "cyner_mitre_train_01742", "source": "cyner_mitre_train"}} +{"text": "The Marcher banking malware uses two main attack vectors .", "spans": {"Malware: Marcher": [[4, 11]]}, "info": {"id": "cyner_mitre_train_01743", "source": "cyner_mitre_train"}} +{"text": "The first attack vector is to compromise the out of band authentication for online banks that rely on SMS using SMS forwarding .", "spans": {}, "info": {"id": "cyner_mitre_train_01744", "source": "cyner_mitre_train"}} +{"text": "The second attack vector , the overlay attack , shows a customized phishing window whenever a targeted application is started on the device .", "spans": {}, "info": {"id": "cyner_mitre_train_01745", "source": "cyner_mitre_train"}} +{"text": "The overlay window is often indistinguishable from the expected screen ( such as a login screen for a banking app ) and is used to steal the victim ’ s banking credentials .", "spans": {}, "info": {"id": "cyner_mitre_train_01746", "source": "cyner_mitre_train"}} +{"text": "The target list and bank specific fake login pages can be dynamically updated via their C2 panel ( dashboard back-end ) which significantly increases the adaptability and scalability of this attack .", "spans": {}, "info": {"id": "cyner_mitre_train_01747", "source": "cyner_mitre_train"}} +{"text": "In addition , this type of Android banking malware does not require the device to be rooted or the app to have any specific Android permission ( besides android.permission.INTERNET to retrieve the overlay contents and send its captured data ) .", "spans": {"System: Android": [[27, 34], [124, 131]], "Indicator: android.permission.INTERNET": [[153, 180]]}, "info": {"id": "cyner_mitre_train_01748", 
"source": "cyner_mitre_train"}} +{"text": "The many changes we see in the way the attacks are performed show that attackers are heavily experimenting to find the best way of infecting a mobile device and abusing existing functionality to perform successful phishing attacks .", "spans": {}, "info": {"id": "cyner_mitre_train_01749", "source": "cyner_mitre_train"}} +{"text": "The next stage in device infection could be the use of exploit kits and malvertising , which would be quite effective due the many Android vulnerabilities and consumers with unpatched devices .", "spans": {"Vulnerability: Android vulnerabilities": [[131, 154]], "Vulnerability: unpatched devices": [[174, 191]]}, "info": {"id": "cyner_mitre_train_01750", "source": "cyner_mitre_train"}} +{"text": "In addition future Trojans could leverage root exploits to make them almost impossible to remove and give malicious actors the ability to hook generic low level API ’ s that are used by all ( banking ) applications , just like the attack vector as has been used on the desktop platform for years .", "spans": {}, "info": {"id": "cyner_mitre_train_01751", "source": "cyner_mitre_train"}} +{"text": "Technical Analysis Permissions Marcher ’ s APK size is fairly small ( only 683KB for sample eb8f02fc30ec49e4af1560e54b53d1a7 ) , much smaller than most legitimate apps and other popular mobile malware samples .", "spans": {"Malware: Marcher": [[31, 38]], "Indicator: eb8f02fc30ec49e4af1560e54b53d1a7": [[92, 124]]}, "info": {"id": "cyner_mitre_train_01752", "source": "cyner_mitre_train"}} +{"text": "This sample only includes Dalvik bytecode and resources without any native libraries .", "spans": {}, "info": {"id": "cyner_mitre_train_01753", "source": "cyner_mitre_train"}} +{"text": "The package name ( vyn.hhsdzgvoexobmkygffzwuewrbikzud ) and its many activities and services have randomized names , probably to make it a bit more difficult to detect the package using blacklisting .", "spans": {"Indicator: 
vyn.hhsdzgvoexobmkygffzwuewrbikzud": [[19, 53]]}, "info": {"id": "cyner_mitre_train_01754", "source": "cyner_mitre_train"}} +{"text": "The set of permissions required by Marcher according to the manifest is as follows : ∗ android.permission.CHANGE_NETWORK_STATE ( change network connectivity state ) ∗ android.permission.SEND_SMS ( send SMS messages ) ∗ android.permission.USES_POLICY_FORCE_LOCK ( lock the device ) ∗ android.permission.RECEIVE_BOOT_COMPLETED ( start malware when device boots ) ∗ android.permission.INTERNET ( communicate with the internet ) ∗ android.permission.VIBRATE", "spans": {"Malware: Marcher": [[35, 42]], "Indicator: android.permission.CHANGE_NETWORK_STATE": [[87, 126]], "Indicator: android.permission.SEND_SMS": [[167, 194]], "Indicator: android.permission.USES_POLICY_FORCE_LOCK": [[219, 260]], "Indicator: android.permission.RECEIVE_BOOT_COMPLETED": [[283, 324]], "Indicator: android.permission.INTERNET": [[363, 390]], "Indicator: android.permission.VIBRATE": [[427, 453]]}, "info": {"id": "cyner_mitre_train_01755", "source": "cyner_mitre_train"}} +{"text": "( control the vibrator ) ∗ android.permission.ACCESS_WIFI_STATE ( view information about the status of Wi-Fi ) ∗ android.permission.WRITE_SMS ( edit/delete SMS ) ∗ android.permission.ACCESS_NETWORK_STATE ( view the status of all networks ) ∗ android.permission.WAKE_LOCK ( prevent the phone from going to sleep ) ∗ android.permission.GET_TASKS ( retrieve running applications ) ∗ android.permission.CALL_PHONE ( call phone numbers )", "spans": {"Indicator: android.permission.ACCESS_WIFI_STATE": [[27, 63]], "Indicator: android.permission.WRITE_SMS": [[113, 141]], "Indicator: android.permission.ACCESS_NETWORK_STATE": [[164, 203]], "Indicator: android.permission.WAKE_LOCK": [[242, 270]], "Indicator: android.permission.GET_TASKS": [[315, 343]], "Indicator: android.permission.CALL_PHONE": [[380, 409]]}, "info": {"id": "cyner_mitre_train_01756", "source": "cyner_mitre_train"}} +{"text": "∗ 
android.permission.WRITE_SETTINGS ( read/write global system settings ) ∗ android.permission.RECEIVE_SMS ( intercept SMS messages ) ∗ android.permission.READ_PHONE_STATE ( read phone details of the device such as phone number and serial number ) ∗ android.permission.CHANGE_WIFI_STATE ( connect to and disconnect from Wi-Fi networks and make changes to configured networks ) ∗ android.permission.READ_CONTACTS ( read all contact data ) * android.permission.READ_SMS", "spans": {"Indicator: android.permission.WRITE_SETTINGS": [[2, 35]], "Indicator: android.permission.RECEIVE_SMS": [[76, 106]], "Indicator: android.permission.READ_PHONE_STATE": [[136, 171]], "Indicator: android.permission.CHANGE_WIFI_STATE": [[250, 286]], "Indicator: android.permission.READ_CONTACTS": [[379, 411]], "Indicator: android.permission.READ_SMS": [[440, 467]]}, "info": {"id": "cyner_mitre_train_01757", "source": "cyner_mitre_train"}} +{"text": "( read SMS messages ) Obviously a fairly significant list of permissions of which many are suspicious , especially when combined .", "spans": {}, "info": {"id": "cyner_mitre_train_01758", "source": "cyner_mitre_train"}} +{"text": "Runtastic sample permission prompt Runtastic sample permission prompt Checking foreground app Marcher is one of the few Android banking Trojans to use the AndroidProcesses library , which enables the application to obtain the name of the Android package that is currently running in the foreground .", "spans": {"System: Runtastic": [[0, 9], [35, 44]], "Malware: Marcher": [[94, 101]], "System: Android": [[238, 245]]}, "info": {"id": "cyner_mitre_train_01759", "source": "cyner_mitre_train"}} +{"text": "This library is used because it uses the only ( publicly known ) way to retrieve this information on Android 6 ( using the process OOM score read from the /proc directory ) .", "spans": {"System: Android 6": [[101, 110]]}, "info": {"id": "cyner_mitre_train_01760", "source": "cyner_mitre_train"}} +{"text": "When the current app on the 
foreground matches with an app targeted by the malware , the Trojan will show the corresponding phishing overlay , making the user think it is the app that was just started .", "spans": {}, "info": {"id": "cyner_mitre_train_01761", "source": "cyner_mitre_train"}} +{"text": "Dynamic overlays When victims open up a targeted app , Marcher smoothly displays an overlay , a customized WebView , looks in its application preferences ( main_prefs.xml ) and decides which specified URL is needed for the targeted app .", "spans": {"Malware: Marcher": [[55, 62]]}, "info": {"id": "cyner_mitre_train_01762", "source": "cyner_mitre_train"}} +{"text": "The complete list of apps can be seen below .", "spans": {}, "info": {"id": "cyner_mitre_train_01763", "source": "cyner_mitre_train"}} +{"text": "The phishing pages shown in the overlay use Ajax calls to communicate with a PHP back-end which stores all user input .", "spans": {}, "info": {"id": "cyner_mitre_train_01764", "source": "cyner_mitre_train"}} +{"text": "The C2 backend url looks like this : https : //evilhost/c2folder/njs2/ ?", "spans": {"Indicator: https : //evilhost/c2folder/njs2/ ?": [[37, 72]]}, "info": {"id": "cyner_mitre_train_01765", "source": "cyner_mitre_train"}} +{"text": "fields [ ] .", "spans": {}, "info": {"id": "cyner_mitre_train_01766", "source": "cyner_mitre_train"}} +{"text": "There is no way to access the original app again even if victims terminate the overlay process and reopen app , until credit card ( name , number , expiry date , security code ) and/or bank information ( PIN , VBV passcode , date of birth , etc .", "spans": {}, "info": {"id": "cyner_mitre_train_01767", "source": "cyner_mitre_train"}} +{"text": ") are filled in and verified .", "spans": {}, "info": {"id": "cyner_mitre_train_01768", "source": "cyner_mitre_train"}} +{"text": "The information is then stored in local app database as well as sent to the backend .", "spans": {}, "info": {"id": "cyner_mitre_train_01769", "source": 
"cyner_mitre_train"}} +{"text": "Agent Smith : A New Species of Mobile Malware July 10 , 2019 Check Point Researchers recently discovered a new variant of mobile malware that quietly infected around 25 million devices , while the user remains completely unaware .", "spans": {"Malware: Agent Smith": [[0, 11]], "Organization: Check Point": [[61, 72]]}, "info": {"id": "cyner_mitre_train_01770", "source": "cyner_mitre_train"}} +{"text": "Disguised as Google related app , the core part of malware exploits various known Android vulnerabilities and automatically replaces installed apps on the device with malicious versions without the user ’ s interaction .", "spans": {"Organization: Google": [[13, 19]], "Vulnerability: Android vulnerabilities": [[82, 105]]}, "info": {"id": "cyner_mitre_train_01771", "source": "cyner_mitre_train"}} +{"text": "This unique on-device , just-in-time ( JIT ) approach inspired researchers to dub this malware as “ Agent Smith ” .", "spans": {"Malware: Agent Smith": [[100, 111]]}, "info": {"id": "cyner_mitre_train_01772", "source": "cyner_mitre_train"}} +{"text": "“ Agent Smith ” currently uses its broad access to the device ’ s resources to show fraudulent ads for financial gain .", "spans": {"Malware: Agent Smith": [[2, 13]]}, "info": {"id": "cyner_mitre_train_01773", "source": "cyner_mitre_train"}} +{"text": "This activity resembles previous campaigns such as Gooligan , HummingBad and CopyCat .", "spans": {"Malware: Gooligan": [[51, 59]], "Malware: HummingBad": [[62, 72]], "Malware: CopyCat": [[77, 84]]}, "info": {"id": "cyner_mitre_train_01774", "source": "cyner_mitre_train"}} +{"text": "The primary targets , so far , are based in India though other Asian countries such as Pakistan and Bangladesh are also affected .", "spans": {}, "info": {"id": "cyner_mitre_train_01775", "source": "cyner_mitre_train"}} +{"text": "In a much-improved Android security environment , the actors behind Agent Smith seem to have moved into the more complex world of 
constantly searching for new loopholes , such as Janus , Bundle and Man-in-the-Disk , to achieve a 3-stage infection chain , in order to build a botnet of controlled devices to earn profit for the perpetrator .", "spans": {"System: Android": [[19, 26]], "Malware: Agent Smith": [[68, 79]], "Vulnerability: Janus": [[179, 184]], "Vulnerability: Bundle": [[187, 193]], "Vulnerability: Man-in-the-Disk": [[198, 213]]}, "info": {"id": "cyner_mitre_train_01776", "source": "cyner_mitre_train"}} +{"text": "“ Agent Smith ” is possibly the first campaign seen that ingrates and weaponized all these loopholes and are described in detail below .", "spans": {"Malware: Agent Smith": [[2, 13]]}, "info": {"id": "cyner_mitre_train_01777", "source": "cyner_mitre_train"}} +{"text": "In this case , “ Agent Smith ” is being used to for financial gain through the use of malicious advertisements .", "spans": {"Malware: Agent Smith": [[17, 28]]}, "info": {"id": "cyner_mitre_train_01778", "source": "cyner_mitre_train"}} +{"text": "However , it could easily be used for far more intrusive and harmful purposes such as banking credential theft .", "spans": {}, "info": {"id": "cyner_mitre_train_01779", "source": "cyner_mitre_train"}} +{"text": "Indeed , due to its ability to hide it ’ s icon from the launcher and impersonates any popular existing apps on a device , there are endless possibilities for this sort of malware to harm a user ’ s device .", "spans": {}, "info": {"id": "cyner_mitre_train_01780", "source": "cyner_mitre_train"}} +{"text": "Check Point Research has submitted data to Google and law enforcement units to facilitate further investigation .", "spans": {"Organization: Check Point": [[0, 11]], "Organization: Google": [[43, 49]]}, "info": {"id": "cyner_mitre_train_01781", "source": "cyner_mitre_train"}} +{"text": "As a result , information related to the malicious actor is tentatively redacted in this publication .", "spans": {}, "info": {"id": "cyner_mitre_train_01782", "source": 
"cyner_mitre_train"}} +{"text": "Check Point has worked closely with Google and at the time of publishing , no malicious apps remain on the Play Store .", "spans": {"Organization: Check Point": [[0, 11]], "Organization: Google": [[36, 42]], "System: Play Store": [[107, 117]]}, "info": {"id": "cyner_mitre_train_01783", "source": "cyner_mitre_train"}} +{"text": "Encounter In early 2019 , the Check Point Research team observed a surge of Android malware attack attempts against users in India which had strong characteristics of Janus vulnerability abuse ; All samples our team collected during preliminary investigation had the ability to hide their app icons and claim to be Google related updaters or vending modules ( a key component of Google Play framework ) .", "spans": {"Organization: Check Point": [[30, 41]], "System: Android": [[76, 83]], "Vulnerability: Janus": [[167, 172]], "Organization: Google": [[315, 321]], "System: Google Play": [[379, 390]]}, "info": {"id": "cyner_mitre_train_01784", "source": "cyner_mitre_train"}} +{"text": "Upon further analysis it became clear this application was as malicious as they come and initially resembled the CopyCat malware , discovered by Check Point Research back in April 2016 .", "spans": {"Malware: CopyCat": [[113, 120]], "Organization: Check Point": [[145, 156]]}, "info": {"id": "cyner_mitre_train_01785", "source": "cyner_mitre_train"}} +{"text": "As the research progressed , it started to reveal unique characteristics which made us believe we were looking at an all-new malware campaign found in the wild .", "spans": {}, "info": {"id": "cyner_mitre_train_01786", "source": "cyner_mitre_train"}} +{"text": "After a series of technical analysis ( which is covered in detail below ) and heuristic threat hunting , we discovered that a complete “ Agent Smith ” infection has three main phases : A dropper app lures victim to install itself voluntarily .", "spans": {"Malware: Agent Smith": [[137, 148]]}, "info": {"id": 
"cyner_mitre_train_01787", "source": "cyner_mitre_train"}} +{"text": "The initial dropper has a weaponized Feng Shui Bundle as encrypted asset files .", "spans": {}, "info": {"id": "cyner_mitre_train_01788", "source": "cyner_mitre_train"}} +{"text": "Dropper variants are usually barely functioning photo utility , games , or sex related apps .", "spans": {}, "info": {"id": "cyner_mitre_train_01789", "source": "cyner_mitre_train"}} +{"text": "The dropper automatically decrypts and installs its core malware APK which later conducts malicious patching and app updates .", "spans": {}, "info": {"id": "cyner_mitre_train_01790", "source": "cyner_mitre_train"}} +{"text": "The core malware is usually disguised as Google Updater , Google Update for U or “ com.google.vending ” .", "spans": {"Organization: Google": [[41, 47], [58, 64]], "Indicator: com.google.vending": [[83, 101]]}, "info": {"id": "cyner_mitre_train_01791", "source": "cyner_mitre_train"}} +{"text": "The core malware ’ s icon is hidden .", "spans": {}, "info": {"id": "cyner_mitre_train_01792", "source": "cyner_mitre_train"}} +{"text": "The core malware extracts the device ’ s installed app list .", "spans": {}, "info": {"id": "cyner_mitre_train_01793", "source": "cyner_mitre_train"}} +{"text": "If it finds apps on its prey list ( hard-coded or sent from C & C server ) , it will extract the base APK of the target innocent app on the device , patch the APK with malicious ads modules , install the APK back and replace the original one as if it is an update .", "spans": {}, "info": {"id": "cyner_mitre_train_01794", "source": "cyner_mitre_train"}} +{"text": "“ Agent Smith ” repacks its prey apps at smali/baksmali code level .", "spans": {"Malware: Agent Smith": [[2, 13]]}, "info": {"id": "cyner_mitre_train_01795", "source": "cyner_mitre_train"}} +{"text": "During the final update installation process , it relies on the Janus vulnerability to bypass Android ’ s APK integrity checks .", "spans": {"Vulnerability: 
Janus": [[64, 69]], "System: Android": [[94, 101]]}, "info": {"id": "cyner_mitre_train_01796", "source": "cyner_mitre_train"}} +{"text": "Upon kill chain completion , “ Agent Smith ” will then hijack compromised user apps to show ads .", "spans": {"Malware: Agent Smith": [[31, 42]]}, "info": {"id": "cyner_mitre_train_01797", "source": "cyner_mitre_train"}} +{"text": "In certain situations , variants intercept compromised apps ’ original legitimate ads display events and report back to the intended ad-exchange with the “ Agent Smith ” campaign hacker ’ s ad IDs .", "spans": {"Malware: Agent Smith": [[156, 167]]}, "info": {"id": "cyner_mitre_train_01798", "source": "cyner_mitre_train"}} +{"text": "Our intelligence shows “ Agent Smith ” droppers proliferate through third-party app store “ 9Apps ” , a UC team backed store , targeted mostly at Indian ( Hindi ) , Arabic , and Indonesian users .", "spans": {"Malware: Agent Smith": [[25, 36]], "System: 9Apps": [[92, 97]]}, "info": {"id": "cyner_mitre_train_01799", "source": "cyner_mitre_train"}} +{"text": "“ Agent Smith ” itself , though , seems to target mainly India users .", "spans": {"Malware: Agent Smith": [[2, 13]]}, "info": {"id": "cyner_mitre_train_01800", "source": "cyner_mitre_train"}} +{"text": "Unlike previously discovered non Google Play centric campaigns whose victims almost exclusively come from less developed countries and regions , “ Agent Smith ” successfully penetrated into noticeable number of devices in developed countries such as Saudi Arabia , UK and US .", "spans": {"System: Google Play": [[33, 44]], "Malware: Agent Smith": [[147, 158]]}, "info": {"id": "cyner_mitre_train_01801", "source": "cyner_mitre_train"}} +{"text": "Technical Analysis “ Agent Smith ” has a modular structure and consists of the following modules : Loader Core Boot Patch AdSDK Updater As stated above , the first step of this infection chain is the dropper .", "spans": {"Malware: Agent Smith": [[21, 32]]}, "info": {"id": 
"cyner_mitre_train_01802", "source": "cyner_mitre_train"}} +{"text": "The dropper is a repacked legitimate application which contains an additional piece of code – “ loader ” .", "spans": {}, "info": {"id": "cyner_mitre_train_01803", "source": "cyner_mitre_train"}} +{"text": "The loader has a very simple purpose , extract and run the “ core ” module of “ Agent Smith ” .", "spans": {"Malware: Agent Smith": [[80, 91]]}, "info": {"id": "cyner_mitre_train_01804", "source": "cyner_mitre_train"}} +{"text": "The “ core ” module communicates with the C & C server , receiving the predetermined list of popular apps to scan the device for .", "spans": {}, "info": {"id": "cyner_mitre_train_01805", "source": "cyner_mitre_train"}} +{"text": "If any application from that list was found , it utilizes the Janus vulnerability to inject the “ boot ” module into the repacked application .", "spans": {"Vulnerability: Janus": [[62, 67]]}, "info": {"id": "cyner_mitre_train_01806", "source": "cyner_mitre_train"}} +{"text": "After the next run of the infected application , the “ boot ” module will run the “ patch ” module , which hooks the methods from known ad SDKs to its own implementation .", "spans": {}, "info": {"id": "cyner_mitre_train_01807", "source": "cyner_mitre_train"}} +{"text": "Figure 1 : ‘ Agent Smith ’ s modular structure Technical Analysis – Loader Module The “ loader ” module , as stated above , extracts and runs the “ core ” module .", "spans": {"Malware: Agent Smith": [[13, 24]]}, "info": {"id": "cyner_mitre_train_01808", "source": "cyner_mitre_train"}} +{"text": "While the “ core ” module resides inside the APK file , it is encrypted and disguised as a JPG file – the first two bytes are actually the magic header of JPG files , while the rest of the data is encoded with an XOR cipher .", "spans": {}, "info": {"id": "cyner_mitre_train_01809", "source": "cyner_mitre_train"}} +{"text": "Figure 2 : “ Agent Smith ’ s jpg file structure After the extraction , the “ loader ” 
module adds the code to the application while using the legitimate mechanism by Android to handle large DEX files .", "spans": {"Malware: Agent Smith": [[13, 24]], "System: Android": [[166, 173]]}, "info": {"id": "cyner_mitre_train_01810", "source": "cyner_mitre_train"}} +{"text": "Figure 3 : Loading core malicious code into the benign application Once the “ core ” module is extracted and loaded , the “ loader ” uses the reflection technique to initialize and start the “ core ” module .", "spans": {}, "info": {"id": "cyner_mitre_train_01811", "source": "cyner_mitre_train"}} +{"text": "Figure 4 : Loader calls initialization method Technical Analysis – Core Module With the main purpose of spreading the infection , “ Agent Smith ” implements in the “ core ” module : A series of ‘ Bundle ’ vulnerabilities , which is used to install applications without the victim ’ s awareness .", "spans": {"Malware: Agent Smith": [[132, 143]], "Vulnerability: Bundle": [[196, 202]]}, "info": {"id": "cyner_mitre_train_01812", "source": "cyner_mitre_train"}} +{"text": "The Janus vulnerability , which allows the actor to replace any application with an infected version .", "spans": {"Vulnerability: Janus": [[4, 9]]}, "info": {"id": "cyner_mitre_train_01813", "source": "cyner_mitre_train"}} +{"text": "The “ core ” module contacts the C & C server , trying to get a fresh list of applications to search for , or if that fails , use a default app list : whatsapp lenovo.anyshare.gps mxtech.videoplayer.ad jio.jioplay.tv jio.media.jiobeats jiochat.jiochatapp jio.join good.gamecollection opera.mini.native startv.hotstar meitu.beautyplusme domobile.applock touchtype.swiftkey flipkart.android cn.xender", "spans": {"System: whatsapp": [[151, 159]], "Indicator: lenovo.anyshare.gps": [[160, 179]], "Indicator: mxtech.videoplayer.ad": [[180, 201]], "Indicator: jio.jioplay.tv": [[202, 216]], "Indicator: jio.media.jiobeats": [[217, 235]], "Indicator: jiochat.jiochatapp": [[236, 254]], "Indicator: 
jio.join": [[255, 263]], "Indicator: good.gamecollection": [[264, 283]], "Indicator: opera.mini.native": [[284, 301]], "Indicator: startv.hotstar": [[302, 316]], "Indicator: meitu.beautyplusme": [[317, 335]], "Indicator: domobile.applock": [[336, 352]], "Indicator: touchtype.swiftkey": [[353, 371]], "Indicator: flipkart.android": [[372, 388]], "Indicator: cn.xender": [[389, 398]]}, "info": {"id": "cyner_mitre_train_01814", "source": "cyner_mitre_train"}} +{"text": "eterno truecaller For each application on the list , the “ core ” module checks for a matching version and MD5 hash of the installed application , and also checks for the application running in the user-space .", "spans": {}, "info": {"id": "cyner_mitre_train_01815", "source": "cyner_mitre_train"}} +{"text": "If all conditions are met , “ Agent Smith ” tries to infect the application .", "spans": {"Malware: Agent Smith": [[30, 41]]}, "info": {"id": "cyner_mitre_train_01816", "source": "cyner_mitre_train"}} +{"text": "The “ core ” module will use one of two methods to infect the application – Decompile and Binary .", "spans": {}, "info": {"id": "cyner_mitre_train_01817", "source": "cyner_mitre_train"}} +{"text": "The decompile method is based on the fact that Android applications are Java-based , meaning it is possible to recompile it .", "spans": {"System: Android": [[47, 54]]}, "info": {"id": "cyner_mitre_train_01818", "source": "cyner_mitre_train"}} +{"text": "Therefore , “ Agent Smith ” decompiles both the original application and the malicious payload and fuses them together .", "spans": {"Malware: Agent Smith": [[14, 25]]}, "info": {"id": "cyner_mitre_train_01819", "source": "cyner_mitre_train"}} +{"text": "Figure 5 : core module mixes malicious payload with the original application While decompiling the original app , “ Agent Smith ” has the opportunity to modify the methods inside , replace some of the methods in the original application that handles advertisement with its own code and focus on 
methods communicating with ‘ AdMob ’ , ‘ Facebook ’ , ‘ MoPub ’ and ‘ Unity Ads ’ .", "spans": {"Malware: Agent Smith": [[116, 127]], "System: AdMob": [[324, 329]], "System: Facebook": [[336, 344]], "System: MoPub": [[351, 356]], "System: Unity Ads": [[365, 374]]}, "info": {"id": "cyner_mitre_train_01820", "source": "cyner_mitre_train"}} +{"text": "Figure 6 : Targeted ad network Figure 7 : Injection example After all of the required changes , “ Agent Smith ” compiles the application and builds a DEX file containing both the original code of the original application and the malicious payload .", "spans": {"Malware: Agent Smith": [[98, 109]]}, "info": {"id": "cyner_mitre_train_01821", "source": "cyner_mitre_train"}} +{"text": "In some cases , the decompilation process will fail , and “ Agent Smith ” will try another method for infecting the original application – A binary patch , which simply provides a binary file of the “ boot ” module of “ Agent Smith ” .", "spans": {"Malware: Agent Smith": [[60, 71], [220, 231]]}, "info": {"id": "cyner_mitre_train_01822", "source": "cyner_mitre_train"}} +{"text": "Once the payload is prepared , “ Agent Smith ” uses it to build another APK file , exploiting the Janus vulnerability : Figure 8 : The new infected APK file structure Solely injecting the code of the loader is not enough .", "spans": {"Malware: Agent Smith": [[33, 44]], "Vulnerability: Janus": [[98, 103]]}, "info": {"id": "cyner_mitre_train_01823", "source": "cyner_mitre_train"}} +{"text": "As “ Agent Smith ” uses a modular approach , and as stated earlier , the original loader extracts everything from the assets , the usage of the Janus vulnerability can only change the code of the original application , not the resources .", "spans": {"Malware: Agent Smith": [[5, 16]], "Vulnerability: Janus": [[144, 149]]}, "info": {"id": "cyner_mitre_train_01824", "source": "cyner_mitre_train"}} +{"text": "This means that the only thing possible in this case is to replace its DEX 
file .", "spans": {}, "info": {"id": "cyner_mitre_train_01825", "source": "cyner_mitre_train"}} +{"text": "To overcome this issue , “ Agent Smith ” found another solution .", "spans": {"Malware: Agent Smith": [[27, 38]]}, "info": {"id": "cyner_mitre_train_01826", "source": "cyner_mitre_train"}} +{"text": "Seeing as the system loader of the DEX files ( ART ) fully ignores everything that goes after the data section , the patcher writes all of its resources right there .", "spans": {}, "info": {"id": "cyner_mitre_train_01827", "source": "cyner_mitre_train"}} +{"text": "This action changes the original file size of the DEX file , which makes the malicious resources a part of the DEX file , a section that is ignored by the signature validation process .", "spans": {}, "info": {"id": "cyner_mitre_train_01828", "source": "cyner_mitre_train"}} +{"text": "Figure 9 : Malware secretly adds malicious resources to the DEX file Now , after the alteration of the original application , Android ’ s package manager will think that this is an update for the application signed by the same certificate , but in reality , it will execute the malicious DEX file .", "spans": {"System: Android": [[126, 133]]}, "info": {"id": "cyner_mitre_train_01829", "source": "cyner_mitre_train"}} +{"text": "Even now , this is still not enough .", "spans": {}, "info": {"id": "cyner_mitre_train_01830", "source": "cyner_mitre_train"}} +{"text": "“ Agent Smith ” needs to be updated/installed without the user ’ s consent .", "spans": {"Malware: Agent Smith": [[2, 13]]}, "info": {"id": "cyner_mitre_train_01831", "source": "cyner_mitre_train"}} +{"text": "To achieve this , “ Agent Smith ” utilizes a series of 1-day vulnerabilities , which allows any application to run an activity inside a system application , even if this activity is not exported .", "spans": {"Malware: Agent Smith": [[20, 31]], "Vulnerability: 1-day vulnerabilities": [[55, 76]]}, "info": {"id": "cyner_mitre_train_01832", "source": 
"cyner_mitre_train"}} +{"text": "The malicious application sends a request to choose a network account , a specific account that can only be processed by authentication services exported by the malicious application .", "spans": {}, "info": {"id": "cyner_mitre_train_01833", "source": "cyner_mitre_train"}} +{"text": "The system service ‘ AccountManagerService ’ looks for the application that can process this request .", "spans": {}, "info": {"id": "cyner_mitre_train_01834", "source": "cyner_mitre_train"}} +{"text": "While doing so , it will reach a service exported by “ Agent Smith ” , and sends out an authentication request that would lead to a call to the ‘ addAccount ’ method .", "spans": {"Malware: Agent Smith": [[55, 66]]}, "info": {"id": "cyner_mitre_train_01835", "source": "cyner_mitre_train"}} +{"text": "Then , a request is formed in such a way that an activity that installs the application is called , bypassing all security checks .", "spans": {}, "info": {"id": "cyner_mitre_train_01836", "source": "cyner_mitre_train"}} +{"text": "Figure 10 : The algorithm of the malicious update , while “ Agent Smith ” updates application If all that has failed , “ Agent Smith ” turns to Man-in-the-Disk vulnerability for ‘ SHAREit ’ or ‘ Xender ’ applications .", "spans": {"Malware: Agent Smith": [[60, 71], [121, 132]], "Vulnerability: Man-in-the-Disk": [[144, 159]], "System: SHAREit": [[180, 187]], "System: Xender": [[195, 201]]}, "info": {"id": "cyner_mitre_train_01837", "source": "cyner_mitre_train"}} +{"text": "This is a very simple process , which is replacing their update file on SD card with its own malicious payload .", "spans": {}, "info": {"id": "cyner_mitre_train_01838", "source": "cyner_mitre_train"}} +{"text": "Figure 11 : ‘ Agent Smith ’ uses man-in-disk to install the malicious update Technical Analysis – Boot Module The “ boot ” module is basically another “ loader ” module , but this time it ’ s executed in the infected application .", "spans": {"Malware: 
Agent Smith": [[14, 25]], "Vulnerability: man-in-disk": [[33, 44]]}, "info": {"id": "cyner_mitre_train_01839", "source": "cyner_mitre_train"}} +{"text": "The purpose of this module is to extract and execute a malicious payload – the “ patch ” module .", "spans": {}, "info": {"id": "cyner_mitre_train_01840", "source": "cyner_mitre_train"}} +{"text": "The infected application contains its payload inside the DEX file .", "spans": {}, "info": {"id": "cyner_mitre_train_01841", "source": "cyner_mitre_train"}} +{"text": "All that is needed is to get the original size of the DEX file and read everything that comes after this offset .", "spans": {}, "info": {"id": "cyner_mitre_train_01842", "source": "cyner_mitre_train"}} +{"text": "Figure 12 : Boot module After the patch module is extracted , the “ boot ” module executes it , using the same method described in the “ loader ” module .", "spans": {}, "info": {"id": "cyner_mitre_train_01843", "source": "cyner_mitre_train"}} +{"text": "The “ boot ” module has placeholder classes for the entry points of the infected applications .", "spans": {}, "info": {"id": "cyner_mitre_train_01844", "source": "cyner_mitre_train"}} +{"text": "This allows the “ boot ” module to execute the payloads when the infected application is started .", "spans": {}, "info": {"id": "cyner_mitre_train_01845", "source": "cyner_mitre_train"}} +{"text": "Figure 13 : placeholder classes in Boot module Technical Analysis – Patch Module When “ Agent Smith ” has reached its goal – a malicious payload running inside the original application , with hooks on various methods – at this point , everything lies with maintaining the required code in case of an update for the original application .", "spans": {"Malware: Agent Smith": [[88, 99]]}, "info": {"id": "cyner_mitre_train_01846", "source": "cyner_mitre_train"}} +{"text": "While investing a lot of resources in the development of this malware , the actor behind “ Agent Smith ” does not want a real update to remove 
all of the changes made , so here is where the “ patch ” module comes in to play With the sole purpose of disabling automatic updates for the infected application , this module observes the update directory for the original application and removes the file once it appears .", "spans": {"Malware: Agent Smith": [[91, 102]]}, "info": {"id": "cyner_mitre_train_01847", "source": "cyner_mitre_train"}} +{"text": "Another trick in “ Agent Smith ’ s arsenal is to change the settings of the update timeout , making the original application wait endlessly for the update check .", "spans": {"Malware: Agent Smith": [[19, 30]]}, "info": {"id": "cyner_mitre_train_01848", "source": "cyner_mitre_train"}} +{"text": "Figure 14 : disabling infected apps auto-update Figure 15 : changing the settings of the update timeout The Ad Displaying Payload Following all of the above , now is the time to take a look into the actual payload that displays ads to the victim .", "spans": {}, "info": {"id": "cyner_mitre_train_01849", "source": "cyner_mitre_train"}} +{"text": "In the injected payload , the module implements the method ‘ callActivityOnCreate ’ .", "spans": {}, "info": {"id": "cyner_mitre_train_01850", "source": "cyner_mitre_train"}} +{"text": "At any time an infected application will create an activity , this method will be called , and call ‘ requestAd ’ from “ Agent Smith ’ s code .", "spans": {"Malware: Agent Smith": [[121, 132]]}, "info": {"id": "cyner_mitre_train_01851", "source": "cyner_mitre_train"}} +{"text": "“ Agent Smith ” will replace the original application ’ s activities with an in-house SDK ’ s activity , which will show the banner received from the server .", "spans": {"Malware: Agent Smith": [[2, 13]]}, "info": {"id": "cyner_mitre_train_01852", "source": "cyner_mitre_train"}} +{"text": "In the case of the infected application not specified in the code , “ Agent Smith ” will simply show ads on the activity being loaded .", "spans": {"Malware: Agent Smith": [[70, 81]]}, 
"info": {"id": "cyner_mitre_train_01853", "source": "cyner_mitre_train"}} +{"text": "Figure 16 : integrating an in-house ad SDK Figure 17 : replacing original app activities with the malicious ad SDK activity Figure 18 : the malware showing ads on any activity being loaded Connecting the Dots As our malware sample analysis took the team closer to reveal the “ Agent Smith ” campaign in its entirety and it is here that the C & C server investigation enters the center stage .", "spans": {}, "info": {"id": "cyner_mitre_train_01854", "source": "cyner_mitre_train"}} +{"text": "We started with most frequently used C & C domains “ a * * * d.com ” , “ a * * * d.net ” , and “ a * * * d.org ” .", "spans": {"Indicator: a * * * d.com": [[53, 66]], "Indicator: a * * * d.net": [[73, 86]], "Indicator: a * * * d.org": [[97, 110]]}, "info": {"id": "cyner_mitre_train_01855", "source": "cyner_mitre_train"}} +{"text": "Among multiple sub-domains , “ ad.a * * * d.org ” and “ gd.a * * * d.org ” both historically resolved to the same suspicious IP address .", "spans": {"Indicator: ad.a * * * d.org": [[31, 47]], "Indicator: gd.a * * * d.org": [[56, 72]]}, "info": {"id": "cyner_mitre_train_01856", "source": "cyner_mitre_train"}} +{"text": "The reverse DNS history of this IP brought “ ads.i * * * e.com ” into our attention .", "spans": {"Indicator: ads.i * * * e.com": [[45, 62]]}, "info": {"id": "cyner_mitre_train_01857", "source": "cyner_mitre_train"}} +{"text": "An extended malware hunting process returned to us a large set of “ Agent Smith ” dropper variants which helped us further deduce a relation among multiple C & C server infrastructures .", "spans": {"Malware: Agent Smith": [[68, 79]]}, "info": {"id": "cyner_mitre_train_01858", "source": "cyner_mitre_train"}} +{"text": "In a different period of the “ Agent Smith ” campaign , droppers and core modules used various combinations of the “ a * * * d ” and “ i * * * e ” domains for malicious operations such as prey list query , patch 
request and ads request .", "spans": {"Malware: Agent Smith": [[31, 42]]}, "info": {"id": "cyner_mitre_train_01859", "source": "cyner_mitre_train"}} +{"text": "With a bit of luck , we managed to find logs in which the evidence showed “ Agent Smith ’ s C & C front end routinely distributes a workload between “ w.h * * * g.com ” and “ tt.a * * * d.net ” .", "spans": {"Malware: Agent Smith": [[76, 87]], "Indicator: w.h * * * g.com": [[151, 166]], "Indicator: tt.a * * * d.net": [[175, 191]]}, "info": {"id": "cyner_mitre_train_01860", "source": "cyner_mitre_train"}} +{"text": "An in-depth understanding of the “ Agent Smith ’ s campaign C & C infrastructure enabled us to reach the conclusion that the owner of “ i * * * e.com ” , “ h * * * g.com ” is the group of hackers behind “ Agent Smith ” .", "spans": {"Malware: Agent Smith": [[35, 46], [205, 216]], "Indicator: “ i * * * e.com": [[134, 149]], "Indicator: h * * * g.com": [[156, 169]]}, "info": {"id": "cyner_mitre_train_01861", "source": "cyner_mitre_train"}} +{"text": "Figure 19 : C & C infrastructure diagram The Infection Landscape “ Agent Smith ” droppers show a very greedy infection tactic .", "spans": {"Malware: Agent Smith": [[67, 78]]}, "info": {"id": "cyner_mitre_train_01862", "source": "cyner_mitre_train"}} +{"text": "It ’ s not enough for this malware family to swap just one innocent application with an infected double .", "spans": {}, "info": {"id": "cyner_mitre_train_01863", "source": "cyner_mitre_train"}} +{"text": "It does so for each and every app on the device as long as the package names are on its prey list .", "spans": {}, "info": {"id": "cyner_mitre_train_01864", "source": "cyner_mitre_train"}} +{"text": "Over time , this campaign will also infect the same device , repeatedly , with the latest malicious patches .", "spans": {}, "info": {"id": "cyner_mitre_train_01865", "source": "cyner_mitre_train"}} +{"text": "This lead us to estimate there to be over 2.8 billion infections in total , on around 25 
Million unique devices , meaning that on average , each victim would have suffered roughly 112 swaps of innocent applications .", "spans": {}, "info": {"id": "cyner_mitre_train_01866", "source": "cyner_mitre_train"}} +{"text": "As an initial attack vector , “ Agent Smith ” abuses the 9Apps market – with over 360 different dropper variants .", "spans": {"Malware: Agent Smith": [[32, 43]], "System: 9Apps": [[57, 62]]}, "info": {"id": "cyner_mitre_train_01867", "source": "cyner_mitre_train"}} +{"text": "To maximize profit , variants with “ MinSDK ” or “ OTA ” SDK are present to further infect victims with other adware families .", "spans": {}, "info": {"id": "cyner_mitre_train_01868", "source": "cyner_mitre_train"}} +{"text": "The majority of droppers in 9Apps are games , while the rest fall into categories of adult entertainment , media player , photo utilities , and system utilities .", "spans": {"System: 9Apps": [[28, 33]]}, "info": {"id": "cyner_mitre_train_01869", "source": "cyner_mitre_train"}} +{"text": "Figure 20 : dropper app category distribution Among the vast number of variants , the top 5 most infectious droppers alone have been downloaded more than 7.8 million times of the infection operations against innocent applications : Figure 21 : Top 5 most infectious droppers The “ Agent Smith ” campaign is primarily targeted at Indian users , who represent 59 % of the impacted population .", "spans": {"Malware: Agent Smith": [[281, 292]]}, "info": {"id": "cyner_mitre_train_01870", "source": "cyner_mitre_train"}} +{"text": "Unlike previously seen non-GP ( Google Play ) centric malware campaigns , “ Agent Smith ” has a significant impact upon not only developing countries but also some developed countries where GP is readily available .", "spans": {"System: Google Play": [[32, 43]], "Malware: Agent Smith": [[76, 87]]}, "info": {"id": "cyner_mitre_train_01871", "source": "cyner_mitre_train"}} +{"text": "For example , the US ( with around 303k infections ) , Saudi 
Arabia ( 245k ) , Australia ( 141k ) and the UK ( 137k ) .", "spans": {}, "info": {"id": "cyner_mitre_train_01872", "source": "cyner_mitre_train"}} +{"text": "Figure 22 : world infection heat map Considering that India is by far the most infected county by “ Agent Smith ” , overall compromised device brand distribution is heavily influenced by brand popularity among Indian Android users : Figure 23 : infected brand distribution While most infections occurred on devices running Android 5 and 6 , we also see a considerable number of successful attacks against newer Android versions .", "spans": {"Malware: Agent Smith": [[100, 111]], "System: Android": [[217, 224], [411, 418]], "System: Android 5 and 6": [[323, 338]]}, "info": {"id": "cyner_mitre_train_01873", "source": "cyner_mitre_train"}} +{"text": "It is a worrying observation .", "spans": {}, "info": {"id": "cyner_mitre_train_01874", "source": "cyner_mitre_train"}} +{"text": "AOSP patched the Janus vulnerability since version 7 by introducing APK Signature Scheme V2 .", "spans": {"Vulnerability: Janus": [[17, 22]]}, "info": {"id": "cyner_mitre_train_01875", "source": "cyner_mitre_train"}} +{"text": "However , in order to block Janus abuse , app developers need to sign their apps with the new scheme so that Android framework security component could conduct integrity checks with enhanced features .", "spans": {"Vulnerability: Janus": [[28, 33]], "System: Android": [[109, 116]]}, "info": {"id": "cyner_mitre_train_01876", "source": "cyner_mitre_train"}} +{"text": "Figure 25 : infected Android version distribution To further analyze “ Agent Smith ” ’ s infection landscape , we dived into the top 10 infected countries : Country Total Devices Total Infection Event Count Avg .", "spans": {"System: Android": [[21, 28]], "Malware: Agent Smith": [[71, 82]]}, "info": {"id": "cyner_mitre_train_01877", "source": "cyner_mitre_train"}} +{"text": "App Swap Per Device Avg .", "spans": {}, "info": {"id": "cyner_mitre_train_01878", 
"source": "cyner_mitre_train"}} +{"text": "Droppers Per Device Avg .", "spans": {}, "info": {"id": "cyner_mitre_train_01879", "source": "cyner_mitre_train"}} +{"text": "Months Device Remained Infected India 15,230,123 2,017,873,249 2.6 1.7 2.1 Bangladesh 2,539,913 208,026,886 2.4 1.5 2.2 Pakistan 1,686,216 94,296,907 2.4 1.6 2 Indonesia 572,025 67,685,983 2 1.5 2.2 Nepal 469,274 44,961,341 2.4 1.6 2.4 US 302,852 19,327,093 1.7 1.4 1.8 Nigeria 287,167 21,278,498 2.4 1.3 2.3 Hungary 282,826 7,856,064 1.7 1.3 1.7 Saudi Arabia 245,698 18,616,259 2.3", "spans": {}, "info": {"id": "cyner_mitre_train_01880", "source": "cyner_mitre_train"}} +{"text": "1.6 1.9 Myanmar 234,338 9,729,572 1.5 1.4 1.9 “ Agent Smith ” Timeline Early signs of activity from the actor behind “ Agent Smith ” can be traced back to January 2016 .", "spans": {"Malware: Agent Smith": [[48, 59]]}, "info": {"id": "cyner_mitre_train_01881", "source": "cyner_mitre_train"}} +{"text": "We classify this 40-month period into three main stages .", "spans": {}, "info": {"id": "cyner_mitre_train_01882", "source": "cyner_mitre_train"}} +{"text": "January 2016 – May 2018 : In this stage , “ Agent Smith ” hackers started to try out 9Apps as a distribution channel for their adware .", "spans": {"Malware: Agent Smith": [[44, 55]]}, "info": {"id": "cyner_mitre_train_01883", "source": "cyner_mitre_train"}} +{"text": "During this period , malware samples display some typical adware characteristics such as unnecessary permission requirements and pop-up windows .", "spans": {"System: windows": [[136, 143]]}, "info": {"id": "cyner_mitre_train_01884", "source": "cyner_mitre_train"}} +{"text": "During this time , “ Agent Smith ” hackers eventually built up a vast number of app presence on 9Apps , which later would serve as publication channels for evolved droppers .", "spans": {"Malware: Agent Smith": [[21, 32]], "System: 9Apps": [[96, 101]]}, "info": {"id": "cyner_mitre_train_01885", "source": "cyner_mitre_train"}} +{"text": 
"However , samples don ’ t have key capabilities to infect innocent apps on victim devices yet .", "spans": {}, "info": {"id": "cyner_mitre_train_01886", "source": "cyner_mitre_train"}} +{"text": "May 2018 to April 2019 : This is the actual mature stage of “ Agent Smith ” campaign .", "spans": {"Malware: Agent Smith": [[62, 73]]}, "info": {"id": "cyner_mitre_train_01887", "source": "cyner_mitre_train"}} +{"text": "From early 2018 prior to May , “ Agent Smith ” hackers started to experiment with Bundle Feng Shui , the key tool which gives “ Agent Smith ” malware family capabilities to infect innocent apps on the device .", "spans": {"Malware: Agent Smith": [[33, 44], [128, 139]]}, "info": {"id": "cyner_mitre_train_01888", "source": "cyner_mitre_train"}} +{"text": "A series of pilot runs were executed .", "spans": {}, "info": {"id": "cyner_mitre_train_01889", "source": "cyner_mitre_train"}} +{"text": "After some major upgrade , by mid-June , the “ Agent Smith ” campaign reached its peak .", "spans": {"Malware: Agent Smith": [[47, 58]]}, "info": {"id": "cyner_mitre_train_01890", "source": "cyner_mitre_train"}} +{"text": "Its dropper family finished integration with Bundle Feng Shui and campaign C & C infrastructure was shifted to AWS cloud .", "spans": {"System: AWS": [[111, 114]]}, "info": {"id": "cyner_mitre_train_01891", "source": "cyner_mitre_train"}} +{"text": "The Campaign achieved exponential growth from June to December 2018 with the infection number staying stable into early 2019 .", "spans": {}, "info": {"id": "cyner_mitre_train_01892", "source": "cyner_mitre_train"}} +{"text": "Post-April 2019 : Starting from early 2019 , the new infection rate of “ Agent Smith ” dropped significantly .", "spans": {"Malware: Agent Smith": [[73, 84]]}, "info": {"id": "cyner_mitre_train_01893", "source": "cyner_mitre_train"}} +{"text": "From early April , hackers started to build a new major update to the “ Agent Smith ” campaign under the name “ leechsdk ” .", "spans": 
{"Malware: Agent Smith": [[72, 83]]}, "info": {"id": "cyner_mitre_train_01894", "source": "cyner_mitre_train"}} +{"text": "Figure 26 : “ Agent Smith ” Campaign timeline Greater “ Agent Smith ” Campaign Discovery Orchestrating a successful 9Apps centric malware campaign , the actor behind “ Agent Smith ” established solid strategies in malware proliferation and payload delivery .", "spans": {"Malware: Agent Smith": [[14, 25], [56, 67], [168, 179]], "System: 9Apps": [[116, 121]]}, "info": {"id": "cyner_mitre_train_01895", "source": "cyner_mitre_train"}} +{"text": "The actor also built solid backend infrastructures which can handle high volume concurrent requests .", "spans": {}, "info": {"id": "cyner_mitre_train_01896", "source": "cyner_mitre_train"}} +{"text": "During our extended threat hunting , we uncovered 11 apps on the Google Play store that contain a malicious yet dormant SDK related to “ Agent Smith ” actor .", "spans": {"System: Google Play store": [[65, 82]], "Malware: Agent Smith": [[137, 148]]}, "info": {"id": "cyner_mitre_train_01897", "source": "cyner_mitre_train"}} +{"text": "This discovery indicates the actor ’ s ambition in expanding operations into Google Play store with previous success experience from the main “ Agent Smith ” campaign .", "spans": {"System: Google Play": [[77, 88]], "Malware: Agent Smith": [[144, 155]]}, "info": {"id": "cyner_mitre_train_01898", "source": "cyner_mitre_train"}} +{"text": "Instead of embedding core malware payload in droppers , the actor switches to a more low-key SDK approach .", "spans": {}, "info": {"id": "cyner_mitre_train_01899", "source": "cyner_mitre_train"}} +{"text": "In the dangerous module lies a kill switch logic which looks for the keyword “ infect ” .", "spans": {}, "info": {"id": "cyner_mitre_train_01900", "source": "cyner_mitre_train"}} +{"text": "Once the keyword is present , the SDK will switch from innocent ads server to malicious payload delivery ones .", "spans": {}, "info": {"id": 
"cyner_mitre_train_01901", "source": "cyner_mitre_train"}} +{"text": "Hence , we name this new spin-off campaign as Jaguar Kill Switch .", "spans": {}, "info": {"id": "cyner_mitre_train_01902", "source": "cyner_mitre_train"}} +{"text": "The below code snippet is currently isolated and dormant .", "spans": {}, "info": {"id": "cyner_mitre_train_01903", "source": "cyner_mitre_train"}} +{"text": "In the future , it will be invoked by malicious SDK during banner ads display .", "spans": {}, "info": {"id": "cyner_mitre_train_01904", "source": "cyner_mitre_train"}} +{"text": "Figure 26 : the kill switch code snippet Evidence implies that the “ Agent Smith ” actor is currently laying the groundwork , increasing its Google Play penetration rate and waiting for the right timing to kick off attacks .", "spans": {"Malware: Agent Smith": [[69, 80]], "System: Google Play": [[141, 152]]}, "info": {"id": "cyner_mitre_train_01905", "source": "cyner_mitre_train"}} +{"text": "By the time of this publication , two Jaguar Kill Switch infected app has reached 10 million downloads while others are still in their early stages .", "spans": {}, "info": {"id": "cyner_mitre_train_01906", "source": "cyner_mitre_train"}} +{"text": "Check Point Research reported these dangerous apps to Google upon discovery .", "spans": {"Organization: Check Point": [[0, 11]], "Organization: Google": [[54, 60]]}, "info": {"id": "cyner_mitre_train_01907", "source": "cyner_mitre_train"}} +{"text": "Currently , all bespoke apps have been taken down from the Google Play store .", "spans": {"System: Google Play": [[59, 70]]}, "info": {"id": "cyner_mitre_train_01908", "source": "cyner_mitre_train"}} +{"text": "Figure 28 : Jaguar Kill Switch infected GP apps Peek Into the Actor Based on all of the above , we connected “ Agent Smith ” campaign to a Chinese internet company located in Guangzhou whose front end legitimate business is to help Chinese Android developers publish and promote their apps on overseas platforms 
.", "spans": {"Malware: Agent Smith": [[111, 122]], "System: Android": [[240, 247]]}, "info": {"id": "cyner_mitre_train_01909", "source": "cyner_mitre_train"}} +{"text": "Various recruitment posts on Chinese job sites and Chinese National Enterprise Credit Information Public System ( NECIPS ) data led us one step further , linking the actor to its legal entity name .", "spans": {"System: Chinese National Enterprise Credit Information Public System ( NECIPS )": [[51, 122]]}, "info": {"id": "cyner_mitre_train_01910", "source": "cyner_mitre_train"}} +{"text": "Interestingly , we uncovered several expired job posting of Android reverse engineer from the actor ’ s front business published in 2018 and 2019 .", "spans": {"System: Android": [[60, 67]]}, "info": {"id": "cyner_mitre_train_01911", "source": "cyner_mitre_train"}} +{"text": "It seems that the people who filled these roles are key to “ Agent Smith ’ s success , yet not quite necessary for actor ’ s legitimate side of business .", "spans": {"Malware: Agent Smith": [[61, 72]]}, "info": {"id": "cyner_mitre_train_01912", "source": "cyner_mitre_train"}} +{"text": "With a better understanding of the “ Agent Smith ” actor than we had in the initial phase of campaign hunting , we examined the list of target innocent apps once again and discovered the actor ’ s unusual practices in choosing targets .", "spans": {"Malware: Agent Smith": [[37, 48]]}, "info": {"id": "cyner_mitre_train_01913", "source": "cyner_mitre_train"}} +{"text": "It seems , “ Agent Smith ” prey list does not only have popular yet Janus vulnerable apps to ensure high proliferation , but also contain competitor apps of actor ’ s legitimate business arm to suppress competition .", "spans": {"Malware: Agent Smith": [[13, 24]], "Vulnerability: Janus": [[68, 73]]}, "info": {"id": "cyner_mitre_train_01914", "source": "cyner_mitre_train"}} +{"text": "Conclusion Although the actor behind “ Agent Smith ” decided to make their illegally acquired profit by 
exploiting the use of ads , another actor could easily take a more intrusive and harmful route .", "spans": {"Malware: Agent Smith": [[39, 50]]}, "info": {"id": "cyner_mitre_train_01915", "source": "cyner_mitre_train"}} +{"text": "With the ability to hide its icon from the launcher and hijack popular existing apps on a device , there are endless possibilities to harm a user ’ s digital even physical security .", "spans": {}, "info": {"id": "cyner_mitre_train_01916", "source": "cyner_mitre_train"}} +{"text": "Today this malware shows unwanted ads , tomorrow it could steal sensitive information ; from private messages to banking credentials and much more .", "spans": {}, "info": {"id": "cyner_mitre_train_01917", "source": "cyner_mitre_train"}} +{"text": "The “ Agent Smith ” campaign serves as a sharp reminder that effort from system developers alone is not enough to build a secure Android eco-system .", "spans": {"Malware: Agent Smith": [[6, 17]], "System: Android": [[129, 136]]}, "info": {"id": "cyner_mitre_train_01918", "source": "cyner_mitre_train"}} +{"text": "It requires attention and action from system developers , device manufacturers , app developers , and users , so that vulnerability fixes are patched , distributed , adopted and installed in time .", "spans": {}, "info": {"id": "cyner_mitre_train_01919", "source": "cyner_mitre_train"}} +{"text": "It is also another example for why organizations and consumers alike should have an advanced mobile threat prevention solution installed on the device to protect themselves against the possibility of unknowingly installing malicious apps , even from trusted app stores .", "spans": {}, "info": {"id": "cyner_mitre_train_01920", "source": "cyner_mitre_train"}} +{"text": "Dvmap : the first Android malware with code injection 08 JUN 2017 In April 2017 we started observing new rooting malware being distributed through the Google Play Store .", "spans": {"Malware: Dvmap": [[0, 5]], "System: Android": [[18, 25]], "System: 
Google Play Store": [[151, 168]]}, "info": {"id": "cyner_mitre_train_01921", "source": "cyner_mitre_train"}} +{"text": "Unlike other rooting malware , this Trojan not only installs its modules into the system , it also injects malicious code into the system runtime libraries .", "spans": {}, "info": {"id": "cyner_mitre_train_01922", "source": "cyner_mitre_train"}} +{"text": "Kaspersky Lab products detect it as Trojan.AndroidOS.Dvmap.a .", "spans": {"Organization: Kaspersky Lab": [[0, 13]], "Indicator: Trojan.AndroidOS.Dvmap.a": [[36, 60]]}, "info": {"id": "cyner_mitre_train_01923", "source": "cyner_mitre_train"}} +{"text": "The distribution of rooting malware through Google Play is not a new thing .", "spans": {"System: Google Play": [[44, 55]]}, "info": {"id": "cyner_mitre_train_01924", "source": "cyner_mitre_train"}} +{"text": "For example , the Ztorg Trojan has been uploaded to Google Play almost 100 times since September 2016 .", "spans": {"Malware: Ztorg Trojan": [[18, 30]], "System: Google Play": [[52, 63]]}, "info": {"id": "cyner_mitre_train_01925", "source": "cyner_mitre_train"}} +{"text": "But Dvmap is very special rooting malware .", "spans": {"Malware: Dvmap": [[4, 9]]}, "info": {"id": "cyner_mitre_train_01926", "source": "cyner_mitre_train"}} +{"text": "It uses a variety of new techniques , but the most interesting thing is that it injects malicious code into the system libraries – libdmv.so or libandroid_runtime.so .", "spans": {"Indicator: libdmv.so": [[131, 140]], "Indicator: libandroid_runtime.so": [[144, 165]]}, "info": {"id": "cyner_mitre_train_01927", "source": "cyner_mitre_train"}} +{"text": "This makes Dvmap the first Android malware that injects malicious code into the system libraries in runtime , and it has been downloaded from the Google Play Store more than 50,000 times .", "spans": {"Malware: Dvmap": [[11, 16]], "System: Android": [[27, 34]], "System: Google Play Store": [[146, 163]]}, "info": {"id": "cyner_mitre_train_01928", "source": 
"cyner_mitre_train"}} +{"text": "Kaspersky Lab reported the Trojan to Google , and it has now been removed from the store .", "spans": {"Organization: Kaspersky Lab": [[0, 13]], "Organization: Google": [[37, 43]]}, "info": {"id": "cyner_mitre_train_01929", "source": "cyner_mitre_train"}} +{"text": "To bypass Google Play Store security checks , the malware creators used a very interesting method : they uploaded a clean app to the store at the end of March , 2017 , and would then update it with a malicious version for short period of time .", "spans": {"System: Google Play Store": [[10, 27]]}, "info": {"id": "cyner_mitre_train_01930", "source": "cyner_mitre_train"}} +{"text": "Usually they would upload a clean version back on Google Play the very same day .", "spans": {"System: Google Play": [[50, 61]]}, "info": {"id": "cyner_mitre_train_01931", "source": "cyner_mitre_train"}} +{"text": "They did this at least 5 times between 18 April and 15 May .", "spans": {}, "info": {"id": "cyner_mitre_train_01932", "source": "cyner_mitre_train"}} +{"text": "All the malicious Dvmap apps had the same functionality .", "spans": {"Malware: Dvmap": [[18, 23]]}, "info": {"id": "cyner_mitre_train_01933", "source": "cyner_mitre_train"}} +{"text": "They decrypt several archive files from the assets folder of the installation package , and launch an executable file from them with the name “ start. 
” The interesting thing is that the Trojan supports even the 64-bit version of Android , which is very rare .", "spans": {"System: Android": [[230, 237]]}, "info": {"id": "cyner_mitre_train_01934", "source": "cyner_mitre_train"}} +{"text": "All encrypted archives can be divided into two groups : the first comprises Game321.res , Game322.res , Game323.res and Game642.res – and these are used in the initial phase of infection , while the second group : Game324.res and Game644.res , are used in the main phase .", "spans": {"Indicator: Game321.res": [[76, 87]], "Indicator: Game322.res": [[90, 101]], "Indicator: Game323.res": [[104, 115]], "Indicator: Game642.res": [[120, 131]], "Indicator: Game324.res": [[214, 225]], "Indicator: Game644.res": [[230, 241]]}, "info": {"id": "cyner_mitre_train_01935", "source": "cyner_mitre_train"}} +{"text": "Initial phase During this phase , the Trojan tries to gain root rights on the device and to install some modules .", "spans": {}, "info": {"id": "cyner_mitre_train_01936", "source": "cyner_mitre_train"}} +{"text": "All archives from this phase contain the same files except for one called “ common ” .", "spans": {}, "info": {"id": "cyner_mitre_train_01937", "source": "cyner_mitre_train"}} +{"text": "This is a local root exploit pack , and the Trojan uses 4 different exploit pack files , 3 for 32-bit systems and 1 for 64-bit-systems .", "spans": {}, "info": {"id": "cyner_mitre_train_01938", "source": "cyner_mitre_train"}} +{"text": "If these files successfully gain root rights , the Trojan will install several tools into the system .", "spans": {}, "info": {"id": "cyner_mitre_train_01939", "source": "cyner_mitre_train"}} +{"text": "It will also install the malicious app “ com.qualcmm.timeservices. 
” These archives contain the file “ .root.sh ” which has some comments in Chinese : Main phase In this phase , the Trojan launches the “ start ” file from Game324.res or Game644.res .", "spans": {"Indicator: com.qualcmm.timeservices.": [[41, 66]], "Indicator: .root.sh": [[103, 111]], "Indicator: Game324.res": [[222, 233]], "Indicator: Game644.res": [[237, 248]]}, "info": {"id": "cyner_mitre_train_01940", "source": "cyner_mitre_train"}} +{"text": "It will check the version of Android installed and decide which library should be patched .", "spans": {"System: Android": [[29, 36]]}, "info": {"id": "cyner_mitre_train_01941", "source": "cyner_mitre_train"}} +{"text": "For Android 4.4.4 and older , the Trojan will patch method _Z30dvmHeapSourceStartupBeforeForkv from libdvm.so , and for Android 5 and newer it will patch method nativeForkAndSpecialize from libandroid_runtime.so .", "spans": {"System: Android 4.4.4": [[4, 17]], "Indicator: libdvm.so": [[100, 109]], "System: Android": [[120, 127]], "Indicator: libandroid_runtime.so": [[190, 211]]}, "info": {"id": "cyner_mitre_train_01942", "source": "cyner_mitre_train"}} +{"text": "Both of these libraries are runtime libraries related to Dalvik and ART runtime environments .", "spans": {"System: Dalvik": [[57, 63]], "System: ART": [[68, 71]]}, "info": {"id": "cyner_mitre_train_01943", "source": "cyner_mitre_train"}} +{"text": "Before patching , the Trojan will backup the original library with a name bak_ { original name } .", "spans": {}, "info": {"id": "cyner_mitre_train_01944", "source": "cyner_mitre_train"}} +{"text": "During patching , the Trojan will overwrite the existing code with malicious code so that all it can do is execute /system/bin/ip .", "spans": {"Indicator: /system/bin/ip": [[115, 129]]}, "info": {"id": "cyner_mitre_train_01945", "source": "cyner_mitre_train"}} +{"text": "This could be very dangerous and cause some devices to crash following the overwrite .", "spans": {}, "info": {"id": 
"cyner_mitre_train_01946", "source": "cyner_mitre_train"}} +{"text": "Then the Trojan will put the patched library back into the system directory .", "spans": {}, "info": {"id": "cyner_mitre_train_01947", "source": "cyner_mitre_train"}} +{"text": "After that , the Trojan will replace the original /system/bin/ip with a malicious one from the archive ( Game324.res or Game644.res ) .", "spans": {"Indicator: /system/bin/ip": [[50, 64]], "Indicator: Game324.res": [[105, 116]], "Indicator: Game644.res": [[120, 131]]}, "info": {"id": "cyner_mitre_train_01948", "source": "cyner_mitre_train"}} +{"text": "In doing so , the Trojan can be sure that its malicious module will be executed with system rights .", "spans": {}, "info": {"id": "cyner_mitre_train_01949", "source": "cyner_mitre_train"}} +{"text": "But the malicious ip file does not contain any methods from the original ip file .", "spans": {}, "info": {"id": "cyner_mitre_train_01950", "source": "cyner_mitre_train"}} +{"text": "This means that all apps that were using this file will lose some functionality or even start crashing .", "spans": {}, "info": {"id": "cyner_mitre_train_01951", "source": "cyner_mitre_train"}} +{"text": "Malicious module “ ip ” This file will be executed by the patched system library .", "spans": {}, "info": {"id": "cyner_mitre_train_01952", "source": "cyner_mitre_train"}} +{"text": "It can turn off “ VerifyApps ” and enable the installation of apps from 3rd party stores by changing system settings .", "spans": {}, "info": {"id": "cyner_mitre_train_01953", "source": "cyner_mitre_train"}} +{"text": "Furthermore , it can grant the “ com.qualcmm.timeservices ” app Device Administrator rights without any interaction with the user , just by running commands .", "spans": {"Indicator: com.qualcmm.timeservices": [[33, 57]]}, "info": {"id": "cyner_mitre_train_01954", "source": "cyner_mitre_train"}} +{"text": "It is a very unusual way to get Device Administrator rights .", "spans": {}, "info": {"id": 
"cyner_mitre_train_01955", "source": "cyner_mitre_train"}} +{"text": "Malicious app com.qualcmm.timeservices As I mentioned before , in the “ initial phase ” , the Trojan will install the “ com.qualcmm.timeservices ” app .", "spans": {"Indicator: com.qualcmm.timeservices": [[14, 38], [120, 144]]}, "info": {"id": "cyner_mitre_train_01956", "source": "cyner_mitre_train"}} +{"text": "Its main purpose is to download archives and execute the “ start ” binary from them .", "spans": {}, "info": {"id": "cyner_mitre_train_01957", "source": "cyner_mitre_train"}} +{"text": "During the investigation , this app was able to successfully connect to the command and control server , but it received no commands .", "spans": {}, "info": {"id": "cyner_mitre_train_01958", "source": "cyner_mitre_train"}} +{"text": "So I don ’ t know what kind of files will be executed , but they could be malicious or advertising files .", "spans": {}, "info": {"id": "cyner_mitre_train_01959", "source": "cyner_mitre_train"}} +{"text": "Conclusions This Trojan was distributed through the Google Play Store and uses a number of very dangerous techniques , including patching system libraries .", "spans": {"System: Google Play Store": [[52, 69]]}, "info": {"id": "cyner_mitre_train_01960", "source": "cyner_mitre_train"}} +{"text": "It installs malicious modules with different functionality into the system .", "spans": {}, "info": {"id": "cyner_mitre_train_01961", "source": "cyner_mitre_train"}} +{"text": "It looks like its main purpose is to get into the system and execute downloaded files with root rights .", "spans": {}, "info": {"id": "cyner_mitre_train_01962", "source": "cyner_mitre_train"}} +{"text": "But I never received such files from their command and control server .", "spans": {}, "info": {"id": "cyner_mitre_train_01963", "source": "cyner_mitre_train"}} +{"text": "These malicious modules report to the attackers about every step they are going to make .", "spans": {}, "info": {"id": 
"cyner_mitre_train_01964", "source": "cyner_mitre_train"}} +{"text": "So I think that the authors are still testing this malware , because they use some techniques which can break the infected devices .", "spans": {}, "info": {"id": "cyner_mitre_train_01965", "source": "cyner_mitre_train"}} +{"text": "But they already have a lot of infected users on whom to test their methods .", "spans": {}, "info": {"id": "cyner_mitre_train_01966", "source": "cyner_mitre_train"}} +{"text": "I hope that by uncovering this malware at such an early stage , we will be able to prevent a massive and dangerous attack when the attackers are ready to actively use their methods .", "spans": {}, "info": {"id": "cyner_mitre_train_01967", "source": "cyner_mitre_train"}} +{"text": "MD5 43680D1914F28E14C90436E1D42984E2 20D4B9EB9377C499917C4D69BF4CCEBE First widely distributed Android bootkit Malware infects more than 350,000 Devices January 29 , 2014 In the last quarter of 2013 , sale of a Smartphone with ANDROID operating system has increased and every second person you see is a DROID user .", "spans": {"Indicator: 43680D1914F28E14C90436E1D42984E2": [[4, 36]], "Indicator: 20D4B9EB9377C499917C4D69BF4CCEBE": [[37, 69]], "System: Android": [[95, 102]], "System: ANDROID": [[227, 234]], "System: DROID": [[303, 308]]}, "info": {"id": "cyner_mitre_train_01968", "source": "cyner_mitre_train"}} +{"text": "A Russian security firm 'Doctor Web ' identified the first mass distributed Android bootkit malware called 'Android.Oldboot ' , a piece of malware that 's designed to re-infect devices after reboot , even if you delete all working components of it .", "spans": {"Organization: Web": [[32, 35]], "System: Android": [[76, 83]]}, "info": {"id": "cyner_mitre_train_01969", "source": "cyner_mitre_train"}} +{"text": "The bootkit Android.Oldboot has infected more than 350,000 android users in China , Spain , Italy , Germany , Russia , Brazil , the USA and some Southeast Asian countries .", "spans": {"Malware: 
Android.Oldboot": [[12, 27]], "System: android": [[59, 66]]}, "info": {"id": "cyner_mitre_train_01970", "source": "cyner_mitre_train"}} +{"text": "China seems to a mass victim of this kind of malware having a 92 % share .", "spans": {}, "info": {"id": "cyner_mitre_train_01971", "source": "cyner_mitre_train"}} +{"text": "A Bootkit is a rootkit malware variant which infects the device at start-up and may encrypt disk or steal data , remove the application , open connection for Command and controller .", "spans": {}, "info": {"id": "cyner_mitre_train_01972", "source": "cyner_mitre_train"}} +{"text": "A very unique technique is being used to inject this Trojan into an Android system where an attacker places a component of it into the boot partition of the file system and modify the 'init ' script ( initialize the operating system ) to re-load the malware as you switch on your android .", "spans": {"System: Android": [[68, 75]], "System: android": [[280, 287]]}, "info": {"id": "cyner_mitre_train_01973", "source": "cyner_mitre_train"}} +{"text": "When you start your device , this script loads the Trojan 'imei_chk ' ( detects it as Android.Oldboot.1 ) which extract two files libgooglekernel.so ( Android.Oldboot.2 ) and GoogleKernel.apk ( Android.Oldboot.1.origin ) , copy them respectively in /system/lib and /system/app .", "spans": {"Indicator: Android.Oldboot.1": [[86, 103]], "Indicator: libgooglekernel.so": [[130, 148]], "Indicator: Android.Oldboot.2": [[151, 168]], "Indicator: GoogleKernel.apk": [[175, 191]], "Indicator: Android.Oldboot.1.origin": [[194, 218]], "Indicator: /system/lib and /system/app": [[249, 276]]}, "info": {"id": "cyner_mitre_train_01974", "source": "cyner_mitre_train"}} +{"text": "Android.Oldboot acts as a system service and connects to the command-and-controller server using libgooglekernel.so library and receives commands to download , remove installed apps , and install malicious apps .", "spans": {"Malware: Android.Oldboot": [[0, 15]], 
"Indicator: libgooglekernel.so": [[97, 115]]}, "info": {"id": "cyner_mitre_train_01975", "source": "cyner_mitre_train"}} +{"text": "Since it becomes a part of the boot partition , formatting the device will not solve the problem .", "spans": {}, "info": {"id": "cyner_mitre_train_01976", "source": "cyner_mitre_train"}} +{"text": "The researchers believe that the devices somehow had the malware pre-loaded at the time of shipping from the manufacturer , or was likely distributed inside modified Android firmware .", "spans": {"System: Android": [[166, 173]]}, "info": {"id": "cyner_mitre_train_01977", "source": "cyner_mitre_train"}} +{"text": "So , users should beware of certain modified Android firmware .", "spans": {"System: Android": [[45, 52]]}, "info": {"id": "cyner_mitre_train_01978", "source": "cyner_mitre_train"}} +{"text": "Two weeks ago , Some Chinese Security Researchers have also detected a bootkit called 'Oldboot ' , possibly the same malware or another variant of it .", "spans": {}, "info": {"id": "cyner_mitre_train_01979", "source": "cyner_mitre_train"}} +{"text": "\" Due to the special RAM disk feature of Android devices ' boot partition , all current mobile antivirus products in the world ca n't completely remove this Trojan or effectively repair the system .", "spans": {"System: Android": [[41, 48]]}, "info": {"id": "cyner_mitre_train_01980", "source": "cyner_mitre_train"}} +{"text": "'' \" According to our statistics , as of today , there 're more than 500 , 000 Android devices infected by this bootkit in China in last six months .", "spans": {"System: Android": [[79, 86]]}, "info": {"id": "cyner_mitre_train_01981", "source": "cyner_mitre_train"}} +{"text": "The Android malware Android.Oldboot is almost impossible to remove , not even with formatting your device .", "spans": {"System: Android": [[4, 11]], "Malware: Android.Oldboot": [[20, 35]]}, "info": {"id": "cyner_mitre_train_01982", "source": "cyner_mitre_train"}} +{"text": "But if your device is 
not from a Chinese manufacturer , then chances that you are a victim of it , are very less .", "spans": {}, "info": {"id": "cyner_mitre_train_01983", "source": "cyner_mitre_train"}} +{"text": "This bootkit is not the first of this kind .", "spans": {}, "info": {"id": "cyner_mitre_train_01984", "source": "cyner_mitre_train"}} +{"text": "Two years back , in the month of March we reported , NQ Mobile Security Research Center uncovered the world 's first Android bootkit malware called 'DKFBootKit ' , that replaces certain boot processes and can begin running even before the system is completely booted up .", "spans": {"Organization: NQ Mobile Security": [[53, 71]], "System: Android": [[117, 124]]}, "info": {"id": "cyner_mitre_train_01985", "source": "cyner_mitre_train"}} +{"text": "But Android.Oldboot malware is a bit more dangerous because even if you remove all working components of it from your android successfully , the component imei_chk will persist in a protected boot memory area and hence will reinstall itself on next boot and continuously infect the Smartphone .", "spans": {"Malware: Android.Oldboot": [[4, 19]], "System: android": [[118, 125]], "Indicator: imei_chk": [[155, 163]]}, "info": {"id": "cyner_mitre_train_01986", "source": "cyner_mitre_train"}} +{"text": "Users are recommended to install apps from authorized stores such as Google Play , disable installation of apps from 'Unknown Sources ' and for a better security install a reputed security application .", "spans": {"System: Google Play": [[69, 80]]}, "info": {"id": "cyner_mitre_train_01987", "source": "cyner_mitre_train"}} +{"text": "You can also try to re-flash your device with its original ROM .", "spans": {}, "info": {"id": "cyner_mitre_train_01988", "source": "cyner_mitre_train"}} +{"text": "After flashing , the bootkit will be removed .", "spans": {}, "info": {"id": "cyner_mitre_train_01989", "source": "cyner_mitre_train"}} +{"text": "FrozenCell : Multi-Platform Surveillance Campaign Against 
Palestinians October 5 , 2017 FrozenCell has been seen masquerading as various well known social media and chat applications as well as an app likely only used by Palestinian or Jordanian students sitting their 2016 general exams .", "spans": {"Malware: FrozenCell": [[0, 10], [88, 98]]}, "info": {"id": "cyner_mitre_train_01990", "source": "cyner_mitre_train"}} +{"text": "Lookout researchers have discovered a new mobile surveillanceware family , FrozenCell .", "spans": {"Organization: Lookout": [[0, 7]], "Malware: FrozenCell": [[75, 85]]}, "info": {"id": "cyner_mitre_train_01991", "source": "cyner_mitre_train"}} +{"text": "The threat is likely targeting employees of various Palestinian government agencies , security services , Palestinian students , and those affiliated with the Fatah political party .", "spans": {"Organization: Fatah": [[159, 164]]}, "info": {"id": "cyner_mitre_train_01992", "source": "cyner_mitre_train"}} +{"text": "FrozenCell is the mobile component of a multi-platform attack we 've seen a threat actor known as \" Two-tailed Scorpion/APT-C-23 , '' use to spy on victims through compromised mobile devices and desktops .", "spans": {"Malware: FrozenCell": [[0, 10]], "Malware: Two-tailed Scorpion/APT-C-23": [[100, 128]]}, "info": {"id": "cyner_mitre_train_01993", "source": "cyner_mitre_train"}} +{"text": "The desktop components of this attack , previously discovered by Palo Alto Network , are known as KasperAgent and Micropsia .", "spans": {"Organization: Palo Alto Network": [[65, 82]], "Malware: KasperAgent": [[98, 109]], "Malware: Micropsia": [[114, 123]]}, "info": {"id": "cyner_mitre_train_01994", "source": "cyner_mitre_train"}} +{"text": "We discovered 561MB of exfiltrated data from 24 compromised Android devices while investigating this threat .", "spans": {"System: Android": [[60, 67]]}, "info": {"id": "cyner_mitre_train_01995", "source": "cyner_mitre_train"}} +{"text": "More data is appearing daily , leading us to believe the actors are still 
highly active .", "spans": {}, "info": {"id": "cyner_mitre_train_01996", "source": "cyner_mitre_train"}} +{"text": "We are continuing to watch it closely .", "spans": {}, "info": {"id": "cyner_mitre_train_01997", "source": "cyner_mitre_train"}} +{"text": "This threat is another proof point that attackers are clearly incorporating the mobile device into their surveillance campaigns as a primary attack vector .", "spans": {}, "info": {"id": "cyner_mitre_train_01998", "source": "cyner_mitre_train"}} +{"text": "Government agencies and enterprises should look at this threat as an example of the kind of spying that is now possible given how ubiquitous mobile devices are in the workplace .", "spans": {}, "info": {"id": "cyner_mitre_train_01999", "source": "cyner_mitre_train"}} +{"text": "Attackers are keenly aware of the information they can derive from these devices and are using multi-stage ( phishing + an executable ) , multi-platform ( Android + desktop ) attacks to accomplish their spying .", "spans": {"System: Android": [[155, 162]]}, "info": {"id": "cyner_mitre_train_02000", "source": "cyner_mitre_train"}} +{"text": "All Lookout customers are protected from this threat .", "spans": {"Organization: Lookout": [[4, 11]]}, "info": {"id": "cyner_mitre_train_02001", "source": "cyner_mitre_train"}} +{"text": "What it does FrozenCell masquerades as fake updates to chat applications like Facebook , WhatsApp , Messenger , LINE , and LoveChat .", "spans": {"Malware: FrozenCell": [[13, 23]], "System: Facebook": [[78, 86]], "System: WhatsApp": [[89, 97]], "System: Messenger": [[100, 109]], "System: LINE": [[112, 116]], "System: LoveChat": [[123, 131]]}, "info": {"id": "cyner_mitre_train_02002", "source": "cyner_mitre_train"}} +{"text": "We also detected it in apps targeted toward specific Middle Eastern demographics .", "spans": {}, "info": {"id": "cyner_mitre_train_02003", "source": "cyner_mitre_train"}} +{"text": "For example , the actors behind FrozenCell used a spoofed app 
called Tawjihi 2016 , which Jordanian or Palestinian students would ordinarily use during their general secondary examination .", "spans": {"Malware: FrozenCell": [[32, 42]], "Indicator: Tawjihi 2016": [[69, 81]]}, "info": {"id": "cyner_mitre_train_02004", "source": "cyner_mitre_train"}} +{"text": "Once installed on a device FrozenCell is capable of : Recording calls Retrieving generic phone metadata ( e.g. , cell location , mobile country code , mobile network code ) Geolocating a device Extracting SMS messages Retrieving a victim 's accounts Exfiltrating images Downloading and installing additional applications Searching for and exfiltrating pdf , doc , docx , ppt , pptx , xls , and xlsx file types Retrieving contacts The graph below represents a split of the types of data", "spans": {"Malware: FrozenCell": [[27, 37]]}, "info": {"id": "cyner_mitre_train_02005", "source": "cyner_mitre_train"}} +{"text": "from only one misconfigured command and control server ( out of over 37 servers ) .", "spans": {}, "info": {"id": "cyner_mitre_train_02006", "source": "cyner_mitre_train"}} +{"text": "This is only a small picture of the threat actor 's operations .", "spans": {}, "info": {"id": "cyner_mitre_train_02007", "source": "cyner_mitre_train"}} +{"text": "Split of exfiltrated data Some noteworthy files identified in content taken from compromised devices include passport photos , audio recordings of calls , other images , and a PDF document with data on 484 individuals .", "spans": {}, "info": {"id": "cyner_mitre_train_02008", "source": "cyner_mitre_train"}} +{"text": "The PDF lists dates of birth , gender , passport numbers , and names .", "spans": {}, "info": {"id": "cyner_mitre_train_02009", "source": "cyner_mitre_train"}} +{"text": "Potential targets The actors behind FrozenCell used an online service that geolocates mobile devices based on nearby cell towers to track targets .", "spans": {"Malware: FrozenCell": [[36, 46]]}, "info": {"id": "cyner_mitre_train_02010", 
"source": "cyner_mitre_train"}} +{"text": "This data shows a distinct concentration of infected devices beaconing from Gaza , Palestine .", "spans": {}, "info": {"id": "cyner_mitre_train_02011", "source": "cyner_mitre_train"}} +{"text": "Map of potential targets Early samples of FrozenCell used an online service for storing geolocation information of infected devices .", "spans": {"Malware: FrozenCell": [[42, 52]]}, "info": {"id": "cyner_mitre_train_02012", "source": "cyner_mitre_train"}} +{"text": "Analysis of this telemetry shows infected devices are completely based in Gaza , Palestine .", "spans": {}, "info": {"id": "cyner_mitre_train_02013", "source": "cyner_mitre_train"}} +{"text": "It has not been confirmed whether these are from test devices or the devices of victims .", "spans": {}, "info": {"id": "cyner_mitre_train_02014", "source": "cyner_mitre_train"}} +{"text": "We were also able to link the FrozenCell 's Android infrastructure to numerous desktop samples that are part of the larger multi-platform attack .", "spans": {"Malware: FrozenCell": [[30, 40]], "System: Android": [[44, 51]]}, "info": {"id": "cyner_mitre_train_02015", "source": "cyner_mitre_train"}} +{"text": "It appears the attackers sent malicious executables though phishing campaigns impersonating individuals associated with the Palestinian Security Services , the General Directorate of Civil Defence - Ministry of the Interior , and the 7th Fateh Conference of the Palestinian National Liberation Front ( held in late 2016 ) .", "spans": {"Organization: Palestinian Security Services": [[124, 153]], "Organization: General Directorate of Civil Defence": [[160, 196]], "Organization: Ministry of the Interior": [[199, 223]], "Organization: Palestinian National Liberation Front": [[262, 299]]}, "info": {"id": "cyner_mitre_train_02016", "source": "cyner_mitre_train"}} +{"text": "The titles and contents of these files suggest that the actor targeted individuals affiliated with these government agencies 
and the Fatah political party .", "spans": {"Organization: Fatah": [[133, 138]]}, "info": {"id": "cyner_mitre_train_02017", "source": "cyner_mitre_train"}} +{"text": "Some malicious files associated with these samples were titled the following : Council_of_ministres_decision Minutes of the Geneva Meeting on Troops Summary of today 's meetings.doc.exe The most important points of meeting the memory of the late President Abu Omar may Allah have mercy on him - Paper No .", "spans": {"Indicator: meetings.doc.exe": [[169, 185]]}, "info": {"id": "cyner_mitre_train_02018", "source": "cyner_mitre_train"}} +{"text": "1 Fadi Alsalamin scandal with an Israeli officer - exclusive - watched before the deletion - Fadi Elsalameen The details of the assassination of President Arafat_06-12-2016_docx Quds.rar Many of these executables are associated with various short links created using Bit.ly , a URL shortening service .", "spans": {"Indicator: Quds.rar": [[178, 186]], "System: Bit.ly": [[267, 273]]}, "info": {"id": "cyner_mitre_train_02019", "source": "cyner_mitre_train"}} +{"text": "After analyzing the traffic associated with these short links , we determined that each one was associated with a referral path from mail.mosa.pna.ps .", "spans": {"Indicator: mail.mosa.pna.ps": [[133, 149]]}, "info": {"id": "cyner_mitre_train_02020", "source": "cyner_mitre_train"}} +{"text": "MOSA is the Palestinian Directorate of Social Development whose mandate is to achieve comprehensive development , social security , and economic growth for Palestinian families , according to publicly available information on this ministry .", "spans": {"Organization: MOSA": [[0, 4]]}, "info": {"id": "cyner_mitre_train_02021", "source": "cyner_mitre_train"}} +{"text": "Infrastructure At the time of writing the following domains have either been used by this family or are currently active .", "spans": {}, "info": {"id": "cyner_mitre_train_02022", "source": "cyner_mitre_train"}} +{"text": "We expect this list to 
grow given that this actor has changed its infrastructure numerous times in 2017 .", "spans": {}, "info": {"id": "cyner_mitre_train_02023", "source": "cyner_mitre_train"}} +{"text": "cecilia-gilbert [ .", "spans": {"Indicator: cecilia-gilbert [ .": [[0, 19]]}, "info": {"id": "cyner_mitre_train_02024", "source": "cyner_mitre_train"}} +{"text": "] comgooogel [ .", "spans": {"Indicator: [ .": [[13, 16]]}, "info": {"id": "cyner_mitre_train_02025", "source": "cyner_mitre_train"}} +{"text": "] orgmary-crawley [ .", "spans": {"Indicator: [ .": [[18, 21]]}, "info": {"id": "cyner_mitre_train_02026", "source": "cyner_mitre_train"}} +{"text": "] commydriveweb [ .", "spans": {"Indicator: [ .": [[16, 19]]}, "info": {"id": "cyner_mitre_train_02027", "source": "cyner_mitre_train"}} +{"text": "] comrose-sturat [ .", "spans": {"Indicator: [ .": [[17, 20]]}, "info": {"id": "cyner_mitre_train_02028", "source": "cyner_mitre_train"}} +{"text": "] infokalisi [ .", "spans": {"Indicator: [ .": [[13, 16]]}, "info": {"id": "cyner_mitre_train_02029", "source": "cyner_mitre_train"}} +{"text": "] xyzdebra-morgan [ .", "spans": {"Indicator: [ .": [[18, 21]]}, "info": {"id": "cyner_mitre_train_02030", "source": "cyner_mitre_train"}} +{"text": "] comarnani [ .", "spans": {"Indicator: [ .": [[12, 15]]}, "info": {"id": "cyner_mitre_train_02031", "source": "cyner_mitre_train"}} +{"text": "] infoacount-manager [ .", "spans": {"Indicator: [ .": [[21, 24]]}, "info": {"id": "cyner_mitre_train_02032", "source": "cyner_mitre_train"}} +{"text": "] infogooogel-drive [ .", "spans": {"Indicator: [ .": [[20, 23]]}, "info": {"id": "cyner_mitre_train_02033", "source": "cyner_mitre_train"}} +{"text": "] commediauploader [ .", "spans": {"Indicator: [ .": [[19, 22]]}, "info": {"id": "cyner_mitre_train_02034", "source": "cyner_mitre_train"}} +{"text": "] meacount-manager [ .", "spans": {"Indicator: [ .": [[19, 22]]}, "info": {"id": "cyner_mitre_train_02035", "source": "cyner_mitre_train"}} +{"text": "] netupload404 
[ .", "spans": {"Indicator: [ .": [[15, 18]]}, "info": {"id": "cyner_mitre_train_02036", "source": "cyner_mitre_train"}} +{"text": "] clubupload999 [ .", "spans": {"Indicator: [ .": [[16, 19]]}, "info": {"id": "cyner_mitre_train_02037", "source": "cyner_mitre_train"}} +{"text": "] infoal-amalhumandevelopment [ .", "spans": {"Indicator: [ .": [[30, 33]]}, "info": {"id": "cyner_mitre_train_02038", "source": "cyner_mitre_train"}} +{"text": "] commargaery [ .", "spans": {"Indicator: [ .": [[14, 17]]}, "info": {"id": "cyner_mitre_train_02039", "source": "cyner_mitre_train"}} +{"text": "] coupload202 [ .", "spans": {"Indicator: [ .": [[14, 17]]}, "info": {"id": "cyner_mitre_train_02040", "source": "cyner_mitre_train"}} +{"text": "] comgo-mail-accounts [ .", "spans": {"Indicator: [ .": [[22, 25]]}, "info": {"id": "cyner_mitre_train_02041", "source": "cyner_mitre_train"}} +{"text": "] comupload101 [ .", "spans": {"Indicator: [ .": [[15, 18]]}, "info": {"id": "cyner_mitre_train_02042", "source": "cyner_mitre_train"}} +{"text": "] netsybil-parks [ .", "spans": {}, "info": {"id": "cyner_mitre_train_02043", "source": "cyner_mitre_train"}} +{"text": "] infodavos-seaworth [ .", "spans": {}, "info": {"id": "cyner_mitre_train_02044", "source": "cyner_mitre_train"}} +{"text": "] infoupload999 [ .", "spans": {}, "info": {"id": "cyner_mitre_train_02045", "source": "cyner_mitre_train"}} +{"text": "] orgacount-manager [ .", "spans": {}, "info": {"id": "cyner_mitre_train_02046", "source": "cyner_mitre_train"}} +{"text": "] comlila-tournai [ .", "spans": {}, "info": {"id": "cyner_mitre_train_02047", "source": "cyner_mitre_train"}} +{"text": "] comaccount-manager [ .", "spans": {}, "info": {"id": "cyner_mitre_train_02048", "source": "cyner_mitre_train"}} +{"text": "] orgmediauploader [ .", "spans": {}, "info": {"id": "cyner_mitre_train_02049", "source": "cyner_mitre_train"}} +{"text": "] infokalisi [ .", "spans": {}, "info": {"id": "cyner_mitre_train_02050", "source": 
"cyner_mitre_train"}} +{"text": "] orgaryastark [ .", "spans": {}, "info": {"id": "cyner_mitre_train_02051", "source": "cyner_mitre_train"}} +{"text": "] infomavis-dracula [ .", "spans": {}, "info": {"id": "cyner_mitre_train_02052", "source": "cyner_mitre_train"}} +{"text": "] comkalisi [ .", "spans": {}, "info": {"id": "cyner_mitre_train_02053", "source": "cyner_mitre_train"}} +{"text": "] infogoogle-support-team [ .", "spans": {}, "info": {"id": "cyner_mitre_train_02054", "source": "cyner_mitre_train"}} +{"text": "] com9oo91e [ .", "spans": {}, "info": {"id": "cyner_mitre_train_02055", "source": "cyner_mitre_train"}} +{"text": "] comuseraccount [ .", "spans": {}, "info": {"id": "cyner_mitre_train_02056", "source": "cyner_mitre_train"}} +{"text": "] websiteaccounts-fb [ .", "spans": {"Indicator: websiteaccounts-fb [ .": [[2, 24]]}, "info": {"id": "cyner_mitre_train_02057", "source": "cyner_mitre_train"}} +{"text": "] comakashipro [ .", "spans": {}, "info": {"id": "cyner_mitre_train_02058", "source": "cyner_mitre_train"}} +{"text": "] comfeteh-asefa [ .", "spans": {}, "info": {"id": "cyner_mitre_train_02059", "source": "cyner_mitre_train"}} +{"text": "] comlagertha-lothbrok [ .", "spans": {}, "info": {"id": "cyner_mitre_train_02060", "source": "cyner_mitre_train"}} +{"text": "] info OpSec fails and use of cryptography While looking at this infrastructure , we identified that one of these domains has directory indexing enabled .", "spans": {}, "info": {"id": "cyner_mitre_train_02061", "source": "cyner_mitre_train"}} +{"text": "This mistake in operational security allowed us to gain visibility into exfiltrated content for a number of devices .", "spans": {}, "info": {"id": "cyner_mitre_train_02062", "source": "cyner_mitre_train"}} +{"text": "Continued mirroring suggests it is likely a regularly cleaned staging server .", "spans": {}, "info": {"id": "cyner_mitre_train_02063", "source": "cyner_mitre_train"}} +{"text": "We sourced the over 561MB of exfiltrated data from 
this domain alone , all of which we found to be 7z compressed and password protected .", "spans": {}, "info": {"id": "cyner_mitre_train_02064", "source": "cyner_mitre_train"}} +{"text": "Password generation for compressed files takes place client-side with each device using a unique key in most scenarios .", "spans": {}, "info": {"id": "cyner_mitre_train_02065", "source": "cyner_mitre_train"}} +{"text": "Key information consists of an MD5 hash of the device 's Android ID , the device manufacturer , and the device model with each separated by an underscore .", "spans": {"System: Android": [[57, 64]]}, "info": {"id": "cyner_mitre_train_02066", "source": "cyner_mitre_train"}} +{"text": "Visually , this can be represented as follows : Android ID When combined with our analysis of indexed directories on C2 infrastructure , we were able to easily automate the generation of the password used by each device and , in turn , successfully decompress all exfiltrated content from compromised devices .", "spans": {"System: Android": [[48, 55]]}, "info": {"id": "cyner_mitre_train_02067", "source": "cyner_mitre_train"}} +{"text": "Indexed directories on C2 infrastructure While exfiltrated content is encrypted , information used to generate the password is plainly visible in the top level directories for each device .", "spans": {}, "info": {"id": "cyner_mitre_train_02068", "source": "cyner_mitre_train"}} +{"text": "Taking this information from directory listings , like the one shown above , allowed for the decryption of all content .", "spans": {}, "info": {"id": "cyner_mitre_train_02069", "source": "cyner_mitre_train"}} +{"text": "In this case , FrozenCell has primarily netted the actors behind it with recorded outbound calls followed closely by images and recorded incoming calls .", "spans": {"Malware: FrozenCell": [[15, 25]]}, "info": {"id": "cyner_mitre_train_02070", "source": "cyner_mitre_train"}} +{"text": "FrozenCell is part of a very successful , multi-platform 
surveillance campaign .", "spans": {"Malware: FrozenCell": [[0, 10]]}, "info": {"id": "cyner_mitre_train_02071", "source": "cyner_mitre_train"}} +{"text": "Attackers are growing smarter , targeting individuals through the devices and the services they use most .", "spans": {}, "info": {"id": "cyner_mitre_train_02072", "source": "cyner_mitre_train"}} +{"text": "Government agencies and enterprises should plan to be hit from all angles - cloud services , mobile devices , laptops - in order to build comprehensive security strategies that work .", "spans": {}, "info": {"id": "cyner_mitre_train_02073", "source": "cyner_mitre_train"}} +{"text": "TUESDAY , MAY 19 , 2020 The wolf is back ... NEWS SUMMARY Thai Android devices and users are being targeted by a modified version of DenDroid we are calling \" WolfRAT , '' now targeting messaging apps like WhatsApp , Facebook Messenger and Line .", "spans": {"System: Android": [[63, 70]], "Malware: DenDroid": [[133, 141]], "Malware: WolfRAT": [[159, 166]], "System: WhatsApp": [[206, 214]], "System: Facebook Messenger": [[217, 235]], "System: Line": [[240, 244]]}, "info": {"id": "cyner_mitre_train_02074", "source": "cyner_mitre_train"}} +{"text": "We assess with high confidence that this modified version is operated by the infamous Wolf Research .", "spans": {"Organization: Wolf Research": [[86, 99]]}, "info": {"id": "cyner_mitre_train_02075", "source": "cyner_mitre_train"}} +{"text": "This actor has shown a surprising level of amateur actions , including code overlaps , open-source project copy/paste , classes never being instanced , unstable packages and unsecured panels .", "spans": {}, "info": {"id": "cyner_mitre_train_02076", "source": "cyner_mitre_train"}} +{"text": "EXECUTIVE SUMMARY Cisco Talos has discovered a new Android malware based on a leak of the DenDroid malware family .", "spans": {"Organization: Cisco Talos": [[18, 29]], "Malware: DenDroid": [[90, 98]]}, "info": {"id": "cyner_mitre_train_02077", "source": 
"cyner_mitre_train"}} +{"text": "We named this malware \" WolfRAT '' due to strong links between this malware ( and the command and control ( C2 ) infrastructure ) and Wolf Research , an infamous organization that developed interception and espionage-based malware and was publicly described by CSIS during Virus Bulletin 2018 .", "spans": {"Malware: WolfRAT": [[24, 31]], "Organization: Wolf Research": [[134, 147]]}, "info": {"id": "cyner_mitre_train_02078", "source": "cyner_mitre_train"}} +{"text": "We identified infrastructure overlaps and string references to previous Wolf Research work .", "spans": {"Organization: Wolf Research": [[72, 85]]}, "info": {"id": "cyner_mitre_train_02079", "source": "cyner_mitre_train"}} +{"text": "The organization appears to be shut down , but the threat actors are still very active .", "spans": {}, "info": {"id": "cyner_mitre_train_02080", "source": "cyner_mitre_train"}} +{"text": "We identified campaigns targeting Thai users and their devices .", "spans": {}, "info": {"id": "cyner_mitre_train_02081", "source": "cyner_mitre_train"}} +{"text": "Some of the C2 servers are located in Thailand .", "spans": {}, "info": {"id": "cyner_mitre_train_02082", "source": "cyner_mitre_train"}} +{"text": "The panels also contain Thai JavaScript comments and the domain names also contain references to Thai food , a tactic commonly employed to entice users to click/visit these C2 panels without much disruption .", "spans": {}, "info": {"id": "cyner_mitre_train_02083", "source": "cyner_mitre_train"}} +{"text": "We identified a notable lack of sophistication in this investigation such as copy/paste , unstable code , dead code and panels that are freely open .", "spans": {}, "info": {"id": "cyner_mitre_train_02084", "source": "cyner_mitre_train"}} +{"text": "What 's new ?", "spans": {}, "info": {"id": "cyner_mitre_train_02085", "source": "cyner_mitre_train"}} +{"text": "WolfRAT is based on a previously leaked malware named DenDroid .", "spans": 
{"Malware: WolfRAT": [[0, 7]], "Malware: DenDroid": [[54, 62]]}, "info": {"id": "cyner_mitre_train_02086", "source": "cyner_mitre_train"}} +{"text": "The new malware appears to be linked to the infamous Wolf Research organization and targets Android devices located in Thailand .", "spans": {"Organization: Wolf Research": [[53, 66]], "System: Android": [[92, 99]]}, "info": {"id": "cyner_mitre_train_02087", "source": "cyner_mitre_train"}} +{"text": "How did it work ?", "spans": {}, "info": {"id": "cyner_mitre_train_02088", "source": "cyner_mitre_train"}} +{"text": "The malware mimics legit services such as Google service , GooglePlay or Flash update .", "spans": {"Organization: Google": [[42, 48]], "System: GooglePlay": [[59, 69]], "System: Flash": [[73, 78]]}, "info": {"id": "cyner_mitre_train_02089", "source": "cyner_mitre_train"}} +{"text": "The malware is not really advanced and is based on a lot of copy/paste from public sources available on the Internet .", "spans": {}, "info": {"id": "cyner_mitre_train_02090", "source": "cyner_mitre_train"}} +{"text": "The C2 infrastructure contains a lack of sophistication such as open panels , reuse of old servers publicly tagged as malicious… So what ?", "spans": {}, "info": {"id": "cyner_mitre_train_02091", "source": "cyner_mitre_train"}} +{"text": "After being publicly denounced by CSIS Group — a threat intelligence company in Denmark — Wolf Research was closed and a new organization named LokD was created .", "spans": {"Organization: CSIS Group": [[34, 44]], "Organization: Wolf Research": [[90, 103]], "Organization: LokD": [[144, 148]]}, "info": {"id": "cyner_mitre_train_02092", "source": "cyner_mitre_train"}} +{"text": "This new organization seems to work on securing Android devices .", "spans": {"Organization: Android": [[48, 55]]}, "info": {"id": "cyner_mitre_train_02093", "source": "cyner_mitre_train"}} +{"text": "However , thanks to the infrastructure sharing and forgotten panel names , we assess with high 
confidence that this actor is still active , it is still developing malware and has been using it from mid-June to today .", "spans": {}, "info": {"id": "cyner_mitre_train_02094", "source": "cyner_mitre_train"}} +{"text": "On the C2 panel , we found a potential link between Wolf Research and another Cyprus organization named Coralco Tech .", "spans": {"Organization: Wolf Research": [[52, 65]], "Organization: Coralco Tech": [[104, 116]]}, "info": {"id": "cyner_mitre_train_02095", "source": "cyner_mitre_train"}} +{"text": "This organization is also working on interception technology .", "spans": {}, "info": {"id": "cyner_mitre_train_02096", "source": "cyner_mitre_train"}} +{"text": "LINKS TO WOLF INTELLIGENCE During the Virus Bulletin conference in 2018 , CSIS researchers Benoît Ancel and Aleksejs Kuprins did a presentation on Wolf Research and the offensive arsenal developed by the organization .", "spans": {"Organization: CSIS": [[74, 78]], "Organization: Wolf Research": [[147, 160]]}, "info": {"id": "cyner_mitre_train_02097", "source": "cyner_mitre_train"}} +{"text": "They mentioned an Android , iOS and Windows remote access tool ( RAT ) .", "spans": {"System: Android": [[18, 25]], "System: iOS": [[28, 31]], "System: Windows": [[36, 43]]}, "info": {"id": "cyner_mitre_train_02098", "source": "cyner_mitre_train"}} +{"text": "Their findings showed that Wolf is headquartered in Germany with offices in Cyprus , Bulgaria , Romania , India and ( possibly ) the U.S .", "spans": {}, "info": {"id": "cyner_mitre_train_02099", "source": "cyner_mitre_train"}} +{"text": "The organization was closed after the CSIS presentation .", "spans": {"Organization: CSIS": [[38, 42]]}, "info": {"id": "cyner_mitre_train_02100", "source": "cyner_mitre_train"}} +{"text": "However , the director created a new organization in Cyprus named LokD .", "spans": {"Organization: LokD": [[66, 70]]}, "info": {"id": "cyner_mitre_train_02101", "source": "cyner_mitre_train"}} +{"text": "This new 
organization proposed the creation of a more secure Android phone .", "spans": {"System: Android": [[61, 68]]}, "info": {"id": "cyner_mitre_train_02102", "source": "cyner_mitre_train"}} +{"text": "Based on the organization website , it also proposes services and developed zero-day vulnerabilities to test their own products : Zero-day research from lokd.com We can see that the organization owner still has an interest in Android devices .", "spans": {"Vulnerability: zero-day vulnerabilities": [[76, 100]], "Organization: lokd.com": [[153, 161]], "System: Android": [[226, 233]]}, "info": {"id": "cyner_mitre_train_02103", "source": "cyner_mitre_train"}} +{"text": "Based on infrastructure overlaps and leaked information , we assess with high confidence that the malware we identified and present in this paper is linked to Wolf Research .", "spans": {"Organization: Wolf Research": [[159, 172]]}, "info": {"id": "cyner_mitre_train_02104", "source": "cyner_mitre_train"}} +{"text": "One of the samples ( e19823a1ba4a0e40cf459f4a0489fc257720cc0d71ecfb7ad94b3ca86fbd85d1 ) uses the C2 server svcws [ .", "spans": {"Indicator: e19823a1ba4a0e40cf459f4a0489fc257720cc0d71ecfb7ad94b3ca86fbd85d1": [[21, 85]], "Indicator: svcws [ .": [[107, 116]]}, "info": {"id": "cyner_mitre_train_02105", "source": "cyner_mitre_train"}} +{"text": "] ponethus [ .", "spans": {}, "info": {"id": "cyner_mitre_train_02106", "source": "cyner_mitre_train"}} +{"text": "] com .", "spans": {}, "info": {"id": "cyner_mitre_train_02107", "source": "cyner_mitre_train"}} +{"text": "Based on our research and Benoît Ancel 's tracker , this C2 was used by Wolf Intelligence : Additionally , we identified two empty panels on a C2 server .", "spans": {"Organization: Wolf Intelligence": [[72, 89]]}, "info": {"id": "cyner_mitre_train_02108", "source": "cyner_mitre_train"}} +{"text": "The new one with the title \" Coralco Archimedes , '' and an older version with the title \" Wolf Intelligence : '' New panel Old panel The new 
panel name contains \" Coralco '' in its name .", "spans": {}, "info": {"id": "cyner_mitre_train_02109", "source": "cyner_mitre_train"}} +{"text": "Coralco Tech is an organization located in Cyprus and providing interception tools .", "spans": {"Organization: Coralco Tech": [[0, 12]]}, "info": {"id": "cyner_mitre_train_02110", "source": "cyner_mitre_train"}} +{"text": "We can not say for sure if Wolf Research and Coralco Tech are linked , but this panel name , their offerings and the panel layout would suggest it should be considered suspiciously linked .", "spans": {"Organization: Wolf Research": [[27, 40]], "Organization: Coralco Tech": [[45, 57]]}, "info": {"id": "cyner_mitre_train_02111", "source": "cyner_mitre_train"}} +{"text": "Coralco Tech 's services description .", "spans": {}, "info": {"id": "cyner_mitre_train_02112", "source": "cyner_mitre_train"}} +{"text": "VICTIMOLOGY ON THE IDENTIFIED CAMPAIGNS The campaigns we analyzed targeted Android devices in Thailand .", "spans": {"System: Android": [[75, 82]]}, "info": {"id": "cyner_mitre_train_02113", "source": "cyner_mitre_train"}} +{"text": "The C2 server domain is linked to Thai food : Nampriknum [ .", "spans": {"Indicator: Nampriknum [ .": [[46, 60]]}, "info": {"id": "cyner_mitre_train_02114", "source": "cyner_mitre_train"}} +{"text": "] net : Nam Phrik Num Somtum [ .", "spans": {"Indicator: Somtum [ .": [[22, 32]]}, "info": {"id": "cyner_mitre_train_02115", "source": "cyner_mitre_train"}} +{"text": "] today : Som Tum We also identified comments in Thai on the C2 infrastructure mentioned in the previous chapter : MALWARE DenDroid The Android malware is based on the DenDroid Android malware .", "spans": {"Malware: DenDroid": [[123, 131], [168, 176]], "System: Android": [[136, 143]]}, "info": {"id": "cyner_mitre_train_02116", "source": "cyner_mitre_train"}} +{"text": "Several analysis reports were published on this malware in 2014 and , finally , the source code was leaked in 2015 .", "spans": {}, "info": 
{"id": "cyner_mitre_train_02117", "source": "cyner_mitre_train"}} +{"text": "The original leak is no longer available on github.com , but a copy can be found here .", "spans": {}, "info": {"id": "cyner_mitre_train_02118", "source": "cyner_mitre_train"}} +{"text": "The table below shows the commands available to the operator for tasking on infected devices .", "spans": {}, "info": {"id": "cyner_mitre_train_02119", "source": "cyner_mitre_train"}} +{"text": "This malware is simplistic in comparison to some modern-day Android malware .", "spans": {"System: Android": [[60, 67]]}, "info": {"id": "cyner_mitre_train_02120", "source": "cyner_mitre_train"}} +{"text": "The best example of that is that it does n't take advantage of the accessibility framework , collecting information on non-rooted devices .", "spans": {}, "info": {"id": "cyner_mitre_train_02121", "source": "cyner_mitre_train"}} +{"text": "The commands are self-explanatory and show the features included in the malware .", "spans": {}, "info": {"id": "cyner_mitre_train_02122", "source": "cyner_mitre_train"}} +{"text": "Some of them like takephoto , takevideo , recordaudio , getsentsms and uploadpictures are focused on espionage activities .", "spans": {}, "info": {"id": "cyner_mitre_train_02123", "source": "cyner_mitre_train"}} +{"text": "Others like transferbot , promptupdate and promptuninstall are meant to help the operator manage the malware .", "spans": {}, "info": {"id": "cyner_mitre_train_02124", "source": "cyner_mitre_train"}} +{"text": "Version # 1 : June 2019 — Domain : databit [ .", "spans": {"Indicator: databit [ .": [[35, 46]]}, "info": {"id": "cyner_mitre_train_02125", "source": "cyner_mitre_train"}} +{"text": "] today During our investigation , we identified at least four major releases of the RAT .", "spans": {}, "info": {"id": "cyner_mitre_train_02126", "source": "cyner_mitre_train"}} +{"text": "The permissions on the first version of the malware lay out the foundations of a spying trojan .", 
"spans": {}, "info": {"id": "cyner_mitre_train_02127", "source": "cyner_mitre_train"}} +{"text": "Permissions The package name follows the original style name used on DenDroid .", "spans": {"Malware: DenDroid": [[69, 77]]}, "info": {"id": "cyner_mitre_train_02128", "source": "cyner_mitre_train"}} +{"text": "The code is obfuscated but not packed .", "spans": {}, "info": {"id": "cyner_mitre_train_02129", "source": "cyner_mitre_train"}} +{"text": "This malware also contains a screen recorder .", "spans": {}, "info": {"id": "cyner_mitre_train_02130", "source": "cyner_mitre_train"}} +{"text": "This feature is implemented using another open-source software package that can be found here .", "spans": {}, "info": {"id": "cyner_mitre_train_02131", "source": "cyner_mitre_train"}} +{"text": "The service is implemented in the class com.serenegiant.service.ScreenRecorderService which is declared in the package manifest .", "spans": {"Indicator: com.serenegiant.service.ScreenRecorderService": [[40, 85]]}, "info": {"id": "cyner_mitre_train_02132", "source": "cyner_mitre_train"}} +{"text": "During our analysis of this sample , we did notice that the class itself is never called or used by the malware .", "spans": {}, "info": {"id": "cyner_mitre_train_02133", "source": "cyner_mitre_train"}} +{"text": "It remains available within the source code but no method of use takes place .", "spans": {}, "info": {"id": "cyner_mitre_train_02134", "source": "cyner_mitre_train"}} +{"text": "Version # 2 : June - Aug. 
2019 — Domain : somtum [ .", "spans": {"Indicator: somtum [ .": [[42, 52]]}, "info": {"id": "cyner_mitre_train_02135", "source": "cyner_mitre_train"}} +{"text": "] today This is the first version that shows the code organization evolution that will continue to be used on all other functions throughout this malware .", "spans": {}, "info": {"id": "cyner_mitre_train_02136", "source": "cyner_mitre_train"}} +{"text": "Code structure Obviously , this code is not obfuscated when compared with the previous version it becomes clear that this is the same code base .", "spans": {}, "info": {"id": "cyner_mitre_train_02137", "source": "cyner_mitre_train"}} +{"text": "One of the first changes that stands out is that the screen recording feature mentioned in the previous sample has been removed .", "spans": {}, "info": {"id": "cyner_mitre_train_02138", "source": "cyner_mitre_train"}} +{"text": "A new class was added called com.utils.RestClient .", "spans": {"Indicator: com.utils.RestClient": [[29, 49]]}, "info": {"id": "cyner_mitre_train_02139", "source": "cyner_mitre_train"}} +{"text": "This class is based on public code belonging to the package praeda.muzikmekan , which can be found here among other places .", "spans": {"Indicator: praeda.muzikmekan": [[60, 77]]}, "info": {"id": "cyner_mitre_train_02140", "source": "cyner_mitre_train"}} +{"text": "Just like in previous examples , the malware author does not use this package .", "spans": {}, "info": {"id": "cyner_mitre_train_02141", "source": "cyner_mitre_train"}} +{"text": "Missing permissions The lack of the READ_FRAME_BUFFER permission can be justified by the removal of the screen record feature .", "spans": {}, "info": {"id": "cyner_mitre_train_02142", "source": "cyner_mitre_train"}} +{"text": "The ACCESS_SUPERUSER may have been removed because it was deprecated upon the release of Android 5.0 Lollipop which happened in 2014 .", "spans": {"System: Android 5.0": [[89, 100]], "System: Lollipop": [[101, 109]]}, "info": {"id": 
"cyner_mitre_train_02143", "source": "cyner_mitre_train"}} +{"text": "The reality is that the RAT permissions can be implemented just with the permissions declared on the manifest , thus there is no need for higher permissions .", "spans": {}, "info": {"id": "cyner_mitre_train_02144", "source": "cyner_mitre_train"}} +{"text": "Version # 3 : Sept. - Dec. 2019 — Domain : ponethus [ .", "spans": {"Indicator: ponethus [ .": [[43, 55]]}, "info": {"id": "cyner_mitre_train_02145", "source": "cyner_mitre_train"}} +{"text": "] com Given that there is some overlap in the previous two versions , it came as no surprise to us that we finally identified a sample which is an evolution based on both previous versions .", "spans": {}, "info": {"id": "cyner_mitre_train_02146", "source": "cyner_mitre_train"}} +{"text": "This sample is clearly a mix between the two .", "spans": {}, "info": {"id": "cyner_mitre_train_02147", "source": "cyner_mitre_train"}} +{"text": "This is also the first version where the package name changes into something that a less aware user may be tricked by , com.android.playup .", "spans": {"Indicator: com.android.playup": [[120, 138]]}, "info": {"id": "cyner_mitre_train_02148", "source": "cyner_mitre_train"}} +{"text": "This version brings back the ACCESS_SUPERUSER and READ_FRAME_BUFFER permissions .", "spans": {}, "info": {"id": "cyner_mitre_train_02149", "source": "cyner_mitre_train"}} +{"text": "However , this time , the permission is actually used .", "spans": {}, "info": {"id": "cyner_mitre_train_02150", "source": "cyner_mitre_train"}} +{"text": "WhatsApp message capture The service com.serenegiant.service.ScreenRecorderService , is invoked by the ScreenRecorderActivity .", "spans": {"System: WhatsApp": [[0, 8]], "Indicator: com.serenegiant.service.ScreenRecorderService": [[37, 82]]}, "info": {"id": "cyner_mitre_train_02151", "source": "cyner_mitre_train"}} +{"text": "Upon creation , this activity launches a thread that will loop on a 50-second interval 
.", "spans": {}, "info": {"id": "cyner_mitre_train_02152", "source": "cyner_mitre_train"}} +{"text": "In the first iteration , the screen recording is started and will only stop when the RAT determines that WhatsApp is not running .", "spans": {"System: WhatsApp": [[105, 113]]}, "info": {"id": "cyner_mitre_train_02153", "source": "cyner_mitre_train"}} +{"text": "It 's restarted in the next cycle independently based on if WhatsApp is running .", "spans": {"System: WhatsApp": [[60, 68]]}, "info": {"id": "cyner_mitre_train_02154", "source": "cyner_mitre_train"}} +{"text": "In this version , the developer added more classes from the same package .", "spans": {}, "info": {"id": "cyner_mitre_train_02155", "source": "cyner_mitre_train"}} +{"text": "Even though we could not find indications of being in use , two stand out .", "spans": {}, "info": {"id": "cyner_mitre_train_02156", "source": "cyner_mitre_train"}} +{"text": "Bluetooth — which allows the interaction with the Bluetooth interface , and net/deacon — which implements a beaconing system based on UDP .", "spans": {}, "info": {"id": "cyner_mitre_train_02157", "source": "cyner_mitre_train"}} +{"text": "Android shell A new package was added that allows the execution of commands in the Android shell .", "spans": {"System: Android": [[0, 7], [83, 90]]}, "info": {"id": "cyner_mitre_train_02158", "source": "cyner_mitre_train"}} +{"text": "Again , this package source code is publicly available and can be found here .", "spans": {}, "info": {"id": "cyner_mitre_train_02159", "source": "cyner_mitre_train"}} +{"text": "One of the uses the malware gives to this package is the execution of the command \" dumpsys '' to determine if certain activities are running .", "spans": {}, "info": {"id": "cyner_mitre_train_02160", "source": "cyner_mitre_train"}} +{"text": "Check if chat apps are running In the above example , the malware is searching for Line , Facebook Messenger and WhatsApp activities .", "spans": {"System: Facebook 
Messenger": [[90, 108]], "System: WhatsApp": [[113, 121]]}, "info": {"id": "cyner_mitre_train_02161", "source": "cyner_mitre_train"}} +{"text": "This is part of a class called CaptureService , which already existed in the previous version but it was not duly implemented .", "spans": {}, "info": {"id": "cyner_mitre_train_02162", "source": "cyner_mitre_train"}} +{"text": "Previous version The capture service class implements the chat applications interception .", "spans": {}, "info": {"id": "cyner_mitre_train_02163", "source": "cyner_mitre_train"}} +{"text": "Upon creation the class will start to take screenshots that will be stopped and uploaded to the C2 once the service ca n't find the targeted applications running .", "spans": {}, "info": {"id": "cyner_mitre_train_02164", "source": "cyner_mitre_train"}} +{"text": "The core of this functionality is also based on an open-source project that can be found here .", "spans": {}, "info": {"id": "cyner_mitre_train_02165", "source": "cyner_mitre_train"}} +{"text": "Another novelty is a VPN-related package , which is based on OrbotVPN .", "spans": {"System: OrbotVPN": [[61, 69]]}, "info": {"id": "cyner_mitre_train_02166", "source": "cyner_mitre_train"}} +{"text": "Once again , it does n't seem to actually be in use .", "spans": {}, "info": {"id": "cyner_mitre_train_02167", "source": "cyner_mitre_train"}} +{"text": "The same happens with the package squareup.otto , which is an open-source bus implementation focused on Android implementation .", "spans": {"Indicator: squareup.otto": [[34, 47]], "System: Android": [[104, 111]]}, "info": {"id": "cyner_mitre_train_02168", "source": "cyner_mitre_train"}} +{"text": "Both sources can be found here and here .", "spans": {}, "info": {"id": "cyner_mitre_train_02169", "source": "cyner_mitre_train"}} +{"text": "Version # 4 : April 2020 — Domain : nampriknum.net Following the same pattern , this version has some added features and others , which were not in use , removed .", "spans": 
{"Indicator: nampriknum.net": [[36, 50]]}, "info": {"id": "cyner_mitre_train_02170", "source": "cyner_mitre_train"}} +{"text": "First of all the new package name is com.google.services , which can easily be confused with a legitimate Google service .", "spans": {"Indicator: com.google.services": [[37, 56]], "Organization: Google": [[106, 112]]}, "info": {"id": "cyner_mitre_train_02171", "source": "cyner_mitre_train"}} +{"text": "The VPN package is no longer present , further reinforcing our conclusion that it was not in use .", "spans": {}, "info": {"id": "cyner_mitre_train_02172", "source": "cyner_mitre_train"}} +{"text": "WolfRAT application screen The Google GMS and Firebase service has been added , however , no configuration has been found , even though services seem to be referenced in the of a new class .", "spans": {"Malware: WolfRAT": [[0, 7]], "System: Google GMS": [[31, 41]], "System: Firebase": [[46, 54]]}, "info": {"id": "cyner_mitre_train_02173", "source": "cyner_mitre_train"}} +{"text": "The new class is called NotificationListener and extends the NotificationListenerService class .", "spans": {}, "info": {"id": "cyner_mitre_train_02174", "source": "cyner_mitre_train"}} +{"text": "This would allow the RAT to receive system notifications .", "spans": {}, "info": {"id": "cyner_mitre_train_02175", "source": "cyner_mitre_train"}} +{"text": "Notification handling method The class is only implemented in debug mode , pushing all captured information into the log .", "spans": {}, "info": {"id": "cyner_mitre_train_02176", "source": "cyner_mitre_train"}} +{"text": "The usage of the PlusShare API in 2020 denotes some unprofessional development , since this is the API to access Google+ .", "spans": {"System: PlusShare": [[17, 26]], "Organization: Google+": [[113, 120]]}, "info": {"id": "cyner_mitre_train_02177", "source": "cyner_mitre_train"}} +{"text": "This service , along with the API , was fully decommissioned in March 2019 .", "spans": {}, "info": {"id": 
"cyner_mitre_train_02178", "source": "cyner_mitre_train"}} +{"text": "This version adds one significant class — it requests DEVICE_ADMIN privileges .", "spans": {}, "info": {"id": "cyner_mitre_train_02179", "source": "cyner_mitre_train"}} +{"text": "Device admin policies Looking at the policy 's definition , we can see that it lists all the available policies even if most of them are deprecated on Android 10.0 and their usage results in a security exception .", "spans": {"System: Android 10.0": [[151, 163]]}, "info": {"id": "cyner_mitre_train_02180", "source": "cyner_mitre_train"}} +{"text": "The code implementation again seems that it has been added for testing purposes only .", "spans": {}, "info": {"id": "cyner_mitre_train_02181", "source": "cyner_mitre_train"}} +{"text": "Versions overview The DenDroid code base was kept to such an extent that even the original base64-encoded password was kept .", "spans": {"Malware: DenDroid": [[22, 30]]}, "info": {"id": "cyner_mitre_train_02182", "source": "cyner_mitre_train"}} +{"text": "Original password The main service follows the same structure as the first version , the anti-analysis features are primitive , only checking the emulator environment without any kind of packing or obfuscation .", "spans": {}, "info": {"id": "cyner_mitre_train_02183", "source": "cyner_mitre_train"}} +{"text": "The malware will start the main service if all the requested permissions and the device admin privileges are granted .", "spans": {}, "info": {"id": "cyner_mitre_train_02184", "source": "cyner_mitre_train"}} +{"text": "Otherwise , it will launch an ACTION_APPLICATION_SETTINGS intent trying to trick the user to grant the permissions .", "spans": {}, "info": {"id": "cyner_mitre_train_02185", "source": "cyner_mitre_train"}} +{"text": "Each sample contains a userId hardcoded , meaning that each sample can only be used in a victim .", "spans": {}, "info": {"id": "cyner_mitre_train_02186", "source": "cyner_mitre_train"}} +{"text": "It seems 
, however , if the same victim has more than one device the malware can be reused since the IMEI is sent along with each data exfiltration .", "spans": {}, "info": {"id": "cyner_mitre_train_02187", "source": "cyner_mitre_train"}} +{"text": "It is clear that this RAT is under intense development , however , the addition and removal of packages , along with the huge quantity of unused code and usage of deprecated and old techniques denotes an amateur development methodology .", "spans": {}, "info": {"id": "cyner_mitre_train_02188", "source": "cyner_mitre_train"}} +{"text": "CONCLUSION We witness actors continually using open-source platforms , code and packages to create their own software .", "spans": {}, "info": {"id": "cyner_mitre_train_02189", "source": "cyner_mitre_train"}} +{"text": "Some are carried out well , others , like WolfRAT , are designed with an overload of functionality in mind as opposed to factoring any sensible approach to the development aspect .", "spans": {"Malware: WolfRAT": [[42, 49]]}, "info": {"id": "cyner_mitre_train_02190", "source": "cyner_mitre_train"}} +{"text": "After all , a working product is often more important than a stable product .", "spans": {}, "info": {"id": "cyner_mitre_train_02191", "source": "cyner_mitre_train"}} +{"text": "We watched WolfRAT evolve through various iterations which shows that the actor wanted to ensure functional improvements — perhaps they had deadlines to meet for their customers , but with no thought given to removing old code blocks , classes , etc .", "spans": {"Malware: WolfRAT": [[11, 18]]}, "info": {"id": "cyner_mitre_train_02192", "source": "cyner_mitre_train"}} +{"text": "throughout the Android package .", "spans": {"System: Android": [[15, 22]]}, "info": {"id": "cyner_mitre_train_02193", "source": "cyner_mitre_train"}} +{"text": "WolfRAT is a specifically targeted RAT which we assess to be aimed at Thai individuals and , based on previous work from Wolf Research , most likely used as an 
intelligence-gathering tool or interception tool .", "spans": {"Malware: WolfRAT": [[0, 7]], "Organization: Wolf Research ,": [[121, 136]]}, "info": {"id": "cyner_mitre_train_02194", "source": "cyner_mitre_train"}} +{"text": "This can be packaged and \" sold '' in many different ways to customers .", "spans": {}, "info": {"id": "cyner_mitre_train_02195", "source": "cyner_mitre_train"}} +{"text": "A \" Tracking tool '' or an \" Admin tool '' are often cited for these kinds of tools for \" commercial '' or \" enterprise '' usage .", "spans": {}, "info": {"id": "cyner_mitre_train_02196", "source": "cyner_mitre_train"}} +{"text": "Wolf Research claimed to shut down their operations but we clearly see that their previous work continues under another guise .", "spans": {}, "info": {"id": "cyner_mitre_train_02197", "source": "cyner_mitre_train"}} +{"text": "The ability to carry out these types of intelligence-gathering activities on phones represents a huge score for the operator .", "spans": {}, "info": {"id": "cyner_mitre_train_02198", "source": "cyner_mitre_train"}} +{"text": "The chat details , WhatsApp records , messengers and SMSs of the world carry some sensitive information which people often forget when communicating with their devices .", "spans": {"System: WhatsApp": [[19, 27]]}, "info": {"id": "cyner_mitre_train_02199", "source": "cyner_mitre_train"}} +{"text": "We see WolfRAT specifically targeting a highly popular encrypted chat app in Asia , Line , which suggests that even a careful user with some awareness around end-to-end encryption chats would still be at the mercy of WolfRAT and it 's prying eyes .", "spans": {"Malware: WolfRAT": [[7, 14], [217, 224]], "System: Line": [[84, 88]]}, "info": {"id": "cyner_mitre_train_02200", "source": "cyner_mitre_train"}} +{"text": "IOCS Hashes 139edb1bc033725539b117f50786f3d3362ed45845c57fe1f82e7ed72b044367 e19823a1ba4a0e40cf459f4a0489fc257720cc0d71ecfb7ad94b3ca86fbd85d1 
e19823a1ba4a0e40cf459f4a0489fc257720cc0d71ecfb7ad94b3ca86fbd85d1 e5f346d8f312cc1f93c2c6af611e2f50805c528934786ea173cabc6a39b14cda", "spans": {"Indicator: 139edb1bc033725539b117f50786f3d3362ed45845c57fe1f82e7ed72b044367": [[12, 76]], "Indicator: e19823a1ba4a0e40cf459f4a0489fc257720cc0d71ecfb7ad94b3ca86fbd85d1": [[77, 141], [142, 206]], "Indicator: e5f346d8f312cc1f93c2c6af611e2f50805c528934786ea173cabc6a39b14cda": [[207, 271]]}, "info": {"id": "cyner_mitre_train_02201", "source": "cyner_mitre_train"}} +{"text": "1849a50a6ac9b3eec51492745eeb14765fe2e78488d476b0336d8e41c2c581d4 d328fca14c4340fcd4a15e47562a436085e6b1bb5376b5ebd83d3e7218db64e7 59b9809dba857c5969f23f460a2bf0a337a71622a79671066675ec0acf89c810 120474682ea439eb0b28274c495d9610a73d892a4b8feeff268c670570db97e2", "spans": {"Indicator: 1849a50a6ac9b3eec51492745eeb14765fe2e78488d476b0336d8e41c2c581d4": [[0, 64]], "Indicator: d328fca14c4340fcd4a15e47562a436085e6b1bb5376b5ebd83d3e7218db64e7": [[65, 129]], "Indicator: 59b9809dba857c5969f23f460a2bf0a337a71622a79671066675ec0acf89c810": [[130, 194]], "Indicator: 120474682ea439eb0b28274c495d9610a73d892a4b8feeff268c670570db97e2": [[195, 259]]}, "info": {"id": "cyner_mitre_train_02202", "source": "cyner_mitre_train"}} +{"text": "ed234e61849dcb95223676abe2312e1378d6130c0b00851d82cda545b946ec83 27410d4019251a70d38f0635277f931fb73f67ac9f2e1f3b475ce680ebfde12a 6e6c210535b414c5aa2dd9e67f5153feeb43a8ac8126d8e249e768f501323a3e 4a32ced20df7001da7d29edc31ca76e13eef0c9b355f62c44888853435e9794f", "spans": {"Indicator: ed234e61849dcb95223676abe2312e1378d6130c0b00851d82cda545b946ec83": [[0, 64]], "Indicator: 27410d4019251a70d38f0635277f931fb73f67ac9f2e1f3b475ce680ebfde12a": [[65, 129]], "Indicator: 6e6c210535b414c5aa2dd9e67f5153feeb43a8ac8126d8e249e768f501323a3e": [[130, 194]], "Indicator: 4a32ced20df7001da7d29edc31ca76e13eef0c9b355f62c44888853435e9794f": [[195, 259]]}, "info": {"id": "cyner_mitre_train_02203", "source": "cyner_mitre_train"}} +{"text": 
"ac5abaebd9f516b8b389450f7d27649801d746fb14963b848f9d6dad0a505e66 3a45d7a16937d4108b5b48f44d72bb319be645cbe15f003dc9e77fd52f45c065 Domains cvcws [ .", "spans": {"Indicator: ac5abaebd9f516b8b389450f7d27649801d746fb14963b848f9d6dad0a505e66": [[0, 64]], "Indicator: 3a45d7a16937d4108b5b48f44d72bb319be645cbe15f003dc9e77fd52f45c065": [[65, 129]], "Indicator: cvcws [ .": [[138, 147]]}, "info": {"id": "cyner_mitre_train_02204", "source": "cyner_mitre_train"}} +{"text": "] ponethus [ .", "spans": {}, "info": {"id": "cyner_mitre_train_02205", "source": "cyner_mitre_train"}} +{"text": "] com svc [ .", "spans": {"Indicator: svc [ .": [[6, 13]]}, "info": {"id": "cyner_mitre_train_02206", "source": "cyner_mitre_train"}} +{"text": "] ponethus [ .", "spans": {}, "info": {"id": "cyner_mitre_train_02207", "source": "cyner_mitre_train"}} +{"text": "] com www [ .", "spans": {"Indicator: www [ .": [[6, 13]]}, "info": {"id": "cyner_mitre_train_02208", "source": "cyner_mitre_train"}} +{"text": "] ponethus [ .", "spans": {}, "info": {"id": "cyner_mitre_train_02209", "source": "cyner_mitre_train"}} +{"text": "] com webmail [ .", "spans": {"Indicator: webmail [ .": [[6, 17]]}, "info": {"id": "cyner_mitre_train_02210", "source": "cyner_mitre_train"}} +{"text": "] ponethus [ .", "spans": {}, "info": {"id": "cyner_mitre_train_02211", "source": "cyner_mitre_train"}} +{"text": "] com nampriknum [ .", "spans": {"Indicator: nampriknum [ .": [[6, 20]]}, "info": {"id": "cyner_mitre_train_02212", "source": "cyner_mitre_train"}} +{"text": "] net www [ .", "spans": {"Indicator: www [ .": [[6, 13]]}, "info": {"id": "cyner_mitre_train_02213", "source": "cyner_mitre_train"}} +{"text": "] nampriknum [ .", "spans": {}, "info": {"id": "cyner_mitre_train_02214", "source": "cyner_mitre_train"}} +{"text": "] net svc [ .", "spans": {"Indicator: svc [ .": [[6, 13]]}, "info": {"id": "cyner_mitre_train_02215", "source": "cyner_mitre_train"}} +{"text": "] nampriknum [ .", "spans": {}, "info": {"id": 
"cyner_mitre_train_02216", "source": "cyner_mitre_train"}} +{"text": "] net svcws [ .", "spans": {"Indicator: svcws [ .": [[6, 15]]}, "info": {"id": "cyner_mitre_train_02217", "source": "cyner_mitre_train"}} +{"text": "] nampriknum [ .", "spans": {}, "info": {"id": "cyner_mitre_train_02218", "source": "cyner_mitre_train"}} +{"text": "] net svc [ .", "spans": {"Indicator: svc [ .": [[6, 13]]}, "info": {"id": "cyner_mitre_train_02219", "source": "cyner_mitre_train"}} +{"text": "] somtum [ .", "spans": {}, "info": {"id": "cyner_mitre_train_02220", "source": "cyner_mitre_train"}} +{"text": "] today svcws [ .", "spans": {"Indicator: svcws [ .": [[8, 17]]}, "info": {"id": "cyner_mitre_train_02221", "source": "cyner_mitre_train"}} +{"text": "] somtum [ .", "spans": {}, "info": {"id": "cyner_mitre_train_02222", "source": "cyner_mitre_train"}} +{"text": "] today www [ .", "spans": {"Indicator: www [ .": [[8, 15]]}, "info": {"id": "cyner_mitre_train_02223", "source": "cyner_mitre_train"}} +{"text": "] somtum [ .", "spans": {}, "info": {"id": "cyner_mitre_train_02224", "source": "cyner_mitre_train"}} +{"text": "] today somtum [ .", "spans": {"Indicator: somtum [ .": [[8, 18]]}, "info": {"id": "cyner_mitre_train_02225", "source": "cyner_mitre_train"}} +{"text": "] today shop [ .", "spans": {"Indicator: shop [ .": [[8, 16]]}, "info": {"id": "cyner_mitre_train_02226", "source": "cyner_mitre_train"}} +{"text": "] databit [ .", "spans": {}, "info": {"id": "cyner_mitre_train_02227", "source": "cyner_mitre_train"}} +{"text": "] today svc [ .", "spans": {"Indicator: svc [ .": [[8, 15]]}, "info": {"id": "cyner_mitre_train_02228", "source": "cyner_mitre_train"}} +{"text": "] databit [ .", "spans": {}, "info": {"id": "cyner_mitre_train_02229", "source": "cyner_mitre_train"}} +{"text": "] today test [ .", "spans": {"Indicator: test [ .": [[8, 16]]}, "info": {"id": "cyner_mitre_train_02230", "source": "cyner_mitre_train"}} +{"text": "] databit [ .", "spans": {}, "info": {"id": 
"cyner_mitre_train_02231", "source": "cyner_mitre_train"}} +{"text": "] today www [ .", "spans": {"Indicator: www [ .": [[8, 15]]}, "info": {"id": "cyner_mitre_train_02232", "source": "cyner_mitre_train"}} +{"text": "] databit [ .", "spans": {}, "info": {"id": "cyner_mitre_train_02233", "source": "cyner_mitre_train"}} +{"text": "] today admin [ .databit [ .today cendata [ .", "spans": {"Indicator: admin [ .databit [ .today": [[8, 33]], "Indicator: cendata [ .": [[34, 45]]}, "info": {"id": "cyner_mitre_train_02234", "source": "cyner_mitre_train"}} +{"text": "] today svc [ .", "spans": {"Indicator: svc [ .": [[8, 15]]}, "info": {"id": "cyner_mitre_train_02235", "source": "cyner_mitre_train"}} +{"text": "] cendata [ .", "spans": {}, "info": {"id": "cyner_mitre_train_02236", "source": "cyner_mitre_train"}} +{"text": "] today svcws [ .", "spans": {"Indicator: svcws [ .": [[8, 17]]}, "info": {"id": "cyner_mitre_train_02237", "source": "cyner_mitre_train"}} +{"text": "] cendata [ .", "spans": {}, "info": {"id": "cyner_mitre_train_02238", "source": "cyner_mitre_train"}} +{"text": "] today www [ .", "spans": {"Indicator: www [ .": [[8, 15]]}, "info": {"id": "cyner_mitre_train_02239", "source": "cyner_mitre_train"}} +{"text": "] cendata [ .", "spans": {}, "info": {"id": "cyner_mitre_train_02240", "source": "cyner_mitre_train"}} +{"text": "] today PHA Family Highlights : Zen and its cousins January 11 , 2019 Google Play Protect detects Potentially Harmful Applications ( PHAs ) which Google Play Protect defines as any mobile app that poses a potential security risk to users or to user data—commonly referred to as \" malware .", "spans": {"Malware: Zen": [[32, 35]], "System: Google Play Protect": [[70, 89], [146, 165]]}, "info": {"id": "cyner_mitre_train_02241", "source": "cyner_mitre_train"}} +{"text": "'' in a variety of ways , such as static analysis , dynamic analysis , and machine learning .", "spans": {}, "info": {"id": "cyner_mitre_train_02242", "source": 
"cyner_mitre_train"}} +{"text": "While our systems are great at automatically detecting and protecting against PHAs , we believe the best security comes from the combination of automated scanning and skilled human review .", "spans": {}, "info": {"id": "cyner_mitre_train_02243", "source": "cyner_mitre_train"}} +{"text": "With this blog series we will be sharing our research analysis with the research and broader security community , starting with the PHA family , Zen .", "spans": {"Malware: Zen": [[145, 148]]}, "info": {"id": "cyner_mitre_train_02244", "source": "cyner_mitre_train"}} +{"text": "Zen uses root permissions on a device to automatically enable a service that creates fake Google accounts .", "spans": {"Malware: Zen": [[0, 3]], "Organization: Google": [[90, 96]]}, "info": {"id": "cyner_mitre_train_02245", "source": "cyner_mitre_train"}} +{"text": "These accounts are created by abusing accessibility services .", "spans": {}, "info": {"id": "cyner_mitre_train_02246", "source": "cyner_mitre_train"}} +{"text": "Zen apps gain access to root permissions from a rooting trojan in its infection chain .", "spans": {"Malware: Zen": [[0, 3]]}, "info": {"id": "cyner_mitre_train_02247", "source": "cyner_mitre_train"}} +{"text": "In this blog post , we do not differentiate between the rooting component and the component that abuses root : we refer to them interchangeably as Zen .", "spans": {"Malware: Zen": [[147, 150]]}, "info": {"id": "cyner_mitre_train_02248", "source": "cyner_mitre_train"}} +{"text": "We also describe apps that we think are coming from the same author or a group of authors .", "spans": {}, "info": {"id": "cyner_mitre_train_02249", "source": "cyner_mitre_train"}} +{"text": "All of the PHAs that are mentioned in this blog post were detected and removed by Google Play Protect .", "spans": {"System: Google Play Protect": [[82, 101]]}, "info": {"id": "cyner_mitre_train_02250", "source": "cyner_mitre_train"}} +{"text": "Background Uncovering PHAs takes a 
lot of detective work and unraveling the mystery of how they 're possibly connected to other apps takes even more .", "spans": {}, "info": {"id": "cyner_mitre_train_02251", "source": "cyner_mitre_train"}} +{"text": "PHA authors usually try to hide their tracks , so attribution is difficult .", "spans": {}, "info": {"id": "cyner_mitre_train_02252", "source": "cyner_mitre_train"}} +{"text": "Sometimes , we can attribute different apps to the same author based on a small , unique pieces of evidence that suggest similarity , such as a repetition of an exceptionally rare code snippet , asset , or a particular string in the debug logs .", "spans": {}, "info": {"id": "cyner_mitre_train_02253", "source": "cyner_mitre_train"}} +{"text": "Every once in a while , authors leave behind a trace that allows us to attribute not only similar apps , but also multiple different PHA families to the same group or person .", "spans": {}, "info": {"id": "cyner_mitre_train_02254", "source": "cyner_mitre_train"}} +{"text": "However , the actual timeline of the creation of different variants is unclear .", "spans": {}, "info": {"id": "cyner_mitre_train_02255", "source": "cyner_mitre_train"}} +{"text": "In April 2013 , we saw the first sample , which made heavy use of dynamic code loading ( i.e. 
, fetching executable code from remote sources after the initial app is installed ) .", "spans": {}, "info": {"id": "cyner_mitre_train_02256", "source": "cyner_mitre_train"}} +{"text": "Dynamic code loading makes it impossible to state what kind of PHA it was .", "spans": {}, "info": {"id": "cyner_mitre_train_02257", "source": "cyner_mitre_train"}} +{"text": "This sample displayed ads from various sources .", "spans": {}, "info": {"id": "cyner_mitre_train_02258", "source": "cyner_mitre_train"}} +{"text": "More recent variants blend rooting capabilities and click fraud .", "spans": {}, "info": {"id": "cyner_mitre_train_02259", "source": "cyner_mitre_train"}} +{"text": "As rooting exploits on Android become less prevalent and lucrative , PHA authors adapt their abuse or monetization strategy to focus on tactics like click fraud .", "spans": {"System: Android": [[23, 30]]}, "info": {"id": "cyner_mitre_train_02260", "source": "cyner_mitre_train"}} +{"text": "This post does n't follow the chronological evolution of Zen , but instead covers relevant samples from least to most complex .", "spans": {"Malware: Zen": [[57, 60]]}, "info": {"id": "cyner_mitre_train_02261", "source": "cyner_mitre_train"}} +{"text": "Apps with a custom-made advertisement SDK The simplest PHA from the author 's portfolio used a specially crafted advertisement SDK to create a proxy for all ads-related network traffic .", "spans": {}, "info": {"id": "cyner_mitre_train_02262", "source": "cyner_mitre_train"}} +{"text": "By proxying all requests through a custom server , the real source of ads is opaque .", "spans": {}, "info": {"id": "cyner_mitre_train_02263", "source": "cyner_mitre_train"}} +{"text": "This example shows one possible implementation of this technique .", "spans": {}, "info": {"id": "cyner_mitre_train_02264", "source": "cyner_mitre_train"}} +{"text": "This approach allows the authors to combine ads from third-party advertising networks with ads they created for their own apps .", 
"spans": {}, "info": {"id": "cyner_mitre_train_02265", "source": "cyner_mitre_train"}} +{"text": "It may even allow them to sell ad space directly to application developers .", "spans": {}, "info": {"id": "cyner_mitre_train_02266", "source": "cyner_mitre_train"}} +{"text": "The advertisement SDK also collects statistics about clicks and impressions to make it easier to track revenue .", "spans": {}, "info": {"id": "cyner_mitre_train_02267", "source": "cyner_mitre_train"}} +{"text": "Selling the ad traffic directly or displaying ads from other sources in a very large volume can provide direct profit to the app author from the advertisers .", "spans": {}, "info": {"id": "cyner_mitre_train_02268", "source": "cyner_mitre_train"}} +{"text": "We have seen two types of apps that use this custom-made SDK .", "spans": {}, "info": {"id": "cyner_mitre_train_02269", "source": "cyner_mitre_train"}} +{"text": "The first are games of very low quality that mimic the experience of popular mobile games .", "spans": {}, "info": {"id": "cyner_mitre_train_02270", "source": "cyner_mitre_train"}} +{"text": "While the counterfeit games claim to provide similar functionality to the popular apps , they are simply used to display ads through a custom advertisement SDK .", "spans": {}, "info": {"id": "cyner_mitre_train_02271", "source": "cyner_mitre_train"}} +{"text": "The second type of apps reveals an evolution in the author 's tactics .", "spans": {}, "info": {"id": "cyner_mitre_train_02272", "source": "cyner_mitre_train"}} +{"text": "Instead of implementing very basic gameplay , the authors pirated and repackaged the original game in their app and bundled with it their advertisement SDK .", "spans": {}, "info": {"id": "cyner_mitre_train_02273", "source": "cyner_mitre_train"}} +{"text": "The only noticeable difference is the game has more ads , including ads on the very first screen .", "spans": {}, "info": {"id": "cyner_mitre_train_02274", "source": "cyner_mitre_train"}} +{"text": "In all 
cases , the ads are used to convince users to install other apps from different developer accounts , but written by the same group .", "spans": {}, "info": {"id": "cyner_mitre_train_02275", "source": "cyner_mitre_train"}} +{"text": "Those apps use the same techniques to monetize their actions .", "spans": {}, "info": {"id": "cyner_mitre_train_02276", "source": "cyner_mitre_train"}} +{"text": "Click fraud apps The authors ' tactics evolved from advertisement spam to real PHA ( Click Fraud ) .", "spans": {}, "info": {"id": "cyner_mitre_train_02277", "source": "cyner_mitre_train"}} +{"text": "Click fraud PHAs simulate user clicks on ads instead of simply displaying ads and waiting for users to click them .", "spans": {}, "info": {"id": "cyner_mitre_train_02278", "source": "cyner_mitre_train"}} +{"text": "This allows the PHA authors to monetize their apps more effectively than through regular advertising .", "spans": {}, "info": {"id": "cyner_mitre_train_02279", "source": "cyner_mitre_train"}} +{"text": "This behavior negatively impacts advertisement networks and their clients because advertising budget is spent without acquiring real customers , and impacts user experience by consuming their data plan resources .", "spans": {}, "info": {"id": "cyner_mitre_train_02280", "source": "cyner_mitre_train"}} +{"text": "The click fraud PHA requests a URL to the advertising network directly instead of proxying it through an additional SDK .", "spans": {}, "info": {"id": "cyner_mitre_train_02281", "source": "cyner_mitre_train"}} +{"text": "The command & control server ( C & C server ) returns the URL to click along with a very long list of additional parameters in JSON format .", "spans": {}, "info": {"id": "cyner_mitre_train_02282", "source": "cyner_mitre_train"}} +{"text": "After rendering the ad on the screen , the app tries to identify the part of the advertisement website to click .", "spans": {}, "info": {"id": "cyner_mitre_train_02283", "source": "cyner_mitre_train"}} 
+{"text": "If that part is found , the app loads Javascript snippets from the JSON parameters to click a button or other HTML element , simulating a real user click .", "spans": {}, "info": {"id": "cyner_mitre_train_02284", "source": "cyner_mitre_train"}} +{"text": "Because a user interacting with an ad often leads to a higher chance of the user purchasing something , ad networks often \" pay per click '' to developers who host their ads .", "spans": {}, "info": {"id": "cyner_mitre_train_02285", "source": "cyner_mitre_train"}} +{"text": "Therefore , by simulating fraudulent clicks , these developers are making money without requiring a user to click on an advertisement .", "spans": {}, "info": {"id": "cyner_mitre_train_02286", "source": "cyner_mitre_train"}} +{"text": "This example code shows a JSON reply returned by the C & C server .", "spans": {}, "info": {"id": "cyner_mitre_train_02287", "source": "cyner_mitre_train"}} +{"text": "It has been shortened for brevity .", "spans": {}, "info": {"id": "cyner_mitre_train_02288", "source": "cyner_mitre_train"}} +{"text": "Based on this JSON reply , the app looks for an HTML snippet that corresponds to the active element ( show_hide btnnext ) and , if found , the Javascript snippet tries to perform a click ( ) method on it .", "spans": {}, "info": {"id": "cyner_mitre_train_02289", "source": "cyner_mitre_train"}} +{"text": "Rooting trojans The Zen authors have also created a rooting trojan .", "spans": {"Malware: Zen": [[20, 23]]}, "info": {"id": "cyner_mitre_train_02290", "source": "cyner_mitre_train"}} +{"text": "Using a publicly available rooting framework , the PHA attempts to root devices and gain persistence on them by reinstalling itself on the system partition of rooted device .", "spans": {}, "info": {"id": "cyner_mitre_train_02291", "source": "cyner_mitre_train"}} +{"text": "Installing apps on the system partition makes it harder for the user to remove the app .", "spans": {}, "info": {"id": 
"cyner_mitre_train_02292", "source": "cyner_mitre_train"}} +{"text": "This technique only works for unpatched devices running Android 4.3 or lower .", "spans": {"System: Android 4.3": [[56, 67]]}, "info": {"id": "cyner_mitre_train_02293", "source": "cyner_mitre_train"}} +{"text": "Devices running Android 4.4 and higher are protected by Verified Boot .", "spans": {"System: Android 4.4": [[16, 27]]}, "info": {"id": "cyner_mitre_train_02294", "source": "cyner_mitre_train"}} +{"text": "Zen 's rooting trojan apps target a specific device model with a very specific system image .", "spans": {"Malware: Zen": [[0, 3]]}, "info": {"id": "cyner_mitre_train_02295", "source": "cyner_mitre_train"}} +{"text": "After achieving root access the app tries to replace the framework.jar file on the system partition .", "spans": {"Indicator: framework.jar": [[57, 70]]}, "info": {"id": "cyner_mitre_train_02296", "source": "cyner_mitre_train"}} +{"text": "Replicating framework.jar allows the app to intercept and modify the behavior of the Android standard API .", "spans": {"Indicator: framework.jar": [[12, 25]], "System: Android": [[85, 92]]}, "info": {"id": "cyner_mitre_train_02297", "source": "cyner_mitre_train"}} +{"text": "In particular , these apps try to add an additional method called statistics ( ) into the Activity class .", "spans": {}, "info": {"id": "cyner_mitre_train_02298", "source": "cyner_mitre_train"}} +{"text": "When inserted , this method runs every time any Activity object in any Android app is created .", "spans": {}, "info": {"id": "cyner_mitre_train_02299", "source": "cyner_mitre_train"}} +{"text": "This happens all the time in regular Android apps , as Activity is one of the fundamental Android UI elements .", "spans": {"System: Android": [[37, 44], [90, 97]]}, "info": {"id": "cyner_mitre_train_02300", "source": "cyner_mitre_train"}} +{"text": "The only purpose of this method is to connect to the C & C server .", "spans": {}, "info": {"id": 
"cyner_mitre_train_02301", "source": "cyner_mitre_train"}} +{"text": "The Zen trojan After achieving persistence , the trojan downloads additional payloads , including another trojan called Zen .", "spans": {"Malware: Zen": [[4, 7], [120, 123]]}, "info": {"id": "cyner_mitre_train_02302", "source": "cyner_mitre_train"}} +{"text": "Zen requires root to work correctly on the Android operating system .", "spans": {"Malware: Zen": [[0, 3]], "System: Android": [[43, 50]]}, "info": {"id": "cyner_mitre_train_02303", "source": "cyner_mitre_train"}} +{"text": "The Zen trojan uses its root privileges to turn on accessibility service ( a service used to allow Android users with disabilities to use their devices ) for itself by writing to a system-wide setting value enabled_accessibility_services .", "spans": {"Malware: Zen": [[4, 7]], "System: Android": [[99, 106]]}, "info": {"id": "cyner_mitre_train_02304", "source": "cyner_mitre_train"}} +{"text": "Zen does n't even check for the root privilege : it just assumes it has it .", "spans": {"Malware: Zen": [[0, 3]]}, "info": {"id": "cyner_mitre_train_02305", "source": "cyner_mitre_train"}} +{"text": "This leads us to believe that Zen is just part of a larger infection chain .", "spans": {"Malware: Zen": [[30, 33]]}, "info": {"id": "cyner_mitre_train_02306", "source": "cyner_mitre_train"}} +{"text": "The trojan implements three accessibility services directed at different Android API levels and uses these accessibility services , chosen by checking the operating system version , to create new Google accounts .", "spans": {"System: Android API": [[73, 84]], "Organization: Google": [[196, 202]]}, "info": {"id": "cyner_mitre_train_02307", "source": "cyner_mitre_train"}} +{"text": "This is done by opening the Google account creation process and parsing the current view .", "spans": {"Organization: Google": [[28, 34]]}, "info": {"id": "cyner_mitre_train_02308", "source": "cyner_mitre_train"}} +{"text": "The app then clicks the 
appropriate buttons , scrollbars , and other UI elements to go through account sign-up without user intervention .", "spans": {}, "info": {"id": "cyner_mitre_train_02309", "source": "cyner_mitre_train"}} +{"text": "During the account sign-up process , Google may flag the account creation attempt as suspicious and prompt the app to solve a CAPTCHA .", "spans": {"Organization: Google": [[37, 43]]}, "info": {"id": "cyner_mitre_train_02310", "source": "cyner_mitre_train"}} +{"text": "To get around this , the app then uses its root privilege to inject code into the Setup Wizard , extract the CAPTCHA image , and sends it to a remote server to try to solve the CAPTCHA .", "spans": {}, "info": {"id": "cyner_mitre_train_02311", "source": "cyner_mitre_train"}} +{"text": "It is unclear if the remote server is capable of solving the CAPTCHA image automatically or if this is done manually by a human in the background .", "spans": {}, "info": {"id": "cyner_mitre_train_02312", "source": "cyner_mitre_train"}} +{"text": "After the server returns the solution , the app enters it into the appropriate text field to complete the CAPTCHA challenge .", "spans": {}, "info": {"id": "cyner_mitre_train_02313", "source": "cyner_mitre_train"}} +{"text": "The Zen trojan does not implement any kind of obfuscation except for one string that is encoded using Base64 encoding .", "spans": {"Malware: Zen": [[4, 7]]}, "info": {"id": "cyner_mitre_train_02314", "source": "cyner_mitre_train"}} +{"text": "It 's one of the strings - \" How you 'll sign in '' - that it looks for during the account creation process .", "spans": {}, "info": {"id": "cyner_mitre_train_02315", "source": "cyner_mitre_train"}} +{"text": "The code snippet below shows part of the screen parsing process .", "spans": {}, "info": {"id": "cyner_mitre_train_02316", "source": "cyner_mitre_train"}} +{"text": "Apart from injecting code to read the CAPTCHA , the app also injects its own code into the system_server process , which requires 
root privileges .", "spans": {}, "info": {"id": "cyner_mitre_train_02317", "source": "cyner_mitre_train"}} +{"text": "This indicates that the app tries to hide itself from any anti-PHA systems that look for a specific app process name or does not have the ability to scan the memory of the system_server process .", "spans": {}, "info": {"id": "cyner_mitre_train_02318", "source": "cyner_mitre_train"}} +{"text": "The app also creates hooks to prevent the phone from rebooting , going to sleep or allowing the user from pressing hardware buttons during the account creation process .", "spans": {}, "info": {"id": "cyner_mitre_train_02319", "source": "cyner_mitre_train"}} +{"text": "These hooks are created using the root access and a custom native code called Lmt_INJECT , although the algorithm for this is well known .", "spans": {}, "info": {"id": "cyner_mitre_train_02320", "source": "cyner_mitre_train"}} +{"text": "First , the app has to turn off SELinux protection .", "spans": {"System: SELinux": [[32, 39]]}, "info": {"id": "cyner_mitre_train_02321", "source": "cyner_mitre_train"}} +{"text": "Then the app finds a process id value for the process it wants to inject with code .", "spans": {}, "info": {"id": "cyner_mitre_train_02322", "source": "cyner_mitre_train"}} +{"text": "This is done using a series of syscalls as outlined below .", "spans": {}, "info": {"id": "cyner_mitre_train_02323", "source": "cyner_mitre_train"}} +{"text": "The \" source process '' refers to the Zen trojan running as root , while the \" target process '' refers to the process to which the code is injected and [ pid ] refers to the target process pid value .", "spans": {"Malware: Zen": [[38, 41]]}, "info": {"id": "cyner_mitre_train_02324", "source": "cyner_mitre_train"}} +{"text": "The source process checks the mapping between a process id and a process name .", "spans": {}, "info": {"id": "cyner_mitre_train_02325", "source": "cyner_mitre_train"}} +{"text": "This is done by reading the /proc/ [ 
pid ] /cmdline file .", "spans": {"Indicator: /proc/ [ pid ] /cmdline": [[28, 51]]}, "info": {"id": "cyner_mitre_train_02326", "source": "cyner_mitre_train"}} +{"text": "This very first step fails in Android 7.0 and higher , even with a root permission .", "spans": {"System: Android 7.0": [[30, 41]]}, "info": {"id": "cyner_mitre_train_02327", "source": "cyner_mitre_train"}} +{"text": "The /proc filesystem is now mounted with a hidepid=2 parameter , which means that the process can not access other process /proc/ [ pid ] directory .", "spans": {"Indicator: /proc": [[4, 9]], "Indicator: /proc/ [ pid ]": [[123, 137]]}, "info": {"id": "cyner_mitre_train_02328", "source": "cyner_mitre_train"}} +{"text": "A ptrace_attach syscall is called .", "spans": {}, "info": {"id": "cyner_mitre_train_02329", "source": "cyner_mitre_train"}} +{"text": "This allows the source process to trace the target .", "spans": {}, "info": {"id": "cyner_mitre_train_02330", "source": "cyner_mitre_train"}} +{"text": "The source process looks at its own memory to calculate the offset between the beginning of the libc library and the mmap address .", "spans": {}, "info": {"id": "cyner_mitre_train_02331", "source": "cyner_mitre_train"}} +{"text": "The source process reads /proc/ [ pid ] /maps to find where libc is located in the target process memory .", "spans": {"Indicator: /proc/ [ pid ] /maps": [[25, 45]]}, "info": {"id": "cyner_mitre_train_02332", "source": "cyner_mitre_train"}} +{"text": "By adding the previously calculated offset , it can get the address of the mmap function in the target process memory .", "spans": {}, "info": {"id": "cyner_mitre_train_02333", "source": "cyner_mitre_train"}} +{"text": "The source process tries to determine the location of dlopen , dlsym , and dlclose functions in the target process .", "spans": {}, "info": {"id": "cyner_mitre_train_02334", "source": "cyner_mitre_train"}} +{"text": "It uses the same technique as it used to determine the offset to the mmap 
function .", "spans": {}, "info": {"id": "cyner_mitre_train_02335", "source": "cyner_mitre_train"}} +{"text": "The source process writes the native shellcode into the memory region allocated by mmap .", "spans": {}, "info": {"id": "cyner_mitre_train_02336", "source": "cyner_mitre_train"}} +{"text": "Additionally , it also writes addresses of dlopen , dlsym , and dlclose into the same region , so that they can be used by the shellcode .", "spans": {}, "info": {"id": "cyner_mitre_train_02337", "source": "cyner_mitre_train"}} +{"text": "Shellcode simply uses dlopen to open a .so file within the target process and then dlsym to find a symbol in that file and run it .", "spans": {"Organization: symbol": [[99, 105]]}, "info": {"id": "cyner_mitre_train_02338", "source": "cyner_mitre_train"}} +{"text": "The source process changes the registers in the target process so that PC register points directly to the shellcode .", "spans": {}, "info": {"id": "cyner_mitre_train_02339", "source": "cyner_mitre_train"}} +{"text": "This is done using the ptrace syscall .", "spans": {}, "info": {"id": "cyner_mitre_train_02340", "source": "cyner_mitre_train"}} +{"text": "This diagram illustrates the whole process .", "spans": {}, "info": {"id": "cyner_mitre_train_02341", "source": "cyner_mitre_train"}} +{"text": "Summary PHA authors go to great lengths to come up with increasingly clever ways to monetize their apps .", "spans": {}, "info": {"id": "cyner_mitre_train_02342", "source": "cyner_mitre_train"}} +{"text": "Zen family PHA authors exhibit a wide range of techniques , from simply inserting an advertising SDK to a sophisticated trojan .", "spans": {"Malware: Zen": [[0, 3]]}, "info": {"id": "cyner_mitre_train_02343", "source": "cyner_mitre_train"}} +{"text": "The app that resulted in the largest number of affected users was the click fraud version , which was installed over 170,000 times at its peak in February 2018 .", "spans": {}, "info": {"id": "cyner_mitre_train_02344", "source": 
"cyner_mitre_train"}} +{"text": "The most affected countries were India , Brazil , and Indonesia .", "spans": {}, "info": {"id": "cyner_mitre_train_02345", "source": "cyner_mitre_train"}} +{"text": "In most cases , these click fraud apps were uninstalled by the users , probably due to the low quality of the apps .", "spans": {}, "info": {"id": "cyner_mitre_train_02346", "source": "cyner_mitre_train"}} +{"text": "If Google Play Protect detects one of these apps , Google Play Protect will show a warning to users .", "spans": {"System: Google Play Protect": [[3, 22], [51, 70]]}, "info": {"id": "cyner_mitre_train_02347", "source": "cyner_mitre_train"}} +{"text": "We are constantly on the lookout for new threats and we are expanding our protections .", "spans": {}, "info": {"id": "cyner_mitre_train_02348", "source": "cyner_mitre_train"}} +{"text": "Every device with Google Play includes Google Play Protect and all apps on Google Play are automatically and periodically scanned by our solutions .", "spans": {"System: Google Play": [[18, 29], [75, 86]], "System: Google Play Protect": [[39, 58]]}, "info": {"id": "cyner_mitre_train_02349", "source": "cyner_mitre_train"}} +{"text": "You can check the status of Google Play Protect on your device : Open your Android device 's Google Play Store app .", "spans": {"System: Google Play Protect": [[28, 47]], "System: Google Play Store": [[93, 110]]}, "info": {"id": "cyner_mitre_train_02350", "source": "cyner_mitre_train"}} +{"text": "Tap Menu > Play Protect .", "spans": {}, "info": {"id": "cyner_mitre_train_02351", "source": "cyner_mitre_train"}} +{"text": "Look for information about the status of your device .", "spans": {}, "info": {"id": "cyner_mitre_train_02352", "source": "cyner_mitre_train"}} +{"text": "Hashes of samples Type Package name SHA256 digest Custom ads com.targetshoot.zombieapocalypse.sniper.zombieshootinggame 5d98d8a7a012a858f0fa4cf8d2ed3d5a82937b1a98ea2703d440307c63c6c928 Click fraud 
com.counterterrorist.cs.elite.combat.shootinggame 84672fb2f228ec749d3c3c1cb168a1c31f544970fd29136bea2a5b2cefac6d04", "spans": {"Indicator: com.targetshoot.zombieapocalypse.sniper.zombieshootinggame": [[61, 119]], "Indicator: 5d98d8a7a012a858f0fa4cf8d2ed3d5a82937b1a98ea2703d440307c63c6c928": [[120, 184]], "Indicator: com.counterterrorist.cs.elite.combat.shootinggame": [[197, 246]], "Indicator: 84672fb2f228ec749d3c3c1cb168a1c31f544970fd29136bea2a5b2cefac6d04": [[247, 311]]}, "info": {"id": "cyner_mitre_train_02353", "source": "cyner_mitre_train"}} +{"text": "Rooting trojan com.android.world.news bd233c1f5c477b0cc15d7f84392dab3a7a598243efa3154304327ff4580ae213 Zen trojan com.lmt.register eb12cd65589cbc6f9d3563576c304273cb6a78072b0c20a155a0951370476d8d Mobile Campaign ‘ Bouncing Golf ’ Affects Middle East We uncovered a cyberespionage campaign targeting Middle", "spans": {"Indicator: bd233c1f5c477b0cc15d7f84392dab3a7a598243efa3154304327ff4580ae213": [[38, 102]], "Malware: Zen": [[103, 106]], "Indicator: com.lmt.register": [[114, 130]], "Indicator: eb12cd65589cbc6f9d3563576c304273cb6a78072b0c20a155a0951370476d8d": [[131, 195]], "Malware: Bouncing Golf": [[214, 227]]}, "info": {"id": "cyner_mitre_train_02354", "source": "cyner_mitre_train"}} +{"text": "Eastern countries .", "spans": {}, "info": {"id": "cyner_mitre_train_02355", "source": "cyner_mitre_train"}} +{"text": "We named this campaign “ Bouncing Golf ” based on the malware ’ s code in the package named “ golf. ” June 18 , 2019 We uncovered a cyberespionage campaign targeting Middle Eastern countries .", "spans": {"Malware: Bouncing Golf": [[25, 38]]}, "info": {"id": "cyner_mitre_train_02356", "source": "cyner_mitre_train"}} +{"text": "We named this campaign “ Bouncing Golf ” based on the malware ’ s code in the package named “ golf. 
” The malware involved , which Trend Micro detects as AndroidOS_GolfSpy.HRX , is notable for its wide range of cyberespionage capabilities .", "spans": {"Malware: Bouncing Golf": [[25, 38]], "Organization: Trend Micro": [[131, 142]], "Malware: AndroidOS_GolfSpy.HRX": [[154, 175]]}, "info": {"id": "cyner_mitre_train_02357", "source": "cyner_mitre_train"}} +{"text": "Malicious codes are embedded in apps that the operators repackaged from legitimate applications .", "spans": {}, "info": {"id": "cyner_mitre_train_02358", "source": "cyner_mitre_train"}} +{"text": "Monitoring the command and control ( C & C ) servers used by Bouncing Golf , we ’ ve so far observed more than 660 Android devices infected with GolfSpy .", "spans": {"Malware: Bouncing Golf": [[61, 74]], "System: Android": [[115, 122]], "Malware: GolfSpy": [[145, 152]]}, "info": {"id": "cyner_mitre_train_02359", "source": "cyner_mitre_train"}} +{"text": "Much of the information being stolen appear to be military-related .", "spans": {}, "info": {"id": "cyner_mitre_train_02360", "source": "cyner_mitre_train"}} +{"text": "The campaign ’ s attack vector is also interesting .", "spans": {}, "info": {"id": "cyner_mitre_train_02361", "source": "cyner_mitre_train"}} +{"text": "These repackaged , malware-laden apps are neither on Google Play nor popular third-party app marketplaces , and we only saw the website hosting the malicious apps being promoted on social media when we followed GolfSpy ’ s trail .", "spans": {"System: Google Play": [[53, 64]], "Malware: GolfSpy": [[211, 218]]}, "info": {"id": "cyner_mitre_train_02362", "source": "cyner_mitre_train"}} +{"text": "We were also able to analyze some GolfSpy samples sourced from the Trend Micro mobile app reputation service .", "spans": {"Malware: GolfSpy": [[34, 41]], "Organization: Trend Micro": [[67, 78]]}, "info": {"id": "cyner_mitre_train_02363", "source": "cyner_mitre_train"}} +{"text": "Also of note is Bouncing Golf ’ s possible connection to a previously 
reported mobile cyberespionage campaign that researchers named Domestic Kitten .", "spans": {"Malware: Bouncing Golf": [[16, 29]], "Malware: Domestic Kitten": [[133, 148]]}, "info": {"id": "cyner_mitre_train_02364", "source": "cyner_mitre_train"}} +{"text": "The strings of code , for one , are similarly structured .", "spans": {}, "info": {"id": "cyner_mitre_train_02365", "source": "cyner_mitre_train"}} +{"text": "The data targeted for theft also have similar formats .", "spans": {}, "info": {"id": "cyner_mitre_train_02366", "source": "cyner_mitre_train"}} +{"text": "Figure 1 .", "spans": {}, "info": {"id": "cyner_mitre_train_02367", "source": "cyner_mitre_train"}} +{"text": "GolfSpy ’ s infection chain GolfSpy 's Potential Impact Given GolfSpy ’ s information-stealing capabilities , this malware can effectively hijack an infected Android device .", "spans": {"Malware: GolfSpy": [[0, 7], [28, 35], [62, 69]], "System: Android": [[158, 165]]}, "info": {"id": "cyner_mitre_train_02368", "source": "cyner_mitre_train"}} +{"text": "Here is a list of information that GolfSpy steals : Device accounts List of applications installed in the device Device ’ s current running processes Battery status Bookmarks/Histories of the device ’ s default browser Call logs and records Clipboard contents Contacts , including those in VCard format Mobile operator information Files stored on SDcard Device location List of image , audio , and video files stored on the device Storage and memory information Connection information Sensor information SMS messages Pictures GolfSpy also has a function that lets it connect to a remote server to fetch and perform commands", "spans": {"Malware: GolfSpy": [[35, 42], [526, 533]]}, "info": {"id": "cyner_mitre_train_02369", "source": "cyner_mitre_train"}} +{"text": ", including : searching for , listing , deleting , and renaming files as well as downloading a file into and retrieving a file from the device ; taking screenshots ; installing other 
application packages ( APK ) ; recording audio and video ; and updating the malware .", "spans": {}, "info": {"id": "cyner_mitre_train_02370", "source": "cyner_mitre_train"}} +{"text": "Technical Analysis The repackaged applications are embedded with malicious code , which can be found in the com.golf package .", "spans": {"Indicator: com.golf": [[108, 116]]}, "info": {"id": "cyner_mitre_train_02371", "source": "cyner_mitre_train"}} +{"text": "These repackaged apps pose as communication , news , lifestyle , book , and reference apps popularly used in the Middle East .", "spans": {}, "info": {"id": "cyner_mitre_train_02372", "source": "cyner_mitre_train"}} +{"text": "The GolfSpy malware embedded in the apps is hardcoded with an internal name used by the attacker .", "spans": {"Malware: GolfSpy": [[4, 11]]}, "info": {"id": "cyner_mitre_train_02373", "source": "cyner_mitre_train"}} +{"text": "Figure 2 .", "spans": {}, "info": {"id": "cyner_mitre_train_02374", "source": "cyner_mitre_train"}} +{"text": "Icons of the apps that Bouncing Golf ’ s operators repackaged ( top ) and a comparison of packages between the original legitimate app ( bottom left ) and GolfSpy ( bottom right ) Figure 3 .", "spans": {"Malware: Bouncing Golf": [[23, 36]], "Malware: GolfSpy": [[155, 162]]}, "info": {"id": "cyner_mitre_train_02375", "source": "cyner_mitre_train"}} +{"text": "GolfSpy ’ s configurations encoded by a custom algorithm ( right ) and its decoded version ( left ) As shown in Figure 3 , GolfSpy ’ s configurations ( e.g. 
, C & C server , secret keys ) are encoded by a customized algorithm .", "spans": {"Malware: GolfSpy": [[0, 7], [123, 130]]}, "info": {"id": "cyner_mitre_train_02376", "source": "cyner_mitre_train"}} +{"text": "After it is launched , GolfSpy will generate a unique ID for the affected device and then collect its data such as SMS , contact list , location , and accounts in this format : “ % , [ ] , time ” ( shown in Figure 4 ) .", "spans": {"Malware: GolfSpy": [[23, 30]]}, "info": {"id": "cyner_mitre_train_02377", "source": "cyner_mitre_train"}} +{"text": "The information is written into a file on the device .", "spans": {}, "info": {"id": "cyner_mitre_train_02378", "source": "cyner_mitre_train"}} +{"text": "The attacker can choose the data types to collect , which are written in a certain format .", "spans": {}, "info": {"id": "cyner_mitre_train_02379", "source": "cyner_mitre_train"}} +{"text": "Figure 4 .", "spans": {}, "info": {"id": "cyner_mitre_train_02380", "source": "cyner_mitre_train"}} +{"text": "Code snippet showing GolfSpy generating UUID The value of % is in the range of 1-9 or a-j .", "spans": {"Malware: GolfSpy": [[21, 28]]}, "info": {"id": "cyner_mitre_train_02381", "source": "cyner_mitre_train"}} +{"text": "Each value represents a different type of data to steal from the device : Value Data Type 1 Accounts 2 Installed APP list 3 Running processes list 4 Battery status 5 Browser bookmarks and histories 6 Call logs 7 Clipboard 8 Contacts 9 Mobile operator information a File list on SD card b Location c Image list d Audio list e Video list f Storage and memory information g Connection information h Sensors information i SMS messages j VCard format contacts Table 1 .", "spans": {}, "info": {"id": "cyner_mitre_train_02382", "source": "cyner_mitre_train"}} +{"text": "The type of data corresponding to the value coded in GolfSpy Figure 5 shows the code snippets that are involved in monitoring and recording the device ’ s phone call .", "spans": {"Malware: 
GolfSpy": [[53, 60]]}, "info": {"id": "cyner_mitre_train_02383", "source": "cyner_mitre_train"}} +{"text": "It will also take a photo using the device ’ s front camera when the user wakes the device .", "spans": {}, "info": {"id": "cyner_mitre_train_02384", "source": "cyner_mitre_train"}} +{"text": "Apart from collecting the above data , the spyware monitors users ’ phone calls , records them , and saves the recorded file on the device .", "spans": {}, "info": {"id": "cyner_mitre_train_02385", "source": "cyner_mitre_train"}} +{"text": "GolfSpy encrypts all the stolen data using a simple XOR operation with a pre-configured key before sending it to the C & C server using the HTTP POST method .", "spans": {"Malware: GolfSpy": [[0, 7]]}, "info": {"id": "cyner_mitre_train_02386", "source": "cyner_mitre_train"}} +{"text": "Figure 5 .", "spans": {}, "info": {"id": "cyner_mitre_train_02387", "source": "cyner_mitre_train"}} +{"text": "Code snippets showing how GolfSpy monitors phone calls via register receiver ( top left ) , its actions when the device is woken up ( top right ) , and how it encrypts the stolen data ( bottom ) The malware retrieves commands from the C & C server via HTTP , and attackers can steal specific files on the infected device .", "spans": {"Malware: GolfSpy": [[26, 33]]}, "info": {"id": "cyner_mitre_train_02388", "source": "cyner_mitre_train"}} +{"text": "The command is a constructed string split into three parts using \" \" as a separator .", "spans": {}, "info": {"id": "cyner_mitre_train_02389", "source": "cyner_mitre_train"}} +{"text": "The first part is the target directory , the second is a regular expression used to match specific files , while the last part is an ID .", "spans": {}, "info": {"id": "cyner_mitre_train_02390", "source": "cyner_mitre_train"}} +{"text": "Figure 6 .", "spans": {}, "info": {"id": "cyner_mitre_train_02391", "source": "cyner_mitre_train"}} +{"text": "Example of a command that steals specific files from an infected 
device ’ s application ( top ) , and GolfSpy ’ s parse-and-perform command ( bottom ) Apart from the HTTP POST method , GolfSpy also creates a socket connection to the remote C & C server in order to receive and perform additional commands .", "spans": {"Malware: GolfSpy": [[102, 109], [185, 192]]}, "info": {"id": "cyner_mitre_train_02392", "source": "cyner_mitre_train"}} +{"text": "Stolen data will also be encrypted and sent to the C & C server via the socket connection .", "spans": {}, "info": {"id": "cyner_mitre_train_02393", "source": "cyner_mitre_train"}} +{"text": "The encryption key is different from the one used for sending stolen data via HTTP .", "spans": {}, "info": {"id": "cyner_mitre_train_02394", "source": "cyner_mitre_train"}} +{"text": "Figure 7 .", "spans": {}, "info": {"id": "cyner_mitre_train_02395", "source": "cyner_mitre_train"}} +{"text": "The additional commands that attackers can carry out via a socket connection ( top ) and the key used to encrypt the stolen data ( bottom ) Correlating Bouncing Golf 's Activities We monitored Bouncing Golf ’ s C & C-related activities and saw that the campaign has affected more than 660 devices as of this writing .", "spans": {"Malware: Bouncing Golf": [[152, 165], [193, 206]]}, "info": {"id": "cyner_mitre_train_02396", "source": "cyner_mitre_train"}} +{"text": "The small or limited number is understandable given the nature of this campaign , but we also expect it to increase or even diversify in terms of distribution .", "spans": {}, "info": {"id": "cyner_mitre_train_02397", "source": "cyner_mitre_train"}} +{"text": "Most of the affected devices were located in the Middle East , and many of the stolen data we saw is military-related ( e.g. 
, images , documents ) .", "spans": {}, "info": {"id": "cyner_mitre_train_02398", "source": "cyner_mitre_train"}} +{"text": "Bouncing Golf ’ s operators also try to cover their tracks .", "spans": {"Malware: Bouncing Golf": [[0, 13]]}, "info": {"id": "cyner_mitre_train_02399", "source": "cyner_mitre_train"}} +{"text": "The registrant contact details of the C & C domains used in the campaign , for instance , were masked .", "spans": {}, "info": {"id": "cyner_mitre_train_02400", "source": "cyner_mitre_train"}} +{"text": "The C & C server IP addresses used also appear to be disparate , as they were located in many European countries like Russia , France , Holland , and Germany .", "spans": {}, "info": {"id": "cyner_mitre_train_02401", "source": "cyner_mitre_train"}} +{"text": "It ’ s not a definite correlation , but Bouncing Golf also seems to have a connection with Domestic Kitten due to similarities we found in their code .", "spans": {"Malware: Bouncing Golf": [[40, 53]], "Malware: Domestic Kitten": [[91, 106]]}, "info": {"id": "cyner_mitre_train_02402", "source": "cyner_mitre_train"}} +{"text": "For example , the Android malware that both deploy share the same strings of code for their decoding algorithm .", "spans": {"System: Android": [[18, 25]]}, "info": {"id": "cyner_mitre_train_02403", "source": "cyner_mitre_train"}} +{"text": "The data that Domestic Kitten steals follows a similar format with Bouncing Golf ’ s , with each type of data having a unique identifying character .", "spans": {"Malware: Domestic Kitten": [[14, 29]], "Malware: Bouncing Golf": [[67, 80]]}, "info": {"id": "cyner_mitre_train_02404", "source": "cyner_mitre_train"}} +{"text": "It ’ s also worth noting that both campaigns repackage apps that are commonly used in their target ’ s countries , such as Telegram , Kik , and Plus messaging apps .", "spans": {"System: Telegram": [[123, 131]], "System: Kik": [[134, 137]], "System: Plus": [[144, 148]]}, "info": {"id": "cyner_mitre_train_02405", 
"source": "cyner_mitre_train"}} +{"text": "Figure 8 .", "spans": {}, "info": {"id": "cyner_mitre_train_02406", "source": "cyner_mitre_train"}} +{"text": "Code snippets showing : the decoding algorithm shared by both Bouncing Golf and Domestic Kitten ( top ) , the format of data that Domestic Kitten ’ s malware targets to steal ( center ) , and how both Bouncing Golf ( bottom left ) and Domestic Kitten ( bottom right ) use \" \" as a separator in their command strings .", "spans": {"Malware: Bouncing Golf": [[62, 75], [201, 214]], "Malware: Domestic Kitten": [[80, 95], [130, 145], [235, 250]]}, "info": {"id": "cyner_mitre_train_02407", "source": "cyner_mitre_train"}} +{"text": "As we ’ ve seen in last year ’ s mobile threat landscape , we expect more cyberespionage campaigns targeting the mobile platform given its ubiquity , employing tried-and-tested techniques to lure unwitting users .", "spans": {}, "info": {"id": "cyner_mitre_train_02408", "source": "cyner_mitre_train"}} +{"text": "The extent of information that these kinds of threats can steal is also significant , as it lets attackers virtually take over a compromised device .", "spans": {}, "info": {"id": "cyner_mitre_train_02409", "source": "cyner_mitre_train"}} +{"text": "Users should adopt best practices , while organizations should ensure that they balance the need for mobility and the importance of security .", "spans": {}, "info": {"id": "cyner_mitre_train_02410", "source": "cyner_mitre_train"}} +{"text": "End users and enterprises can also benefit from multilayered mobile security solutions such as Trend Micro™ Mobile Security™ .", "spans": {"Organization: Trend Micro™": [[95, 107]]}, "info": {"id": "cyner_mitre_train_02411", "source": "cyner_mitre_train"}} +{"text": "Trend Micro™ Mobile Security for Enterprise provides device , compliance and application management , data protection , and configuration provisioning , as well as protects devices from attacks that exploit vulnerabilities , preventing 
unauthorized access to apps , and detecting and blocking malware and fraudulent websites .", "spans": {"Organization: Trend Micro™": [[0, 12]], "System: Mobile Security for Enterprise": [[13, 43]]}, "info": {"id": "cyner_mitre_train_02412", "source": "cyner_mitre_train"}} +{"text": "Trend Micro ’ s Mobile App Reputation Service ( MARS ) covers Android and iOS threats using leading sandbox and machine learning technologies , protecting devices against malware , zero-day and known exploits , privacy leaks , and application vulnerabilities .", "spans": {"Organization: Trend Micro": [[0, 11]], "System: Mobile App Reputation Service": [[16, 45]], "System: Android": [[62, 69]], "System: iOS": [[74, 77]]}, "info": {"id": "cyner_mitre_train_02413", "source": "cyner_mitre_train"}} +{"text": "Several weeks ago , Check Point Mobile Threat Prevention detected and quarantined the Android device of an unsuspecting customer employee who downloaded and installed a 0day mobile ransomware from Google Play dubbed “ Charger. 
” This incident demonstrates how malware can be a dangerous threat to your business , and how advanced behavioral detection fills mobile security gaps attackers use to penetrate entire networks .", "spans": {"Organization: Check Point": [[20, 31]], "System: Android": [[86, 93]], "System: Google Play": [[197, 208]], "Malware: Charger.": [[218, 226]]}, "info": {"id": "cyner_mitre_train_02414", "source": "cyner_mitre_train"}} +{"text": "Charger was found embedded in an app called EnergyRescue .", "spans": {"Malware: Charger": [[0, 7]], "Malware: EnergyRescue": [[44, 56]]}, "info": {"id": "cyner_mitre_train_02415", "source": "cyner_mitre_train"}} +{"text": "The infected app steals contacts and SMS messages from the user ’ s device and asks for admin permissions .", "spans": {}, "info": {"id": "cyner_mitre_train_02416", "source": "cyner_mitre_train"}} +{"text": "If granted , the ransomware locks the device and displays a message demanding payment : You need to pay for us , otherwise we will sell portion of your personal information on black market every 30 minutes .", "spans": {}, "info": {"id": "cyner_mitre_train_02417", "source": "cyner_mitre_train"}} +{"text": "WE GIVE 100 % GUARANTEE THAT ALL FILES WILL RESTORE AFTER WE RECEIVE PAYMENT .", "spans": {}, "info": {"id": "cyner_mitre_train_02418", "source": "cyner_mitre_train"}} +{"text": "WE WILL UNLOCK THE MOBILE DEVICE AND DELETE ALL YOUR DATA FROM OUR SERVER !", "spans": {}, "info": {"id": "cyner_mitre_train_02419", "source": "cyner_mitre_train"}} +{"text": "TURNING OFF YOUR PHONE IS MEANINGLESS , ALL YOUR DATA IS ALREADY STORED ON OUR SERVERS !", "spans": {}, "info": {"id": "cyner_mitre_train_02420", "source": "cyner_mitre_train"}} +{"text": "WE STILL CAN SELLING IT FOR SPAM , FAKE , BANK CRIME etc… We collect and download all of your personal data .", "spans": {}, "info": {"id": "cyner_mitre_train_02421", "source": "cyner_mitre_train"}} +{"text": "All information about your social networks , Bank accounts , Credit 
Cards .", "spans": {}, "info": {"id": "cyner_mitre_train_02422", "source": "cyner_mitre_train"}} +{"text": "We collect all data about your friends and family .", "spans": {}, "info": {"id": "cyner_mitre_train_02423", "source": "cyner_mitre_train"}} +{"text": "The ransom demand for 0.2 Bitcoins ( roughly $ 180 ) is a much higher ransom demand than has been seen in mobile ransomware so far .", "spans": {}, "info": {"id": "cyner_mitre_train_02424", "source": "cyner_mitre_train"}} +{"text": "By comparison , the DataLust ransomware demanded merely $ 15 .", "spans": {"Malware: DataLust": [[20, 28]]}, "info": {"id": "cyner_mitre_train_02425", "source": "cyner_mitre_train"}} +{"text": "Payments are made to a specific Bitcoin account , but we haven ’ t identified any payments so far .", "spans": {"System: Bitcoin": [[32, 39]]}, "info": {"id": "cyner_mitre_train_02426", "source": "cyner_mitre_train"}} +{"text": "Adware commonly found on Play collects profits from ad networks , but mobile ransomware inflicts direct harm to users .", "spans": {}, "info": {"id": "cyner_mitre_train_02427", "source": "cyner_mitre_train"}} +{"text": "Like FakeDefender and DataLust , Charger could be an indicator of a wider effort by mobile malware developers to catch up with their PC ransomware cousins .", "spans": {"Malware: FakeDefender": [[5, 17]], "Malware: DataLust": [[22, 30]], "Malware: Charger": [[33, 40]]}, "info": {"id": "cyner_mitre_train_02428", "source": "cyner_mitre_train"}} +{"text": "Similar to other malware seen in the past , Charger checks the local settings of the device and does not run its malicious logic if the device is located in Ukraine , Russia , or Belarus .", "spans": {"Malware: Charger": [[44, 51]]}, "info": {"id": "cyner_mitre_train_02429", "source": "cyner_mitre_train"}} +{"text": "This is likely done to keep the developers from being prosecuted in their own countries or being extradited between countries .", "spans": {}, "info": {"id": "cyner_mitre_train_02430", 
"source": "cyner_mitre_train"}} +{"text": "Most malware found on Google Play contains only a dropper that later downloads the real malicious components to the device .", "spans": {"System: Google Play": [[22, 33]]}, "info": {"id": "cyner_mitre_train_02431", "source": "cyner_mitre_train"}} +{"text": "Charger , however , uses a heavy packing approach which it harder for the malware to stay hidden , so it must compensate with other means .", "spans": {"Malware: Charger": [[0, 7]]}, "info": {"id": "cyner_mitre_train_02432", "source": "cyner_mitre_train"}} +{"text": "The developers of Charger gave it everything they had to boost its evasion capabilities and so it could stay hidden on Google Play for as long as possible .", "spans": {"Malware: Charger": [[18, 25]], "System: Google Play": [[119, 130]]}, "info": {"id": "cyner_mitre_train_02433", "source": "cyner_mitre_train"}} +{"text": "The malware uses several advanced techniques to hide its real intentions and makes it harder to detect .", "spans": {}, "info": {"id": "cyner_mitre_train_02434", "source": "cyner_mitre_train"}} +{"text": "It encodes strings into binary arrays , making it hard to inspect them .", "spans": {}, "info": {"id": "cyner_mitre_train_02435", "source": "cyner_mitre_train"}} +{"text": "It loads code from encrypted resources dynamically , which most detection engines can not penetrate and inspect .", "spans": {}, "info": {"id": "cyner_mitre_train_02436", "source": "cyner_mitre_train"}} +{"text": "The dynamically-loaded code is also flooded with meaningless commands that mask the actual commands passing through .", "spans": {}, "info": {"id": "cyner_mitre_train_02437", "source": "cyner_mitre_train"}} +{"text": "It checks whether it is being run in an emulator before it starts its malicious activity .", "spans": {}, "info": {"id": "cyner_mitre_train_02438", "source": "cyner_mitre_train"}} +{"text": "PC malware first introduced this technique which is becoming a trend in mobile malware having been 
adopted by several malware families including Dendroid .", "spans": {"Malware: Dendroid": [[145, 153]]}, "info": {"id": "cyner_mitre_train_02439", "source": "cyner_mitre_train"}} +{"text": "Emulator and location conditions for the malware ’ s activity Check Point Mobile Threat Prevention customers are protected from Charger and similar malware .", "spans": {"Organization: Check Point": [[62, 73]], "Malware: Charger": [[128, 135]]}, "info": {"id": "cyner_mitre_train_02440", "source": "cyner_mitre_train"}} +{"text": "Check Point ’ s Analysis and Response Team ( ART ) disclosed the finding to Android ’ s Security team who took the appropriate security steps to remove the infected app and added the malware to Android ’ s built-in protection mechanisms .", "spans": {"Organization: Check Point": [[0, 11]], "System: Android": [[76, 83], [194, 201]]}, "info": {"id": "cyner_mitre_train_02441", "source": "cyner_mitre_train"}} +{"text": "Charger SHA256 hash : 58eb6c368e129b17559bdeacb3aed4d9a5d3596f774cf5ed3fdcf51775232ba0 Infostealer , Keylogger , and Ransomware in One : Anubis Targets More than 250 Android Applications October 29 , 2021 The Cofense Phishing Defense Center uncovered a phishing campaign that specifically targets users of Android devices that could result in compromise if unsigned Android applications are permitted on the device .", "spans": {"Indicator: 58eb6c368e129b17559bdeacb3aed4d9a5d3596f774cf5ed3fdcf51775232ba0": [[22, 86]], "Malware: Anubis": [[137, 143]], "System: Android": [[166, 173], [306, 313], [366, 373]], "Organization: Cofense Phishing Defense Center": [[209, 240]]}, "info": {"id": "cyner_mitre_train_02442", "source": "cyner_mitre_train"}} +{"text": "The campaign seeks to deliver Anubis , a particularly nasty piece of malware that was originally used for cyber espionage and retooled as a banking trojan .", "spans": {"Malware: Anubis": [[30, 36]]}, "info": {"id": "cyner_mitre_train_02443", "source": "cyner_mitre_train"}} +{"text": "Anubis can 
completely hijack an Android mobile device , steal data , record phone calls , and even hold the device to ransom by encrypting the victim ’ s personal files .", "spans": {"Malware: Anubis": [[0, 6]], "System: Android": [[32, 39]]}, "info": {"id": "cyner_mitre_train_02444", "source": "cyner_mitre_train"}} +{"text": "With mobile devices increasingly used in the corporate environment , thanks to the popularity of BYOD policies , this malware has the potential to cause serious harm , mostly to consumers , and businesses that allow the installation of unsigned applications .", "spans": {}, "info": {"id": "cyner_mitre_train_02445", "source": "cyner_mitre_train"}} +{"text": "Here ’ s how it works : At first glance , the email shown in Figure 1 looks like any other phishing email that asks the user to download an invoice .", "spans": {}, "info": {"id": "cyner_mitre_train_02446", "source": "cyner_mitre_train"}} +{"text": "However , this particular email downloads an Android Package Kit ( APK ) , which is the common format used by Android to distribute and install applications .", "spans": {"System: Android Package Kit": [[45, 64]], "System: Android": [[110, 117]]}, "info": {"id": "cyner_mitre_train_02447", "source": "cyner_mitre_train"}} +{"text": "Let ’ s take a closer look at the suspicious file .", "spans": {}, "info": {"id": "cyner_mitre_train_02448", "source": "cyner_mitre_train"}} +{"text": "Figure 1 – Phishing Email When the email link is opened from an Android device , an APK file ( Fattura002873.apk ) , is downloaded .", "spans": {"System: Android": [[64, 71]], "Indicator: Fattura002873.apk": [[95, 112]]}, "info": {"id": "cyner_mitre_train_02449", "source": "cyner_mitre_train"}} +{"text": "Upon opening the file , the user is asked to enable “ Google Play Protect ” as shown in Figure 2 .", "spans": {"System: Google Play": [[54, 65]]}, "info": {"id": "cyner_mitre_train_02450", "source": "cyner_mitre_train"}} +{"text": "However , this is not a genuine “ Google Play 
Protect ” screen ; instead it gives the app all the permissions it needs while simultaneously disabling the actual Google Play Protect .", "spans": {"System: Google Play": [[34, 45]], "System: Google Play Protect": [[161, 180]]}, "info": {"id": "cyner_mitre_train_02451", "source": "cyner_mitre_train"}} +{"text": "Figure 2 – Granting Permissions The following permissions are granted to the app : Figure 3 – Permissions Granted to App A closer look at the code reveals the application gathers a list of installed applications to compare the results against a list of targeted applications ( Figure 4 ) .", "spans": {}, "info": {"id": "cyner_mitre_train_02452", "source": "cyner_mitre_train"}} +{"text": "The malware mainly targets banking and financial applications , but also looks for popular shopping apps such as eBay or Amazon .", "spans": {"Organization: eBay": [[113, 117]], "Organization: Amazon": [[121, 127]]}, "info": {"id": "cyner_mitre_train_02453", "source": "cyner_mitre_train"}} +{"text": "A full list of targeted applications is included in the IOC section at the end of this post .", "spans": {}, "info": {"id": "cyner_mitre_train_02454", "source": "cyner_mitre_train"}} +{"text": "Once an application has been identified , Anubis overlays the original application with a fake login page to capture the user ’ s credentials .", "spans": {"Malware: Anubis": [[42, 48]]}, "info": {"id": "cyner_mitre_train_02455", "source": "cyner_mitre_train"}} +{"text": "Figure 4 – Checking for installed apps Based on a thorough analysis of the code , the most interesting technical capabilities include : Capturing screenshots Enabling or changing administration settings Opening and visiting any URL Disabling Play Protect Recording audio Making phone calls Stealing the contact list Controlling the device via VNC Sending , receiving and deleting SMS Locking the device Encrypting files on the device and external drives Searching for files Retrieving the GPS location Capturing remote 
control commands from Twitter and Telegram Pushing overlays Reading the device ID The malware includes", "spans": {"System: Twitter": [[541, 548]], "System: Telegram": [[553, 561]]}, "info": {"id": "cyner_mitre_train_02456", "source": "cyner_mitre_train"}} +{"text": "a keylogger that works in every app installed on the Android device .", "spans": {"System: Android": [[53, 60]]}, "info": {"id": "cyner_mitre_train_02457", "source": "cyner_mitre_train"}} +{"text": "However , the keylogger needs to be specifically enabled by a command sent from the C2 server .", "spans": {}, "info": {"id": "cyner_mitre_train_02458", "source": "cyner_mitre_train"}} +{"text": "The keylogger can track three different events ( Figure 5 ) : TYPE_VIEW_CLICKED Represents the event of clicking on a View-like Button , CompoundButton , etc .", "spans": {}, "info": {"id": "cyner_mitre_train_02459", "source": "cyner_mitre_train"}} +{"text": "TYPE_VIEW_FOCUSED Represents the event of setting input focus of a View .", "spans": {}, "info": {"id": "cyner_mitre_train_02460", "source": "cyner_mitre_train"}} +{"text": "TYPE_VIEW_TEXT_CHANGED Represents the event of changing the text of an EditText .", "spans": {}, "info": {"id": "cyner_mitre_train_02461", "source": "cyner_mitre_train"}} +{"text": "Figure 5 – Keylogger component Figure 6 shows one of the most noteworthy functions of Anubis : its ransomware module .", "spans": {"Malware: Anubis": [[86, 92]]}, "info": {"id": "cyner_mitre_train_02462", "source": "cyner_mitre_train"}} +{"text": "The malware searches both internal and external storage and encrypts them using RC4 .", "spans": {}, "info": {"id": "cyner_mitre_train_02463", "source": "cyner_mitre_train"}} +{"text": "It adds the file extension .AnubisCrypt to each encrypted file and sends it to the C2 .", "spans": {"Indicator: .AnubisCrypt": [[27, 39]]}, "info": {"id": "cyner_mitre_train_02464", "source": "cyner_mitre_train"}} +{"text": "Figure 6 – Ransomware component Anubis has been known to 
utilize Twitter or Telegram to retrieve the C2 address and this sample is no exception ( Figure 7 ) .", "spans": {"Malware: Anubis": [[32, 38]], "Organization: Twitter": [[65, 72]], "Organization: Telegram": [[76, 84]]}, "info": {"id": "cyner_mitre_train_02465", "source": "cyner_mitre_train"}} +{"text": "Figure 7 – C2 As seen in Figure 8 , this version of Anubis is built to run on several iterations of the Android operating system , dating back to version 4.0.3 , which was released in 2012 .", "spans": {"Malware: Anubis": [[52, 58]], "System: Android": [[104, 111]]}, "info": {"id": "cyner_mitre_train_02466", "source": "cyner_mitre_train"}} +{"text": "Figure 8 – Android requirements Android malware has been around for many years and will be with us for the foreseeable future .", "spans": {"System: Android": [[11, 18], [32, 39]]}, "info": {"id": "cyner_mitre_train_02467", "source": "cyner_mitre_train"}} +{"text": "Users who have configured their Android mobile device to receive work-related emails and allow installation of unsigned applications face the most risk of compromise .", "spans": {"System: Android": [[32, 39]]}, "info": {"id": "cyner_mitre_train_02468", "source": "cyner_mitre_train"}} +{"text": "APK files will not natively open in an environment other than an Android device .", "spans": {"System: Android": [[65, 72]]}, "info": {"id": "cyner_mitre_train_02469", "source": "cyner_mitre_train"}} +{"text": "With the increased use of Android phones in business environments , it is important to defend against these threats by ensuring devices are kept current with the latest updates .", "spans": {"System: Android": [[26, 33]]}, "info": {"id": "cyner_mitre_train_02470", "source": "cyner_mitre_train"}} +{"text": "Limiting app installations on corporate devices , as well as ensuring that applications are created by trusted developers on official marketplaces , can help in reducing the risk of infection as well .", "spans": {}, "info": {"id": 
"cyner_mitre_train_02471", "source": "cyner_mitre_train"}} +{"text": "ViceLeaker Operation : mobile espionage targeting Middle East 26 JUN 2019 In May 2018 , we discovered a campaign targeting dozens of mobile Android devices belonging to Israeli citizens .", "spans": {"Malware: ViceLeaker": [[0, 10]], "System: Android": [[140, 147]]}, "info": {"id": "cyner_mitre_train_02472", "source": "cyner_mitre_train"}} +{"text": "Kaspersky spyware sensors caught the signal of an attack from the device of one of the victims ; and a hash of the APK involved ( Android application ) was tagged in our sample feed for inspection .", "spans": {"Organization: Kaspersky": [[0, 9]], "System: Android": [[130, 137]]}, "info": {"id": "cyner_mitre_train_02473", "source": "cyner_mitre_train"}} +{"text": "Once we looked into the file , we quickly found out that the inner-workings of the APK included a malicious payload , embedded in the original code of the application .", "spans": {}, "info": {"id": "cyner_mitre_train_02474", "source": "cyner_mitre_train"}} +{"text": "This was an original spyware program , designed to exfiltrate almost all accessible information .", "spans": {}, "info": {"id": "cyner_mitre_train_02475", "source": "cyner_mitre_train"}} +{"text": "During the course of our research , we noticed that we were not the only ones to have found the operation .", "spans": {}, "info": {"id": "cyner_mitre_train_02476", "source": "cyner_mitre_train"}} +{"text": "Researchers from Bitdefender also released an analysis of one of the samples in a blogpost .", "spans": {"System: Bitdefender": [[17, 28]]}, "info": {"id": "cyner_mitre_train_02477", "source": "cyner_mitre_train"}} +{"text": "Although something had already been published , we decided to do something different with the data we acquired .", "spans": {}, "info": {"id": "cyner_mitre_train_02478", "source": "cyner_mitre_train"}} +{"text": "The following month , we released a private report on our Threat Intelligence Portal to alert 
our clients about this newly discovered operation and began writing YARA rules in order to catch more samples .", "spans": {}, "info": {"id": "cyner_mitre_train_02479", "source": "cyner_mitre_train"}} +{"text": "We decided to call the operation “ ViceLeaker ” , because of strings and variables in its code .", "spans": {"Malware: ViceLeaker": [[35, 45]]}, "info": {"id": "cyner_mitre_train_02480", "source": "cyner_mitre_train"}} +{"text": "Mobile ViceLeaker The following table shows meta information on the observed samples , including compiler timestamps : MD5 Package Compiler C2 51df2597faa3fce38a4c5ae024f97b1c com.xapps.SexGameForAdults dexlib 2.x 188.165.28 [ .", "spans": {"Malware: ViceLeaker": [[7, 17]], "Indicator: 51df2597faa3fce38a4c5ae024f97b1c": [[143, 175]], "Indicator: com.xapps.SexGameForAdults": [[176, 202]], "Indicator: 188.165.28 [ .": [[214, 228]]}, "info": {"id": "cyner_mitre_train_02481", "source": "cyner_mitre_train"}} +{"text": "] 251 2d108ff3a735dea1d1fdfa430f37fab2 com.psiphon3 dexlib 2.x 188.165.49 [ .", "spans": {"Indicator: 2d108ff3a735dea1d1fdfa430f37fab2": [[6, 38]], "Indicator: com.psiphon3": [[39, 51]], "Indicator: 188.165.49 [ .": [[63, 77]]}, "info": {"id": "cyner_mitre_train_02482", "source": "cyner_mitre_train"}} +{"text": "] 205 7ed754a802f0b6a1740a99683173db73 com.psiphon3 dexlib 2.x 188.165.49 [ .", "spans": {"Indicator: 7ed754a802f0b6a1740a99683173db73": [[6, 38]], "Indicator: com.psiphon3": [[39, 51]], "Indicator: 188.165.49 [ .": [[63, 77]]}, "info": {"id": "cyner_mitre_train_02483", "source": "cyner_mitre_train"}} +{"text": "] 205 3b89e5cd49c05ce6dc681589e6c368d9 ir.abed.dastan dexlib 2.x 185.141.60 [ .", "spans": {"Indicator: 3b89e5cd49c05ce6dc681589e6c368d9": [[6, 38]], "Indicator: ir.abed.dastan": [[39, 53]], "Indicator: 185.141.60 [ .": [[65, 79]]}, "info": {"id": "cyner_mitre_train_02484", "source": "cyner_mitre_train"}} +{"text": "] 213 To backdoor legitimate applications , attackers used a Smali injection technique – a 
type of injection that allows attackers to disassemble the code of original app with the Baksmali tool , add their malicious code , and assemble it with Smali .", "spans": {}, "info": {"id": "cyner_mitre_train_02485", "source": "cyner_mitre_train"}} +{"text": "As a result , due to such an unusual compilation process , there were signs in the dex file that point to dexlib , a library used by the Smali tool to assemble dex files .", "spans": {}, "info": {"id": "cyner_mitre_train_02486", "source": "cyner_mitre_train"}} +{"text": "Original code of the APK on the left , versus injected APK on the right The analysis of the APK was rather interesting , because some of the actions were very common spyware features , such as the exfiltration of SMS messages , call logs and other data .", "spans": {}, "info": {"id": "cyner_mitre_train_02487", "source": "cyner_mitre_train"}} +{"text": "However , in addition to the traditional functionality , there were also backdoor capabilities such as upload , download , delete files , camera takeover and record surrounding audio .", "spans": {}, "info": {"id": "cyner_mitre_train_02488", "source": "cyner_mitre_train"}} +{"text": "The malware uses HTTP for communication with the C2 server for command handling and data exfiltration .", "spans": {}, "info": {"id": "cyner_mitre_train_02489", "source": "cyner_mitre_train"}} +{"text": "Here is a command and control protocol fragment : Commands from C2 server parsing In total , the malicious APK handles 16 different commands : Command Endpoint Description 1 reqsmscal.php Send specified SMS message 2 reqsmscal.php Call specified number 3 reqsmscal.php Exfiltrate device info , such as phone model and OS version 4 reqsmscal.php Exfiltrate a list of all installed applications 5 reqsmscal.php Exfiltrate default browser history ( limited to a given date ) 6 reqsmscal.php", "spans": {"Indicator: reqsmscal.php": [[174, 187], [217, 230], [255, 268], [331, 344], [395, 408], [474, 487]]}, "info": {"id": 
"cyner_mitre_train_02490", "source": "cyner_mitre_train"}} +{"text": "Exfiltrate Chrome browser history ( limited to a given date ) 7 reqsmscal.php Exfiltrate memory card file structure 8 reqsmscal.php Record surrounding sound for 80 seconds 1 reqcalllog.php Exfiltrate all call logs 2 reqcalllog.php Exfiltrate all SMS messages 3 reqcalllog.php Upload specified file from the device to the C2 4 reqcalllog.php Download file from specified URL and save on device 5 reqcalllog.php Delete specified file 6,7,8 reqcalllog.php Commands not yet", "spans": {"Indicator: reqsmscal.php": [[64, 77], [118, 131]], "Indicator: reqcalllog.php": [[174, 188], [216, 230], [261, 275], [326, 340], [395, 409], [438, 452]]}, "info": {"id": "cyner_mitre_train_02491", "source": "cyner_mitre_train"}} +{"text": "implemented 9 reqcalllog.php Take photo ( muted audio ) with rear camera , send to C2 10 reqcalllog.php Take photo ( muted audio ) with front camera , send to C2 All observed samples with Smali injections were signed by the same debug certificate ( 0x936eacbe07f201df ) .", "spans": {"Indicator: reqcalllog.php": [[14, 28], [89, 103]]}, "info": {"id": "cyner_mitre_train_02492", "source": "cyner_mitre_train"}} +{"text": "As we know from our investigation , traces of the first development activities were found at the end of 2016 , but the main distribution campaign began in 2018 ( end of 2017 ) .", "spans": {}, "info": {"id": "cyner_mitre_train_02493", "source": "cyner_mitre_train"}} +{"text": "Based on our detection statistics , the main infection vector is the spread of Trojanized applications directly to victims via Telegram and WhatsApp messengers .", "spans": {}, "info": {"id": "cyner_mitre_train_02494", "source": "cyner_mitre_train"}} +{"text": "There are the following relevant detection paths ( the last one is an alternative Telegram client – “ Telegram X “ ) : Name Detection path Sex Game For Adults 18.apk /storage/emulated/0/WhatsApp/Media/WhatsApp Documents/ 
4_6032967490689041387.apk /storage/emulated/0/Telegram/Telegram Documents/ Psiphon-v91.apk /storage/emulated/0/Android/data/org.thunderdog.challegram/files/documents/ Backdoored Open Source During the course", "spans": {"Indicator: 18.apk": [[159, 165]], "Indicator: /storage/emulated/0/WhatsApp/Media/WhatsApp Documents/ 4_6032967490689041387.apk /storage/emulated/0/Telegram/Telegram Documents/": [[166, 295]], "Indicator: Psiphon-v91.apk": [[296, 311]], "Indicator: /storage/emulated/0/Android/data/org.thunderdog.challegram/files/documents/": [[312, 387]]}, "info": {"id": "cyner_mitre_train_02495", "source": "cyner_mitre_train"}} +{"text": "of our analysis , we also found samples sharing code with the ViceLeaker malware , in particular they shared a delimiter that was used in both cases to parse commands from the C2 server .", "spans": {"Malware: ViceLeaker": [[62, 72]]}, "info": {"id": "cyner_mitre_train_02496", "source": "cyner_mitre_train"}} +{"text": "This would be a very unusual coincidence .", "spans": {}, "info": {"id": "cyner_mitre_train_02497", "source": "cyner_mitre_train"}} +{"text": "Even when a false flag might also be a possibility , we consider this to be unlikely .", "spans": {}, "info": {"id": "cyner_mitre_train_02498", "source": "cyner_mitre_train"}} +{"text": "The samples sharing this overlap are modified versions of an open source Jabber/XMPP client called “ Conversations ” with some code additions .", "spans": {"System: Jabber/XMPP": [[73, 84]]}, "info": {"id": "cyner_mitre_train_02499", "source": "cyner_mitre_train"}} +{"text": "The legitimate version of this app is also available on Google Play .", "spans": {"System: Google Play": [[56, 67]]}, "info": {"id": "cyner_mitre_train_02500", "source": "cyner_mitre_train"}} +{"text": "The Conversations modified samples differ from the original one in the getKnownHosts method that was modified to replace the main XMPP host with the attackers ’ C2 server : It appears that the attackers were using a 
specific C2 for the use of that app .", "spans": {"System: XMPP": [[130, 134]]}, "info": {"id": "cyner_mitre_train_02501", "source": "cyner_mitre_train"}} +{"text": "Another important modification is in the message transfer process : With this modification , an application sends device location coordinates with every message .", "spans": {}, "info": {"id": "cyner_mitre_train_02502", "source": "cyner_mitre_train"}} +{"text": "There are also many other modifications , fully described in our private report .", "spans": {}, "info": {"id": "cyner_mitre_train_02503", "source": "cyner_mitre_train"}} +{"text": "In addition , we did not see traces of the Smali injection .", "spans": {}, "info": {"id": "cyner_mitre_train_02504", "source": "cyner_mitre_train"}} +{"text": "In this case we found traces of dx/dexmerge compilers , which means that , this time , the attackers just imported the original source code into an Android IDE ( such as Android Studio , for instance ) and compiled it with their own modifications .", "spans": {"System: Android": [[148, 155]], "System: Android Studio": [[170, 184]]}, "info": {"id": "cyner_mitre_train_02505", "source": "cyner_mitre_train"}} +{"text": "In addition to adding the code , the attackers also changed the icon and package name .", "spans": {}, "info": {"id": "cyner_mitre_train_02506", "source": "cyner_mitre_train"}} +{"text": "We do not know why , but we suspect that it was an attempt to hide the origin of the application .", "spans": {}, "info": {"id": "cyner_mitre_train_02507", "source": "cyner_mitre_train"}} +{"text": "Conversations-based app mimics Telegram messenger Even when we originally thought this was a backdoored version of the Conversations app , used to infect victims , we didn´t discovered anything malicious in it .", "spans": {"System: Telegram messenger": [[31, 49]]}, "info": {"id": "cyner_mitre_train_02508", "source": "cyner_mitre_train"}} +{"text": "This brought to us the hypothesis that this might be a version used 
by the group behind ViceLeaker for internal communication or for other , unclear purposes .", "spans": {"Malware: ViceLeaker": [[88, 98]]}, "info": {"id": "cyner_mitre_train_02509", "source": "cyner_mitre_train"}} +{"text": "All the detections of this backdoored app were geolocated in Iran .", "spans": {}, "info": {"id": "cyner_mitre_train_02510", "source": "cyner_mitre_train"}} +{"text": "Backdoored Conversations C2 server analysis During the analysis of the Smali injected apps and their C2 server infrastructure we hadn ’ t found any interesting clues , but things changed when we looked at the C2 server of the linked Conversations messenger .", "spans": {}, "info": {"id": "cyner_mitre_train_02511", "source": "cyner_mitre_train"}} +{"text": "It uses “ 185.51.201 [ .", "spans": {"Indicator: 185.51.201 [ .": [[10, 24]]}, "info": {"id": "cyner_mitre_train_02512", "source": "cyner_mitre_train"}} +{"text": "] 133 ” as a main C2 address , and there is only one domain that is hosted on this dedicated server – iliageram [ .", "spans": {"Indicator: iliageram [ .": [[102, 115]]}, "info": {"id": "cyner_mitre_train_02513", "source": "cyner_mitre_train"}} +{"text": "] ir .", "spans": {}, "info": {"id": "cyner_mitre_train_02514", "source": "cyner_mitre_train"}} +{"text": "Note that we later found versions that used the domain as a C2 directly instead of the IP address .", "spans": {}, "info": {"id": "cyner_mitre_train_02515", "source": "cyner_mitre_train"}} +{"text": "The record contains a personal email address : WHOIS records of C2 server exposing the attacker ’ s email address We were aware of the possibility that the attackers might be using a compromised email account , so we dug deeper to find more information related to this email address .", "spans": {}, "info": {"id": "cyner_mitre_train_02516", "source": "cyner_mitre_train"}} +{"text": "A quick search produced results about a personal page and , what is more interesting , a GitHub account that contains a forked 
Conversation repository .", "spans": {"Organization: GitHub": [[89, 95]]}, "info": {"id": "cyner_mitre_train_02517", "source": "cyner_mitre_train"}} +{"text": "Related Github account contains forked Conversations repository Summarizing all the found clues , we have the following attribution flow : Conclusion The operation of ViceLeaker is still ongoing , as is our research .", "spans": {"Organization: Github": [[8, 14]], "Malware: ViceLeaker": [[167, 177]]}, "info": {"id": "cyner_mitre_train_02518", "source": "cyner_mitre_train"}} +{"text": "The attackers have taken down their communication channels and are probably looking for ways to assemble their tools in a different manner .", "spans": {}, "info": {"id": "cyner_mitre_train_02519", "source": "cyner_mitre_train"}} +{"text": "Kaspersky detects and blocks samples of the ViceLeaker operation using the following verdict : Trojan-Spy.AndroidOS.ViceLeaker .", "spans": {"Organization: Kaspersky": [[0, 9]], "Malware: ViceLeaker": [[44, 54]], "Indicator: Trojan-Spy.AndroidOS.ViceLeaker .": [[95, 128]]}, "info": {"id": "cyner_mitre_train_02520", "source": "cyner_mitre_train"}} +{"text": "* Actually , we are currently investigating whether this group might also be behind a large-scale web-oriented attack at the end of 2018 using code injection and exploiting SQL vulnerabilities .", "spans": {"Vulnerability: SQL vulnerabilities": [[173, 192]]}, "info": {"id": "cyner_mitre_train_02521", "source": "cyner_mitre_train"}} +{"text": "Even when this would not be directly related to the Android malware described in this blogpost , it would be an indicator of wider capabilities and objectives of this actor .", "spans": {"System: Android": [[52, 59]]}, "info": {"id": "cyner_mitre_train_02522", "source": "cyner_mitre_train"}} +{"text": "XLoader Android Spyware and Banking Trojan Distributed via DNS Spoofing We have been detecting a new wave of network attacks since early March , which , for now , are targeting Japan , Korea , China , 
Taiwan , and Hong Kong .", "spans": {"Malware: XLoader": [[0, 7]], "System: Android": [[8, 15]]}, "info": {"id": "cyner_mitre_train_02523", "source": "cyner_mitre_train"}} +{"text": "Trend Micro detects these as ANDROIDOS_XLOADER.HRX .", "spans": {"Organization: Trend Micro": [[0, 11]], "Indicator: ANDROIDOS_XLOADER.HRX": [[29, 50]]}, "info": {"id": "cyner_mitre_train_02524", "source": "cyner_mitre_train"}} +{"text": "By : Trend Micro April 20 , 2018 We have been detecting a new wave of network attacks since early March , which , for now , are targeting Japan , Korea , China , Taiwan , and Hong Kong .", "spans": {"Organization: Trend Micro": [[5, 16]]}, "info": {"id": "cyner_mitre_train_02525", "source": "cyner_mitre_train"}} +{"text": "The attacks use Domain Name System ( DNS ) cache poisoning/DNS spoofing , possibly through infringement techniques such as brute-force or dictionary attacks , to distribute and install malicious Android apps .", "spans": {"System: Android": [[195, 202]]}, "info": {"id": "cyner_mitre_train_02526", "source": "cyner_mitre_train"}} +{"text": "Trend Micro detects these as ANDROIDOS_XLOADER.HRX .", "spans": {"Organization: Trend Micro": [[0, 11]], "Indicator: ANDROIDOS_XLOADER.HRX": [[29, 50]]}, "info": {"id": "cyner_mitre_train_02527", "source": "cyner_mitre_train"}} +{"text": "These malware pose as legitimate Facebook or Chrome applications .", "spans": {"System: Facebook": [[33, 41]], "System: Chrome": [[45, 51]]}, "info": {"id": "cyner_mitre_train_02528", "source": "cyner_mitre_train"}} +{"text": "They are distributed from polluted DNS domains that send a notification to an unknowing victim ’ s device .", "spans": {}, "info": {"id": "cyner_mitre_train_02529", "source": "cyner_mitre_train"}} +{"text": "The malicious apps can steal personally identifiable and financial data and install additional apps .", "spans": {}, "info": {"id": "cyner_mitre_train_02530", "source": "cyner_mitre_train"}} +{"text": "XLoader can also hijack the 
infected device ( i.e. , send SMSs ) and sports self-protection/persistence mechanisms through device administrator privileges .", "spans": {"Malware: XLoader": [[0, 7]]}, "info": {"id": "cyner_mitre_train_02531", "source": "cyner_mitre_train"}} +{"text": "Infection Chain As with our earlier reports in late March , the attack chain involves diverting internet traffic to attacker-specified domains by compromising and overwriting the router ’ s DNS settings .", "spans": {}, "info": {"id": "cyner_mitre_train_02532", "source": "cyner_mitre_train"}} +{"text": "A fake alert will notify and urge the user to access the malicious domain and download XLoader .", "spans": {"Malware: XLoader": [[87, 94]]}, "info": {"id": "cyner_mitre_train_02533", "source": "cyner_mitre_train"}} +{"text": "Technical Analysis XLoader first loads the encrypted payload from Assets/db as test.dex to drop the necessary modules then requests for device administrator privileges .", "spans": {"Malware: XLoader": [[19, 26]], "Indicator: Assets/db": [[66, 75]], "Indicator: test.dex": [[79, 87]]}, "info": {"id": "cyner_mitre_train_02534", "source": "cyner_mitre_train"}} +{"text": "Once granted permission , it hides its icon from the launcher application list then starts a service that it keeps running in the background .", "spans": {}, "info": {"id": "cyner_mitre_train_02535", "source": "cyner_mitre_train"}} +{"text": "The background service uses the reflection technique ( a feature that allows the inspection and modification of Java-based programs ’ internal properties ) to invoke the method com.Loader.start in the payload .", "spans": {"Indicator: com.Loader.start": [[177, 193]]}, "info": {"id": "cyner_mitre_train_02536", "source": "cyner_mitre_train"}} +{"text": "Monitoring Broadcast Events XLoader registers many broadcast receivers in the payload dynamically ( to monitor broadcast events sent between system and applications ) .", "spans": {"Malware: XLoader": [[28, 35]]}, "info": {"id": 
"cyner_mitre_train_02537", "source": "cyner_mitre_train"}} +{"text": "Registering broadcast receivers enable XLoader to trigger its malicious routines .", "spans": {"Malware: XLoader": [[39, 46]]}, "info": {"id": "cyner_mitre_train_02538", "source": "cyner_mitre_train"}} +{"text": "Here is a list of broadcast actions : android.provider.Telephony.SMS_RECEIVED android.net.conn.CONNECTIVITY_CHANGE android.intent.action.BATTERY_CHANGED android.intent.action.USER_PRESENT android.intent.action.PHONE_STATE android.net.wifi.SCAN_RESULTS android.intent.action.PACKAGE_ADDED android.intent.action.PACKAGE_REMOVED android.intent.action.SCREEN_OFF android.intent.action.SCREEN_ON", "spans": {"Indicator: android.provider.Telephony.SMS_RECEIVED": [[38, 77]], "Indicator: android.net.conn.CONNECTIVITY_CHANGE": [[78, 114]], "Indicator: android.intent.action.BATTERY_CHANGED": [[115, 152]], "Indicator: android.intent.action.USER_PRESENT": [[153, 187]], "Indicator: android.intent.action.PHONE_STATE": [[188, 221]], "Indicator: android.net.wifi.SCAN_RESULTS": [[222, 251]], "Indicator: android.intent.action.PACKAGE_ADDED": [[252, 287]], "Indicator: android.intent.action.PACKAGE_REMOVED": [[288, 325]], "Indicator: android.intent.action.SCREEN_OFF": [[326, 358]], "Indicator: android.intent.action.SCREEN_ON": [[359, 390]]}, "info": {"id": "cyner_mitre_train_02539", "source": "cyner_mitre_train"}} +{"text": "android.media.RINGER_MODE_CHANGED android.sms.msg.action.SMS_SEND android.sms.msg.action.SMS_DELIVERED Creating a Web Server to Phish XLoader creates a provisional web server to receive the broadcast events .", "spans": {"Indicator: android.media.RINGER_MODE_CHANGED": [[0, 33]], "Indicator: android.sms.msg.action.SMS_SEND": [[34, 65]], "Indicator: android.sms.msg.action.SMS_DELIVERED": [[66, 102]], "Malware: XLoader": [[134, 141]]}, "info": {"id": "cyner_mitre_train_02540", "source": "cyner_mitre_train"}} +{"text": "It can also create a simple HTTP server on the infected device to deceive 
victims .", "spans": {}, "info": {"id": "cyner_mitre_train_02541", "source": "cyner_mitre_train"}} +{"text": "It shows a web phishing page whenever the affected device receives a broadcast event ( i.e. , if a new package is installed or if the device ’ s screen is on ) to steal personal data , such as those keyed in for banking apps .", "spans": {}, "info": {"id": "cyner_mitre_train_02542", "source": "cyner_mitre_train"}} +{"text": "The phishing page is translated in Korean , Japanese , Chinese , and English , which are hardcoded in the payload .", "spans": {}, "info": {"id": "cyner_mitre_train_02543", "source": "cyner_mitre_train"}} +{"text": "It will appear differently to users depending on the language set on the device .", "spans": {}, "info": {"id": "cyner_mitre_train_02544", "source": "cyner_mitre_train"}} +{"text": "XLoader as Spyware and Banking Trojan XLoader can also collect information related to usage of apps installed in the device .", "spans": {"Malware: XLoader": [[0, 7]], "Indicator: XLoader": [[38, 45]]}, "info": {"id": "cyner_mitre_train_02545", "source": "cyner_mitre_train"}} +{"text": "Its data-stealing capabilities include collecting SMSs after receiving an SMS-related broadcast event and covertly recording phone calls .", "spans": {}, "info": {"id": "cyner_mitre_train_02546", "source": "cyner_mitre_train"}} +{"text": "XLoader can also hijack accounts linked to financial or game-related apps installed on the affected device .", "spans": {"Malware: XLoader": [[0, 7]]}, "info": {"id": "cyner_mitre_train_02547", "source": "cyner_mitre_train"}} +{"text": "XLoader can also start other attacker-specified packages .", "spans": {"Malware: XLoader": [[0, 7]]}, "info": {"id": "cyner_mitre_train_02548", "source": "cyner_mitre_train"}} +{"text": "A possible attack scenario involves replacing legitimate apps with repackaged or malicious versions .", "spans": {}, "info": {"id": "cyner_mitre_train_02549", "source": "cyner_mitre_train"}} +{"text": "By 
monitoring the package installation broadcast event , XLoader can start their packages .", "spans": {"Malware: XLoader": [[57, 64]]}, "info": {"id": "cyner_mitre_train_02550", "source": "cyner_mitre_train"}} +{"text": "This enables it to launch malicious apps without the user ’ s awareness and explicit consent .", "spans": {}, "info": {"id": "cyner_mitre_train_02551", "source": "cyner_mitre_train"}} +{"text": "We reverse engineered XLoader and found that it appears to target South Korea-based banks and game development companies .", "spans": {"Malware: XLoader": [[22, 29]]}, "info": {"id": "cyner_mitre_train_02552", "source": "cyner_mitre_train"}} +{"text": "XLoader also prevents victims from accessing the device ’ s settings or using a known antivirus ( AV ) app in the country .", "spans": {"Malware: XLoader": [[0, 7]]}, "info": {"id": "cyner_mitre_train_02553", "source": "cyner_mitre_train"}} +{"text": "XLoader can also load multiple malicious modules to receive and execute commands from its remote command-and-control ( C & C ) server , as shown below : Here ’ s a list of the modules and their functions : sendSms — send SMS/MMS to a specified address setWifi — enable or disable Wi-Fi connection gcont — collect all the device ’ s contacts lock — currently just an input lock status in the settings ( pref ) file , but may be used as a screenlocking ransomware bc — collect all contacts", "spans": {"Malware: XLoader": [[0, 7]]}, "info": {"id": "cyner_mitre_train_02554", "source": "cyner_mitre_train"}} +{"text": "from the Android device and SIM card setForward — currently not implemented , but can be used to hijack the infected device getForward — currently not implemented , but can be used to hijack the infected device hasPkg — check the device whether a specified app is installed or not setRingerMode — set the device ’ s ringer mode setRecEnable — set the device ’ s ringer mode as silent reqState — get a detailed phone connection status , which includes activated 
network and Wi-Fi ( with or without password ) showHome —", "spans": {"System: Android": [[9, 16]]}, "info": {"id": "cyner_mitre_train_02555", "source": "cyner_mitre_train"}} +{"text": "force the device ’ s back to the home screen getnpki : get files/content from the folder named NPKI ( contains certificates related to financial transactions ) http — access a specified network using HttpURLConnection onRecordAction — simulate a number-dialed tone call — call a specified number get_apps — get all the apps installed on the device show_fs_float_window — show a full-screen window for phishing Of note is XLoader ’ s abuse of the WebSocket protocol ( supported in many browsers", "spans": {"Malware: XLoader": [[421, 428]]}, "info": {"id": "cyner_mitre_train_02556", "source": "cyner_mitre_train"}} +{"text": "and web applications ) via ws ( WebSockets ) or wss ( WebSockets over SSL/TLS ) to communicate with its C & C servers .", "spans": {}, "info": {"id": "cyner_mitre_train_02557", "source": "cyner_mitre_train"}} +{"text": "The URLs — abused as part of XLoader ’ s C & C — are hidden in three webpages , and the C & C server that XLoader connects to differ per region .", "spans": {"Malware: XLoader": [[29, 36], [106, 113]]}, "info": {"id": "cyner_mitre_train_02558", "source": "cyner_mitre_train"}} +{"text": "The abuse of the WebSocket protocol provides XLoader with a persistent connection between clients and servers where data can be transported any time .", "spans": {"Malware: XLoader": [[45, 52]]}, "info": {"id": "cyner_mitre_train_02559", "source": "cyner_mitre_train"}} +{"text": "XLoader abuses the MessagePack ( a data interchange format ) to package the stolen data and exfiltrate it via the WebSocket protocol for faster and more efficient transmission .", "spans": {"Malware: XLoader": [[0, 7]]}, "info": {"id": "cyner_mitre_train_02560", "source": "cyner_mitre_train"}} +{"text": "Mitigations XLoader will not download malicious apps if the Android device uses a mobile 
data connection .", "spans": {"Malware: XLoader": [[12, 19]]}, "info": {"id": "cyner_mitre_train_02561", "source": "cyner_mitre_train"}} +{"text": "Nevertheless , users should practice proper security hygiene to mitigate threats that may take advantage of a home or business router ’ s security gaps .", "spans": {}, "info": {"id": "cyner_mitre_train_02562", "source": "cyner_mitre_train"}} +{"text": "Employ stronger credentials , for instance , to make them less susceptible to unauthorized access .", "spans": {}, "info": {"id": "cyner_mitre_train_02563", "source": "cyner_mitre_train"}} +{"text": "Regularly update and patch the router ’ s software and firmware to prevent exploits , and enable its built-in firewall .", "spans": {}, "info": {"id": "cyner_mitre_train_02564", "source": "cyner_mitre_train"}} +{"text": "For system administrators and information security professionals , configuring the router to be more resistant to attacks like DNS cache poisoning can help mitigate similar threats .", "spans": {}, "info": {"id": "cyner_mitre_train_02565", "source": "cyner_mitre_train"}} +{"text": "Everyday users can do the same by checking the router ’ s DNS settings if they ’ ve been modified .", "spans": {}, "info": {"id": "cyner_mitre_train_02566", "source": "cyner_mitre_train"}} +{"text": "Even threats like DNS cache poisoning employ social engineering , so users should also be more prudent against suspicious or unknown messages that have telltale signs of malware .", "spans": {}, "info": {"id": "cyner_mitre_train_02567", "source": "cyner_mitre_train"}} +{"text": "We have worked with Google and they ensure that Google Play Protect proactively catches apps of this nature .", "spans": {"Organization: Google": [[20, 26]], "System: Google Play Protect": [[48, 67]]}, "info": {"id": "cyner_mitre_train_02568", "source": "cyner_mitre_train"}} +{"text": "No instances of these apps were found in Google Play .", "spans": {"System: Google Play": [[41, 52]]}, "info": {"id": 
"cyner_mitre_train_02569", "source": "cyner_mitre_train"}} +{"text": "September 08 , 2020 TikTok Spyware A detailed analysis of spyware masquerading as TikTok A recent threat to ban TikTok in the United States has taken the internet by storm and received mixed reactions from social media and internet users .", "spans": {"System: TikTok": [[20, 26], [82, 88], [112, 118]]}, "info": {"id": "cyner_mitre_train_02570", "source": "cyner_mitre_train"}} +{"text": "U.S. President Donald Trump has ordered ByteDance , the parent company of TikTok , to sell its U.S. TikTok assets and also issued executive orders that would ban the social media apps TikTok and WeChat from operating in the U.S. if the sale doesn ’ t happen in the next few weeks .", "spans": {"Organization: ByteDance": [[40, 49]], "System: TikTok": [[74, 80], [100, 106], [184, 190]], "System: WeChat": [[195, 201]]}, "info": {"id": "cyner_mitre_train_02571", "source": "cyner_mitre_train"}} +{"text": "On the other side , ByteDance has filed a lawsuit suing the Trump administration .", "spans": {"Organization: ByteDance": [[20, 29]]}, "info": {"id": "cyner_mitre_train_02572", "source": "cyner_mitre_train"}} +{"text": "When popular applications come under fire and are featured prominently in the news , hackers get excited as these newsworthy apps can become their latest target .", "spans": {}, "info": {"id": "cyner_mitre_train_02573", "source": "cyner_mitre_train"}} +{"text": "And TikTok is no exception .", "spans": {"System: TikTok": [[4, 10]]}, "info": {"id": "cyner_mitre_train_02574", "source": "cyner_mitre_train"}} +{"text": "Generally , after an application gets banned from an official app store , such as Google Play , users try to find alternative ways to download the app .", "spans": {"System: Google Play": [[82, 93]]}, "info": {"id": "cyner_mitre_train_02575", "source": "cyner_mitre_train"}} +{"text": "In doing so , users can become victims to malicious apps portraying themselves as the original app .", 
"spans": {}, "info": {"id": "cyner_mitre_train_02576", "source": "cyner_mitre_train"}} +{"text": "Recently there was a huge wave of SMS messages , as well as Whatsapp messages , making the rounds asking users to download the latest version of TikTok at hxxp : //tiny [ .", "spans": {"System: Whatsapp": [[60, 68]], "System: TikTok": [[145, 151]], "Indicator: hxxp : //tiny [ .": [[155, 172]]}, "info": {"id": "cyner_mitre_train_02577", "source": "cyner_mitre_train"}} +{"text": "] cc/TiktokPro .", "spans": {}, "info": {"id": "cyner_mitre_train_02578", "source": "cyner_mitre_train"}} +{"text": "In reality , this downloaded app is a fake app that asks for credentials and Android permissions ( including camera and phone permissions ) , resulting in the user being bombarded with advertisements .", "spans": {"System: Android": [[77, 84]]}, "info": {"id": "cyner_mitre_train_02579", "source": "cyner_mitre_train"}} +{"text": "Recently , we have come across another variant of this app portraying itself as TikTok Pro , but this is a full-fledged spyware with premium features to spy on victim with ease .", "spans": {"System: TikTok Pro": [[80, 90]]}, "info": {"id": "cyner_mitre_train_02580", "source": "cyner_mitre_train"}} +{"text": "( Please note this is a different app and not the same as the one being spread by hxxp : //tiny [ .", "spans": {"Indicator: hxxp : //tiny [ .": [[82, 99]]}, "info": {"id": "cyner_mitre_train_02581", "source": "cyner_mitre_train"}} +{"text": "] cc/TiktokPro .", "spans": {}, "info": {"id": "cyner_mitre_train_02582", "source": "cyner_mitre_train"}} +{"text": ") Technical Analysis App Name : TikTok Pro Hash : 9fed52ee7312e217bd10d6a156c8b988 Package Name : com.example.dat.a8andoserverx Upon installation , the spyware portrays itself as TikTok using the name TikTok Pro .", "spans": {"System: TikTok Pro": [[32, 42], [201, 211]], "Indicator: 9fed52ee7312e217bd10d6a156c8b988": [[50, 82]], "Indicator: com.example.dat.a8andoserverx": [[98, 127]], "System: 
TikTok": [[179, 185]]}, "info": {"id": "cyner_mitre_train_02583", "source": "cyner_mitre_train"}} +{"text": "As soon as a user tries to open the app , it launches a fake notification and soon the notification as well as the app icon disappears .", "spans": {}, "info": {"id": "cyner_mitre_train_02584", "source": "cyner_mitre_train"}} +{"text": "This fake notification tactic is used to redirect the user 's attention , meanwhile the app hides itself , making the user believe the app to be faulty .", "spans": {}, "info": {"id": "cyner_mitre_train_02585", "source": "cyner_mitre_train"}} +{"text": "This functionality can be seen in Figure 1 .", "spans": {}, "info": {"id": "cyner_mitre_train_02586", "source": "cyner_mitre_train"}} +{"text": "App Icon Figure 1 : App icon and fake notification .", "spans": {}, "info": {"id": "cyner_mitre_train_02587", "source": "cyner_mitre_train"}} +{"text": "Behind the scenes , there are number of process occurring simultaneously .", "spans": {}, "info": {"id": "cyner_mitre_train_02588", "source": "cyner_mitre_train"}} +{"text": "First , an activity named MainActivity fires up , taking care of hiding the icon and showing the fake notification .", "spans": {}, "info": {"id": "cyner_mitre_train_02589", "source": "cyner_mitre_train"}} +{"text": "It also starts an Android service named MainService .", "spans": {"System: Android": [[18, 25]]}, "info": {"id": "cyner_mitre_train_02590", "source": "cyner_mitre_train"}} +{"text": "The spyware also appears to have an additional payload stored under the /res/raw/ directory .", "spans": {}, "info": {"id": "cyner_mitre_train_02591", "source": "cyner_mitre_train"}} +{"text": "This is a common technique used by malware developers to bundle the main payload inside the Android package to avoid easy detection .", "spans": {"System: Android": [[92, 99]]}, "info": {"id": "cyner_mitre_train_02592", "source": "cyner_mitre_train"}} +{"text": "As seen in Figure 2 , the app tries to open the payload from the 
/res/raw/ directory and generate an additional Android Package Kit ( APK ) named .app.apk : Decoy Code Figure 2 : The decoy code for the fake TikTok .", "spans": {"System: Android Package Kit": [[112, 131]], "Indicator: .app.apk": [[146, 154]], "System: TikTok": [[207, 213]]}, "info": {"id": "cyner_mitre_train_02593", "source": "cyner_mitre_train"}} +{"text": "Upon analysis , we discovered that this is a decoy functionality and no new payload is generated .", "spans": {}, "info": {"id": "cyner_mitre_train_02594", "source": "cyner_mitre_train"}} +{"text": "The conditions to build an additional payload are never met .", "spans": {}, "info": {"id": "cyner_mitre_train_02595", "source": "cyner_mitre_train"}} +{"text": "Going one step further , we rebuilt the malware to execute the apparent functionality of generating a payload , but discovered that the APK stored in the /res/raw/ directory is empty .", "spans": {}, "info": {"id": "cyner_mitre_train_02596", "source": "cyner_mitre_train"}} +{"text": "The placement of the decoy functionality is likely designed to confuse the malware researchers .", "spans": {}, "info": {"id": "cyner_mitre_train_02597", "source": "cyner_mitre_train"}} +{"text": "It is also possible that this functionality is under development , making this placeholder code incomplete .", "spans": {}, "info": {"id": "cyner_mitre_train_02598", "source": "cyner_mitre_train"}} +{"text": "Coming back to the execution flow , once the spyware hides itself , it starts an Android service named MainService .", "spans": {"System: Android": [[81, 88]]}, "info": {"id": "cyner_mitre_train_02599", "source": "cyner_mitre_train"}} +{"text": "Android services are components that can be made to execute independently in the background without the victim 's knowledge .", "spans": {"System: Android": [[0, 7]]}, "info": {"id": "cyner_mitre_train_02600", "source": "cyner_mitre_train"}} +{"text": "MainService is the brain of this spyware and controls almost everything—from stealing 
the victim 's data to deleting it .", "spans": {}, "info": {"id": "cyner_mitre_train_02601", "source": "cyner_mitre_train"}} +{"text": "All of its capabilities are discussed later in this blog .", "spans": {}, "info": {"id": "cyner_mitre_train_02602", "source": "cyner_mitre_train"}} +{"text": "Hide Icon Figure 3 : Code showing the hiding icon and starting service .", "spans": {}, "info": {"id": "cyner_mitre_train_02603", "source": "cyner_mitre_train"}} +{"text": "As MainService is the main controller , the developer has taken the appropriate actions to keep it functional and running at all times .", "spans": {}, "info": {"id": "cyner_mitre_train_02604", "source": "cyner_mitre_train"}} +{"text": "The malware developer uses various tactics to do so , and one of them is using Android 's broadcast receivers .", "spans": {"System: Android": [[79, 86]]}, "info": {"id": "cyner_mitre_train_02605", "source": "cyner_mitre_train"}} +{"text": "Broadcast receivers are components that allow you to register for various Android events .", "spans": {"System: Android": [[74, 81]]}, "info": {"id": "cyner_mitre_train_02606", "source": "cyner_mitre_train"}} +{"text": "In this case , it registers three broadcast receivers : MyReceiver - Triggers when the device is booted .", "spans": {}, "info": {"id": "cyner_mitre_train_02607", "source": "cyner_mitre_train"}} +{"text": "Intercept Call - Triggers on incoming and outgoing calls .", "spans": {}, "info": {"id": "cyner_mitre_train_02608", "source": "cyner_mitre_train"}} +{"text": "AlarmReceiver - Triggers every three minutes .", "spans": {}, "info": {"id": "cyner_mitre_train_02609", "source": "cyner_mitre_train"}} +{"text": "MyReceiver and AlarmReceiver start the MainService whenever appropriate events occur .", "spans": {}, "info": {"id": "cyner_mitre_train_02610", "source": "cyner_mitre_train"}} +{"text": "This tactic is very common among malware developers to ensure the malware is not killed by the Android OS or by any other means .", 
"spans": {"System: Android": [[95, 102]]}, "info": {"id": "cyner_mitre_train_02611", "source": "cyner_mitre_train"}} +{"text": "Figure 4 shows MyReceiver in action where it eventually calls the MainService service .", "spans": {}, "info": {"id": "cyner_mitre_train_02612", "source": "cyner_mitre_train"}} +{"text": "Broadcast Receiver Figure 4 : MyReceiver broadcast receiver .", "spans": {}, "info": {"id": "cyner_mitre_train_02613", "source": "cyner_mitre_train"}} +{"text": "The InterceptCall receiver is triggered whenever there is an incoming or outgoing call .", "spans": {}, "info": {"id": "cyner_mitre_train_02614", "source": "cyner_mitre_train"}} +{"text": "It sets particular parameters in relation to call details and a further service named calls takes the control as seen in Figure 5 .", "spans": {}, "info": {"id": "cyner_mitre_train_02615", "source": "cyner_mitre_train"}} +{"text": "Call Service Figure 5 : Code for the calls service As seen above , the calls service stores incoming call details in .mp3 format in the /sdcard/DCIM/.dat/ directory with file name appended with \" In_ '' for incoming calls and \" Out_ '' for outgoing calls .", "spans": {}, "info": {"id": "cyner_mitre_train_02616", "source": "cyner_mitre_train"}} +{"text": "How these recorded calls are sent to the command and control server ( CnC ) is taken care of by MainService , which is discussed next .", "spans": {}, "info": {"id": "cyner_mitre_train_02617", "source": "cyner_mitre_train"}} +{"text": "MainService is the central controller of this spyware .", "spans": {}, "info": {"id": "cyner_mitre_train_02618", "source": "cyner_mitre_train"}} +{"text": "It controls each and every functionality based on the commands sent by the command and control ( C & C ) server .", "spans": {}, "info": {"id": "cyner_mitre_train_02619", "source": "cyner_mitre_train"}} +{"text": "As soon as this service is started , it creates two processes that take care of connection and disconnection to the C & C server .", 
"spans": {}, "info": {"id": "cyner_mitre_train_02620", "source": "cyner_mitre_train"}} +{"text": "This functionality can be seen in Figure 6 .", "spans": {}, "info": {"id": "cyner_mitre_train_02621", "source": "cyner_mitre_train"}} +{"text": "TimerTask Figure 6 : The timer task .", "spans": {}, "info": {"id": "cyner_mitre_train_02622", "source": "cyner_mitre_train"}} +{"text": "MainService has the following capabilities : Steal SMS messages Send SMS messages Steal the victim 's location Capture photos Execute commands Capture screenshots Call phone numbers Initiate other apps Steal Facebook credentials , etc All of the above functionalities take place on the basis of commands sent by the attacker .", "spans": {"System: Facebook": [[208, 216]]}, "info": {"id": "cyner_mitre_train_02623", "source": "cyner_mitre_train"}} +{"text": "Stolen data is stored in external storage under the /DCIM/ directory with a hidden sub-directory named \" .dat '' .", "spans": {}, "info": {"id": "cyner_mitre_train_02624", "source": "cyner_mitre_train"}} +{"text": "Below is the list of all the commands catered by the C & C server .", "spans": {}, "info": {"id": "cyner_mitre_train_02625", "source": "cyner_mitre_train"}} +{"text": "Command Action Unistxcr Restart the app dowsizetr Send the file stored in the /sdcard/DCIM/.dat/ directory to the C & C server Caspylistx Get a list of all hidden files in the /DCIM/.dat/ directory spxcheck Check whether call details are collected by the spyware S8p8y0 Delete call details stored by the spyware screXmex Take screenshots of the device screen Batrxiops Check battery status L4oclOCMAWS Fetch the victim 's location GUIFXB Launch", "spans": {}, "info": {"id": "cyner_mitre_train_02626", "source": "cyner_mitre_train"}} +{"text": "the fake Facebook login page IODBSSUEEZ Send a file containing stolen Facebook credentials to the C & C server FdelSRRT Delete files containing stolen Facebook credentials chkstzeaw Launch Facebook LUNAPXER Launch apps according 
to the package name sent by the C & C server Gapxplister Get a list of all installed applications DOTRall8xxe Zip all the stolen files and store in the /DCIM/.dat/ directory Acouxacour Get a list of accounts on the victim 's device Fimxmiisx Open the camera", "spans": {"System: Facebook": [[9, 17], [70, 78], [151, 159], [189, 197]]}, "info": {"id": "cyner_mitre_train_02627", "source": "cyner_mitre_train"}} +{"text": "Scxreexcv4 Capture an image micmokmi8x Capture audio Yufsssp Get latitude and longitude GExCaalsss7 Get call logs PHOCAs7 Call phone numbers sent by the C & C server Gxextsxms Get a list of inbox SMS messages Msppossag Send SMS with message body sent by the C & C server Getconstactx Get a list of all contacts Rinxgosa Play a ringtone bithsssp64 Execute commands sent by the C & C server DOWdeletx Deletes", "spans": {}, "info": {"id": "cyner_mitre_train_02628", "source": "cyner_mitre_train"}} +{"text": "the file specified by the C & C server Deldatall8 Delete all files stored in the /sdcard/DCIM/.dat/ directory We do n't have the space to cover all of the commands , but let 's take a look at some of the major ones .", "spans": {}, "info": {"id": "cyner_mitre_train_02629", "source": "cyner_mitre_train"}} +{"text": "Facebook phishing One of the interesting features of this spyware is the ability to steal Facebook credentials using a fake login page , similar to phishing .", "spans": {"System: Facebook": [[0, 8], [90, 98]]}, "info": {"id": "cyner_mitre_train_02630", "source": "cyner_mitre_train"}} +{"text": "Upon receiving the command GUIFXB , the spyware launches a fake Facebook login page .", "spans": {"System: Facebook": [[64, 72]]}, "info": {"id": "cyner_mitre_train_02631", "source": "cyner_mitre_train"}} +{"text": "As soon as the victim tries to log in , it stores the victim 's credentials in /storage/0/DCIM/.fdat Facebook Login Figure 7 : Fake Facebook login The second command is IODBSSUEEZ , which further sends stolen credentials to the C & C server 
, as seen in Figure 8 .", "spans": {"System: Facebook": [[101, 109], [132, 140]]}, "info": {"id": "cyner_mitre_train_02632", "source": "cyner_mitre_train"}} +{"text": "Stolen Data Figure 8 : Sending data to the attacker .", "spans": {}, "info": {"id": "cyner_mitre_train_02633", "source": "cyner_mitre_train"}} +{"text": "This functionality can be easily further extended to steal other information , such as bank credentials , although we did not see any banks being targeted in this attack .", "spans": {}, "info": {"id": "cyner_mitre_train_02634", "source": "cyner_mitre_train"}} +{"text": "Calling functionality Command PHOCAs7 initiates calling functionality .", "spans": {}, "info": {"id": "cyner_mitre_train_02635", "source": "cyner_mitre_train"}} +{"text": "The number to call is received along with the command , as seen in Figure 9 .", "spans": {}, "info": {"id": "cyner_mitre_train_02636", "source": "cyner_mitre_train"}} +{"text": "Call Command Figure 9 : The calling functionality .", "spans": {}, "info": {"id": "cyner_mitre_train_02637", "source": "cyner_mitre_train"}} +{"text": "The phone number is fetched from a response from the C & C server and is stored in str3 variable , which further is utilized using the tel : function .", "spans": {}, "info": {"id": "cyner_mitre_train_02638", "source": "cyner_mitre_train"}} +{"text": "Stealing SMS The Gxextsxms command is responsible for fetching all the SMS messages from the victim 's device and sending it over to the C & C server .", "spans": {}, "info": {"id": "cyner_mitre_train_02639", "source": "cyner_mitre_train"}} +{"text": "Stealing SMS Figure 10 : Stealing SMS messages .", "spans": {}, "info": {"id": "cyner_mitre_train_02640", "source": "cyner_mitre_train"}} +{"text": "Similarly , there are many crucial commands that further allow this spyware to perform additional functionality , such as executing commands sent by the C & C , clicking photos , capturing screenshots , stealing location information , and more .", 
"spans": {}, "info": {"id": "cyner_mitre_train_02641", "source": "cyner_mitre_train"}} +{"text": "Further analysis Upon further research , we found this spyware to be developed by a framework similar to Spynote and Spymax , meaning this could be an updated version of these Trojan builders , which allow anyone , even with limited knowledge , to develop full-fledged spyware .", "spans": {"Malware: Spynote": [[105, 112]], "Malware: Spymax": [[117, 123]]}, "info": {"id": "cyner_mitre_train_02642", "source": "cyner_mitre_train"}} +{"text": "Many of the functionalities seen in this spyware are similar to Spynote and Spymax based on the samples we analyzed with some modifications .", "spans": {"Malware: Spynote": [[64, 71]], "Malware: Spymax": [[76, 82]]}, "info": {"id": "cyner_mitre_train_02643", "source": "cyner_mitre_train"}} +{"text": "This spyware sample communicates over dynamic DNS .", "spans": {}, "info": {"id": "cyner_mitre_train_02644", "source": "cyner_mitre_train"}} +{"text": "By doing so , attackers can easily set up the Trojan to communicate back to them without any need for high-end servers .", "spans": {}, "info": {"id": "cyner_mitre_train_02645", "source": "cyner_mitre_train"}} +{"text": "Other common functionalities include executing commands received from the attacker , taking screenshots of the victim 's device , fetching locations , stealing SMS messages and most common features that every spyware may poses .", "spans": {}, "info": {"id": "cyner_mitre_train_02646", "source": "cyner_mitre_train"}} +{"text": "Stealing Facebook credentials using fake Facebook activity is something we did n't observe in Spynote/Spymax versions but was seen in this spyware .", "spans": {"Organization: Facebook": [[9, 17], [41, 49]], "Malware: Spynote/Spymax": [[94, 108]]}, "info": {"id": "cyner_mitre_train_02647", "source": "cyner_mitre_train"}} +{"text": "This framework allows anyone to develop a malicious app with the desired icon and communication address .", "spans": 
{}, "info": {"id": "cyner_mitre_train_02648", "source": "cyner_mitre_train"}} +{"text": "Some of the icons used can be seen below .", "spans": {}, "info": {"id": "cyner_mitre_train_02649", "source": "cyner_mitre_train"}} +{"text": "We found 280 such apps in the past three months .", "spans": {}, "info": {"id": "cyner_mitre_train_02650", "source": "cyner_mitre_train"}} +{"text": "A complete list of hashes can be found here .", "spans": {}, "info": {"id": "cyner_mitre_train_02651", "source": "cyner_mitre_train"}} +{"text": "icons Figure 11 : Icons used to pose as famous apps .", "spans": {}, "info": {"id": "cyner_mitre_train_02652", "source": "cyner_mitre_train"}} +{"text": "All of these apps are developed by the same framework and hence have the same package name and certificate information as seen in Figure 12. certificate Figure 12 : Package name and certificate information .", "spans": {}, "info": {"id": "cyner_mitre_train_02653", "source": "cyner_mitre_train"}} +{"text": "Conclusion Due to the ubiquitous nature of mobile devices and the widespread use of Android , it is very easy for attackers to victimize Android users .", "spans": {"System: Android": [[84, 91], [137, 144]]}, "info": {"id": "cyner_mitre_train_02654", "source": "cyner_mitre_train"}} +{"text": "In such situations , mobile users should always take the utmost precautions while downloading any applications from the internet .", "spans": {}, "info": {"id": "cyner_mitre_train_02655", "source": "cyner_mitre_train"}} +{"text": "It is very easy to trick victims to fall for such attacks .", "spans": {}, "info": {"id": "cyner_mitre_train_02656", "source": "cyner_mitre_train"}} +{"text": "Users looking forward to using the TikTok app amidst the ban might look for alternative methods to download the app .", "spans": {"System: TikTok": [[35, 41]]}, "info": {"id": "cyner_mitre_train_02657", "source": "cyner_mitre_train"}} +{"text": "In doing so , users can mistakenly install malicious apps , such as the 
spyware mentioned in this blog .", "spans": {}, "info": {"id": "cyner_mitre_train_02658", "source": "cyner_mitre_train"}} +{"text": "The precautions you take online have been covered extensively in almost all of our blogs ; even so , we believe this information bears repeating .", "spans": {}, "info": {"id": "cyner_mitre_train_02659", "source": "cyner_mitre_train"}} +{"text": "Please follow these basic precautions during the current crisis—and at all times : Install apps only from official stores , such as Google Play .", "spans": {"System: Google Play": [[132, 143]]}, "info": {"id": "cyner_mitre_train_02660", "source": "cyner_mitre_train"}} +{"text": "Never click on unknown links received through ads , SMS messages , emails , or the like .", "spans": {}, "info": {"id": "cyner_mitre_train_02661", "source": "cyner_mitre_train"}} +{"text": "Always keep the \" Unknown Sources '' option disabled in the Android device .", "spans": {"System: Android": [[60, 67]]}, "info": {"id": "cyner_mitre_train_02662", "source": "cyner_mitre_train"}} +{"text": "This disallows apps to be installed on your device from unknown sources .", "spans": {}, "info": {"id": "cyner_mitre_train_02663", "source": "cyner_mitre_train"}} +{"text": "We would also like to mention that if you come across an app hiding it 's icon , always try to search for the app in your device settings ( by going to Settings - > Apps - > Search for icon that was hidden ) .", "spans": {}, "info": {"id": "cyner_mitre_train_02664", "source": "cyner_mitre_train"}} +{"text": "In the case of this spyware , search for app named TikTok Pro .", "spans": {"System: TikTok Pro": [[51, 61]]}, "info": {"id": "cyner_mitre_train_02665", "source": "cyner_mitre_train"}} +{"text": "MITRE TAGS Action Tag ID App auto-start at device boot T1402 Input prompt T1411 Capture SMS messages T1412 Application discovery T1418 Capture audio T1429 Location tracking T1430 Access contact list T1432 Access call log T1433 Commonly used port T1436 Standard 
application layer protocol T1437 Masquerage as legitimate application T1444 Suppress application icon T1508 Capture camera T1512 Screen capture T1513 Foreground persistence T1541 DualToy : New Windows Trojan Sideloads Risky Apps to Android and iOS Devices", "spans": {"Organization: MITRE": [[0, 5]], "Malware: DualToy": [[440, 447]], "System: Windows": [[454, 461]], "System: Android": [[493, 500]], "System: iOS": [[505, 508]]}, "info": {"id": "cyner_mitre_train_02666", "source": "cyner_mitre_train"}} +{"text": "By Claud Xiao September 13 , 2016 at 5:00 AM Over the past two years , we ’ ve observed many cases of Microsoft Windows and Apple iOS malware designed to attack mobile devices .", "spans": {"System: Microsoft Windows": [[102, 119]], "System: Apple iOS": [[124, 133]]}, "info": {"id": "cyner_mitre_train_02667", "source": "cyner_mitre_train"}} +{"text": "This attack vector is increasingly popular with malicious actors as almost everyone on the planet carries at least one mobile device they interact with throughout any given day .", "spans": {}, "info": {"id": "cyner_mitre_train_02668", "source": "cyner_mitre_train"}} +{"text": "Thanks to a relative lack of security controls applied to mobile devices , these devices have become very attractive targets for a broad range of malicious actors .", "spans": {}, "info": {"id": "cyner_mitre_train_02669", "source": "cyner_mitre_train"}} +{"text": "For example : WireLurker installed malicious apps on non-jailbroken iPhones Six different Trojan , Adware and HackTool families launched “ BackStab ” attacks to steal backup archives of iOS and BlackBerry devices The HackingTeam ’ s RCS delivered its Spyware from infected PCs and Macs to jailbroken iOS devices and BlackBerry phones Recently , we discovered another Windows Trojan we named “ DualToy ” which side loads malicious or risky apps to both Android and iOS devices via a USB connection .", "spans": {"Malware: WireLurker": [[14, 24]], "Malware: HackTool families": [[110, 
127]], "System: iOS": [[186, 189], [300, 303], [464, 467]], "System: BlackBerry": [[194, 204], [316, 326]], "Malware: HackingTeam": [[217, 228]], "Malware: RCS": [[233, 236]], "System: Windows": [[367, 374]], "Malware: DualToy": [[393, 400]], "System: Android": [[452, 459]], "System: USB": [[482, 485]]}, "info": {"id": "cyner_mitre_train_02670", "source": "cyner_mitre_train"}} +{"text": "When DualToy began to spread in January 2015 , it was only capable of infecting Android devices .", "spans": {"Malware: DualToy": [[5, 12]], "System: Android": [[80, 87]]}, "info": {"id": "cyner_mitre_train_02671", "source": "cyner_mitre_train"}} +{"text": "However , within six months the malicious actors added the capability to infect iOS devices .", "spans": {"System: iOS": [[80, 83]]}, "info": {"id": "cyner_mitre_train_02672", "source": "cyner_mitre_train"}} +{"text": "DualToy is still active and we have detected over 8,000 unique samples belonging to this Trojan family to date .", "spans": {"Malware: DualToy": [[0, 7]]}, "info": {"id": "cyner_mitre_train_02673", "source": "cyner_mitre_train"}} +{"text": "It mainly targets Chinese users , but has also successfully affected people and organizations in the United States , United Kingdom , Thailand , Spain , and Ireland .", "spans": {}, "info": {"id": "cyner_mitre_train_02674", "source": "cyner_mitre_train"}} +{"text": "Credential phishing and an Android banking Trojan combine in Austrian mobile attacks NOVEMBER 03 , 2017 Overview Credential phishing , banking Trojans , and credit card phishing schemes are common threats that we regularly observe both at scale and in more targeted attacks .", "spans": {"System: Android": [[27, 34]]}, "info": {"id": "cyner_mitre_train_02675", "source": "cyner_mitre_train"}} +{"text": "However , Proofpoint researchers have recently observed phishing attacks that incorporate all of these elements in a single , multistep scheme involving the Marcher Android banking Trojan targeting customers of large 
Austrian banks .", "spans": {"Organization: Proofpoint": [[10, 20]], "Malware: Marcher": [[157, 164]]}, "info": {"id": "cyner_mitre_train_02676", "source": "cyner_mitre_train"}} +{"text": "Attacks involving Marcher have become increasingly sophisticated , with documented cases involving multiple attack vectors and a variety of targeted financial services and communication platforms [ 1 ] [ 2 ] .", "spans": {"Malware: Marcher": [[18, 25]]}, "info": {"id": "cyner_mitre_train_02677", "source": "cyner_mitre_train"}} +{"text": "In this case , a threat actor has been targeting customers of Bank Austria , Raiffeisen Meine Bank , and Sparkasse since at least January 2017 .", "spans": {}, "info": {"id": "cyner_mitre_train_02678", "source": "cyner_mitre_train"}} +{"text": "The attacks described here begin with a banking credential phishing scheme , followed by an attempt to trick the victim into installing Marcher , and finally with attempts to steal credit card information by the banking Trojan itself .", "spans": {"Malware: Marcher": [[136, 143]]}, "info": {"id": "cyner_mitre_train_02679", "source": "cyner_mitre_train"}} +{"text": "Analysis Marcher is frequently distributed via SMS , but in this case , victims are presented with a link in an email .", "spans": {"Malware: Marcher": [[9, 16]]}, "info": {"id": "cyner_mitre_train_02680", "source": "cyner_mitre_train"}} +{"text": "Oftentimes , the emailed link is a bit.ly shortened link , used to potentially evade detection .", "spans": {}, "info": {"id": "cyner_mitre_train_02681", "source": "cyner_mitre_train"}} +{"text": "The link leads to a phishing page that asks for banking login credentials or an account number and PIN .", "spans": {}, "info": {"id": "cyner_mitre_train_02682", "source": "cyner_mitre_train"}} +{"text": "Figure 1 shows one such landing page using stolen branding from Bank Austria .", "spans": {}, "info": {"id": "cyner_mitre_train_02683", "source": "cyner_mitre_train"}} +{"text": "Figure 1 : Landing page for 
phishing scheme asking for the victim ’ s signatory number and PIN using stolen branding from Bank Austria Because the actor delivered phishing links using the bit.ly URL shortener , we can access delivery statistics for this particular campaign .", "spans": {"System: Bank Austria": [[122, 134]], "Indicator: bit.ly": [[188, 194]]}, "info": {"id": "cyner_mitre_train_02684", "source": "cyner_mitre_train"}} +{"text": "The link resolves to a URL designed to appear legitimate , with a canonical domain of sicher97140 [ .", "spans": {"Indicator: sicher97140 [ .": [[86, 101]]}, "info": {"id": "cyner_mitre_train_02685", "source": "cyner_mitre_train"}} +{"text": "] info including the “ bankaustria ” brand .", "spans": {}, "info": {"id": "cyner_mitre_train_02686", "source": "cyner_mitre_train"}} +{"text": "Figure 2 : Bit.ly statistics for a phishing landing page targeting Bank Austria customers The actor appears to have recently begun using “ .top ” top-level domains ( TLDs ) for their phishing landing pages and have implemented a consistent naming structure as shown below .", "spans": {"Indicator: Bit.ly": [[11, 17]], "System: Bank Austria": [[67, 79]]}, "info": {"id": "cyner_mitre_train_02687", "source": "cyner_mitre_train"}} +{"text": "Earlier this year , the actor used “ .pw ” TLDs while the Bank Austria scheme highlighted above used “ .info ” .", "spans": {"System: Bank Austria": [[58, 70]]}, "info": {"id": "cyner_mitre_train_02688", "source": "cyner_mitre_train"}} +{"text": "Some recent campaigns against other bank customers also used “ .gdn ” TLDs .", "spans": {}, "info": {"id": "cyner_mitre_train_02689", "source": "cyner_mitre_train"}} +{"text": "Other attacks on Bank Austria customers that we observed resolved to the following .top domains : Oct 23 , 2017 hxxp : //online.bankaustria.at.id8817062 [ .", "spans": {"System: Bank Austria": [[17, 29]], "Indicator: hxxp : //online.bankaustria.at.id8817062 [ .": [[112, 156]]}, "info": {"id": "cyner_mitre_train_02690", 
"source": "cyner_mitre_train"}} +{"text": "] top/ Oct 23 , 2017 hxxp : //online.bankaustria.at.id8817461 [ .", "spans": {"Indicator: hxxp : //online.bankaustria.at.id8817461 [ .": [[21, 65]]}, "info": {"id": "cyner_mitre_train_02691", "source": "cyner_mitre_train"}} +{"text": "] top/ Oct 23 , 2017 hxxp : //online.bankaustria.at.id8817465 [ .", "spans": {"Indicator: hxxp : //online.bankaustria.at.id8817465 [ .": [[21, 65]]}, "info": {"id": "cyner_mitre_train_02692", "source": "cyner_mitre_train"}} +{"text": "] top/ Oct 23 , 2017 hxxp : //online.bankaustria.at.id8817466 [ .", "spans": {"Indicator: hxxp : //online.bankaustria.at.id8817466 [ .": [[21, 65]]}, "info": {"id": "cyner_mitre_train_02693", "source": "cyner_mitre_train"}} +{"text": "] top/ Oct 23 , 2017 hxxp : //online.bankaustria.at.id8817469 [ .", "spans": {"Indicator: hxxp : //online.bankaustria.at.id8817469 [ .": [[21, 65]]}, "info": {"id": "cyner_mitre_train_02694", "source": "cyner_mitre_train"}} +{"text": "] top/ Oct 17 , 2017 hxxp : //online.bankaustria.at.id58712 [ .", "spans": {"Indicator: hxxp : //online.bankaustria.at.id58712 [ .": [[21, 63]]}, "info": {"id": "cyner_mitre_train_02695", "source": "cyner_mitre_train"}} +{"text": "] top/ Oct 17 , 2017 hxxp : //online.bankaustria.at.id58717 [ .", "spans": {"Indicator: hxxp : //online.bankaustria.at.id58717 [ .": [[21, 63]]}, "info": {"id": "cyner_mitre_train_02696", "source": "cyner_mitre_train"}} +{"text": "] top/ Oct 17 , 2017 hxxp : //online.bankaustria.at.id58729 [ .", "spans": {"Indicator: hxxp : //online.bankaustria.at.id58729 [ .": [[21, 63]]}, "info": {"id": "cyner_mitre_train_02697", "source": "cyner_mitre_train"}} +{"text": "] top/ Oct 17 , 2017 hxxp : //online.bankaustria.at.id58729 [ .", "spans": {"Indicator: hxxp : //online.bankaustria.at.id58729 [ .": [[21, 63]]}, "info": {"id": "cyner_mitre_train_02698", "source": "cyner_mitre_train"}} +{"text": "] top/ Oct 17 , 2017 hxxp : //online.bankaustria.at.id87721 [ .", "spans": {"Indicator: hxxp 
: //online.bankaustria.at.id87721 [ .": [[21, 63]]}, "info": {"id": "cyner_mitre_train_02699", "source": "cyner_mitre_train"}} +{"text": "] top/ Oct 17 , 2017 hxxp : //online.bankaustria.at.id87726 [ .", "spans": {"Indicator: hxxp : //online.bankaustria.at.id87726 [ .": [[21, 63]]}, "info": {"id": "cyner_mitre_train_02700", "source": "cyner_mitre_train"}} +{"text": "] top/ These permutations of TLDs and canonical domains incorporating the legitimate domain expected by the targeted banking customers exemplifies recent trends in social engineering by threat actors .", "spans": {}, "info": {"id": "cyner_mitre_train_02701", "source": "cyner_mitre_train"}} +{"text": "Just as threat actors may use stolen branding in their email lures to trick potential victims , they reproduce a legitimate domain name in a fraudulent domain that is not controlled by the bank .", "spans": {}, "info": {"id": "cyner_mitre_train_02702", "source": "cyner_mitre_train"}} +{"text": "Once the victim enters their account information on the landing page , the phishing attack then requests that the user log in with their email address and phone number .", "spans": {}, "info": {"id": "cyner_mitre_train_02703", "source": "cyner_mitre_train"}} +{"text": "Figure 3 : Step two of the credential phish asking for the victim ’ s email address and phone number Having stolen the victim ’ s account and personal information , the scammer introduces a social engineering scheme , informing users that they currently do not have the “ Bank Austria Security App ” installed on their smartphone and must download it to proceed .", "spans": {"System: Bank Austria Security App": [[272, 297]]}, "info": {"id": "cyner_mitre_train_02704", "source": "cyner_mitre_train"}} +{"text": "Figure 4 shows the download prompt for this fake app ; an English translation follows .", "spans": {}, "info": {"id": "cyner_mitre_train_02705", "source": "cyner_mitre_train"}} +{"text": "Figure 4 : Alert prompting the victim to download an Android 
banking app ( English translation below ) , with stolen branding and fraudulent copy * * * Translation * * * Dear Customer , The system has detected that the Bank Austria Security App is not installed on your smartphone .", "spans": {"System: Android banking app": [[53, 72]], "System: Bank Austria Security App": [[219, 244]]}, "info": {"id": "cyner_mitre_train_02706", "source": "cyner_mitre_train"}} +{"text": "Due to new EU money laundering guidelines , the new Bank Austria security app is mandatory for all customers who have a mobile phone number in our system .", "spans": {"Organization: EU": [[11, 13]], "System: Bank Austria security app": [[52, 77]]}, "info": {"id": "cyner_mitre_train_02707", "source": "cyner_mitre_train"}} +{"text": "Please install the app immediately to avoid blocking your account .", "spans": {}, "info": {"id": "cyner_mitre_train_02708", "source": "cyner_mitre_train"}} +{"text": "Follow the instructions at the bottom of this page .", "spans": {}, "info": {"id": "cyner_mitre_train_02709", "source": "cyner_mitre_train"}} +{"text": "Why you need the Bank Austria Security App : Due to outdated technology of the mobile network important data such as mTan SMS and online banking connections are transmitted unencrypted .", "spans": {"System: Bank Austria Security App": [[17, 42]]}, "info": {"id": "cyner_mitre_train_02710", "source": "cyner_mitre_train"}} +{"text": "Our security app allows us to transmit this sensitive data encrypted to you , thus increasing the security that you will not suffer any financial loss .", "spans": {}, "info": {"id": "cyner_mitre_train_02711", "source": "cyner_mitre_train"}} +{"text": "Step 1 : Download Bank Austria Security App Download the Bank Austria security app to your Android device .", "spans": {"System: Bank Austria Security App": [[18, 43]]}, "info": {"id": "cyner_mitre_train_02712", "source": "cyner_mitre_train"}} +{"text": "To do this , open the displayed link on your mobile phone by typing in the URL field of 
your browser or scan the displayed QR code .", "spans": {}, "info": {"id": "cyner_mitre_train_02713", "source": "cyner_mitre_train"}} +{"text": "* * * End translation * * * The phishing template then presents additional instructions for installing the fake security application ( Figure 5 ) : Figure 5 : Additional instructions telling the victim to give the app the requested permissions ( English translation below ) , with stolen branding and fraudulent copy * * * Translation * * * Step 2 : Allow installation Open your device 's settings , select Security or Applications ( depending on the device ) , and check Unknown sources .", "spans": {}, "info": {"id": "cyner_mitre_train_02714", "source": "cyner_mitre_train"}} +{"text": "Step 3 : Run installation Start the Bank Austria security app from the notifications or your download folder , tap Install .", "spans": {"System: Bank Austria security app": [[36, 61]]}, "info": {"id": "cyner_mitre_train_02715", "source": "cyner_mitre_train"}} +{"text": "After successful installation , tap Open and enable the device administrator .", "spans": {}, "info": {"id": "cyner_mitre_train_02716", "source": "cyner_mitre_train"}} +{"text": "Finished !", "spans": {}, "info": {"id": "cyner_mitre_train_02717", "source": "cyner_mitre_train"}} +{"text": "* * * End translation * * * Referring again to bit.ly , we can see click statistics for this campaign ( Figure 6 ) .", "spans": {"Indicator: bit.ly": [[47, 53]]}, "info": {"id": "cyner_mitre_train_02718", "source": "cyner_mitre_train"}} +{"text": "Figure 6 : bit.ly statistics for the fake Bank Austria Android app download link From this small sample , we see that 7 % of visitors clicked through to download the application , which is actually a version of the Marcher banking Trojan named “ BankAustria.apk ” , continuing the fraudulent use of the bank ’ s branding to fool potential victims .", "spans": {"Indicator: bit.ly": [[11, 17]], "System: Bank Austria Android app": [[42, 66]], "Malware: 
Marcher banking Trojan": [[215, 237]], "Indicator: BankAustria.apk": [[246, 261]]}, "info": {"id": "cyner_mitre_train_02719", "source": "cyner_mitre_train"}} +{"text": "This sample is similar to those presented in other recent Marcher analyses [ 1 ] [ 2 ] .", "spans": {"Malware: Marcher": [[58, 65]]}, "info": {"id": "cyner_mitre_train_02720", "source": "cyner_mitre_train"}} +{"text": "This particular application is signed with a fake certificate : Owner : CN=Unknown , OU=Unknown , O=Unknown , L=Unknown , ST=Unknown , C=Unknown Issuer CN=Unknown , OU=Unknown , O=Unknown , L=Unknown , ST=Unknown , C=Unknown Serial : 1c9157d7 Validity : 11/02/2017 00:16:46 03/20/2045 00:16:46 MD5 Hash : A8:55:46:32:15", "spans": {"Indicator: A8:55:46:32:15": [[305, 319]]}, "info": {"id": "cyner_mitre_train_02721", "source": "cyner_mitre_train"}} +{"text": ": A9 : D5:95 : A9:91 : C2:91:77:5D:30 : F6 SHA1 Hash : 32:17 : E9:7E:06 : FE:5D:84 : BE:7C:14:0C : C6:2B:12:85 : E7:03:9A:5F The app requests extensive permissions during installation that enable a range of activities supported by the malware .", "spans": {"Indicator: 32:17 : E9:7E:06 : FE:5D:84 : BE:7C:14:0C : C6:2B:12:85 : E7:03:9A:5F": [[55, 124]]}, "info": {"id": "cyner_mitre_train_02722", "source": "cyner_mitre_train"}} +{"text": "Those permission shown in bold below are the most problematic : Allows an application to write to external storage .", "spans": {}, "info": {"id": "cyner_mitre_train_02723", "source": "cyner_mitre_train"}} +{"text": "Allows an application to read from external storage .", "spans": {}, "info": {"id": "cyner_mitre_train_02724", "source": "cyner_mitre_train"}} +{"text": "Allows an application to use SIP service .", "spans": {}, "info": {"id": "cyner_mitre_train_02725", "source": "cyner_mitre_train"}} +{"text": "Allows an application to collect battery statistics Allows an app to access precise location .", "spans": {}, "info": {"id": "cyner_mitre_train_02726", "source": "cyner_mitre_train"}} +{"text": 
"Allows an application to receive SMS messages .", "spans": {}, "info": {"id": "cyner_mitre_train_02727", "source": "cyner_mitre_train"}} +{"text": "Allows an application to send SMS messages .", "spans": {}, "info": {"id": "cyner_mitre_train_02728", "source": "cyner_mitre_train"}} +{"text": "Allows an application to read SMS messages .", "spans": {}, "info": {"id": "cyner_mitre_train_02729", "source": "cyner_mitre_train"}} +{"text": "Allows an application to write SMS messages .", "spans": {}, "info": {"id": "cyner_mitre_train_02730", "source": "cyner_mitre_train"}} +{"text": "Allows an application to initiate a phone call without going through the Dialer user interface for the user to confirm the call .", "spans": {}, "info": {"id": "cyner_mitre_train_02731", "source": "cyner_mitre_train"}} +{"text": "Allows applications to access information about networks .", "spans": {}, "info": {"id": "cyner_mitre_train_02732", "source": "cyner_mitre_train"}} +{"text": "Allows applications to open network sockets .", "spans": {}, "info": {"id": "cyner_mitre_train_02733", "source": "cyner_mitre_train"}} +{"text": "Allows an application to read the user 's contacts data .", "spans": {}, "info": {"id": "cyner_mitre_train_02734", "source": "cyner_mitre_train"}} +{"text": "Allows an application to read or write the system settings .", "spans": {}, "info": {"id": "cyner_mitre_train_02735", "source": "cyner_mitre_train"}} +{"text": "Allows an application to force the device to lock Allows applications to access information about Wi-Fi networks .", "spans": {}, "info": {"id": "cyner_mitre_train_02736", "source": "cyner_mitre_train"}} +{"text": "Allows applications to change Wi-Fi connectivity state .", "spans": {}, "info": {"id": "cyner_mitre_train_02737", "source": "cyner_mitre_train"}} +{"text": "Allows applications to change network connectivity state .", "spans": {}, "info": {"id": "cyner_mitre_train_02738", "source": "cyner_mitre_train"}} +{"text": "Analysis of the malware shows 
that it uses the common string obfuscation of character replacement ( Figure 7 ) : Figure 7 : Encoded Marcher Strings Figure 8 : Decoded Marcher Strings As noted , the application requests extensive permissions during installation ; Figure 9 shows the request to act as device administrator , a particular permission that should very rarely be granted to an app .", "spans": {"Malware: Marcher": [[132, 139], [167, 174]]}, "info": {"id": "cyner_mitre_train_02739", "source": "cyner_mitre_train"}} +{"text": "Figure 9 : Prompt for application permissions upon installation Figures 10 and 11 show the other permission screens for the app : Figure 10 Figure 10 : Part 1 of the permission screen for the app Figure 11 : Part 2 of the permission screen for the app Once installed the app will place a legitimate looking icon on the phone ’ s home screen , again using branding stolen from the bank .", "spans": {}, "info": {"id": "cyner_mitre_train_02740", "source": "cyner_mitre_train"}} +{"text": "Figure 12 : Fake Bank Austria Security application icon In addition to operating as a banking Trojan , overlaying a legitimate banking app with an indistinguishable credential theft page , the malware also asks for credit card information from the user when they open applications such as the Google Play store .", "spans": {"System: Fake Bank Austria Security application": [[12, 50]], "System: Google Play": [[293, 304]]}, "info": {"id": "cyner_mitre_train_02741", "source": "cyner_mitre_train"}} +{"text": "Figure 13 : Popup asking for a credit card number The application also supports stealing credit card verification information ( Figures 14 and 15 ) .", "spans": {}, "info": {"id": "cyner_mitre_train_02742", "source": "cyner_mitre_train"}} +{"text": "Figure 14 : Information theft via fake credit card verification using stolen branding Figure 15 : Information theft via fake credit card verification using stolen branding Some of the campaigns appear to have a wider reach based on bit.ly 
statistics like this one from October 13 , 2017 : Figure 16 : bit.ly statistics for an October 13 , 2017 campaign Over several days during the last three months , Proofpoint researchers observed campaigns using similar techniques targeting the banking customers of Raffeisen and Sparkasse .", "spans": {"Indicator: bit.ly": [[232, 238], [301, 307]], "Organization: Proofpoint": [[402, 412]]}, "info": {"id": "cyner_mitre_train_02743", "source": "cyner_mitre_train"}} +{"text": "A review of the bit.ly statistics for these campaigns shows that they were at least as effective in driving end-user clicks as the Bank Austria campaign analyzed above .", "spans": {"Indicator: bit.ly": [[16, 22]], "System: Bank Austria": [[131, 143]]}, "info": {"id": "cyner_mitre_train_02744", "source": "cyner_mitre_train"}} +{"text": "Conclusion As our computing increasingly crosses multiple screens , we should expect to see threats extending across mobile and desktop environments .", "spans": {}, "info": {"id": "cyner_mitre_train_02745", "source": "cyner_mitre_train"}} +{"text": "Moreover , as we use mobile devices to access the web and phishing templates extend to mobile environments , we should expect to see a greater variety of integrated threats like the scheme we detail here .", "spans": {}, "info": {"id": "cyner_mitre_train_02746", "source": "cyner_mitre_train"}} +{"text": "As on the desktop , mobile users need to be wary of installing applications from outside of legitimate app stores and sources and be on the lookout for bogus banking sites that ask for more information than users would normally provide on legitimate sites .", "spans": {}, "info": {"id": "cyner_mitre_train_02747", "source": "cyner_mitre_train"}} +{"text": "Unusual domains , the use of URL shorteners , and solicitations that do not come from verifiable sources are also red flags for potential phishing and malware .", "spans": {}, "info": {"id": "cyner_mitre_train_02748", "source": "cyner_mitre_train"}} +{"text": "Ginp - 
A malware patchwork borrowing from Anubis November 2019 Intro ThreatFabric analysts have recently investigated an interesting new strain of banking malware .", "spans": {"Malware: Ginp": [[0, 4]], "Malware: Anubis": [[42, 48]], "System: ThreatFabric": [[69, 81]]}, "info": {"id": "cyner_mitre_train_02749", "source": "cyner_mitre_train"}} +{"text": "The malware was first spotted by Tatyana Shishkova from Kaspersky by end October 2019 , but actually dates back to June 2019 .", "spans": {"Organization: Kaspersky": [[56, 65]]}, "info": {"id": "cyner_mitre_train_02750", "source": "cyner_mitre_train"}} +{"text": "It is still under active development , with at least 5 different versions of the Trojan released within the last 5 months ( June - November 2019 ) .", "spans": {}, "info": {"id": "cyner_mitre_train_02751", "source": "cyner_mitre_train"}} +{"text": "What makes Ginp stand out is that it was built from scratch being expanded through regular updates , the last of which including code copied from the infamous Anubis banking Trojan , indicating that its author is cherry-picking the most relevant functionality for its malware .", "spans": {"Malware: Ginp": [[11, 15]], "Malware: Anubis": [[159, 165]]}, "info": {"id": "cyner_mitre_train_02752", "source": "cyner_mitre_train"}} +{"text": "In addition , its original target list is extremely narrow and seems to be focused on Spanish banks .", "spans": {}, "info": {"id": "cyner_mitre_train_02753", "source": "cyner_mitre_train"}} +{"text": "Last but not least , all the overlay screens ( injects ) for the banks include two steps ; first stealing the victim ’ s login credentials , then their credit card details .", "spans": {}, "info": {"id": "cyner_mitre_train_02754", "source": "cyner_mitre_train"}} +{"text": "Although multi-step overlays are not something new , their usage is generally limited to avoid raising suspicion .", "spans": {}, "info": {"id": "cyner_mitre_train_02755", "source": "cyner_mitre_train"}} +{"text": 
"Evolution The initial version of the malware dates back to early June 2019 , masquerading as a “ Google Play Verificator ” app .", "spans": {"System: Google Play Verificator": [[97, 120]]}, "info": {"id": "cyner_mitre_train_02756", "source": "cyner_mitre_train"}} +{"text": "At that time , Ginp was a simple SMS stealer whose purpose was only to send a copy of incoming and outgoing SMS messages to the C2 server .", "spans": {"Malware: Ginp": [[15, 19]]}, "info": {"id": "cyner_mitre_train_02757", "source": "cyner_mitre_train"}} +{"text": "A couple of months later , in August 2019 , a new version was released with additional banking-specific features .", "spans": {}, "info": {"id": "cyner_mitre_train_02758", "source": "cyner_mitre_train"}} +{"text": "This and following versions were masquerading as fake “ Adobe Flash Player ” apps .", "spans": {"System: Adobe Flash Player": [[56, 74]]}, "info": {"id": "cyner_mitre_train_02759", "source": "cyner_mitre_train"}} +{"text": "The malware was able to perform overlay attacks and become the default SMS app through the abuse of the Accessibility Service .", "spans": {}, "info": {"id": "cyner_mitre_train_02760", "source": "cyner_mitre_train"}} +{"text": "The overlay consisted of a generic credit card grabber targeting social and utility apps , such as Google Play , Facebook , WhatsApp , Chrome , Skype , Instagram and Twitter .", "spans": {"System: Google Play": [[99, 110]], "System: Facebook": [[113, 121]], "System: WhatsApp": [[124, 132]], "System: Chrome": [[135, 141]], "System: Skype": [[144, 149]], "System: Instagram": [[152, 161]], "System: Twitter": [[166, 173]]}, "info": {"id": "cyner_mitre_train_02761", "source": "cyner_mitre_train"}} +{"text": "Although early versions had some basic code and string obfuscation , protection of the third version of the malware was enhanced with the use of payload obfuscation .", "spans": {}, "info": {"id": "cyner_mitre_train_02762", "source": "cyner_mitre_train"}} +{"text": "The 
capabilities remained unchanged , but a new endpoint was added to the Trojan C2 allowing it to handle the generic card grabber overlay and specific target overlays ( banking apps ) separately .", "spans": {}, "info": {"id": "cyner_mitre_train_02763", "source": "cyner_mitre_train"}} +{"text": "In addition , the credit card grabber target list was expanded with Snapchat and Viber .", "spans": {"System: Snapchat": [[68, 76]], "System: Viber": [[81, 86]]}, "info": {"id": "cyner_mitre_train_02764", "source": "cyner_mitre_train"}} +{"text": "In the third version spotted in the wild , the author introduced parts of the source code of the infamous Anubis Trojan ( which was leaked earlier in 2019 ) .", "spans": {"Malware: Anubis": [[106, 112]]}, "info": {"id": "cyner_mitre_train_02765", "source": "cyner_mitre_train"}} +{"text": "This change came hand in hand with a new overlay target list , no longer targeting social apps , but focusing on banking instead .", "spans": {}, "info": {"id": "cyner_mitre_train_02766", "source": "cyner_mitre_train"}} +{"text": "A remarkable fact is that all the targeted apps relate to Spanish banks , including targets never seen before in any other Android banking Trojan .", "spans": {"System: Android": [[123, 130]]}, "info": {"id": "cyner_mitre_train_02767", "source": "cyner_mitre_train"}} +{"text": "The 24 target apps belong to 7 different Spanish banks : Caixa bank , Bankinter , Bankia , BBVA , EVO Banco , Kutxabank and Santander .", "spans": {"System: Caixa bank": [[57, 67]], "System: Bankinter": [[70, 79]], "System: Bankia": [[82, 88]], "System: BBVA": [[91, 95]], "System: EVO Banco": [[98, 107]], "System: Kutxabank": [[110, 119]], "System: Santander": [[124, 133]]}, "info": {"id": "cyner_mitre_train_02768", "source": "cyner_mitre_train"}} +{"text": "The specific apps can be found in the target list in the appendix .", "spans": {}, "info": {"id": "cyner_mitre_train_02769", "source": "cyner_mitre_train"}} +{"text": "The most recent version of 
Ginp ( at the time of writing ) was detected at the end of November 2019 .", "spans": {"Malware: Ginp": [[27, 31]]}, "info": {"id": "cyner_mitre_train_02770", "source": "cyner_mitre_train"}} +{"text": "This version has some small modifications which seems to be unused , as the malware behaviour is the same as the previous version .", "spans": {}, "info": {"id": "cyner_mitre_train_02771", "source": "cyner_mitre_train"}} +{"text": "The author has introduced the capability to grant the app the device admin permission .", "spans": {}, "info": {"id": "cyner_mitre_train_02772", "source": "cyner_mitre_train"}} +{"text": "Additionally new endpoint was added that seems related to downloading a module for the malware , probably with new features or configuration .", "spans": {}, "info": {"id": "cyner_mitre_train_02773", "source": "cyner_mitre_train"}} +{"text": "How it works When the malware is first started on the device it will begin by removing its icon from the app drawer , hiding from the end user .", "spans": {}, "info": {"id": "cyner_mitre_train_02774", "source": "cyner_mitre_train"}} +{"text": "In the second step it asks the victim for the Accessibility Service privilege as visible in following screenshot : Ginp Accessibility request Once the user grants the requested Accessibility Service privilege , Ginp starts by granting itself additional permissions , such as ( dynamic ) permissions required in order to be able to send messages and make calls , without requiring any further action from the victim .", "spans": {"Malware: Ginp": [[115, 119], [211, 215]]}, "info": {"id": "cyner_mitre_train_02775", "source": "cyner_mitre_train"}} +{"text": "When done , the bot is functional and ready to receive commands and perform overlay attacks .", "spans": {}, "info": {"id": "cyner_mitre_train_02776", "source": "cyner_mitre_train"}} +{"text": "The commands supported by the most recent version of the bot are listed below .", "spans": {}, "info": {"id": "cyner_mitre_train_02777", 
"source": "cyner_mitre_train"}} +{"text": "As can be observed , the possibilities offered by the bot are pretty common .", "spans": {}, "info": {"id": "cyner_mitre_train_02778", "source": "cyner_mitre_train"}} +{"text": "Command Description SEND_SMS Send an SMS from the bot to a specific number NEW_URL Update the C2 URL KILL Disable the bot PING_DELAY Update interval between each ping request CLEAN_IGNORE_PKG Empty list of overlayed apps WRITE_INJECTS Update target list READ_INJECTS Get current target list START_ADMIN Request Device Admin privileges ALL_SMS Get all SMS messages DISABLE_ACCESSIBILITY Stop preventing user from disabling the accessibility service ENABLE_ACCESSIBILITY Prevent user from disabling", "spans": {}, "info": {"id": "cyner_mitre_train_02779", "source": "cyner_mitre_train"}} +{"text": "the accessibility service ENABLE_HIDDEN_SMS Set malware as default SMS app DISABLE_HIDDEN_SMS Remove malware as default SMS app ENABLE_EXTENDED_INJECT Enable overlay attacks DISABLE_EXTENDED_INJECT Disable overlay attacks ENABLE_CC_GRABBER Enable the Google Play overlay DISABLE_CC_GRABBER Disable the Google Play overlay START_DEBUG Enable debugging GET_LOGCAT Get logs from the device STOP_DEBUG Disable debugging GET_APPS", "spans": {"System: Google Play": [[251, 262], [302, 313]]}, "info": {"id": "cyner_mitre_train_02780", "source": "cyner_mitre_train"}} +{"text": "Get installed applications GET_CONTACTS Get contacts SEND_BULK_SMS Send SMS to multiple numbers UPDATE_APK Not implemented INJECT_PACKAGE Add new overlay target CALL_FORWARD Enable/disable call forwarding START_PERMISSIONS Starts request for additional permissions ( Accessibility privileges , battery optimizations bypass , dynamic permissions ) Features The most recent version of Ginp has the same capabilities as most other Android banking Trojans , such as the use of overlay attacks , SMS control and contact", "spans": {"System: Android": [[428, 435]]}, "info": {"id": "cyner_mitre_train_02781", 
"source": "cyner_mitre_train"}} +{"text": "list harvesting .", "spans": {}, "info": {"id": "cyner_mitre_train_02782", "source": "cyner_mitre_train"}} +{"text": "Overall , it has a fairly common feature list , but it is expected to expand in future updates .", "spans": {}, "info": {"id": "cyner_mitre_train_02783", "source": "cyner_mitre_train"}} +{"text": "Since Ginp is already using some code from the Anubis Trojan , it is quite likely that other , more advanced features from Anubis or other malware , such as a back-connect proxy , screen-streaming and RAT will also be added in the future .", "spans": {"Malware: Anubis": [[47, 53]], "System: Anubis": [[123, 129]]}, "info": {"id": "cyner_mitre_train_02784", "source": "cyner_mitre_train"}} +{"text": "Ginp embeds the following set of features , allowing it to remain under the radar and successfully perform attacks : Overlaying : Dynamic ( local overlays obtained from the C2 ) SMS harvesting : SMS listing SMS harvesting : SMS forwarding Contact list collection Application listing Overlaying : Targets list update SMS : Sending Calls : Call forwarding C2 Resilience : Auxiliary C2 list Self-protection : Hiding the App icon Self-protection : Preventing removal Self-protection : Emulation-detection Update", "spans": {"Malware: Ginp": [[0, 4]]}, "info": {"id": "cyner_mitre_train_02785", "source": "cyner_mitre_train"}} +{"text": "10/03/2020 At the end of February the actors behind Ginp added screen capture capabilities to their Trojan .", "spans": {"Malware: Ginp": [[52, 56]]}, "info": {"id": "cyner_mitre_train_02786", "source": "cyner_mitre_train"}} +{"text": "Like previously added functionality , the code is borrowed from the leaked Anubis Trojan source code .", "spans": {"Malware: Anubis": [[75, 81]]}, "info": {"id": "cyner_mitre_train_02787", "source": "cyner_mitre_train"}} +{"text": "It enables the bot to stream screenshots and send them to the C2 so that actors can see what is happening on the screen of the infected 
device .", "spans": {}, "info": {"id": "cyner_mitre_train_02788", "source": "cyner_mitre_train"}} +{"text": "Overlay attack Ginp uses the Accessibility Service to check which application runs is the foreground .", "spans": {}, "info": {"id": "cyner_mitre_train_02789", "source": "cyner_mitre_train"}} +{"text": "If the package name of the foreground app is included in the target list , an overlay is shown .", "spans": {}, "info": {"id": "cyner_mitre_train_02790", "source": "cyner_mitre_train"}} +{"text": "The WebView-based overlay is loading an HTML page provided by the C2 in response to the package name provided by the bot .", "spans": {}, "info": {"id": "cyner_mitre_train_02791", "source": "cyner_mitre_train"}} +{"text": "Something that makes Ginp special is that all of its overlay screens for banking apps are consist of multiple steps , first stealing the victim ’ s login credentials , then stealing the credit card details ( to “ validate ” the user identity ) , as shown in the screenshots hereafter : The following code snippet shows that after the second overlay is filled-in and validated , it disappears and the targeted application is added to the list of packages names to be ignored for future overlays attacks .", "spans": {"Malware: Ginp": [[21, 25]]}, "info": {"id": "cyner_mitre_train_02792", "source": "cyner_mitre_train"}} +{"text": "Targets The initial version of Ginp had a generic credit card grabber overlay screen used for all targeted applications .", "spans": {"Malware: Ginp": [[31, 35]]}, "info": {"id": "cyner_mitre_train_02793", "source": "cyner_mitre_train"}} +{"text": "Still included in the last versions , this screen is only used to overlay the official Google Play Store app .", "spans": {"System: Google Play Store": [[87, 104]]}, "info": {"id": "cyner_mitre_train_02794", "source": "cyner_mitre_train"}} +{"text": "More apps could be added to the grabber target list in the future , such as the ones that were targeted in older versions : Facebook 
WhatsApp Skype Twitter Chrome Instagram Snapchat Viber The following screenshot shows the generic card grabber overlay screen : Ginp generic grabber The current active target list is available in the appendix , containing a total of 24 unique targets .", "spans": {"System: Facebook": [[124, 132]], "System: WhatsApp": [[133, 141]], "System: Skype": [[142, 147]], "System: Twitter": [[148, 155]], "System: Chrome": [[156, 162]], "System: Instagram": [[163, 172]], "System: Snapchat": [[173, 181]], "System: Viber": [[182, 187]], "Malware: Ginp": [[261, 265]]}, "info": {"id": "cyner_mitre_train_02795", "source": "cyner_mitre_train"}} +{"text": "The following screenshots show what type of information is collected in both steps of the overlay attack : Ginp overlaysGinp overlaysGinp overlaysGinp overlays Based on Anubis Once the Anubis bot code got leaked , it was just a matter of time before new banking Trojans based on Anubis would surface .", "spans": {"Malware: Ginp": [[107, 111]], "Malware: Anubis": [[169, 175], [185, 191], [279, 285]]}, "info": {"id": "cyner_mitre_train_02796", "source": "cyner_mitre_train"}} +{"text": "When analyzing the Ginp ’ s recent samples , ThreatFabric analysts found some similarities with the famous Android banking Trojan .", "spans": {"Malware: Ginp": [[19, 23]], "System: ThreatFabric": [[45, 57]]}, "info": {"id": "cyner_mitre_train_02797", "source": "cyner_mitre_train"}} +{"text": "Based on the evolution of Ginp it is clear that it isn ’ t based on Anubis , but rather reuses some of its code .", "spans": {"Malware: Ginp": [[26, 30]], "Malware: Anubis": [[68, 74]]}, "info": {"id": "cyner_mitre_train_02798", "source": "cyner_mitre_train"}} +{"text": "Below are some of the elements showing the relation .", "spans": {}, "info": {"id": "cyner_mitre_train_02799", "source": "cyner_mitre_train"}} +{"text": "The names used for Android components are similar : Similarities with AnubisSimilarities with Anubis When analyzing these components , 
similarities were found in the code of both malware families : Similarities with Anubis Another major change that indicated that the actor copied code from the Anubis Trojan is the way of handling configuration values .", "spans": {"System: Android": [[19, 26]], "Malware: Anubis": [[94, 100], [295, 301]], "System: Anubis": [[216, 222]]}, "info": {"id": "cyner_mitre_train_02800", "source": "cyner_mitre_train"}} +{"text": "Previous versions were storing config values within the variables of a class , while the latest version is using SharedPreferences with some of the keys being identical to those used by Anubis : isAccessibility time_work time_start_permission url_inj Conclusion Ginp is a simple but rather efficient banking Trojan providing the basic functionality to be able to trick victims into delivering personal information .", "spans": {"System: Anubis": [[186, 192]], "Malware: Ginp": [[262, 266]]}, "info": {"id": "cyner_mitre_train_02801", "source": "cyner_mitre_train"}} +{"text": "In a 5-month timespan , actor managed to create a Trojan from scratch which will presumably continue evolving offering new features such as keylogging , back-connect proxy or RAT capabilities .", "spans": {}, "info": {"id": "cyner_mitre_train_02802", "source": "cyner_mitre_train"}} +{"text": "Ginp ’ s unusual target selection is not just about its focus on Spanish banks but also the wide selection of targeted apps per bank .", "spans": {"Malware: Ginp": [[0, 4]]}, "info": {"id": "cyner_mitre_train_02803", "source": "cyner_mitre_train"}} +{"text": "The fact that the overlay screens are almost identical to the legitimate banking apps suggests that the actors might be very familiar with the Spanish banking applications and might even be accustomed to the language .", "spans": {}, "info": {"id": "cyner_mitre_train_02804", "source": "cyner_mitre_train"}} +{"text": "Although the current target list is limited to Spanish apps , it seems that the actor is taking into account that the bot 
should also be able to target other countries , seeing that the path used in the inject requests contains the country code of the targeted institution .", "spans": {}, "info": {"id": "cyner_mitre_train_02805", "source": "cyner_mitre_train"}} +{"text": "This could indicate that actor already has plans in expanding the targets to applications from different countries and regions .", "spans": {}, "info": {"id": "cyner_mitre_train_02806", "source": "cyner_mitre_train"}} +{"text": "Appendix Samples Some of the latest Ginp samples found in the wild : App name Package name SHA-256 hash Google Play Verificator sing.guide.false 0ee075219a2dfde018f17561467272633821d19420c08cba14322cc3b93bb5d5 Google Play Verificator park.rather.dance 087a3beea46f3d45649b7506073ef51c784036629ca78601a4593759b253d1b7 Adobe Flash Player ethics.unknown.during", "spans": {"Malware: Ginp": [[36, 40]], "System: Google Play Verificator": [[104, 127], [210, 233]], "Indicator: sing.guide.false": [[128, 144]], "Indicator: 0ee075219a2dfde018f17561467272633821d19420c08cba14322cc3b93bb5d5": [[145, 209]], "System: park.rather.dance": [[234, 251]], "Indicator: 087a3beea46f3d45649b7506073ef51c784036629ca78601a4593759b253d1b7": [[252, 316]], "System: Adobe Flash Player": [[317, 335]], "Indicator: ethics.unknown.during": [[336, 357]]}, "info": {"id": "cyner_mitre_train_02807", "source": "cyner_mitre_train"}} +{"text": "5ac6901b232c629bc246227b783867a0122f62f9e087ceb86d83d991e92dba2f Adobe Flash Player solution.rail.forward 7eb239cc86e80e6e1866e2b3a132b5af94a13d0d24f92068a6d2e66cfe5c2cea Adobe Flash Player com.pubhny.hekzhgjty 14a1b1dce69b742f7e258805594f07e0c5148b6963c12a8429d6e15ace3a503c", "spans": {"Indicator: 5ac6901b232c629bc246227b783867a0122f62f9e087ceb86d83d991e92dba2f": [[0, 64]], "System: Adobe Flash Player": [[65, 83], [171, 189]], "Indicator: solution.rail.forward": [[84, 105]], "Indicator: 7eb239cc86e80e6e1866e2b3a132b5af94a13d0d24f92068a6d2e66cfe5c2cea": [[106, 170]], "Indicator: 
com.pubhny.hekzhgjty": [[190, 210]], "Indicator: 14a1b1dce69b742f7e258805594f07e0c5148b6963c12a8429d6e15ace3a503c": [[211, 275]]}, "info": {"id": "cyner_mitre_train_02808", "source": "cyner_mitre_train"}} +{"text": "Adobe Flash Player sentence.fancy.humble 78557094dbabecdc17fb0edb4e3a94bae184e97b1b92801e4f8eb0f0626d6212 Target list The current list of apps observed to be targeted by Ginp contains a total of 24 unique applications as seen below .", "spans": {"System: Adobe Flash Player": [[0, 18]], "Indicator: sentence.fancy.humble": [[19, 40]], "Indicator: 78557094dbabecdc17fb0edb4e3a94bae184e97b1b92801e4f8eb0f0626d6212": [[41, 105]], "Malware: Ginp": [[170, 174]]}, "info": {"id": "cyner_mitre_train_02809", "source": "cyner_mitre_train"}} +{"text": "This list is expected to grow in the future .", "spans": {}, "info": {"id": "cyner_mitre_train_02810", "source": "cyner_mitre_train"}}
