Friday, August 25, 2017

More hiding Trojans on Google Play

Over the last few weeks the Google Play Store has been fighting dozens of fake apps impersonating popular apps, mostly video players or downloaders such as Tube Mate, Vid Mate, Snap Tube or variations of their names. At the beginning of August, in a short video, I informed users about this threat by demonstrating one of these apps and showing how to uninstall it.



Today I reported eleven more of these apps on Google Play. They have similar functionality to the one I demonstrated in the video above.




Functionality

After installing one of these apps from the Play Store, an app with a different name and icon (such as File Storage, Data Manage, Support Assist, Network Filter or Device Analysis) is installed on the device instead of the one the user intended to download. The installation is demonstrated in the following video:



Once launched, it asks the user to activate device administrator rights and then hides itself from the user's view. In the background the application can perform clicks and display full-screen advertisements outside the app at regular intervals.

Figure 1. First versions with unencrypted URL

Figure 2. Latest version with encryption of contacted URL

Figure 3. Clicking functionality obtained from contacted server

Figure 4. After a couple of minutes, the investigated app had created dozens of requests to porn websites

How to get rid of it

The victim can't uninstall these apps without deactivating device administrator rights first. This can be done by going to Settings -> Security -> Device administrators and deactivating the device administrator for the specific app. Once that is done, the user can uninstall the app from Settings -> Applications/Application manager.



IOC

[updated on September 7, 2017]


Package Name              Hash
com.fdcpzdgc.app          698EDE119E7B7A2263FE8BF3EC7BD0147B80AB3D
com.fnisbhkn.app          D89F00D48B1277964AE50F4817105C2551D72553
com.fzitnbub.app          D93429C81D76EF8D91A39A8D39C4EFB6A0B7A618
com.guiefjlo.app          2E6382DA3C45B3697D4D1A29146793D6598C3C5F
com.kmmdsatm.app          A1B65FDD95ECC880DDAD9CD604C8D5022053F1E7
com.masjg.okalgan         BBF8A0AD27C35C0DA42765932EBC88BEEFBF8988
com.masjg.okalgan2        5623263BE0FB9B5642118D9BD9B79D5EE47AD648
com.masjg.okalgan5        EB020403A55B02CE3C56183C0A66900446FEA40E
com.masjg.okalgan6        C75336327A4E12BFC14A080C437829D02BB7BD2C
com.masjg.okalgan7        359FEACECBA9C4CFF5A940FB359DAFD1B54CC465
com.masjg.okalgan8        9D8C454EB2B378459A8C994F8B191DF94A5F2E89
com.knfjncjv.app          334DBF58855A843D6E7ACABAFB953371E9044413
com.nahezylr.app          1D16781C5DF57CBE271A73D0919648AE36AE8D83
com.npydfgnj.app          4C8241EF4ECAF297ED6A7EA03F2314CB5DB2052E
com.ypdxhvbo.app          37EBD56F3E434428373E5FAEF66A892B5C927D78
com.okalgman.glmgnak      09206FE3C5D496B867F3DFC3BF45272386666B1C
com.okalgman.glmgnak3     4642CAB7A8D7664C967D02CD201820A2732583FB
com.okalgman.glmgnak4     93AA21E8D46DEDEC87CC0C311F2DFBE61A9AAC29
com.okalgman.glmgnak5     4D6C442567DDC862019376F9E5C0B4B780B565EF
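The removal steps and the IOC table above can be turned into a quick device triage. The following script is an added example, not code from the original post: it reads the text of `adb shell pm list packages` and `adb shell dumpsys device_policy` (saved to strings), reports which IOC packages are installed, whether each still holds device administrator rights (which must be revoked before uninstalling) and, for any APK pulled with `adb pull`, whether its SHA-1 matches the published hash. The dictionary holds a subset of the table; the command output embedded below is constructed for the demo, not a capture from a real device, and the surrounding dumpsys text is assumed to vary across Android versions, so only the `ComponentInfo{...}` token is relied on.

```python
import hashlib
import re

# Package name -> SHA-1, copied from the IOC table in the post (subset shown).
IOC = {
    "com.fdcpzdgc.app": "698EDE119E7B7A2263FE8BF3EC7BD0147B80AB3D",
    "com.masjg.okalgan": "BBF8A0AD27C35C0DA42765932EBC88BEEFBF8988",
    "com.okalgman.glmgnak": "09206FE3C5D496B867F3DFC3BF45272386666B1C",
}


def installed_packages(pm_output):
    """Parse `pm list packages` lines of the form `package:<name>`."""
    return {line.split(":", 1)[1].strip()
            for line in pm_output.splitlines()
            if line.startswith("package:")}


def device_admin_packages(dumpsys_output):
    """Extract package names of active device admins from `dumpsys device_policy`.

    Admins appear as ComponentInfo{<package>/<class>}; the surrounding layout
    differs between Android versions (assumption), so only that token is used.
    """
    return set(re.findall(r"ComponentInfo\{([\w.]+)/", dumpsys_output))


def sha1_of(data):
    """Upper-case hex SHA-1, the format used by the IOC table."""
    return hashlib.sha1(data).hexdigest().upper()


def triage(pm_output, dumpsys_output, pulled_apks, ioc=IOC):
    """Return one finding per IOC package that is installed.

    pulled_apks maps package name -> APK bytes for any APK pulled from the
    device; hash_match is False when the APK was not pulled.
    """
    installed = installed_packages(pm_output)
    admins = device_admin_packages(dumpsys_output)
    findings = []
    for pkg, known_sha1 in ioc.items():
        if pkg not in installed:
            continue
        apk_bytes = pulled_apks.get(pkg)
        findings.append({
            "package": pkg,
            # Device admin must be deactivated before the app can be removed.
            "device_admin": pkg in admins,
            "hash_match": apk_bytes is not None and sha1_of(apk_bytes) == known_sha1,
        })
    return findings


# Constructed sample command output (demo only, not a real capture).
SAMPLE_PM = """package:com.android.settings
package:com.masjg.okalgan
package:com.example.videoplayer
"""
SAMPLE_DUMPSYS = """Current Device Policy Manager state:
  Enabled Device Admins (User 0):
    ComponentInfo{com.masjg.okalgan/com.masjg.okalgan.AdminReceiver}:
      uid=10123
"""

if __name__ == "__main__":
    for f in triage(SAMPLE_PM, SAMPLE_DUMPSYS, {}):
        step = ("revoke device admin in Settings, then uninstall"
                if f["device_admin"] else "uninstall")
        print(f"{f['package']}: {step} (hash verified: {f['hash_match']})")
```

The hash check is deliberately separate from the package-name check: a package name can be reused by an updated sample with a different hash, so a name match is a reason to pull the APK, and only the hash confirms it is the exact sample from the table.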

Monday, August 21, 2017

Phishing attack at Raiffeisen Bank by MazarBot

Yesterday I discovered a phishing campaign targeting clients of Raiffeisen Bank by the popular and still active Android banking Trojan MazarBot. This infiltration targets German-speaking users and makes them download a fake Raiffeisen Security App.

 

The last time I wrote about MazarBot was a year and a half ago; however, it is still spreading using different methods. MazarBot has been distributed via SMS, fake webpages and email spam.


How it works

[UPDATE]
Thanks to insights from NI@FI@70, who identified the distribution vector for this particular infiltration: email spam. The phishing email may arrive from raiffeisen@elba-service.team.info

Figure 1. Distribution vector - email

This MazarBot campaign is spread through email spam: the potential victim receives an email with a link to a bogus webpage, in this case an exact copy of the Raiffeisen Bank website.

Figure 2. Fake phishing webpage

Figure 3. Legit Raiffeisen web

Once the victim fills in their login credentials (thereby sending them to the attacker), they are redirected to another webpage where they allegedly need to download and install a Raiffeisenbank Security app because of a new EU money laundering regulation that is supposedly mandatory for all customers with a phone number.
The webpage also contains instructions on how to download and install the app, including a QR code.

Figure 4. Install instructions for fake Raiffeisen Security App
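The phishing hostnames in this campaign all begin with the bank's real hostname and only differ in the registered domain at the end (see the Phishing URLs in the IOC section below), which is what makes the link look plausible to a victim. The following script is an added example, not code from the original post: it classifies a URL as legitimate, lookalike or unrelated by comparing the registered domain of its host with that of the expected hostname. It assumes that banking.raiffeisen.at is the legitimate host; the lookalike URLs in the sample list are taken from the post's IOC section, the other sample URLs are constructed, and the last-two-labels rule is a simplification of a public-suffix lookup that is sufficient for the .top and .pw domains used here.

```python
from urllib.parse import urlsplit

# Hostnames the user is actually meant to log in to (assumed for the example).
LEGIT_HOSTS = {"banking.raiffeisen.at"}


def registered_domain(host):
    """Last two DNS labels, e.g. 'updateid090867.top'.

    A simplified stand-in for a public-suffix lookup (assumption): enough for
    .top/.pw/.at, but multi-label suffixes such as co.uk would need a real list.
    """
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])


def classify(url):
    """Return 'legit', 'lookalike' or 'other' for one URL.

    'lookalike' means the host starts with a legitimate hostname followed by
    a dot but is registered under a different domain, exactly the pattern of
    banking.raiffeisen.at.updateidNNNNNN.top.
    """
    host = (urlsplit(url).hostname or "").lower().rstrip(".")
    if host in LEGIT_HOSTS:
        return "legit"
    for legit in LEGIT_HOSTS:
        if host.startswith(legit + ".") and registered_domain(host) != registered_domain(legit):
            return "lookalike"
    return "other"


def scan(urls):
    """Classify a batch of URLs, e.g. links extracted from a mail gateway log."""
    return {u: classify(u) for u in urls}


# Sample input: two IOC URLs from the post plus constructed legitimate/unrelated ones.
SAMPLE_URLS = [
    "https://banking.raiffeisen.at/",                   # legitimate (assumed)
    "http://banking.raiffeisen.at.updateid090867.top",  # from the IOC list
    "http://banking.raiffeisen.at.updateid0891201.pw",  # from the IOC list
    "https://example.org/login",                        # unrelated, constructed
]

if __name__ == "__main__":
    for url, verdict in scan(SAMPLE_URLS).items():
        print(f"{verdict:9} {url}")
```

A mail filter that checks only whether the link contains "raiffeisen.at" would pass every URL in this campaign; comparing the registered domain is the check that separates them from the real site.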

How is attack performed



Potential victims


A URL shortener is used to download this app, so we can check the link statistics. Fortunately, only 37 clicks (14 desktop clicks + 23 mobile clicks) were recorded in two days.

Figure 5. Raiffeisen Security app download link statistics

However, most of the downloads came from Austria.

Figure 6. Detail of each link access

Functionality

The core functionality of this banking Trojan is to create an overlay activity and lure the user's credit card details through fake login forms.

Figure 7. Request of MazarBot to activate device administrator

IOC (updated 12.09.2017)

Phishing URLs
http://banking.raiffeisen.at.updateid090867.top
http://banking.raiffeisen.at.updateid090866.top
http://banking.raiffeisen.at.updateid090865.top
http://banking.raiffeisen.at.updateid090864.top
http://banking.raiffeisen.at.updateid090863.top
http://banking.raiffeisen.at.updateid090862.top
http://banking.raiffeisen.at.updateid090861.top
http://banking.raiffeisen.at.updateid090860.top
http://banking.raiffeisen.at.updateid090859.top
http://banking.raiffeisen.at.updateid090858.top
http://banking.raiffeisen.at.updateid090857.top
http://banking.raiffeisen.at.updateid090856.top
http://banking.raiffeisen.at.updateid090855.top
http://banking.raiffeisen.at.updateid090854.top
http://banking.raiffeisen.at.updateid090853.top
http://banking.raiffeisen.at.updateid090852.top
http://banking.raiffeisen.at.updateid090851.top
http://banking.raiffeisen.at.updateid090850.top
http://banking.raiffeisen.at.updateid0891201.pw
http://banking.raiffeisen.at.updateid0891202.pw
http://banking.raiffeisen.at.updateid0891203.pw
http://banking.raiffeisen.at.updateid0891204.pw
http://banking.raiffeisen.at.updateid0891206.pw
http://banking.raiffeisen.at.updateid0891207.pw
http://banking.raiffeisen.at.updateid0891208.pw
http://banking.raiffeisen.at.updateid0891209.pw

Hashes
872521EAD4C74CB178921A8D122589C6C06559DB
624195D0777BAC438C9372A1DB43324B107D78ED
D71A5C032AA08DEE55F8F19A607EF10DCF9FE326

C&C
https://sacstfwascas.pw/becall
https://hioczuzsadaz.biz/becall
https://joloutzuzut.biz/becall
https://huiioasdagc.pw/becall
https://hsuchasdgzauc.biz/becall
http://hoploiuc.biz/index.php?action=command

Tuesday, August 8, 2017

Android Banking Trojan misuses accessibility services


Accessibility services can be used not only by users with disabilities but by malware as well. By misusing accessibility services, an infiltration can read text from the displayed activity, set itself as the default messaging app and click on behalf of the user.


I decided to put together a quick (non-)technical blog post with insights from SfyLabs. This particular infiltration was discovered a few weeks ago; you can read about it here and here. So why another blog post? In this post, I would like to bring more details on this Trojan, such as the distribution vector, samples, C&C server, functionality, targeted banks, a video demonstration, etc.


Distribution vector

For now, it is mostly spread using fake web pages impersonating legitimate software such as Adobe Flash Player, WhatsApp, sKlasse Antivirus or SkyScanner.




Spread via malicious links such as:
hxxp://xxxvideos.place/flash-update/Adobe_Flash_2017.apk
hxxp://mgmtiming.com/internal-app/sklasse-antivirus.apk


For rent or sale

According to an investigation by SenseCy, this banking Trojan is currently for sale on a Russian underground forum. Since July 2017 it has been offered for rent as well.



Example of infection

Once the user is infected, the Trojan persistently asks the user to activate "Google services" until they do. After the victim activates this fake accessibility service, the banking Trojan sets itself as the default messaging app on the user's behalf (to bypass 2FA), activates device administrator rights and hides its icon from the user's view. The infection is demonstrated in the following video.
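Two of the changes described in the infection above, the fake accessibility service and the hijacked default SMS app, are visible in ordinary device settings and can be audited without any malware analysis. The following script is an added example, not code from the original post or from SfyLabs: it takes the values of `adb shell settings get secure enabled_accessibility_services` and `adb shell settings get secure sms_default_application` (both real Settings.Secure keys), plus the output of `adb shell pm list packages -i` (which lists the installer of each package, assumed to print `installer=null` for sideloaded APKs), and flags any package holding one of these roles that is not on a small allowlist. The allowlist, the sample setting values and the package name com.fake.googleservices are all constructed for the demo.

```python
import re

# Packages a stock device may legitimately have in these roles (assumed allowlist;
# a fleet would extend it with its own known-good messaging/accessibility apps).
KNOWN_GOOD = {
    "com.android.messaging",
    "com.google.android.apps.messaging",
    "com.google.android.marvin.talkback",
}


def parse_accessibility_services(value):
    """The setting is a colon-separated list of 'package/service' entries;
    'null' or an empty string means no service is enabled."""
    value = (value or "").strip()
    if value in ("", "null"):
        return []
    return [entry.split("/", 1)[0] for entry in value.split(":") if entry]


def parse_installers(pm_i_output):
    """Parse `pm list packages -i` lines: 'package:<name>  installer=<pkg|null>'.
    Returns package -> installer package, or None when sideloaded."""
    installers = {}
    for line in pm_i_output.splitlines():
        m = re.match(r"package:(\S+)\s+installer=(\S+)", line)
        if m:
            installers[m.group(1)] = None if m.group(2) == "null" else m.group(2)
    return installers


def audit(accessibility_value, sms_default_value, installers):
    """Return findings for non-allowlisted packages holding a sensitive role.

    'sideloaded' is True when the package has no store installer (or is not
    listed at all, which is treated conservatively as sideloaded); given this
    Trojan's spread through fake download pages, that is the strongest signal.
    """
    roles = [(pkg, "accessibility service")
             for pkg in parse_accessibility_services(accessibility_value)]
    sms = (sms_default_value or "").strip()
    if sms and sms != "null":
        roles.append((sms, "default SMS app"))
    findings = []
    for pkg, role in roles:
        if pkg in KNOWN_GOOD:
            continue
        findings.append({"package": pkg, "role": role,
                         "sideloaded": installers.get(pkg) is None})
    return findings


# Constructed sample values (demo only; com.fake.googleservices is hypothetical).
SAMPLE_ACCESSIBILITY = ("com.google.android.marvin.talkback/.TalkBackService:"
                        "com.fake.googleservices/.AccService")
SAMPLE_SMS_DEFAULT = "com.fake.googleservices"
SAMPLE_PM_I = """package:com.google.android.apps.messaging  installer=com.android.vending
package:com.google.android.marvin.talkback  installer=com.android.vending
package:com.fake.googleservices  installer=null
"""

if __name__ == "__main__":
    for f in audit(SAMPLE_ACCESSIBILITY, SAMPLE_SMS_DEFAULT, parse_installers(SAMPLE_PM_I)):
        tag = "SIDELOADED" if f["sideloaded"] else "store-installed"
        print(f"{f['package']} holds role '{f['role']}' ({tag})")
```

The same package appearing in both roles, as in the sample, is the combination this Trojan needs: the accessibility service performs the clicks and the default SMS role lets it read the 2FA codes.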



Functionality

The decompiled code is obfuscated against static analysis with a lot of junk code, probably generated by an automated tool.


The infiltration is capable of:
  • send SMS
  • intercept received SMS
  • keylog
  • display phishing dialogs
  • block operation of AV software
  • open URL
  • collect information about contacts, installed apps, call logs

Targets

This Trojan targets the apps of more than 50 financial institutions from different countries around the world (UK, France, Austria, Germany, Poland, Turkey).




The malware dynamically obtains an encrypted configuration file containing the targeted banking apps. The SfyLabs team decrypted the configuration file and found the targeted apps together with their phishing links.

For more details, here is the config file.
A tool to decrypt the C2 config file is available from SfyLabs.

Yara Rules

I decided to create public Yara rules for the Koodous project that could help increase detection and raise awareness of this particular Android banking threat.
For those who are not yet aware of Koodous, it is a place for Android security researchers with lots of Android malware samples free to download.

You can find my rule set here: Banker_misusing_accessibility_services


IOC

All of these hashes are on VirusTotal.

b7ef9daafcf1f43397e84ec856a1cd802d5f61e2
5268e82713a0a810e552acb86a6474d186269949
1af5e6ec43f9ca1f4e367fabd55265759751909d
409adb132f18d82d0b450c4985d6149ac700e19b
68a381aab056e1965564673c6e7739d22b552db6
04f97d1dffb518232e465a8c977f384cedbceaac
ccccb88c13e072ea39c25d087ebcd25e2c97fd2d
2517b2fea3caf382a2609578d009649e8c727a28
e89213ec06e9f06530b61ecb8c1622623c36c145
bbfc5b5c8bb1d37b791594872b283fc1b5a4060b
18f013d7641bf3ce3209dbfe0c3ee7600ccb85ac
dc37eb7299beb3b2509a514d471271a91f47596e
8ac3a4477ac576def60935ec568a79d1c9686df8
d2dfe94ea7ab51bdfd89c44cfc4e3ceb7c15d7e4
e2d138384714cbc0649d5920ba510dd7019ded18
5b50db5115918b2a6c5fe3763cf876799dd30f59
17357f5c7c4ca09f5cfa28762f9ca6aa0fe1bf33
27e419cc6b3c0095728f777eded88fdcc2d0d019
5fe18b55be462bc5249af282c5837c09ab372676
ef181584c93fc109c015138c6af071ac6cf1c78a
28a024dd33169ac60b80de97ad5f4311a3fe2d47
2c36f79e4fd34f1044c2a8c6c65badd70c07e503
136c14ae0976095bec0a94efe4c6665a1c3c4422
082af750a859714ce6d559f2a60aa40718436bb0
a8ef632ce4dc99b3fbe54c3c0ecac12f85aee4f7
287dae1bac54a74eebc98b6fce2072c8249c33a3
09722cdbc1693c12d36f3c857cad659b0b2eef8f
6cd5ec30466db01a781531bd5e6280d502345d70
b389f71644e4f7d08406d66e667857bc50468a30
44c64b06d93983cbdeae8c2f4debde0ae32cd40d
3b0781a1c94a3a2c83f76f6288bded7ab8b07e47
36e0507888f6eb79ce21ba22094fc7ecbed6c51d
11e8f4d2f1b98f5b4de7ac6982f7128c0b831ae0
a4545e0f6dbf5f416512fe5e5a882c64072a59cc
38d56f73e8c47a1c65fb3d21a6a3ff4528f71326
02836706d8d7ed0a6c6aa4aef127815867f29df5
21065f4437c3ca4444d42cb7be42a514ab2eee77
b9ed5a5f0387d03040aa526d9365da3d53025190

Tuesday, July 4, 2017

Petya Ransomware picture collection from infected countries around the world

On June 27, 2017, the Petya ransomware infected computers in more than 65 countries around the world, such as Belgium, Brazil, Germany, Denmark, the Netherlands, France, Italy, Russia and the United States. Based on a Microsoft report, Petya infected more than 12,500 machines in Ukraine alone.
This outbreak came just a few weeks after the WannaCry ransomware, which infected computers in more than 150 countries.


The Petya ransomware affected a variety of companies and institutions, such as the Ukrainian central bank, the Ukrainian cabinet of ministers, the state telecom, the municipal metro, Kiev's airport, a Ukrainian electricity supplier, the Chernobyl nuclear power plant, point-of-sale terminals, ATMs, a transport and logistics company from Denmark, a Russian oil company, a pharmaceutical company, a Pittsburgh-area hospital, media companies, etc.

Number of Bitcoins Ransomware collected: http://wannabucks.xyz
ATM
Supermarket in Kharkiv, east Ukraine - point-of-sale terminals

ATM
Wednesday, May 17, 2017

WannaCry Ransomware picture collection from infected countries around the world

The biggest cyberattack in history infected more than 200,000 computers in 150 countries and paralyzed computers and networks around the world, including the ones that run Britain's hospital network, Germany's national railway, the Ministry of Internal Affairs in Russia, the telecommunications giant Telefonica, Nissan, Renault, FedEx and many other companies and government agencies worldwide.


Without any introduction, because a lot has already been said about this ransomware, I will jump right into the main point of this blog post, where I have put together a collection of pictures taken during the WannaCry ransomware rampage. Feel free to post more pictures in the comments.

For those interested, here is a map of infections: https://www.youtube.com/watch?v=kG8E15WFM6E
Number of Bitcoins Ransomware collected: http://wannabucks.xyz/

[Update]



Somewhere in Japan

Taiwan


Chinese university. Student theses were locked; some students may face a delayed graduation.

Indonesia

Vietnam

Somewhere in Vietnam

In Vietnam WannaCry infected ~1,900 computers

Indian bank ATM

Operator control and monitoring system in Italy

National Police Bureau, Thailand

ATM in Jawa, Indonesia





ATM in Indonesia

ATMs in Indonesia are offline due to WannaCry

Store in Japan


Somewhere in Vietnam

Somewhere in Vietnam

Tirumala Tirupati Devasthanam

Queue system of a hospital in Jakarta

Somewhere in the world





Under Wine you can infect your Linux desktop too



A Bayer MedRad device used to assist in MRI scans infected with the WannaCry ransomware.

WBSEDCL OFFICE at Malbazar in Dooars, India

This is a CJ CGV screen in Seoul that has been crippled by Wanna Cry ransomware

General practice surgery in Preston, in the north of England. Credits to @fendifille

Somewhere in Italy

Somewhere in Germany

Saudi Telecom Company (STC)

Somewhere in Russia



Let's start with two of the first infected countries, England and Spain.
Figure 1 NHS hospital in England

Figure 2 What a London GP sees when trying to connect to the NHS network

Figure 3 Telefonica Tells Employees to Shut Down Computers Amid Massive Ransomware




Figure 4 Germany's national railway



Figure 6 Ministry of Internal Affairs in Russia

Figure 7 Russian telecommunications company Megafon

Figure 8 Somewhere in Russia

Figure 9 Russian Railways center

Figure 10 Probably Nissan product line


Figure 11 The University of Milano-Bicocca, Italy




Figure 12 Saudi Telecom Company


Figure 13 Thailand

Figure 14 Bank of China ATMs
Figure 15 Chinese traffic police


Figure 16 Chinese University

Figure 17 Somewhere in a Nordic parking lot

Figure 18 Store in Singapore thanks to Goi

Figure 19 Local mall in Singapore - Tiong Bahru Plaza

Figure 20 Building lobby

Figure 21 Movistar, Chile


Figure 22 Pakistan

 

Still not enough?


A few pictures for those who are already fed up with WannaCry.
The Patriarch of the Russian Orthodox Church making sure that the Ministry of Internal Affairs computers won't get affected by the WannaCry virus attack