Aggressive in-app advertising in Android – 10 minute mail

Recently, we’ve been noticing ever more dubious advertising libraries in popular apps on Google Play. The monetization methods used in such SDKs can pose a threat to users, yet they pull in more revenue for developers than whitelisted ad modules due to the greater number of views. In this post we will look into a few examples of suspicious-looking ad modules that we discovered in popular apps earlier this year.

One of the applications we researched was a popular app that allows users to ask questions anonymously. Integrated into the code of an earlier version of the app was the module com.haskfm.h5mob. Its task was to show intrusive advertising (in breach of the Google Play rules) when the user unlocked the phone.

Code for displaying ads when the screen is unlocked

In other words, the module can show ads whether the app is running or not. The ad can simply pop up on the main screen all on its own, causing a nuisance for the user. We passed our findings to the app developers, who promptly removed com.haskfm.h5mob. However, this module remains interesting from technical point of view.

In this application to receive advertising offers, the module connects to the C&C servers, whose addresses are encrypted in the app code.

Decrypting the C&C addresses

The C&C response contains the display parameters and the platforms used to receive ads.

The most interesting parameter here is appintset, which specifies the delay before displaying the first ad after installation of the app. In our example, it was set to 43.2 million milliseconds, or 12 hours. This delay makes it much harder for the user to find the culprit for all the ads that suddenly appear on the screen. Also, this technique is frequently used by cybercriminals to trick automatic protection mechanisms, such as sandboxes in app stores. The main parameters are followed by an extensive list of addresses of advertising providers with request parameters for receiving offers.

Earlier we detected a similar ad module in apps without a payload. For example, the code in the app com.android.ggtoolkit_tw_xd, which we detect as not-a-virus:AdWare.AndroidOS.Magic.a, contains the same features and is managed from the same C&C as the com.haskfm.h5mob module. However, this adware app has no graphical interface to speak of, is not displayed in the device’s app menu, and serves only to display intrusive ads as described above. It looks something like this: adware_in-app_video.mp4

While, as previously mentioned, the creators of the application described in the first example, promptly removed the ad module, not all Android developers are so conscientious. For example, the Cut – CutOut & Photo Background Editor app does not hesitate to treat users to a half-screen ad as soon as the smartphone is unlocked, regardless of whether the app is running or not.

Likewise the Fast Cleaner — Speed​Booster & Cleaner app.

In both apps, the library com.vision.lib handles the display of advertising.

Display of advertising

At the time of writing this article, the developers of both apps had not responded to our requests.

Note, however, that adware is not always about greed. Often, app developers are not versed in advertising SDKs and lack the necessary skills to test an integrated advertising library, and therefore may not fully understand what they are adding to their code. The danger for users here is that a dubious library could unexpectedly make its way into an app as part of a rank-and-file update. And it becomes extremely difficult to figure out which of a dozen recently updated apps is the source of intrusive advertising.

IOCs

MD5

1eeda6306a2b12f78902a1bc0b7a7961 – com.android.ggtoolkit_tw_xd
134283b8efedc3d7244ba1b3a52e4a92  – com.xprodev.cutcam
3aba867b8b91c17531e58a9054657e10 – com.powerd.cleaner

С&C

ti.domainforlite[.]com/st/hg
uu.domainforlite[.]com


Temp Mails (https://tempemail.co/) is a new free temporary email addresses service. This service provide you random 10 minutes emails addresses. It is also known by names like: temporary mail, disposable mail, throwaway email, one time mail, anonymous email address… All emails received by Tempmail servers are displayed automatically in your online browser inbox.

IT threat evolution Q1 2020. Statistics – 10 minute mail

These statistics are based on detection verdicts for Kaspersky products received from users who consented to providing statistical data.

Quarterly figures

According to Kaspersky Security Network,

  • Kaspersky solutions blocked 726,536,269 attacks launched from online resources in 203 countries across the globe.
  • A total of 442,039,230 unique URLs were recognized as malicious by Web Anti-Virus components.
  • Attempted infections by malware designed to steal money via online access to bank accounts were logged on the computers of 249,748 unique users.
  • Ransomware attacks were defeated on the computers of 178,922 unique users.
  • Our File Anti-Virus detected 164,653,290 unique malicious and potentially unwanted objects.
  • Kaspersky products for mobile devices detected:
    • 1,152,662 malicious installation packages
    • 42,115 installation packages for mobile banking trojans
    • 4339 installation packages for mobile ransomware trojans

Mobile threats

Quarter events

Q1 2020 will be remembered primarily for the coronavirus pandemic and cybercriminals’ exploitation of the topic. In particular, the creators of a new modification of the Ginp banking trojan renamed their malware Coronavirus Finder and then began offering it for €0.75 disguised as an app supposedly capable of detecting nearby people infected with COVID-19. Thus, the cybercriminals tried not only to scam users by exploiting hot topics, but to gain access to their bank card details. And, because the trojan remains on the device after stealing this data, the cybercriminals could intercept text messages containing two-factor authorization codes and use the stolen data without the victim’s knowledge.

Another interesting find this quarter was Cookiethief, a trojan designed to steal cookies from mobile browsers and the Facebook app. In the event of a successful attack, the malware provided its handler with access to the victim’s account, including the ability to perform various actions in their name, such as liking, reposting, etc. To prevent the service from spotting any abnormal activity in the hijacked profile, the trojan contains a proxy module through which the attackers issue commands.

The third piece of malware that caught our attention this reporting quarter was trojan-Dropper.AndroidOS.Shopper.a. It is designed to help cybercriminals to leave fake reviews and drive up ratings on Google Play. The attackers’ goals here are obvious: to increase the changes of their apps getting published and recommended, and to lull the vigilance of potential victims. Note that to rate apps and write reviews, the trojan uses Accessibility Services to gain full control over the other app: in this case, the official Google Play client.

Mobile threat statistics

In Q1 2020, Kaspersky’s mobile products and technologies detected 1,152,662 malicious installation packages, or 171,669 more than in the previous quarter.

Number of malicious installation packages detected, Q1 2019 – Q1 2020 (download)

Starting in Q2 2019, we have seen a steady rise in the number of mobile threats detected. Although it is too early to sound the alarm (2019 saw the lowest number of new threats in recent years), the trend is concerning.

Distribution of detected mobile apps by type

Distribution of newly detected mobile programs by type, Q1 2020 and Q4 2019 (download)

Of all the threats detected in Q1, half were unwanted adware apps (49.9%), their share having increased by 19 p.p. compared to the previous quarter. Most often, we detected members of the HiddenAd and Ewind families, with a combined slice of 40% of all detected adware threats, as well as the FakeAdBlocker family (12%).

Potentially unwanted RiskTool apps (28.24%) took second place; the share of this type of threat remained almost unchanged. The Smsreg (49% of all detected threats of this class), Agent (17%) and Dnotua (11%) families were the biggest contributors. Note that in Q1, the number of detected members of the Smsreg family increased by more than 50 percent.

In third place were Trojan-Dropper-type threats (9.72%). Although their share decreased by 7.63 p.p. against the previous quarter, droppers remain one of the most common classes of mobile threats. Ingopack emerged as Q1’s leading family with a massive 71% of all Trojan-Dropper threats, followed by Waponor (12%) and Hqwar (8%) far behind.

It is worth noting that mobile droppers are most often used for installing financial malware, although some financial threats can spread without their help. The share of these self-sufficient threats is quite substantial: in particular, the share of Trojan-Banker in Q1 increased by 2.1 p.p. to 3.65%.

Top 20 mobile malware programs

Note that this malware rankings do not include potentially dangerous or unwanted programs such as RiskTool or adware.

Verdict %*
1 DangerousObject.Multi.Generic 44.89
2 Trojan.AndroidOS.Boogr.gsh 9.09
3 DangerousObject.AndroidOS.GenericML 7.08
4 Trojan-Downloader.AndroidOS.Necro.d 4.52
5 Trojan.AndroidOS.Hiddapp.ch 2.73
6 Trojan-Downloader.AndroidOS.Helper.a 2.45
7 Trojan.AndroidOS.Handda.san 2.31
8 Trojan-Dropper.AndroidOS.Necro.z 2.30
9 Trojan.AndroidOS.Necro.a 2.19
10 Trojan-Downloader.AndroidOS.Necro.b 1.94
11 Trojan-Dropper.AndroidOS.Hqwar.gen 1.82
12 Trojan-Dropper.AndroidOS.Helper.l 1.50
13 Exploit.AndroidOS.Lotoor.be 1.46
14 Trojan-Dropper.AndroidOS.Lezok.p 1.46
15 Trojan-Banker.AndroidOS.Rotexy.e 1.43
16 Trojan-Dropper.AndroidOS.Penguin.e 1.42
17 Trojan-SMS.AndroidOS.Prizmes.a 1.39
18 Trojan.AndroidOS.Dvmap.a 1.24
19 Trojan.AndroidOS.Agent.rt 1.21
20 Trojan.AndroidOS.Vdloader.a 1.18

* Unique users attacked by this malware as a percentage of all users of Kaspersky mobile products that were attacked.

First place in our Top 20 as ever went to DangerousObject.Multi.Generic (44.89%), the verdict we use for malware detected using cloud technology. They are triggered when the antivirus databases still lack the data for detecting a malicious program, but the Kaspersky Security Network cloud already contains information about the object. This is basically how the latest malware is detected.

Second and third places were claimed by Trojan.AndroidOS.Boogr.gsh (9.09%) and DangerousObject.AndroidOS.GenericML (7,08%) respectively. These verdicts are assigned to files that are recognized as malicious by our machine-learning systems.

In fourth (Trojan-Downloader.AndroidOS.Necro.d, 4.52%) and tenth (Trojan-Downloader.AndroidOS.Necro.b, 1.94%) places are members of the Necro family, whose main task is to download and install modules from cybercriminal servers. Eighth-placed Trojan-Dropper.AndroidOS.Necro.z (2.30%) acts in a similar way, extracting from itself only those modules that it needs. As for Trojan.AndroidOS.Necro.a, which took ninth place (2.19%), cybercriminals assigned it a different task: the trojan follows advertising links and clicks banner ads in the victim’s name.

Trojan.AndroidOS.Hiddapp.ch (2.73%) claimed fifth spot. As soon as it runs, the malware hides its icon on the list of apps and continues to operate in the background. The trojan’s payload can be other trojan programs or adware apps.

Sixth place went to Trojan-Downloader.AndroidOS.Helper.a (2.45%), which is what Trojan-Downloader.AndroidOS.Necro usually delivers. Helper.a is tasked with downloading arbitrary code from the cybercriminals’ server and running it.

The verdict Trojan.AndroidOS.Handda.san (2.31%) in seventh place is a group of diverse trojans that hide their icons, gain Device Admin rights on the device, and use packers to evade detection.

Trojan-Banker.AndroidOS.Rotexy.e (1.43%) and Trojan-Dropper.AndroidOS.Penguin.e (1.42%) warrant a special mention. The former is the only banking trojan in the top 20 this past quarter. The Rotexy family is all of six years old, and its members have the functionality to steal bank card details and intercept two-factor payment authorization messages. In turn, the first member of the Penguin dropper family was only detected last July and had gained significant popularity by Q1 2020.

Geography of mobile threats

 

Map of infection attempts by mobile malware, Q1 2020 (download)

Top 10 countries by share of users attacked by mobile threats

Country* %**
1 Iran 39.56
2 Algeria 21.44
3 Bangladesh 18.58
4 Nigeria 15.58
5 Lebanon 15.28
6 Tunisia 14.94
7 Pakistan 13.99
8 Kuwait 13.91
9 Indonesia 13.81
10 Cuba 13.62

* Excluded from the rankings are countries with relatively few users of Kaspersky mobile products (under 10,000).
** Unique users attacked as a percentage of all users of Kaspersky mobile products in the country.

In Q1 2020, the leader by share of attacked users was Iran (39.56%). Inhabitants of this country most frequently encountered adware apps from the Notifyer family, as well as Telegram clone apps. In second place was Algeria (21.44%), where adware apps were also distributed, but this time it was the HiddenAd and FakeAdBlocker families. Third place was taken by Bangladesh (18.58%), where half of the top 10 mobile threats consisted of adware in the HiddenAd family.

Mobile banking trojans

During the reporting period, we detected 42,115 installation packages of mobile banking trojans. This is the highest value in the past 18 months, and more than 2.5 times higher than in Q4 2019. The largest contributions to the statistics came from the Trojan-Banker.AndroidOS.Agent (42.79% of all installation packages detected), Trojan-Banker.AndroidOS.Wroba (16.61%), and Trojan-Banker.AndroidOS.Svpeng (13.66%) families.

Number of installation packages of mobile banking trojans detected by Kaspersky, Q1 2019 – Q1 2020 (download)

Top 10 mobile banking trojans

  Verdict %*
1 Trojan-Banker.AndroidOS.Rotexy.e 13.11
2 Trojan-Banker.AndroidOS.Svpeng.q 10.25
3 Trojan-Banker.AndroidOS.Asacub.snt 7.64
4 Trojan-Banker.AndroidOS.Asacub.ce 6.31
5 Trojan-Banker.AndroidOS.Agent.eq 5.70
6 Trojan-Banker.AndroidOS.Anubis.san 4.68
7 Trojan-Banker.AndroidOS.Agent.ep 3.65
8 Trojan-Banker.AndroidOS.Asacub.a 3.50
9 Trojan-Banker.AndroidOS.Asacub.ar 3.00
10 Trojan-Banker.AndroidOS.Agent.cf 2.70

* Unique users attacked by this malware as a percentage of all users of Kaspersky mobile products who were attacked by banking threats.

First and second places in our top 10 were claimed by trojans targeted at Russian-speaking mobile users: Trojan-Banker.AndroidOS.Rotexy.e (13.11%) and Trojan-Banker.AndroidOS.Svpeng.q (10.25%).

Third, fourth, eighth, and ninth positions in the top 10 mobile banking threats went to members of the Asacub family. The cybercriminals behind this trojan stopped creating new samples, but its distribution channels were still active in Q1.

Geography of mobile banking threats, Q1 2020 (download)

Top 10 countries by share of users attacked by mobile banking trojans

Country* %**
1 Japan 0.57
2 Spain 0.48
3 Italy 0.26
4 Bolivia 0.18
5 Russia 0.17
6 Turkey 0.13
7 Tajikistan 0.13
8 Brazil 0.11
9 Cuba 0.11
10 China 0.10

* Excluded from the rankings are countries with relatively few users of Kaspersky mobile products (under 10,000).
** Unique users attacked by mobile banking trojans as a percentage of all users of Kaspersky mobile products in the country.

In Q1 2020, Japan (0.57%) had the largest share of users attacked by mobile bankers; the vast majority of cases involved Trojan-Banker.AndroidOS.Agent.eq.

In second place came Spain (0.48%), where in more than half of all cases, we detected malware from the Trojan-Banker.AndroidOS.Cebruser family, and another quarter of detections were members of the Trojan-Banker.AndroidOS.Ginp family.

Third place belonged to Italy (0.26%), where, as in Spain, the Trojan-Banker.AndroidOS.Cebruser family was the most widespread with almost two-thirds of detections.

It is worth saying a bit more about the Cebruser family. Its creators were among the first to exploit the coronavirus topic to spread the malware.

When it runs, the trojan immediately gets down to business: it requests access to Accessibility Services to obtain Device Admin permissions, and then tries to get hold of card details.

The malware is distributed under the Malware-as-a-Service model; its set of functions is standard for such threats, but with one interesting detail — the use of a step-counter for activation so as to bypass dynamic analysis tools (sandbox). Cebruser targets the mobile apps of banks in various countries and popular non-financial apps; its main weapons are phishing windows and interception of two-factor authorization. In addition, the malware can block the screen using a ransomware tool and intercept keystrokes on the virtual keyboard.

Mobile ransomware trojans

In Q2 2020, we detected 4,339 installation packages of mobile trojan ransomware, 1,067 fewer than in the previous quarter.

Number of installation packages of mobile ransomware trojans detected by Kaspersky, Q1 2019 – Q1 2020 (download)

Top 10 mobile ransomware trojans

Verdict %*
1 Trojan-Ransom.AndroidOS.Svpeng.aj 17.08
2 Trojan-Ransom.AndroidOS.Congur.e 12.70
3 Trojan-Ransom.AndroidOS.Small.as 11.41
4 Trojan-Ransom.AndroidOS.Rkor.k 9.88
5 Trojan-Ransom.AndroidOS.Small.as 7.32
6 Trojan-Ransom.AndroidOS.Small.o 4.79
7 Trojan-Ransom.AndroidOS.Svpeng.aj 3.62
8 Trojan-Ransom.AndroidOS.Svpeng.ah 3.55
9 Trojan-Ransom.AndroidOS.Congur.e 3.32
10 Trojan-Ransom.AndroidOS.Fusob.h 3.17

* Unique users attacked by this malware as a percentage of all users of Kaspersky mobile products who were attacked by ransomware trojans.

Over the past few quarters, the number of ransomware trojans detected has been gradually decreasing; all the same, we continue to detect quite a few infection attempts by this class of threats. The main contributors to the statistics were the Svpeng, Congur, and Small ransomware families.

Geography of mobile ransomware trojans, Q1 2020 (download)

Top 10 countries by share of users attacked by mobile ransomware trojans:

Country* %**
1 USA 0.26
2 Kazakhstan 0.25
3 Iran 0.16
4 China 0.09
5 Saudi Arabia 0.08
6 Italy 0.03
7 Mexico 0.03
8 Canada 0.03
9 Indonesia 0.03
10 Switzerland 0.03

* Excluded from the rankings are countries with relatively few users of Kaspersky mobile products (under 10,000).
** Unique users attacked by mobile ransomware trojans as a percentage of all users of Kaspersky mobile products in the country.

The leaders by number of users attacked by mobile ransomware trojans are Syria (0.28%), the United States (0.26%) and Kazakhstan (0.25%)

Attacks on Apple macOS

In Q1 2020, we detected not only new versions of common threats, but one new backdoor family, whose first member was Backdoor.OSX.Capip.a. The malware’s operating principle is simple: it calls the C&C for a shell script, which it then downloads and executes.

Top 20 threats to macOS

Verdict %*
1 Trojan-Downloader.OSX.Shlayer.a 19.27
2 AdWare.OSX.Pirrit.j 10.34
3 AdWare.OSX.Cimpli.k 6.69
4 AdWare.OSX.Ketin.h 6.27
5 AdWare.OSX.Pirrit.aa 5.75
6 AdWare.OSX.Pirrit.o 5.74
7 AdWare.OSX.Pirrit.x 5.18
8 AdWare.OSX.Spc.a 4.56
9 AdWare.OSX.Cimpli.f 4.25
10 AdWare.OSX.Bnodlero.t 4.08
11 AdWare.OSX.Bnodlero.x 3.74
12 Hoax.OSX.SuperClean.gen 3.71
13 AdWare.OSX.Cimpli.h 3.37
14 AdWare.OSX.Pirrit.v 3.30
15 AdWare.OSX.Amc.c 2.98
16 AdWare.OSX.MacSearch.d 2.85
17 RiskTool.OSX.Spigot.a 2.84
18 AdWare.OSX.Pirrit.s 2.80
19 AdWare.OSX.Ketin.d 2.76
20 AdWare.OSX.Bnodlero.aq 2.70

* Unique users attacked by this malware as a percentage of all users of Kaspersky security solutions for macOS who were attacked

The top 20 threats for macOS did not undergo any major changes in Q1 2020. The adware trojan Shlayer.a (19.27%) still tops the leaderboard, followed by objects that Shlayer itself loads into the infected system, in particular, numerous adware apps from the Pirrit family.

Interestingly, the unwanted program Hoax.OSX.SuperClean.gen landed in 12th place on the list. Like other Hoax-type programs, it is distributed under the guise of a system cleanup app, and immediately after installation, scares the user with problems purportedly found in the system, such as gigabytes of trash on the hard drive.

Threat geography

Country* %**
1 Spain 7.14
2 France 6.94
3 Italy 5.94
4 Canada 5.58
5 USA 5.49
6 Russia 5.10
7 India 4.88
8 Mexico 4.78
9 Brazil 4.65
10 Belgium 4.65

* Excluded from the rankings are countries with relatively few users of Kaspersky security solutions for macOS (under 5,000)
** Unique users who encountered macOS threats as a percentage of all users of Kaspersky security solutions for macOS in the country.

The leading countries, as in previous quarters, were Spain (7.14%), France (6.94%) and Italy (5.94%). The main contributors to the number of detections in these countries were the familiar Shlayer trojan and adware apps from the Pirrit family.

IoT attacks

IoT threat statistics

In Q1 2020, the share of IP addresses from which attempts were made to attack Kaspersky telnet traps increased significantly. Their share amounted to 81.1% of all IP addresses from which attacks were carried out, while SSH traps accounted for slightly less than 19%.

Distribution of attacked services by number of unique IP addresses of devices that carried out attacks, Q1 2020

It was a similar situation with control sessions: attackers often controlled infected traps via telnet.

Distribution of cybercriminal working sessions with Kaspersky traps, Q1 2020

Telnet-based attacks

 

Geography of device IP addresses where attacks at Kaspersky telnet traps originated, Q1 2020 (download)

Top 10 countries by location of devices from which attacks were carried out on Kaspersky telnet traps.

Country* %
China 13.04
Egypt 11.65
Brazil 11.33
Vietnam 7.38
Taiwan 6.18
Russia 4.38
Iran 3.96
India 3.14
Turkey 3.00
USA 2.57

 
For several quarters in a row, the leading country by number of attacking bots has been China: in Q1 2020 its share stood at 13.04%. As before, it is followed by Egypt (11.65%) and Brazil (11.33%).

SSH-based attacks

 

Geography of device IP addresses where attacks at Kaspersky SSH traps originated, Q1 2020 (download)

Top 10 countries by location of devices from which attacks were made on Kaspersky SSH traps.

Country* %
China 14.87
Vietnam 11.58
USA 7.03
Egypt 6.82
Brazil 5.79
Russia 4.66
India 4.16
Germany 3.64
Thailand 3.44
France 2.83

In Q1 2020, China (14.87%), Vietnam (11.58%) and the US (7.03%) made up the top three countries by number of unique IPs from which attacks on SSH traps originated.

Threats loaded into honeypots

Verdict %*
Trojan-Downloader.Linux.NyaDrop.b 64.35
Backdoor.Linux.Mirai.b 16.75
Backdoor.Linux.Mirai.ba 6.47
Backdoor.Linux.Gafgyt.a 4.36
Backdoor.Linux.Gafgyt.bj 1.30
Trojan-Downloader.Shell.Agent.p 0.68
Backdoor.Linux.Mirai.c 0.64
Backdoor.Linux.Hajime.b 0.46
Backdoor.Linux.Mirai.h 0.40
Backdoor.Linux.Gafgyt.av 0.35

* Share of malware type in the total amount of malware downloaded to IoT devices following a successful attack.

In Q1 2020, attackers most often downloaded the minimalistic trojan loader NyaDrop (64.35%), whose executable file does not exceed 500 KB. Threats from the Mirai family traditionally dominated: its members claimed four places in our top 10. These malicious programs will continue to rule the world of IoT threats for a long time to come, at least until the appearance of a more advanced (and publicly available) DDoS bot.

Financial threats

Financial threat statistics

In Q1 2020, Kaspersky solutions blocked attempts to launch one or several types of malware designed to steal money from bank accounts on the computers of 249,748 users.

Number of unique users attacked by financial malware, Q1 2020 (download)

Attack geography

To assess and compare the risk of being infected by banking trojans and ATM/POS malware in various countries, for each country we calculated the share of users of Kaspersky products that faced this threat during the reporting period out of all users of our products in that country.

Geography of banking malware attacks, Q1 2020 (download)

Top 10 countries by share of attacked users

Country* %**
1 Uzbekistan 10.5
2 Tajikistan 6.9
3 Turkmenistan 5.5
4 Afghanistan 5.1
5 Yemen 3.1
6 Kazakhstan 3.0
7 Guatemala 2.8
8 Syria 2.4
9 Sudan 2.1
10 Kyrgyzstan 2.1

* Excluded are countries with relatively few Kaspersky product users (under 10,000).
** Unique users whose computers were targeted by financial malware as a percentage of all unique users of Kaspersky products in the country.

Top 10 banking malware families

Name Verdicts %*
1 Emotet Backdoor.Win32.Emotet 21.3
2 Zbot Trojan.Win32.Zbot 20.8
3 CliptoShuffler Trojan-Banker.Win32.CliptoShuffler 17.2
4 RTM Trojan-Banker.Win32.RTM 12.3
5 Nimnul Virus.Win32.Nimnul 3.6
6 Trickster Trojan.Win32.Trickster 3.6
7 Neurevt Trojan.Win32.Neurevt 3.3
8 SpyEye Trojan-Spy.Win32.SpyEye 2.3
9 Danabot Trojan-Banker.Win32.Danabot 2.0
10 Nymaim Trojan.Win32.Nymaim 1.9

** Unique users attacked by this malware family as a percentage of all users attacked by financial malware.

Ransomware programs

Quarterly highlights

Ransomware attacks on organizations, as well as on city and municipal networks, did not ease off. Given how lucrative they are for cybercriminals, there is no reason why this trend of several years should cease.

More and more ransomware is starting to supplement encryption with data theft. To date, this tactic has been adopted by distributors of ransomware families, including Maze, REvil/Sodinokibi, DoppelPaymer and JSWorm/Nemty/Nefilim. If the victim refuses to pay the ransom for decryption (because, say, the data was recovered from a backup copy), the attackers threaten to put the stolen confidential information in the public domain. Such threats are sometimes empty, but not always: the authors of several ransomware programs have set up websites that do indeed publish the data of victim organizations.

Number of new modifications

In Q1 2020, we detected five new ransomware families and 5,225 new modifications of these malware programs.

Number of new ransomware modifications detected, Q1 2019 – Q1 2020 (download)

Number of users attacked by ransomware trojans

In Q1 2020, Kaspersky products and technologies protected 178,922 users from ransomware attacks.

Number of unique users attacked by ransomware trojans, Q1 2020 (download)

Attack geography

 

Geography of attacks by ransomware trojans, Q1 2020 (download)

Top 10 countries attacked by ransomware trojans

Country* %**
1 Bangladesh 6.64
2 Uzbekistan 1.98
3 Mozambique 1.77
4 Ethiopia 1.67
5 Nepal 1.34
6 Afghanistan 1.31
7 Egypt 1.21
8 Ghana 0.83
9 Azerbaijan 0.81
10 Serbia 0.74

* Excluded are countries with relatively few Kaspersky users (under 50,000).
** Unique users whose computers were attacked by ransomware trojans as a percentage of all unique users of Kaspersky products in the country.

Top 10 most common families of ransomware trojans

Name Verdicts %*
1 WannaCry Trojan-Ransom.Win32.Wanna 19.03
2 (generic verdict) Trojan-Ransom.Win32.Gen 16.71
3 (generic verdict) Trojan-Ransom.Win32.Phny 16.22
4 GandCrab Trojan-Ransom.Win32.GandCrypt 7.73
5 Stop Trojan-Ransom.Win32.Stop 6.62
6 (generic verdict) Trojan-Ransom.Win32.Encoder 4.28
7 (generic verdict) Trojan-Ransom.Win32.Crypren 4.15
8 PolyRansom/VirLock Virus.Win32.PolyRansom,

Trojan-Ransom.Win32.PolyRansom

2.96
9 Crysis/Dharma Trojan-Ransom.Win32.Crusis 2.02
10 (generic verdict) Trojan-Ransom.Win32.Generic 1.56

* Unique Kaspersky users attacked by the specified family of ransomware trojans as a percentage of all users attacked by ransomware trojans.

Miners

Number of new modifications

In Q1 2020, Kaspersky solutions detected 192,036 new miner modifications.

Number of new miner modifications, Q1 2020 (download)

Number of users attacked by miners

In Q1, we detected attacks using miners on the computers of 518,857 unique users of Kaspersky Lab products worldwide.

Number of unique users attacked by miners, Q1 2020 (download)

Attack geography

 

Geography of miner attacks, Q1 2020 (download)

Top 10 countries attacked by miners

Country* %**
1 Afghanistan 6.72
2 Ethiopia 4.90
3 Tanzania 3.26
4 Sri Lanka 3.22
5 Uzbekistan 3.10
6 Rwanda 2.56
7 Vietnam 2.54
8 Kazakhstan 2.45
9 Mozambique 1.96
10 Pakistan 1.67

* Excluded are countries with relatively few users of Kaspersky products (under 50,000).
** Unique users whose computers were attacked by miners as a percentage of all unique users of Kaspersky products in the country.

Vulnerable applications used by cybercriminals during cyberattacks

We already noted that Microsoft Office vulnerabilities are the most common ones. Q1 2020 was no exception: the share of exploits for these vulnerabilities grew to 74.83%. The most popular vulnerability in Microsoft Office was CVE-2017-11882, which is related to a stack overflow error in the Equation Editor component. Hard on its heels was CVE-2017-8570, which is used to embed a malicious script in an OLE object inside an Office document. Several other vulnerabilities, such as CVE-2018-0802 and CVE-2017-8759, were also popular with attackers. In the absence of security updates for Microsoft Office, these vulnerabilities are successfully exploited and the user’s system becomes infected.

In second place were exploits for vulnerabilities in Internet browsers (11.06%). In Q1, cybercriminals attacked a whole host of browsers, including Microsoft Internet Explorer, Google Chrome, and Mozilla Firefox. What’s more, some of the vulnerabilities were used in APT attacks, such as CVE-2020-0674, which is associated with the incorrect handling of objects in memory in an outdated version of the JScript scripting engine in Internet Explorer, leading to code execution. Another example is the previously identified CVE-2019-17026, a data type mismatch vulnerability in Mozilla Firefox’s JIT compiler, which also leads to remote code execution. In the event of a successful attack, both browser exploits cause a malware infection. The researchers also detected a targeted attack against Google Chrome exploiting the RCE vulnerability CVE-2020-6418 in the JavaScript engine; in addition, the dangerous RCE vulnerability CVE-2020-0767 was detected in a component of the ChakraCore scripting engine used by Microsoft Edge. Although modern browsers have their own protection mechanisms, cybercriminals are forever finding ways around them, very often using chains of exploits to do so. Therefore, it is vital to keep the operating system and software up to date at all times.

Distribution of exploits used in attacks by type of application attacked, Q1 2020 (download)

This quarter, a wide range of critical vulnerabilities were detected in operating systems and their components.

  • CVE-2020-0601 is a vulnerability that exploits an error in the core cryptographic library of Windows, in a certificate validation algorithm that uses elliptic curves. This vulnerability enables the use of fake certificates that the system recognizes as legitimate.
  • CVE-2020-0729 is a vulnerability in processing LNK files in Windows, which allows remote code execution if the user opens a malicious shortcut.
  • CVE-2020-0688 is the result of a default configuration error in Microsoft Exchange Server, whereby the same cryptographic keys are used to sign and encrypt serialized ASP.NET ViewState data, enabling attackers to execute their own code on the server side with system rights.

Various network attacks on system services and network protocols were as popular as ever with attackers. We continue to detect attempts at exploiting vulnerabilities in the SMB protocol using EternalBlue, EternalRomance and similar sets of exploits. In Q1 2020, the new vulnerability CVE-2020-0796 (SMBGhost) was detected in the SMBv3 network protocol, leading to remote code execution, in which regard the attacker does not even need to know the username/password combination (since the error occurs before the authentication stage); however, it is present only in Windows 10. In Remote Desktop Gateway there were found two critical vulnerabilities (CVE-2020-0609 and CVE-2020-0610) enabling an unauthorized user to execute remote code in the target system. In addition, there were more frequent attempts to brute-force passwords to Remote Desktop Services and Microsoft SQL Server via the SMB protocol as well.

Attacks via web resources

The statistics in this section are based on Web Anti-Virus, which protects users when malicious objects are downloaded from malicious/infected web pages. Malicious websites are specially created by cybercriminals; web resources with user-created content (for example, forums), as well as hacked legitimate resources, can be infected.

Countries that are sources of web-based attacks: Top 10

The following statistics show the distribution by country of the sources of Internet attacks blocked by Kaspersky products on user computers (web pages with redirects to exploits, sites containing exploits and other malicious programs, botnet C&C centers, etc.). Any unique host could be the source of one or more web-based attacks.

To determine the geographical source of web-based attacks, domain names are matched against their actual domain IP addresses, and then the geographical location of a specific IP address (GEOIP) is established.

In Q1 2020, Kaspersky solutions defeated 726,536,269 attacks launched from online resources located in 203 countries worldwide. As many as 442,039,230 unique URLs were recognized as malicious by Web Anti-Virus components.

Distribution of web-based attack sources by country, Q1 2020 (download)

Countries where users faced the greatest risk of online infection

To assess the risk of online infection faced by users in different countries, for each country, we calculated the percentage of Kaspersky users on whose computers Web Anti-Virus was triggered during the quarter. The resulting data provides an indication of the aggressiveness of the environment in which computers operate in different countries.

This rating only includes attacks by malicious programs that fall under the Malware class; it does not include Web Anti-Virus detections of potentially dangerous or unwanted programs such as RiskTool or adware.

Country* % of attacked users**
1 Bulgaria 13.89
2 Tunisia 13.63
3 Algeria 13.15
4 Libya 12.05
5 Bangladesh 9.79
6 Greece 9.66
7 Latvia 9.64
8 Somalia 9.20
9 Philippines 9.11
10 Morocco 9.10
11 Albania 9.09
12 Taiwan, Province of China 9.04
13 Mongolia 9.02
14 Nepal 8.69
15 Indonesia 8.62
16 Egypt 8.61
17 Georgia 8.47
18 France 8.44
19 Palestine 8.34
20 Qatar 8.30

* Excluded are countries with relatively few Kaspersky users (under 10,000).
** Unique users targeted by Malware-class attacks as a percentage of all unique users of Kaspersky products in the country.

These statistics are based on detection verdicts returned by the Web Anti-Virus module that were received from users of Kaspersky products who consented to providing statistical data.

On average, 6.56% of Internet user’ computers worldwide experienced at least one Malware-class attack.

Geography of malicious web-based attacks, Q1 2020 (download)

Local threats

In this section, we analyze statistical data obtained from the OAS and ODS modules in Kaspersky products. It takes into account malicious programs that were found directly on users’ computers or removable media connected to computers (flash drives, camera memory cards, phones, external hard drives), or which initially made their way onto the computer in non-open form (for example, programs in complex installers, encrypted files, etc.).

In Q1 2020, our File Anti-Virus registered 164,653,290 malicious and potentially unwanted objects. 

Countries where users faced the highest risk of local infection

For each country, we calculated the percentage of Kaspersky product users on whose computers File Anti-Virus was triggered during the reporting period. These statistics reflect the level of personal-computer infection in different countries.

Note that this rating only includes attacks by malicious programs that fall under the Malware class; it does not include File Anti-Virus triggers in response to potentially dangerous or unwanted programs, such as RiskTool or adware.

Country* % of attacked users**
1 Afghanistan 52.20
2 Tajikistan 47.14
3 Uzbekistan 45.16
4 Ethiopia 45.06
5 Myanmar 43.14
6 Bangladesh 42.14
7 Kyrgyzstan 41.52
8 Yemen 40.88
9 China 40.67
10 Benin 40.21
11 Mongolia 39.58
12 Algeria 39.55
13 Laos 39.21
14 Burkina Faso 39.09
15 Malawi 38.42
16 Sudan 38.34
17 Rwanda 37.84
18 Iraq 37.82
19 Vietnam 37.42
20 Mauritania 37.26

* Excluded are countries with relatively few Kaspersky users (under 10,000).
** Unique users on whose computers Malware-class local threats were blocked as a percentage of all unique users of Kaspersky products in the country.

Geography of local infection attempts, Q1 2020 (download)

Overall, 19.16% of user computers globally faced at least one Malware-class local threat during Q1.


Temp Mails (https://tempemail.co/) is a new free temporary email addresses service. This service provide you random 10 minutes emails addresses. It is also known by names like: temporary mail, disposable mail, throwaway email, one time mail, anonymous email address… All emails received by Tempmail servers are displayed automatically in your online browser inbox.

IT threat evolution Q1 2020 – 10 minute mail

Targeted attacks and malware campaigns

Operation AppleJeus: the sequel

In 2018, we published a report on Operation AppleJeus, one of the more notable campaigns of the threat actor Lazarus, currently one of the most active and prolific APT groups. One notable feature of this campaign was that it marked the first time Lazarus had targeted macOS targets, with the group inventing a fake company in order to deliver its manipulated application and exploit the high level of trust among potential victims.

Our follow-up research revealed significant changes to the group’s attack methodology. To attack macOS victims, Lazarus has developed homemade macOS malware and added an authentication mechanism to deliver the next stage payload very carefully, as well as loading the next-stage payload without touching the disk. In addition, to attack Windows victims, the group has elaborated a multi-stage infection procedure and made significant changes to the final payload. We believe Lazarus has been more careful in its attacks since the release of Operation AppleJeus and has employed a number of methods to avoid detection.

We identified several victims as part of our ongoing research, in the UK, Poland, Russia and China. Moreover, we were able to confirm that several of the victims are linked to cryptocurrency business organizations.

Roaming Mantis turns to SMiShing and enhances anti-researcher techniques

Kaspersky continues to track the Roaming Mantis campaign. This threat actor was first reported in 2017, when it used SMS to distribute its malware to Android devices in just one country – South Korea. Since then, the scope of the group’s activities has widened considerably. Roaming Mantis now supports 27 languages, targets iOS as well as Android and includes cryptocurrency mining for PCs in its arsenal.

Roaming Mantis is strongly motivated by financial gain and is continuously looking for new targets. The group has also put a lot of effort into evading tracking by researchers, including implementing obfuscation techniques and using whitelisting to avoid infecting researchers who navigate to the malicious landing page. While the group is currently applying whitelisting only to Korean pages, we think it is only a matter of time before Roaming Mantis implements this for other languages.

Roaming Mantis has also added new malware families, including Fakecop and Wroba.j. The actor is still very active in using ‘SMiShing‘ for Android malware distribution. This is particularly alarming, because it means that the attackers could combine infected mobile devices into a botnet for malware delivery, SMiShing, and so on. In one of the more recent methods used by the group, a downloaded malicious APK file contains an icon that impersonates a major courier company brand: the spoofed brand icon is customized for the country it targets – for example, Sagawa Express for Japan, Yamato Transport and FedEx for Taiwan, CJ Logistics for South Korea and Econt Express for Russia.

WildPressure on industrial networks in the Middle East

In March, we reported a targeted campaign to distribute Milum, a Trojan designed to gain remote control of devices in target organizations, some of which operate in the industrial sector. We detected the first signs of this operation, which we have dubbed WildPressure, in August 2019; and the campaign remains active.

The Milum samples that we have seen so far do not share any code similarities with any known APT campaigns. All of them allow the attackers to control infected devices remotely: letting them download and execute commands, collect information from the compromised computer and send it to the C2 server and install upgrades to the malware.

Attacks on industrial targets can be particularly devastating. So far, we haven’t seen evidence that the threat actor behind WildPressure is trying to do anything beyond gathering data from infected networks. However, the campaign is still in development, so we don’t yet know what other functionality might be added.

To avoid becoming a victim of this and other targeted attacks, organizations should do the following.

  • Update all software regularly, especially when a new patch becomes available.
  • Deploy a security solution with a proven track record, such as Kaspersky Endpoint Security, that is equipped with behavior-based protection against known and unknown threats, including exploits.
  • On top of endpoint protection, implement a corporate-grade security solution designed to detect advanced threats against the network, such as Kaspersky Anti Targeted Attack Platform.
  • Ensure staff understand social engineering and other methods used by attackers and develop a security culture within in the organization.
  • Provide your security team with access to comprehensive cyberthreat intelligence, such as Kaspersky APT Intelligence Reporting.

TwoSail Junk

On January 10, we discovered a watering-hole attack that utilized a full remote iOS exploit chain to deploy a feature-rich implant named LightSpy. Judging by the content of the landing page, the site appears to have been designed to target users in Hong Kong.

Since then, we have released two private reports on LightSpy, available to customers of Kaspersky Intelligence Reporting (please contact [email protected] for further information).

We are temporarily calling the APT group behind this implant TwoSail Junk. Currently, we have hints from known backdoor callbacks to infrastructure about clustering this campaign with previous activity. We are also working with fellow researchers to tie LightSpy to prior activity from a well-established Chinese-speaking APT group, previously reported (here and here) as Spring Dragon (aka Lotus Blossom and Billburg(Thrip)), known for its Lotus Elise and Evora backdoors.

As this LightSpy activity was disclosed publicly by fellow researchers from Trend Micro, we wanted to contribute missing information to the story without duplicating content. In addition, in our quest to secure technologies for a better future, we have reported this malware and activity to Apple and other relevant companies.

Our report includes information about the Android implant, including its deployment, spread and support infrastructure.

A sprinkling of Holy Water in Asia

In December, we discovered watering-hole websites that were compromised to selectively trigger a drive-by download attack with fake Adobe Flash update warnings.

This campaign, which has been active since at least May 2019, targets an Asian religious and ethnic group. The threat actor’s unsophisticated but creative toolset, which has evolved greatly and may still be in development, makes use of Sojson obfuscation, NSIS installer, Python, open-source code, GitHub distribution, Go language and Google Drive-based C2 channels.

The threat actor’s operational target is unclear because we haven’t been able to observe many live operations. We have also been unable to identify any overlap with known APT groups.

Threat hunting with Bitscout

In February, Vitaly Kamluk, from the Global Research and Analysis Team at Kaspersky, reported on a new version of Bitscout, based on the upcoming release of Ubuntu 20.04 (scheduled for release in April 2020).

Bitscout is a remote digital forensics tool that we open-sourced about two and a half years ago, when Vitaly was located in the Digital Forensics Lab at INTERPOL. Bitscout has helped us in many cyber-investigations. Based on the widely popular Ubuntu Linux distribution, it incorporates forensics and malware analysis tools created by a large number of excellent developers around the world.

Here’s a summary of the approach we use in Bitscout

  • Bitscout is completely FREE, thereby reducing your forensics budget.
  • It is designed to work remotely, saving time and money that would otherwise be spent on travel. Of course, you can use the same techniques locally.
  • The true value lies not in the toolkit itself, but in the power of all the forensic tools that are included.
  • There’s a steep learning curve involved in mastering Bitscout, which ultimately reinforces the technical foundations of your experts.
  • Bitscout records remote forensics sessions internally, making it perfect for replaying and learning from more experienced practitioners or using as evidential proof of discovery.
  • It is fully open source, so you don’t need to wait for the vendor to implement a patch or feature for you: you are free to reverse-engineer and modify any part of it.

We have launched a project website, bitscout-forensics.info, as the go-to destination for those looking for tips and tricks on remote forensics using Bitscout.

Hunting APTs with YARA

In recent years, we have shared our knowledge and experience of using YARA as a threat hunting tool, mainly through our training course, ‘Hunting APTs with YARA like a GReAT ninja’, delivered during our Security Analyst Summit. However, the COVID-19 pandemic has forced us to postpone the forthcoming SAS.

Meanwhile, we have received many requests to make our YARA hands-on training available to more people. This is something we are working on and hope to be able to provide soon as an online training experience. Look out for updates on this by following us on Twitter – @craiu, @kaspersky.

With so many people working from home, and spending even more time online, it is also likely the number of threats and attacks will increase. Therefore, we decided to share some of the YARA experience we have accumulated in recent years, in the hope that all of you will find it useful for keeping threats at bay.

If you weren’t able to join the live presentation, on March 31, you can find the recording here.

We track the activities of hundreds of APT threat actors and regularly highlight the more interesting findings here. However, if you want to know more, please reach out to us at [email protected]

Other security news

Shlayer Trojan attacks macOS users

Although many people consider macOS to be safe, there are cybercriminals who seek to exploit those who use this operating system. One malicious program stands out – the Shlayer Trojan. In 2019, Kaspersky macOS products blocked this Trojan on every tenth device, making this the most widespread threat to people who use macOS.

Shlayer is a smart malware distribution system that spreads via a partner network, entertainment websites and even Wikipedia. This Trojan specializes in the installation of adware – programs that feed victims illicit ads, intercepting and gathering their browser queries and modifying search results to distribute even more advertising messages.

Shlayer accounted for almost one-third of all attacks on macOS devices registered by Kaspersky products between January and November last year – and nearly all other top 10 macOS threats were adware programs that Shlayer installs.

The infection starts with an unwitting victim downloading the malicious program. The criminals behind Shlayer set up a malware distribution system with a number of channels leading their victims to download the malware. Shlayer is offered as a way to monetize websites in a number of file partner programs, with relatively high payment for each malware installation made by users in the US, prompting over 1,000 ‘partner sites’ to distribute Shlayer. This scheme works as follows: a user looks for a TV series episode or a football match, and advertising landing pages redirect them to fake Flash Player update pages. From here, the victim downloads the malware; and for each installation, the partner who distributed links to the malware receives a pay-per-install payment.

Other schemes that we saw led to a fake Adobe Flash update page that redirected victims from various large online services with multi-million audiences, including YouTube, where links to the malicious website were included in video descriptions, and Wikipedia, where such links were hidden in article references. People that clicked on these links would also be redirected to the Shlayer download landing pages. Kaspersky researchers found 700 domains containing malicious content, with links to them on a variety of legitimate websites.

Almost all the websites that led to a fake Flash Player contained content in English. This corresponds to the countries where we have seen most infections – the US (31%), Germany (14%), France (10%) and the UK (10%).

Blast from the past

Although many people still use the term “virus” to mean any malicious program, it actually refers specifically to self-replicating code, i.e., malicious code that copies itself from file to file on the same computer. Viruses, which used to dominate the threat landscape, are now rare. However, there are some interesting exceptions to this trend and we came across one recently – the first real virus we’ve seen in the wild for some time.

The virus, called KBOT, infects the victim’s computer via the internet, a local network, or infected external media. After the infected file is launched, the malware gains a foothold in the system, writing itself to Startup and the Task Scheduler, and then deploys web injects to try to steal the victim’s bank and personal data. KBOT can also download additional stealer modules that harvest and send to the Command-and-Control (C2) server comprehensive information about the victim, including passwords/logins, crypto-wallet data, lists of files and installed applications, and so on. The malware stores all its files and stolen data in a virtual file system, encrypted using the RC6 algorithm, making it hard to detect.

Cybercriminals exploiting fears about data breaches

Phishers are always on the lookout for hot topics that they can use to hook their victims, including sport, politics, romance, shopping, banking, natural disasters and anything else that might entice someone into clicking on a link or malicious file attachment.

Recently, cybercriminals have exploited the theme of data leaks to try to defraud people. Data breaches, and the fines imposed for failing to safeguard data, are now a staple feature of the news. The scammers posed as an organization called the “Personal Data Protection Fund” and claim that the “US Trading Commission” had set up a fund to compensate people whose personal data had been exposed.

However, in order to get the compensation, the victims are asked to provide a social security number. The scammers offer to sell a temporary SSN to those who don’t have one.

Even if the potential victim enters a valid SSN, they are still directed to a page asking them to purchase a temporary SSN.

You can read the full story here.

… and coronavirus

The bigger the hook, the bigger the pool of potential victims. So it’s no surprise that cybercriminals are exploiting the COVID-19 pandemic. We have found malicious PDF, MP4 and DOCX files disguised as information about the coronavirus. The names of the files suggest they contain video instructions on how to protect yourself, updates on the threat and even virus detection procedures. In fact, these files are capable of destroying, blocking, modifying or copying data, as well as interfering with the operation of the computer.

The cybercriminals behind the Ginp banking Trojan recently developed a new campaign related to COVID-19. After receiving a special command, the Trojan opens a web page called Coronavirus Finder. This provides a simple interface that claims to show the number of people nearby who are infected with the virus and asks you to pay a small sum to see their location.

The Trojan then provides a payment form.

Then … nothing else happens – apart from the criminals taking your money. Data from the Kaspersky Security Network suggests that most users who have encountered Ginp are located in Spain. However, this is a new version of Ginp that is tagged “flash-2”, while previous versions were tagged “flash-es12”. So perhaps the lack of “es” in the tag of the newer version means the cybercriminals are planning to expand their campaign beyond Spain.

We have also seen a number of phishing scams where cybercriminals pose as bona fide organizations to trick people into clicking on links to fake sites where the scammers capture their personal information, or even ask them to donate money.

If you’ve ever wanted to know why it’s so easy for phishers to create spoof emails, and what efforts have been made to make it harder for them, you can find a good overview of the problems and potential solutions here.

Cybercriminals are also taking the opportunity to attack the information infrastructure of medical facilities, clearly hoping that the overload on IT services will provide them with an opportunity to break into hospital networks, or are attempting to extort money from clinical research companies. In an effort to ensure that IT security isn’t something that medical teams have to worry about, we’re offering medical institutions free six-month licenses for our core solutions.

In February, we reported an unusual malware campaign in which cybercriminals were spreading the AZORult Trojan as a fake installer for ProtonVPN.

The aim of the campaign is to steal personal information and crypto-currency from the victims.

The attackers created a spoof copy a VPN service’s website, which looks like the original but has a different domain name. The criminals spread links to the domain through advertisements using different banner networks – a practice known as malvertizing. When someone visits a phishing website, they are prompted to download a free VPN installer for Windows. Once launched, this drops a copy of the AZORult botnet implant. This collects the infected device’s environment information and reports it to the server. Finally, the attackers steal crypto-currency from locally available wallets (Electrum, Bitcoin, Etherium and others), FTP logins, and passwords from FileZilla, email credentials, information from locally installed browsers (including cookies), credentials from WinSCP, Pidgin messenger and others.

AZORult is one of the most commonly bought and sold stealers on Russian forums due to its wide range of capabilities. The Trojan is able to harvest a good deal of data, including browser history, login credentials, cookies, files and crypto-wallet files; and can also be used as a loader to download other malware.

Distributing malware under the guise of security certificates

Distributing malware under the guise of legitimate software updates is not new. Typically, cybercriminals invite potential victims to install a new version of a browser or Adobe Flash Player. However, we recently discovered a new approach: visitors to infected sites were informed that some kind of security certificate had expired.

They were offered an update that infected them with malware – specifically the Buerak downloader and Mokes backdoor.

We detected the infection on variously themed websites – from a zoo to a store selling auto parts. The earliest infections that we found date back to January 16.

Mobile malware sending offensive messages

We have seen many mobile malware apps re-invent themselves, adding new layers of functionality over time. The Faketoken Trojan offers a good example of this. Over the last six years, it has developed from an app designed to capture one-time passcodes, to a fully-fledged mobile banking Trojan, to ransomware. By 2017, Faketoken was able to mimic many different apps, including mobile banking apps, e-wallets, taxi service apps and apps used to pay fines and penalties – all in order to steal bank account data.

Recently, we observed 5,000 Android smartphones infected by Faketoken sending offensive text messages. SMS capability is a standard feature of many mobile malware apps, many of which spread by sending links to their victims’ contacts; and banking Trojans typically try to make themselves the default SMS application, in order to intercept one-time passcodes. However, we had not seen one become a mass texting tool.

The messages sent by Faketoken are charged to the owner of the device; and since many of the infected smartphones we saw were texting a foreign number, the cost was quite high. Before sending any messages, the Trojan checks to see if there are sufficient funds in the victim’s bank account. If there are, Faketoken tops up the mobile account sending any messages.

We don’t yet know whether this is a one-off campaign or the start of a trend. To avoid becoming a victim of Faketoken, download apps only from Google Play, disable the downloading of apps from other sources, don’t follow links from messages and protect your device with a reputable mobile security product.

The use and abuse of the Android AccessibilityService

In January, we reported that cybercriminals were using malware to boost the rating of specific apps, to increase the number of installations.

The Shopper.a Trojan also displays advertising messages on infected devices, creates shortcuts to advertising sites and more.

The Trojan opens Google Play (or other app store), installs several programs and writes fake user reviews about them. To prevent the victim noticing, the Trojan conceals the installation window behind an ‘invisible’ window. Shopper.a gives itself the necessary permissions using the Android AccessibilityService. This service is intended to help people with disabilities use a smartphone, but if a malicious app obtains permission to use it, the malware has almost limitless possibilities for interacting with the system interface and apps – including intercepting data displayed on the screen, clicking buttons and emulating user gestures.

Shopper.a was most widespread in Russia, Brazil and India.

You should be wary if an app requests access to the AccessibilityService but doesn’t need it. Even if the only danger posed by such apps comes from automatically written reviews, there is no guarantee that its creators will not change the payload later.

Everyone loves cookies – including cybercriminals

We recently discovered a new malicious Android Trojan, dubbed Cookiethief, designed to acquire root permissions on the victim’s device and transfer cookies used by the browser and the Facebook app to the cybercriminals’ C2 server. Using the stolen cookies, the criminals can gain access to the unique session IDs that websites and online services use to identify someone, thereby allowing the criminals to assume someone’s identity and gain access to online accounts without the need for a login and password.

On the C2 server, we found a page advertising services for distributing spam on social networks and messengers, which we think is the underlying motive in stealing cookies.

From the C2 server addresses and encryption keys used, we were able to link Cookiethief to widespread Trojans such as Sivu, Triada, and Ztorg. Usually, such malware is either planted in the device firmware before purchase, or it gets into system folders through vulnerabilities in the operating system and then downloads various applications onto the system.

Stalkerware: no place to hide

We recently discovered a new sample of stalkerware – commercial software typically used by those who want to monitor a partner, colleague or others – that contains functionality beyond anything we have seen before. You can find more information on stalkerware here and here.

MonitorMinor, goes beyond other stalkerware programs. Primitive stalkerware uses geo-fencing technology, enabling the operator to track the victim’s location, and in most cases intercept SMS and call data. MonitorMinor goes a few steps further: recognizing the importance of messengers as a means of data collection, this app aims to get access to data from all the popular modern communication tools.

Normally, the Android sandbox prevents direct communication between apps. However, if a superuser app has been installed, which grants root access to the system, it overrides the security mechanisms of the device. The developers of MonitorMinor use this to enable full access to data on a variety of popular social media and messaging applications, including Hangouts, Instagram, Skype and Snapchat. They also use root privileges to access screen unlock patterns, enabling the stalkerware operator to unlock the device when it is nearby or when they next have physical access to the device. Kaspersky has not previously seen this feature in any other mobile threat.

Even without root access, the stalkerware can operate effectively by abusing the AccessibilityService API, which is designed to make devices friendly for users with disabilities. Using this API, the stalkerware is able to intercept any events in the applications and broadcast live audio.

Our telemetry indicates that the countries with the largest share of installations of MonitorMinor are India, Mexico, Germany, Saudi Arabia and the UK.

We recommend the following tips to reduce the risk of falling victim to a stalker:

  • Block the installation of apps from unknown sources in your smartphone settings.
  • Never disclose the password or passcode to your mobile device, even with someone you trust.
  • If you are ending a relationship, change security settings on your mobile device, such as passwords and app location access settings.
  • Keep a check on the apps installed on your device, to see if any suspicious apps have been installed without your consent
  • Use a reliable security solution that notifies you about the presence of commercial spyware programs aimed at invading your privacy, such as Kaspersky Internet Security.
  • If you think you are being stalked, reach out to a professional organization for advice.
  • For further guidance, contact the Coalition against Stalkerware
  • There are resources that can assist victims of domestic violence, dating violence, stalking and sexual violence. If you need further help, please contact the Coalition against Stalkerware.


Temp Mails (https://tempemail.co/) is a new free temporary email addresses service. This service provide you random 10 minutes emails addresses. It is also known by names like: temporary mail, disposable mail, throwaway email, one time mail, anonymous email address… All emails received by Tempmail servers are displayed automatically in your online browser inbox.

Hiding in plain sight: PhantomLance walks into a market – 10 minute mail

In July 2019, Dr. Web reported about a backdoor trojan in Google Play, which appeared to be sophisticated and unlike common malware often uploaded for stealing victims’ money or displaying ads. So, we conducted an inquiry of our own, discovering a long-term campaign, which we dubbed “PhantomLance”, its earliest registered domain dating back to December 2015. We found dozens of related samples that had been appearing in the wild since 2016 and had been deployed in various application marketplaces including Google Play. One of the latest samples was published on the official Android market on November 6, 2019. We informed Google of the malware, and it was removed from the market shortly after.

The latest example of spyware in Google Play disguised as a browser cleaner

During our investigation, we discovered various overlaps with reported OceanLotus APT campaigns. Thus, we found multiple code similarities with the previous Android campaign, as well as macOS backdoors, infrastructure overlaps with Windows backdoors and a few cross-platform resemblances.

Besides the attribution details, this document describes the actors’ spreading strategy, their techniques for bypassing app market filters, malware version diversity and the latest sample deployed in 2020, which uses Firebase to decrypt the malicious payload.

Our report is broken down into several sections.

  1. Malware versions – technical description of versions found, their features and relationships between them.
  2. Spread – information on specific tactics used by the threat actors for distributing their malware.
  3. Infrastructure – further details on uncovered infrastructure pieces as well as overlaps found.
  4. Victimology – thoughts on the actors’ interests in choosing their targets.
  5. Overlaps with previous campaigns – details of similarities with all related campaigns that we have identified.

More information on PhantomLance is available to customers of Kaspersky Intelligence Reporting. For more information, contact [email protected]

Malware versions

For the purposes of the research, we divided samples we found into a series of “versions” based on technical complexity: from the basic Version 1 to the highly sophisticated Version 3. Note that they do not fully correlate with the chronological order of their appearance ITW: for example, we observed Version 1 samples in late 2019 and in 2017, the year that we also saw Version 3.

Functionality of all samples are similar – the main purpose of spyware was to gather sensitive information. While the basic functionality was not very broad, and included geolocation, call logs, contact access and SMS access, the application could also gather a list of installed applications, as well as device information, such as model and OS version. Furthermore, the threat actor was able to download and execute various malicious payloads, thus, adapting the payload that would be suitable to the specific device environment, such as Android version and installed apps. This way the actor is able to avoid overloading the application with unnecessary features and at the same time gather information needed.

Version 1

We attribute the latest Google Play sample (MD5: 2e06bbc26611305b28b40349a600f95c) to this version. This is a clear payload, and unlike the other versions, it does not drop an additional executable file. Our main theory about the reasons for all these versioning maneuvers is that the attackers are trying to use diverse techniques to achieve their key goal, to bypass the official Google marketplace filters. And achieve it they did, as even this version passed Google’s filters and was uploaded to Google Play Store in 2019 (see Spreading for details).

No suspicious permissions are mentioned in the manifest file; instead, they are requested dynamically and hidden inside the dex executable. This seems to be a further attempt at circumventing security filtering. In addition to that, there is a feature that we have not seen before: if the root privileges are accessible on the device, the malware can use a reflection call to the undocumented API function “setUidMode” to get permissions it needs without user involvement.

Note that this trick only works with Android SDK version 19 or higher.

Most of the aforementioned operations naturally require root access, but we believe that the root exploit may be delivered as payload in a server response to collected device info. Also, some of the applications that the malware mimics will have notified the user that they only work on rooted devices. For instance, Browser Cleaner can only clean up the browser cache if it is given root permissions.

Version 2

Specimens of this version were also detected in 2019 and earlier. One of the samples was located in Google Play Store in November 2019 and described in the Dr. Web blog. Based on our detection statistics and spotted version stamps, we believe that this version is a replacement for Version 3, which we did not observe in 2019.

Below are the most valuable points and main differences from the Version 1.

The malicious payload APK is now packed in an encrypted file in the assets directory and is decrypted by the first stage using an AES algorithm. A decryption key and initialization vector (IV) are located in the first 32 + 16 bytes of the encrypted payload.

After decryption, the asset file will look like this.

As you can see, before the APK magic, the file header contains strings that are used for making further reflection calls to payload methods. Here is the first-stage code fragment with explanations regarding the payload loading process.

All Version 2 payloads use the same package name, “com.android.play.games”, which probably mimics the official Google Play Games package, “com.google.android.play.games”.

Moreover, we spotted developer version stamps in decrypted payloads.

MD5 Developer version stamp
65d399e6a77acf7e63ba771877f96f8e 5.10.6084
6bf9b834d841b13348851f2dc033773e 5.10.6090
8d5c64fdaae76bb74831c0543a7865c3 5.10.9018
3285ae59877c6241200f784b62531694 5.10.9018
e648a2cc826707aec33208408b882e31 5.10.9018

It is worth mentioning payload manifests, which do not contain any permission requests. As stated in the description of Version 1, permissions required by the malicious features are granted via an undocumented Android API.

We have found two different certificates used for signing Version 2 payloads.

MD5 Certificate
6bf9b834d841b13348851f2dc033773e Serial Number: 0xa4ed88e620b8262e

Issuer: CN=Lotvolron

Validity: from = Wed Jan 20 11:30:49 MSK 2010

65d399e6a77acf7e63ba771877f96f8e
8d5c64fdaae76bb74831c0543a7865c3 Serial Number: 0xd47c08706d440384

Issuer: CN=Ventoplex

Validity: from = Wed Apr 13 05:21:26 MSK 2011

3285ae59877c6241200f784b62531694
e648a2cc826707aec33208408b882e31

Although validity dates look spoofed in both cases and do not point to any real deployment times, by analyzing all payload certificates, we discovered that the second one (Ventoplex) was used to sign Version 3 payloads as well.

Version 2.1

The latest samples of PhantomLance discovered in the early 2020 introduced a new technique for decrypting payloads: the malicious payload was shipped with its dropper, encrypted with AES. The key is not stored anywhere in the dropper itself but sent to the device using Google’s Firebase remote config system. The other technical features are very similar to the ones we observed in Version 2, so we tagged this generation as Version 2.1.

We were able to make a valid request to PhantomLance’s Firebase API. The response consisted of a JSON struct containing the AES decryption key, where the “code_disable” value is the decryption key for payload.

What is important, the dropper expects that the AES decryption key will be stored in a parameter named “code”, so this specific variant should not function properly. Besides, we noticed that Firebase previously returned one more field, named “conf_disable”, which has the same value as the “code_disable”, so we assume that the actors are still tinkering with this new feature.

Another interesting technique that the actors are trying to implement is a third-stage payload implant. The second-stage payload (MD5: 83cd59e3ed1ba15f7a8cadfe9183e156) contains an APK file named “data” (MD5: 7048d56d923e049ca7f3d97fb5ba9812) with a corrupted header in the assets path.

The second stage reads this APK file, decrypts it and rewrites its first 27 bytes as described below.

This results in an APK file (MD5: c399d93146f3d12feb32da23b75304ba) that appears to be a typical PhantomLance payload configured with already known C2 servers (cloud.anofrio[.]com, video.viodger[.]com, api.anaehler[.]com). This third-stage APK is deployed with a custom native library named “data.raw”, also stored at the assets path. This library is used for achieving persistence on the infected device and appears to be a custom daemonized ELF executable based on the open-source “daemon.c” Superuser tool component, while in previous samples, we saw MarsDaemon used for this purpose.

Code comparison of the library used to daemonize the third stage payload with daemon.c source code hosted on Github

Version 3

While we have found that Version 2 has been used as a replacement for this one, as we have not observed any new deployments of Version 3 in 2019, it still looks more advanced in terms of technical details than Version 2. According to our detection statistics and deployment dates on application markets, Version 3 was active at least from 2016 to 2018.

Below are the most valuable points and main differences between Version 3 and Version 2.

The first-stage dropper appears even more obfuscated than that in Version 2; it uses a similar way of decrypting the payload, but it has minor differences. The encrypted content is split into multiple asset files under 10256 bytes in size plus an encrypted config file, and contains payload decryption details.

Below is the payload decryption sequence.

  1. Decrypt the payload config file from the assets with both a hardcoded name and AES key.
  2. Read the following values from the decrypted payload config file in this order:
    • AES key for APK payload decryption
    • Class and method names for reflection calls to the payload
    • MD5 for APK payload integrity check
    • Number and names of the split APK payload parts
  3. Decrypt the APK payload header hardcoded in the first stage with the AES key from the payload config. Write it to the APK payload file.
  4. Using decrypted names of the split payload parts, decrypt their content and append them to the APK payload file one by one.
  5. Check the integrity of the resulting APK payload file by comparing with the MD5 value decrypted from the payload config.
  6. Load and run the APK payload.

The following reversed code fragment represents the actual payload decryption process.

Each Version 3 payload has the same package name, “com.android.process.gpsp”, and is signed with the same certificate (CN=Ventoplex), used to sign some of the Version 2 payloads.

The only developer version stamp that we have found in Version 3 payloads is “10.2.98”.

Another notable finding is the 243e2c6433815f2ecc204ada4821e7d6 sample, which we believe belongs to a Version 3 payload. However, no related dropper has been spotted in the wild, and unlike the other payloads, it is signed with a debug certificate and not obfuscated at all, revealing all variable/class/method names and even BuildConfig values. Our guess that this is a debug developer version that somehow got leaked.

As a conclusion to this technical review, it is worth saying that all payloads across the different versions, even Version 1, which is in fact a clear payload without a dropper, share a code structure and locations where sensitive strings, such as С2 addresses, are stored.

Spread

The main spreading vector used by the threat actors is distribution through application marketplaces. Apart from the com.zimice.browserturbo, which we have reported to Google, and  com.physlane.opengl, reported by Dr. Web, we have observed tracks indicating that many malicious applications were deployed to Google Play in the past and have now been removed.

These search results contain a link to already-removed malware in Google Play

Some of the applications whose appearance in Google Play we can confirm.

Package name Google Play persistence date (at least)
com.zimice.browserturbo 2019-11-06
com.physlane.opengl 2019-07-10
com.unianin.adsskipper 2018-12-26
com.codedexon.prayerbook 2018-08-20
com.luxury.BeerAddress 2018-08-20
com.luxury.BiFinBall 2018-08-20
com.zonjob.browsercleaner 2018-08-20
com.linevialab.ffont 2018-08-20

Besides, we have identified multiple third-party marketplaces that, unlike Google Play, still host the malicious applications, such as https://apkcombo[.]com, https://apk[.]support/, https://apkpure[.]com, https://apkpourandroid[.]com and many others.

Example of a malicious application with a description in Vietnamese that is still available in a third-party marketplace (hxxps://androidappsapk[.]co/detail-cham-soc-be-yeu-babycare/)

In nearly every case of malware deployment, the threat actors try to build a fake developer profile by creating a Github account that contains only a fake end-user license agreement (EULA). An example is the one below, reported by us to Google.

This Google Play page contains a fake developer email

 Here is a related Github account with the same handle, registered on October 17, 2019.

A Github profile that is part of the fake developer identity

The account contains only one report with one file described as some type of EULA.

During our extensive investigation, we spotted a certain tactic often used by the threat actors for distributing their malware. The initial versions of applications uploaded to app marketplaces did not contain any malicious payloads or code for dropping a payload. These versions were accepted because they contained nothing suspicious, but follow-up versions were updated with both malicious payloads and code to drop and execute these payloads. We were able to confirm this behavior in all of the samples, and we were able to find two versions of the applications, with and without a payload.

An example of this behavior can be seen in Ads Skipper (https://apkpure[.]ai/ads-skipper), in ApkPure.

Versions of Ads Skipper with (v. 2.0) and without (v. 1.0) a malicious payload in ApkPure

Third-party marketplaces like those mentioned in the table above often serve as a mirror for Google Play: they simply copy applications and metadata from Google Play to their own servers. Therefore, it is safe to assume that the samples listed in the table were copied from Google Play as well.

Infrastructure

While analyzing the С2 server infrastructure, we quickly identified multiple domains that shared similarities with previous ones but were not linked to any known malware samples. This allowed us to uncover more pieces of the attackers’ infrastructure.

Example of related infrastructure

Tracking PhantomLance’s old infrastructure, which dated back four years, we noticed that the expired domain names had been extended. The maintenance suggested that the infrastructure might be used again in the future.

Domain Registered Last updated
osloger[.]biz 2015-12-09 2019-12-01
log4jv[.]info 2015-12-09 2019-11-26
sqllitlever[.]info 2015-12-09 2019-11-26
anofrio[.]com 2017-05-16 2020-03-30
anaehler[.]com 2017-05-16 2020-03-30
viodger[.]com 2017-05-16 2020-04-07

The PhantomLance TTPs indicate that samples are configured only with subdomains as C2 servers, while most, but not all, parent domains do not have their own IP resolution. We checked the ones that did have a valid resolution and found that they all resolved to the same IP address: 188.166.203[.]57. It belongs to the DigitalOcean cloud infrastructure provider and, according to Domaintools, hosts a total of 129 websites.

Looking up records for this IP address in our passive DNS database suggests that a few dozen of these websites are legitimate, as well as the aforementioned PhantomLance domains and two more interesting overlaps with OceanLotus infrastructure:

  • browsersyn[.]com: known domain used as a C2 in a previously publicly reported sample (MD5: b1990e19efaf88206f7bffe9df0d9419) considered by the industry to be the OceanLotus APT.
  • cerisecaird[.]com: privately received information indicates that this domain is related to OceanLotus as well.

Victimology

We have observed around 300 infection attacks on Android devices in India, Vietnam, Bangladesh, Indonesia, etc. starting in 2016. Below is a rough cartographic representation of countries with top attempted attacks.

We have also seen a number of detections in Nepal, Myanmar and Malaysia. As you can see, this part of South Asia seems to be targeted by the actors the most.

Note that due to the chosen distribution vector (publication of malicious samples on publicly available application stores), there should be secondary infection of random victims not directly related to the actors’ interests.

To get more details on targeted victims, we looked at the types of applications that the malware mimicked. Apart from common luring applications, such as Flash plugins, cleaners and updaters, there were those that specifically targeted Vietnam.

  • luxury.BeerAddress – “Tim quan nhau | Tìm quán nhậu” (“Find each other | Find pubs” in Vietnamese). An application for finding the nearest pub in Vietnam.
  • codedexon.churchaddress – “Địa Điểm Nhà Thờ” (“Church Place”)

    Publisher description (hxxps://apk.support/app-en/com.codedexon.churchaddress) translated from Vietnamese:
    Information about churches near you or the whole of Vietnam, information about patronies, priests, phone numbers, websites, email, activities, holidays…

  • bulknewsexpress.news – “Tin 247 – Đọc Báo Hàng Ngày” (“Read Daily Newspaper”)

Mimics the Vietnamese www.tin247.com mobile news application.

Overlaps with previous campaigns

In this section, we provide a correlation of PhantomLance’s activity with previously reported campaigns related to the OceanLotus APT.

OceanLotus Android campaign in 2014-2017

In May 2019, Antiy Labs published a report in which they described an Android malware campaign, claiming that it was related to OceanLotus APT. We checked the provided indicators using information from our telemetry and found that the very first tracks of these samples date back to December 2014.

It is important to note that according to our detection statistics, the majority of users affected by this campaign were located in Vietnam, with the exception of a small number of individuals located in China.

The main infection vector seems to be links to malicious applications hosted on third-party websites, possibly distributed via SMS or email spearphishing attacks. Examples below.

Referring URL for victim Malware URL First request Last request
hxxp://download.com[.]vn/android/download/nhaccuatui-downloader/31798 hxxp://113.171.224.175/videoplayer/NhacCuaTuiDownloader[.]apk 2015-03-03 2015-03-22
hxxp://nhaccuatui.android.zyngacdn.com/NhacCuaTuiDownloader[.]apk 2014-12-29 2015-03-19
hxxp://www.mediafire.com/file/1elber8zl34tag4/framaroot-xpro[.]apk hxxp://download1825.mediafire.com/tyxddh46orzg/1elber8zl34tag4/framaroot-xpro[.]apk 2015-04-07 2017-01-04

 

The latest registered malware download event occurred in December 2017. We observed a small amount of activity in 2018, but judging by the volume of hosted malware and the number of detections we observed, the main campaign took place from late 2014 to 2017.

To best visualize the similarities we discovered, we made a code structure comparison of the sample from the old reported OceanLotus Android campaign (MD5: 0e7c2adda3bc65242a365ef72b91f3a8) and the only unobfuscated (probably a developer version) PhantomLance payload v3 (MD5: 243e2c6433815f2ecc204ada4821e7d6).

Code structure comparison of a sample linked to OceanLotus and PhantomLance payload v3.

 Despite the multiple differences, we observed a similar pattern used in malware implementation. It seems that the developers have renamed “module” to “plugin”, but the meaning remains the same. Overlapping classes look quite similar and have the same functionality. For example, here is a comparison of the methods contained in the Parser classes.

Parser from 0e7c2adda3bc65242a365ef72b91f3a8 ParserWriter/Reader from 243e2c6433815f2ecc204ada4821e7d6
public void appendBoolean(boolean f) public void appendBoolean(boolean value)
public void appendByte(byte data) public void appendByte(byte value)
public void appendBytes(byte[] data) public void appendBytes(byte[] value)
public void appendDouble(double val) public void appendDouble(double value)
public void appendInt(int val) public void appendInt(int value)
public void appendLong(long val) public void appendLong(long value)
private void appendNumber(Object value)
public void appendShort(short val) public void appendShort(short value)
public void appendString(String str) public void appendString(String value)
 public byte[] getContents() public byte[] getContents()
public void appendFloat(float val)
public boolean getBoolean() public boolean getBoolean()
public byte getByte() public byte getByte()
public byte[] getBytes() public byte[] getBytes()
public double getDouble() public double getDouble()
public float getFloat()
public int getInt() public int getInt()
public long getLong() public long getLong()
public short getShort() public short getShort()
byte getSignal()
public String getString() public String getString()
getStringOfNumber()

Using our malware attribution technology, we can see that the PhantomLance payloads are at least 20% similar to the ones from the old OceanLotus Android campaign.

OceanLotus macOS backdoors

There are multiple public reports of macOS backdoors linked by the industry to OceanLotus. We examined these in order to find possible overlaps, with the caveat that it was really difficult to compare malware implemented for two completely different platforms, since two different programming languages were obviously used for the implementation process. However, during the analysis of the macOS payload (MD5: 306d3ed0a7c899b5ef9d0e3c91f05193) dated early 2018, we were able to catch a few minor tracks of the code pattern used in the Android malware implementation described above. In particular, three out of seven main classes had the same names and similar functionality: “Converter”, “Packet” and “Parser”.

Summary of overlaps

Another notable attribution token that applies to most of OceanLotus malware across platforms is usage of three redundant, different C2 servers by each sample, mostly subdomains. Below is an example of this from the samples examined above and OceanLotus Windows malware described in our private report.

MD5 C2 servers Description
0d5c03da348dce513bf575545493f3e3 mine.remaariegarcia[.]com

egg.stralisemariegar[.]com

api.anaehler[.]com

PhantomLance Android
d1eb52ef6c2445c848157beaba54044f sadma.knrowz[.]com

ckoen.dmkatti[.]com

itpk.mostmkru[.]com

OceanLotus Android campaign 2014-2017
306d3ed0a7c899b5ef9d0e3c91f05193 ssl.arkouthrie[.]com

s3.hiahornber[.]com

widget.shoreoa[.]com

OceanLotus MacOS backdoor
51f9a7d4263b3a565dec7083ca00340f ps.andreagahuvrauvin[.]com

paste.christienollmache[.]xyz

att.illagedrivestralia[.]xyz

OceanLotus Windows backdoor

Based on the complete analysis of previous campaigns, with the actors’ interests in victims located in Vietnam, infrastructure overlaps between PhantomLance and OceanLotus for Windows, multiple code similarities between an old Android campaign and MacOS backdoors, we attribute the set of the Android activity (campaign 2014-2017 and PhantomLance) to OceanLotus with medium confidence.

Considering the timeline of the Android campaigns, we believe that the activity reported by Antiy Labs is a previous campaign that was conducted by OceanLotus until 2017, and PhantomLance is a successor, active since 2016.

In summarizing the results of this research, we are able to assess the scope and evolution of the actors’ Android set of activity, operating for almost six years.

IOC

Kaspersky Lab products verdicts

PhantomLance

HEUR:Backdoor.AndroidOS.PhantomLance.*
HEUR:Trojan-Dropper.AndroidOS.Dnolder.*

Android campaign linked to OceanLotus (2014-2017)

HEUR:Trojan.AndroidOS.Agent.eu
HEUR:Trojan.AndroidOS.Agent.vg
HEUR:Trojan-Downloader.AndroidOS.Agent.gv

macOS campaign linked to OceanLotus

HEUR:Backdoor.OSX.OceanLotus.*

MD5

PhantomLance malware

2e06bbc26611305b28b40349a600f95c
b1990e19efaf88206f7bffe9df0d9419
7048d56d923e049ca7f3d97fb5ba9812
e648a2cc826707aec33208408b882e31
3285ae59877c6241200f784b62531694
8d5c64fdaae76bb74831c0543a7865c3
6bf9b834d841b13348851f2dc033773e
0d5c03da348dce513bf575545493f3e3
0e7c2adda3bc65242a365ef72b91f3a8
a795f662d10040728e916e1fd7570c1d
d23472f47833049034011cad68958b46
8b35b3956078fc28e5709c5439e4dcb0
af44bb0dd464680395230ade0d6414cd
65d399e6a77acf7e63ba771877f96f8e
79f06cb9281177a51278b2a33090c867
b107c35b4ca3e549bdf102de918749ba
83cd59e3ed1ba15f7a8cadfe9183e156
c399d93146f3d12feb32da23b75304ba
83c423c36ecda310375e8a1f4348a35e
94a3ca93f1500b5bd7fd020569e46589
54777021c34b0aed226145fde8424991
872a3dd2cd5e01633b57fa5b9ac4648d
243e2c6433815f2ecc204ada4821e7d6

PhantomLance payload-free versions

a330456d7ca25c88060dc158049f3298
a097b8d49386c8aab0bb38bbfdf315b2
7285f44fa75c3c7a27bbb4870fc0cdca
b4706f171cf98742413d642b6ae728dc
8008bedaaebc1284b1b834c5fd9a7a71
0e7b59b601a1c7ecd6f2f54b5cd8416a

Android campaign 2014-2017

0e7c2adda3bc65242a365ef72b91f3a8
50bfd62721b4f3813c2d20b59642f022
5079cb166df41233a1017d5e0150c17a
810ef71bb52ea5c3cfe58b8e003520dc
c630ab7b51f0c0fa38a4a0f45c793e24
ce5bae8714ddfca9eb3bb24ee60f042d
d61c18e577cfc046a6252775da12294f
fe15c0eacdbf5a46bc9b2af9c551f86a
07e01c2fa020724887fc39e5c97eccee
2e49775599942815ab84d9de13e338b3
315f8e3da94920248676b095786e26ad
641f0cc057e2ab43f5444c5547e80976

Domains and IP addresses

PhantomLance

mine.remaariegarcia[.]com
egg.stralisemariegar[.]com
api.anaehler[.]com
cloud.anofrio[.]com
video.viodger[.]com
term.ursulapaulet[.]com
inc.graceneufville[.]com
log.osloger[.]biz
file.log4jv[.]info
news.sqllitlever[.]info
us.jaxonsorensen[.]club
staff.kristianfiedler[.]club
bit.catalinabonami[.]com
hr.halettebiermann[.]com
cyn.ettebiermahalet[.]com

Android campaign 2014-2017

mtk.baimind[.]com
ming.chujong[.]com
mokkha.goongnam[.]com
ckoen.dmkatti[.]com
sadma.knrowz[.]com
itpk.mostmkru[.]com
aki.viperse[.]com
game2015[.]net
taiphanmemfacebookmoi[.]info
nhaccuatui.android.zyngacdn[.]com
quam.viperse[.]com
jang.goongnam[.]com


Temp Mails (https://tempemail.co/) is a new free temporary email addresses service. This service provide you random 10 minutes emails addresses. It is also known by names like: temporary mail, disposable mail, throwaway email, one time mail, anonymous email address… All emails received by Tempmail servers are displayed automatically in your online browser inbox.

Financial Cyberthreats in 2019 | Securelist – 10 minute mail

Methodology

Financial cyberthreats are malicious programs that target users of services such as online banking, e-money, and cryptocurrency, or that attempt to gain access to financial organizations and their infrastructure. These threats are usually accompanied by spam and phishing activities, with malicious users creating fake financial-themed pages and emails to steal victims’ credentials.

In order to study the threat landscape of the financial sector, our researchers analyzed malicious activity on the devices of individual users of Kaspersky’s security solutions. Statistics for corporate users were collected from corporate security solutions, after the customers agreed to share their data with Kaspersky.

The information obtained was compared with data for the same period in 2018 to monitor the trends in malware development.

Introduction and key findings

In 2019, we witnessed a number of significant changes in the cyberthreat landscape. Cybercriminals started to lose interest in malicious cryptocurrency mining and turned their attention to the broader topic of digital trust and privacy issues.

How did all those changes affect financial security around the world? As our report for the first half of 2019 demonstrated, there is no room for complacency – cyberthreats that aim to steal money are still out there.

Although the financial industry did not witness any major cases in 2019, the statistics show that particular categories of users and businesses are still being targeted by criminals. We have prepared this report to provide a more detailed picture of the situation.

This publication continues our series of Kaspersky reports (see here, here, and here) providing an overview of how the financial threat landscape has evolved over the years. It covers the common phishing threats that users encounter, along with Windows-based and Android-based financial malware.

Phishing:

  • In 2019, the share of financial phishing increased from 44.7% of all phishing detections to 51.4%.
  • Almost every third attempt to visit a phishing page blocked by Kaspersky products is related to banking phishing (27% share).
  • The share of phishing-related attacks on payment systems and online stores accounted for almost 17% and over 7.5% respectively in 2019. This is more or less the same as 2018 levels.
  • The share of financial phishing encountered by Mac users fell slightly from 57.6%, accounting for 54%.

Banking malware (Windows):

  • In 2019, the number of users attacked with banking Trojans was 773,943 – a decrease compared to the 889,452 attacked in 2018.
  • 1% of users attacked with banking malware were corporate users – an increase from 24.1% in 2018.
  • Users in Russia, Germany, and China were attacked most frequently by banking malware.
  • Just four banking malware (ZBot, RTM, Emotet, CliptoShuffler) families accounted for attacks on the vast majority of users (around 87%).

Android banking malware:

  • In 2019, the number of users that encountered Android banking malware dropped to just over 675,000 from around 1.8 million.
  • Russia, South Africa, and Australia were the countries with the highest percentage of users attacked by Android banking malware.

Financial phishing

Financial phishing is one of the most popular ways for criminals to make money. It doesn’t require a lot of investment but if the criminals get the victim’s credentials, they can either be used to steal money or sold.

As our telemetry systems show, this type of activity has accounted for around half of all phishing attacks on Windows users in recent years.

The percentage of financial phishing attacks (from overall phishing attacks) detected by Kaspersky, 2014-2019 (download)

In 2019, the overall number of phishing detections stood at 467,188,119. 51.4% of those were finance-related attacks. That is the second-highest share ever registered by Kaspersky; the highest proportion of financial phishing was 53.8% in 2017.

The distribution of different types of financial phishing detected by Kaspersky in 2019 (download)

Compared to the previous year, bank-related phishing grew from a share of 21.7% to almost 30% in 2019. The other two main finance categories remained more or less at the same level.

Financial phishing on Mac

As is now customary, we also compare the above statistics with those for MacOS: while the latter has traditionally been considered a relatively secure platform when it comes to cybersecurity, nobody knows where the latest threats may strike. Moreover, phishing is an OS-agnostic activity – it is all about social engineering.

In 2018, 57.6% of phishing attacks against Mac users attempted to steal financial data. A third of those were bank-related attacks. In 2019, the overall level was slightly less – just over 54%.

In 2019, the breakdown of categories was as follows:

The distribution of different types of financial phishing detected by Kaspersky on Macs in 2019 (download)

The share of bank phishing actually grew by around 6% compared to 2018. At the same, the E-shop category’s share dropped from around 18% to around 8%. The Payment systems category remained more or less unchanged. Overall, our data shows that the financial share of phishing attacks on Macs is also quite substantial – like that for Windows. Let’s take a closer look at both categories.

Mac vs Windows

In 2017, we discovered an interesting twist when Apple became the most frequently used brand name in the online shopping category both in the MacOS and Windows statistics, pushing Amazon down to second place for the latter platform. Even more interesting is that in 2018 Apple maintained its position in the Windows statistics, but Amazon led the MacOS statistics for the first time since we started tracking this activity. In 2019, the situation was as follows:

  Mac Windows
1 Apple Apple
2 Amazon.com: Online Shopping Amazon.com: Online Shopping
3 eBay eBay
4 groupon Steam
5 Steam Americanas
6 ASOS groupon
7 Americanas MercadoLibre
8 Shopify Alibaba Group
9 Alibaba Group Allegro

The most frequently used brands in the E-shop category of financial phishing activity, 2019

What is most interesting in the table above is that the top three places appear to be OS agnostic and are the same for both Mac and Windows.

When it comes to attacks on users of payment systems, the situation is as follows:

  Mac Windows
1 PayPal Visa Inc.
2 MasterCard International PayPal
3 American Express MasterCard International
4 Visa Inc. American Express
5 Authorize.Net Cielo S.A.
6 Stripe Stripe
7 Cielo S.A. Authorize.Net
8 adyen payment system adyen payment system
9 Neteller Alipay

The most frequently used brands in the Payment systems category of financial phishing activity, 2019

The data above can be viewed as a warning to users of the corresponding systems: they illustrate to what extent malicious users exploit these well-known names to fraudulently obtain payment card details as well as online banking and payment system credentials.

Phishing campaign themes

The list of 2019 phishing campaigns covered below includes the usual suspects: fake versions of online banking and payment systems or web pages mimicking internet stores.

A phishing page masquerading as a payment service

 Phishing pages masquerading as payment service pages

Phishing pages masquerading as an e-store pages

Of course, by clicking a link or entering credentials on pages like these, a user will not be accessing their account – they will be passing on important personal information to the fraudsters.

Some of the most common scams used to trick users include messages that refer to the hacking or blocking of an account or offers of incredible bargains.

Banking malware on PCs

For clarity, when discussing financial malware in this paper we mean typical banking Trojans designed to steal the credentials used to access online banking or payment system accounts and to intercept one-time passwords. Kaspersky has been monitoring this particular type of malware for a number of years:

The number of users attacked with banking malware, 2016-2018 (download)

As we can see, throughout 2016 there was a steady growth in the number of users attacked with bankers – following downward trends in 2014 and 2015. 2017 and the first half of 2018 saw a return to a downward trend. The number of attacked users worldwide fell from 1,088,933 in 2016 to 767,072 in 2017 – a decline of almost 30%.

Below are the figures for 2019.

The number of users attacked with banking malware 2019 (download)

In 2019, the number of users attacked with banking Trojans stood at 773,943 – a slight decrease compared to 889,452 in 2018.

The geography of attacked users

As shown in the charts below, more than half of all users attacked with banking malware in 2018 and 2019 were located in just 10 countries.

The geographic distribution of users attacked with banking malware in 2018 (download)

The geographic distribution of users attacked with banking malware in 2019 (download)

In 2019, Russia’s share increased and accounted for over one-third of attacks. Germany remained in second place, while China ended the year in third place.

The type of users attacked

It is also interesting to look at the consumer/corporate split in victimology.

The distribution of attacked users by type in 2018-2019 (download)

The main actors and developments

For years, the banking malware landscape has been dominated by several major players.

The distribution of the most widespread banking malware families in 2018 (download)

In 2018, we saw the major players decreasing their attacks – Zbot fell to 26.4% and Gozi to a little over 20%.  2019 produced the following situation.

The distribution of the most widespread banking malware families in 2019 (download)

Zbot is still the most widespread malware, while second and the third places are occupied by RTM and Emotet. Gozi dropped out of the top three, ending the year in sixth place.

Mobile banking malware

In 2018, we reviewed the methodology behind the mobile section of this report. We had previously analyzed Android banking malware statistics using KSN data sent by the Kaspersky Internet Security for Android solution. But as Kaspersky developed new mobile security solutions and technologies, the statistics gathered from one product alone became less relevant. That is why we decided to shift to expanded data, gathered from multiple mobile solutions. The data for 2016 and 2017 in this report was recalculated using the new methodology.

The change in the number of users attacked with Android banking malware, 2016-2019 (download)

In 2019 the number of users that encountered Android banking malware dropped to 675,000 from around 1.8 million in 2018.

To get a clearer picture of what is behind these dramatic changes we took a closer look at the landscape and reviewed the most widespread families across the year. In 2018, the situation was as follows:

The most widespread Android banking malware in 2018 (download)

Asacub’s share more than doubled YoY to almost 60%, followed by Agent (14.28%) and Svpeng (13.31%). All three experienced explosive growth in 2018, especially Asacub as it peaked from 146,532 attacked users in 2017 to 1,125,258.

The most widespread Android banking malware in 2019 (download)

In 2019, there was almost no change among the most widespread families. The Asacub family was the only exception – it conceded some of its share to its nearest competitors. However, it still accounted for almost half of all attacks.

Geography of attacked users

In previous reports, we calculated the distribution of users attacked with Android banking Trojans by comparing the overall number of unique users attacked by this type of malware with the overall number of users in a region. There was always one problem – the majority of detections in Russia traditionally came from this malicious software due to the prevalence of SMS banking in the region, which allowed attackers to steal money with a simple text message if an infection was successful. Previously, the same was true for SMS Trojans, but after regulative measures, criminals found a new way to capitalize on victims in Russia.

In 2018, we decided to change the methodology and replaced the overall number of attacked unique users with the share of unique users that faced this threat from the overall number of users registered in the respective region.

The picture for 2018 was as follows:

Percentage of Android users who encountered banking malware by country, 2018 (download)

The top 10 countries with the highest percentage of users that encountered Android banking malware in 2018:

Russia 2.32%
South Africa 1.27%
US 0.82%
Australia 0.71%
Armenia 0.51%
Poland 0.46%
Moldova 0.44%
Kyrgyzstan 0.43%
Azerbaijan 0.43%
Georgia 0.42%

In 2019 it changed to:

Percentage of Android users who encountered banking malware by country, 2019 (download)

The top 10 countries with the highest percentage of users that encountered Android banking malware in 2019:

Russian Federation 0.72%
South Africa 0.66%
Australia 0.59%
Spain 0.29%
Tajikistan 0.21%
Turkey 0.20%
US 0.18%
Italy 0.17%
Ukraine 0.17%
Armenia 0.16%

Australia replaced the US in the top three. Also of interest is the fact that the average percentage fell for all countries – sometimes 2-digit decrease can be seen.

Major changes to the Android banking malware landscape

While the figures tell their own story, there are many more ways to explore the changes and developments in the threat landscape. Our key method is the analysis of actual malware found in the wild.

As this analysis shows, 2019 was a relatively stable year when it comes to malicious mobile software. One point of interest, however, may be a new technique that we recently observed with Ginp and Cerberus Trojans.

At the very beginning of 2020, we found a new version of the Ginp banking Trojan that was first discovered by a Kaspersky analyst in 2019. Apart from the standard functions of an Android banker – the ability to intercept and send text messages, and perform window overlays – the new version involves a highly unconventional function to insert fake text messages in the inbox of a standard SMS app.

These messages are made to look like notifications from reputable app vendors informing users about an undesirable event (blocked account access, for example). In order to resolve the issue, the user is requested to open the application. Once the victim does that, the Trojan overlays the original window and asks the user to enter their credit card or bank account details, which then end up in the hands of cybercriminals.

We subsequently detected a rise in a technique used by the infamous Cerberus banker on Android devices. This malware increasingly produces fake push notifications to users on behalf of several banking applications. The detected messages urge Polish-speaking targets to open applications and check their cards and bank accounts by entering their login credentials. This technique is on the rise with more fake notifications being produced on behalf of more and more banking applications.

Conclusion and advice

2019 has demonstrated that cybercriminals continue to update their malware with new features, investing resources in new distribution methods and techniques to avoid detection. The increase in banking Trojan activity targeting corporate users is also of concern as such attacks could bring more problems than attacks on ordinary users.

This all means that malicious users are still gaining financially from their activities.

As the above threat data shows, there is still plenty of motivation for financial fraud operations involving phishing and specialized banking malware. At the same time, mobile malware regained its ability to jeopardize users across the world.

To avoid losing money as a result of a cyberattack, Kaspersky experts advise the following.

To protect against financial threats, Kaspersky recommends that users:

  • Only install applications from trusted sources such as official stores;
  • Check what access rights and permissions the application requests – if they do not correspond to what the program is designed to do, then it should be questioned;
  • Do not follow links in spam messages and do not open documents attached to them;
  • Install a reliable security solution – such as Kaspersky Security Cloud – that protects against a wide range of threats. The service also incorporates the Permission Checker feature for Android that allows users to see which applications have access to a device’s camera, microphone, location and other private information and restrict them if necessary.

To protect your business from financial malware, Kaspersky security specialists recommend:

  • Introducing cybersecurity awareness training for your employees, particularly those who are responsible for accounting, to teach them how to distinguish phishing attacks: do not open attachments or click on links from unknown or suspicious addresses;
  • Explaining to users the risk of installing programs from unknown sources. For critical user profiles, such as those in financial departments, switch on default-deny mode for web resources to ensure they can only access legitimate sites;
  • Installing the latest updates and patches for all the software you use;
  • Enabling protection at the level of internet gateways as it shields from many financial and other threats even before they reach employee endpoints. Kaspersky Security for Internet Gateways protects all devices in the corporate network from phishing, banking Trojans and other malicious payloads;
  • Using mobile protection solutions or corporate internet traffic protection to ensure employee devices are not exposed to financial and other threats. The latter helps protect even those devices for which antivirus is unavailable;
  • Implementing an EDR solution such as Kaspersky Endpoint Detection and Response for endpoint level detection, investigation and timely remediation of incidents. It can even catch unknown banking malware;
  • Integrating Threat Intelligence into your SIEM and security controls in order to access the most relevant and up-to-date threat data.


Temp Mails (https://tempemail.co/) is a new free temporary email addresses service. This service provide you random 10 minutes emails addresses. It is also known by names like: temporary mail, disposable mail, throwaway email, one time mail, anonymous email address… All emails received by Tempmail servers are displayed automatically in your online browser inbox.

iOS exploit chain deploys “LightSpy” feature-rich malware – 10 minute mail

A watering hole was discovered on January 10, 2020 utilizing a full remote iOS exploit chain to deploy a feature-rich implant named LightSpy. The site appears to have been designed to target users in Hong Kong based on the content of the landing page. Since the initial activity, we released two private reports exhaustively detailing spread, exploits, infrastructure and LightSpy implants.

Landing page of watering hole site

We are temporarily calling this APT group “TwoSail Junk”. Currently, we have hints from known backdoor callbacks to infrastructure about clustering this campaign with previous activity. And we are working with colleagues to tie LightSpy with prior activity from a long running Chinese-speaking APT group, previously reported on as Spring Dragon/Lotus Blossom/Billbug(Thrip), known for their Lotus Elise and Evora backdoor malware. Considering this LightSpy activity has been disclosed publicly by our colleagues from TrendMicro, we would like to further contribute missing information to the story without duplicating content. And, in our quest to secure technologies for a better future, we reported the malware and activity to Apple and other relevant companies.

This supplemental information can be difficult to organize to make for easy reading. In light of this, this document is broken down into several sections.

  1. Deployment timeline – additional information clarifying LightSpy deployment milestone events, including both exploit releases and individual LightSpy iOS implant component updates.
  2. Spreading – supplemental technical details on various techniques used to deliver malicious links to targets
  3. Infrastructure – supplemental description of a TwoSail Junk RDP server, the LightSpy admin panel, and some related server-side javascript
  4. Android implant and a pivot into evora – additional information on an Android implant and related infrastructure. After pivoting from the infrastructure in the previous section, we find related implants and backdoor malware, helping to connect this activity to previously known SpringDragon APT with low confidence.

More information about LightSpy is available to customers of Kaspersky Intelligence Reporting. Contact: [email protected]

Deployment timeline

During our investigation, we observed the actor modifying some components involved in the exploit chain on February 7, 2020 with major changes, and on March 5, 2020 with minor ones.

Figure 1. Brief LightSpy event timeline

The first observed version of the WebKit exploit dated January 10, 2020 closely resembled a proof of concept (PoC), containing elements such as buttons, alert messages, and many log statements throughout. The second version commented out or removed many of the log statements, changed alert() to print() statements, and also introduced some language errors such as “your device is not support…” and “stab not find…”.

By analyzing the changes in the first stage WebKit exploit, we discovered the list of supported devices was also significantly extended:
Table 1. iOS version exploit support expansion

Device iOS version Supported as of Jan 10 Supported as of Feb 7
iPhone 6 11.03 +
iPhone 6S 12.01 + commented
12.2 +
iPhone 7 12.1 +
12.11 + +
12.12 + +
12.14 +
12.2 +
iPhone 7+ 12.2 +
iPhone 8 12.2 +
iPhone 8+ 12.2 +
iPhone X 12.2 +

As seen above, the actor was actively changing implant components, which is why we are providing a full list of historical hashes in the IoC section at the end of this report. There were many minor changes that did not directly affect the functionality of each component, but there were also some exceptions to this that will be expanded on below. Based on our observations of these changes over a relatively short time frame, we can assess that the actor implemented a fairly agile development process, with time seemingly more important than stealthiness or quality.

One interesting observation involved the “EnvironmentalRecording” plugin (MD5: ae439a31b8c5487840f9ad530c5db391), which was a dynamically linked shared library responsible for recording surrounding audio and phone calls. On February 7, 2020, we noticed a new binary (MD5: f70d6b3b44d855c2fb7c662c5334d1d5) with the same name with no similarities to the earlier one. This new file did not contain any environment paths, version stamps, or any other traces from the parent plugin pattern. Its sole purpose was to clean up the implant components by erasing all files located in “/var/iolight/”, “/bin/light/”, and “/bin/irc_loader/”. We’re currently unsure whether the actor intended to replace the original plugin with an uninstall package or if this was a result of carelessness or confusion from the rapid development process.

Another example of a possible mistake involved the “Screenaaa” plugin. The first version (MD5: 35fd8a6eac382bfc95071d56d4086945) that was deployed on January 10, 2020 did what we expected: It was a small plugin designed to capture a screenshot, create a directory, and save the capture file in JPEG format. However, the plugin (MD5: 7b69a20920d3b0e6f0bffeefdce7aa6c) with the same name that was packaged on February 7 had a completely different functionality. This binary was actually a LAN scanner based on MMLanScan, an open source project for iOS that helps scan a network to show available devices along with their MAC addresses, hostname, and manufacturer. Most likely, this plugin was mistakenly bundled up in the February 7 payload with the same name as the screenshot plugin.

Figure 2. LightSpy iOS implant component layout and communications

Spreading

We cannot say definitively that we have visibility into all of their spreading mechanisms. We do know that in past campaigns, precise targeting of individuals was performed over various social network platforms with direct messaging. And, both ours and previous reporting from others have documented TwoSail Junk’s less precise and broad use of forum posts and replies. These forum posts direct individuals frequenting these sites to pages hosting iframes served from their exploit servers. We add Telegram channels and instagram posts to the list of communication channels abused by these attackers.

These sites and communication medium are known to be frequented by some activist groups.

Figure 3. LightSpy iPhone infection steps

The initial watering hole site (hxxps://appledaily.googlephoto[.]vip/news[.]html) on January 10, 2020 was designed to mimic a well known Hong Kong based newspaper “Apple Daily” by copy-pasting HTML content from the original:

Figure 4. Source of html page mimicking newspaper “Apple Daily”

However, at that time, we had not observed any indications of the site being purposely distributed in the wild. Based on our KSN detection statistics, we began seeing a massive distribution campaign beginning on February 18, 2020.

Table 2. LightSpy related iframe domains, urls, and first seen timestamps

Starting on February 18, the actors began utilizing a series of invisible iframes to redirect potential victims to the exploit site as well as the intended legitimate news site from the lure.

Figure 5. Source of html page with lure and exploit

Infrastructure

RDP Clues

The domain used for the initial watering hole page (googlephoto[.]vip) was registered through GoDaddy on September 24, 2019. No unmasked registration information was able to be obtained for this domain. The subdomain (appledaily.googlephoto[.]vip) began resolving to a non-parked IP address (103.19.9[.]185) on January 10, 2020 and has not moved since. The server is located in Singapore and is hosted by Beyotta Network, LLP.

At the time of our initial investigation, the server was listening on ports 80 (HTTP) and 3389 (RDP with SSL/TLS enabled). The certificate for the server was self-signed and created on December 16, 2019. Based on Shodan data as early as December 21, 2019, there was a currently logged in user detected who’s name was “SeinandColt”.

Figure 6. Screenshot of RDP login page for the server 103.19.9[.]185

Admin Panel

The C2 server for the iOS payload (45.134.1[.]180) also appeared to have an admin panel on TCP port 50001.

The admin panel seems to be a Vue.js application bundled with Webpack. It contains two language packs: English and Chinese. A cursory analysis provides us the impression of actual scale of the framework:

If we take a closer look at the index.js file for the panel, some interesting configurations are visible, to include a user config, an application list, log list, and other interesting settings.

The “userConfig” variable indicates other possible platforms that may have been targeted by the same actors, such as linux, windows, and routers.

Another interesting setting includes the “app_list” variable which is commented out. This lists two common applications used for streaming and chat mostly in China (QQ and Miapoi). Looking further, we can also see that the default map coordinates in the config point directly to the Tian’anmen Gate in Beijing, however, most likely this is just a common and symbolic mapping application default for the center of Beijing.

Android implants and a pivot into “evora”

During analysis of the infrastructure related to iOS implant distribution we also found a link directing to Android malware – hxxp://app.hkrevolution[.]club/HKcalander[.]apk (MD5: 77ebb4207835c4f5c4d5dfe8ac4c764d).

According to artefacts found in google cache, this link was distributed through Telegram channels “winuxhk” and “brothersisterfacebookclub”, and Instagram posts in late November 2019 with a message lure in Chinese translated as “The Hong Kong People Calendar APP is online ~~~ Follow the latest Hong Kong Democracy and Freedom Movement. Click to download and support the frontline. Currently only Android version is available.”

Further technical analysis of the packed APK reveals the timestamp of its actual build – 2019-11-04 18:12:33. Also it uses the subdomain, sharing an iOS implant distribution domain, as its c2 server – hxxp://svr.hkrevolution[.]club:8002.

Its code contains a link to another related domain:

Checking this server we found it hosted another related APK:

MD5 fadff5b601f6fca588007660934129eb
URL hxxp://movie.poorgoddaay[.]com/MovieCal[.]apk
C2 hxxp://app.poorgoddaay[.]com:8002
Build timestamp 2019-07-25 21:57:47

The distribution vector remains the same – Telegram channels:

The latest observed APK sample is hosted on a server that is unusual for the campaign context – xxinc-media[.]oss-cn-shenzhen.aliyuncs[.]com. We assume that the actors are taking steps to split the iOS and Android activities between different infrastructure pieces.

MD5 5d2b65790b305c186ef7590e5a1f2d6b
URL hxxps://xxinc-media.oss-cn-shenzhen.aliyuncs[.]com/calendar-release-1.0.1.apk
C2 hxxp://45.134.0[.]123:8002
Build timestamp 2020-01-14 18:30:30

We had not observed any indications of this URL being distributed in the wild yet.

If we take a look closer at the domain poorgoddaay[.]com that not only hosted the malicious APK but also was a C2 for them, we can note that there are two subzones of particular interest to us:

  • zg.poorgoddaay[.]com
  • ns1.poorgoddaay[.]com

We were able to work with partners to pivot into a handful of “evora” samples that use the above two subzones as their C2. Taking that a step further, using our Kaspersky Threat Attribution Engine (KTAE), we can see that the partner samples using those subzones are 99% similar to previous backdoors deployed by SpringDragon.

We are aware of other related and recent “evora” malware samples calling back to these same subnets while targeting organizations in Hong Kong as well. These additional factors help lend at least low confidence to clustering this activity with SpringDragon/LotusBlossom/Billbug.

Conclusion

This particular framework and infrastructure is an interesting example of an agile approach to developing and deploying surveillance framework in Southeast Asia. This innovative approach is something we have seen before from SpringDragon, and LightSpy targeting geolocation at least falls within previous regional targeting of SpringDragon/LotusBlossom/Billbug APT, as does infrastructure and “evora” backdoor use.

Indicators of Compromise

File hashes

payload.dylib
9b248d91d2e1d1b9cd45eb28d8adff71 (Jan 10, 2020)
4fe3ca4a2526088721c5bdf96ae636f4 (Feb 7, 2020)

ircbin.plist
e48c1c6fb1aa6c3ff6720e336c62b278 (Jan 10, 2020)

irc_loader
53acd56ca69a04e13e32f7787a021bb5 (Jan 10, 2020)

light
184fbbdb8111d76d3b1377b2768599c9 (Jan 10, 2020)
bfa6bc2cf28065cfea711154a3204483 (Feb 7, 2020)
ff0f66b7089e06702ffaae6025b227f0 (Mar 5, 2020)

baseinfoaaa.dylib
a981a42fb740d05346d1b32ce3d2fd53 (Jan 10, 2020)
5c69082bd522f91955a6274ba0cf10b2 (Feb 7, 2020)

browser
7b263f1649dd56994a3da03799611950 (Jan 10, 2020)

EnvironmentalRecording
ae439a31b8c5487840f9ad530c5db391 (Jan 10, 2020)
f70d6b3b44d855c2fb7c662c5334d1d5 (Feb 7, 2020)

FileManage
f1c899e7dd1f721265cc3e3b172c7e90 (Jan 10, 2020)
ea9295d8409ea0f1d894d99fe302070e (Feb 7, 2020)

ios_qq
c450e53a122c899ba451838ee5250ea5 (Jan 10, 2020)
f761560ace765913695ffc04dfb36ca7 (Feb 7, 2020)

ios_telegram
1e12e9756b344293352c112ba84533ea (Jan 10, 2020)
5e295307e4429353e78e70c9a0529d7d (Feb 7, 2020)

ios_wechat
187a4c343ff4eebd8a3382317cfe5a95 (Jan 10, 2020)
66d2379318ce8f74cfbd0fb26afc2084 (Feb 7, 2020)

KeyChain
db202531c6439012c681328c3f8df60c (Jan 10, 2020)

locationaaa.dylib
3e7094eec0e99b17c5c531d16450cfda (Jan 10, 2020)
06ff47c8108f7557bb8f195d7b910882 (Feb 7, 2020)

Screenaaa
35fd8a6eac382bfc95071d56d4086945 (Jan 10, 2020)
7b69a20920d3b0e6f0bffeefdce7aa6c (Feb 7, 2020)

ShellCommandaaa
a8b0c99f20a303ee410e460730959d4e (Jan 10, 2020)

SoftInfoaaa
8cdf29e9c6cca6bf8f02690d8c733c7b (Jan 10, 2020)

WifiList
c400d41dd1d3aaca651734d4d565997c (Jan 10, 2020)

Android malware
77ebb4207835c4f5c4d5dfe8ac4c764d
fadff5b601f6fca588007660934129eb
5d2b65790b305c186ef7590e5a1f2d6b

Past similar SpringDragon evora
1126f8af2249406820c78626a64d12bb
33782e5ba9067b38d42f7ecb8f2acdc8

Domains and IPs

Implant c2
45.134.1[.]180 (iOS)
45.134.0[.]123 (Android)
app.poorgoddaay[.]com (Android)
svr[.]hkrevolution[.]club (Android)

WebKit exploit landing
45.83.237[.]13
messager[.]cloud

Spreading
appledaily.googlephoto[.]vip
www[.]googlephoto[.]vip
news2.hkrevolution[.]club
news.hkrevolution[.]club
www[.]facebooktoday[.]cc
www[.]hkrevolt[.]com
news.hkrevolt[.]com
movie.poorgoddaay[.]com
xxinc-media[.]oss-cn-shenzhen.aliyuncs[.]com

Related subdomains
app.hkrevolution[.]club
news.poorgoddaay[.]com
zg.poorgoddaay[.]com
ns1.poorgoddaay[.]com

Full Mobile Device Command List

change_config
exe_cmd
stop_cmd
get_phoneinfo
get_contacts
get_call_history
get_sms
delete_sms
send_sms
get_wechat_account
get_wechat_contacts
get_wechat_group
get_wechat_msg
get_wechat_file
get_location
get_location_coninuing
get_browser_history
get_dir
upload_file
download_file
delete_file
get_picture
get_video
get_audio
create_dir
rename_file
move_file
copy_file
get_app
get_process
get_wifi_history
get_wifi_nearby
call_record
call_photo
get_qq_account
get_qq_contacts
get_qq_group
get_qq_msg
get_qq_file
get_keychain
screenshot


Temp Mails (https://tempemail.co/) is a new free temporary email addresses service. This service provide you random 10 minutes emails addresses. It is also known by names like: temporary mail, disposable mail, throwaway email, one time mail, anonymous email address… All emails received by Tempmail servers are displayed automatically in your online browser inbox.

MonitorMinor: vicious stalkerware? | Securelist – 10 minute mail

Updated March 17th, 2020

The other day, our Android traps ensnared an interesting specimen of commercial software that is positioned as a parental control app, but may also be used to secretly monitor family members or colleagues – or, in other words, for stalking. Such apps are often called stalkerware. On closer inspection, we found that this app outstrips all existing software of its class in terms of functionality. Let’s take a look one step at a time.

Modern stalkerware

What is the usual functionality of stalkerware? The most basic thing is to transmit the victim’s current geolocation. There are many such “stalkers”, since various special web resources are used to display coordinates, and they only contain a few lines of code.

Often, their creators use geofencing technology, whereby a notification about the victim’s movements is sent only if they go beyond (or enter) a particular area. In some cases, functions to intercept SMS and call data (spyware that’s able to log them is much less common) are added to the geolocation transmission.

But today, SMS are used mainly for receiving one-time passwords and not much else — their niche has been captured almost entirely by messengers, which these days even facilitate business negotiations. Moreover, they claim to be an alternative to “traditional” voice communication. So any software with tracking/spying functionality worth its salt must be able to intercept data from messengers. The sample we found (assigned the verdict Monitor.AndroidOS.MonitorMinor.c) is a rare piece of monitoring software that could be used for stalking purposes that can do this.

MonitorMinor features

In a “clean” Android operating system, direct communication between apps is prevented by the sandbox, so stalkerware cannot simply turn up and gain access to, say, WhatsApp messages. This access model is called DAC (Discretionary Access Control). When an app is installed on the system, a new account and app directory are created, the latter being accessible only to this account. For example, WhatsApp stores the user’s chat history in the file /data/data/com.whatsapp/databases/msgstore.db, which only the user and WhatsApp itself have access to. Other messengers work in a similar way.

The situation changes if a SuperUser-type app (SU utility) is installed, which grants root access to the system. Exactly how they get on the device — installed at the factory, by a user, or even by malware — is not so important. The main point is that they cause one of the system’s key security mechanisms to cease to exist (in fact, all security systems cease to exist, but it is DAC that we are interested in right now).

It is the presence of this utility that the creators of MonitorMinor are perhaps counting on. By escalating privileges (running the SU utility), it gains full access to data in the following apps:

  • LINE: Free Calls & Messages
  • Gmail
  • Zalo – Video Call
  • Instagram
  • Facebook
  • Kik
  • Hangouts
  • Viber
  • Hike News & Content
  • Skype
  • Snapchat
  • JusTalk
  • BOTIM

In other words, all the most popular modern communication tools.

Intercepting the device unlock code

MonitorMinor’s functionality is not limited to intercepting data from social networking apps and messengers: using root privileges, it extracts the file /data/system/gesture.key from the device, which contains the hash sum for the screen unlock pattern or the password. This lets the MonitorMinor operator unlock the device, when it’s nearby or when the operator will have physical access to the device the next time. This is the first time we have registered such a function in all our experience of monitoring mobile platform threats.

Persistence

When MonitorMinor acquires root access, it remounts the system partition from read-only to read/write mode, then copies itself to it, deletes itself from the user partition, and remounts it back to read-only mode. After this “castling” move, the application cannot be removed using regular OS tools. Sure, the option to escalate privileges is not available on all devices, and without root one might assume that the software would be less effective. But not if it’s MonitorMinor.

MonitorMinor features without root

Android is a very user-friendly operating system. It is especially friendly to users with disabilities: with the Accessibility Services API, the phone can read aloud incoming messages and any other text in app windows. What’s more, with the help of Accessibility Services, it is possible to obtain in real time the structure of the app window currently displayed on the smartphone screen: input fields, buttons, their names, etc.

It is this API that the stalkerware uses to intercept events in the above-listed apps. Put simply, even without root, MonitorMinor is able to operate effectively on all devices with Accessibility Services (which means most of them).

WhatsApp chat intercepted using Accessibility Services

A keylogger function is also implemented in this app through this same API. That is, MonitorMinor’s reach is not limited to social networks and messengers: everything entered by the victim is automatically sent to the MonitorMinor servers. The app also monitors the clipboard and forwards the contents. The app also allows its owner to:

  • Control the device using SMS commands
  • View real-time video from the device’s cameras
  • Record sound from the device’s microphone
  • View browsing history in Chrome
  • View usage statistics for certain apps
  • View the contents of the device’s internal storage
  • View the contacts list
  • View the system log

Fragment of an operator web interface demonstrating MonitorMinor’s capabilities

Propagation

According to KSN statistics, India currently has the largest share of installations of this application (14.71%). In addition, a Gmail account with an Indian name is stitched into the body of MonitorMinor, which hints at its country of origin. That said, we also discovered control panels in Turkish and English.

The second country in terms of usage is Mexico (11.76%), followed by Germany, Saudi Arabia, and the UK (5.88%), separated by only a few thousandths of one percent.

Map of users attacked by MonitorMinor (all attacks), November – December 2019

Conclusion

MonitorMinor is superior to other tracking apps that can be used for stalking purposes in many aspects. It implements all kinds of tracking features, some of which are unique and is almost impossible to detect on the victim’s device. If the device has root access, its operator has even more options available. For example, they can retrospectively view what the victim has been doing on social networks. Note too that the Monitor.AndroidOS.MonitorMinor.c is obfuscated, which means that its creators may be aware of the existence of anti-stalkerware tools and try to counter them.

Yet we should note that the License agreement available on the website, from which the application is distributed, clearly states that users of the application are not allowed to use it for silent monitoring of another person without written consent. Moreover, the authors of the agreement warn that in some countries such actions may be subject to investigation by law enforcement agencies. So, formally, it is hard to deny that the developers of this application took steps to provide information about the potential consequences of unlawful usage of the app.

On the other hand, we can’t see how this information can help potential targets of stalkers that would decide to use this app. It is very intrusive and is able to exist on the target’s device without being visible to its owner, and it can silently harvest practically every bit of the target’s personal communications. Due to the powerful characteristics of this app, we decided to draw attention to it and inform those who defend people from stalkerware of the potential threat it poses. This is not just another parental control application.

The market has plenty of Parental Control solutions that do their job properly without providing the “Parent” with a super set of instruments to track their “kids’” personal life. We are not in the position to teach other developers how to create parental control applications, however, it is our job to let our clients and other parties know when there is something out there that could be used to significantly impede on their privacy.

IOCs

ECAC763FEFF38144E2834C43DE813216


Temp Mails (https://tempemail.co/) is a new free temporary email addresses service. This service provide you random 10 minutes emails addresses. It is also known by names like: temporary mail, disposable mail, throwaway email, one time mail, anonymous email address… All emails received by Tempmail servers are displayed automatically in your online browser inbox.

MonitorMinor: vicious stalkerware | Securelist – 10 minute mail

The other day, our Android traps ensnared an interesting specimen of stalkerware — commercial software that is usually used to secretly monitor family members or colleagues. On closer inspection, we found that this app outstrips all existing software of its class in terms of functionality. Let’s take a look one step at a time.

Modern stalkerware

What is the usual functionality of a stalkerware? The most basic thing is to transmit the victim’s current geolocation. There are many such “stalkers”, since various special web resources are used to display coordinates, and they only contain a few lines of code.

Often, their creators use geofencing technology, whereby a notification about the victim’s movements is sent only if they go beyond (or enter) a particular area. In some cases, functions to intercept SMS and call data (spyware able to log them is much less common) are added to the geolocation transmission.

But today, SMS are used mainly for receiving one-time passwords and not much else — their niche has been captured almost entirely by messengers, which these days even facilitate business negotiations. Moreover, they claim to be an alternative to “traditional” voice communication. So any software with tracking/spying functionality worth its salt must be able to intercept data from messengers. The sample we found (assigned the verdict Monitor.AndroidOS.MonitorMinor.c) is a rare piece of stalkerware that can do this.

MonitorMinor features

In a “clean” Android operating system, direct communication between apps is prevented by the sandbox, so stalkerware cannot simply turn up and gain access to, say, WhatsApp messages. This access model is called DAC (Discretionary Access Control). When an app is installed in the system, a new account and app directory are created, the latter being accessible only to this account. For example, WhatsApp stores the user’s chat history in the file /data/data/com.whatsapp/databases/msgstore.db, which only the user and WhatsApp itself have access to. Other messengers work in a similar way.

The situation changes if a SuperUser-type app (SU utility) is installed, which grants root access to the system. Exactly how they get on the device — installed at the factory, by a user, or even by malware — is not so important. The main point is that they cause one of the system’s key security mechanisms to cease to exist (in fact, all security systems cease to exist, but it is DAC that we are interested in right now).

It is the presence of this utility that the creators of MonitorMinor are counting on. By escalating privileges (running the SU utility), it gains full access to data in the following apps:

  • LINE: Free Calls & Messages
  • Gmail
  • Zalo – Video Call
  • Instagram
  • Facebook
  • Kik
  • Hangouts
  • Viber
  • Hike News & Content
  • Skype
  • Snapchat
  • JusTalk
  • BOTIM

In other words, all the most popular modern communication tools.

Stealing the device unlock code

MonitorMinor’s functionality is not limited to intercepting data from social networking apps and messengers: using root privileges, it extracts the file /data/system/gesture.key from the device, which contains the hash sum for the screen unlock pattern or the password. This lets the MonitorMinor operator unlock the device, when it’s nearby or when operator will have physical access to device next time. This is the first time we have registered such a function in all our experience of monitoring mobile platform threats.

Persistence

When MonitorMinor acquires root access, it remounts the system partition from read-only to read/write mode, then copies itself to it, deletes itself from the user partition, and remounts it back to read-only mode. After this “castling” move, the stalkerware cannot be removed using regular OS tools. Sure, the option to escalate privileges is not available on all devices, and without root one might assume that the software would be less effective. But not if it’s MonitorMinor.

MonitorMinor features without root

Android is a very user-friendly operating system. It is especially friendly to users with disabilities: with the Accessibility Services API, the phone can read aloud incoming messages and any other text in app windows. What’s more, with the help of Accessibility Services, it is possible to obtain in real time the structure of the app window currently displayed on the smartphone screen: input fields, buttons, their names, etc.

It is this API that the stalkerware uses to intercept events in the above-listed apps. Put simply, even without root, MonitorMinor is able to operate effectively on all devices with Accessibility Services (which means most of them).

WhatsApp chat intercepted using Accessibility Services

A keylogger function is also implemented in the stalkerware through this same API. That is, MonitorMinor’s reach is not limited to social networks and messengers: everything entered by the victim is automatically sent to the MonitorMinor servers. The app also monitors the clipboard and forwards the contents. The stalkerware also allows its owner to:

  • Control the device using SMS commands
  • View real-time video from the device’s cameras
  • Record sound from the device’s microphone
  • View browsing history in Chrome
  • View usage statistics for certain apps
  • View the contents of the device’s internal storage
  • View the contacts list
  • View the system log

Fragment of an operator web interface demonstrating MonitorMinor capabilities

Propagation

According to KSN statistics, India currently has the largest share of installations of this stalkerware (14.71%). In addition, a Gmail account with an Indian name is stitched into the body of MonitorMinor, which hints at its country of origin. That said, we also discovered control panels in Turkish and English.

The second country in terms of usage is Mexico (11.76%), followed by Germany, Saudi Arabia, and the UK (5.88%), separated by only a few thousandths of one percent.

Map of users attacked by MonitorMinor (all attacks), November – December 2019

Conclusion

MonitorMinor is superior to other stalkerware in many aspects. It implements all kinds of tracking features, some of which are unique, and is almost impossible to detect on the victim’s device. If the device has root access, its operator has even more options available. For example, they can retrospectively view what the victim has been doing on social networks.

Note too that the Monitor.AndroidOS.MonitorMinor.c is obfuscated, which means that its creators are aware of the existence of anti-stalkerware tools and try to counter them.

IOCs

ECAC763FEFF38144E2834C43DE813216


Temp Mails (https://tempemail.co/) is a new free temporary email addresses service. This service provide you random 10 minutes emails addresses. It is also known by names like: temporary mail, disposable mail, throwaway email, one time mail, anonymous email address… All emails received by Tempmail servers are displayed automatically in your online browser inbox.

Roaming Mantis, part V | Securelist – 10 minute mail

Kaspersky has continued to track the Roaming Mantis campaign. The group’s attack methods have improved and new targets continuously added in order to steal more funds. The attackers’ focus has also shifted to techniques that avoid tracking and research: whitelist for distribution, analysis environment detection and so on. We’ve also observed new malware families: Fakecop (also known as SpyAgent by McAfee) and Wroba.j (also known as Funkybot by Fortinet).

Distribution of Wroba.g via SMiShing with impersonated brands

In 2018, the group added a distribution method for Wroba.g (aliases: Moqhao and XLoader), in addition to the original method of DNS hijacking. It was SMiShing using a spoofed delivery notice from a logistics company. In 2019, we confirmed another new method where a downloaded malicious APK file has an icon that impersonates a major courier company brand. The spoofed brand icon is customized for the country it targets, for example, Sagawa Express for Japan; Yamato Transport and FedEx for Taiwan; CJ Logistics for South Korea and Econt Express for Russia.

Examples of SMiShing with Android malware icons impersonating brands

In February 2020, the attacker modified a SMiShing message from a spoofed absence notification to “delivering free masks for the coronavirus issue” in Japan, according to a warning by Japan Cybercrime Control Center (JC3). This once again shows that criminals always make use of hot topics in their activities.

Whitelist feature of Wroba.g landing page for Korea only

The Roaming Mantis actor also employed a new feature in their Wroba.g landing page – currently only on the Korean page. It’s a whitelist feature to evade security researchers. When a user visits the landing page, they have to enter their phone number for confirmation. If the phone number is on the whitelist, the landing page distributes a malicious app.apk:

The fake CJ Logistics landing page includes a whitelist

The actor has a habit of trying out their new methods in Korean first. It means the method described above may be applied later on landing pages in other languages as well. If that happens, it would make it almost impossible for researchers to obtain a sample, because it would require a specific phone number in the actor’s whitelist database.

Multidex obfuscation trick in a loader module of Wroba.g

A single Dalvik Executable (DEX) has a 64K reference limit. As a workaround, a configuration of Mutidex allows the application to build and read multiple DEX files. In 2019, the actor used Multidex in an APK file to hide a malicious loader module as an obfuscation trick. Our analysis shows that it has been modified little by little:

Transition of obfuscation using Multidex

The classes${num}.dex marked with a red square is the actual malicious loader module. All the other DEX files are simply junk code. However, the encrypted payload of Wroba.g is still under the assets directory and can be decrypted by the simple python script described in our previous blogpost.

Wroba.g is targeting carrier billing and online banks in Japan

The actor has a strong financial motivation. They are targeting carrier billing and online bank accounts. They have implemented redirection to phishing sites to steal credentials in the decrypted payload of Wroba.g:

Hardcoded pkg name, URL of pinterest.com and pop-up message

When the malware detects a specific package of a Japanese online bank or specific mobile carriers on the infected device, it connects in the background to a hardcoded malicious account of pinterest.com to fetch a phishing site with an alert message. The message claims that it has blocked unauthorized access from a third party and asks the user to click on a button to confirm they want to proceed. If the user clicks the button, they will be redirected to a phishing site:

Redirecting to a phishing site via malicious account on pinterest.com

The targeted packages for online banks and mobile carriers correspond to the relevant accounts on pinterest.com that lead to phishing sites:

Pkgs or mobile carrier Accounts on pinterest.com Phishing site in Dec 2019 Phishing site in Jan 2020
jp.co.japannetbank.smtapp.balance nor********** jnb.jp-bankq[.]com N/A
jp.co.jibunbank.jibunmain abi******** jibun.jp-bankq[.]com N/A
jp.co.netbk.smartkey.SSNBSmartkey sin************* sbi.jp-bankq[.]com N/A
jp.co.rakuten_bank.rakutenbank kel*************** rakuten.jp-bankq[.]com N/A
jp.co.sevenbank.AppPassbook gh6****** seven.jp-bankq[.]com N/A
jp.co.smbc.direct eme************* smbc.jp-bankq[.]com smbc.bk-securityo[.]com
jp.japanpost.jp_bank.FIDOapp fel*************** jppost.jp-bankq[.]com N/A
jp.mufg.bk.applisp.app sho************* mufg.jp-bankq[.]com N/A
Docomo ami*********** nttdocomo-uh[.]com nttdocomo-xm[.]com
au pos*********** au-ul[.]com au-xm[.]com
Softbank ash************ epos-ua[.]com N/A

As can be seen in the table above, all the accounts have corresponding phishing sites as of December 2019 (data provided by @ninoseki on Twitter). These destination URLs are continuously changed by the attackers. In January 2020, only three of these accounts were enabled for some reason. However, as it’s easy for the criminals to modify the phishing page address, apps without corresponding phishing sites are also likely to be attacked again in the near future.

Wroba.j and Fakecop discovered in 2019

Roaming Mantis has been using Wroba.g and Wroba.f as its main Android malware. In April 2019, we observed two more malware families, Wroba.j and Fakecop. These two malware families have some similarities with the other families in terms of infrastructure, distribution channel, etc. We have created some slides, Roaming Mantis: A melting pot of Android bots in Botconf2019, showing the timeline, impersonated brands, malware features and money laundering method.

Based on our telemetry data, detection rates of both malicious programs were very low. We believe that this was a test by the attacker. However, the most alarming thing we discovered was the following SMS spamming function in Wroba.j:

Generating feedback for SMS spamming results

The function automatically creates a sophisticated list of phone numbers from the feedback for SMS spamming results. This malware also has another function that checks the International Mobile Subscriber Identifier (IMSI) to identify mobile carriers in Japan and add the phone number to a relevant spamming list.

Checking the IMSI of mobile carrier Docomo

According to the hardcoded IMSIs and strings shown below, the attacker seems to be targeting Docomo and Softbank mobile carriers.

IMSI of Docomo:

44001 4401 44058
44002 4402 4406
44003 4403 44087
44009 44049 44099

IMSI of Softbank:

Conclusion

The Roaming Mantis actor is strongly motivated by financial gain and is eager to evade tracking by researchers. It is now employing yet another method – whitelisting – to achieve this. This new method is currently only being applied for Korean pages, but it’s only a matter of time before it’s implemented for other languages.

The actor is still very active in using SMiShing for Android malware distribution. This is particularly alarming, because it means all infected mobile devices could form a botnet for malware delivery, SMiShing, and so on. ISPs, together with security companies, need to keep a close eye on the Roaming Mantis campaign to understand how to combat it.

Further reading

Further information about the Fakecop and Wroba.j families has also appeared in the following blogs published by McAfee and Fortinet respectively:

These blogposts provide some interesting updates on Roaming Mantis activities during 2019.

Example of md5 hashes for each APK

e6ae4277418323810505c28d2b6b3647 Wroba.g
939770e5a14129740dc57c440afbf558 Wroba.f
521312a8b5a76519f9237ec500afd534 Wroba.j
6d29caaa8b30cc8b454e74a75d33c902 Fakecop


Temp Mails (https://tempemail.co/) is a new free temporary email addresses service. This service provide you random 10 minutes emails addresses. It is also known by names like: temporary mail, disposable mail, throwaway email, one time mail, anonymous email address… All emails received by Tempmail servers are displayed automatically in your online browser inbox.

Roaming Mantis, part V | Securelist – 10 minute mail

Kaspersky has continued to track the Roaming Mantis campaign. The group’s attack methods have improved and new targets continuously added in order to steal more funds. The attackers’ focus has also shifted to techniques that avoid tracking and research: whitelist for distribution, analysis environment detection and so on. We’ve also observed new malware families: Fakecop (also known as SpyAgent by McAfee) and Wroba.j (also known as Funkybot by Fortinet).

Distribution of Wroba.g via SMiShing with impersonated brands

In 2018, the group added a distribution method for Wroba.g (aliases: Moqhao and XLoader), in addition to the original method of DNS hijacking. It was SMiShing using a spoofed delivery notice from a logistics company. In 2019, we confirmed another new method where a downloaded malicious APK file has an icon that impersonates a major courier company brand. The spoofed brand icon is customized for the country it targets, for example, Sagawa Express for Japan; Yamato Transport and FedEx for Taiwan; CJ Logistics for South Korea and Econt Express for Russia.

Examples of SMiShing with Android malware icons impersonating brands

In February 2020, the attacker modified a SMiShing message from a spoofed absence notification to “delivering free masks for the coronavirus issue” in Japan, according to a warning by Japan Cybercrime Control Center (JC3). This once again shows that criminals always make use of hot topics in their activities.

Whitelist feature of Wroba.g landing page for Korea only

The Roaming Mantis actor also employed a new feature in their Wroba.g landing page – currently only on the Korean page. It’s a whitelist feature to evade security researchers. When a user visits the landing page, they have to enter their phone number for confirmation. If the phone number is on the whitelist, the landing page distributes a malicious app.apk:

The fake CJ Logistics landing page includes a whitelist

The actor has a habit of trying out their new methods in Korean first. It means the method described above may be applied later on landing pages in other languages as well. If that happens, it would make it almost impossible for researchers to obtain a sample, because it would require a specific phone number in the actor’s whitelist database.

Multidex obfuscation trick in a loader module of Wroba.g

A single Dalvik Executable (DEX) has a 64K reference limit. As a workaround, a configuration of Mutidex allows the application to build and read multiple DEX files. In 2019, the actor used Multidex in an APK file to hide a malicious loader module as an obfuscation trick. Our analysis shows that it has been modified little by little:

Transition of obfuscation using Multidex

The classes${num}.dex marked with a red square is the actual malicious loader module. All the other DEX files are simply junk code. However, the encrypted payload of Wroba.g is still under the assets directory and can be decrypted by the simple python script described in our previous blogpost.

Wroba.g is targeting carrier billing and online banks in Japan

The actor has a strong financial motivation. They are targeting carrier billing and online bank accounts. They have implemented redirection to phishing sites to steal credentials in the decrypted payload of Wroba.g:

Hardcoded pkg name, URL of pinterest.com and pop-up message

When the malware detects a specific package of a Japanese online bank or specific mobile carriers on the infected device, it connects in the background to a hardcoded malicious account of pinterest.com to fetch a phishing site with an alert message. The message claims that it has blocked unauthorized access from a third party and asks the user to click on a button to confirm they want to proceed. If the user clicks the button, they will be redirected to a phishing site:

Redirecting to a phishing site via malicious account on pinterest.com

The targeted packages for online banks and mobile carriers correspond to the relevant accounts on pinterest.com that lead to phishing sites:

Pkgs or mobile carrier Accounts on pinterest.com Phishing site in Dec 2019 Phishing site in Jan 2020
jp.co.japannetbank.smtapp.balance nor********** jnb.jp-bankq[.]com N/A
jp.co.jibunbank.jibunmain abi******** jibun.jp-bankq[.]com N/A
jp.co.netbk.smartkey.SSNBSmartkey sin************* sbi.jp-bankq[.]com N/A
jp.co.rakuten_bank.rakutenbank kel*************** rakuten.jp-bankq[.]com N/A
jp.co.sevenbank.AppPassbook gh6****** seven.jp-bankq[.]com N/A
jp.co.smbc.direct eme************* smbc.jp-bankq[.]com smbc.bk-securityo[.]com
jp.japanpost.jp_bank.FIDOapp fel*************** jppost.jp-bankq[.]com N/A
jp.mufg.bk.applisp.app sho************* mufg.jp-bankq[.]com N/A
Docomo ami*********** nttdocomo-uh[.]com nttdocomo-xm[.]com
au pos*********** au-ul[.]com au-xm[.]com
Softbank ash************ epos-ua[.]com N/A

As can be seen in the table above, all the accounts have corresponding phishing sites as of December 2019 (data provided by @ninoseki on Twitter). These destination URLs are continuously changed by the attackers. In January 2020, only three of these accounts were enabled for some reason. However, as it’s easy for the criminals to modify the phishing page address, apps without corresponding phishing sites are also likely to be attacked again in the near future.

Wroba.j and Fakecop discovered in 2019

Roaming Mantis has been using Wroba.g and Wroba.f as its main Android malware. In April 2019, we observed two more malware families, Wroba.j and Fakecop. These two malware families have some similarities with the other families in terms of infrastructure, distribution channel, etc. We have created some slides, Roaming Mantis: A melting pot of Android bots in Botconf2019, showing the timeline, impersonated brands, malware features and money laundering method.

Based on our telemetry data, detection rates of both malicious programs were very low. We believe that this was a test by the attacker. However, the most alarming thing we discovered was the following SMS spamming function in Wroba.j:

Generating feedback for SMS spamming results

The function automatically creates a sophisticated list of phone numbers from the feedback for SMS spamming results. This malware also has another function that checks the International Mobile Subscriber Identifier (IMSI) to identify mobile carriers in Japan and add the phone number to a relevant spamming list.

Checking the IMSI of mobile carrier Docomo

According to the hardcoded IMSIs and strings shown below, the attacker seems to be targeting Docomo and Softbank mobile carriers.

IMSI of Docomo:

44001 4401 44058
44002 4402 4406
44003 4403 44087
44009 44049 44099

IMSI of Softbank:

Conclusion

The Roaming Mantis actor is strongly motivated by financial gain and is eager to evade tracking by researchers. It is now employing yet another method – whitelisting – to achieve this. This new method is currently only being applied for Korean pages, but it’s only a matter of time before it’s implemented for other languages.

The actor is still very active in using SMiShing for Android malware distribution. This is particularly alarming, because it means all infected mobile devices could form a botnet for malware delivery, SMiShing, and so on. ISPs, together with security companies, need to keep a close eye on the Roaming Mantis campaign to understand how to combat it.

Further reading

Further information about the Fakecop and Wroba.j families has also appeared in the following blogs published by McAfee and Fortinet respectively:

These blogposts provide some interesting updates on Roaming Mantis activities during 2019.

Example of md5 hashes for each APK

e6ae4277418323810505c28d2b6b3647 Wroba.g
939770e5a14129740dc57c440afbf558 Wroba.f
521312a8b5a76519f9237ec500afd534 Wroba.j
6d29caaa8b30cc8b454e74a75d33c902 Fakecop


Temp Mails (https://tempemail.co/) is a new free temporary email addresses service. This service provide you random 10 minutes emails addresses. It is also known by names like: temporary mail, disposable mail, throwaway email, one time mail, anonymous email address… All emails received by Tempmail servers are displayed automatically in your online browser inbox.