Redirect auction | Securelist – 10 minute mail

We’ve already looked at links under old YouTube videos or in Wikipedia articles which at some point turned bad and began pointing to partner program pages, phishing sites, or even malware. It was as if the attackers were purposely buying up domains, but such a scenario always seemed to us too complicated. Recently, while examining the behavior of one not-so-new program, we discovered how links get converted into malicious ones.

Razor Enhanced, a legitimate assistant tool for Ultima Online, caught our eye when it started trying to access a malicious URL.

C# program code for installing an update

Since we didn’t find anything suspicious in the program code, it was clear that the problem was on the other side. Going to the site that the program had tried to access, we found a stub for a popular domain auction stating that the domain was up for sale. The WHOIS data told us that its owner had stopped paying for the domain name, and that it had been purchased using a service for tracking released domains, and then put up for sale on the auction site.

To sell a domain at auction, it must first be parked on the DNS servers of the trading platform, where it remains until being transferred to the new owner. Anyone who visits the site sees that stub.

Stub on the domain up for sale

Having observed this page for a while, we noticed that from time to time visitors who initially went to the now inactive website of the app developer did not land on the auction stub, but on a malicious resource (which is basically what happened with Razor Enhanced when it decided to check for updates). Next, we learned that the stub site redirects visitors not to a specific resource, but to different websites, including ones on partner networks. What’s more, the type of redirect can vary depending on the country and user agent: when accessing from a macOS device, the victim might land on a page that downloads the Shlayer Trojan.

We checked the list of addresses from which Shlayer was downloaded, and found that the vast majority of domain names had been put up for auction on the same trading platform. Then we decided to check the requests to the resource that Razor Enhanced users got redirected to, and found that around 100 other stubs on this trading platform sent their visitors to the same address. During the study, we found about 1,000 of these pages in total, but the real figure is probably much higher.

According to data for March 2019–February 2020, 89% of the sites to which requests from stub pages got redirected were ad-related. The remaining 11% posed a far more serious threat: they prompt the user to install malware or download malicious MS Office or PDF documents with links to fake websites and the like.

We can assume that one source of income for the cybercriminals comes from generating traffic to partner program pages, both advertising and malicious (malvertising). For instance, one such resource in ten days receives (on average) around 600 redirect requests from programs which, like Razor Enhanced, were trying to access a developer site.

Who’s behind it?

There are various hypotheses. More likely: the malicious redirects are the work of a module that displays the content of a third-party ad network. Malicious traffic can appear due to the lack of ad filtering or because the attackers use vulnerabilities in the advertising module (or the trading platform itself) to change settings and substitute redirects.

It’s too early to draw any definite conclusions, but based on the data collected so far, it can be assumed that we are dealing with a well-organized (and presumably managed) network that can divert traffic flows to cybercriminal sites, using redirects from legitimate domain names and the resources of one of the largest and oldest domain auctions.

The main problem for visitors to legitimate resources is that without a security solution they will not be able to prevent getting redirected to a malicious site. Moreover, some visitors of such sites might go there by typing in the address from memory, clicking a link in the About window of an app they are using, or finding them in search engines.


Temp Mails (https://tempemail.co/) is a new free temporary email addresses service. This service provide you random 10 minutes emails addresses. It is also known by names like: temporary mail, disposable mail, throwaway email, one time mail, anonymous email address… All emails received by Tempmail servers are displayed automatically in your online browser inbox.

Pig in a poke: smartphone adware – 10 minute mail

Our support team continues to receive more and more requests from users complaining about intrusive ads on their smartphones from unknown sources. In some cases, the solution is quite simple. In others, the task is far harder: the adware plants itself in the system partition, and trying to get rid of it can lead to device failure. In addition, ads can be embedded in undeletable system apps and libraries at the code level. According to our data, 14.8% of all users attacked by malware or adware in the past year suffered an infection of the system partition.

Why is that? We observe two main strategies for introducing undeletable adware onto a device:

  • The malware gains root access on the device and installs adware in the system partition.
  • The code for displaying ads (or its loader) gets into the firmware of the device even before it ends up in the hands of the consumer.

The Android security model assumes that an antivirus is a normal app, and according to this concept, it physically can not do anything with adware or malware in system directories. This makes adware a problem. The cybercriminals behind it stop at nothing that will earn them money from advertising (or rather, the forced installation of apps). As a result, malware can end up on the user’s device, such as CookieStealer.

As a rule, 1–5% of the total number of users of our security solutions encounter adware (depending on the particular device brand). In the main, these are owners of smartphones and tablets of certain brands in the lower price segment. However, for some popular vendors offering low-cost devices, this figure can reach up to 27%.

Users who encountered malware or adware in the system partition as a percentage of the total number of Kaspersky users in the country, May 2019 — May 2020

Who’s there?

Among the most common types of malware installed in the system partition of smartphones are the Lezok and Triada Trojans. The latter is notable for its ad code embedded not just anywhere, but directly in libandroid_runtime — a key library used by almost all apps on the device. Although these threats were identified several years ago, users continue to run into them.

But Lezok and Triada are just the tip of the cyber iceberg. Below, we examine what else users face today and which system apps were found to contain “additional” code.

Trojan-Dropper.AndroidOS.Agent.pe

This obfuscated Trojan usually hides in the app that handles the graphical interface of the system, or in the Settings utility, without which the smartphone cannot function properly. The malware delivers its payload, which in turn can download and run arbitrary files on the device.

Trojan-Dropper.AndroidOS.Agent.pe payload functions

It’s interesting to note that sometimes there is no payload, and the Trojan is unable to perform its task.

Trojan.AndroidOS.Sivu.c

The Sivu Trojan is a dropper masquerading as an HTMLViewer app. The malware consists of two modules and can use root permissions on the device. The first module displays ads on top of other windows, and in notifications.

The Trojan checks if it can show ads on top of an on-screen app

The second module is a backdoor allowing remote control of the smartphone. Its capabilities include installing, uninstalling, and running apps, which can be used to covertly install both legitimate and malicious apps, depending on the intruder’s goals.

Downloading, installing, and running apps

AdWare.AndroidOS.Plague.f

This adware app pretends to be a system service, calling itself Android Services (com.android.syscore). It can download and install apps behind the user’s back, as well as display ads in notifications.

Secretly installing apps after the screen turns off

What’s more, Plague.f can display ads in SYSTEM_ALERT_WINDOW — a pop-up window that sits on top of all apps.

Trojan.AndroidOS.Agent.pac

Agent.pac can imitate the CIT TEST app, which checks the correct operation of device components. At C&C’s command, it can run apps, open URLs, download and run arbitrary DEX files, install/uninstall apps, show notifications, and start services.

Running a downloaded DEX file

Trojan-Dropper.AndroidOS.Penguin.e

This Trojan dropper hides in an app called STS, which has no functions other than displaying ads. The downloaded code is obfuscated. It can deploy the ToastWindow function, which in this context is analogous to SYSTEM_ALERT_WINDOW — a window that sits on top of all apps.

It can also download and run code.

ToastWindow and launching third-party code

Trojan-Downloader.AndroidOS.Necro.d

Unlike the previous Trojans, Necro.d is a native library located in the system directory. Its launch mechanism is built into another system library, libandroid_servers.so, which handles the operation of Android Services.

Launching the Trojan

At the command of C&C, Necro.d can download, install, uninstall, and run apps. In addition, the developers decided to leave themselves a backdoor for executing arbitrary shell commands.

Executing received commands

On top of that, Necro.d can download Kingroot superuser rights — seemingly so that the OS security system does not interfere with delivering “critically important” content for the user.

Downloading Kingroot

Trojan-Downloader.AndroidOS.Facmod.a

We came across the malware Facmod.a in apps required for the smartphone to operate normally: Settings, Factory Mode, SystemUI. Our eye was caught by devices with not one, but two malicious modules embedded in SystemUI.

Decrypting the C&C address

The first module (com.android.systemui.assis) receives an address from the server ufz.doesxyz[.]com for downloading and running arbitrary code under the name DynamicPack:

Downloading and running third-party code

The second (com.cash) loads the payload from the encrypted file in the app’s resources. The payload solves the usual tasks (for this type of threat) of installing and running apps:

Stealthy installation of apps

In addition, Facmod.a has functions for periodically starting the browser and opening a page in it with advertising.

Trojan-Dropper.AndroidOS.Guerrilla.i

The Guerrilla.i Trojan is found in the Launcher system app, responsible for the functioning of the smartphone “desktop.” The Trojan is tasked with periodically displaying ads and opening advertising pages in the browser. Guerrilla.i receives the configuration file by calling htapi.getapiv8[.]com/api.php?rq=plug. This file can also contain an address for downloading an additional module extending the functionality.

Trojan-Dropper.AndroidOS.Guerrilla.i periodically displaying ads

Trojan-Dropper.AndroidOS.Virtualinst.c

This dropper can take cover in the Theme app (com.nbc.willcloud.themestore). Its features are not original: downloading, installing, and running apps without the user’s knowledge.

Trojan-Dropper.AndroidOS.Virtualinst.c installing apps

AdWare.AndroidOS.Secretad.c

Another piece of adware that we discovered was built into the wallpaper folder. The payload of Secretad.c is contained in the file kgallery.c1ass. It gets unpacked and launched, for example, when the screen is turned on or apps are installed:

Unpacking the payload

Secretad.c can display ads in full screen mode, open pages in the browser, or launch the advertised app itself. Like many other adware programs, Secretad.c can install apps without the user knowing about it.

Secretly installing apps

The app also has one more ad module:

Its payload is encrypted in the file assets/1498203975110.dat. Among other things, it can cause the advertised app’s page on Google Play to unexpectedly open, installed apps to start, or the browser to open.

Adware from the manufacturer

Some smartphones contain adware modules pre-installed by the developers themselves. A few vendors openly admit to embedding adware under the hood of their smartphones; some allow it to be disabled, while others do not, describing it as part of their business model to reduce the cost of the device for the end user.

The user generally has no choice between buying the device at the full price, or a little cheaper with lifetime advertising. What’s more, we did not find any electronics store offering a clear warning to users that they would be forced to watch ads. In other words, buyers might not suspect that they are spending their cash on a pocket-sized billboard.

Meizu

Meizu devices make no secret that they display ads in apps. The advertising is fairly unobtrusive, and you can even turn it off in the settings. However, in the preinstalled AppStore app, we uncovered hidden adware able to load under the radar and display itself in invisible windows (usually used to boost the number of showings), which eats up data and battery power:

Loading ads on the quiet

But that’s not all. The app can download and execute third-party JavaScript code:

Downloading and executing JS code

Furthermore, the pre-installed AppStore app can mute the sound, access text messages, and cut and paste their contents into loaded pages.

Reading text messages and using their contents in a web page

This approach is often used in outright malicious apps which, unbeknown to the user, sign up to paid subscriptions. One can only trust in the decency of the adware controllers, and hope that third parties do not gain access to it.

But AppStore is not the only suspicious app on Meizu devices. In Meizu Music (com.meizu.media.music), we found an encrypted executable file used to download and execute a certain Ginkgo SDK:

Downloading Ginkgo SDK

What this SDK does can only be guessed at: not all Meizu devices download it, and we were unable to get hold of the latest version. However, the versions of Ginkgo SDK that we obtained from other sources display ads and install apps without the user’s knowledge.

The com.vlife.mxlock.wallpaper app also contains an encrypted executable file, and basically offers standard functions for gray-market adware modules, including the ability to install apps on the sly.

Secretly installing apps

We contacted Meizu to report our findings, but did not receive a response.

Fotabinder

In addition to dubious files in devices from particular vendors, we found a problem affecting a huge number of smartphones. The memory of many devices contains the file /bin/fotabinder, which can download files to user devices and execute code on them received from one of the following remote servers: adsunflower[.]com, adfuture[.]cn, or mayitek[.]com.

This file is most likely part of the update or testing system, but the encrypted C&C addresses and functions providing remote access to the device raise a red flag.

What does it all mean?

The examples in our investigation show that the focus of some mobile device suppliers is on maximizing profits through all kinds of advertising tools, even if those tools cause inconvenience to the device owners. If advertising networks are ready to pay for views, clicks, and installations regardless of their source, it makes sense to embed ad modules into devices to increase the profit from each device sold.

Unfortunately, if a user purchases a device with such pre-installed advertising, it is often impossible to remove it without risking damage to the system.

In this case, all hopes rest on enthusiasts who are busy creating alternative firmware for devices. But it’s important to understand that reflashing can void the warranty and even damage the device.

As for ad modules yet to do anything malicious, the user can only hope that the developers do not tack on ads from a malicious partner network without even realizing it themselves.

 

IoC

MD5

42c97a5da141b9cfd7696583875bcef5a

0065d7177dfd65cebb1e2e788dce0082

fc0824678f582b0bdf65856e90cf0a01

520b50eee2f9dc522a87398f3bd5be94

cf808957da17f6a0b5d266b0e301bf63

04705df0913ccc0a12abddbcb757bac4

5d05e62fb18c6e1128522fe3371d2c91

5a2e5a1f768e4f33bd007f9acd2a9d0d

6c0d83e9e0eeed44ab1a1e5affb68b85

28119119d19fc3d986df63517dee465e

c81d66f5206193ce76b7f4f0b813f705

00c62413845fba1d9ddfd0e8d99f167b

d7b13e3f54ff5b8ff3e2c78e67e665eb

c4296581148a1a1a008f233d75f71821

19e481d60c139af3d9881927a213ed88

04fe069d7d638d55c796d7ec7ed794a6

3fdd84b7136d5871afd170ab6dfde6ca

 

C&C

www.ywupscsff[.]com/fud.do

www.mzeibiyr[.]com/7ve5.do

i151125.infourl[.]net:9080

www.jueoxdr[.]com/ea.do

ufz.doesxyz[.]com

htapi.getapiv8[.]com/api.php?rq=plug

stable.icecyber[.]org

404mobi[.]com

51ginkgo[.]com

lbjg7[.]com

bigdata800[.]com

apd1.warnlog[.]com

apd1.thunup.com.

adsunflower[.]com

adfuture[.]cn

mayitek[.]com

 


Temp Mails (https://tempemail.co/) is a new free temporary email addresses service. This service provide you random 10 minutes emails addresses. It is also known by names like: temporary mail, disposable mail, throwaway email, one time mail, anonymous email address… All emails received by Tempmail servers are displayed automatically in your online browser inbox.

Aggressive in-app advertising in Android – 10 minute mail

Recently, we’ve been noticing ever more dubious advertising libraries in popular apps on Google Play. The monetization methods used in such SDKs can pose a threat to users, yet they pull in more revenue for developers than whitelisted ad modules due to the greater number of views. In this post we will look into a few examples of suspicious-looking ad modules that we discovered in popular apps earlier this year.

One of the applications we researched was a popular app that allows users to ask questions anonymously. Integrated into the code of an earlier version of the app was the module com.haskfm.h5mob. Its task was to show intrusive advertising (in breach of the Google Play rules) when the user unlocked the phone.

Code for displaying ads when the screen is unlocked

In other words, the module can show ads whether the app is running or not. The ad can simply pop up on the main screen all on its own, causing a nuisance for the user. We passed our findings to the app developers, who promptly removed com.haskfm.h5mob. However, this module remains interesting from technical point of view.

In this application to receive advertising offers, the module connects to the C&C servers, whose addresses are encrypted in the app code.

Decrypting the C&C addresses

The C&C response contains the display parameters and the platforms used to receive ads.

The most interesting parameter here is appintset, which specifies the delay before displaying the first ad after installation of the app. In our example, it was set to 43.2 million milliseconds, or 12 hours. This delay makes it much harder for the user to find the culprit for all the ads that suddenly appear on the screen. Also, this technique is frequently used by cybercriminals to trick automatic protection mechanisms, such as sandboxes in app stores. The main parameters are followed by an extensive list of addresses of advertising providers with request parameters for receiving offers.

Earlier we detected a similar ad module in apps without a payload. For example, the code in the app com.android.ggtoolkit_tw_xd, which we detect as not-a-virus:AdWare.AndroidOS.Magic.a, contains the same features and is managed from the same C&C as the com.haskfm.h5mob module. However, this adware app has no graphical interface to speak of, is not displayed in the device’s app menu, and serves only to display intrusive ads as described above. It looks something like this: adware_in-app_video.mp4

While, as previously mentioned, the creators of the application described in the first example, promptly removed the ad module, not all Android developers are so conscientious. For example, the Cut – CutOut & Photo Background Editor app does not hesitate to treat users to a half-screen ad as soon as the smartphone is unlocked, regardless of whether the app is running or not.

Likewise the Fast Cleaner — Speed​Booster & Cleaner app.

In both apps, the library com.vision.lib handles the display of advertising.

Display of advertising

At the time of writing this article, the developers of both apps had not responded to our requests.

Note, however, that adware is not always about greed. Often, app developers are not versed in advertising SDKs and lack the necessary skills to test an integrated advertising library, and therefore may not fully understand what they are adding to their code. The danger for users here is that a dubious library could unexpectedly make its way into an app as part of a rank-and-file update. And it becomes extremely difficult to figure out which of a dozen recently updated apps is the source of intrusive advertising.

IOCs

MD5

1eeda6306a2b12f78902a1bc0b7a7961 – com.android.ggtoolkit_tw_xd
134283b8efedc3d7244ba1b3a52e4a92  – com.xprodev.cutcam
3aba867b8b91c17531e58a9054657e10 – com.powerd.cleaner

С&C

ti.domainforlite[.]com/st/hg
uu.domainforlite[.]com


Temp Mails (https://tempemail.co/) is a new free temporary email addresses service. This service provide you random 10 minutes emails addresses. It is also known by names like: temporary mail, disposable mail, throwaway email, one time mail, anonymous email address… All emails received by Tempmail servers are displayed automatically in your online browser inbox.

Cyberthreats on lockdown | Securelist – 10 minute mail

Every year, our anti-malware research team releases a series of reports on various cyberthreats: financial malware, web attacks, exploits, etc. As we monitor the increase, or decrease, in the number of certain threats, we do not usually associate these changes with concurrent world events – unless these events have a direct relation to the cyberthreats, that is: for example, the closure of a large botnet and arrest of its owners result in a decrease in web attacks.

However, the COVID-19 pandemic has affected us all in some way, so it would be surprising if cybercriminals were an exception. Spammers and phishers were naturally the trailblazers in this – look for details in the next quarterly report – but the entire cybercrime landscape has changed in the last few months. Before we discuss the subject, let us get something out of the way: it would be farfetched to attribute all of the changes mentioned below to the pandemic. However, certain connections can be traced.

Remote work

The first thing that caught our attention was remote work. From an information security standpoint, an employee within the office network and an employee connecting to the same network from home are two completely different users. It seems cybercriminals share this view, as the number of attacks on servers and remote access tools has increased as their usage has grown. In particular, the average daily number of bruteforce attacks on database servers in April 2020 was up by 23% from January.

Distribution of botnet C&C servers by country, Q1 2020 (download)

Unique computers subjected to bruteforce attacks, January through April 2020

Cybercriminals use brute force to penetrate a company’s network and subsequently launch malware inside its infrastructure. We are monitoring several cybercrime groups that rely on the scheme. The payload is usually ransomware, mostly from the Trojan-Ransom.Win32.Crusis, Trojan-Ransom.Win32.Phobos and Trojan-Ransom.Win32.Cryakl families.

RDP-attacks and ways to counter these were recently covered in detail by Dmitry Galov in his blog post, “Remote spring: the rise of RDP bruteforce attacks“.

Remote entertainment

Online entertainment activity increased as users transitioned to a “remote” lifestyle. The increase was so pronounced that some video streaming services, such as YouTube, announced that they were changing their default video quality to help with reducing traffic. The cybercriminal world responded by stepping up web threats: the average daily number of attacks blocked by Kaspersky Web Anti-Virus increased by 25% from January 2020.

Web-based attacks blocked, January through April 2020 (download)

It is hard to single out one specific web threat as the driver – all of the threats grew more or less proportionally. Most web attacks that were blocked originated with resources that redirected users to all kinds of malicious websites. Some of these were phishing resources and websites that subscribed visitors to unsolicited push notifications or tried to scare them with fake system error warnings.
We also noticed an increase in Trojan-PSW browser script modifications that could be found on various infected sites. Their main task was to capture bank card credentials entered by users while shopping online and transfer these to cybercriminals.
Websites capable of silently installing cookie files on users’ computers (cookie stuffing) and resources that injected advertising scripts into users’ traffic together accounted for a significant share of the web threats.


Temp Mails (https://tempemail.co/) is a new free temporary email addresses service. This service provide you random 10 minutes emails addresses. It is also known by names like: temporary mail, disposable mail, throwaway email, one time mail, anonymous email address… All emails received by Tempmail servers are displayed automatically in your online browser inbox.

Remote spring: the rise of RDP bruteforce attacks – 10 minute mail

With the spread of COVID-19, organizations worldwide have introduced remote working, which is having a direct impact on cybersecurity and the threat landscape.

Alongside the higher volume of corporate traffic, the use of third-party services for data exchange, and employees working on home computers (and potentially insecure Wi-Fi networks), another headache for infosec teams is the increased number of people using remote-access tools.

One of the most popular application-level protocols for accessing Windows workstations or servers is Microsoft’s proprietary protocol — RDP. The lockdown has seen the appearance of a great many computers and servers able to be connected remotely, and right now we are witnessing an increase in cybercriminal activity with a view to exploiting the situation to attack corporate resources that have now been made available (sometimes in a hurry) to remote workers.

Since the beginning of March, the number of Bruteforce.Generic.RDP attacks has rocketed across almost the entire planet:

Growth in the number of attacks by the Bruteforce.Generic.RDP family, February–April 2019

Attacks of this type are attempts to brute-force a username and password for RDP by systematically trying all possible options until the correct one is found. The search can be based on combinations of random characters or a dictionary of popular or compromised passwords. A successful attack gives the cybercriminal remote access to the target computer in the network.

Brute-force attackers are not surgical in their approach, but operate by area. As far as we can tell, following the mass transition to home working, they logically concluded that the number of poorly configured RDP servers would increase, hence the rise in the number of attacks.

Attacks on remote-access infrastructure (as well as collaboration tools) are unlikely to stop any time soon. So if you use RDP in your work, be sure to take all possible protection measures:

  • At the very least, use strong passwords.
  • Make RDP available only through a corporate VPN.
  • Use Network Level Authentication (NLA).
  • If possible, enable two-factor authentication.
  • If you don’t use RDP, disable it and close port 3389.
  • Use a reliable security solution.

If you use a different remote-access protocol, you still cannot relax:  at the end of last year, Kaspersky experts found 37 vulnerabilities in various clients that connected via the VNC protocol, which, like RDP, is used for remote access.

Companies need to closely monitor programs in use and update them on all corporate devices in a timely manner. This is no easy task for many companies at present, because the hasty transition to remote working has forced many to allow employees to work with or connect to company resources from their home computers, which often fall short of corporate cybersecurity standards. Our advice is as follows:

  • Give employees training in the basics of digital security.
  • Use different strong passwords to access different corporate resources.
  • Update all software on employee devices to the latest version.
  • Where possible, use encryption on devices used for work purposes.
  • Make backup copies of critical data.
  • Install security solutions on all employee devices, as well as solutions for tracking equipment in case of loss.


Temp Mails (https://tempemail.co/) is a new free temporary email addresses service. This service provide you random 10 minutes emails addresses. It is also known by names like: temporary mail, disposable mail, throwaway email, one time mail, anonymous email address… All emails received by Tempmail servers are displayed automatically in your online browser inbox.

Unkillable xHelper and a Trojan matryoshka – 10 minute mail

It was the middle of last year that we detected the start of mass attacks by the xHelper Trojan on Android smartphones, but even now the malware remains as active as ever. The main feature of xHelper is entrenchment — once it gets into the phone, it somehow remains there even after the user deletes it and restores the factory settings. We conducted a thorough study to determine how xHelper’s creators furnished it with such survivability.

Share of Kaspersky users attacked by the xHelper Trojan in the total number of attacks, 2019-2020

How does xHelper work?

Let’s analyze the family’s logic based on the currently active sample Trojan-Dropper.AndroidOS.Helper.h. The malware disguises itself as a popular cleaner and speed-up app for smartphones, but in reality there is nothing useful about it: after installation, the “cleaner” simply disappears and is nowhere to be seen either on the main screen or in the program menu. You can see it only by inspecting the list of installed apps in the system settings.

The Trojan’s payload is encrypted in the file /assets/firehelper.jar (since its encryption is practically unchanged from earlier versions, it was not difficult to decrypt). Its main task is to send information about the victim’s phone (android_id, manufacturer, model, firmware version, etc.) to https://lp.cooktracking[.]com/v1/ls/get…

Decrypting the URL for sending device information

…and downloading the next malicious module — Trojan-Dropper.AndroidOS.Agent.of.

This malware in turn decrypts and launches its payload using a bundled native library; this approach makes it difficult to analyze the module. At this stage, the next dropper, Trojan-Dropper.AndroidOS.Helper.b, is decrypted and launched. This in turn runs the malware Trojan-Downloader.AndroidOS.Leech.p, which further infects the device.

Leech.p is tasked with downloading our old friend HEUR:Trojan.AndroidOS.Triada.dd with a set of exploits for obtaining root privileges on the victim’s device.

Decoding the URL of the Leech.p C&C

Downloading the Triada Trojan

Malicious files are stored sequentially in the app’s data folder, which other programs do not have access to. This matryoshka-style scheme allows the malware authors to obscure the trail and use malicious modules that are known to security solutions. The malware can gain root access mainly on devices running Android versions 6 and 7 from Chinese manufacturers (including ODMs). After obtaining privileges, xHelper can install malicious files directly in the system partition.

Note here that the system partition is mounted at system startup in read-only mode. Armed with root rights, the Trojan remounts it in write mode and proceeds to the main job of starting the tellingly named script forever.sh. Triada employs its best-known tricks, including remounting the system partition to install its programs there. In our case, the package com.diag.patches.vm8u is installed, which we detect as Trojan-Dropper.AndroidOS.Tiny.d.

And several executable files get copied to the /system/bin folder:

  • patches_mu8v_oemlogo — Trojan.AndroidOS.Triada.dd
  • debuggerd_hulu —AndroidOS.Triada.dy
  • kcol_ysy — HEUR:Trojan.AndroidOS.Triada.dx
  • /.luser/bkdiag_vm8u_date — HEUR:Trojan.AndroidOS.Agent.rt

A few more files are copied to the /system/xbin folder:

  • diag_vm8u_date
  • patches_mu8v_oemlogo

A call to files from the xbin folder is added to the file install-recovery.sh, which allows Triada to run at system startup. All files in the target folders are assigned the immutable attribute, which makes it difficult to delete the malware, because the system does not allow even superusers to delete files with this attribute. However, this self-defense mechanism employed by the Trojan can be countered by deleting this attribute using the chattr command.

The question arises: if the malware is able to remount the system partition in write mode in order to copy itself there, can the user adopt the same strategy to delete it? Triada’s creators also contemplated this question, and duly applied another protection technique that involved modifying the system library /system/lib/libc.so. This library contains common code used by almost all executable files on the device. Triada substitutes its own code for the mount function (used to mount file systems) in libc, thereby preventing the user from mounting the /system partition in write mode.

On top of that, the Trojan downloads and installs several more malicious programs (for example, HEUR:Trojan-Dropper.AndroidOS.Necro.z), and deletes root access control applications, such as Superuser.

How to get rid of xHelper?

As follows from the above, simply removing xHelper does not entirely disinfect the system. The program com.diag.patches.vm8u, installed in the system partition, reinstalls xHelper and other malware at the first opportunity.

Installing programs without user participation

But if you have Recovery mode set up on your Android smartphone, you can try to extract the libc.so file from the original firmware and replace the infected one with it, before removing all malware from the system partition. However, it’s simpler and more reliable to completely reflash the phone.

Bear in mind too that the firmware of smartphones attacked by xHelper sometimes contains preinstalled malware that independently downloads and installs programs (including xHelper). In this case, reflashing is pointless, so it would be worth considering alternative firmwares for your device. If you do use a different firmware, remember that some of the device’s components might not operate properly.

In any event, using a smartphone infected with xHelper is extremely dangerous. The malware installs a backdoor with the ability to execute commands as a superuser. It provides the attackers with full access to all app data and can be used by other malware too, for example, CookieThief.

C&C

lp.cooktracking[.]com/v1/ls/get
www.koapkmobi[.]com:8081
45.79.110.191
45.33.9.178
23.239.4.169
172.104.215.170

Trojan-Dropper.AndroidOS.Helper.h — 59acb21b05a16c08ade1ec50571ba5d4
Trojan-Dropper.AndroidOS.Agent.of — 57cb18969dfccfd3e22e33ed5c8c66ce
Trojan-Dropper.AndroidOS.Helper.b — b5ccbfd13078a341ee3d5f6e35a54b0a
Trojan-Downloader.AndroidOS.Leech.p — 5fdfb02b94055d035e38a994e1f420ae
Trojan.AndroidOS.Triada.dd — 617f5508dd3066de7ec647bdd1497118
Trojan-Dropper.AndroidOS.Tiny.d — 21ae93aa54156d0c6913243cb45700ec
Trojan.AndroidOS.Triada.dd —  105265b01bac8e224e34a700662ffc4c8
Trojan.AndroidOS.Agent.rt — 95e2817a37c317b17de42e565475f40f
Trojan.AndroidOS.Triada.dy — cfe7d8c9c1e43ca02a4b1852cb34d5a5
Trojan.AndroidOS.Triada.dx — e778d4cc1a7901689b59e9abebc925e1
Trojan-Dropper.AndroidOS.Necro.z — 2887ab410356ea06d99286327e2bc36b


Temp Mails (https://tempemail.co/) is a new free temporary email addresses service. This service provide you random 10 minutes emails addresses. It is also known by names like: temporary mail, disposable mail, throwaway email, one time mail, anonymous email address… All emails received by Tempmail servers are displayed automatically in your online browser inbox.

MonitorMinor: vicious stalkerware? | Securelist – 10 minute mail

Updated March 17th, 2020

The other day, our Android traps ensnared an interesting specimen of commercial software that is positioned as a parental control app, but may also be used to secretly monitor family members or colleagues – or, in other words, for stalking. Such apps are often called stalkerware. On closer inspection, we found that this app outstrips all existing software of its class in terms of functionality. Let’s take a look one step at a time.

Modern stalkerware

What is the usual functionality of stalkerware? The most basic thing is to transmit the victim’s current geolocation. There are many such “stalkers”, since various special web resources are used to display coordinates, and they only contain a few lines of code.

Often, their creators use geofencing technology, whereby a notification about the victim’s movements is sent only if they go beyond (or enter) a particular area. In some cases, functions to intercept SMS and call data (spyware that’s able to log them is much less common) are added to the geolocation transmission.

But today, SMS are used mainly for receiving one-time passwords and not much else — their niche has been captured almost entirely by messengers, which these days even facilitate business negotiations. Moreover, they claim to be an alternative to “traditional” voice communication. So any software with tracking/spying functionality worth its salt must be able to intercept data from messengers. The sample we found (assigned the verdict Monitor.AndroidOS.MonitorMinor.c) is a rare piece of monitoring software that could be used for stalking purposes that can do this.

MonitorMinor features

In a “clean” Android operating system, direct communication between apps is prevented by the sandbox, so stalkerware cannot simply turn up and gain access to, say, WhatsApp messages. This access model is called DAC (Discretionary Access Control). When an app is installed on the system, a new account and app directory are created, the latter being accessible only to this account. For example, WhatsApp stores the user’s chat history in the file /data/data/com.whatsapp/databases/msgstore.db, which only the user and WhatsApp itself have access to. Other messengers work in a similar way.

The situation changes if a SuperUser-type app (SU utility) is installed, which grants root access to the system. Exactly how they get on the device — installed at the factory, by a user, or even by malware — is not so important. The main point is that they cause one of the system’s key security mechanisms to cease to exist (in fact, all security systems cease to exist, but it is DAC that we are interested in right now).

It is the presence of this utility that the creators of MonitorMinor are perhaps counting on. By escalating privileges (running the SU utility), it gains full access to data in the following apps:

  • LINE: Free Calls & Messages
  • Gmail
  • Zalo – Video Call
  • Instagram
  • Facebook
  • Kik
  • Hangouts
  • Viber
  • Hike News & Content
  • Skype
  • Snapchat
  • JusTalk
  • BOTIM

In other words, all the most popular modern communication tools.

Intercepting the device unlock code

MonitorMinor’s functionality is not limited to intercepting data from social networking apps and messengers: using root privileges, it extracts the file /data/system/gesture.key from the device, which contains the hash sum for the screen unlock pattern or the password. This lets the MonitorMinor operator unlock the device, when it’s nearby or when the operator will have physical access to the device the next time. This is the first time we have registered such a function in all our experience of monitoring mobile platform threats.

Persistence

When MonitorMinor acquires root access, it remounts the system partition from read-only to read/write mode, then copies itself to it, deletes itself from the user partition, and remounts it back to read-only mode. After this “castling” move, the application cannot be removed using regular OS tools. Sure, the option to escalate privileges is not available on all devices, and without root one might assume that the software would be less effective. But not if it’s MonitorMinor.

MonitorMinor features without root

Android is a very user-friendly operating system. It is especially friendly to users with disabilities: with the Accessibility Services API, the phone can read aloud incoming messages and any other text in app windows. What’s more, with the help of Accessibility Services, it is possible to obtain in real time the structure of the app window currently displayed on the smartphone screen: input fields, buttons, their names, etc.

It is this API that the stalkerware uses to intercept events in the above-listed apps. Put simply, even without root, MonitorMinor is able to operate effectively on all devices with Accessibility Services (which means most of them).

WhatsApp chat intercepted using Accessibility Services

A keylogger function is also implemented in this app through this same API. That is, MonitorMinor’s reach is not limited to social networks and messengers: everything entered by the victim is automatically sent to the MonitorMinor servers. The app also monitors the clipboard and forwards the contents. The app also allows its owner to:

  • Control the device using SMS commands
  • View real-time video from the device’s cameras
  • Record sound from the device’s microphone
  • View browsing history in Chrome
  • View usage statistics for certain apps
  • View the contents of the device’s internal storage
  • View the contacts list
  • View the system log

Fragment of an operator web interface demonstrating MonitorMinor’s capabilities

Propagation

According to KSN statistics, India currently has the largest share of installations of this application (14.71%). In addition, a Gmail account with an Indian name is stitched into the body of MonitorMinor, which hints at its country of origin. That said, we also discovered control panels in Turkish and English.

The second country in terms of usage is Mexico (11.76%), followed by Germany, Saudi Arabia, and the UK (5.88%), separated by only a few thousandths of one percent.

Map of users attacked by MonitorMinor (all attacks), November – December 2019

Conclusion

MonitorMinor is superior to other tracking apps that can be used for stalking purposes in many aspects. It implements all kinds of tracking features, some of which are unique and is almost impossible to detect on the victim’s device. If the device has root access, its operator has even more options available. For example, they can retrospectively view what the victim has been doing on social networks. Note too that the Monitor.AndroidOS.MonitorMinor.c is obfuscated, which means that its creators may be aware of the existence of anti-stalkerware tools and try to counter them.

Yet we should note that the License agreement available on the website, from which the application is distributed, clearly states that users of the application are not allowed to use it for silent monitoring of another person without written consent. Moreover, the authors of the agreement warn that in some countries such actions may be subject to investigation by law enforcement agencies. So, formally, it is hard to deny that the developers of this application took steps to provide information about the potential consequences of unlawful usage of the app.

On the other hand, we can’t see how this information can help potential targets of stalkers that would decide to use this app. It is very intrusive and is able to exist on the target’s device without being visible to its owner, and it can silently harvest practically every bit of the target’s personal communications. Due to the powerful characteristics of this app, we decided to draw attention to it and inform those who defend people from stalkerware of the potential threat it poses. This is not just another parental control application.

The market has plenty of Parental Control solutions that do their job properly without providing the “Parent” with a super set of instruments to track their “kids’” personal life. We are not in the position to teach other developers how to create parental control applications, however, it is our job to let our clients and other parties know when there is something out there that could be used to significantly impede on their privacy.

IOCs

ECAC763FEFF38144E2834C43DE813216


Temp Mails (https://tempemail.co/) is a new free temporary email addresses service. This service provide you random 10 minutes emails addresses. It is also known by names like: temporary mail, disposable mail, throwaway email, one time mail, anonymous email address… All emails received by Tempmail servers are displayed automatically in your online browser inbox.

Shlayer Trojan attacks one in ten macOS users – 10 minute mail

For close to two years now, the Shlayer Trojan has been the most common threat on the macOS platform: in 2019, one in ten of our Mac security solutions encountered this malware at least once, and it accounts for almost 30% of all detections for this OS. The first specimens of this family fell into our hands back in February 2018, and we have since collected almost 32,000 different malicious samples of the Trojan and identified 143 C&C server domains.

TOP 10 threats for macOS by share of users attacked, as detected by Kaspersky security solutions for macOS, January– November 2019 (download)

The operation algorithm has changed little since Shlayer was first discovered, nor has its activity decreased much: the number of detections remains at the same level as in the first months after the malware was uncovered.

Shlayer malware detections by Kaspersky security solutions for macOS, February 2018 – November 2019 (download)

Technical details

Despite its prevalence, from a technical viewpoint Shlayer is a rather ordinary piece of malware. Of all its modifications, only the recent Trojan-Downloader.OSX.Shlayer.e stands apart. Unlike its Bash-based cousins, this variant of the malware is written in Python, and its operation algorithm is also somewhat different. Let’s demonstrate this using a DMG file with MD5 4d86ae25913374cfcb80a8d798b9016e.

First stage of infection

After mounting this DMG image, the user is prompted to run an “installation” file. However, the seemingly standard installer turns out to be a Python script, which is already atypical of macOS installation software.

Shlayer user guide

The directory with executable files inside the application package contains two Python scripts: gjpWvvuUD847DzQPyBI (main) and goQWAJdbnuv6 (auxiliary). The latter implements data encryption functions by means of a byte shift on the key key:

  • The encryptText/decryptText pair of functions encrypt and decrypt strings;
  • encryptList encrypts the contents of the list passed in the arguments; decryptList performs the inverse operation;
  • The getKey() function generates an encryption key based on the time in the operating system.

Main script of the Trojan

Auxiliary script of the Trojan

Next, the main script generates a unique user and system ID, and also collects information about the version of macOS in use. Based on this data, the GET query parameters are generated to download the ZIP file:

The ZIP archive downloaded to the /tmp/%(sessionID) directory is unpacked to the /tmp/tmp directory using the unzip function:

The ZIP archive was found to contain an application package with the executable file 84cd5bba3870:

After unpacking the archive, the main python script uses the chmod tool to assign the file 84cd5bba3870 permission to run in the system:

For added effect, the sample copies the icon of the original mounted DMG image to the directory with the newly downloaded application package using the moveIcon and findVolumePath functions:

After that, the Trojan runs the downloaded and unpacked application package using the built-in open tool, and deletes the downloaded archive and its unpacked contents:

Second stage of infection

Shlayer itself performs only the initial stage of the attack — it penetrates the system, loads the main payload, and runs it. The negative consequences for the user can be seen by investigating the AdWare.OSX.Cimpli family, which was being actively downloaded by the Trojan at the time of writing.

At first glance, the Cimpli installer looks harmless enough, simply offering to install a partner application (for example, Any Search):

But in actual fact, Cimpli performs several actions unseen by the user. First, it installs a malicious extension in Safari, hiding the OS security notification behind a malware fake window. By clicking on the buttons in the notification, the user in effect agrees to install the extension.

Left: what the user sees; right: what’s really going on

One of these extensions is called ManagementMark, which we detect as not-a-virus:HEUR:AdWare.Script.SearchExt.gen. It monitors user searches and redirects them to the address hxxp://lkysearchex41343-a.akamaihd[.]net/as?q=c by injecting the script script.js in the browser pages:

The sample also loads the mitmdump tool, which is packed using PyInstaller. To allow mitmdump to view HTTPS traffic, a special trusted certificate is added to the system. This is likewise done by superimposing a fake window over the installation confirmation box. After that, all user traffic is redirected to the SOCKS5 proxy launched using mitmdump.

Arguments for running the packed mitmdump run arguments

From the screenshot, it can be seen that all traffic passing through mitmdump (SearchSkilledData) is processed by the script SearchSkilledData.py (-s option):

This script redirects all user search queries to hxxp://lkysearchds3822-a.akamaihd[.]net. Kaspersky solutions detect this script as not-a-virus:AdWare.Python.CimpliAds.a.

Cimpli adware thus becomes firmly anchored in the system; in the event that traffic does not pass through the proxy server, the JS code of the extension injected in the page handles the redirection of queries. The attacker gains access to the user’s search queries and can modify the search engine results to display advertising. As a result, the user is inundated with unsolicited ads.

Note that Cimpli is not the only family of adware apps that Shlayer can download. The list also includes AdWare.OSX.Bnodlero, AdWare.OSX.Geonei, and AdWare.OSX.Pirrit, which made up almost all the remaining positions in the Top 10 threats for macOS in 2019.

Family ties

The behavioral similarities between the Python version of Shlayer and earlier modifications of the family written in Bash are not hard to spot: harvesting IDs and system versions, downloading an archive to a temporary directory, executing the downloaded file, deleting traces of downloading — we’ve seen this course of actions before. Moreover, both modifications use curl with the combination of options -f0L, which is basically the calling card of the entire family:

Top: an old modification of the Trojan; bottom: the latest version

Finding legitimate use for curl with options –f0L is not an easy task

Distribution

Distribution is a vital part of any malware’s life cycle, and the creators of Shlayer have taken this issue to heart. Looking for the latest episode of your favorite TV show? Want to watch a live broadcast of a soccer match? Then take extra care, since the chances of a run-in with Shlayer are high.

Examples of Shlayer landing pages

We noticed at once several file partner programs in which Shlayer was offered as a monetization tool. Having analyzed various offers, we identified a general trend: Shlayer stands out from the field for the relatively high installation fee (though only installations performed by U.S.-based users count). The prospect of a juicy profit likely contributed to the popularity of the offer (we counted more than 1000 partner sites distributing Shlayer).

Description of the offer on a partner program website

In most cases, it was advertising landing pages that brought users to the next stage of the distribution chain — nicely crafted fake pages prompting to install the malware under the veil of a Flash Player update. This is primarily how the Trojan-Downloader.OSX.Shlayer.a modification was distributed.

Fake Flash Player download page

The version of Trojan-Downloader.OSX.Shlayer.e discussed above was propagated in a slightly different way. Similar to the previous scheme, users ended up on a page seemingly offering an Adobe Flash update. But they were redirected there from large online services boasting a multimillion-dollar audience. Time and again, we have uncovered links pointing to malware downloads in the descriptions of YouTube videos:

Another example is links to Shlayer distribution pages contained in the footnotes to Wikipedia articles:

These links were not added by the cybercriminals themselves: we found that all those malicious domains had recently expired, and, judging by the WHOIS data, they now belong to a single individual. On the websites, the newly minted owner posted a malicious script that redirects users to Shlayer download landing pages. There are already over 700 such domains in total.

Our statistics show that the majority of Shlayer attacks are against users in the U.S. (31%), followed by Germany (14%), France (10%), and the UK (10%). This is wholly consistent with the terms and conditions of partner programs that deliver the malware, and with the fact that almost all sites with fake Flash Player download pages had English-language content.

Geographic distribution of users attacked by the Shlayer Trojan, February 2018 – October 2019 (download)

Conclusion

Having studied the Shlayer family, we can conclude that the macOS platform is a good source of revenue for cybercriminals. The Trojan links even reside on legitimate resources — attackers are adept in the art of social engineering, and it is hard to predict how sophisticated the next deception technique will be.

Kaspersky solutions detect Shlayer and its artifacts and download pages with the following verdicts:

  • HEUR:Trojan-Downloader.OSX.Shlayer.*
  • not-a-virus:HEUR:AdWare.OSX.Cimpli.*
  • not-a-virus:AdWare.Script.SearchExt.*
  • not-a-virus:AdWare.Python.CimpliAds.*
  • not-a-virus:HEUR:AdWare.Script.MacGenerator.gen

IOCS:

  • 4d86ae25913374cfcb80a8d798b9016e
  • fa124ed3905a9075517f497531779f92
  • 594aa050742406db04a8e07b5d247cdd

Malicious links:

  • hxxp://80.82.77.84/.dmg
  • hxxp://sci-hub[.]tv
  • hxxp://kodak-world[.]com

C&C Urls:

  • hxxp://api.typicalarchive[.]com
  • hxxp://api.entrycache[.]com
  • hxxp://api.macsmoments[.]com


Temp Mails (https://tempemail.co/) is a new free temporary email addresses service. This service provide you random 10 minutes emails addresses. It is also known by names like: temporary mail, disposable mail, throwaway email, one time mail, anonymous email address… All emails received by Tempmail servers are displayed automatically in your online browser inbox.

Shlayer Trojan attacks one in ten macOS users – 10 minute mail

For close to two years now, the Shlayer Trojan has been the most common threat on the macOS platform: in 2019, one in ten of our Mac security solutions encountered this malware at least once, and it accounts for almost 30% of all detections for this OS. The first specimens of this family fell into our hands back in February 2018, and we have since collected almost 32,000 different malicious samples of the Trojan and identified 143 C&C server domains.

TOP 10 threats for macOS by share of users attacked, as detected by Kaspersky security solutions for macOS, January– November 2019 (download)

The operation algorithm has changed little since Shlayer was first discovered, nor has its activity decreased much: the number of detections remains at the same level as in the first months after the malware was uncovered.

Shlayer malware detections by Kaspersky security solutions for macOS, February 2018 – October 2019 (download)

Technical details

Despite its prevalence, from a technical viewpoint Shlayer is a rather ordinary piece of malware. Of all its modifications, only the recent Trojan-Downloader.OSX.Shlayer.e stands apart. Unlike its Bash-based cousins, this variant of the malware is written in Python, and its operation algorithm is also somewhat different. Let’s demonstrate this using a DMG file with MD5 4d86ae25913374cfcb80a8d798b9016e.

First stage of infection

After mounting this DMG image, the user is prompted to run an “installation” file. However, the seemingly standard installer turns out to be a Python script, which is already atypical of macOS installation software.

Shlayer user guide

The directory with executable files inside the application package contains two Python scripts: gjpWvvuUD847DzQPyBI (main) and goQWAJdbnuv6 (auxiliary). The latter implements data encryption functions by means of a byte shift on the key key:

  • The encryptText/decryptText pair of functions encrypt and decrypt strings;
  • encryptList encrypts the contents of the list passed in the arguments; decryptList performs the inverse operation;
  • The getKey() function generates an encryption key based on the time in the operating system.

Main script of the Trojan

Auxiliary script of the Trojan

Next, the main script generates a unique user and system ID, and also collects information about the version of macOS in use. Based on this data, the GET query parameters are generated to download the ZIP file:

The ZIP archive downloaded to the /tmp/%(sessionID) directory is unpacked to the /tmp/tmp directory using the unzip function:

The ZIP archive was found to contain an application package with the executable file 84cd5bba3870:

After unpacking the archive, the main python script uses the chmod tool to assign the file 84cd5bba3870 permission to run in the system:

For added effect, the sample copies the icon of the original mounted DMG image to the directory with the newly downloaded application package using the moveIcon and findVolumePath functions:

After that, the Trojan runs the downloaded and unpacked application package using the built-in open tool, and deletes the downloaded archive and its unpacked contents:

Second stage of infection

Shlayer itself performs only the initial stage of the attack — it penetrates the system, loads the main payload, and runs it. The negative consequences for the user can be seen by investigating the AdWare.OSX.Cimpli family, which was being actively downloaded by the Trojan at the time of writing.

At first glance, the Cimpli installer looks harmless enough, simply offering to install a partner application (for example, Any Search):

But in actual fact, Cimpli performs several actions unseen by the user. First, it installs a malicious extension in Safari, hiding the malware window behind a fake OS security notification. By clicking on the buttons in the notification, the user in effect agrees to install the extension.

Left: what the user sees; right: what’s really going on

One of these extensions is called ManagementMark, which we detect as not-a-virus:HEUR:AdWare.Script.SearchExt.gen. It monitors user searches and redirects them to the address hxxp://lkysearchex41343-a.akamaihd[.]net/as?q=c by injecting the script script.js in the browser pages:

The sample also loads the mitmdump tool, which is packed using PyInstaller. To allow mitmdump to view HTTPS traffic, a special trusted certificate is added to the system. This is likewise done by superimposing a fake window over the installation confirmation box. After that, all user traffic is redirected to the SOCKS5 proxy launched using mitmdump.

Arguments for running the packed mitmdump run arguments

From the screenshot, it can be seen that all traffic passing through mitmdump (SearchSkilledData) is processed by the script SearchSkilledData.py (-s option):

This script redirects all user search queries to hxxp://lkysearchds3822-a.akamaihd[.]net. Kaspersky solutions detect this script as not-a-virus:AdWare.Python.CimpliAds.a.

Cimpli adware thus becomes firmly anchored in the system; in the event that traffic does not pass through the proxy server, the JS code of the extension injected in the page handles the redirection of queries. The attacker gains access to the user’s search queries and can modify the search engine results to display advertising. As a result, the user is inundated with unsolicited ads.

Note that Cimpli is not the only family of adware apps that Shlayer can download. The list also includes AdWare.OSX.Bnodlero, AdWare.OSX.Geonei, and AdWare.OSX.Pirrit, which made up almost all the remaining positions in the Top 10 threats for macOS in 2019.

Family ties

The behavioral similarities between the Python version of Shlayer and earlier modifications of the family written in Bash are not hard to spot: harvesting IDs and system versions, downloading an archive to a temporary directory, executing the downloaded file, deleting traces of downloading — we’ve seen this course of actions before. Moreover, both modifications use curl with the combination of options -f0L, which is basically the calling card of the entire family:

Top: an old modification of the Trojan; bottom: the latest version

Finding legitimate use for curl with options –f0L is not an easy task

Distribution

Distribution is a vital part of any malware’s life cycle, and the creators of Shlayer have taken this issue to heart. Looking for the latest episode of your favorite TV show? Want to watch a live broadcast of a soccer match? Then take extra care, since the chances of a run-in with Shlayer are high.

Examples of Shlayer landing pages

We noticed at once several file partner programs in which Shlayer was offered as a monetization tool. Having analyzed various offers, we identified a general trend: Shlayer stands out from the field for the relatively high installation fee (though only installations performed by U.S.-based users count). The prospect of a juicy profit likely contributed to the popularity of the offer (we counted more than 1000 partner sites distributing Shlayer).

Description of the offer on a partner program website

In most cases, it was advertising landing pages that brought users to the next stage of the distribution chain — nicely crafted fake pages prompting to install the malware under the veil of a Flash Player update. This is primarily how the Trojan-Downloader.OSX.Shlayer.a modification was distributed.

Fake Flash Player download page

The version of Trojan-Downloader.OSX.Shlayer.e discussed above was propagated in a slightly different way. Similar to the previous scheme, users ended up on a page seemingly offering an Adobe Flash update. But they were redirected there from large online services boasting a multimillion-dollar audience. Time and again, we have uncovered links pointing to malware downloads in the descriptions of YouTube videos:

Another example is links to Shlayer distribution pages contained in the footnotes to Wikipedia articles:

These links were not added by the cybercriminals themselves: we found that all those malicious domains had recently expired, and, judging by the WHOIS data, they now belong to a single individual. On the websites, the newly minted owner posted a malicious script that redirects users to Shlayer download landing pages. There are already over 700 such domains in total.

Our statistics show that the majority of Shlayer attacks are against users in the U.S. (31%), followed by Germany (14%), France (10%), and the UK (10%). This is wholly consistent with the terms and conditions of partner programs that deliver the malware, and with the fact that almost all sites with fake Flash Player download pages had English-language content.

Geographic distribution of users attacked by the Shlayer Trojan, February 2018 – October 2019 (download)

Conclusion

Having studied the Shlayer family, we can conclude that the macOS platform is a good source of revenue for cybercriminals. The Trojan links even reside on legitimate resources — attackers are adept in the art of social engineering, and it is hard to predict how sophisticated the next deception technique will be.

Kaspersky solutions detect Shlayer and its artifacts and download pages with the following verdicts:

  • HEUR:Trojan-Downloader.OSX.Shlayer.*
  • not-a-virus:HEUR:AdWare.OSX.Cimpli.*
  • not-a-virus:AdWare.Script.SearchExt.*
  • not-a-virus:AdWare.Python.CimpliAds.*
  • not-a-virus:HEUR:AdWare.Script.MacGenerator.gen

IOCS:

  • 4d86ae25913374cfcb80a8d798b9016e
  • fa124ed3905a9075517f497531779f92
  • 594aa050742406db04a8e07b5d247cdd

Malicious links:

  • hxxp://80.82.77.84/.dmg
  • hxxp://sci-hub[.]tv
  • hxxp://kodak-world[.]com

C&C Urls:

  • hxxp://api.typicalarchive[.]com
  • hxxp://api.entrycache[.]com
  • hxxp://api.macsmoments[.]com


Temp Mails (https://tempemail.co/) is a new free temporary email addresses service. This service provide you random 10 minutes emails addresses. It is also known by names like: temporary mail, disposable mail, throwaway email, one time mail, anonymous email address… All emails received by Tempmail servers are displayed automatically in your online browser inbox.

SPF Record Research | Disposable mail Blog – 10 minute mail

To prevent email spoofing, it is important to manually configure email authentication systems to the highest standard. This is a complicated process that often results in misconfigured email servers or companies simply skipping authentication and leaving their domain at risk of being spoofed. Here you can find our SPF research as well as a guide to help you configure your email server’s authentication.

We have researched the email authentication configuration of the top 500 Alexa sites and discovered that less than half of the domains had proper email authentication in place.

After looking into the SPF records of the world’s top domains, we checked the configurations of Finland’s largest companies and found that the majority lacked security measures preventing email spoofing.

Temp Mails (https://tempemail.co/) is a new free temporary email addresses service. This service provide you random 10 minutes emails addresses. It is also known by names like: temporary mail, disposable mail, throwaway email, one time mail, anonymous email address… All emails received by Tempmail servers are displayed automatically in your online browser inbox.