Security-X

Forum Security-X => News => Topic started by: igor51 on February 10, 2018, 01:00:41

Title: [FireEye] The Service You Can’t Refuse: A Secluded HijackRAT
Posted by: igor51 on February 10, 2018, 01:00:41
The Service You Can’t Refuse: A Secluded HijackRAT

In the Android world, sometimes you can’t stop malware from “serving”
  you, especially when the “service” is actually a malicious Android
  class running in the background and controlled by a remote access tool
  (RAT). Recently, FireEye mobile security researchers have discovered
  such a malware that pretends to be a “Google Service Framework” and
  kills an anti-virus application as well as takes other malicious actions.


In the past, we’ve seen Android malware that executes privacy leakage,
  banking credential theft, or remote access separately, but this sample
  takes Android malware to a new level by combining all of those
  activities into one app. In addition, we found the hacker has designed
  a framework to conduct bank hijacking and is actively developing
  towards this goal. We suspect in the near future there will be a batch
  of bank hijacking malware once the framework is completed. Right now,
  eight Korean banks are recognized by the attacker, yet the hacker can
  quickly expand to new banks with just 30 minutes of work.


Although the IP addresses we have captured don’t reveal who the
  attacker is, as the computer of the IP might be a victim as well, we
  have found from the UI that both the malware developer and the victims
  are Korean speakers.


[Fig. 1. The structure of the HijackRAT malware.]


The package name of this new RAT malware is “com.ll” and appears as
  “Google Service Framework” with the default Android icon. Android
  users can’t remove the app unless they deactivate its administrative
  privileges in “Settings.” So far, the Virus Total score of the sample
  is only five positive detections out of 54 AV vendors [1]. Such new
  malware is published quickly partly because the CNC server, which the
  hacker uses, changes so rapidly.


[Fig. 2. The Virus Total detection of the malware sample. [1]]


[Fig. 3. The fake “Google Service Framework” icon in home screen.]


A few seconds after the malicious app is installed, the “Google
  Services” icon appears on the home screen. When the icon is clicked,
  the app asks for administrative privilege. Once activated, the
  uninstallation option is disabled and a new service named “GS” is
  started as shown below. The icon will show "App isn't
  installed." when the user tries to click it again and removes
  itself from the home screen.


[Fig. 4. The background service of the malware.]


The malware has plenty of malicious actions, which the RAT can
  command, as shown below.



[Image: 8commands.png]


Within a few minutes, the app connects with the CNC server and begins
  to receive a task list from it:



[Image: get.png]


The content is encoded by Base64 RFC 2045. It is a JSONObject with
  content: {"task": {"0": 0}}, when decoded. The
  server IP, 103.228.65.101, is located in Hong Kong. We cannot tell if
  it’s the hacker’s IP or a victim IP controlled by the RAT, but the URL
  is named after the device ID and the UUID generated by the CNC server.


The code below shows how the URL of the HTTP GET request is constructed:



[Image: code-get.png]


- "UPLOAD PRIVACY DETAILS"


The task list shown above will trigger the first malicious action of
  “Upload Phone Detail.” When executed, the user’s private information
  will be uploaded to the server using HTTP POST request. The
  information contains phone number, device ID, and contact lists as
  shown below in the network packet of the request:



[Image: post.png]


When decoded, the contents of the red and blue parts of the PCap are
  shown below, respectively:


1. The red part:



[Image: post-pcap-decrypt1.png]


2. The blue part:



[Image: post-pcap-decrypt2.png]





  The contact list shown above is already highly sensitive, yet,
    if the user has installed some banking applications, the malware
    will scan for them too.





  In a testing device, we installed the eight Korean bank apps as
    shown below:


[Fig. 5. The eight banking apps.]



  When this was done, we found the value of
    “banklist” in the PCap is no longer listed as N/A:



[Image: 8banks-pcap.png]





  The “banklist” entry in the PCap is filled with the short names
    of the banks that we installed. There is a map of the short names
    and package names of the eight banking apps installed on the phone:



[Image: table.png]





  The map of the banks is stored in a database and used in another
    malicious action controlled by the CNC server too.


- "POP WINDOW"





  In this malicious action, the CNC server sends a command to
    replace the existing bank apps. The eight banking apps require the
    installation of “com.ahnlab.v3mobileplus,” which is a popular
    anti-virus application available on Google Play. In order to evade any
    detections, the malware kills the anti-virus application before
    manipulating the bank apps. In the code as shown below, Conf.LV is
    the “com.ahnlab.v3mobileplus” being killed.



[Image: killav.png]





  Then, the malware app parses the banking apps that the user has
    installed on the Android device and stores them in the database
    under /data/data/com.ll/database/simple_pref. The red block below
    shows the bank list stored in the database:



[Image: db8banks.png]





  Once the corresponding command is sent from the RAT, the
    resolvePopWindow() method will be called and the device will pop a
    Window with the message: “The new version has been released. Please
    use after reinstallation.”



[Image: code-popwindow.png]




The malware will then try to download an app, named after
    “update” and the bank’s short name from the CNC server,
    simultaneously uninstalling the real, original bank app.



[Image: code-install.png]




In the code shown above, “mpath” contains the CNC server IP
  (103.228.65.101) and path (determined by the RAT); “mbkname” is the
  bank name retrieved from the SQLite database. The fake APK (e.g.
  "updateBH.apk") is downloaded from the CNC server, however
  we don’t know what the fake apps look like because during the research
  the command for this malicious action was not executed from the RAT.
  Yet the source of the “update*.apk” is definitely not certified by the
  banks and might be harmful to the Android user.


- "UPDATE"


When the command to “update” is sent from the RAT, a similar app –
  “update.apk” is downloaded from the CNC server and installed in the
  Android phone:



[Image: code-update.png]


- "UPLOAD SMS"


When the command to upload SMS is received from the RAT, the SMS of
  the Android phone will be uploaded to the CNC server. The SMS has been
  stored in the database once received:



[Image: code-uploadsms.png]

[Image: code-savesms.png]


Then the SMS is read from the database and uploaded to the CNC server
  once the command is received:



[Image: code-uploadsmscnc.png]


- "SEND SMS"


Similarly, when the sending SMS command is received, the contact list
  is sent through SMS.



[Image: code-sendsms.png]


- "BANK HIJACK"


Interestingly enough, we found a partially finished method called “Bank
  Hijack.” The code below partially shows how the BankHijack method
  works. The malware reads the short bank name, e.g. “NH”, and then
  keeps installing the updateNH.apk from the CNC server until it’s of
  the newest version.



[Image: code-hijack.png]


So far the part after the installation of the fake app is not
  finished yet. We believe the hacker is having some problems finishing
  the function temporarily.



[Image: code-hijack-half.png]


As shown above, the hacker has designed and prepared for the
  framework of a more malicious command from the CNC server once the
  hijack methods are finished. Given the unique nature of how this app
  works, including its ability to pull down multiple levels of personal
  information and impersonate banking apps, a more robust mobile banking
  threat could be on the horizon.


REFERENCE


__________________________________________________


[1] https://www.virustotal.com/intelligence

Source: The Service You Can’t Refuse: A Secluded HijackRAT (http://)
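
Added example (not part of the FireEye article or of this forum post): Python code for hunting, in proxy records, the two network behaviours the article describes, namely the Base64 (RFC 2045) JSON task list and the "update<bank short name>.apk" downloads. It matches behaviour rather than the quoted IP because the article says the CNC server changes rapidly; the record fields, the sample data and the 0-4 letter bound on the bank short name are assumptions.

```python
import base64
import binascii
import ipaddress
import json
import re

# File names from the article: "update.apk", "updateBH.apk", "updateNH.apk".
# Assumption: a bank short name is at most four letters.
FAKE_UPDATE = re.compile(r"/update[A-Za-z]{0,4}\.apk$")


def decode_task_list(body):
    """Return the task dict if body is MIME Base64 of {"task": {...}}, else None."""
    try:
        # b64decode's default (validate=False) skips CR/LF, which RFC 2045
        # encoders insert when wrapping lines.
        obj = json.loads(base64.b64decode(body).decode("utf-8"))
    except (binascii.Error, UnicodeDecodeError, ValueError):
        return None
    task = obj.get("task") if isinstance(obj, dict) else None
    return task if isinstance(task, dict) else None


def is_ip_literal(host):
    """True when the HTTP host is a bare IP address instead of a domain name."""
    try:
        ipaddress.ip_address(host)
        return True
    except ValueError:
        return False


def hunt(records):
    """Return (index, reason) pairs for records matching either behaviour."""
    hits = []
    for i, rec in enumerate(records):
        if decode_task_list(rec["body"]) is not None:
            hits.append((i, "base64-json-task-list"))
        if is_ip_literal(rec["host"]) and FAKE_UPDATE.search(rec["path"]):
            hits.append((i, "apk-update-from-ip-literal"))
    return hits


# Constructed sample records: documentation-range IPs and made-up paths.
# The first body is the Base64 of the JSON quoted in the article, CRLF-wrapped.
SAMPLE = [
    {"host": "192.0.2.10", "path": "/a/b", "body": b"eyJ0YXNrIjog\r\neyIwIjogMH19\r\n"},
    {"host": "192.0.2.10", "path": "/dl/updateNH.apk", "body": b""},
    {"host": "cdn.example.com", "path": "/app/update.apk", "body": b""},
    {"host": "198.51.100.7", "path": "/index.html", "body": b"<html>hello</html>"},
]
```

Calling hunt(SAMPLE) flags the first two records only; the third is skipped because its host is a domain name, which keeps ordinary "update.apk" downloads from named hosts out of the results.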