Tuesday, November 24, 2015

This Thanksgiving deals on your private data too

In a matter of years, we’ve seen Black Friday and Cyber Monday become two of the most anticipated days of the calendar year. While consumers eagerly await the chance to buy this season’s hottest gifts, what they don’t realize is that hackers are also anticipating a holiday treat: their personal data. This weekend, Zscaler uncovered a campaign in which malware authors turn the holiday shopping season into an opportunity to scam a large number of people by creating fake apps that offer early access to Amazon.com Black Friday and Cyber Monday offers and deals.

The Zscaler research team recently came across one such fake Amazon app, which was disguised as an Amazon.com Black Friday deals app but was actually intended to collect the victim's personal data. The URL from which this fake app is downloaded is shown below:
  • URL :  http[:]//amazon[.]de[.]offer47263[.]cc/amazon[.]apk
From the URL it can be seen that the malware authors are using cybersquatting to fool the victim, portraying the download site as a legitimate Amazon site.

Once the application is installed, it disguises itself as a legitimate Amazon app.
When the user starts this installed fake Amazon app, it loads another app named "com.android.engine" as seen below.

Loading application dynamically
This newly loaded child application asks for administrative privileges and other risky permissions like sending SMS and dialing phone numbers.
This newly loaded app first registers itself as a service. Even if the fake Amazon app is removed, the "com.android.engine" app stays persistent and keeps running in the background. Once this malicious child app is installed on the victim's phone, the fake Amazon application starts showing the error message "Device not supported with App". This pushes the victim to delete the fake Amazon app, thinking that something went wrong during installation. Because the malicious child app has no icon, it is quite difficult for ordinary users to find and remove it.

The presence of this app can be seen in the Settings > Apps > Running Applications section of the device, as shown below.
Silently working in background

Administrative access
This loaded malicious application has code for harvesting user's personal data.
The following code routine present in the app is used to collect victim's browser history and bookmarks.
Browser data
It is also able to harvest the call logs and received inbox messages, and separates them into the sender's number, SMS body, incoming call number, contact name, etc., as shown below.
Call logs
Inbox messages
The malicious app also gathers the victim's contact details.
This particular piece of malware was also found communicating with an IP address in Canada, "198[.]50[.]169[.]251", on port 4467, probably sending the harvested data over a network socket.

Hard coded IP
The following packet capture shows the malware communicating with its C&C (Command and Control) server.

Packet Capture

Data being sent
Especially during this holiday season, consumers need to be aware of the applications they’re downloading and stay away from such fake apps. Always install applications from legitimate app stores and websites. Be aware of the permissions asked by the application during installation. Shopping apps should not be asking for access to your contacts or SMS. Keeping an eye on the permissions used by the app can save you from installing such fake apps.

Happy Thanksgiving to all !!

Monday, November 23, 2015

Pornography - A Favorite Costume For Android Malware

30% of Internet traffic is in some way related to pornography, and this is the primary reason why malware authors are using porn apps to infect large numbers of users. During recent data mining, we noticed an increasing volume of mobile malware using pornography (disguised as porn apps) to lure victims into different scams, stealing personal data or locking phones and demanding ransom payments. We recently wrote about Android Ransomware and an SMS Trojan leveraging pornography to scam victims. In this blog we share the analysis of two adult-themed malicious apps, an SMS Trojan and an Infostealer Trojan, that we recently spotted.

Case 1: SMS Trojan

Here we look at a Chinese SMS Trojan disguised as a porn app. Upon installation, the malware fools the victim by displaying random adult sites, steals sensitive information and sends SMS messages to predetermined Chinese numbers in the background.
  • Name : 浴室自拍
  • URL:  http://yg-file.91wapbang[.]com/apk/appad/14461771841467103.apk?uid=ef2592f22af8c568f2b2993467a1e21a
  • Package Name : com.uryioen.lkhgonsd
  • Flagged by 6/53 AVs on VirusTotal at the time of analysis.
The malware installs the app with a lewd icon as shown below.
Once a user clicks on the icon, they are directed to a random URL from an array defined in the main code module. Interestingly, all the URLs are base64-encoded.

Base64 URLs
List of URLs:
  • http://www.4493[.]com/star/sifang/ (aHR0cDovL3d3dy40NDkzLmNvbS9zdGFyL3NpZmFuZy8=)
  • http://m.mnsfz[.]com/h/meihuo/ (aHR0cDovL20ubW5zZnouY29tL2gvbWVpaHVvLw==)
  • http://m.4493[.]com/gaoqingmeinv/ (aHR0cDovL20uNDQ5My5jb20vZ2FvcWluZ21laW52Lw==)
  • http://www.mm131[.]com/xinggan/ (aHR0cDovL3d3dy5tbTEzMS5jb20veGluZ2dhbi8=)
  • http://www.5542[.]cc/xingganmeinv/ (aHR0cDovL3d3dy41NTQyLmNjL3hpbmdnYW5tZWludi8=)
  • http://www.100mz[.]com/a/xingganmeinv/ (aHR0cDovL3d3dy4xMDBtei5jb20vYS94aW5nZ2FubWVpbnYv)
  • http://m.xgmtu[.]com/ (aHR0cDovL20ueGdtdHUuY29tLw==)
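As an added example (not code from the Zscaler post), the following Python routine does what an analyst would do with a string dump from a decompiled APK like this one: it picks out the base64 tokens that decode to http(s) URLs, rejects everything else, and defangs the result for reporting. The sample string list is constructed; two of its tokens are the ones quoted above.

```python
# Added example (not from the Zscaler post): pull base64-encoded URLs out
# of a list of strings (as dumped from a decompiled APK) and defang them
# for reporting. Tokens that are not valid base64 or do not decode to an
# http(s) URL are ignored.
import base64
import binascii
import re
from urllib.parse import urlparse

B64_TOKEN = re.compile(r"^[A-Za-z0-9+/]{16,}={0,2}$")


def decode_url_token(token: str):
    """Return the decoded URL if `token` is base64 for an http(s) URL, else None."""
    if len(token) % 4 or not B64_TOKEN.match(token):
        return None
    try:
        text = base64.b64decode(token, validate=True).decode("utf-8")
    except (binascii.Error, UnicodeDecodeError):
        return None
    parsed = urlparse(text)
    if parsed.scheme in ("http", "https") and parsed.hostname:
        return text
    return None


def defang(url: str) -> str:
    """Render a URL as http[:]//host[.]tld/... so it cannot be clicked."""
    scheme, rest = url.split("://", 1)
    host, slash, path = rest.partition("/")
    head, _, tld = host.rpartition(".")
    return f"{scheme}[:]//{head}[.]{tld}{slash}{path}"


def extract_urls(strings):
    """Map each base64 token that hides a URL to its defanged plaintext."""
    found = {}
    for s in strings:
        url = decode_url_token(s.strip())
        if url:
            found[s.strip()] = defang(url)
    return found


# Constructed string dump: two tokens quoted in the post plus noise that
# must be rejected (not base64, base64 but not a URL, too short).
SAMPLE_STRINGS = [
    "aHR0cDovL3d3dy40NDkzLmNvbS9zdGFyL3NpZmFuZy8=",
    "com.uryioen.lkhgonsd",
    "aHR0cDovL20ueGdtdHUuY29tLw==",
    "aGVsbG8gd29ybGQsIG5vdCBhIHVybA==",
    "http://",
]

if __name__ == "__main__":
    for token, url in extract_urls(SAMPLE_STRINGS).items():
        print(f"{token} -> {url}")
```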
The malware is collecting all the device information in the background and sending it to a remote Command & Control (C&C) server as seen below.
Post Request
The C&C server responds back to the bot with further instructions as seen below.
The C&C response in screenshot shows the malware receiving a phone number with content that needs to be sent to that number via SMS. The following code shows how the malware will parse this response and start sending SMS messages.

Send SMS code
After sending the message, the malware sends another POST request notifying the C&C server about the sent SMS activity.

Post Request
  • C&C server - http[:]//www[.]mscdea[.]com:7981

This activity occurs once a day at a random time, when the malware sends a POST request to the C&C server and receives phone numbers along with the SMS content to be sent out.

The continuous SMS activity can lead to significant financial loss for the victim.

Case 2: Fake Ransomware stealing personal data

The malware in this case tries to scare the user with a warning screen accusing them of watching child pornography. In the background it steals the victim's personal data and sends it to a C&C server.
  • URL: http://maturefuckporn[.]info/download/kyvcuwc/diper/video.apk (down as of now)
  • App Name :  video
  • Package Name : com.gi.to
  • Flagged by 12/53 AV vendors on VirusTotal.

Upon installing the app on device, the user will see a video player icon on the screen.
Once the user clicks on the icon, the malware displays a fake warning page as seen below. The warning page pretends to be from the Industrial Control Systems - Cyber Emergency Response Team (ICS-CERT) but is different from the classic FBI/Police Ransomware pages.
Warning page
The malicious app does not ask for administrative privileges to lock the device and is fairly easy to remove. We did not find any code for locking the device. The malware harvests inbox messages, contacts & e-mail addresses, which are then relayed to a remote C&C server in the background.

Collecting data
The malware logs the harvested SMS messages & sender's phone number in a specific format to a temporary file as seen in the code snippet above.

C&C construction.
The screenshot above shows the C&C URI construction code. The file containing the stolen data is then sent to the remote C&C server as seen in the network capture below.

Post capture.
The stolen SMS messages being sent to the C&C server in a file.
Inbox messages
The stolen contacts & e-mail addresses being sent to the C&C in a file
  • C&C server - http[:]//maturefucklist[.]com


We are seeing an increasing number of adult-themed Android malware apps using pornography to lure victims. To avoid becoming a victim of such malware, it is always best to download apps only from trusted app stores, such as Google Play. This can be enforced by unchecking the "Unknown Sources" option under the "Security" settings of your device.

Friday, November 6, 2015

International Council of Women site leading to Nuclear & Kelihos


We recently wrote about a compromised Chinese government site leading to an Angler Exploit Kit (EK) infection cycle. Nuclear EK operators are on par with their Angler EK peers in terms of the activity we are seeing in the wild. In the course of our EK hunting, we came across a popular multinational organization, the International Council of Women (ICW), whose site had been compromised and was leading users to a Nuclear EK landing site. If the exploit cycle is successful, the end user is infected with the information-stealing Kelihos bot.

Compromised site - ICW

The following screenshot shows the malicious iframe injected on the compromised website.

Compromised ICW web page

The malicious iframe leads users to a Nuclear EK landing site as seen below.

Nuclear EK redirection

The Nuclear EK landing page is heavily obfuscated to evade security software detection as shown below.

Nuclear EK landing page

Upon successful execution of the obfuscated JavaScript, a malicious Flash file is downloaded on the victim's machine as seen below.

Flash Exploit Download

Kelihos Payload Analysis

Upon successful exploitation, a new variant of the Kelihos bot is downloaded and installed on the victim machine. Here are some of the download locations for the Kelihos bot that we have seen in this campaign:


Final Payload Download

Kelihos is a Trojan family that distributes spam email messages. The malware communicates with remote servers to exchange information that is used to execute various tasks, including sending spam email, capturing sensitive information or downloading and executing arbitrary files.

The malware executable file is a Microsoft Visual C++ 6.0 compiled binary with custom packed content stored in the executable's overlay section. Kelihos installs WinPcap, a legitimate and commonly used Windows packet capture library at the following locations:
  • %system32%\winpcap.dll
  • %system32%\Packet.dll
  • %system32%\drivers\npf.sys
Note: %system32% is c:\windows\system32

It uses hard coded User-Agents from the following list when communicating with the remote host:

Crafted User-Agent
Kelihos tries to steal the login credentials of FTP and POP3 applications by monitoring the network traffic of the victim's machine using the installed WinPcap libraries. The bot checks for the presence of the following applications on the victim machine and attempts to steal login credentials, digital currency and other information:
  • 3D-FTP
  • Bitcoin
  • BitKinex
  • BlazeFtp
  • Bullet Proof FTP
  • Classic FTP
  • Core FTP
  • CuteFTP
  • Cyberduck
  • Directory Opus
  • FileZilla
  • Frigate3
  • FTPGetter
  • LeapFTP
  • FTPRush
  • xterm
  • PuTTY
  • SecureFX
  • SmartFTP
  • Bitcoin
  • BitKinex
The malware extracts stored information such as usernames, passwords and host names from the following browsers:
  • Google\Chrome
  • Chromium
  • ChromePlus
  • Bromium
  • Nichrome
  • Comodo
  • RockMelt
  • CoolNovo
  • MapleStudio\ChromePlus
  • Yandex
Kelihos communicates with Command & Control (C&C) servers over HTTP, using messages encrypted with the Blowfish symmetric-key algorithm.

Post Infection Communication


Nuclear EK remains a worthy rival to Angler EK, with widespread campaigns, regular exploit payload updates, new obfuscation techniques and new malware payloads. The end malware payload we saw in this campaign was the information stealing Kelihos bot which has extremely low AV detection.

ThreatLabZ is actively monitoring new Nuclear EK infections in the wild and ensuring that Zscaler customers are protected.

Research by Dhanalakshmi PK and Rubin Azad

Tuesday, November 3, 2015

Chinese Government Website Compromised, Leads to Angler


Despite a recent takedown targeting the Angler Exploit Kit (EK), it's back to business as usual for kit operators. On 30-October-2015, ThreatLabZ noticed a compromised Chinese government website that led to the Angler Exploit Kit with an end payload of Cryptowall 3.0. This compromise does not appear targeted and the compromised site was cleaned up within 24 hours. We have noticed some recent changes to Angler, as well as the inclusion of newer Flash exploits. A set of indicators for this compromise is at the end of this post.

Compromised Site

The "Chuxiong Archives" website, www.cxda[.]gov.cn, was compromised with injected code. The site has a similar look and feel to both the Chuxiong Yi Prefecture and Chuxiong City websites and appears somewhat inactive, but surprisingly the site was remediated in less than 24 hours. The full infection cycle from compromised site to encrypted payload is shown in the Fiddler session below.

Fig 1. Infection cycle
The injected code was before the opening HTML tag and was heavily obfuscated. The code, shown below, is very similar to other recent compromises we've observed and was present on every page of the site, suggesting a complete site compromise.

Fig 2. Injected script
Consistent with other recent examples, the injected code appears to target Internet Explorer (IE) since Firefox and Chrome consistently throw errors when attempting to execute the code and no redirection occurs. IE has no issues executing the code, however, which unsurprisingly decodes to an iframe leading to an Angler EK landing page:

Fig 3. Decoded injected code
While we did not have access to the server-side code, it likely retrieves landing page URLs from a remote server since we observed iframes leading to multiple different Angler domains within a brief period of time.
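The injection pattern described above (obfuscated script placed before the opening HTML tag, on every page, decoding to an iframe) is something a site owner can check for from fetched page bodies. The following Python scanner is an added example, not code from the post or from Zscaler; it is regex-based triage rather than a full HTML parser, and the page body and site host in it are constructed placeholders, not the real compromised site.

```python
# Added example (not from the Zscaler post): a crude scanner for the
# compromise pattern described above, i.e. script content injected before
# the opening <html> tag, obfuscation markers in that script, and iframes
# pointing at hosts other than the site itself. Regex-based on purpose:
# it is a triage aid for fetched page bodies, not a full HTML parser.
import re
from urllib.parse import urlparse

HTML_OPEN_RE = re.compile(r"<html\b", re.I)
SCRIPT_RE = re.compile(r"<script\b[^>]*>(.*?)</script>", re.I | re.S)
IFRAME_SRC_RE = re.compile(r"<iframe\b[^>]*\bsrc\s*=\s*['\"]?([^'\" >]+)", re.I)
# Things legitimately allowed before <html>: doctype, comments, whitespace.
PREAMBLE_NOISE_RE = re.compile(r"<!DOCTYPE[^>]*>|<!--.*?-->", re.I | re.S)
# Typical markers of the decode-then-eval loaders these injections use.
OBFUSCATION_RE = re.compile(r"eval\s*\(|unescape\s*\(|fromCharCode|\\x[0-9a-f]{2}", re.I)


def same_site(host: str, site_host: str) -> bool:
    """True for the site itself and its subdomains only."""
    return host == site_host or host.endswith("." + site_host)


def scan_page(html: str, site_host: str) -> dict:
    """Return findings for one fetched page body of `site_host`."""
    m = HTML_OPEN_RE.search(html)
    preamble = html[: m.start()] if m else html
    preamble = PREAMBLE_NOISE_RE.sub("", preamble)
    pre_html_scripts = SCRIPT_RE.findall(preamble)

    foreign_iframes = []
    for src in IFRAME_SRC_RE.findall(html):
        host = urlparse(src).hostname
        if host and not same_site(host, site_host):
            foreign_iframes.append(src)

    return {
        "pre_html_scripts": len(pre_html_scripts),
        "obfuscated": any(OBFUSCATION_RE.search(js) for js in pre_html_scripts),
        "foreign_iframes": foreign_iframes,
        "suspicious": bool(pre_html_scripts) or bool(foreign_iframes),
    }


# Constructed page body; the site host is a placeholder, not a real domain.
SITE_HOST = "compromised-site.example"
SAMPLE_PAGE = """<script>var s=eval(String.fromCharCode(104,116,116,112));</script>
<!DOCTYPE html>
<html><head><title>News</title></head>
<body>
<iframe src="http://landing.invalid/index.php" width="1" height="1"></iframe>
<iframe src="http://www.compromised-site.example/embed.html"></iframe>
</body></html>"""

if __name__ == "__main__":
    print(scan_page(SAMPLE_PAGE, SITE_HOST))
```

Run it against every page of a site (not just the front page) to confirm the "present on every page" observation made above.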

Landing Page

The landing page for Angler is immediately recognizable, but with some notable recent changes. For example, instead of using a long block of roughly seven-character strings inside div tags, the newer landing pages use 'li' tags and most of the strings are only about two characters long. Additionally, there's a conspicuous 'triggerApi' function toward the top of the main script block:

Fig 4: Short strings and triggerApi function
Outside of these changes, the functionality of the landing page appears unchanged, and the goal is naturally to serve up a malicious SWF:

Fig 5. Decoded landing page SWF objects

Malicious SWF - CVE-2015-7645

Kafeine already broke the news that Angler is exploiting Flash, and we can corroborate that with the samples we've observed.
Fig 6. Flash being exploited
In fact, we compared the sample from his recent post with one obtained from this infection and the structure is identical, with very few changes in the ActionScript. The biggest change we saw was in the embedded binary data.

Fig 7. SWF structure, 30-Oct sample on the left, Kafeine's sample on the right

Fig 8. Comparison of binary data, 30-Oct sample on the left, Kafeine's sample on the right
Upon a successful exploit cycle, a new CryptoWall 3.0 variant from the crypt13 campaign is downloaded and installed on the target machine. The image below shows a decrypted Command & Control (C&C) communication message from the CryptoWall variant, which also contains the total number of files encrypted on the target system:

Fig 9. CryptoWall 3.0 C&C message reporting encrypted file count

Final Thoughts

As stated, this seems to be business as usual for Angler EK operators. While these attacks were not targeted in nature, this is the first instance where we saw EK operators leveraging a government site to target end users. One interesting observation is that we no longer see any Diffie-Hellman POST exchange to prevent replaying captured sessions for offline analysis. Additionally, there was a much larger number of C&C servers than we've previously observed, and some of the domain names seem to suggest multi-use hosts (e.g. spam, bitcoin mining, etc.). Note that none of the C&C servers are pseudo-randomly generated domains. ThreatLabZ will continue to track new developments with the Angler Exploit Kit.

Indicators of Compromise


Thursday, October 29, 2015

Infostealer APK Posing as Microsoft Word Document

Recently, we came across a piece of Android malware which was neither a porn app nor a battery status app, but was instead designed to look like a Microsoft Word document. This malicious app portrays itself as a document with an icon resembling Microsoft Word.

Due to the ubiquitous nature of mobile devices, it's no wonder that PC-based malware techniques are appearing in the mobile domain. In early Windows malware attacks, attackers would often give malicious files eye-catching names and common icons to entice victims to open them. We're seeing the same practice used for Android-based malware.

The malware portrays itself as a data file with an icon similar to that used by Microsoft Word documents and is entitled '资料' (Data). It runs with administrative access and hence cannot be easily uninstalled. Once installed, the malware scans the device for SMS messages and other personally identifiable information such as the IMEI number, SIM card number, Device ID, the victim's contact information, etc., and sends this to the attacker via email.

Malicious APK posing as Microsoft Word File

Technical Details:
Once the malware is installed, it appears on the Android home screen as shown below:

Microsoft Word Icon

As soon as the victim tries to start the app, it shows an error stating "Installation errors, this software is not compatible with the phone", and the icon then disappears from the device screen.

Fake Error Message

When this error is being displayed, the app executes a few major functions as noted below:
  • Sends SMS messages to a hard-coded number.
  • Starts an Android service, named MyService.
  • Starts an asynchronous thread (SmsTask) which runs in background.
  • Starts another thread named MailTask, which also operates in background.
  • Calls phone numbers specified by Attacker.
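The traits listed here, and those of the hidden "com.android.engine" child app in the Black Friday post above (device-admin rights, SMS and calling permissions, a background service, no launcher icon), are all visible statically in an app's manifest. The following Python triage routine is an added example, not code from the post or from Zscaler: it takes a decoded AndroidManifest.xml (as apktool produces) and scores those traits. The sample manifest, its receiver name and its scoring thresholds are constructed assumptions, not values recovered from the real samples.

```python
# Added example (not from the Zscaler post): static triage of a decoded
# AndroidManifest.xml for the traits seen in these samples: SMS/call/contact
# permissions, a device-admin receiver, a background service, and no
# launcher activity (the hidden child app). Input is a decoded manifest
# string, e.g. as produced by apktool; the sample below is constructed.
import xml.etree.ElementTree as ET

ANDROID_NS = "http://schemas.android.com/apk/res/android"
A_NAME = "{%s}name" % ANDROID_NS
A_PERMISSION = "{%s}permission" % ANDROID_NS

# Permissions a shopping app or a "document" has no business requesting.
RISKY_PERMISSIONS = {
    "android.permission.SEND_SMS",
    "android.permission.READ_SMS",
    "android.permission.RECEIVE_SMS",
    "android.permission.CALL_PHONE",
    "android.permission.READ_CONTACTS",
    "android.permission.READ_CALL_LOG",
}


def triage_manifest(manifest_xml: str) -> dict:
    """Collect the manifest facts the verdict is based on."""
    root = ET.fromstring(manifest_xml)
    requested = {p.get(A_NAME) for p in root.iter("uses-permission")}
    has_launcher = any(
        c.get(A_NAME) == "android.intent.category.LAUNCHER"
        for activity in root.iter("activity")
        for c in activity.iter("category")
    )
    return {
        "package": root.get("package"),
        "risky_permissions": sorted(requested & RISKY_PERMISSIONS),
        "device_admin": any(
            r.get(A_PERMISSION) == "android.permission.BIND_DEVICE_ADMIN"
            for r in root.iter("receiver")
        ),
        "services": [s.get(A_NAME) for s in root.iter("service")],
        "hidden": not has_launcher,
    }


def verdict(findings: dict) -> str:
    """Device admin plus SMS/call rights in an app with no launcher icon
    is the persistence pattern described in the post. Thresholds are assumed."""
    score = len(findings["risky_permissions"])
    score += 2 if findings["device_admin"] else 0
    score += 2 if findings["hidden"] else 0
    return "suspicious" if score >= 4 else "review"


# Constructed manifest modelled on the hidden child app; the receiver name
# is an assumption, not a value recovered from the real sample.
SAMPLE_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.android.engine">
  <uses-permission android:name="android.permission.INTERNET"/>
  <uses-permission android:name="android.permission.SEND_SMS"/>
  <uses-permission android:name="android.permission.READ_SMS"/>
  <uses-permission android:name="android.permission.CALL_PHONE"/>
  <application android:label="engine">
    <service android:name=".MyService"/>
    <receiver android:name=".AdminReceiver"
        android:permission="android.permission.BIND_DEVICE_ADMIN">
      <intent-filter>
        <action android:name="android.app.action.DEVICE_ADMIN_ENABLED"/>
      </intent-filter>
    </receiver>
  </application>
</manifest>"""

if __name__ == "__main__":
    findings = triage_manifest(SAMPLE_MANIFEST)
    print(findings, verdict(findings))
```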

Sends SMS
Initially, the malware tries to send the victim's device IMEI in the body of a message to a hard-coded number.

Calling SendMsg function

Assets.getInstallFlag gets the IMEI (or the ESN number in the case of CDMA devices).

IMEI code fetching
And finally sends the message.

Sending Message

MyService Service:
The main task performed by MyService is to collect all the SMS messages from the inbox of the victim's device. Once that is done, it stores all the messages in its local logs.

Service fetching inbox messages

SmsTask Thread:
Apart from logging SMS messages, MyService does not send these messages anywhere. That functionality is found in the SmsTask thread.

SmsTask also reads the SMS messages and exfiltrates them.

Fetching inbox messages

Once the messages are collected, the app sends them to the attacker via email.
Calling SendMail method

A username and password for an email id were found hard-coded in the malware.

SendMail functionality

MailTask Thread:
MailTask's main role is to collect contact information from the victim's device and send it to the attacker via the same functionality described above for SmsTask.

SmsTask Thread

Sending Mail:
The app sets up an SMTP host on port 465 for sending email.

Sending Mail

localMimeMessage contains the necessary data to be sent to attacker via email. In the case of SmsTask as mentioned above, localMimeMessage's body contains an SMS message list and in the MailTask instance, it contains contact numbers from victim's device.

Calling Functionality:
The malware was also designed to call phone numbers provided by an attacker via SMS.
It has a broadcast receiver registered to trigger whenever a new SMS is delivered.
The malware reads the SMS received from the attacker and acts accordingly.

In one instance, the malware was fetching phone numbers received in SMS messages and then calling them, as shown in the screenshot below:

Broadcast Receiver

We were able to confirm that the campaign was initiated on October 10, 2015 and almost 300+ users had fallen prey to this malware. The attacker was able to successfully retrieve message details and contact lists from the infected users.

The following screenshot shows the list of emails received by the attacker:


Further, each email titled "Message list" consists of full SMS conversations from the victims' phones, and each email with the subject "Contact list" contains a list of all the phone numbers fetched from the victims' contact diaries.

Messages from victim's device

Contacts from victim's phone
There were 300+ such emails found in the C&C admin panel. Such malware creates a significant privacy & financial risk as it obtains contact information and private SMS messages.

It is recommended that users download apps only from official Android stores like the Google Play store. If you are infected with malware, you can follow the steps mentioned in our previous blog for removing the malicious app.