Cybersecurity News & Trends – 06-05-20

This week, cybercriminals took a more hands-on approach, a new breed of ransomware bided its time, and computers got too hot to handle.


SonicWall Spotlight

Test Platform Leaks Bank Of America Clients’ Covid-19 PPP Loan Applications — SC Magazine

  • Bank of America has disclosed that its third-party test platform briefly exposed Paycheck Protection Program applications to outside parties. According to SonicWall’s Dmitriy Ayrapetov, the leak was due to a rushed effort by the bank to finish the data platform, resulting in holes in its security.

Boundless Cybersecurity For The New Work Reality — SC Magazine

  • The adoption of work-from-home has moved us into a hyper-distributed IT landscape. With 100-percent-remote employees conducting online meetings and connecting via email, mobile and cloud, the perimeter has vanished into a multitude of endpoints spread across the globe.

Cybersecurity News

New Tycoon ransomware targets both Windows and Linux systems — Bleeping Computer

  • A new human-operated ransomware strain is being deployed in highly targeted attacks on small- to medium-size organizations in the software and education industries.

Large-scale attack tries to steal configuration files from WordPress sites — ZDNet

  • In an attempt to steal database credentials, attackers tried to download configuration files from WordPress via old vulnerabilities in unpatched plugins.

‘Scorching-hot hacked computer burned my hand’ — BBC

  • At least a dozen supercomputers across Europe had to be shut down last week due to cryptojacking attacks. One individual found out the hard way that his was one of them.

USBCulprit malware targets air-gapped systems to steal govt info — Bleeping Computer

  • The newly revealed USBCulprit malware is designed for compromising air-gapped devices via USB.

Cybersecurity warning: Hackers are targeting your smartphone as way into the company network — ZDNet

  • Campaigns targeting smartphones have risen by a third in just a few months, many with the end goal of opening a portal to corporate networks.

Denial of service attacks against advocacy groups skyrocket — Cyberscoop

  • A new report suggests that advocacy sites are being targeted at a rate more than four times that of U.S. government websites such as police and military organizations.

Ransomware gang says it breached one of NASA’s IT contractors — ZDNet

  • The DoppelPaymer ransomware gang claims to have breached DMI, a major U.S. IT and cybersecurity provider and a NASA IT contractor.

Anonymous, aiming for relevance, spins old data as new hacks — Cyberscoop

  • The group is trying to use the nationwide protests to draw attention to data that was stolen years ago.

Apple fixes bug that could have given hackers full access to user accounts — Ars Technica

  • Sign In With Apple — a privacy-enhancing tool that lets users log in to third-party apps without revealing their email addresses — just fixed a bug that made it possible for attackers to gain unauthorized access to those same accounts.

Suspected Hacker Faces Money Laundering, Conspiracy Charges — Bank Info Security

  • According to the U.S. Department of Justice, a New York City man is facing federal charges after being arrested at John F. Kennedy Airport with a PC allegedly containing thousands of stolen credit card numbers.

An advanced and unconventional hack is targeting industrial firms — Ars Technica

  • Attackers are putting considerable skill and effort into penetrating industrial companies in multiple countries, with hacks that use multiple evasion mechanisms, an innovative encryption scheme, and exploits that are customized for each target.

PonyFinal Ransomware Targets Enterprise Servers Then Bides Its Time — Threat Post

  • Microsoft has warned of a new breed of “patient” ransomware that lurks in networks for weeks before striking.

In Case You Missed It

A Message from our CEO: Listening, Learning and Standing Together

On June 5, 2020, the below message was sent from SonicWall CEO Bill Conner to all employees.

SonicWall Team,

We’ve all been watching over the past week as a tragic event in the United States touched off outcries and calls for justice and reform, not only around the United States, but also around the world.

After thoughtfully considering how to address this important topic, I am convinced that we should not just be asking what the right words are for expressing our rejection of all forms of discrimination. Rather, we should also be asking how we can make our communities more safe and more equitable for everyone, and, perhaps more importantly, how we can take action.

I want to be clear that I stand with other business and community leaders in condemning racial injustice and discrimination in any form and calling on our leaders, organizations and neighbors to listen and learn from all voices, and to take action.  We can and must stand together to create positive change wherever we are able to.

Listen and Learn: Knowledge is our Best Defense

Too often, the injustices and attacks we see are a product of ignorance and a lack of open communication and exposure. What that tells me is that our best defense against being part of the problem is knowledge and transparency. We need to take time to listen, communicate openly and respectfully and be willing to change when change is called for.  We must also accept that we cannot truly understand the struggles of another person if we have not walked a few miles in their shoes.

Our SonicWall family is a diverse, global team made up of almost all cultural backgrounds, ethnicities and colors. That diversity is a fundamental strength. I have been fortunate to have spent nearly four decades working at SonicWall and other multi-national and multi-cultural organizations.  During that time, I have learned that when we listen with the objective to understand, engage with each other on our merits and work together toward a common cause, differences in our appearances and backgrounds fade.  We become one team.

I urge all of us to take a step back and seriously consider how we can better listen and learn from the people who don’t look like us or share our beliefs, backgrounds or cultures. Lasting change starts with an individual accountability for how we treat each other and, ultimately, how we will choose to act.

Standing Together for Change

At this time, I want to issue a challenge to our entire SonicWall family. There are dedicated individuals and organizations who have been working for years to combat the issues that are at the forefront of the news headlines.  I urge each of us to find causes in our communities that need our time and talents, and to volunteer our services. I also encourage each of us to support organizations that are promoting these changes: Please consider making a donation to organizations such as the NAACP Legal Defense Fund, Color of Change or the Black Lives Matter Foundation within the next few weeks.

To demonstrate our commitment as a company and an executive team at SonicWall, we will match your donations made to one of these organizations or a similar organization advocating for equality during the month of June. We will also make additional donations to similar causes in the coming months. The HR team will be sending details on each of the organizations mentioned above, and how to record your donation for matching purposes.

I’m proud to work each day with a diverse and talented group of employees around the world. Let’s continue to be ONE team and make a difference in our homes and communities.

Listen, learn and stand together for positive change.

Sincerely,

Custom Build Your Security Strategy with the SonicWall Boundless Cybersecurity Bundle

“One size fits all.” It’s a nice idea, isn’t it?

For ties and wristwatches, maybe.

For just about everything else, “one size fits all” is simply a nice way of saying “tailored for no one” — especially when it comes to cybersecurity bundles. With all the different tools, services, options and solutions that can go into a bundle, what are the odds that the bundles being offered will fit your particular business needs?

In the end, you often wind up with something you hadn’t planned to buy, or maybe didn’t even need, just to get a good deal. But if you’re forced to buy something you can’t use, are you actually saving money?

Imagine if you had the option to specify what you’d like to bundle together. How often would you opt for the pre-packaged bundle, if you had the option not to?

Traditional bundles offer two options: Take it, or leave it. But business needs — and use cases — are more complex than ever before. Organizations are now protecting a boundless workforce, with boundless exposure points. So why should your cybersecurity packages box you in?

That’s why SonicWall is introducing the limited-time Boundless Cybersecurity Bundle promotion. What’s in it? Whatever you’d like, with just a couple of conditions. Regardless of your use case, you can take only what you need, and none of what you don’t.

Best of all, the more you buy, the more you save. Purchase a qualifying product, including any firewall (or virtual firewall) with Advanced Gateway Security Services (AGSS), any Secure Mobile Access (SMA/SMAv), or a four- or eight-pack of wireless access points, and receive incremental discounts on each different solution added to that transaction, up to five total.

By leveraging SonicWall’s disruptive economics, you’ll get security tailored to your needs, all at a lower price than if you’d purchased each solution separately.

Whether you’re trying to comply with HIPAA, PCI-DSS, FIPS or other regulations; extend wireless across a construction site; protect a utility from ransomware; give remote employees access to key business data; or implement web filtering (CIPA) for elementary students, there’s a set of SonicWall products, services and solutions to fit your needs.

Your Boundless Cybersecurity Bundle is specific to you, and specific to your business use cases, because you built it from the ground up. And each is backed by SonicWall’s nearly three decades of experience securing businesses of all sizes against the most advanced and sophisticated cyberattacks.

So you get a customized solution and lower total cost of ownership, all from a company that nearly 500,000 organizations already trust with their cybersecurity needs.

To start building your Boundless Bundle, contact SonicWall or your partner.

Promotion begins June 3, 2020, and ends July 31, 2020, and is only available for purchases in NOAM and EMEA. In EMEA, only registered deals qualify for this promotion. This promotional offering may not be combined with any other sale, promotion, discount, rebate, coupon, or offering, nor may it be used in conjunction with stock rotations. Discounts may vary depending on participation in programs offered by SonicWall and will be applied to only one solution per purchase transaction per end user customer during the promotion period. SonicWall’s MSRP will be used to calculate the final purchase price. A qualifying product must be purchased with one of the additional products listed. The qualifying product chosen must be different from the additional products chosen. The solution must be created to meet an end user customer’s request and must be reasonable for the end user’s intended use (e.g. meet the end customer’s intended licensed seat usage). Incremental discounts increase only as qualifying products that are different from each other are added to the solution. Proposed solutions and discounts granted are at SonicWall’s sole discretion. Only purchases of products that the end customer has not previously purchased qualify for the promotion. The purchase of qualifying physical or virtual firewalls must include one (1) year of the SonicWall Advanced Gateway Security Suite (AGSS). Additional terms and conditions may apply. All end user customer purchases are subject to the terms and conditions located at: www.sonicwall.com/legal. SonicWall is not responsible for errors or omissions nor for the acts or omissions of any third party. This offer may be modified, discontinued or terminated by SonicWall at any time without notice.

Oracle WebLogic insecure deserialization vulnerability actively being exploited in the wild

An insecure deserialization vulnerability has been reported in Oracle WebLogic. This vulnerability is due to insufficient validation of user requests. A remote, unauthenticated attacker can exploit this vulnerability by sending a crafted request to a vulnerable server. Successful exploitation can result in arbitrary code execution under the security context of the affected server.

Oracle WebLogic is one of the most widely used Java application servers. It is used to build and deploy large enterprise Java applications.

Serialization is the process of translating application data such as objects into a binary format that can be stored and reused by the same application or transmitted over the network to be used by another application.

Deserialization is the reverse of that process: it takes data structured in some format and rebuilds it into an object. By running deserialization, we should be able to fully reconstruct the serialized object.

Insecure deserialization is a vulnerability that occurs when user-supplied data is deserialized without proper sanitization or validation. Once deserialized, this untrusted data can be used to abuse the logic of an application, cause a denial of service (DoS), or even achieve arbitrary remote code execution. Attackers therefore craft the serialized data, and the impact of the attack depends on what the application code does with that data.

CVE-2020-2883:

The vulnerable class is ReflectionExtractor in the Coherence library coherence.jar.

This vulnerability is due to a lack of filtering on deserialization of the ReflectionExtractor class from the Coherence library bundled with WebLogic. WebLogic’s deserialization filter prevents known dangerous classes from being deserialized by checking them against a blacklist; any class that is not on the blacklist is allowed through. The Coherence ReflectionExtractor class includes a potentially dangerous method, extract(), which accepts an arbitrary object as a parameter and calls a method on it, allowing the invocation of an arbitrary method. A remote, unauthenticated attacker can exploit this vulnerability by sending a serialized request that contains a ReflectionExtractor Java object.
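The blacklist-versus-allowlist point above is easiest to see with a runnable deserializer. The following Python example is added here and is not code from SonicWall or Oracle: it uses pickle’s find_class hook, the Python analogue of the class filter WebLogic applies on deserialization (and of Java’s ObjectInputFilter), to compare a denylist that fails open for a class it has never heard of with an allowlist that fails closed. Config, Invoker, record_call and the contents of DENYLIST and ALLOWLIST are all constructed for the example.

```python
import io
import pickle

# Legitimate application data that should round-trip through (de)serialization.
class Config:
    def __init__(self, host, port):
        self.host = host
        self.port = port

# Constructed stand-in for an unexpected type. It is harmless here, but its
# __reduce__ hook makes the deserializer call a function chosen by the payload,
# which is the same shape of problem as ReflectionExtractor.extract() turning a
# serialized object into an arbitrary method call.
CALLS = []

def record_call(msg):
    CALLS.append(msg)
    return msg

class Invoker:
    def __reduce__(self):
        return (record_call, ("Invoker ran during deserialization",))

# A denylist is only as good as its last update: it names some known-bad callables
# but knows nothing about Invoker (hypothetical entries, constructed for this example).
DENYLIST = {("os", "system"), ("subprocess", "Popen")}
# An allowlist names the one class the application expects; everything else fails closed.
ALLOWLIST = {(Config.__module__, "Config")}

class DenylistUnpickler(pickle.Unpickler):
    def find_class(self, module, name):
        if (module, name) in DENYLIST:
            raise pickle.UnpicklingError(f"blocked {module}.{name}")
        return super().find_class(module, name)

class AllowlistUnpickler(pickle.Unpickler):
    def find_class(self, module, name):
        if (module, name) not in ALLOWLIST:
            raise pickle.UnpicklingError(f"not on allowlist: {module}.{name}")
        return super().find_class(module, name)

def load(data, unpickler_cls):
    """Deserialize `data` under the given policy: ('ok', obj) or ('rejected', reason)."""
    try:
        return ("ok", unpickler_cls(io.BytesIO(data)).load())
    except pickle.UnpicklingError as exc:
        return ("rejected", str(exc))

def demo():
    """Run both policies over a benign and an unexpected payload; return what happened."""
    CALLS.clear()
    benign = pickle.dumps(Config("db.internal", 5432))   # constructed sample object
    unexpected = pickle.dumps(Invoker())
    out = {}
    status, cfg = load(benign, DenylistUnpickler)
    out["denylist_config_ok"] = status == "ok" and cfg.host == "db.internal"
    out["denylist_invoker_status"] = load(unexpected, DenylistUnpickler)[0]
    out["invoker_ran_under_denylist"] = len(CALLS)       # 1: the hook fired
    status, cfg = load(benign, AllowlistUnpickler)
    out["allowlist_config_ok"] = status == "ok" and cfg.port == 5432
    out["allowlist_invoker_status"] = load(unexpected, AllowlistUnpickler)[0]
    out["invoker_ran_under_allowlist"] = len(CALLS) - 1  # 0: rejected before any call
    return out

if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

Invoker is harmless, but it shows the mechanism: the deserializer resolves a name carried in the payload and runs code tied to it before the application ever sees an object. Only the allowlist rejects it, because a denylist can list only what its maintainers already know about; the same reasoning applies to a WebLogic blacklist that did not yet include ReflectionExtractor.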

A quick search on Shodan reveals a little over 4,600 Oracle WebLogic servers available online. These servers are mostly located in the U.S., China, Iran, Germany and India. The majority of these servers run unpatched versions that can be exploited by unauthenticated attackers.

Oracle WebLogic Server versions 10.3.6, 12.1.3, 12.2.1.3, and 12.2.1.4 are affected by this vulnerability.

Fix:
This issue is addressed in Oracle’s April 2020 Critical Patch Update.

SonicWall Capture Labs Threat Research team provides protection against this exploit with the following signatures:

IPS: 15000 Oracle WebLogic Server Insecure Deserialization 19
IPS: 15025 Oracle WebLogic Server Insecure Deserialization 20

Cybersecurity News & Trends – 05-29-20

This week, a lot’s been up—including data loss, ransom demands, white-hat bounties, VPN sales and more.


SonicWall Spotlight

Test Platform Leaks Bank of America Clients’ COVID-19 PPP Loan Applications — SC Magazine

  • BoA said the platform was designed to test application submissions to the Small Business Administration — but the company soon realized client docs could be viewed by other lenders and third parties.

SonicWall’s Labs Threat Research Team Spots fake Aarogya Setu App Carrying Spyware Components — CRN India

  • After the Covid-19 tracking app reached five million downloads within its first three days, it became a target for malware creators. According to SonicWall Labs Threats research team, fake Aarogya Setu apps containing spyware are now in circulation.

New Ransomware Is Spreading That Charges $1,300 In Bitcoin — Decrypt

  • SonicWall researchers have discovered a new ransomware called Instabot that asks for ransom in bitcoin—and includes video instructions and a step-by-step manual to “help” victims comply.

Cybersecurity News

Israeli cyber chief: Major attack on water systems thwarted – The Washington Times

  • According to Israel’s national cyber chief, the country has thwarted a major cyberattack against its water systems, and it’s believed that Iran is behind it.

Ransomware’s big jump: ransoms grew 14 times in one year – Bleeping Computer

  • Ransomware has become one of the most insidious threats in the past few years, and the demands continue to climb: According to Bleeping Computer, ransom demands for more than $1 million are no longer rare.

Data Loss Spikes Under COVID-19 Lockdowns – Dark Reading

  • Two new reports suggest a massive gap between how organizations have prepared their cybersecurity defenses and the reality of their effectiveness.

DHS’s cyber division has stepped up protections for coronavirus research, official says – Cyberscoop

  • “I just want you to know that we have stepped up our protections of HHS and CDC,” Bryan Ware told industry representatives Friday.

New Octopus Scanner malware spreads via GitHub supply chain attack – Bleeping Computer

  • Security researchers have found a new malware that finds and backdoors open-source NetBeans projects hosted on the GitHub web-based code hosting platform to spread to Windows, Linux, and macOS systems.

Hong Kong demand for VPNs surges on heels of China’s plan for national security laws – Reuters

  • Demand for virtual private networks in Hong Kong surged more than six-fold last Thursday as Beijing proposed tough new national security laws that some say could impact internet privacy.

States plead for cybersecurity funds as hacking threat surges – The Hill

  • Cash-short state and local governments are pleading with Congress to send them funds to shore up their cybersecurity as hackers look to exploit the crisis by targeting overwhelmed government offices.

$100 million in bounties paid by HackerOne to ethical hackers – Bleeping Computer

  • Bug bounty platform HackerOne announced that it has paid out $100,000,000 in rewards to white-hat hackers around the world.

‘Turla’ spies have been stealing documents from foreign ministries in Eastern Europe, researchers find – Cyberscoop

  • According to researchers, a notorious group of suspected Russian hackers has used a revamped tool to spy on governments in Eastern Europe and quietly steal sensitive documents from their networks.

Ransomware deploys virtual machines to hide itself from antivirus software – ZDNet

  • The operators of the RagnarLocker ransomware are running Oracle VirtualBox to hide their presence on infected computers inside a Windows XP virtual machine.

In Case You Missed It

DragonCyber ransomware actively spreading in the wild

The SonicWall Capture Labs Threat Research Team observed reports of a new variant family of DragonCyber ransomware [DRAGON.RSM] actively spreading in the wild.

The DragonCyber ransomware encrypts the victim’s files with a strong encryption algorithm until the victim pays a fee to get them back.

Infection Cycle:

The ransomware adds the following files to the system:

  • Malware.exe
    • %App.path%\ [Name]. <dc>

Once the computer is compromised, the ransomware runs the following commands:

The ransomware encrypts all the files and appends the [dc] extension onto each encrypted file’s filename.

After encrypting all personal documents, the ransomware displays the following image, containing a message stating that the computer has been encrypted and that the victim must contact its developer for unlock instructions.

We have been monitoring varying hits over the past few days for the signature that blocks this threat:

SonicWall Capture Labs threat research team provides protection against this threat via the following signature:

  • GAV: DRAGON.RSM (Trojan)

This threat is also detected by SonicWall Capture ATP w/RTDMI and the Capture Client endpoint solutions.

Coinminer employing LOLBins and distributed with multiple unstained components

SonicWall Capture Labs Threat Research team has observed a coin miner using a multi-component approach.

Infection Cycle

The malware is delivered to victims as a self-extracting archive file which drops the following two files:

    • nur.bat
    • wmine.exe (GNU wget tool)

nur.bat runs first; it handles the download and execution of additional malware and also removes infection footprints. It uses wmine.exe to download an OS-specific additional malware file from a remote location:

  • noloadXP.exe (Windows XP)
  • noloadnof.cab (OSes above XP)

noloadnof.cab contains a Base64-encoded executable named “noloadn.crt”, which is decoded onto local storage as noloadn.exe and then executed.

The following command is used to decode noloadn.exe:

  • certutil.exe -decode noloadn.crt noloadn.exe

noloadn.exe is an archive file packed with UPX 3.95. It contains the following files: grim20.ime, grim40.ime, inst.bat, intl.bat, intlu.exe, mnzk12.dat, msletni.ime, nirco.exe, Resmin.exe, restr.exe, Ring and vget.exe.

Additional file information:

  • Resmin.exe and restr.exe are archive files, while grim20.ime, grim40.ime and msletni.ime are encoded cab files that are later decoded with the certutil tool, which yields further executables.
  • vget.exe, like wmine.exe, is the non-interactive network retriever wget; the malware author simply renamed the wget tool as wmine.exe and vget.exe.
  • nirco.exe is the NirCmd tool. By running NirCmd with a simple command-line option, you can write and delete values and keys in the Registry, write values into INI files, dial your internet account or connect to a VPN, restart Windows or shut down the computer, create a shortcut to a file, change the created/modified date of a file, change your display settings, turn off your monitor, open the CD-ROM drive door, and more.
  • Ring is a .sys file that is later moved to the system32 folder and renamed “WinRing0x64.sys”.

Fig1: commands present in nur.bat

Fig2: Relationship between coin miner’s multiple components
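Every component in this chain is a legitimate or renamed tool, so detection rests on how they are used and on the hashes in the IOC table below. The following Python example is added here and is not SonicWall’s code: it scans constructed key=value process and file events for three of the behaviours described, certutil.exe invoked with -decode, an image whose MD5 appears in this write-up’s IOC table, and WinRing0x64.sys being written to System32. The event format, the sample lines and the rule wording are assumptions made for the example; the MD5 values are the ones listed on this page.

```python
import re

# MD5 values copied from the IOC table in this write-up, labelled with the file names
# the write-up gives them. In practice this map would come from a threat-intel store.
IOC_MD5 = {
    "8eefcaeed48be4eb4d6470330ccc24bf": "nur.bat",
    "a9ff569c7cc92998180b0a5f9acac852": "wmine.exe (renamed wget)",
    "8eba146792a8a68c6e6992fee2071e23": "vget.exe (renamed wget)",
    "ba07f81d94c84bfbae096b304a3a9206": "nirco.exe (NirCmd)",
    "f3ca8234f60eba24604b5a9390d2fed5": "intlu.exe / hddsvc.exe",
    "0c0195c48b6b8582fa6f6373032118da": "Ring (WinRing0x64.sys)",
}

# Constructed sample telemetry in a flat key=value form (not real Sysmon/EDR output).
SAMPLE_EVENTS = [
    r'type=ProcessCreate image=C:\Windows\System32\certutil.exe cmdline="certutil.exe -decode noloadn.crt noloadn.exe"',
    r'type=ProcessCreate image=C:\Users\Public\wmine.exe cmdline="wmine.exe -O noloadnof.cab" md5=a9ff569c7cc92998180b0a5f9acac852',
    r'type=FileCreate image=C:\Windows\System32\cmd.exe target=C:\Windows\System32\WinRing0x64.sys',
    r'type=ProcessCreate image=C:\Windows\System32\certutil.exe cmdline="certutil.exe -hashfile report.pdf SHA256"',
    r'type=ProcessCreate image=C:\Windows\System32\notepad.exe cmdline="notepad.exe notes.txt"',
    r'type=ProcessCreate image=C:\ProgramData\hddsvc.exe cmdline=hddsvc.exe md5=f3ca8234f60eba24604b5a9390d2fed5',
]

KV_RE = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')

def parse_event(line):
    """Turn 'k=v k2="v with spaces"' into a dict."""
    return {key: quoted or bare for key, quoted, bare in KV_RE.findall(line)}

def classify(event):
    """Apply the three rules; return the reasons an event is suspicious (empty if none)."""
    reasons = []
    image = event.get("image", "").lower()
    cmdline = event.get("cmdline", "").lower()
    md5 = event.get("md5", "").lower()
    target = event.get("target", "").lower()
    # Rule 1: certutil is a built-in, so only the -decode usage is the signal.
    if image.endswith("\\certutil.exe") and "-decode" in cmdline.split():
        reasons.append("certutil -decode: built-in tool used to decode a dropped payload")
    # Rule 2: renamed tools (wget, NirCmd) keep their hash even when the name changes.
    if md5 in IOC_MD5:
        reasons.append(f"hash matches known component: {IOC_MD5[md5]}")
    # Rule 3: the write-up says Ring is moved to system32 as WinRing0x64.sys.
    if event.get("type") == "FileCreate" and target.endswith("\\system32\\winring0x64.sys"):
        reasons.append("WinRing0x64.sys written to System32 (driver this miner installs)")
    return reasons

def scan(lines):
    """Return [(line_number, reasons)] for every event that trips at least one rule."""
    hits = []
    for number, line in enumerate(lines, 1):
        reasons = classify(parse_event(line))
        if reasons:
            hits.append((number, reasons))
    return hits

if __name__ == "__main__":
    for number, reasons in scan(SAMPLE_EVENTS):
        print(number, "; ".join(reasons))
```

The benign certutil -hashfile line and notepad.exe pass untouched, which is the point of keying on the -decode switch rather than on certutil itself; the two hash hits show why a renamed binary should be matched on content, not on the name the dropper gave it.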


System modifications

The following modifications are observed on the system after execution:

Files added:

Registry entries added:

SonicWall Capture Labs provides protection against this threat with the following signature:

  • GAV: Cheetah.MNR

Indicators of Compromise (IOC):

  • MD5: 12154f30058cbdf167ed9d7eb1438ebe
  • SHA256: 4845254ed0e2d162d0e3bb95323ef106bd75bf24dc6d7b2371bab6704ae1c13c

The following components are dropped by the malware:

FileName MD5
nur.bat 8eefcaeed48be4eb4d6470330ccc24bf
wmine.exe a9ff569c7cc92998180b0a5f9acac852
intelrp.exe 11831c3dc5941b909a86d83211f0d591
renim.exe ( 32 bit ) 34611952dbbac503d1f1bdda5f5e5522
renim.exe ( 64 bit ) 4f0fca816bedb8f99ce764c1bff2e7df
grim20.ime 5dcbf2fb0043e0e7432f916ecbdd11e0
grim40.ime 425c2312cc45d22a187ee433a09f4179
inst.bat 95e74880eb068314055507540b25a0a0
intl.bat a322567b0553638fc9b9bd8d74e112c5
intlu.exe f3ca8234f60eba24604b5a9390d2fed5
mnzk12.dat 7829cb080d780f419ade0f031a66a985
msletni.ime b3bf512ffa11df457ed8c0c9b3c8133d
nirco.exe ba07f81d94c84bfbae096b304a3a9206
Resmin.exe e88cd2ecd091f6170e70eb73e90f8900
restr.exe b5cacef347a785d9cabbf0385a3c2717
Ring 0c0195c48b6b8582fa6f6373032118da
vget.exe 8eba146792a8a68c6e6992fee2071e23
dskdgnostbat.key 4ac6e2af5db82b97717c4f1ab45bd1c5
dwdiag.cat 6745b4829fa9f0195c730d849f6500ba
dwdiag32.cat b9c240251c245f8e0ca7c1f54a6cdb5d
instll.bat d3033eb75ff326cf03bcde41a75b3c7d
stp.bat 79eb6c6f34ebc5c73fffea30cdcd7af2
subinacl.exe 53cdbb093b0aee9fd6cf1cbd25a95077
zada4a.xml 306d973bf0751c337e6239a58e35ff36
zada4a_descr.xml e0d29c37965bf8e40363113d02c3dd3d
hddsmart.bat 31c029b19aa8b23223319e0f01a12545
hddsvc.exe f3ca8234f60eba24604b5a9390d2fed5
ins.bat ded0a61a14b906b69fd9dc5fc46110a2
instsrv.exe 7bc1928cd1d6ea2bce5fdb1fdeac0b3d
smarthdd.exe 6eddcf70df22cd65b1cfa26de2513f32
DskDiag32.exe ( 32 bit) cbfdfcf530147abb18d9af84bb1736ae
DskDiag.exe ( 64 bit ) 7c74c7e6f478e28453e085adf6c2b298

Cybersecurity News & Trends – 05-22-20

This week, cybersecurity news was thrust into the fray, with clashes between scammers and vigilante hackers, between conspiracy theorists and cell-phone towers, and between REvil and a number of high-profile celebrities.


SonicWall Spotlight

DeskFlix: SonicWall channel director on COVID-19 cybersecurity challenges — CRN UK

  • Mike Awford discusses the ways SonicWall has supported partners through the migration to remote working.

EasyJet Hack: Passenger Data Could be Sold on Dark Web After Major Cyber Attack, Experts Warn — The Independent

  • Based on similar attacks in the past, SonicWall’s VP EMEA Terry Greer-King discusses what could happen to customers’ data once it hits the Dark Web.

SonicWall Capture Labs Threat Research Teams Uncovers New Variant of Raccoon Stealer — CXO Today

  • SonicWall has reported a new variant of Raccoon stealer malware, version 1.5, which has been used in a malicious COVID-19 campaign.

Cybersecurity News

ShinyHunters Is a Hacking Group on a Data Breach Spree — Wired

  • In May, ShinyHunters began selling 200 million stolen records from over a dozen companies … and they claim this is just Stage 1.

Beware of phishing emails urging for a LogMeIn security update — Help-Net Security

  • The email appears to be legitimate correspondence from LogMeIn, including company logo, spoofed sender identity and a link that appears legitimate.

Vigilante hackers target scammers with ransomware, DDoS attacks — Bleeping Computer

  • A hacker has been taking justice into their own hands by targeting “scam” companies with ransomware and denial of service attacks.

Tech Chiefs Press Cloud Suppliers for Consistency on Security Data — The Wall Street Journal

  • Each cloud company offers its own process on cybersecurity and governance, creating added work for customers.

Cell-tower attacks by idiots who claim 5G spreads COVID-19 reportedly hit US — Ars Technica

  • Wireless telecom providers are being warned to boost security as 5G conspiracy theorists ramp up attacks on cell towers and telecommunications workers.

Microsoft warns of ‘massive’ phishing attack pushing legit RAT — Bleeping Computer

  • Microsoft is warning of an ongoing COVID-19 themed phishing campaign that spreads via malicious Excel attachments.

Supercomputers hacked across Europe to mine cryptocurrency — ZDNet

  • Multiple supercomputers across Europe have been shut down to investigate cryptocurrency mining malware infections.

Microsoft opens up coronavirus threat data to the public — Cyberscoop

  • Microsoft has announced plans to make threat intelligence it collected on COVID-19-related hacking campaigns public.

NetWalker adjusts ransomware operation to only target enterprise — Bleeping Computer

  • NetWalker ransomware group is moving away from phishing for malware distribution and has adopted a network-intrusion model focusing on huge businesses only.

REvil Ransomware found buyer for Trump data, now targeting Madonna — Bleeping Computer

  • After breaching a prominent law firm, the REvil ransomware group is holding the personal information of high-profile celebrities for ransom.

In Case You Missed It

Infostealer Trojan hides in Covid-19 related email attachments

Attackers are taking advantage of COVID-19 fear by spreading malware through attachments to COVID-19 “informational” emails. As many states are still under shelter-at-home orders, people tend to read any information regarding new guidelines from medical authorities. This particular trojan is delivered through an email purporting to come from the CDC (Centers for Disease Control).

Infection cycle :

The malicious attachment is a 32-bit PE file. Upon execution, it sets about gathering information from the affected system.

It creates a file and a process named dllhost.exe.

It collects system information:

  • Tries to read sensitive data of web browsers such as Mozilla Firefox, Google Chrome, QtWeb Internet Browser and Internet Explorer / Edge.
  • Reads installed programs by enumerating the SOFTWARE registry key.
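The breadth of the file list that follows is itself a signal: a legitimate browser or FTP client opens its own credential store, not those of dozens of other products. The Python example below is added here and is not SonicWall’s code; it flags any process that reads five or more distinct credential-store files within a sliding time window. The event tuples are constructed for the example (pids, image names and timestamps are made up), and the file names it recognises are taken from the access list in this write-up.

```python
import re
from collections import defaultdict, deque

# File names of credential stores drawn from the access list in this write-up:
# Chromium-family "Login Data"/"Web Data" SQLite files, FTP/SSH client profiles,
# mail and sync-client data. Matching is on the path tail, case-insensitive.
CRED_STORE_RE = re.compile(
    r"\\(login data|web data|ftpprofiles-j\.jsd|sshprofiles-j\.jsd|encpwd\.jsd|"
    r"sites\.xml|servers\.xml|ftpshell\.fsi|ftpsites\.smf|connections\.txt|"
    r"myftp\.ini|filezilla\.xml|mailing\.vdt|drives\.dat)$",
    re.IGNORECASE,
)

def is_credential_store(path):
    return CRED_STORE_RE.search(path) is not None

def find_credential_sweeps(events, threshold=5, window=60.0):
    """events: (timestamp_seconds, pid, image, path) file-read records.
    Flag any pid that reads >= threshold distinct credential stores within
    `window` seconds of each other. Returns {pid: image} for flagged processes."""
    reads = defaultdict(list)
    images = {}
    for t, pid, image, path in events:
        if is_credential_store(path):
            reads[pid].append((t, path.lower()))
            images[pid] = image
    flagged = {}
    for pid, seq in reads.items():
        seq.sort()
        in_window = deque()
        seen = defaultdict(int)          # distinct paths currently inside the window
        for t, path in seq:
            in_window.append((t, path))
            seen[path] += 1
            while t - in_window[0][0] > window:   # expire reads older than the window
                _, old_path = in_window.popleft()
                seen[old_path] -= 1
                if seen[old_path] == 0:
                    del seen[old_path]
            if len(seen) >= threshold:
                flagged[pid] = images[pid]
                break
    return flagged

# Constructed sample events: one process sweeping stores of many products within
# two seconds, a browser touching only its own files, and an unrelated document read.
SAMPLE_EVENTS = [
    (0.0, 4242, "dllhost.exe", r"C:\Program Files (x86)\FileZilla\Filezilla.xml"),
    (0.2, 4242, "dllhost.exe", r"C:\Program Files (x86)\FTP Now\sites.xml"),
    (0.4, 4242, "dllhost.exe", r"C:\Program Files (x86)\JaSFtp10\encPwd.jsd"),
    (0.6, 4242, "dllhost.exe", r"C:\ProgramData\NetDrive2\drives.dat"),
    (0.8, 4242, "dllhost.exe", r"C:\Users\IEUser\AppData\Local\Chromium\User Data\Default\Login Data"),
    (1.0, 4242, "dllhost.exe", r"C:\Users\IEUser\AppData\Local\Google\Chrome\User Data\Default\Login Data"),
    (1.2, 4242, "dllhost.exe", r"C:\Users\IEUser\AppData\Local\Comodo\Dragon\User Data\Default\Web Data"),
    (5.0, 1000, "chrome.exe", r"C:\Users\IEUser\AppData\Local\Google\Chrome\User Data\Default\Login Data"),
    (5.1, 1000, "chrome.exe", r"C:\Users\IEUser\AppData\Local\Google\Chrome\User Data\Default\Web Data"),
    (7.0, 2000, "winword.exe", r"C:\Users\IEUser\Documents\guidelines.docx"),
]

if __name__ == "__main__":
    print(find_credential_sweeps(SAMPLE_EVENTS))
```

The threshold and window are tuning knobs: a backup or sync agent may legitimately touch several of these files, so in production the rule is usually paired with an allowlist of known images or a higher threshold, while the breadth of the list in this write-up (dozens of distinct products) sits well above any such baseline.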

The following are some of the files it tries to access:

C:\Program Files (x86)\Automize7\data\settings\ftpProfiles-j.jsd
C:\Program Files (x86)\Automize7\data\settings\sshProfiles-j.jsd
C:\Program Files (x86)\Automize7\encPwd.jsd
C:\Program Files (x86)\Automize8\data\settings\ftpProfiles-j.jsd
C:\Program Files (x86)\Automize8\data\settings\sshProfiles-j.jsd
C:\Program Files (x86)\Automize8\encPwd.jsd
C:\Program Files (x86)\Automize9\data\settings\ftpProfiles-j.jsd
C:\Program Files (x86)\Automize9\data\settings\sshProfiles-j.jsd
C:\Program Files (x86)\Automize9\encPwd.jsd
C:\Program Files (x86)\DeluxeFTP\sites.xml
C:\Program Files (x86)\EasyFTP\data
C:\Program Files (x86)\FTP Now\sites.xml
C:\Program Files (x86)\FTPGetter\Profile\servers.xml
C:\Program Files (x86)\FTPShell\ftpshell.fsi
C:\Program Files (x86)\Fastream NETFile\My FTP Links
C:\Program Files (x86)\FileZilla\Filezilla.xml
C:\Program Files (x86)\Foxmail\mail
C:\Program Files (x86)\FreshWebmaster\FreshFTP\FtpSites.SMF
C:\Program Files (x86)\GoFTP\settings\Connections.txt
C:\Program Files (x86)\JaSFtp10\data\settings\ftpProfiles-j.jsd
C:\Program Files (x86)\JaSFtp10\data\settings\sshProfiles-j.jsd
C:\Program Files (x86)\JaSFtp10\encPwd.jsd
C:\Program Files (x86)\JaSFtp11\data\settings\ftpProfiles-j.jsd
C:\Program Files (x86)\JaSFtp11\data\settings\sshProfiles-j.jsd
C:\Program Files (x86)\JaSFtp11\encPwd.jsd
C:\Program Files (x86)\JaSFtp12\data\settings\ftpProfiles-j.jsd
C:\Program Files (x86)\JaSFtp12\data\settings\sshProfiles-j.jsd
C:\Program Files (x86)\JaSFtp12\encPwd.jsd
C:\Program Files (x86)\JaSFtp13\data\settings\ftpProfiles-j.jsd
C:\Program Files (x86)\JaSFtp13\data\settings\sshProfiles-j.jsd
C:\Program Files (x86)\JaSFtp13\encPwd.jsd
C:\Program Files (x86)\JaSFtp14\data\settings\ftpProfiles-j.jsd
C:\Program Files (x86)\JaSFtp14\data\settings\sshProfiles-j.jsd
C:\Program Files (x86)\JaSFtp14\encPwd.jsd
C:\Program Files (x86)\oZone3D\MyFTP\myftp.ini
C:\Program Files\NETGATE\Black Hawk
C:\ProgramData\NetDrive2\drives.dat
C:\ProgramData\Syncovery
C:\Softwarenetz\Mailing\Daten\mailing.vdt
C:\Users\IEUser\.config\fullsync\profiles.xml
C:\Users\IEUser\AppData\Local360Browser\Browser\Default\Login Data
C:\Users\IEUser\AppData\Local360Browser\Browser\Login Data
C:\Users\IEUser\AppData\LocalCatalinaGroup\Citrio\Default\Login Data
C:\Users\IEUser\AppData\LocalCatalinaGroup\Citrio\Login Data
C:\Users\IEUser\AppData\LocalChromium\Default\Login Data
C:\Users\IEUser\AppData\LocalChromium\Login Data
C:\Users\IEUser\AppData\LocalCocCoc\Browser\Default\Login Data
C:\Users\IEUser\AppData\LocalCocCoc\Browser\Login Data
C:\Users\IEUser\AppData\LocalComodo\Chromodo\Default\Login Data
C:\Users\IEUser\AppData\LocalComodo\Chromodo\Login Data
C:\Users\IEUser\AppData\LocalComodo\Dragon\Default\Login Data
C:\Users\IEUser\AppData\LocalComodo\Dragon\Login Data
C:\Users\IEUser\AppData\LocalCoowon\Coowon\Default\Login Data
C:\Users\IEUser\AppData\LocalCoowon\Coowon\Login Data
C:\Users\IEUser\AppData\LocalEpic Privacy Browser\Default\Login Data
C:\Users\IEUser\AppData\LocalEpic Privacy Browser\Login Data
C:\Users\IEUser\AppData\LocalGoogle\Chrome SxS\Default\Login Data
C:\Users\IEUser\AppData\LocalGoogle\Chrome SxS\Login Data
C:\Users\IEUser\AppData\LocalGoogle\Chrome\Default\Login Data
C:\Users\IEUser\AppData\LocalGoogle\Chrome\Login Data
C:\Users\IEUser\AppData\LocalIridium\Default\Login Data
C:\Users\IEUser\AppData\LocalIridium\Login Data
C:\Users\IEUser\AppData\LocalMapleStudio\ChromePlus\Default\Login Data
C:\Users\IEUser\AppData\LocalMapleStudio\ChromePlus\Login Data
C:\Users\IEUser\AppData\LocalMustang Browser\Default\Login Data
C:\Users\IEUser\AppData\LocalMustang Browser\Login Data
C:\Users\IEUser\AppData\LocalNichrome\Default\Login Data
C:\Users\IEUser\AppData\LocalNichrome\Login Data
C:\Users\IEUser\AppData\LocalOrbitum\Default\Login Data
C:\Users\IEUser\AppData\LocalOrbitum\Login Data
C:\Users\IEUser\AppData\LocalRockMelt\Default\Login Data
C:\Users\IEUser\AppData\LocalRockMelt\Login Data
C:\Users\IEUser\AppData\LocalSpark\Default\Login Data
C:\Users\IEUser\AppData\LocalSpark\Login Data
C:\Users\IEUser\AppData\LocalSuperbird\Default\Login Data
C:\Users\IEUser\AppData\LocalSuperbird\Login Data
C:\Users\IEUser\AppData\LocalTitan Browser\Default\Login Data
C:\Users\IEUser\AppData\LocalTitan Browser\Login Data
C:\Users\IEUser\AppData\LocalTorch\Default\Login Data
C:\Users\IEUser\AppData\LocalTorch\Login Data
C:\Users\IEUser\AppData\LocalVivaldi\Default\Login Data
C:\Users\IEUser\AppData\LocalVivaldi\Login Data
C:\Users\IEUser\AppData\LocalYandex\YandexBrowser\Default\Login Data
C:\Users\IEUser\AppData\LocalYandex\YandexBrowser\Login Data
C:\Users\IEUser\AppData\Local\360Browser\Browser\User Data\Default\Login Data
C:\Users\IEUser\AppData\Local\360Browser\Browser\User Data\Default\Web Data
C:\Users\IEUser\AppData\Local\CatalinaGroup\Citrio\User Data\Default\Login Data
C:\Users\IEUser\AppData\Local\CatalinaGroup\Citrio\User Data\Default\Web Data
C:\Users\IEUser\AppData\Local\Chromium\User Data\Default\Login Data
C:\Users\IEUser\AppData\Local\Chromium\User Data\Default\Web Data
C:\Users\IEUser\AppData\Local\CocCoc\Browser\User Data\Default\Login Data
C:\Users\IEUser\AppData\Local\CocCoc\Browser\User Data\Default\Web Data
C:\Users\IEUser\AppData\Local\Comodo\Chromodo\User Data\Default\Login Data
C:\Users\IEUser\AppData\Local\Comodo\Chromodo\User Data\Default\Web Data
C:\Users\IEUser\AppData\Local\Comodo\Dragon\User Data\Default\Login Data
C:\Users\IEUser\AppData\Local\Comodo\Dragon\User Data\Default\Web Data
C:\Users\IEUser\AppData\Local\Coowon\Coowon\User Data\Default\Login Data
C:\Users\IEUser\AppData\Local\Coowon\Coowon\User Data\Default\Web Data
C:\Users\IEUser\AppData\Local\Epic Privacy Browser\User Data\Default\Login Data
C:\Users\IEUser\AppData\Local\Epic Privacy Browser\User Data\Default\Web Data
C:\Users\IEUser\AppData\Local\Google\Chrome SxS\User Data\Default\Login Data
C:\Users\IEUser\AppData\Local\Google\Chrome SxS\User Data\Default\Web Data
C:\Users\IEUser\AppData\Local\Google\Chrome\User Data\Default\Login Data
C:\Users\IEUser\AppData\Local\Google\Chrome\User Data\Default\Web Data
C:\Users\IEUser\AppData\Local\INSoftware\NovaFTP\NovaFTP.db
C:\Users\IEUser\AppData\Local\Iridium\User Data\Default\Login Data
C:\Users\IEUser\AppData\Local\Iridium\User Data\Default\Web Data
C:\Users\IEUser\AppData\Local\MapleStudio\ChromePlus\User Data\Default\Login Data
C:\Users\IEUser\AppData\Local\MapleStudio\ChromePlus\User Data\Default\Web Data
C:\Users\IEUser\AppData\Local\Mustang Browser\User Data\Default\Login Data
C:\Users\IEUser\AppData\Local\Mustang Browser\User Data\Default\Web Data
C:\Users\IEUser\AppData\Local\Nichrome\User Data\Default\Login Data
C:\Users\IEUser\AppData\Local\Nichrome\User Data\Default\Web Data
C:\Users\IEUser\AppData\Local\Orbitum\User Data\Default\Login Data
C:\Users\IEUser\AppData\Local\Orbitum\User Data\Default\Web Data
C:\Users\IEUser\AppData\Local\PokerStars*
C:\Users\IEUser\AppData\Local\QupZilla\profiles\default\browsedata.db
C:\Users\IEUser\AppData\Local\RockMelt\User Data\Default\Login Data
C:\Users\IEUser\AppData\Local\RockMelt\User Data\Default\Web Data
C:\Users\IEUser\AppData\Local\Spark\User Data\Default\Login Data
C:\Users\IEUser\AppData\Local\Spark\User Data\Default\Web Data
C:\Users\IEUser\AppData\Local\Superbird\User Data\Default\Login Data
C:\Users\IEUser\AppData\Local\Superbird\User Data\Default\Web Data
C:\Users\IEUser\AppData\Local\Titan Browser\User Data\Default\Login Data
C:\Users\IEUser\AppData\Local\Titan Browser\User Data\Default\Web Data
C:\Users\IEUser\AppData\Local\Torch\User Data\Default\Login Data
C:\Users\IEUser\AppData\Local\Torch\User Data\Default\Web Data
C:\Users\IEUser\AppData\Local\Vivaldi\User Data\Default\Login Data
C:\Users\IEUser\AppData\Local\Vivaldi\User Data\Default\Web Data
C:\Users\IEUser\AppData\Local\Yandex\YandexBrowser\User Data\Default\Login Data
C:\Users\IEUser\AppData\Local\Yandex\YandexBrowser\User Data\Default\Web Data
C:\Users\IEUser\AppData\Roaming\.purple\accounts.xml
C:\Users\IEUser\AppData\Roaming\BitKinex\bitkinex.ds
C:\Users\IEUser\AppData\Roaming\BlazeFtp\site.dat
C:\Users\IEUser\AppData\Roaming\Conceptworld\Notezilla\Notes8.db
C:\Users\IEUser\AppData\Roaming\Cyberduck
C:\Users\IEUser\AppData\Roaming\DeskSoft\CheckMail
C:\Users\IEUser\AppData\Roaming\Estsoft\ALFTP\ESTdb2.dat
C:\Users\IEUser\AppData\Roaming\FTP Now\sites.xml
C:\Users\IEUser\AppData\Roaming\FTPBox\profiles.conf
C:\Users\IEUser\AppData\Roaming\FTPGetter\servers.xml
C:\Users\IEUser\AppData\Roaming\FTPInfo\ServerList.cfg
C:\Users\IEUser\AppData\Roaming\FTPInfo\ServerList.xml
C:\Users\IEUser\AppData\Roaming\Far Manager\Profile\PluginsData\42E4AEB1-A230-44F4-B33C-F195BB654931.db
C:\Users\IEUser\AppData\Roaming\Fenrir Inc\Sleipnir5\setting\modules\ChromiumViewer\Default\Login Data
C:\Users\IEUser\AppData\Roaming\Fenrir Inc\Sleipnir5\setting\modules\ChromiumViewer\Login Data
C:\Users\IEUser\AppData\Roaming\Fenrir Inc\Sleipnir5\setting\modules\ChromiumViewer\User Data\Default\Login Data
C:\Users\IEUser\AppData\Roaming\Fenrir Inc\Sleipnir5\setting\modules\ChromiumViewer\User Data\Default\Web Data
C:\Users\IEUser\AppData\Roaming\Fenrir Inc\Sleipnir\setting\modules\ChromiumViewer\Default\Login Data
C:\Users\IEUser\AppData\Roaming\Fenrir Inc\Sleipnir\setting\modules\ChromiumViewer\Login Data
C:\Users\IEUser\AppData\Roaming\Fenrir Inc\Sleipnir\setting\modules\ChromiumViewer\User Data\Default\Login Data
C:\Users\IEUser\AppData\Roaming\Fenrir Inc\Sleipnir\setting\modules\ChromiumViewer\User Data\Default\Web Data
C:\Users\IEUser\AppData\Roaming\FileZilla\filezilla.xml
C:\Users\IEUser\AppData\Roaming\FileZilla\recentservers.xml
C:\Users\IEUser\AppData\Roaming\FileZilla\sitemanager.xml
C:\Users\IEUser\AppData\Roaming\GmailNotifierPro\ConfigData.xml
C:\Users\IEUser\AppData\Roaming\Ipswitch
C:\Users\IEUser\AppData\Roaming\Microsoft\Sticky Notes\StickyNotes.snt
C:\Users\IEUser\AppData\Roaming\NetDrive2\drives.dat
C:\Users\IEUser\AppData\Roaming\NetDrive\NDSites.ini
C:\Users\IEUser\AppData\Roaming\NetSarang\Xftp\Sessions
C:\Users\IEUser\AppData\Roaming\NexusFile\ftpsite.ini
C:\Users\IEUser\AppData\Roaming\NoteFly\notes
C:\Users\IEUser\AppData\Roaming\Notepad++\plugins\config\NppFTP\NppFTP.xml
C:\Users\IEUser\AppData\Roaming\Opera
C:\Users\IEUser\AppData\Roaming\Opera Mail\Opera Mail\wand.dat
C:\Users\IEUser\AppData\Roaming\Opera Software\Opera Stable\User Data\Default\Login Data
C:\Users\IEUser\AppData\Roaming\Opera Software\Opera Stable\User Data\Default\Web Data
C:\Users\IEUser\AppData\Roaming\Opera\Opera Next\data\Default\Login Data
C:\Users\IEUser\AppData\Roaming\Opera\Opera Next\data\Login Data
C:\Users\IEUser\AppData\Roaming\Opera\Opera Next\data\User Data\Default\Login Data
C:\Users\IEUser\AppData\Roaming\Opera\Opera Next\data\User Data\Default\Web Data
C:\Users\IEUser\AppData\Roaming\Pocomail\accounts.ini
C:\Users\IEUser\Documents\*.bscp
C:\Users\IEUser\Documents\*.kdb
C:\Users\IEUser\Documents\*.kdbx
C:\Users\IEUser\Documents\*.spn
C:\Users\IEUser\Documents\*.tlp
C:\Users\IEUser\Documents\*.vnc
C:\Users\IEUser\Documents\*Mailbox.ini
C:\Users\IEUser\Documents\1Password
C:\Users\IEUser\Documents\Enpass
C:\Users\IEUser\Documents\My RoboForm Data
C:\Users\IEUser\Documents\NetSarang\Xftp\Sessions
C:\Users\IEUser\Documents\Pocomail\accounts.ini
C:\Users\IEUser\Documents\SuperPutty
C:\Users\IEUser\Documents\mSecure
C:\Users\IEUser\Documents\yMail2\Accounts.xml
C:\Users\IEUser\Documents\yMail2\POP3.xml
C:\Users\IEUser\Documents\yMail2\SMTP.xml
C:\Users\IEUser\Documents\yMail\ymail.ini
C:\Users\IEUser\site.xml
C:\Windows\32BitFtp.TMP
C:\Windows\32BitFtp.ini
C:\Windows\Prefetch\DLLHOST.EXE-D6B64AC2.pf
C:\Windows\System32
C:\Windows\SysWOW64\dllhost.exe
C:\Windows\apppatch\sysmain.sdb
C:\Windows\SysWOW64\apphelp.dll
C:\Windows\SysWOW64\imm32.dll
C:\Windows\SysWOW64\winmmbase.dll
C:\Windows\SysWOW64\KernelBase.dll
C:\Windows\WinSxS\x86_microsoft.windows.common-controls_6595b64144ccf1df_6.0.17134.765_none_42efd88044e1819c\comctl32.dll
C:\Windows\SysWOW64\uxtheme.dll
C:\Windows\SysWOW64\winmm.dll
C:\Windows\SysWOW64\IPHLPAPI.DLL
C:\Windows\SysWOW64\dwmapi.dll
C:\Windows\SysWOW64\mpr.dll
C:\Windows\SysWOW64\userenv.dll
C:\Windows\SysWOW64\version.dll
C:\Windows\SysWOW64\wininet.dll
C:\Windows\SysWOW64\wsock32.dll
C:\Windows\SysWOW64\ole32.dll
C:\Windows\SysWOW64\oleaut32.dll
C:\Windows\SysWOW64\user32.dll
C:\Windows\SysWOW64\advapi32.dll
C:\Windows\SysWOW64\comdlg32.dll
C:\Windows\SysWOW64\kernel32.dll
C:\Windows\SysWOW64\ntdll.dll
C:\Windows\SysWOW64\ws2_32.dll
C:\Windows\WindowsShell.Manifest
C:\Windows\Globalization\Sorting\SortDefault.nls
C:\Windows\SysWOW64\SHCore.dll
C:\Windows\SysWOW64\bcryptprimitives.dll
C:\Windows\SysWOW64\cfgmgr32.dll
C:\Windows\SysWOW64\combase.dll
C:\Windows\SysWOW64\cryptbase.dll
C:\Windows\SysWOW64\fltLib.dll
C:\Windows\SysWOW64\gdi32.dll
C:\Windows\SysWOW64\gdi32full.dll
C:\Windows\SysWOW64\kernel.appcore.dll
C:\Windows\SysWOW64\msctf.dll
C:\Windows\SysWOW64\msvcp_win.dll
C:\Windows\SysWOW64\msvcrt.dll
C:\Windows\SysWOW64\powrprof.dll
C:\Windows\SysWOW64\profapi.dll
C:\Windows\SysWOW64\psapi.dll
C:\Windows\SysWOW64\rpcrt4.dll
C:\Windows\SysWOW64\sechost.dll
C:\Windows\SysWOW64\shell32.dll
C:\Windows\SysWOW64\shlwapi.dll
C:\Windows\SysWOW64\sspicli.dll
C:\Windows\SysWOW64\ucrtbase.dll
C:\Windows\SysWOW64\win32u.dll
C:\Windows\SysWOW64\windows.storage.dll
C:\Windows\WinSxS\x86_microsoft.windows.common-controls_6595b64144ccf1df_6.0.17134.765_none_42efd88044e1819c
C:\Users\IEUser\Desktop
C:\Windows\Prefetch\COVID_PDF.EXE-37D47B96.pf
C:\Windows\SysWOW64\UxTheme.dll.Config
C:\Windows\SysWOW64\rpcss.dll
C:\Windows\System32\ntdll.dll
C:\Windows\System32\wow64.dll
C:\Windows\System32\wow64cpu.dll
C:\Windows\System32\wow64log.dll
C:\Windows\System32\wow64win.dll
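The list above is dominated by two kinds of entries: loader noise (system DLLs and manifests under C:\Windows) and reads of browser, FTP-client, mail-client and password-manager credential stores. The script below is an added example, not SonicWall's tooling, that turns such a sandbox file-access list into a verdict by grouping the paths into credential-store categories and flagging a process that reaches into several browsers' password databases or into several different kinds of store. The category patterns, the thresholds and the SAMPLE_PATHS list are assumptions constructed for the example; a few of the sample entries are taken from the list above.

```python
"""Triage a sandbox file-access list for credential-store harvesting.

Added example (not from the SonicWall write-up): classify the paths a sample
touched into credential-store categories and raise a verdict when one process
reaches into several of them. The rule set below is my own selection.
"""
import re
from collections import defaultdict

# Category -> regexes matched against the path (case-insensitive). Hypothetical rule set.
CREDENTIAL_STORE_PATTERNS = {
    "chromium-browser": [r"\\(Login Data|Web Data)$"],
    "ftp-client": [
        r"\\FileZilla\\(sitemanager|recentservers|filezilla)\.xml$",
        r"\\NppFTP\\NppFTP\.xml$",
        r"\\(ftpProfiles|sshProfiles)-j\.jsd$",
        r"\\Xftp\\Sessions$",
        r"\\BlazeFtp\\site\.dat$",
    ],
    "password-manager": [
        r"\.kdbx?$",
        r"\\Documents\\(1Password|Enpass|mSecure|My RoboForm Data)$",
    ],
    "mail-client": [
        r"\\(Pocomail|\.purple)\\accounts\.(ini|xml)$",
        r"\\Opera Mail\\wand\.dat$",
        r"\\yMail2\\(Accounts|POP3|SMTP)\.xml$",
    ],
    "remote-access": [r"\.vnc$", r"\\SuperPutty$"],
}
_COMPILED = {c: [re.compile(r, re.IGNORECASE) for r in rs]
             for c, rs in CREDENTIAL_STORE_PATTERNS.items()}

# Loader/system noise: DLLs, NLS tables, manifests, prefetch and shim files under C:\Windows.
_NOISE = re.compile(r"^[A-Z]:\\Windows\\.*\.(dll|nls|manifest|pf|sdb)$", re.IGNORECASE)
# Vendor directory directly under AppData\Local or AppData\Roaming (Google, Vivaldi, ...).
_VENDOR = re.compile(r"\\AppData\\(?:Local|Roaming)\\([^\\]+)", re.IGNORECASE)


def classify(path):
    """Return the credential-store category for one path, 'noise' for loader noise, or None."""
    p = path.replace("/", "\\")
    if _NOISE.match(p):
        return "noise"
    for category, regexes in _COMPILED.items():
        if any(r.search(p) for r in regexes):
            return category
    return None


def triage(paths):
    """Group paths by category. Returns (hits, noise_count); hits maps category -> set of paths."""
    hits = defaultdict(set)
    noise = 0
    for path in paths:
        cat = classify(path)
        if cat == "noise":
            noise += 1
        elif cat:
            hits[cat].add(path.replace("/", "\\"))
    return dict(hits), noise


def browser_vendors(hits):
    """Distinct AppData vendor directories among the browser hits (one per browser family)."""
    vendors = set()
    for path in hits.get("chromium-browser", ()):
        m = _VENDOR.search(path)
        if m:
            vendors.add(m.group(1).lower())
    return vendors


def stealer_verdict(hits, min_browser_vendors=3, min_categories=2):
    """Stealer-like if the process read the password stores of several browsers, or several
    different kinds of credential store. Thresholds are assumptions; tune them per environment."""
    return len(browser_vendors(hits)) >= min_browser_vendors or len(hits) >= min_categories


# Constructed sample: a handful of paths from the list above plus loader noise (not a real log).
SAMPLE_PATHS = [
    r"C:\Windows\SysWOW64\kernel32.dll",
    r"C:\Windows\SysWOW64\ntdll.dll",
    r"C:\Windows\Prefetch\COVID_PDF.EXE-37D47B96.pf",
    r"C:\Users\IEUser\AppData\Local\Google\Chrome\User Data\Default\Login Data",
    r"C:\Users\IEUser\AppData\Local\Vivaldi\User Data\Default\Login Data",
    r"C:\Users\IEUser\AppData\Local\Yandex\YandexBrowser\User Data\Default\Web Data",
    r"C:\Users\IEUser\AppData\Roaming\FileZilla\sitemanager.xml",
    r"C:\Users\IEUser\Documents\passwords.kdbx",  # constructed stand-in for Documents\*.kdbx
    r"C:\Users\IEUser\Desktop",
]

if __name__ == "__main__":
    hits, noise = triage(SAMPLE_PATHS)
    for category, paths in sorted(hits.items()):
        print(f"{category}: {len(paths)} path(s)")
    verdict = "stealer-like" if stealer_verdict(hits) else "inconclusive"
    print(f"noise: {noise}, verdict: {verdict}")
```

The vendor count matters more than the raw hit count: a single browser reading its own Login Data is normal, whereas one process opening the password databases of three unrelated browser families almost never is. Paths with the separator dropped, as several of the 360Browser-style entries above have, will not match the vendor regex and should be normalised before triage.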

Following are some of the registry keys it queried or tried to modify. Most of the Nls, Winsock and Session Manager entries are read by the Windows loader and by Winsock initialisation in every process and are not indicators on their own; the Image File Execution Options\dllhost.exe key is more notable, since it is consulted when dllhost.exe is launched, and the file list above shows the sample reaching for C:\Windows\SysWOW64\dllhost.exe:

HKCU\Software\Classes\Local Settings\Software\Microsoft\Ole\FeatureDevelopmentProperties
HKCU\������О�����������҉�ќ��Й����М�����Й��я��
HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\SessionInfo\1\KnownFolders
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\dllhost.exe
HKLM\SOFTWARE\Policies\Microsoft\MUI\Settings
HKLM\SOFTWARE\Policies\Microsoft\Windows\Display
HKLM\Software\WOW6432Node\Policies\Microsoft\MUI\Settings
HKLM\Software\WOW6432Node\Policies\Microsoft\Windows\Display
HKLM\System\CurrentControlSet\Control\ComputerName\ActiveComputerName
HKLM\System\CurrentControlSet\Control\Lsa
HKLM\System\CurrentControlSet\Control\Nls\ExtendedLocale
HKLM\System\CurrentControlSet\Control\NLS\Language
HKLM\System\CurrentControlSet\Control\Nls\Sorting\Ids
HKLM\System\CurrentControlSet\Control\Nls\Sorting\Versions
HKLM\System\CurrentControlSet\Control\Session Manager\ResourcePolicies
HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\Segment Heap
HKLM\System\CurrentControlSet\Services\afunix\Parameters\Winsock\Mapping
HKLM\System\CurrentControlSet\Services\Tcpip\Parameters\Domain
HKLM\System\CurrentControlSet\Services\Tcpip\Parameters\Winsock\Mapping
HKLM\System\CurrentControlSet\Services\WinSock2\Parameters\NameSpace_Catalog5\Catalog_Entries\000000000001\DisplayString
HKLM\System\CurrentControlSet\Services\WinSock2\Parameters\NameSpace_Catalog5\Catalog_Entries\000000000002\DisplayString
HKLM\System\CurrentControlSet\Services\WinSock2\Parameters\NameSpace_Catalog5\Catalog_Entries\000000000003\DisplayString
HKLM\System\CurrentControlSet\Services\WinSock2\Parameters\NameSpace_Catalog5\Catalog_Entries\000000000004\DisplayString
HKLM\System\CurrentControlSet\Services\WinSock2\Parameters\NameSpace_Catalog5\Catalog_Entries\000000000005\DisplayString
HKLM\System\CurrentControlSet\Services\WinSock2\Parameters\NameSpace_Catalog5\Catalog_Entries\000000000006\DisplayString
HKLM\System\CurrentControlSet\Services\WinSock2\Parameters\WinSock_Registry_Version
HKLM\System\CurrentControlSet\Services\Winsock\Parameters\Transports
HKCR\CLSID\{08728914-3F57-4D52-9E31-49DAECA5A80A}\InProcServer32\(Default)
HKCR\CLSID\{82345212-6ACA-4B38-8CD7-BF9DE8ED07BD}\InProcServer32\(Default)
HKCU\Control Panel\Desktop\MuiCached
HKCU\Software\AppDataLow
HKCU\Software\Classes\CLSID\{08728914-3F57-4D52-9E31-49DAECA5A80A}
HKCU\Software\Classes\CLSID\{4410DC33-BC7C-496B-AA84-4AEA3EEE75F7}\InProcServer32\(Default)
HKCU\Software\Classes\CLSID\{82345212-6ACA-4B38-8CD7-BF9DE8ED07BD}
HKCU\Software\Classes\Local Settings\Software\Microsoft\Ole
HKCU\Software\Clients

It then tries to post the harvested data to attlogistics-vn.com.

IoCs

  • 9e26d68332abb02fb2e80a924f83eb8614afe4e8b841f51c9f82fd0c986d4571
  • attlogistics-vn.com

SonicWall Capture Labs provides protection against this threat via the following signature:

  • GAV : Autoit.Covid.D

This threat is also detected by SonicWall Capture ATP w/RTDMI and the Capture Client endpoint solutions.

Fake Aarogya Setu Android apps harbor spyware capabilities

 

A number of countries have developed COVID-19 contact-tracing apps over the last few months. Aarogya Setu is India's official COVID-19 tracking mobile application. It crossed five million downloads within three days of its launch, which makes it widely popular in India and, for the same reason, an attractive lure for malware authors.

SonicWall Capture Labs threat research team observed fake Aarogya Setu apps with spyware components in the wild. Here are a few highlights from our findings:

CASE I

  • Md5: e5e44ac40123023eebd5caf9662f05d1, bfa19e91bb4b25d34ac10ad7b9fc5df2
  • App Name: Aarogya Setu
  • Package Name: cmf0.c3b5bm90zq.patch

There are a number of fake apps that share the package name cmf0.c3b5bm90zq.patch.

The malware author reuses the same code for most of these apps and spreads them by re-branding the icon and application name. In this case the app masquerades as the legitimate Aarogya Setu app, but the copy is not perfect: the icon appears stretched and is easy to spot when placed side by side with the legitimate app.

Upon execution nothing is shown on screen, and after some time the app icon disappears from the app drawer. The app contains a reference to the domain johnnj2-37916.portmap.io in its patch_preferences.xml file. During our analysis the malware did not try to communicate with this domain, but the domain is linked to other malicious apps.

CASE II

  • Md5: bbe84ba545d652d9e06635a6e89d48b5
  • App Name: Aarogya Setu – AddOn
  • Package Name: yps.eton.application

Similar to Case I, there are a number of fake apps with the package name yps.eton.application.

This app masquerades as an Aarogya Setu add-on, even though no such official app exists. Upon installation and execution it requests Device Admin privileges and asks the victim to allow installation of apps from this source. It then installs the legitimate Aarogya Setu app from its resources folder (MD5: 4181352b37cd4ee809fa83390d3cc228), which makes it appear less suspicious to the user.

CASE III

  • Md5: df5698d5aef850b217cbbfa9789bd347
  • App Name: Aarogya Setu
  • Package Name: com.android.tester

In this case the malware writers have copied the legitimate Aarogya Setu icon accurately. With both the malicious and the legitimate app installed, telling them apart by their icons is difficult.

We did not observe network activity during our analysis session, but an XML file belonging to the app records the IP address and port 204.48.26.131:29491. This address is connected with another malicious Android app.

Common Goals

All three apps contain spyware capabilities, and each contains code similar to the Android spyware SpyNote. We have blogged about SpyNote malware masquerading as legitimate apps in the past. A recap of this spyware's capabilities:

  • Make phone calls
  • Record audio
  • Send SMS
  • Take photos from the camera
  • Record videos from the camera
  • Record keystrokes (keylogger)
  • Check if the device is rooted
  • Start the spyware each time the device reboots

 

Deception

A common trend across these malicious apps is that the legitimate Aarogya Setu app is piggybacked in the resources folder as google.apk (MD5: 4181352b37cd4ee809fa83390d3cc228).

Some of these malicious apps install the legitimate app in the background. This leads the user to believe they installed the legitimate app, while in reality the malicious app carries out its functions unnoticed.

If the user removes the Aarogya Setu app by long-pressing its icon and choosing uninstall, only the legitimate app is removed; the malicious app remains on the device. It has to be removed through Settings > Apps > Uninstall, and for the samples that obtained Device Admin privileges that privilege must first be revoked in the device administrator settings, since Android refuses to uninstall an active device administrator. This trick has the potential to fool a number of users who are not vigilant.
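A quick triage check for this piggybacking trick is to open a suspicious APK as a zip archive, look for nested archives that themselves carry an AndroidManifest.xml and a classes.dex, and hash them for comparison with the legitimate app. The script below is an added example, not SonicWall's tooling: the embedded-APK heuristic and the constructed dropper built by build_fake_apk are assumptions made for the example; the only value taken from the write-up is the MD5 of the bundled google.apk.

```python
"""Find APKs piggybacked inside another APK and fingerprint them.

Added example, not SonicWall's tooling. An APK is a zip file, so a dropper that
carries a second APK under res/raw or assets can be spotted by walking every
entry, testing whether it is itself an APK, and hashing the ones that are.
"""
import hashlib
import io
import zipfile

# MD5 the write-up reports for the legitimate Aarogya Setu APK carried as google.apk.
KNOWN_GOOD_AAROGYA_SETU_MD5 = "4181352b37cd4ee809fa83390d3cc228"


def looks_like_apk(data):
    """True if `data` is a zip that carries an Android manifest and at least one dex file."""
    if not data.startswith(b"PK\x03\x04"):  # local file header magic of a non-empty zip
        return False
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            names = set(zf.namelist())
    except zipfile.BadZipFile:
        return False
    return "AndroidManifest.xml" in names and any(n.endswith(".dex") for n in names)


def find_embedded_apks(apk_bytes):
    """Return [(entry_name, md5, matches_known_good)] for every nested APK in the outer APK."""
    found = []
    with zipfile.ZipFile(io.BytesIO(apk_bytes)) as outer:
        for info in outer.infolist():
            if info.is_dir():
                continue
            data = outer.read(info)  # decompressed entry bytes, i.e. the nested file as dropped
            if looks_like_apk(data):
                digest = hashlib.md5(data).hexdigest()
                found.append((info.filename, digest, digest == KNOWN_GOOD_AAROGYA_SETU_MD5))
    return found


def _make_zip(entries):
    """Build an in-memory zip from {name: bytes}."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        for name, content in entries.items():
            zf.writestr(name, content)
    return buf.getvalue()


def build_fake_apk(inner=b""):
    """Constructed test data: a minimal dropper-shaped APK with a payload under res/raw/google.apk.
    Not a real sample; the manifest is plain text rather than Android binary XML."""
    if not inner:
        inner = _make_zip({"AndroidManifest.xml": b"<manifest/>", "classes.dex": b"dex\n035"})
    return _make_zip({
        "AndroidManifest.xml": b"<manifest package='cmf0.c3b5bm90zq.patch'/>",
        "classes.dex": b"dex\n035",
        "res/raw/google.apk": inner,          # piggybacked payload
        "res/drawable/icon.png": b"\x89PNG",  # not a zip; must be ignored
    })


if __name__ == "__main__":
    for name, md5, known_good in find_embedded_apks(build_fake_apk()):
        status = "matches legitimate Aarogya Setu" if known_good else "unknown hash"
        print(f"embedded APK {name}: md5={md5} ({status})")
```

Run it against a real sample by replacing build_fake_apk() with the bytes of the APK under analysis; an embedded APK whose hash matches the legitimate app is exactly the "install the real app in the background" pattern described above, and one with an unknown hash deserves the same scrutiny as the outer file.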

 

SonicWall Capture Labs provides protection against this threat with the following signatures:

  • AndroidOS.SpyNote.GN
  • AndroidOS.SpyNote.SP
  • AndroidOS.SpyNote.SC