
The SonicWall Capture Labs threat research team has observed reports of spam inviting recipients to view an “image” in which they are supposedly present. The “image”, which in our case was named IMG148150.jpg.js, is actually a file containing malicious JavaScript downloader code. Once executed, it downloads Avaddon and runs it in the background.

 

Infection Cycle:

 

IMG148150.jpg.js contains the following script:

 

Upon running the script, sava.exe is downloaded from hxxp://217.8.117.63/sava.exe and executed.  It displays the following message on the desktop background:

 

The following commands are run to remove shadow copies on the system:

  • wmic.exe SHADOWCOPY /nointeractive
  • vssadmin.exe Delete Shadows /All /Quiet
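An added example, not part of the original post: a small Python detector that runs over constructed process-creation records (a Sysmon Event ID 1 field subset) and flags the two shadow-copy deletion command lines above, escalating when a single parent process issues both forms. The event records, PIDs and parent names are constructed for the example.

```python
import re
from collections import defaultdict

# Constructed sample process-creation events (Sysmon Event ID 1 field subset).
# These are made-up records for the example, not telemetry from the original post.
SAMPLE_EVENTS = [
    {"pid": 4120, "parent": "sava.exe",
     "cmdline": "wmic.exe SHADOWCOPY /nointeractive"},
    {"pid": 4136, "parent": "sava.exe",
     "cmdline": "vssadmin.exe Delete Shadows /All /Quiet"},
    {"pid": 2200, "parent": "explorer.exe",
     "cmdline": "vssadmin.exe list shadows"},              # benign: read-only query
    {"pid": 2300, "parent": "svchost.exe",
     "cmdline": "wmic.exe os get caption"},                # benign: inventory query
    {"pid": 2400, "parent": "cmd.exe",
     "cmdline": 'cmd.exe /c "VSSADMIN delete shadows /all /quiet"'},
]

# Each rule is (name, compiled pattern). Matching is case-insensitive because the
# Windows shell is, and the binaries are matched with an optional ".exe" suffix.
RULES = [
    ("vssadmin_delete_shadows",
     re.compile(r"\bvssadmin(?:\.exe)?\b.*\bdelete\b.*\bshadows\b", re.I)),
    ("wmic_shadowcopy",
     re.compile(r"\bwmic(?:\.exe)?\b.*\bshadowcopy\b.*(?:\bdelete\b|/nointeractive)", re.I)),
]


def match_rules(cmdline: str) -> list:
    """Return the names of all rules that fire on one command line."""
    normalized = " ".join(cmdline.split())          # collapse whitespace runs
    return [name for name, pattern in RULES if pattern.search(normalized)]


def scan(events) -> list:
    """Run every rule over every event; one alert per (event, rule) pair."""
    alerts = []
    for ev in events:
        for rule in match_rules(ev["cmdline"]):
            alerts.append({"pid": ev["pid"], "parent": ev["parent"], "rule": rule})
    return alerts


def parents_with_multiple_rules(alerts) -> set:
    """Parents that used more than one distinct shadow-copy deletion technique.

    A lone vssadmin call may be an administrator; a process that issues both the
    wmic and the vssadmin form back to back looks like the pre-encryption step
    described above and deserves a higher-severity alert.
    """
    rules_by_parent = defaultdict(set)
    for alert in alerts:
        rules_by_parent[alert["parent"]].add(alert["rule"])
    return {parent for parent, rules in rules_by_parent.items() if len(rules) > 1}


if __name__ == "__main__":
    found = scan(SAMPLE_EVENTS)
    for alert in found:
        print(f"pid={alert['pid']:<5} parent={alert['parent']:<13} rule={alert['rule']}")
    print("high-severity parents:", parents_with_multiple_rules(found))
```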

 

Files on the system are then encrypted by the malware. 431680-readme.html is copied into every directory containing encrypted files. 431680-readme.html contains the following page:

 

avaddonbotrxmuyl.onion leads to the following page hosted on the Tor network:

 

After entering the ID provided in the html page, the following page is presented asking for $500 USD in Bitcoin to be paid to 32rmhhgJaCDEaB2RGv3joCc5K75niYtxZ5:

 

The site provides a chat interface in order to communicate with the operators and possibly negotiate.  We tried to reach out to the operators using this interface but received no response:

 

SonicWall Capture Labs provides protection against this threat via the following signatures:

  • GAV: BitsAdmin.N (Trojan)
  • GAV: Avaddon.RSM (Trojan)

This threat is also detected by SonicWALL Capture ATP w/RTDMI and the Capture Client endpoint solutions.

New wave of malicious XLS files spreading Zloader

The SonicWall Capture Labs Threat Research Team has observed a new wave of malicious Excel files distributing Zloader.

From the onset of 2020, we have observed malware campaigns using the Macro 4 feature available in Microsoft Excel, which we have written about in our previous blog posts.

Thus far, the malicious Excel files used to spread Zloader have had the following characteristics:

  • Two sheets: some had one visible sheet and one hidden sheet, whereas in others both sheets were visible;
  • The Auto_Open name is not visible in the Name Manager dialog box; and
  • The Excel built-in functions CHAR or MID were used on cell data, which was later joined with the concatenation operator ‘&’ to construct further instructions.

Fig-1: Excel file used earlier by Zloader

Transformations observed in this new wave of MS-Excel files:

  • The workbook has more than two sheets, with one visible worksheet; the remaining sheets, including a macro sheet, are hidden;
  • Auto_Open is visible in the Name Manager dialog box; and
  • Data is simply retrieved from cells and joined using a concatenation operator to construct further instructions.

This re-modelling gives the file a more legitimate appearance.


Fig-2: Excel with visible and hidden sheets


Fig-3: Auto_Open name visible in Name Manager dialog box

 

Fig-4: Plain cell data reading and concatenation

 

These files were created on 3 or 4 June 2020, which indicates how fresh the samples are and how effective RTDMI detection is.

 


Fig-5: RTDMI Detection

Indicators Of Compromise:

SHA256 of Malicious MS-Excel files:


Network Connectivity:

  • https://destgrena[.]at/3/tsk.dll

SHA256 of payload:


 

Cybersecurity News & Trends – 06-05-20

This week, cybercriminals took a more hands-on approach, a new breed of ransomware bided its time, and computers got too hot to handle.


SonicWall Spotlight

Test Platform Leaks Bank Of America Clients’ Covid-19 PPP Loan Applications — SC Magazine

  • Bank of America has disclosed that its third-party test platform briefly exposed Paycheck Protection Program applications to outside parties. According to SonicWall’s Dmitriy Ayrapetov, the leak was due to a rushed effort by the bank to finish the data platform, resulting in holes in its security.

Boundless Cybersecurity For The New Work Reality — SC Magazine

  • The adoption of work-from-home has moved us into a hyper-distributed IT landscape. With 100-percent-remote employees conducting online meetings and connecting via email, mobile and cloud, the perimeter has vanished into a multitude of endpoints spread across the globe.

Cybersecurity News

New Tycoon ransomware targets both Windows and Linux systems — Bleeping Computer

  • A new human-operated ransomware strain is being deployed in highly targeted attacks on small- to medium-size organizations in the software and education industries.

Large-scale attack tries to steal configuration files from WordPress sites — ZDNet

  • In an attempt to steal database credentials, attackers tried to download configuration files from WordPress via old vulnerabilities in unpatched plugins.

‘Scorching-hot hacked computer burned my hand’ — BBC

  • At least a dozen supercomputers across Europe had to be shut down last week due to cryptojacking attacks. One individual found out the hard way that his was one of them.

USBCulprit malware targets air-gapped systems to steal govt info — Bleeping Computer

  • The newly revealed USBCulprit malware is designed for compromising air-gapped devices via USB.

Cybersecurity warning: Hackers are targeting your smartphone as way into the company network — ZDNet

  • Campaigns targeting smartphones have risen by a third in just a few months, many with the end goal of opening a portal to corporate networks.

Denial of service attacks against advocacy groups skyrocket — Cyberscoop

  • A new report suggests that advocacy sites are being targeted at a rate more than four times that of U.S. government websites such as police and military organizations.

Ransomware gang says it breached one of NASA’s IT contractors — ZDNet

  • DopplePaymer ransomware gang claims to have breached DMI, a major U.S. IT and cybersecurity provider and a NASA IT contractor.

Anonymous, aiming for relevance, spins old data as new hacks — Cyberscoop

  • The group is trying to use the nationwide protests to draw attention to data that was stolen years ago.

Apple fixes bug that could have given hackers full access to user accounts — Ars Technica

  • Sign In With Apple — a privacy-enhancing tool that lets users log in to third-party apps without revealing their email addresses — just fixed a bug that made it possible for attackers to gain unauthorized access to those same accounts.

Suspected Hacker Faces Money Laundering, Conspiracy Charges — Bank Info Security

  • According to the U.S. Department of Justice, a New York City man is facing federal charges after being arrested at John F. Kennedy Airport with a PC allegedly containing thousands of stolen credit card numbers.

An advanced and unconventional hack is targeting industrial firms — Ars Technica

  • Attackers are putting considerable skill and effort into penetrating industrial companies in multiple countries, with hacks that use multiple evasion mechanisms, an innovative encryption scheme, and exploits that are customized for each target.

PonyFinal Ransomware Targets Enterprise Servers Then Bides Its Time — Threat Post

  • Microsoft has warned of a new breed of “patient” ransomware that lurks in networks for weeks before striking.

In Case You Missed It

Oracle WebLogic insecure deserialization vulnerability actively being exploited in the wild

An insecure deserialization vulnerability has been reported in Oracle WebLogic. This vulnerability is due to insufficient validation of user requests. A remote, unauthenticated attacker can exploit this vulnerability by sending a crafted request to a vulnerable server. Successful exploitation can result in arbitrary code execution under the security context of the affected server.

Oracle WebLogic is one of the most widely used Java application servers. It helps build and deploy large enterprise Java applications.

Serialization is the process of translating application data such as objects into a binary format that can be stored and reused by the same application or transmitted over the network to be used by another application.

Deserialization is the reverse of that process: it takes data structured in some format and rebuilds it into an object. After deserialization, the serialized object should be fully reconstructed.

Insecure deserialization is a vulnerability that occurs when user-supplied data is deserialized without being sanitized or validated properly. The untrusted data can be used to abuse the logic of an application, cause a denial of service (DoS), or even achieve arbitrary remote code execution once it is deserialized. Attackers therefore craft the serialized data, and the impact depends on what the application code does with it.

CVE-2020-2883:

The vulnerable class is ReflectionExtractor in the Coherence library coherence.jar.

This vulnerability is due to a lack of filtering on deserialization of the ReflectionExtractor class from the Coherence library bundled with WebLogic. WebLogic's deserialization filter ensures that dangerous classes are not deserialized by checking them against a blacklist; any class that is not on the blacklist is allowed through. In this case, the Coherence ReflectionExtractor class includes a potentially dangerous method, extract(), which accepts an arbitrary object as a parameter and invokes a method on it, allowing the invocation of an arbitrary method. A remote, unauthenticated attacker can exploit this vulnerability by sending a serialized request that contains a ReflectionExtractor Java object.
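To make the blacklist-versus-allowlist point concrete, here is an added example that is not WebLogic's or Coherence's code: it uses Python's pickle module instead of Java serialization, with a made-up ReportExtractor class standing in for a library type that is not on the deny list but was never meant to arrive from a client. A deny-list filter admits it; a filter that resolves only the types the endpoint expects does not.

```python
import io
import pickle


class Point:
    """A type the application legitimately expects to receive from clients."""
    def __init__(self, x: int, y: int):
        self.x, self.y = x, y


class ReportExtractor:
    """Made-up stand-in for the role ReflectionExtractor plays in the text: a class
    shipped in a bundled library, absent from every deny list, and never meant to
    be instantiated from client-supplied bytes."""
    def __init__(self, method_name: str):
        self.method_name = method_name


# Types defined in this module, resolved locally so neither unpickler has to
# re-import the module by name.
LOCAL_TYPES = {
    (Point.__module__, "Point"): Point,
    (ReportExtractor.__module__, "ReportExtractor"): ReportExtractor,
}

# Deny-list policy (the approach the text describes): name the modules known to be
# dangerous and let everything else through.
DENYLIST = {"os", "subprocess", "builtins", "shutil", "socket"}

# Allow-list policy: name only the types this endpoint actually needs.
ALLOWLIST = {(Point.__module__, "Point")}


class DenylistUnpickler(pickle.Unpickler):
    def find_class(self, module: str, name: str):
        if module.split(".")[0] in DENYLIST:
            raise pickle.UnpicklingError(f"denied: {module}.{name}")
        # Anything not explicitly denied is resolved, including ReportExtractor.
        return LOCAL_TYPES.get((module, name)) or super().find_class(module, name)


class AllowlistUnpickler(pickle.Unpickler):
    def find_class(self, module: str, name: str):
        if (module, name) not in ALLOWLIST:
            raise pickle.UnpicklingError(f"not permitted: {module}.{name}")
        return LOCAL_TYPES.get((module, name)) or super().find_class(module, name)


POLICIES = {"denylist": DenylistUnpickler, "allowlist": AllowlistUnpickler}


def deserialize(data: bytes, policy: str):
    """Return (accepted, obj); obj is None when the policy rejected the stream."""
    try:
        return True, POLICIES[policy](io.BytesIO(data)).load()
    except pickle.UnpicklingError:
        return False, None


def sample_streams() -> dict:
    """Constructed serialized inputs: one expected type, one unexpected library type."""
    return {
        "expected": pickle.dumps(Point(1, 2)),
        "unexpected": pickle.dumps(ReportExtractor("extract")),
    }


def compare_policies() -> dict:
    """Which streams each policy accepts; only the unexpected type splits the two."""
    streams = sample_streams()
    return {policy: {label: deserialize(data, policy)[0]
                     for label, data in streams.items()}
            for policy in POLICIES}


if __name__ == "__main__":
    for policy, outcome in compare_policies().items():
        print(f"{policy:<9} {outcome}")
```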

A quick search on Shodan reveals a little over 4,600 Oracle WebLogic servers available online. These servers are mostly located in the U.S., China, Iran, Germany and India. The majority of them run unpatched versions that can be exploited by unauthenticated attackers.

Oracle WebLogic Server versions 10.3.6, 12.1.3, 12.2.1.3, and 12.2.1.4 are affected by this vulnerability.

Fix:
This issue is addressed in the Oracle’s April 2020 critical patch update.

SonicWall Capture Labs Threat Research team provides protection against this exploit with the following signatures:

IPS: 15000 Oracle WebLogic Server Insecure Deserialization 19
IPS: 15025 Oracle WebLogic Server Insecure Deserialization 20

Cybersecurity News & Trends – 05-29-20

This week, a lot’s been up—including data loss, ransom demands, white-hat bounties, VPN sales and more.


SonicWall Spotlight

Test Platform Leaks Bank of America Clients’ COVID-19 PPP Loan Applications — SC Magazine

  • BoA said the platform was designed to test application submissions to the Small Business Administration — but the company soon realized client docs could be viewed by other lenders and third parties.

SonicWall’s Labs Threat Research Team Spot fake Aarogya Setu App Carrying Spyware Components — CRN India

  • After the Covid-19 tracking app reached five million downloads within its first three days, it became a target for malware creators. According to SonicWall Labs Threats research team, fake Aarogya Setu apps containing spyware are now in circulation.

New Ransomware Is Spreading That Charges $1,300 In Bitcoin — Decrypt

  • SonicWall researchers have discovered a new ransomware called Instabot that asks for ransom in bitcoin—and includes video instructions and a step-by-step manual to “help” victims comply.

Cybersecurity News

Israeli cyber chief: Major attack on water systems thwarted – The Washington Times

  • According to Israel’s national cyber chief, the country has thwarted a major cyberattack against its water systems, and it’s believed that Iran is behind it.

Ransomware’s big jump: ransoms grew 14 times in one year – Bleeping Computer

  • Ransomware has become one of the most insidious threats in the past few years, and the demands continue to climb: According to Bleeping Computer, ransom demands for more than $1 million are no longer rare.

Data Loss Spikes Under COVID-19 Lockdowns – Dark Reading

  • Two new reports suggest a massive gap between how organizations have prepared their cybersecurity defenses and the reality of their effectiveness.

DHS’s cyber division has stepped up protections for coronavirus research, official says – Cyberscoop

  • “I just want you to know that we have stepped up our protections of HHS and CDC,” Bryan Ware told industry representatives Friday.

New Octopus Scanner malware spreads via GitHub supply chain attack – Bleeping Computer

  • Security researchers have found a new malware that finds and backdoors open-source NetBeans projects hosted on the GitHub web-based code hosting platform to spread to Windows, Linux, and macOS systems.

Hong Kong demand for VPNs surges on heels of China’s plan for national security laws – Reuters

  • Demand for virtual private networks in Hong Kong surged more than six-fold last Thursday as Beijing proposed tough new national security laws that some say could impact internet privacy.

States plead for cybersecurity funds as hacking threat surges – The Hill

  • Cash-short state and local governments are pleading with Congress to send them funds to shore up their cybersecurity as hackers look to exploit the crisis by targeting overwhelmed government offices.

$100 million in bounties paid by HackerOne to ethical hackers – Bleeping Computer

  • Bug bounty platform HackerOne announced that it has paid out $100,000,000 in rewards to white-hat hackers around the world.

‘Turla’ spies have been stealing documents from foreign ministries in Eastern Europe, researchers find – Cyberscoop

  • According to researchers, a notorious group of suspected Russian hackers have used a revamped tool to spy on governments in Eastern Europe and quietly steal sensitive documents from their networks.

Ransomware deploys virtual machines to hide itself from antivirus software – ZDNet

  • The operators of the RagnarLocker ransomware are running Oracle VirtualBox to hide their presence on infected computers inside a Windows XP virtual machine.

In Case You Missed It

DragonCyber ransomware actively spreading in the wild

The SonicWall Capture Labs Threat Research Team observed reports of a new variant family of DragonCyber ransomware [DRAGON.RSM] actively spreading in the wild.

The DragonCyber ransomware encrypts the victim’s files with a strong encryption algorithm until the victim pays a fee to get them back.

Infection Cycle:

The ransomware adds the following files to the system:

  • Malware.exe
    • %App.path%\[Name].<dc>

 

Once the computer is compromised, the ransomware runs the following commands:

The ransomware encrypts all the files and appends the [dc] extension onto each encrypted file’s filename.

After encrypting all personal documents, the ransomware shows the following picture, containing a message that reports the computer has been encrypted and tells the victim to contact its developer for unlock instructions.

We have been monitoring varying hits over the past few days for the signature that blocks this threat:

SonicWall Capture Labs threat research team provides protection against this threat via the following signature:

  • GAV: DRAGON.RSM (Trojan)

This threat is also detected by SonicWall Capture ATP w/RTDMI and the Capture Client endpoint solutions.

Coinminer employing LOLBins and distributed with multiple unstained components

The SonicWall Capture Labs Threat Research team has observed a coin miner that uses a multi-component approach.

 

Infection Cycle

The malware is delivered to victims as a self-extracting archive that drops the following two files:

  • nur.bat
  • wmine.exe (GNU wget tool)

nur.bat runs first; it arranges for additional malware to be downloaded and executed, and also removes infection footprints. It uses wmine.exe to download an OS-specific additional malware file from a remote location:

  • noloadXP.exe (Windows XP)
  • noloadnof.cab (OSes above XP)

noloadnof.cab contains a Base64-encoded executable named “noloadn.crt”, which is decoded onto local storage as noloadn.exe and then executed.

 

The following command is used to decode noloadn.crt into noloadn.exe:

  • certutil.exe -decode noloadn.crt noloadn.exe

Here noloadn.exe is an archive packed with UPX 3.95. It contains the files grim20.ime, grim40.ime, inst.bat, intl.bat, intlu.exe, mnzk12.dat, msletni.ime, nirco.exe, Resmin.exe, restr.exe, Ring and vget.exe.
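As an added illustration, not the malware's own code or SonicWall's tooling: a small triage helper that performs the same decoding certutil -decode does on a .crt-style wrapper and then checks what the decoded bytes really are, so a “certificate” that is actually a PE image or a cab file is named as such. The sample blob is constructed inline (a minimal fake PE header), not the actual noloadn.crt.

```python
import base64
import binascii
import re
import struct


def _fake_pe_bytes() -> bytes:
    """Constructed sample payload: only the DOS/PE header bytes a triage check reads."""
    dos_header = bytearray(64)
    dos_header[0:2] = b"MZ"
    struct.pack_into("<I", dos_header, 0x3C, 64)   # e_lfanew: PE signature at offset 64
    return bytes(dos_header) + b"PE\0\0" + b"\0" * 20


def certutil_encode(raw: bytes, label: str = "CERTIFICATE") -> str:
    """Wrap bytes the way certutil -encode does: PEM header, 64-column base64, footer."""
    body = base64.b64encode(raw).decode("ascii")
    lines = [body[i:i + 64] for i in range(0, len(body), 64)]
    return f"-----BEGIN {label}-----\n" + "\n".join(lines) + f"\n-----END {label}-----\n"


# Constructed sample of what a noloadn.crt-style file looks like on disk
# (made-up data, not the file from the original post).
SAMPLE_CRT = certutil_encode(_fake_pe_bytes())

PEM_BLOCK = re.compile(r"-----BEGIN ([^-]+)-----\s*(.*?)\s*-----END \1-----", re.S)


def decode_certutil_blob(text: str) -> bytes:
    """Recover the raw bytes a `certutil -decode` call would write to disk.

    The BEGIN/END lines are stripped when present; otherwise the whole text is
    treated as bare base64. Invalid base64 raises binascii.Error.
    """
    match = PEM_BLOCK.search(text)
    body = match.group(2) if match else text
    return base64.b64decode(re.sub(r"\s+", "", body), validate=True)


def classify_payload(raw: bytes) -> str:
    """Name what the decoded bytes actually are, whatever the extension claims."""
    if raw[:2] == b"MZ" and len(raw) >= 0x40:
        pe_off = struct.unpack_from("<I", raw, 0x3C)[0]
        if raw[pe_off:pe_off + 4] == b"PE\0\0":
            return "pe-executable"
        return "dos-executable"
    if raw[:4] == b"MSCF":                    # Microsoft cabinet, as grim*.ime decode to
        return "cab-archive"
    if raw[:2] == b"\x30\x82":                # DER SEQUENCE with 2-byte length: a real cert
        return "der-certificate"
    return "unknown"


def triage(text: str) -> dict:
    """Decode a .crt-style file and report whether it is a certificate or a payload."""
    try:
        raw = decode_certutil_blob(text)
    except (binascii.Error, ValueError):
        return {"decodable": False, "kind": None, "size": 0}
    return {"decodable": True, "kind": classify_payload(raw), "size": len(raw)}


if __name__ == "__main__":
    print(triage(SAMPLE_CRT))      # a "certificate" that is really a PE image
```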

 

Additional file information:

  • Resmin.exe and restr.exe are archive files, while grim20.ime, grim40.ime and msletni.ime are encoded cab files that are later decoded with the certutil tool, which spawns executables out of them.
  • vget.exe is the same non-interactive network retriever (GNU Wget) as wmine.exe; the malware author simply renamed the Wget tool as wmine.exe and vget.exe.
  • nirco.exe is nothing but the NirCmd tool. By running NirCmd with simple command-line options, you can write and delete values and keys in the Registry, write values into an INI file, dial to your internet account or connect to a VPN network, restart Windows or shut down the computer, create a shortcut to a file, change the created/modified date of a file, change your display settings, turn off your monitor, open the door of your CD-ROM drive, and more.
  • Ring is a .sys file which is later moved to the system32 folder and renamed “WinRing0x64.sys”.

 

 

Fig1: commands present in nur.bat

 

 

Fig2: Relationship between coin miner’s multiple components


System modifications

The following modifications are observed on the system after execution:

Files added:

 

Registries added:

 

SonicWall Capture Labs provides protection against this threat with the following signature:

  • GAV: Cheetah.MNR

 

Indicators of Compromise (IOC):  

  • MD5: 12154f30058cbdf167ed9d7eb1438ebe
  • SHA256: 4845254ed0e2d162d0e3bb95323ef106bd75bf24dc6d7b2371bab6704ae1c13c

The following are the multiple components dropped by the malware:


Cybersecurity News & Trends – 05-22-20

This week, cybersecurity news was thrust into the fray, with clashes between scammers and vigilante hackers, between conspiracy theorists and cell-phone towers, and between REvil and a number of high-profile celebrities.


SonicWall Spotlight

DeskFlix: SonicWall channel director on COVID-19 cybersecurity challenges — CRN UK

  • Mike Awford discusses the ways SonicWall has supported partners through the migration to remote working.

EasyJet Hack: Passenger Data Could be Sold on Dark Web After Major Cyber Attack, Experts Warn — The Independent

  • Based on similar attacks in the past, SonicWall’s VP EMEA Terry Greer-King discusses what could happen to customers’ data once it hits the Dark Web.

SonicWall Capture Labs Threat Research Teams Uncovers New Variant of Raccoon Stealer — CXO Today

  • SonicWall has reported a new variant of Raccoon stealer malware, version 1.5, which has been used in a malicious COVID-19 campaign.

Cybersecurity News

ShinyHunters Is a Hacking Group on a Data Breach Spree — Wired

  • In May, ShinyHunters began selling 200 million stolen records from over a dozen companies … and they claim this is just Stage 1.

Beware of phishing emails urging for a LogMeIn security update — Help-Net Security

  • The email appears to be legitimate correspondence from LogMeIn, including company logo, spoofed sender identity and a link that appears legitimate.

Vigilante hackers target scammers with ransomware, DDoS attacks — Bleeping Computer

  • A hacker has been taking justice into their own hands by targeting “scam” companies with ransomware and denial of service attacks.

Tech Chiefs Press Cloud Suppliers for Consistency on Security Data — The Wall Street Journal

  • Each cloud company offers its own process on cybersecurity and governance, creating added work for customers.

Cell-tower attacks by idiots who claim 5G spreads COVID-19 reportedly hit US — Ars Technica

  • Wireless telecom providers are being warned to boost security as 5G conspiracy theorists ramp up attacks on cell towers and telecommunications workers.

Microsoft warns of ‘massive’ phishing attack pushing legit RAT — Bleeping Computer

  • Microsoft is warning of an ongoing COVID-19 themed phishing campaign that spreads via malicious Excel attachments.

Supercomputers hacked across Europe to mine cryptocurrency — ZDNet

  • Multiple supercomputers across Europe have been shut down to investigate cryptocurrency mining malware infections.

Microsoft opens up coronavirus threat data to the public — Cyberscoop

  • Microsoft has announced plans to make threat intelligence it collected on COVID-19-related hacking campaigns public.

NetWalker adjusts ransomware operation to only target enterprise — Bleeping Computer

  • NetWalker ransomware group is moving away from phishing for malware distribution and has adopted a network-intrusion model focusing on huge businesses only.

REvil Ransomware found buyer for Trump data, now targeting Madonna — Bleeping Computer

  • After breaching a prominent law firm, the REvil ransomware group is holding the personal information of high-profile celebrities for ransom.

In Case You Missed It

Infostealer Trojan hides in Covid-19 related email attachments

Attackers are taking advantage of COVID-19 fear and spreading malware through COVID-19 informational email attachments. As many states are still under shelter-at-home orders, people tend to read any information regarding new guidelines from medical authorities.
This particular trojan is delivered through an email posing as coming from the CDC (Centers for Disease Control).

Infection cycle :

The malicious attachment is a 32-bit PE file. Upon execution it sets about gathering information from the affected system.

It creates a file and a process named dllhost.exe.

It collects system information:

  • Tries to read sensitive data of web browsers: Mozilla Firefox, Google Chrome, QtWeb Internet Browser and Internet Explorer / Edge.
  • Reads installed programs by enumerating the SOFTWARE registry key.

 

The following are some of the files it tried to access:

C:\Program Files (x86)\Automize7\data\settings\ftpProfiles-j.jsd
C:\Program Files (x86)\Automize7\data\settings\sshProfiles-j.jsd
C:\Program Files (x86)\Automize7\encPwd.jsd
C:\Program Files (x86)\Automize8\data\settings\ftpProfiles-j.jsd
C:\Program Files (x86)\Automize8\data\settings\sshProfiles-j.jsd
C:\Program Files (x86)\Automize8\encPwd.jsd
C:\Program Files (x86)\Automize9\data\settings\ftpProfiles-j.jsd
C:\Program Files (x86)\Automize9\data\settings\sshProfiles-j.jsd
C:\Program Files (x86)\Automize9\encPwd.jsd
C:\Program Files (x86)\DeluxeFTP\sites.xml
C:\Program Files (x86)\EasyFTP\data
C:\Program Files (x86)\FTP Now\sites.xml
C:\Program Files (x86)\FTPGetter\Profile\servers.xml
C:\Program Files (x86)\FTPShell\ftpshell.fsi
C:\Program Files (x86)\Fastream NETFile\My FTP Links
C:\Program Files (x86)\FileZilla\Filezilla.xml
C:\Program Files (x86)\Foxmail\mail
C:\Program Files (x86)\FreshWebmaster\FreshFTP\FtpSites.SMF
C:\Program Files (x86)\GoFTP\settings\Connections.txt
C:\Program Files (x86)\JaSFtp10\data\settings\ftpProfiles-j.jsd
C:\Program Files (x86)\JaSFtp10\data\settings\sshProfiles-j.jsd
C:\Program Files (x86)\JaSFtp10\encPwd.jsd
C:\Program Files (x86)\JaSFtp11\data\settings\ftpProfiles-j.jsd
C:\Program Files (x86)\JaSFtp11\data\settings\sshProfiles-j.jsd
C:\Program Files (x86)\JaSFtp11\encPwd.jsd
C:\Program Files (x86)\JaSFtp12\data\settings\ftpProfiles-j.jsd
C:\Program Files (x86)\JaSFtp12\data\settings\sshProfiles-j.jsd
C:\Program Files (x86)\JaSFtp12\encPwd.jsd
C:\Program Files (x86)\JaSFtp13\data\settings\ftpProfiles-j.jsd
C:\Program Files (x86)\JaSFtp13\data\settings\sshProfiles-j.jsd
C:\Program Files (x86)\JaSFtp13\encPwd.jsd
C:\Program Files (x86)\JaSFtp14\data\settings\ftpProfiles-j.jsd
C:\Program Files (x86)\JaSFtp14\data\settings\sshProfiles-j.jsd
C:\Program Files (x86)\JaSFtp14\encPwd.jsd
C:\Program Files (x86)\oZone3D\MyFTP\myftp.ini
C:\Program Files\NETGATE\Black Hawk
C:\ProgramData\NetDrive2\drives.dat
C:\ProgramData\Syncovery
C:\Softwarenetz\Mailing\Daten\mailing.vdt
C:\Users\IEUser\.config\fullsync\profiles.xml
C:\Users\IEUser\AppData\Local360Browser\Browser\Default\Login Data
C:\Users\IEUser\AppData\Local360Browser\Browser\Login Data
C:\Users\IEUser\AppData\LocalCatalinaGroup\Citrio\Default\Login Data
C:\Users\IEUser\AppData\LocalCatalinaGroup\Citrio\Login Data
C:\Users\IEUser\AppData\LocalChromium\Default\Login Data
C:\Users\IEUser\AppData\LocalChromium\Login Data
C:\Users\IEUser\AppData\LocalCocCoc\Browser\Default\Login Data
C:\Users\IEUser\AppData\LocalCocCoc\Browser\Login Data
C:\Users\IEUser\AppData\LocalComodo\Chromodo\Default\Login Data
C:\Users\IEUser\AppData\LocalComodo\Chromodo\Login Data
C:\Users\IEUser\AppData\LocalComodo\Dragon\Default\Login Data
C:\Users\IEUser\AppData\LocalComodo\Dragon\Login Data
C:\Users\IEUser\AppData\LocalCoowon\Coowon\Default\Login Data
C:\Users\IEUser\AppData\LocalCoowon\Coowon\Login Data
C:\Users\IEUser\AppData\LocalEpic Privacy Browser\Default\Login Data
C:\Users\IEUser\AppData\LocalEpic Privacy Browser\Login Data
C:\Users\IEUser\AppData\LocalGoogle\Chrome SxS\Default\Login Data
C:\Users\IEUser\AppData\LocalGoogle\Chrome SxS\Login Data
C:\Users\IEUser\AppData\LocalGoogle\Chrome\Default\Login Data
C:\Users\IEUser\AppData\LocalGoogle\Chrome\Login Data
C:\Users\IEUser\AppData\LocalIridium\Default\Login Data
C:\Users\IEUser\AppData\LocalIridium\Login Data
C:\Users\IEUser\AppData\LocalMapleStudio\ChromePlus\Default\Login Data
C:\Users\IEUser\AppData\LocalMapleStudio\ChromePlus\Login Data
C:\Users\IEUser\AppData\LocalMustang Browser\Default\Login Data
C:\Users\IEUser\AppData\LocalMustang Browser\Login Data
C:\Users\IEUser\AppData\LocalNichrome\Default\Login Data
C:\Users\IEUser\AppData\LocalNichrome\Login Data
C:\Users\IEUser\AppData\LocalOrbitum\Default\Login Data
C:\Users\IEUser\AppData\LocalOrbitum\Login Data
C:\Users\IEUser\AppData\LocalRockMelt\Default\Login Data
C:\Users\IEUser\AppData\LocalRockMelt\Login Data
C:\Users\IEUser\AppData\LocalSpark\Default\Login Data
C:\Users\IEUser\AppData\LocalSpark\Login Data
C:\Users\IEUser\AppData\LocalSuperbird\Default\Login Data
C:\Users\IEUser\AppData\LocalSuperbird\Login Data
C:\Users\IEUser\AppData\LocalTitan Browser\Default\Login Data
C:\Users\IEUser\AppData\LocalTitan Browser\Login Data
C:\Users\IEUser\AppData\LocalTorch\Default\Login Data
C:\Users\IEUser\AppData\LocalTorch\Login Data
C:\Users\IEUser\AppData\LocalVivaldi\Default\Login Data
C:\Users\IEUser\AppData\LocalVivaldi\Login Data
C:\Users\IEUser\AppData\LocalYandex\YandexBrowser\Default\Login Data
C:\Users\IEUser\AppData\LocalYandex\YandexBrowser\Login Data
C:\Users\IEUser\AppData\Local\360Browser\Browser\User Data\Default\Login Data
C:\Users\IEUser\AppData\Local\360Browser\Browser\User Data\Default\Web Data
C:\Users\IEUser\AppData\Local\CatalinaGroup\Citrio\User Data\Default\Login Data
C:\Users\IEUser\AppData\Local\CatalinaGroup\Citrio\User Data\Default\Web Data
C:\Users\IEUser\AppData\Local\Chromium\User Data\Default\Login Data
C:\Users\IEUser\AppData\Local\Chromium\User Data\Default\Web Data
C:\Users\IEUser\AppData\Local\CocCoc\Browser\User Data\Default\Login Data
C:\Users\IEUser\AppData\Local\CocCoc\Browser\User Data\Default\Web Data
C:\Users\IEUser\AppData\Local\Comodo\Chromodo\User Data\Default\Login Data
C:\Users\IEUser\AppData\Local\Comodo\Chromodo\User Data\Default\Web Data
C:\Users\IEUser\AppData\Local\Comodo\Dragon\User Data\Default\Login Data
C:\Users\IEUser\AppData\Local\Comodo\Dragon\User Data\Default\Web Data
C:\Users\IEUser\AppData\Local\Coowon\Coowon\User Data\Default\Login Data
C:\Users\IEUser\AppData\Local\Coowon\Coowon\User Data\Default\Web Data
C:\Users\IEUser\AppData\Local\Epic Privacy Browser\User Data\Default\Login Data
C:\Users\IEUser\AppData\Local\Epic Privacy Browser\User Data\Default\Web Data
C:\Users\IEUser\AppData\Local\Google\Chrome SxS\User Data\Default\Login Data
C:\Users\IEUser\AppData\Local\Google\Chrome SxS\User Data\Default\Web Data
C:\Users\IEUser\AppData\Local\Google\Chrome\User Data\Default\Login Data
C:\Users\IEUser\AppData\Local\Google\Chrome\User Data\Default\Web Data
C:\Users\IEUser\AppData\Local\INSoftware\NovaFTP\NovaFTP.db
C:\Users\IEUser\AppData\Local\Iridium\User Data\Default\Login Data
C:\Users\IEUser\AppData\Local\Iridium\User Data\Default\Web Data
C:\Users\IEUser\AppData\Local\MapleStudio\ChromePlus\User Data\Default\Login Data
C:\Users\IEUser\AppData\Local\MapleStudio\ChromePlus\User Data\Default\Web Data
C:\Users\IEUser\AppData\Local\Mustang Browser\User Data\Default\Login Data
C:\Users\IEUser\AppData\Local\Mustang Browser\User Data\Default\Web Data
C:\Users\IEUser\AppData\Local\Nichrome\User Data\Default\Login Data
C:\Users\IEUser\AppData\Local\Nichrome\User Data\Default\Web Data
C:\Users\IEUser\AppData\Local\Orbitum\User Data\Default\Login Data
C:\Users\IEUser\AppData\Local\Orbitum\User Data\Default\Web Data
C:\Users\IEUser\AppData\Local\PokerStars*
C:\Users\IEUser\AppData\Local\QupZilla\profiles\default\browsedata.db
C:\Users\IEUser\AppData\Local\RockMelt\User Data\Default\Login Data
C:\Users\IEUser\AppData\Local\RockMelt\User Data\Default\Web Data
C:\Users\IEUser\AppData\Local\Spark\User Data\Default\Login Data
C:\Users\IEUser\AppData\Local\Spark\User Data\Default\Web Data
C:\Users\IEUser\AppData\Local\Superbird\User Data\Default\Login Data
C:\Users\IEUser\AppData\Local\Superbird\User Data\Default\Web Data
C:\Users\IEUser\AppData\Local\Titan Browser\User Data\Default\Login Data
C:\Users\IEUser\AppData\Local\Titan Browser\User Data\Default\Web Data
C:\Users\IEUser\AppData\Local\Torch\User Data\Default\Login Data
C:\Users\IEUser\AppData\Local\Torch\User Data\Default\Web Data
C:\Users\IEUser\AppData\Local\Vivaldi\User Data\Default\Login Data
C:\Users\IEUser\AppData\Local\Vivaldi\User Data\Default\Web Data
C:\Users\IEUser\AppData\Local\Yandex\YandexBrowser\User Data\Default\Login Data
C:\Users\IEUser\AppData\Local\Yandex\YandexBrowser\User Data\Default\Web Data
C:\Users\IEUser\AppData\Roaming\.purple\accounts.xml
C:\Users\IEUser\AppData\Roaming\BitKinex\bitkinex.ds
C:\Users\IEUser\AppData\Roaming\BlazeFtp\site.dat
C:\Users\IEUser\AppData\Roaming\Conceptworld\Notezilla\Notes8.db
C:\Users\IEUser\AppData\Roaming\Cyberduck
C:\Users\IEUser\AppData\Roaming\DeskSoft\CheckMail
C:\Users\IEUser\AppData\Roaming\Estsoft\ALFTP\ESTdb2.dat
C:\Users\IEUser\AppData\Roaming\FTP Now\sites.xml
C:\Users\IEUser\AppData\Roaming\FTPBox\profiles.conf
C:\Users\IEUser\AppData\Roaming\FTPGetter\servers.xml
C:\Users\IEUser\AppData\Roaming\FTPInfo\ServerList.cfg
C:\Users\IEUser\AppData\Roaming\FTPInfo\ServerList.xml
C:\Users\IEUser\AppData\Roaming\Far Manager\Profile\PluginsData\42E4AEB1-A230-44F4-B33C-F195BB654931.db
C:\Users\IEUser\AppData\Roaming\Fenrir Inc\Sleipnir5\setting\modules\ChromiumViewer\Default\Login Data
C:\Users\IEUser\AppData\Roaming\Fenrir Inc\Sleipnir5\setting\modules\ChromiumViewer\Login Data
C:\Users\IEUser\AppData\Roaming\Fenrir Inc\Sleipnir5\setting\modules\ChromiumViewer\User Data\Default\Login Data
C:\Users\IEUser\AppData\Roaming\Fenrir Inc\Sleipnir5\setting\modules\ChromiumViewer\User Data\Default\Web Data
C:\Users\IEUser\AppData\Roaming\Fenrir Inc\Sleipnir\setting\modules\ChromiumViewer\Default\Login Data
C:\Users\IEUser\AppData\Roaming\Fenrir Inc\Sleipnir\setting\modules\ChromiumViewer\Login Data
C:\Users\IEUser\AppData\Roaming\Fenrir Inc\Sleipnir\setting\modules\ChromiumViewer\User Data\Default\Login Data
C:\Users\IEUser\AppData\Roaming\Fenrir Inc\Sleipnir\setting\modules\ChromiumViewer\User Data\Default\Web Data
C:\Users\IEUser\AppData\Roaming\FileZilla\filezilla.xml
C:\Users\IEUser\AppData\Roaming\FileZilla\recentservers.xml
C:\Users\IEUser\AppData\Roaming\FileZilla\sitemanager.xml
C:\Users\IEUser\AppData\Roaming\GmailNotifierPro\ConfigData.xml
C:\Users\IEUser\AppData\Roaming\Ipswitch
C:\Users\IEUser\AppData\Roaming\Microsoft\Sticky Notes\StickyNotes.snt
C:\Users\IEUser\AppData\Roaming\NetDrive2\drives.dat
C:\Users\IEUser\AppData\Roaming\NetDrive\NDSites.ini
C:\Users\IEUser\AppData\Roaming\NetSarang\Xftp\Sessions
C:\Users\IEUser\AppData\Roaming\NexusFile\ftpsite.ini
C:\Users\IEUser\AppData\Roaming\NoteFly\notes
C:\Users\IEUser\AppData\Roaming\Notepad++\plugins\config\NppFTP\NppFTP.xml
C:\Users\IEUser\AppData\Roaming\Opera
C:\Users\IEUser\AppData\Roaming\Opera Mail\Opera Mail\wand.dat
C:\Users\IEUser\AppData\Roaming\Opera Software\Opera Stable\User Data\Default\Login Data
C:\Users\IEUser\AppData\Roaming\Opera Software\Opera Stable\User Data\Default\Web Data
C:\Users\IEUser\AppData\Roaming\Opera\Opera Next\data\Default\Login Data
C:\Users\IEUser\AppData\Roaming\Opera\Opera Next\data\Login Data
C:\Users\IEUser\AppData\Roaming\Opera\Opera Next\data\User Data\Default\Login Data
C:\Users\IEUser\AppData\Roaming\Opera\Opera Next\data\User Data\Default\Web Data
C:\Users\IEUser\AppData\Roaming\Pocomail\accounts.ini
C:\Users\IEUser\Documents\*.bscp
C:\Users\IEUser\Documents\*.kdb
C:\Users\IEUser\Documents\*.kdbx
C:\Users\IEUser\Documents\*.spn
C:\Users\IEUser\Documents\*.tlp
C:\Users\IEUser\Documents\*.vnc
C:\Users\IEUser\Documents\*Mailbox.ini
C:\Users\IEUser\Documents\1Password
C:\Users\IEUser\Documents\Enpass
C:\Users\IEUser\Documents\My RoboForm Data
C:\Users\IEUser\Documents\NetSarang\Xftp\Sessions
C:\Users\IEUser\Documents\Pocomail\accounts.ini
C:\Users\IEUser\Documents\SuperPutty
C:\Users\IEUser\Documents\mSecure
C:\Users\IEUser\Documents\yMail2\Accounts.xml
C:\Users\IEUser\Documents\yMail2\POP3.xml
C:\Users\IEUser\Documents\yMail2\SMTP.xml
C:\Users\IEUser\Documents\yMail\ymail.ini
C:\Users\IEUser\site.xml
C:\Windows\32BitFtp.TMP
C:\Windows\32BitFtp.ini
C:\Windows\Prefetch\DLLHOST.EXE-D6B64AC2.pf
C:\Windows\System32
C:\Windows\SysWOW64\dllhost.exe
C:\Windows\apppatch\sysmain.sdb
C:\Windows\SysWOW64\apphelp.dll
C:\Windows\SysWOW64\imm32.dll
C:\Windows\SysWOW64\winmmbase.dll
C:\Windows\SysWOW64\KernelBase.dll
C:\Windows\WinSxS\x86_microsoft.windows.common-controls_6595b64144ccf1df_6.0.17134.765_none_42efd88044e1819c\comctl32.dll
C:\Windows\SysWOW64\uxtheme.dll
C:\Windows\SysWOW64\winmm.dll
C:\Windows\SysWOW64\IPHLPAPI.DLL
C:\Windows\SysWOW64\dwmapi.dll
C:\Windows\SysWOW64\mpr.dll
C:\Windows\SysWOW64\userenv.dll
C:\Windows\SysWOW64\version.dll
C:\Windows\SysWOW64\wininet.dll
C:\Windows\SysWOW64\wsock32.dll
C:\Windows\SysWOW64\ole32.dll
C:\Windows\SysWOW64\oleaut32.dll
C:\Windows\SysWOW64\user32.dll
C:\Windows\SysWOW64\advapi32.dll
C:\Windows\SysWOW64\comdlg32.dll
C:\Windows\SysWOW64\kernel32.dll
C:\Windows\SysWOW64\ntdll.dll
C:\Windows\SysWOW64\ws2_32.dll
C:\Windows\WindowsShell.Manifest
C:\Windows\Globalization\Sorting\SortDefault.nls
C:\Windows\SysWOW64\SHCore.dll
C:\Windows\SysWOW64\bcryptprimitives.dll
C:\Windows\SysWOW64\cfgmgr32.dll
C:\Windows\SysWOW64\combase.dll
C:\Windows\SysWOW64\cryptbase.dll
C:\Windows\SysWOW64\fltLib.dll
C:\Windows\SysWOW64\gdi32.dll
C:\Windows\SysWOW64\gdi32full.dll
C:\Windows\SysWOW64\kernel.appcore.dll
C:\Windows\SysWOW64\msctf.dll
C:\Windows\SysWOW64\msvcp_win.dll
C:\Windows\SysWOW64\msvcrt.dll
C:\Windows\SysWOW64\powrprof.dll
C:\Windows\SysWOW64\profapi.dll
C:\Windows\SysWOW64\psapi.dll
C:\Windows\SysWOW64\rpcrt4.dll
C:\Windows\SysWOW64\sechost.dll
C:\Windows\SysWOW64\shell32.dll
C:\Windows\SysWOW64\shlwapi.dll
C:\Windows\SysWOW64\sspicli.dll
C:\Windows\SysWOW64\ucrtbase.dll
C:\Windows\SysWOW64\win32u.dll
C:\Windows\SysWOW64\windows.storage.dll
C:\Windows\WinSxS\x86_microsoft.windows.common-controls_6595b64144ccf1df_6.0.17134.765_none_42efd88044e1819c
C:\Users\IEUser\Desktop
C:\Windows\Prefetch\COVID_PDF.EXE-37D47B96.pf
C:\Windows\SysWOW64\UxTheme.dll.Config
C:\Windows\SysWOW64\rpcss.dll
C:\Windows\System32\ntdll.dll
C:\Windows\System32\wow64.dll
C:\Windows\System32\wow64cpu.dll
C:\Windows\System32\wow64log.dll
C:\Windows\System32\wow64win.dll
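The list above mixes credential stores the stealer went looking for (browser Login Data, FTP client site managers, password-manager vaults, mail and IM account files) with ordinary loader and prefetch noise. As an added defender-side example, not code from the page or from SonicWall, the Python below groups a sandbox file-access list into those categories so the credential-theft scope is visible at a glance; the regex patterns are derived from the paths in the list above and the sample log is constructed:

```python
import re
from collections import defaultdict
from typing import Dict, List

# Constructed sample: a handful of entries in the shape of the file-access list above.
# The last two lines are ordinary loader/prefetch noise and must not be flagged.
SAMPLE_ACCESS_LOG = r"""
C:\Users\IEUser\AppData\Local\Google\Chrome\User Data\Default\Login Data
C:\Users\IEUser\AppData\Local\Google\Chrome\User Data\Default\Web Data
C:\Users\IEUser\AppData\Roaming\FileZilla\sitemanager.xml
C:\Users\IEUser\AppData\Roaming\Notepad++\plugins\config\NppFTP\NppFTP.xml
C:\Users\IEUser\Documents\*.kdbx
C:\Users\IEUser\Documents\1Password
C:\Users\IEUser\AppData\Roaming\.purple\accounts.xml
C:\Windows\SysWOW64\kernel32.dll
C:\Windows\Prefetch\COVID_PDF.EXE-37D47B96.pf
"""

# Category -> case-insensitive regexes over the full path. Patterns are taken from the
# kinds of paths in the list above; extend them for other stealers.
CATEGORIES: Dict[str, List[str]] = {
    "browser_credentials": [
        r"\\User Data\\.*\\(Login Data|Web Data)$",   # Chromium-family saved logins / autofill
        r"\\wand\.dat$",                               # Opera Mail password store
        r"\\browsedata\.db$",                          # QupZilla profile database
    ],
    "ftp_sftp_clients": [
        r"\\FileZilla\\", r"\\NppFTP\\", r"\\Xftp\\Sessions", r"32BitFtp\.", r"\\ftpsite\.ini$",
    ],
    "password_managers": [
        r"\.kdbx?$", r"\\1Password$", r"\\Enpass$", r"\\My RoboForm Data$", r"\\mSecure$",
    ],
    "mail_im_accounts": [
        r"\\\.purple\\accounts\.xml$", r"\\Pocomail\\accounts\.ini$", r"\\yMail2?\\",
    ],
}

_COMPILED = {cat: [re.compile(p, re.IGNORECASE) for p in pats] for cat, pats in CATEGORIES.items()}


def classify_path(path: str) -> str:
    """Return the credential-store category for one path, or 'uncategorized'."""
    for cat, regexes in _COMPILED.items():
        if any(r.search(path) for r in regexes):
            return cat
    return "uncategorized"


def triage(access_log: str) -> Dict[str, List[str]]:
    """Group every non-empty line of a file-access list by category.

    Entries containing '*' are wildcard enumerations (the stealer is globbing for a
    file type rather than opening one known file); they stay in their category and
    are additionally listed under 'wildcards' so the analyst sees them separately.
    """
    groups: Dict[str, List[str]] = defaultdict(list)
    for line in access_log.splitlines():
        path = line.strip()
        if not path:
            continue
        groups[classify_path(path)].append(path)
        if "*" in path:
            groups["wildcards"].append(path)
    return dict(groups)


def summarize(access_log: str) -> Dict[str, int]:
    """Per-category counts, the figure that goes into the analysis report."""
    return {cat: len(paths) for cat, paths in triage(access_log).items()}


if __name__ == "__main__":
    for cat, n in sorted(summarize(SAMPLE_ACCESS_LOG).items()):
        print(f"{cat:20s} {n}")
```

Feed `triage` the full list from a sandbox run and the `uncategorized` bucket shows which paths still need a pattern; anything left in the credential categories is what to assume compromised when scoping the incident.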

Following are some of the registry key changes that it tried to make:

HKCU\Software\Classes\Local Settings\Software\Microsoft\Ole\FeatureDevelopmentProperties
HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\SessionInfo\1\KnownFolders
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\dllhost.exe
HKLM\SOFTWARE\Policies\Microsoft\MUI\Settings
HKLM\SOFTWARE\Policies\Microsoft\Windows\Display
HKLM\Software\WOW6432Node\Policies\Microsoft\MUI\Settings
HKLM\Software\WOW6432Node\Policies\Microsoft\Windows\Display
HKLM\System\CurrentControlSet\Control\ComputerName\ActiveComputerName
HKLM\System\CurrentControlSet\Control\Lsa
HKLM\System\CurrentControlSet\Control\Nls\ExtendedLocale
HKLM\System\CurrentControlSet\Control\NLS\Language
HKLM\System\CurrentControlSet\Control\Nls\Sorting\Ids
HKLM\System\CurrentControlSet\Control\Nls\Sorting\Versions
HKLM\System\CurrentControlSet\Control\Session Manager\ResourcePolicies
HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\Segment Heap
HKLM\System\CurrentControlSet\Services\afunix\Parameters\Winsock\Mapping
HKLM\System\CurrentControlSet\Services\Tcpip\Parameters\Domain
HKLM\System\CurrentControlSet\Services\Tcpip\Parameters\Winsock\Mapping
HKLM\System\CurrentControlSet\Services\WinSock2\Parameters\NameSpace_Catalog5\Catalog_Entries\000000000001\DisplayString
HKLM\System\CurrentControlSet\Services\WinSock2\Parameters\NameSpace_Catalog5\Catalog_Entries\000000000002\DisplayString
HKLM\System\CurrentControlSet\Services\WinSock2\Parameters\NameSpace_Catalog5\Catalog_Entries\000000000003\DisplayString
HKLM\System\CurrentControlSet\Services\WinSock2\Parameters\NameSpace_Catalog5\Catalog_Entries\000000000004\DisplayString
HKLM\System\CurrentControlSet\Services\WinSock2\Parameters\NameSpace_Catalog5\Catalog_Entries\000000000005\DisplayString
HKLM\System\CurrentControlSet\Services\WinSock2\Parameters\NameSpace_Catalog5\Catalog_Entries\000000000006\DisplayString
HKLM\System\CurrentControlSet\Services\WinSock2\Parameters\WinSock_Registry_Version
HKLM\System\CurrentControlSet\Services\Winsock\Parameters\Transports
HKCR\CLSID\{08728914-3F57-4D52-9E31-49DAECA5A80A}\InProcServer32\(Default)
HKCR\CLSID\{82345212-6ACA-4B38-8CD7-BF9DE8ED07BD}\InProcServer32\(Default)
HKCU\Control Panel\Desktop\MuiCached
HKCU\Software\AppDataLow
HKCU\Software\Classes\CLSID\{08728914-3F57-4D52-9E31-49DAECA5A80A}
HKCU\Software\Classes\CLSID\{4410DC33-BC7C-496B-AA84-4AEA3EEE75F7}\InProcServer32\(Default)
HKCU\Software\Classes\CLSID\{82345212-6ACA-4B38-8CD7-BF9DE8ED07BD}
HKCU\Software\Classes\Local Settings\Software\Microsoft\Ole
HKCU\Software\Clients

It then tries to post the stolen sensitive information to attlogistics-vn.com.

IoCs

  • 9e26d68332abb02fb2e80a924f83eb8614afe4e8b841f51c9f82fd0c986d4571
  • attlogistics-vn.com

SonicWall Capture Labs provides protection against this threat via the following signature:

  • GAV : Autoit.Covid.D

This threat is also detected by SonicWALL Capture ATP w/RTDMI and the Capture Client endpoint solutions.

Fake Aarogya Setu Android apps harbor spyware capabilities

 

A number of countries have taken the initiative of developing COVID-19 tracking apps over the last few months. Aarogya Setu is the Indian COVID-19 tracking mobile application. It crossed five million downloads within the first three days from its launch, making it widely popular in India, and that popularity makes it a target for malware creators.

The SonicWall Capture Labs threat research team observed fake Aarogya Setu apps containing spyware components in the wild. Here are a few highlights from our findings:

 

CASE I

  • Md5: e5e44ac40123023eebd5caf9662f05d1, bfa19e91bb4b25d34ac10ad7b9fc5df2
  • App Name: Aarogya Setu
  • Package Name: cmf0.c3b5bm90zq.patch

There are a number of fake apps that have the package name – cmf0.c3b5bm90zq.patch:

The malware author uses the same code for the majority of these apps and spreads them by re-branding the icon and application name. In this case the app masquerades as the legitimate Aarogya Setu app, but the copy is not perfect: the icon appears stretched and can be identified when placed side-by-side with the legitimate app:

Upon execution we do not see any activity on the screen; after some time the app icon disappears from the app drawer. The app contains a reference to a domain – johnnj2-37916.portmap.io – in its patch_preferences.xml file. During our analysis the malware did not try to communicate with this domain; however, the domain is connected to other malicious apps:

 

CASE II

  • Md5: bbe84ba545d652d9e06635a6e89d48b5
  • App Name: Aarogya Setu – AddOn
  • Package Name: yps.eton.application

Similar to Case I, there are a number of fake apps with the package name yps.eton.application:

 

This app masquerades as an Aarogya Setu add-on, even though no such official app exists. Upon installation and execution it requests Device Admin privileges and asks the victim to allow installation from this source. It then installs the legitimate Aarogya Setu app from its resources folder (MD5: 4181352b37cd4ee809fa83390d3cc228) and thereby tries to appear less suspicious to the user.

 

CASE III

  • Md5: df5698d5aef850b217cbbfa9789bd347
  • App Name: Aarogya Setu
  • Package Name: com.android.tester

In this case the malware writers have accurately copied the legitimate Aarogya Setu icon. With both the malicious and the legitimate Aarogya Setu app installed, telling the malicious one apart by its icon is difficult:

We did not see network activity during our analysis session, but an xml file belonging to the app records the address 204.48.26.131:29491. This address is connected with another malicious Android app:

 

Common Goals

All three apps mentioned above contain spyware capabilities. Each contains code similar to the Android spyware SpyNote; we have blogged about SpyNote malware masquerading as legitimate apps in the past. A recap of the capabilities of this spyware:

  • Make phone calls
  • Record audio
  • Send SMS
  • Take photos from the camera
  • Record videos from the camera
  • Record keystrokes (keylogger)
  • Check if the device is rooted
  • Start the spyware each time the device reboots

 

Deception

A common trend observed in some of these malicious apps is that the legitimate Aarogya Setu app is piggybacked in the resources folder as google.apk (MD5 – 4181352b37cd4ee809fa83390d3cc228).

Some of these malicious apps install the legitimate app in the background. This technique is used to fool users into believing that they installed the legitimate app, while in reality the malicious app executes its nefarious functions in the background.

If the user removes the Aarogya Setu app by long-pressing its icon and choosing uninstall, only the legitimate app is removed and the malicious app remains on the device. The only way to remove the malicious app is via settings > apps > uninstall. This trick has the potential to fool a number of users who are not vigilant.
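Because the icon-based uninstall removes only the piggybacked legitimate app, an incident responder checking a device should work from the installed package list rather than from the app drawer. The Python below is an added example, not code from the page or from SonicWall: it parses output in the shape of `adb shell pm list packages -f`, flags the three fake package names given in the cases above, and reports whether the legitimate app is present alongside them (the piggyback pattern described in this section). The official app's package name, nic.goi.aarogyasetu, is not stated on the page and is assumed here; the package listing is constructed sample input.

```python
import re
from typing import Dict, List

# Package names of the fake Aarogya Setu apps from Cases I-III above (taken from the page).
KNOWN_BAD_PACKAGES = {
    "cmf0.c3b5bm90zq.patch",
    "yps.eton.application",
    "com.android.tester",
}

# Assumption, not stated on the page: the package name of the official Aarogya Setu app.
OFFICIAL_PACKAGE = "nic.goi.aarogyasetu"

# Constructed sample in the shape of `adb shell pm list packages -f` output:
# one line per package, "package:<apk path>=<package name>".
SAMPLE_PM_OUTPUT = """\
package:/system/app/Calendar/Calendar.apk=com.android.calendar
package:/data/app/nic.goi.aarogyasetu-1/base.apk=nic.goi.aarogyasetu
package:/data/app/yps.eton.application-1/base.apk=yps.eton.application
package:/data/app/com.example.notes-2/base.apk=com.example.notes
"""

_PM_LINE = re.compile(r"^package:(?P<path>[^=]+)=(?P<name>[\w.]+)$")


def parse_pm_list(output: str) -> Dict[str, str]:
    """Map package name -> APK path from `pm list packages -f` style lines."""
    packages: Dict[str, str] = {}
    for line in output.splitlines():
        m = _PM_LINE.match(line.strip())
        if m:
            packages[m.group("name")] = m.group("path")
    return packages


def assess(packages: Dict[str, str]) -> Dict[str, object]:
    """Flag known fake packages and detect the legitimate-app piggyback pattern.

    piggyback_suspected is set when a known fake package and the official package are
    both installed: that is the state the Deception section describes, where removing
    the visible icon leaves the spyware behind.
    """
    known_bad: List[str] = sorted(p for p in packages if p in KNOWN_BAD_PACKAGES)
    official_present = OFFICIAL_PACKAGE in packages
    return {
        "known_bad": known_bad,
        "known_bad_paths": {p: packages[p] for p in known_bad},
        "official_present": official_present,
        "piggyback_suspected": bool(known_bad) and official_present,
        # Removal has to go through settings > apps, not the launcher icon.
        "remediation": [f"settings > apps > {p} > uninstall" for p in known_bad],
    }


def assess_pm_output(output: str) -> Dict[str, object]:
    """Convenience wrapper: raw `pm list packages -f` text in, assessment out."""
    return assess(parse_pm_list(output))


if __name__ == "__main__":
    result = assess_pm_output(SAMPLE_PM_OUTPUT)
    for key, value in result.items():
        print(f"{key}: {value}")
```

On a real device, pipe `adb shell pm list packages -f` into `assess_pm_output`; the `known_bad_paths` entry tells you which APK to pull for further analysis, and `remediation` lists the settings-based uninstall that actually removes the spyware.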

 

SonicWall Capture Labs provides protection against this threat with the following signatures:

  • AndroidOS.SpyNote.GN
  • AndroidOS.SpyNote.SP
  • AndroidOS.SpyNote.SC