[ad_1]
If we study one other StrongPity pattern (12818a96211b7c47863b109be63e951075cf6a41652464a584dd2f26010f7535), the logic is comparable — it drops a traditional installer into the Temp listing and creates a listing for dropped malicious information.
Listed here are three notable similarities between the Home windows pattern and the Android pattern:
1. All of them disguised as regular apps by using the unique clear functions — the Android pattern repacks the unique one right into a trojanized model, whereas the Home windows pattern makes use of a trojanized installer filled with the unique program.
2. Each gather and exfiltrate information from the contaminated system.
3. Each are extremely modular. The Home windows pattern has a standalone Exfiltration and File Search module, a function that may be seen within the newest check Android pattern.
We discovered a number of clues that hyperlink the malicious Android samples with the StrongPity risk actor.
The pattern 74582c3d920332117541a9bbc6b8995fbe7e1aff communicates with the URL https://www.upn-sec3-msd[.]com/ProxyServer/service/. The area identify “upn-sec3-msd[.]com” was talked about in one other StrongPity report.
The area naming sample and area acquisition strategies are fairly comparable. For instance, the domains utilized by StrongPity in 2020 have a site naming sample just like the domains utilized by the recognized Android samples.
One of many domains, networktopologymaps[.]com, was possible purchased when registration at Gandi expired. The area was acquired through the Porkbun community registrar.
That is just like the area hostoperationsystems[.]com, which was beforehand talked about within the Talos report. This area was additionally acquired through Porkbun and incorporates a comparable area naming sample.
One other notable level of correlation to StrongPity is the listing of file extensions, which we’ve got seen in Android samples. The same listing of the file extensions for the information is offered in variants of the trojan for Home windows methods. For instance, one of many samples that we had examined earlier, gathers information with the next extensions:
.7z
.asc
.dgs
.doc
.docx
.gpg
.pdf
.pgp
.ppt
.pptx
.rar
.rjv
.rms
.rtf
.sft
.tc
.txt
.xls
.xlsx
As we beforehand talked about, there aren’t any public experiences of the StrongPity risk actor utilizing malicious Android functions within the assault. Nonetheless, we examined the trojan code-embedding strategies in addition to the trojan performance of the malicious code written by the identical risk actor for Home windows platforms, and we’ve got recognized some comparable patterns. This leads us to imagine that these may belong to the identical risk actor.
StrongPity actively develops new malicious android apps
We imagine that the StrongPity Risk actor is actively growing backdoors for Android. Primarily based on the check pattern that we’ve got recognized, we are able to see that the risk actor makes an attempt a number of strategies to lure potential victims: repackaged functions, compromised web sites, and faux variants of in style functions.
Primarily based on the extra functionalities that we recognized within the pretend Samsung safety service software (75dc2829abb951ff970debfba9f66d4d7c6b7c48a823a911dd5874f74ac63d7b), we predict that among the many APK information that we had recognized, the repackaged functions are bundled with the primary model of the Android trojan, whereas the pretend software might be a piece in progress for the subsequent model of the software.
Within the second model, we noticed the risk actor developed and included some further elements and in addition to added assist for extra message varieties.
The next desk exhibits the kinds that the risk actor has outlined.
Message sort
Particulars
MSG_ADD_MODULE
Add a brand new module
MSG_GET_MODULE
Get the module occasion
MSG_DEL_MODULE
Delete module file underneath <DIR>/.android/.li/<module identify>
MSG_DEL_APK
Delete the APK file underneath the obtain listing
MSG_START_MODULES
Desk 2. Message varieties outlined by the risk actor
On this model, MSG_COLLECT is not current — we predict they changed it with MSG_START_MODULES, a message used to learn all module names from the shared desire, and begin/initialize them one after the other.
We weren’t in a position to get entry to those modules, however primarily based on a number of the code performance that we noticed, we imagine that these modules are designed to gather information from the sufferer’s gadgets and write the collected information into an area SQLite db information file. Nonetheless, we weren’t capable of finding any of those modules within the wild.
There are additionally a number of different key variations between model 1 and model 2 of the trojan:
The message Handler for heartbeat message in model 2 is now break up into two messages: heartbeat and taken_config. Both of those messages can obtain a response from the C&C server and decrypt the response to replace the native configuration, equally to the model 1.
Model 2 makes use of totally different AES encryption keys: key(“aaaanothingimpossiblebbb”), and AES IV(“aaaanothingimpos”)
ScreenReceiver class is added to the second model of the trojan. The aim of this Receiver is to start out the malicious service through Screen_On and Screen_Off occasions.
Model 2 has a capability to execute “su” command, if the system is rooted. The primary utilization of the basis privilege right here is that it may grant permissions silently. Such permissions embrace accessibility, notification and different. Nonetheless, we didn’t discover any proof that the pattern would try and root the system.
Two elements have been added in model 2 for accessibility and notification.
Model 2 makes use of SQLite to retailer collected information. Moreover, it not makes use of ZIP.
In Model 2, the additional modules utilized in “MSG_START_MODULES” are downloaded from the C&C server through both the heartbeat or taken_config message. It’s attainable that these modules are decompressed as a part of the response into <DIR>/.android/.li and consequentially executed.
This investigation has supplied proof to attribute the Android malware pattern, which was posted on the Syrian e-Gov web site, to the StrongPity risk group. We have been additionally in a position to determine further Android trojan information and correlate these malicious Android functions with current public experiences primarily based on their similarities to the risk actor’s TTPs and community infrastructure they used.
Though there aren’t any beforehand recognized malicious Android functions attributed to the StrongPity group, we strongly imagine that the risk actor is within the means of actively growing new malicious elements that can be utilized to focus on Android platforms.
We imagine that the risk actor is exploring a number of methods of delivering the functions to potential victims, comparable to utilizing pretend apps and utilizing compromised web sites as watering holes to trick customers into putting in malicious functions. Sometimes, these web sites would require its customers to obtain the functions instantly onto their gadgets. So as to take action, these customers could be required to allow set up of the functions from “unknown sources” on their gadgets. This bypasses the “trust-chain” of the Android ecosystem and makes it simpler for an attacker to ship further malicious elements.
SHA256
Description
Detection
fd1aac87399ad22234c503d8adb2ae9f0d950b6edf4456b1515a30100b5656a7
The trojanized model of the Syria eGov Software
AndroidOS_StrongPity.HRX
374d92f553c28e9dad1aa7f5d334a07dede1e5ad19c3766efde74290d0c49afb
Pattern repackaged from Kingoroot
AndroidOS_StrongPity.HRX
a9378a5469319faffc48f3aa70f5b352d5acb7d361c5177a9aac90d9c58bb628
Pattern repackaged from internet.cybertik.wifi
AndroidOS_StrongPity.HRX
be9214a5804632004f7fd5b90fbac3e23f44bb7f0a252b8277dd7e9d8b8a52f3
Repackaged from Snaptube
AndroidOS_StrongPity.HRX
596257ef017b02ba6961869d78a2317500a45f00c76682a22bbdbd3391857b5d
Repackaged from Snaptube
AndroidOS_StrongPity.HRX
75dc2829abb951ff970debfba9f66d4d7c6b7c48a823a911dd5874f74ac63d7b
Pretend Samsung Safety Service pattern
AndroidOS_StrongPity.HRX
Community C&C Infrastructure
SHA256
Area
Detection
fd1aac87399ad22234c503d8adb2ae9f0d950b6edf4456b1515a30100b5656a7
Internetwideband[.]com
AndroidOS_StrongPity.HRX
374d92f553c28e9dad1aa7f5d334a07dede1e5ad19c3766efde74290d0c49afb
upeg-system-app[.]com
AndroidOS_StrongPity.HRX
a9378a5469319faffc48f3aa70f5b352d5acb7d361c5177a9aac90d9c58bb628
networktopologymaps[.]com
AndroidOS_StrongPity.HRX
be9214a5804632004f7fd5b90fbac3e23f44bb7f0a252b8277dd7e9d8b8a52f3
networktopologymaps[.]com
AndroidOS_StrongPity.HRX
596257ef017b02ba6961869d78a2317500a45f00c76682a22bbdbd3391857b5d
upeg-system-app[.]com
AndroidOS_StrongPity.HRX
75dc2829abb951ff970debfba9f66d4d7c6b7c48a823a911dd5874f74ac63d7b
upn-sec3-msd[.]com
AndroidOS_StrongPity.HRX
[ad_2]