
BianLian

Golang

Ransomware


BianLian: A new Golang-based cross-functional ransomware in action

Increases in the command and control infrastructure of the new cross-platform ransomware BianLian this month suggest a quickening of the rate at which it is bei...

16-Sep-2022
7 min read

Related Articles


Trojan

ToxicPanda

Banking

Explore ToxicPanda, a new banking trojan spreading from Asia to Europe and LATAM...

Our threat research team identified a new Android malware strain, initially thought to be TgToxic but exhibiting key divergences from its predecessor, leading us to classify it as "ToxicPanda." ToxicPanda is a banking Trojan that leverages Remote Access Trojan (RAT) techniques to initiate fraudulent money transfers through account takeover (ATO), using On-Device Fraud (ODF) techniques. By operating directly on the victim's device, the malware bypasses banking countermeasures for identity verification and behavioral detection.

Our analysis suggests that ToxicPanda has not yet reached an advanced stage of development, as evidenced by incomplete command implementations and placeholder code. Specifically, several commands, such as those related to advanced ATS routines and EasyClick automation, remain unimplemented or serve only as placeholders. This limits the malware's ability to fully automate fraudulent actions, reducing its current threat level but indicating potential for future development. The incomplete commands suggest that the developers may still be testing capabilities or lack the expertise to deploy more sophisticated functionality effectively.

Despite this, it has been remarkably effective, leading to over 1,500 infections across Europe and Latin America, primarily targeting banking institutions in Italy, Spain, Portugal, and Peru. Unlike typical campaigns from Southeast Asian TAs, ToxicPanda appears to reflect a shift or expansion of Chinese-speaking threat actors into European and Latin American markets, marking an unusual and concerning development in their operational focus. This geographical expansion is significant because it suggests a diversification of targets, potentially driven by an interest in new financial markets, broader revenue streams, or a strategic response to increased security measures in their traditional regions.

The shift also indicates that these actors are becoming more adaptable and willing to overcome language, regulatory, and logistical barriers to target previously unexplored regions, which could indicate an escalation in their overall capabilities and threat sophistication.

![ToxicPanda icons](https://sb-cms.s3.ap-south-1.amazonaws.com/6728b8b03b4e7753afff94a2_6728b73cd0427c03a05d3f0d_f1_e46c833eda.png)

***ToxicPanda's icons as described by [Cleafy](https://www.cleafy.com/cleafy-labs/toxicpanda-a-new-banking-trojan-from-asia-hit-europe-and-latam)***

***Key campaign highlights include:***

- **Malware Type**: Android Banking Trojan
- **Target OS**: Android Devices
- **Target Regions**: Europe (Italy, Portugal, Spain, France) and Latin America (Perú)
- **Infection Vector**: Side-loading via Social Engineering
- **Fraud Techniques**: Account Takeover, On-Device Fraud, OTP Interception
- **TTP Summary**: RAT capabilities, Accessibility Service abuse, Remote Control

The findings suggest a strategic attempt by the TAs to expand their operations from primarily regional targeting in Asia to broader international fraud schemes, using rudimentary but highly adaptive malware.

## Technical Analysis

### Overview of ToxicPanda's Capabilities

From a technical perspective, ToxicPanda shares core RAT capabilities with other banking trojans like [Medusa](https://www.secureblink.com/cyber-security-news/medusa-returns-new-malware-variant-threatens-android-users-worldwide) and Copybara, with an emphasis on ODF. The malware abuses Android's Accessibility Service, allowing TAs to remotely control infected devices, capture OTPs, manipulate user inputs, and bypass 2FA protection measures.

ToxicPanda's reduced obfuscation and the absence of more advanced Automatic Transfer System (ATS) routines compared to its predecessor TgToxic imply a downgrade in technical complexity, perhaps reflecting the developers' relative inexperience with foreign banking systems and stricter financial regulations, such as the European Union's PSD2 (Payment Services Directive) and GDPR (General Data Protection Regulation). These regulations impose stringent requirements for authentication, data privacy, and financial transactions, making it more challenging for malware to operate effectively without sophisticated adaptations. Additionally, differences in financial system architectures and anti-fraud mechanisms across regions further complicate the development of advanced features like ATS, which require a deeper understanding of localized banking processes.

### Infection Chain and Execution Flow

#### 1. Initial Infection

ToxicPanda spreads primarily through side-loading, often disguised as benign applications or legitimate software. Social engineering plays a key role in persuading users to install the malware, using techniques such as phishing campaigns that trick users into downloading fake apps through links, impersonation of legitimate apps on third-party app stores, and even fake pop-up ads claiming urgent updates. These apps often masquerade as popular utilities, financial applications, or security tools, which increases the likelihood of users trusting and installing them.

#### 2. Abuse of Android Accessibility Services

The core of ToxicPanda's malicious activity involves abusing Android's Accessibility Services to obtain elevated permissions. These permissions are typically obtained by manipulating user consent through deceptive prompts or misleading UI elements, such as pretending to be a legitimate system update or security feature. This tactic tricks users into granting Accessibility Service permissions, which allows ToxicPanda to carry out its malicious activities seamlessly. ToxicPanda is configured to:

- **Intercept User Inputs**: By manipulating the Accessibility Service, ToxicPanda can log user inputs, capture credentials, and trigger actions remotely.
- **Initiate Fraudulent Transactions**: The malware automates interactions with banking applications, enabling direct account takeovers.
- **Localized UI Manipulation for Permissions**: ToxicPanda uses language-specific strings to manipulate UI elements, such as forcing clicks on buttons like "Home" or searching for system text like "Force Stop" in localized languages. This level of adaptation makes it highly effective at deceiving users across different regions.
- **Localized Login Interfaces**: ToxicPanda further enhances its social engineering through localized login interfaces, as seen in screenshots of authorization systems in Chinese. These localized interfaces are designed to mimic legitimate screens, building trust among targeted users, particularly in Chinese-speaking regions, and thus increasing the likelihood of successful phishing attempts.

![ToxicPanda manipulating system UI elements](https://sb-cms.s3.ap-south-1.amazonaws.com/6728b8b03b4e7753afff9493_6728b804a07a118dc660e81c_f2_7aa48b2a4c.png)

***ToxicPanda forcing the click of the "Home" button and searching for specific UI texts such as "Force Stop" in Chinese to manipulate system interactions (Source: Cleafy)***

#### 3. OTP Interception and On-Device Fraud

ToxicPanda can intercept OTPs sent via SMS or authenticator apps, allowing it to bypass banking two-factor authentication mechanisms. To avoid detection during OTP interception, the malware uses techniques such as mimicking legitimate system notifications, delaying interception to blend in with normal system processes, and using Accessibility Service permissions to silently read and forward OTP messages without alerting the user. This capability facilitates On-Device Fraud, enabling attackers to initiate, authorize, and verify transactions without direct user interaction.

### Botnet Infrastructure and C2 Communication

Our analysis disclosed an active botnet managed through a centralized Command and Control (C2) infrastructure, with over 1,500 infected devices. The botnet is controlled using three hard-coded domains: **dksu[.]top**, **mixcom[.]one**, and **freebasic[.]cn**. To evade detection or survive domain takedown, the attackers might employ additional fallback C2 servers or domain generation algorithms (DGAs). DGAs let the botnet generate new domains dynamically, making it harder for defenders to block C2 communication completely, while fallback servers ensure continuity even if the primary domains are taken down. These strategies illustrate how the botnet infrastructure may evolve to maintain resilience against countermeasures. These particular domains may have been chosen for their relatively obscure nature, which helps avoid early detection by security solutions. Additionally, the use of a Chinese public DNS service and a domain ending in '.cn' suggests a link to the threat actors' geographical origin, potentially pointing towards Chinese infrastructure or operational bases.

![Botnet management panel](https://sb-cms.s3.ap-south-1.amazonaws.com/6728bd1c08f9479cc80f8071_10f1d9569c.png)

***Botnet Management Panel showcasing device status, operational controls, and fraud management capabilities (Source: Cleafy)***

This choice of domains reflects a strategic approach by the TAs to maintain low visibility while retaining control over infected devices.

ToxicPanda selects its C2 domain through a basic switch statement that defaults to a primary server; the selection can be adjusted in real time with a command named `setCommandStyle`. In practice, it is unclear how frequently the C2 domain is adjusted, but evidence suggests that this mechanism has been used to thwart defensive measures by rapidly switching domains when disruptions are detected, thereby maintaining consistent botnet control.

#### C2 Communication Flow

- **Initial Contact**: The switch-based domain selection triggers initial contact with the C2 server over HTTPS, followed by a persistent connection over WebSockets for bidirectional, low-latency communication.
- **Encryption**: ToxicPanda uses AES in ECB mode to secure its communications. The encryption key is hard-coded in the malware, so the data exchanged between infected devices and the C2 is opaque to standard network monitoring tools (although a key recovered from the sample lets an analyst decrypt captured traffic). ECB mode is simple to implement but weak: it encrypts each 16-byte block independently, so identical plaintext blocks produce identical ciphertext blocks, and that repetition is a pattern defenders can exploit in traffic analysis.

Figure 8 shows an example of the WebSocket traffic initiated between an infected device and the C2 server, where the server issues commands for fraudulent activities. This low-latency, persistent channel bypasses traditional HTTP monitoring and makes detection harder.

### Botnet Management Panel

Our researchers gained visibility into ToxicPanda's C2 management panel by combining network traffic analysis with exploiting weaknesses in the malware's C2 communication protocols, offering rare insight into the operator's capabilities. This access was achieved through detailed reverse engineering of the malware, which allowed our team to extract hard-coded credentials and identify vulnerabilities in the panel's authentication process.
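The "Encryption" point in the C2 communication flow above notes that ToxicPanda's traffic uses AES in ECB mode and that ECB is susceptible to pattern detection. The following is an added example, not code from the article or from the malware, showing the defender's side of that observation: a check that flags ciphertext containing repeated 16-byte blocks, which is exactly what ECB produces whenever the underlying message repeats a block. To keep it dependency-free, a keyed hash stands in for the AES block function (an assumption of this example; any deterministic per-block mapping leaks the same way), and the key, IV and beacon content are constructed.

```python
"""Flagging ECB-mode C2 traffic by its repeated ciphertext blocks.

Added example, not code from the article. A keyed hash stands in for the AES
block function so the script has no third-party dependency; the property being
demonstrated (ECB maps equal plaintext blocks to equal ciphertext blocks) does
not depend on which block function is used.
"""
import hashlib
from collections import Counter

BLOCK = 16  # AES block size in bytes

# Constructed values for the demonstration.
KEY = b"constructed-key-"  # stands in for the malware's hard-coded key
IV = bytes(range(BLOCK))   # used only by the chained comparison mode
# A beacon whose device-status entries repeat at 16-byte boundaries.
BEACON = b'"dev":"offline",' * 8 + b'"id":"a1"'


def _block_fn(key: bytes, block: bytes) -> bytes:
    """Stand-in for one AES block encryption: deterministic and key-dependent."""
    return hashlib.sha256(key + block).digest()[:BLOCK]


def _pad(data: bytes) -> bytes:
    """PKCS#7 padding up to a whole number of blocks."""
    n = BLOCK - len(data) % BLOCK
    return data + bytes([n]) * n


def ecb_encrypt(key: bytes, plaintext: bytes) -> bytes:
    """ECB: each block is transformed on its own, so repeats in the input survive in the output."""
    data = _pad(plaintext)
    return b"".join(_block_fn(key, data[i:i + BLOCK]) for i in range(0, len(data), BLOCK))


def cbc_encrypt(key: bytes, iv: bytes, plaintext: bytes) -> bytes:
    """CBC-style chaining for comparison: each block is XORed with the previous ciphertext block first."""
    data = _pad(plaintext)
    out, prev = [], iv
    for i in range(0, len(data), BLOCK):
        mixed = bytes(a ^ b for a, b in zip(data[i:i + BLOCK], prev))
        prev = _block_fn(key, mixed)
        out.append(prev)
    return b"".join(out)


def duplicate_block_ratio(ciphertext: bytes) -> float:
    """Fraction of blocks that repeat an earlier block; 0.0 for chained modes or random data."""
    usable = len(ciphertext) - len(ciphertext) % BLOCK
    blocks = [ciphertext[i:i + BLOCK] for i in range(0, usable, BLOCK)]
    if not blocks:
        return 0.0
    repeats = sum(count - 1 for count in Counter(blocks).values() if count > 1)
    return repeats / len(blocks)


def looks_like_ecb(ciphertext: bytes, min_blocks: int = 8) -> bool:
    """Flag a message that is long enough for repeats to be meaningful if any block repeats."""
    if len(ciphertext) < min_blocks * BLOCK:
        return False
    return duplicate_block_ratio(ciphertext) > 0.0


if __name__ == "__main__":
    for name, ct in (("ECB", ecb_encrypt(KEY, BEACON)), ("chained", cbc_encrypt(KEY, IV, BEACON))):
        print(f"{name}: {len(ct) // BLOCK} blocks, duplicate ratio "
              f"{duplicate_block_ratio(ct):.2f}, flagged={looks_like_ecb(ct)}")
```

Run over the WebSocket message payloads at an inspection point where the TLS layer has been removed, a duplicate ratio well above zero on messages that ought to be unique is a strong hint of ECB; the chained comparison mode shows that the same beacon content leaves no such trace once blocks are chained.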
The interface includes sections for _"Machine Management,"_ where TAs can remotely view device details, issue commands, and initiate On-Device Fraud activities. Key features observed include:

- **Device Overview**: Columns listing device brand, model, geolocation, software version, and online/offline status.
- **Operational Controls**: Operators can upgrade, reset, or remove malware from devices and manage fraudulent transactions in real time.
- **Centralized Fraud Management**: The admin panel also offers a quick view of device status, the ability to reset scripts, turn off cameras, and even initiate recording from infected devices. This level of control indicates an expanded toolkit that goes beyond financial fraud, allowing operators to spy on victims and potentially collect sensitive personal data for further exploitation.

The panel confirmed the suspected Chinese-speaking origin of the TAs, who appear to be managing this campaign centrally, with a distinct focus on European banking customers and emerging Latin American targets.

### Expanded Data Theft: Image Collection and Transmission

ToxicPanda also collects device images from photo albums, converts them into Base64 format, and transmits them to the C2 server. This adds another dimension to its data collection, targeting sensitive personal information beyond financial credentials. This capability broadens the scope of the data that TAs can leverage for further exploitation or monetization, highlighting the expansive nature of the threat.

### Fake App Store Listings as Infection Vectors

The malware has also been observed using fake app listings, such as those mimicking legitimate applications like "99 Spedmart," "Amore Live," and "Honey Peach." These fake apps are distributed through compromised app stores or phishing links and often carry high user ratings and positive reviews to lure potential victims. The familiarity and popularity of these apps increase their credibility, making it more likely that users install them without suspicion. These strategies contribute significantly to the high infection rate of ToxicPanda.

## Indicators of Compromise (IoCs)

### Hashes of Known ToxicPanda Samples

| Hash (MD5) | App Name |
|------------|----------|
| 2f5c4325f77280b2b58be981f9051f04 | Chrome |
| 6e0a7e94ce0a1fe70d43fe727dc41061 | dbltest |
| f5c44a7044572e39e8fb9fa8e1780924 | Chrome |

### C2 Domains

- **dksu[.]top**
- **mixcom[.]one**
- **freebasic[.]cn**

## Conclusion

ToxicPanda represents an evolving threat in the Android banking Trojan landscape, especially as Chinese-speaking TAs expand their operations into Europe and Latin America. The malware's less sophisticated technical foundation, including unfinished commands and simplified obfuscation, contrasts sharply with its rapid operational success, highlighting a growing risk that threat actors can achieve significant impact without highly advanced techniques.

The campaign underscores the urgent need for proactive detection mechanisms. Organizations can bolster defenses by implementing user education initiatives to raise awareness of phishing and side-loading risks, deploying Mobile Device Management (MDM) solutions to enforce security policies, and mandating stricter app permission policies to minimize the risk of malware gaining elevated privileges. These measures, combined with existing detection tools, can help prevent infections and mitigate damage. Specifically, employing advanced behavioral analytics tools, implementing machine learning-based anomaly detection, and integrating network traffic analysis tools like Zeek or Suricata could significantly enhance the ability to detect such malware. Additionally, leveraging mobile threat defense solutions and endpoint detection and response (EDR) systems could help identify early indicators of compromise and mitigate risks before they escalate.

Current industry-standard antivirus solutions have struggled with this relatively basic threat, pointing to gaps in real-time detection capabilities. Enhanced early warning systems are crucial to mitigate such threats before they materialize at scale. To further bolster defenses, it is recommended to implement specific mitigations for each phase of the malware lifecycle, develop detailed behavioral analysis mechanisms, and enhance network traffic inspection capabilities to effectively detect C2 communication over WebSockets. Security teams should focus on incorporating indicators of compromise into automated threat detection tools and regularly update threat intelligence feeds to reflect the latest observed domains and behaviors. Regional banking institutions in Europe and LATAM should especially prioritize reviewing their mobile security policies and invest in educational programs aimed at reducing the risk of social engineering attacks.

The expansion of traditionally regional threat actors into new territories requires a reassessment of regional security postures, particularly concerning banking institutions and their mobile security strategies. ToxicPanda's reliance on familiar Android abuse techniques and simple RAT tooling shows that even known threats, when applied in new operational contexts, can pose serious challenges for financial institutions worldwide.

### Future Threat Projections

Considering the incomplete capabilities and ongoing adaptations of ToxicPanda, we can project a potential evolution towards more sophisticated RAT capabilities, advanced ATS implementations, and increased use of domain generation algorithms for C2 infrastructure. The rapid domain switching mechanism, while currently simplistic, may evolve into more complex fallback systems or DGAs, providing resilience against domain takedowns. Financial institutions should prepare for enhanced ATS capabilities, potentially capable of executing more precise and automated account takeovers, and expect expanded efforts in social engineering campaigns, including more sophisticated phishing lures tailored to local languages and banking interfaces.
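The conclusion above recommends feeding the published indicators into automated detection tooling. As an added example, not part of the original article, the script below refangs the three C2 domains listed in the IoC section and matches them, including any subdomain, against DNS query logs. The log format, the client addresses and the log lines themselves are constructed for the demonstration.

```python
"""Matching published C2 domain indicators against DNS query logs.

Added example, not code from the article. The three domains are the ones in
the article's IoC section (kept defanged, as published); the log format and
the log lines are constructed for the demonstration.
"""
import re
from dataclasses import dataclass

C2_DOMAINS_DEFANGED = ["dksu[.]top", "mixcom[.]one", "freebasic[.]cn"]

# Constructed log shape: "<timestamp> <client-ip> query <qname> <qtype>".
LOG_RE = re.compile(r"^(\S+)\s+(\S+)\s+query\s+(\S+)\s+(\S+)$")

SAMPLE_DNS_LOG = """\
2024-11-06T10:01:02Z 10.0.0.12 query www.example.com A
2024-11-06T10:01:05Z 10.0.0.12 query ws.dksu.top A
2024-11-06T10:01:09Z 10.0.0.44 query mixcom.one. A
2024-11-06T10:02:00Z 10.0.0.44 query notfreebasic.cn A
2024-11-06T10:02:30Z 10.0.0.51 query freebasic.cn AAAA
this line is not a DNS query record
""".splitlines()


@dataclass
class Hit:
    line_no: int
    client: str
    query: str
    ioc: str


def refang(indicator: str) -> str:
    """Turn a defanged indicator ('dksu[.]top') into the literal domain, normalised for matching."""
    return indicator.replace("[.]", ".").lower().strip(".")


def domain_matches(qname: str, ioc: str) -> bool:
    """True for the IoC domain itself or any subdomain; 'notfreebasic.cn' must not match 'freebasic.cn'."""
    q = qname.lower().rstrip(".")  # absolute names in logs carry a trailing dot
    return q == ioc or q.endswith("." + ioc)


def scan_dns_log(lines, defanged=C2_DOMAINS_DEFANGED):
    """Return one Hit per log line whose queried name matches a C2 indicator."""
    iocs = [refang(d) for d in defanged]
    hits = []
    for n, line in enumerate(lines, 1):
        m = LOG_RE.match(line.strip())
        if not m:
            continue  # malformed or unrelated record
        _, client, qname, _ = m.groups()
        for ioc in iocs:
            if domain_matches(qname, ioc):
                hits.append(Hit(n, client, qname, ioc))
                break
    return hits


if __name__ == "__main__":
    for h in scan_dns_log(SAMPLE_DNS_LOG):
        print(f"line {h.line_no}: {h.client} resolved {h.query} -> matches {h.ioc}")
```

The suffix match is deliberately anchored on a leading dot: a plain `endswith("freebasic.cn")` would also fire on an unrelated name such as `notfreebasic.cn`, which is the kind of false positive that erodes trust in an IoC feed.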

06-Nov-2024
1 min read

Android

NECRO

Explore the resurgence of the Necro Trojan, its infiltration of Google Play, and...

In recent years, the landscape of mobile malware has evolved dramatically, especially as users increasingly seek modified applications (mods) for popular services like Spotify and WhatsApp. These mods often promise users enhanced functionality or ad-free experiences. Unfortunately, many of these unofficial modifications come with significant risks, including embedded malware that can compromise user data and device security. One such threat that has resurfaced is the **Necro Trojan**, a multi-stage malware loader that has been found infiltrating popular apps both on unofficial sources and within Google Play itself. The Necro Trojan poses a significant risk due to its sophisticated evasion techniques, including **obfuscation**, **steganography**, and multi-stage payload deployment, making it challenging to detect and mitigate.

### Significance of the Threat

Necro is not just another run-of-the-mill malware. Its modular design allows it to execute a variety of malicious functions, such as:

- Displaying ads in invisible windows.
- Interacting with web elements in the background.
- Downloading and executing arbitrary files.
- Installing applications covertly.
- Subscribing users to paid services without their consent.

In total, **millions of devices** have been affected by this malware, which demonstrates the wide-reaching consequences of using modded applications from unofficial sources. Necro's reappearance on **Google Play** through infected apps signals the continuous efforts of cybercriminals to exploit both trusted and untrusted distribution channels, significantly increasing the scope of potential victims.

---

### Technical Analysis

#### Discovery of Necro Trojan

The Necro Trojan was first discovered in 2019 when it was embedded in the widely used document-scanning application **CamScanner** on Google Play. At the time, the app had over **100 million downloads**. The malicious Necro loader was hidden within an innocuous-looking update, which, once installed, delivered the payload to the user's device. Fast forward to 2024, and Necro has returned with even more complex evasion techniques and wider distribution.

***Spotify mod***

In **late August 2024**, security researchers identified the Necro Trojan once again, this time embedded in modded applications like **Spotify Plus** and **WhatsApp mods**, downloaded from unofficial sources. What made the discovery particularly concerning was that some infected apps were found within the **Google Play Store**, indicating that even vetted platforms are not immune to Necro's reach.

#### Malware Delivery & Spread

##### Initial Infection Vectors

The primary infection vectors for the Necro Trojan include:

1. **Unofficial APK websites**: Users looking for modified versions of apps, such as Spotify mods with premium features unlocked, were downloading infected versions from websites like **spotiplus[.]xyz**. These websites falsely claimed to offer certified and safe versions of the applications, luring users into a false sense of security.
2. **Google Play Store**: Legitimate-looking applications, such as **Wuta Camera** and **Max Browser**, were found to have been compromised with the Necro loader. These apps were downloaded millions of times, illustrating the widespread distribution.

***Wuta Camera App in Google Play***

###### Example:

In **Wuta Camera**, a popular photo-editing app, the Necro loader was embedded in versions starting from **v6.3.2.148**. By the time the malicious activity was discovered, the app had been downloaded over **10 million times**. After security researchers flagged the issue, the loader was removed in **v6.3.7.138**.

##### Modifications and Trojan Features

Necro Trojan's operation hinges on its ability to **modify legitimate apps** without arousing suspicion. A typical infected app includes a **custom Application subclass** that initializes a malicious SDK, such as **Coral SDK**, during its execution. This SDK is responsible for integrating various advertising modules into the app, but more importantly, it communicates with a **Command-and-Control (C2) server**, transmitting data about the compromised device. The C2 server then issues commands back to the Trojan, triggering specific malicious behaviors like:

- Downloading additional malware.
- Running code via the **DexClassLoader** (allowing it to execute arbitrary Java code).
- Interacting with invisible ads to generate revenue for the attackers.

###### Technical Example:

Here is a sample of the JSON data transmitted by the Trojan to the C2 server:

```json
{
  "appId": "REDACTED",
  "channelId": "com.spoti.plus",
  "androidId": "REDACTED",
  "isAdb": false,
  "isProxy": false,
  "isSimulator": false,
  "isDebug": false,
  "localShellVer": 0,
  "sdkVer": 116,
  "appVersion": "1020000005",
  "appVersionName": "18.9.40.5"
}
```

---

### Obfuscation Techniques and Multi-Stage Payload Execution

#### Obfuscation and Steganography

One of the reasons Necro is so difficult to detect lies in its sophisticated use of **obfuscation techniques**. The malicious code is obfuscated using tools like **OLLVM** (Obfuscator-LLVM), which scrambles the code into a format that is extremely challenging to decompile or analyze. Additionally, **steganography** is employed to hide payloads within seemingly innocuous files, such as **PNG images**. The Trojan downloads these images from the C2 server, extracts the hidden data using Android's `getPixel` method, and then reconstructs it into a **Base64-encoded JAR file**. Once decoded, this JAR file is executed by **DexClassLoader**, allowing the Trojan to execute the next stage of its payload without raising red flags.

###### Example of Steganography:

The image carries the encoded payload in the least significant byte of each ARGB pixel value, which is the blue channel:

```java
int pixelValue = bitmap.getPixel(x, y);
byte payloadByte = (byte) (pixelValue & 0xFF); // Extracts the blue channel (low byte of the ARGB int)
```

This payload extraction process highlights Necro's ability to hide in plain sight and execute code without triggering conventional antivirus software.

### Real-World Case Studies

#### Infected Applications: Wuta Camera and Max Browser

##### Wuta Camera:

**Wuta Camera** is a widely used photo-editing app available on **Google Play** with over **10 million downloads**. It was initially released as a legitimate app, but in **version 6.3.2.148**, the Necro Trojan was embedded within it. This infection allowed attackers to exploit a large user base, especially in regions like **Russia, Brazil,** and **Vietnam**. By the time the infected version was discovered, thousands of users had already been affected.

###### How Necro Operated Within Wuta Camera:

1. Upon launch, Wuta Camera initialized its legitimate functions, including photo-editing features, while the **Necro Trojan loader** ran in the background.
2. Necro would connect to its **C2 server**, transmitting details about the user's device, including **IMEI, IMSI**, and **Android OS version**.
3. The C2 server could then issue commands to:
   - Open **invisible WebViews** to interact with ads.
   - Download additional malware payloads (e.g., Base64-encoded JARs run via DexClassLoader).
   - Exfiltrate sensitive device information.

After being reported by security researchers, **Google Play removed the malicious version**, and Wuta Camera was forced to release a **clean version** in **6.3.7.138**.

##### Max Browser:

**Max Browser** was another popular app infected with the Necro Trojan. With over **1 million downloads**, it represented a significant attack vector for the Trojan authors.
**Version 1.2.0** of Max Browser included the **Necro loader**, which used **Firebase Remote Config** to remotely update its payload. This version of the Trojan also utilized steganography to conceal malicious code in image files downloaded from the C2. ###### Key Features of the Necro Trojan in Max Browser: - **Obfuscation Layers**: Code was highly obfuscated using **OLLVM** and encrypted communication methods to evade security detection. - **Network Behavior**: The browser sent user data and app information to a remote server through encrypted POST requests, making it challenging for traditional security tools to detect. - **Stealth Operation**: Like Wuta Camera, Max Browser could open **hidden WebViews** to perform background ad fraud, ultimately draining user data and resources without their knowledge. By the time researchers identified the infection, the Trojan had affected a large number of users, primarily in **Southeast Asia**. The infected version was promptly removed after being flagged. --- ### Deep Dive into Code and Execution #### Code Samples and Steganographic Payload Extraction The **Necro Trojan** is particularly notable for its use of advanced code obfuscation and payload delivery techniques. Here, we will explore some of the **core technical elements** of the malware, including code samples that highlight its behavior. ##### DexClassLoader and Base64 Payload Execution One of the Trojan’s most dangerous techniques is its use of **DexClassLoader** to load and execute malicious payloads from dynamically downloaded JAR files. This allows the malware to evade static analysis and deliver malicious code at runtime. ###### Code Sample 1: Loading the Payload with DexClassLoader ```java // Sample code from the Trojan showing how a Base64-encoded JAR is loaded and executed. String encodedJar = "Base64 encoded JAR string here"; byte[] decodedJar = Base64.decode(encodedJar, Base64.DEFAULT); // Write the decoded bytes to a temporary file. 
File tempJar = new File(context.getCacheDir(), "temp.jar"); FileOutputStream fos = new FileOutputStream(tempJar); fos.write(decodedJar); fos.close(); // Use DexClassLoader to load and execute the JAR file. DexClassLoader classLoader = new DexClassLoader(tempJar.getPath(), context.getDir("dex", 0).getAbsolutePath(), null, context.getClassLoader()); Class<?> loadedClass = classLoader.loadClass("com.malicious.EntryPoint"); Method runMethod = loadedClass.getMethod("run"); runMethod.invoke(null); ``` **Explanation**: - The Trojan first decodes the **Base64-encoded JAR file** that it downloads from the C2 server. - The decoded file is temporarily stored in the app’s cache directory. - Using **DexClassLoader**, the malware dynamically loads the decoded JAR, making it invisible to many anti-malware tools. - The entry point `run()` method is invoked, which executes the next stage of the payload. #### Steganographic Techniques Another highly advanced technique used by the Necro Trojan is **steganography**. The payload is hidden inside **PNG images** using a simple, yet effective, **least significant bit (LSB) extraction** technique. By embedding the payload in the image, the Trojan can bypass traditional antivirus scanning, which doesn’t typically scan images for malicious code. ###### Code Sample 2: Extracting Payload from PNG Images ```java // Extracting the payload hidden in the least significant byte (LSB) of each pixel. 
Bitmap image = BitmapFactory.decodeStream(new FileInputStream("path/to/downloaded/image.png")); ByteBuffer payloadBuffer = ByteBuffer.allocate(image.getWidth() * image.getHeight() * 4); for (int y = 0; y < image.getHeight(); y++) { for (int x = 0; x < image.getWidth(); x++) { int pixel = image.getPixel(x, y); payloadBuffer.put((byte) (pixel & 0xFF)); // Store the least significant byte (blue channel) } } // Reconstruct the payload from the extracted bytes byte[] payload = new byte[payloadBuffer.position()]; payloadBuffer.rewind(); payloadBuffer.get(payload); // Decode the payload and prepare it for execution String base64Payload = new String(payload, StandardCharsets.UTF_8); byte[] decodedPayload = Base64.decode(base64Payload, Base64.DEFAULT); ``` **Explanation**: - The Trojan decodes the hidden payload from the **least significant byte (LSB)** of each pixel in the PNG image. - It reconstructs the Base64-encoded payload and then decodes it. - The decoded payload is then processed, typically by using **DexClassLoader** to execute the next stage. --- ***Infection Diagram*** ### Security Recommendations Given the sophisticated nature of the Necro Trojan, security measures need to go beyond traditional antivirus or basic app security. Here are **super-tailored and targeted recommendations** for users, developers, and enterprises: #### 1. For Users: - **Only Download Apps from Trusted Sources**: Stick to **official app stores** like Google Play or the Apple App Store, and avoid installing APKs from third-party websites. - **Verify App Permissions**: Always review the permissions an app requests. If an app requests permissions that seem excessive for its functionality (e.g., a photo-editing app requesting access to SMS), it should raise a red flag. - **Regularly Update Apps and OS**: Ensure that your device and apps are always running the latest versions, as these updates often include critical security patches. 
- **Use a Reputable Security Solution**: Install security software that specifically scans for **hidden malware**, such as steganography, and can analyze **real-time network behavior**. #### 2. For Developers: - **Review Third-Party SDKs**: The Trojan’s infection vector often involves compromised third-party SDKs, such as ad modules. Ensure that all SDKs used in the app are from trusted sources and regularly vetted for security. - **Implement Code Obfuscation Techniques**: While this seems counterintuitive, developers can also use obfuscation tools (like **ProGuard**) to prevent their apps from being easily modified or reverse-engineered by attackers. - **Monitor App for Abnormal Behavior**: Developers should implement analytics and monitoring that can detect unusual behaviors, such as large, unexpected data transfers or background app installations. #### 3. For Enterprises: - **Implement Mobile Device Management (MDM)**: Enterprises should use **MDM solutions** to monitor and control apps installed on company devices. These systems can help enforce policies that prevent the installation of unapproved apps. - **Network Traffic Monitoring**: Implement systems that can detect abnormal network traffic patterns, especially **encrypted outbound connections** to suspicious domains (e.g., bearsplay[.]com). - **Regular Threat Intelligence Feeds**: Subscribe to threat intelligence feeds that report new indicators of compromise (IOCs) for emerging threats like Necro. This allows security teams to update their defense mechanisms in real-time. #### 4. Additional Security Recommendations: - **Use App Sandboxing**: Running apps in a sandbox environment can help mitigate the damage if malware is present. Even if an app attempts to exfiltrate data or execute a payload, it will be limited to the sandboxed environment. 
- **Deep Packet Inspection (DPI)**: For enterprises, utilizing **DPI tools** can help detect malicious traffic by inspecting data packets in real time, even if the malware uses obfuscation techniques.

---

### Conclusion

The resurgence of the **Necro Trojan** illustrates the persistent and evolving threats that target mobile devices. Its ability to evade detection through **multi-stage loading**, **obfuscation**, and **steganography** poses a significant challenge to both users and security professionals. With millions of devices affected globally, the Necro Trojan demonstrates how even trusted platforms like Google Play can become a distribution vector for sophisticated malware.

To mitigate these risks, it is crucial for all stakeholders—users, developers, and enterprises—to remain vigilant. Users must exercise caution when downloading apps, developers need to ensure their applications are secure and uncompromised, and enterprises must deploy robust security measures to protect their devices and data from these evolving threats. By staying informed, employing best security practices, and leveraging advanced security solutions, we can collectively reduce the threat posed by malware like Necro.
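The extraction loop shown above, viewed from the defender's side. This is an added example, not code from the page, from the Necro sample or from any vendor analysis: it pulls the low byte of every pixel the same way the loader does, then looks for a long run of bytes that stays inside the Base64 alphabet, which a carrier image prepared for this loader must contain and an ordinary image almost never does. Pixel data is modelled as a list of ARGB integers (constructed) so the script runs without an image library; the clean and stego sample images, the secret string and the 32-byte run threshold are assumptions of the example.

```python
"""Heuristic scan for Base64 text hidden in the low byte of image pixels.

Added example; not code from the page, from the Necro sample or from any
vendor analysis. Pixels are plain ARGB ints so the script runs without PIL;
a real scanner would feed it the pixel data of each PNG bundled in an APK.
"""
import base64
import binascii
import re
from typing import List, Optional, Tuple

# A random byte lands in the 65-symbol Base64 alphabet about 25% of the time,
# so a run this long (0.25**32) essentially never occurs by accident.
MIN_RUN = 32
_B64_RUN = re.compile(rb"[A-Za-z0-9+/=]{%d,}" % MIN_RUN)


def low_bytes(pixels: List[int]) -> bytes:
    """Collect the least significant byte of each ARGB pixel (the blue channel),
    exactly what the Trojan's loop stores."""
    return bytes(p & 0xFF for p in pixels)


def decode_run(run: bytes) -> Optional[bytes]:
    """Strict Base64 decode of a candidate run. Up to three trailing bytes are
    trimmed in case the run absorbed neighbouring pixels that happen to fall
    inside the alphabet."""
    for trim in range(4):
        candidate = run[: len(run) - trim]
        if len(candidate) % 4:
            continue
        try:
            return base64.b64decode(candidate, validate=True)
        except binascii.Error:
            continue
    return None


def find_hidden_payload(pixels: List[int]) -> Optional[Tuple[int, bytes]]:
    """Return (pixel offset, decoded payload) for the first run that decodes
    cleanly, or None when the low-byte plane looks like ordinary image data."""
    plane = low_bytes(pixels)
    for match in _B64_RUN.finditer(plane):
        decoded = decode_run(match.group(0))
        if decoded is not None:
            return match.start(), decoded
    return None


# --- constructed sample images (no real image files are used) ----------------

def _argb(r: int, g: int, b: int) -> int:
    return 0xFF000000 | (r << 16) | (g << 8) | b


def build_clean_image(size: int = 256) -> List[int]:
    """Stand-in for a benign image: the blue channel steps by 37 each pixel,
    so it never stays inside the Base64 alphabet for more than a few bytes."""
    return [_argb(i % 256, (i * 7) % 256, (i * 37 + 11) % 256) for i in range(size)]


def build_stego_image(secret: bytes, size: int = 256) -> List[int]:
    """Stand-in for a carrier PNG: Base64 text in the blue channel followed by
    zero padding, the layout the extraction loop above reads back."""
    encoded = base64.b64encode(secret)
    if len(encoded) > size:
        raise ValueError("secret does not fit in the image")
    blues = encoded + b"\x00" * (size - len(encoded))
    return [_argb(i % 256, (i * 7) % 256, blues[i]) for i in range(size)]


if __name__ == "__main__":
    for name, img in [("clean", build_clean_image()),
                      ("stego", build_stego_image(b"constructed-stage2-payload"))]:
        print(name, "->", find_hidden_payload(img))
```

Run against the PNGs shipped inside an APK (or fetched by an ad SDK at run time), a hit means the blue channel carries text rather than picture data; the trimming in `decode_run` copes with a run that accidentally swallows a neighbouring pixel. The same pass can be repeated over the red and green channels, since a loader could equally pick either of those.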

25-Sep-2024
1 min read

Malware

Voldemort Malware exploits Google Sheets for espionage, blending cybercrime with...

This **Threat Research** explores the underlying intricacies of the **Voldemort malware campaign**, a highly sophisticated cyber-espionage operation. Designed for **Malware Researchers**, **Security Analysts**, **CISOs**, and **CSOs**, this [analysis](https://www.secureblink.com/threat-research) delves into Voldemort’s use of trusted services, **multi-vector attacks**, and its ability to blend **cybercrime and espionage techniques**. Key to the campaign is its abuse of **Google Sheets** for **Command and Control (C2)** communications, masking its malicious activities behind trusted services. Furthermore, Voldemort uses **DLL side-loading** via legitimate Cisco WebEx executables and advanced **[fileless techniques](https://www.secureblink.com/cyber-security-news/phishing-espionage-attack-targets-us-taiwan-defense-conference)**, emphasizing the threat it poses to modern enterprises.

---

#### **Scope**

The Voldemort malware targets a broad range of industries including **insurance**, **aerospace**, **transportation**, and **education**, combining **espionage** with **cybercrime** techniques. This Threat Research & Analysis addresses:

- **Phishing Techniques**: Detailing how Voldemort used **language-customized phishing** lures impersonating tax authorities.
- **C2 via Legitimate Platforms**: Explaining the operational stealth of using **Google Sheets** for command communication and data exfiltration.
- **DLL Side-loading and Exploits**: Investigating how Voldemort leverages legitimate software vulnerabilities.
- **Espionage and Cybercrime Convergence**: Analyzing the blending of **cybercriminal** and **nation-state espionage** tactics.

---

#### **Voldemort as a Hybrid Threat**

The Voldemort malware combines **cybercrime** and **espionage**, using familiar techniques such as **phishing** while incorporating sophisticated evasion tactics like **cloud-based C2 infrastructure**. This hybridization is what makes Voldemort an **unprecedented** threat.
![Screenshot 2024-08-29 at 10.48.18 AM.png](https://sb-cms.s3.ap-south-1.amazonaws.com/Screenshot_2024_08_29_at_10_48_18_AM_2fa1f2cd2c.png)

***Sectors in which Voldemort malware email campaigns have been active (Proofpoint)***

---

### **Campaign Overview: Voldemort Malware**

---

#### **Campaign Start and Phishing Volume**

Voldemort’s first detection occurred on **August 5, 2024**, escalating rapidly with **20,000 phishing emails** sent by **mid-August**. The campaign’s **phishing emails** targeted more than **70 organizations globally** in industries like **insurance** and **aerospace**, pointing to potential **industrial espionage**.

---

#### **Phishing Lures and Techniques**

- **Impersonation Strategy**: Phishing emails impersonated tax authorities, such as the **IRS (US)** and **HMRC (UK)**, using authentic sender domains to bypass basic security controls.
- **Custom Language Phishing**: Emails were customized for each region, targeting victims in their native language, which added to their apparent legitimacy.
- **Embedded URLs**: Phishing emails included **Google AMP Cache URLs**, redirecting victims to **InfinityFree** hosted landing pages that delivered malicious payloads.

![Screenshot 2024-08-29 at 10.49.26 AM.png](https://sb-cms.s3.ap-south-1.amazonaws.com/Screenshot_2024_08_29_at_10_49_26_AM_422fff4225.png)

***InfinityFree hosted landing page***

---

#### **Initial Attack Chain and Exploits**

- **Phishing Email Components**: Clicking the malicious link triggered a **search-ms URI** download, masking malicious LNK or ZIP files as legitimate PDF documents.
- **C2 via Google Sheets**: **Google Sheets** was used as the primary C2, allowing Voldemort to exfiltrate data and receive commands without triggering alarms.

---

#### **Mid-Campaign Spike and Evolution**

The campaign intensified on **August 17, 2024**, with a peak of **6,000 phishing emails** in one day.
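A mail-triage check for the lure format described under Phishing Lures and Initial Attack Chain above, added here as an example (not code from the page or from Proofpoint's analysis). It scores a message on the three traits the chain relies on: a `search-ms:` link in the body, URLs on Google AMP Cache or InfinityFree hosting, and an LNK or ZIP attachment named to look like a PDF. The two sample messages, their subjects and attachment names, the scoring weights and the extension lists are assumptions of the example; the only non-reserved hostname in the samples is the InfinityFree domain taken from the IoC list further down.

```python
"""Triage of mail lures matching the Voldemort delivery chain.

Added example, not code from the page or from Proofpoint's analysis.
"""
import re
from dataclasses import dataclass, field
from typing import Dict, List
from urllib.parse import urlparse

# Windows Search protocol handler; a mail body has no legitimate reason to link to it.
SEARCH_MS = re.compile(r"\bsearch-ms:[^\s\"'<>]*", re.IGNORECASE)
HTTP_URL = re.compile(r"https?://[^\s\"'<>]+", re.IGNORECASE)

# Hosting used in the campaign: Google AMP Cache redirects and InfinityFree landing pages.
CAMPAIGN_HOST_SUFFIXES = ("cdn.ampproject.org", "infinityfreeapp.com")

# "Document" extensions used as bait and the file types hidden behind them (assumed lists).
BAIT_EXT = {"pdf", "doc", "docx", "xls", "xlsx"}
HIDDEN_EXT = {"lnk", "zip", "exe", "js", "vbs", "hta", "iso"}


@dataclass
class Verdict:
    score: int = 0
    reasons: List[str] = field(default_factory=list)

    def add(self, points: int, reason: str) -> None:
        self.score += points
        self.reasons.append(reason)


def is_campaign_host(url: str) -> bool:
    """True when the URL's host is one of the campaign's hosting providers or a subdomain of it."""
    host = (urlparse(url).hostname or "").lower()
    return any(host == s or host.endswith("." + s) for s in CAMPAIGN_HOST_SUFFIXES)


def is_masquerading_name(name: str) -> bool:
    """True for names like IRS_P966.pdf.lnk: a bait extension in front of the real one."""
    parts = name.lower().rsplit(".", 2)
    return len(parts) == 3 and parts[1] in BAIT_EXT and parts[2] in HIDDEN_EXT


def triage(body: str, attachments: List[str]) -> Verdict:
    """Score one message. Any positive score deserves analyst attention;
    a search-ms link on its own is reason enough to quarantine."""
    verdict = Verdict()
    for uri in SEARCH_MS.findall(body):
        verdict.add(5, f"search-ms link: {uri}")
    for url in HTTP_URL.findall(body):
        if is_campaign_host(url):
            verdict.add(3, f"campaign hosting: {url}")
    for name in attachments:
        if is_masquerading_name(name):
            verdict.add(4, f"masquerading attachment: {name}")
    return verdict


# Constructed messages: the first is modelled on the tax-authority lure, the second is benign.
SAMPLE_MESSAGES: List[Dict] = [
    {
        "subject": "IRS: your tax form P966 is ready",
        "body": (
            '<a href="search-ms:query=IRS_P966&displayname=Tax%20Documents">Open form</a> '
            "or download it from https://pubs.infinityfreeapp.com/IRS_P966.html"
        ),
        "attachments": ["IRS_P966.pdf.lnk"],
    },
    {
        "subject": "Q3 invoice",
        "body": "Invoice attached, details at https://billing.example.com/invoices/123",
        "attachments": ["invoice-123.pdf"],
    },
]


def triage_all(messages: List[Dict]) -> Dict[str, int]:
    return {m["subject"]: triage(m["body"], m["attachments"]).score for m in messages}


if __name__ == "__main__":
    for m in SAMPLE_MESSAGES:
        v = triage(m["body"], m["attachments"])
        print(f"{m['subject']!r}: score={v.score}")
        for r in v.reasons:
            print("   ", r)
```

The `search-ms:` check is the one worth wiring into a mail gateway as a hard block: ordinary business mail never links to the Windows Search handler, so it produces no false positives, whereas the hosting and filename checks are scoring signals that can be tuned.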
As the campaign progressed, attackers evolved their delivery techniques, using **obfuscated payloads** and **[TryCloudflare](https://developers.cloudflare.com/cloudflare-one/connections/connect-networks/do-more-with-tunnels/trycloudflare/) tunnels** for hosting malicious components.

---

### **Technical Features of Voldemort Malware**

---

#### **Backdoor Capabilities: Command Execution and Payload Delivery**

At its core, Voldemort uses a **C-based backdoor** to carry out **espionage** activities such as data exfiltration and command execution. The malware initially deploys via a phishing link that triggers **search-ms URI exploitation**, launching **fileless Python scripts** to avoid detection. These scripts gather detailed system information using **platform.uname()**.

- **Exfiltration**: Data is **base64 encoded** and sent via encrypted requests to the C2 server.
- **Follow-up Payloads**: Voldemort’s backdoor exploits legitimate software like **Cisco WebEx** to deliver secondary payloads using **DLL side-loading**.

---

#### **Command and Control via Google Sheets**

Voldemort’s most unique feature is its use of **Google Sheets** for C2 communications. This allows the malware to stay under the radar by communicating through **trusted cloud platforms**. Each infected machine is assigned a **UUID**, which it uses to interact with designated cells in the Google Sheet, executing commands or exfiltrating data.

![p4_6.png](https://sb-cms.s3.ap-south-1.amazonaws.com/p4_6_309cb2ffc4.png)

- **Why Hard to Detect**: Traditional **firewalls and IDS** typically whitelist Google services, making it difficult for defenders to identify this **anomalous behavior**.

---

#### **DLL Side-Loading and Fileless Execution**

Voldemort’s **DLL side-loading** exploits **CiscoCollabHost.exe**, loading its malicious DLL to execute under the guise of a trusted process.
Combined with **fileless execution** using **PowerShell** and **Python scripts** from **WebDAV shares**, this strategy allows Voldemort to bypass endpoint protection systems.

![p13_1.png](https://sb-cms.s3.ap-south-1.amazonaws.com/p13_1_aaa689de72.png)

---

#### **Key Command Set**

- **Ping**: Tests connectivity to C2 servers.
- **Dir**: Retrieves directory listings for further exploration.
- **Download/Upload**: Facilitates file exfiltration and payload deployment.
- **Exec**: Executes commands remotely, giving full control over the infected machine.

---

### **Post-Exploitation and Persistence**

---

Voldemort uses **scheduled tasks** to maintain persistence, ensuring its backdoor remains active after reboots. Additionally, the malware’s backdoor includes a **delayed execution** mechanism to avoid sandbox analysis.

---

### **Espionage Motivation and Attribution**

---

Voldemort’s campaign exhibits characteristics of **Advanced Persistent Threats (APTs)**, focusing on **espionage** rather than financial gain. The malware targets **high-value sectors** like **aerospace** and **insurance**, which suggests **state-sponsored motivations**.

#### **Blurring Cybercrime and Espionage**

While Voldemort employs **cybercriminal tactics**, such as phishing, its long-term data collection and intelligence-gathering capabilities point to **espionage objectives**. The **blending of techniques** makes it difficult to attribute to a specific threat actor.

---

### **Indicators of Compromise (IoCs)**

---

#### **Phishing URLs and Redirect Mechanisms**

Key **phishing URLs** hosted on **InfinityFree** and **Google AMP Cache** are primary indicators of compromise. These URLs often redirect victims to landing pages containing malicious files.
- **Examples**:
  - `hxxps://pubs[.]infinityfreeapp[.]com/IRS_P966[.]html`
  - `hxxps://resource[.]infinityfreeapp[.]com/ABC_of_Tax[.]html`

---

#### **Malicious File Hashes**

Monitoring file hashes such as those of **CiscoSparkLauncher.dll** and **test.zip** can help identify and block malicious files.

- **CiscoSparkLauncher.dll Hash**: `561e15a46f474255fda693afd644c8674912df495bada726dbe7565eae2284fb`

---

#### **IP Addresses: WebDAV and TryCloudflare Tunnels**

**WebDAV shares** and **TryCloudflare tunnels** were used for payload delivery and command execution.

- **Key IP**: `83[.]147[.]243[.]18`

---

### **Defensive Measures and Recommendations**

---

#### **Monitor Google Sheets Traffic**

Monitoring for **anomalous traffic** to **Google Sheets** is essential. Any unusual volume of data transferred, or repeated connections from the same machine, should raise alerts.

---

#### **Restrict External File Access**

Restrict access to **unnecessary external file-sharing services** like **WebDAV** and **TryCloudflare** to prevent fileless execution.

---

#### **Implement Behavioral Detection**

Since Voldemort relies on **fileless execution**, **behavior-based detection** is critical. Monitoring **PowerShell and API calls** for anomalies can reveal malware attempting to execute scripts from remote sources.

---

### **Conclusion: Comprehensive Analysis of Voldemort Malware**

The **Voldemort malware campaign** represents an evolution in **cyber-espionage**, merging **cybercriminal** and **nation-state tactics**. Its abuse of **trusted platforms** like **Google Sheets** introduces new challenges for defenders. As malware continues to leverage **cloud-based infrastructure** and **fileless execution**, security teams must evolve their defenses to monitor **trusted services** and detect **anomalous behaviors** early.
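The Google Sheets monitoring recommended above, together with matching against the published indicators, worked through on constructed proxy logs as an added example (not code from the page or from Proofpoint's analysis). Because firewalls whitelist Google services, the useful signal is not the destination but the rhythm: a timer-driven implant polls its sheet at near-constant intervals, a person editing a spreadsheet does not, so the script computes the coefficient of variation of the gaps between requests per client. Assumptions of the example: the five-field log layout, the client addresses and timings, the placeholder spreadsheet and document IDs, and that the implant reaches Sheets through `sheets.googleapis.com`; the indicator values are the ones listed above, refanged.

```python
"""Proxy-log review for the listed IoCs and for evenly spaced Google Sheets traffic.

Added example, not code from the page or from Proofpoint's analysis. The log
format is a constructed five-field layout (timestamp, client IP, host, bytes
sent, path); real proxy or NGFW exports need their own parser.
"""
import statistics
from collections import defaultdict
from datetime import datetime, timedelta, timezone
from typing import Dict, List, NamedTuple


class Request(NamedTuple):
    ts: datetime
    src: str
    host: str
    bytes_out: int
    path: str


# Indicators taken from the IoC section above (refanged for matching).
IOC_HOSTS = {"pubs.infinityfreeapp.com", "resource.infinityfreeapp.com", "83.147.243.18"}
# Assumption: the endpoint a Sheets-based C2 channel has to reach to read and write cells.
SHEETS_HOSTS = {"sheets.googleapis.com"}


def parse_line(line: str) -> Request:
    ts, src, host, size, path = line.split(" ", 4)
    return Request(datetime.fromisoformat(ts.replace("Z", "+00:00")), src, host, int(size), path)


def match_iocs(reqs: List[Request]) -> List[Request]:
    """Direct hits on the published indicators."""
    return [r for r in reqs if r.host in IOC_HOSTS]


def find_beacons(reqs: List[Request], min_requests: int = 8, max_cv: float = 0.2) -> Dict[str, Dict]:
    """Per client, flag Sheets traffic that recurs with a near-constant interval.
    stdev/mean of the gaps is small for a timer-driven implant and large for a person."""
    by_src: Dict[str, List[Request]] = defaultdict(list)
    for r in reqs:
        if r.host in SHEETS_HOSTS:
            by_src[r.src].append(r)
    findings: Dict[str, Dict] = {}
    for src, rs in by_src.items():
        if len(rs) < min_requests:
            continue
        rs.sort(key=lambda r: r.ts)
        gaps = [(b.ts - a.ts).total_seconds() for a, b in zip(rs, rs[1:])]
        mean = statistics.mean(gaps)
        cv = statistics.pstdev(gaps) / mean if mean > 0 else float("inf")
        if cv <= max_cv:
            findings[src] = {
                "requests": len(rs),
                "period_s": round(mean, 1),
                "cv": round(cv, 3),
                "bytes_out": sum(r.bytes_out for r in rs),  # volume, the other signal to alert on
            }
    return findings


def build_sample_log() -> List[str]:
    """Constructed log: 10.0.0.23 polls Sheets about once a minute and fetches from the
    listed IP, 10.0.0.7 works in Google Docs normally, 10.0.0.9 opened the lure page."""
    base = datetime(2024, 8, 17, 9, 0, tzinfo=timezone.utc)

    def line(offset_s: int, src: str, host: str, size: int, path: str) -> str:
        t = base + timedelta(seconds=offset_s)
        return f"{t.strftime('%Y-%m-%dT%H:%M:%SZ')} {src} {host} {size} {path}"

    lines = [line(30, "10.0.0.23", "83.147.243.18", 512, "/webdav/")]
    t = 0
    for i, gap in enumerate([0, 60, 58, 63, 61, 59, 60, 62, 57, 60, 61, 59]):
        t += gap
        lines.append(line(t, "10.0.0.23", "sheets.googleapis.com", 2048 + 100 * i,
                          "/v4/spreadsheets/SHEET_ID_PLACEHOLDER/values/A1"))
    lines += [
        line(0, "10.0.0.7", "sheets.googleapis.com", 900, "/v4/spreadsheets/SHEET_ID_PLACEHOLDER/values/B2"),
        line(412, "10.0.0.7", "docs.google.com", 1400, "/document/d/DOC_ID_PLACEHOLDER/edit"),
        line(2900, "10.0.0.7", "sheets.googleapis.com", 700, "/v4/spreadsheets/SHEET_ID_PLACEHOLDER/values/B3"),
        line(3010, "10.0.0.7", "sheets.googleapis.com", 650, "/v4/spreadsheets/SHEET_ID_PLACEHOLDER/values/B4"),
        line(200, "10.0.0.9", "pubs.infinityfreeapp.com", 300, "/IRS_P966.html"),
    ]
    return lines


def analyse(lines: List[str]) -> Dict[str, object]:
    reqs = [parse_line(l) for l in lines]
    return {"ioc_hits": match_iocs(reqs), "beacons": find_beacons(reqs)}


if __name__ == "__main__":
    result = analyse(build_sample_log())
    for hit in result["ioc_hits"]:
        print("IoC hit:", hit.src, "->", hit.host, hit.path)
    for src, info in result["beacons"].items():
        print("possible Sheets beacon:", src, info)
```

The `min_requests` and `max_cv` thresholds are the tuning knobs: a longer observation window lets the request floor rise, and an implant that adds random sleep before each poll pushes the coefficient of variation up, so pair the rhythm check with the per-client `bytes_out` total, which exfiltration inflates regardless of timing.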

23-Sep-2024
1 min read