In this talk we'll take a look at two Android surveillanceware families, ViperRAT and FrozenCell, both of which have been used in long-running campaigns. Victims include the Israeli Defence Force, and analysis suggests the Palestinian Security Services, the Ministry of the Interior and the leading political party in Palestine were also targeted. We'll cover the capabilities of each family, their supporting infrastructure, some OpSec fails that gave us insight into exfiltrated data, and see just how effective ViperRAT and FrozenCell have been given that they don't use any exploits.
3. $whoami
Flossman
• Threat Intel Services @ Lookout
  • Hunting for surveillanceware
  • Looking for novel techniques
  • Tracking actors & campaigns
• Co-founded Tesserae Security
  • Android app dev, BYOD security tool DigitalPrince
• Aussie Govt
  • Prototyping, vuln research, IR, blue team, mobile sec, device hardening
4. Expanding Arsenals
New tools to follow the money & intel
• Implementation of mTANs
  • Transactions tied to a one-time code sent to mobile
  • Security control to mitigate unauthorized transactions
• Attackers rapidly evolve
  • Traditionally desktop-based arsenal now with mobile capability
• Actors focused on gathering intelligence have been making a similar transition
5. Surveillanceware Prereqs
Can haz zero day?
[Slide image: chat lure] “Hi there handsome … I’d love to hear more about your military unit and the equipment you have access to. I’ll send more photos of myself, but I’d feel more comfortable first if you installed this custom chat app. k thx bai”
9. ViperRAT
First stages – Minimal footprint profiling
• Gather basic telemetry & profile device (installed apps, device metadata etc)
• Functionality to manage installation of the ‘agent’ aka 2nd stage
• Provides attacker with a basic API
  • Get agent URLs, upload profile / check if previously posted
  • Silently install 2nd stage, or prompt user and flag to operator that the prompt was shown
  • Clean up download of 2nd stage post install
• Entry points – user driven || on boot
10. ViperRAT
2nd Stages – Semi-tailored for victim environment
• Attempts to hide in the noise on target device
  • WhatsApp Update
  • Viber Update
  • System Update
  • System Updates
11. ViperRAT
2nd Stages – Capabilities
• Search external storage for office docs
  • PDF, doc, docx, xls, xlsx, ppt, pptx
• Retrieve the WhatsApp database and also pull back the WhatsApp key for decryption
• User dictionary words
  • user words entered into other apps
  • associated app id
  • frequency
• First Android app that uses DLLs??
• Record audio
• Record video
• Take a screenshot
• Text messages
• Contacts
• Geolocation
• Browser bookmarks, search history (default browser, Chrome, Firefox)
• Call logs
• Launch the browser to an attacker-specified URL
• Take photos with the device camera
• Get installed apps
• Get / delete attacker-specified files
• Cell tower id, cell LAC, MCC, signal strength, base station id (implemented for GSM, CDMA, LTE, WCDMA)
16. ViperRAT
Directory structure – Recovering device and IMEI details
[Slide diagram: per-device C2 directory name 1723272119172935 3302822 2852102311761661948102, annotated to show the encoded manufacturer characters (S A M S U N G) and the remaining digits that form the IMEI 352117661948102]
19. ViperRAT
Analysis around modified timestamps of exfil
• Mirror C2 -> log2timeline -> Kibana
• Using modified timestamps of victim data up to July 17th 2017
• Pictures taken when victims answer their phone
  • Likely used for profiling users
• Looks like it is tapering off but still collecting 1k+ files a week
Victim behaviour – images taken when calls received
20. ViperRAT
Operator instructions & behaviour – Fri & Sat only?
• Contacts retrieved by operator
• Geolocation info retrieved
• SMS content retrieved
21. FrozenCell
Desktop Lures
• Palestinian Security Services (Dismissal & Promotion notices)
• General Directorate of Civil Defence - Ministry of the Interior (Troop movements)
• 7th Fateh Conference of the Palestinian National Liberation Front (Meeting Minutes)
• Lure filename: Trump impersonator with models - hot models.mpg.exe
22. FrozenCell
I got 99 apps but a sploit ain’t one
- Call recording
- SMS retrieval
- Image retrieval
- Location tracking
- Device metadata - MCC, MNC
- Downloading and installing attacker-specified apps
- Searching for and exfiltrating PDF, doc, docx, ppt, pptx, xls, and xlsx
- Contacts
- On Huawei devices with protected mode, automatically tries to add itself to the list of protected apps that are allowed to run in the background while the screen is off. Shows a dialog asking to be added if it can’t do it automatically.
23. FrozenCell
Out of band comms (SMS commands)
• Trigger call recording
  • Message needs to contain a #. for call recording
  • #....# where each . adds an hour to the total amount of time to record before recording is stopped
• Stop call recording
  • #,, - stops any recording that’s been kicked off by SMS command messages
• Ends with
  • 15171 – enables receivers (call monitoring, hot micing, connectivity, update apk)
  • 15181 – disables receivers
  • 15191 – uninstall
  • 15101 – delete any recordings from <external_storage>/android/sys/rec/
  • *.g – enable comms when only mobile data is available
  • *,g – disable comms when only mobile data is available
Example command messages, disguised as ordinary notifications:
Your Google verification code is 1644827 http://gmail.com/mail/u/0/#.#/
Your LinkedIn verification code is 15171.
Your order 177283 has shipped. UPS tracking #8123661. Thanks for your order http://wtrk.us/?x=33319204*.g
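The grammar above is small enough to turn into a triage rule. The parser below is an added example, not FrozenCell's own code or Lookout tooling: it classifies an SMS body against the commands the talk recovered. Where the slides do not say how the client matches, the example assumes: the recording trigger needs the dots enclosed between two `#` characters (`#....#`), a trailing full stop is tolerated before a trailing code (as in the LinkedIn lure), and only one trailing code is honoured per message. The three lure messages from the slide are the sample input.

```python
import re

# Added example (not FrozenCell's own code): classify an SMS body against the
# out-of-band command grammar the talk recovered from the client.
# Trailing codes, taken from the slide; the command names are ours.
TRAILING_CODES = {
    "15171": "enable_receivers",      # call mon, hot micing, connectivity, update apk
    "15181": "disable_receivers",
    "15191": "uninstall",
    "15101": "delete_recordings",     # <external_storage>/android/sys/rec/
    "*.g": "mobile_data_comms_on",
    "*,g": "mobile_data_comms_off",
}
# '#....#' with one hour of recording per dot.  Assumption: the dots must sit
# between two '#' characters, so '#8123661' in a tracking number does not fire.
RECORD_RE = re.compile(r"#(\.+)#")
STOP_TOKEN = "#,,"


def parse_command(body):
    """Return a list of (command, argument) tuples found in one SMS body."""
    cmds = []
    if STOP_TOKEN in body:
        cmds.append(("stop_recording", None))
    m = RECORD_RE.search(body)
    if m:
        cmds.append(("record_calls_hours", len(m.group(1))))
    # Assumption: a trailing full stop is stripped before the 'ends with' check.
    tail = body.rstrip().rstrip(".")
    for code, cmd in TRAILING_CODES.items():
        if tail.endswith(code):
            cmds.append((cmd, None))
            break
    return cmds


def is_command(body):
    """True when the body carries at least one FrozenCell command."""
    return bool(parse_command(body))


# Sample input: the three lures shown on the slide, plus a benign message.
SAMPLE_SMS = [
    "Your Google verification code is 1644827 http://gmail.com/mail/u/0/#.#/",
    "Your LinkedIn verification code is 15171.",
    "Your order 177283 has shipped. UPS tracking #8123661. "
    "Thanks for your order http://wtrk.us/?x=33319204*.g",
    "Meeting moved to 3pm, see you there",   # constructed, not a command
]

if __name__ == "__main__":
    for sms in SAMPLE_SMS:
        print(parse_command(sms), "<-", sms)
```

Run over an SMS database dump, `is_command` is the hit list and `parse_command` tells you what the operator asked for; the `#8123661` tracking number in the third lure is the false positive a naive "contains #" rule would produce.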
30. FrozenCell
You used to call me on the cell phone
• Exfilled msg data indicates GMT+3
• Call data to +972 country code & 059 prefix
• Pretty sure server timezone is 12hrs off
  • Eg; datetime in filename of recorded call is 7am, duration is 50 seconds, modify timestamp on server file is 19:01, and they get uploaded immediately on completion
Editor's Notes
Sophisticated end of the spectrum when it comes to exploits – NSO, FF, HT.
As researchers I think we sometimes underestimate the effectiveness of actors operating at the lower end of the cost spectrum when it comes to exploits. The two families I’ll talk about don’t use exploits, but it’s worth keeping in mind that once you take exploits out of the picture, the surveillanceware capabilities and functionality of actors at both ends of the spectrum are fairly similar and in some cases identical.
So if we’re not using zero days, what’s our attack vector?
More often a text message …. That’s carefully crafted …. along with some social engineering is simply all that is needed.
Messages like this that appear to be sent from females are super effective and are nowhere near the cost of developing your own zerodays. Also means that if their tooling falls into the hands of security researchers that investment into zeroday development isn’t burnt.
This is exactly what we saw earlier this year with targeted attacks against the IDF with an Android surveillanceware tool that we call ViperRAT.
In this case, members of the IDF received messages on social media from accounts that appeared to belong to women. Once a rapport was built with the victim they’d be asked to install another chat application, linked to by the attacker.
Other trojanised first stage applications did come with their complete legitimate functionality intact; we saw a phone stats app, a billiards game, and a music player.
The goal of the first stage is to keep a minimal footprint while profiling the device and managing the installation of the 2nd stage.
No DGA
No resilience to takedowns
Potentially multiple campaigns given the number of domains and associated apps, but we haven’t found a pattern around that just yet.
Analysis of infrastructure showed that these guys had directory listings enabled for what we initially thought was exfiltrated data. However, running file/magic over it couldn’t identify the content; catting it out showed what looked like two distinct sections, the first base64 followed by binary data, and each file had fairly high entropy, so we were pretty sure there was at least some encrypted data.
Dead end without the private RSA key? GG? Bits please, lets keep digging.
Value at index n (a manufacturer index) added to hex 0x37 gets the character we’re interested in.
Id type – which identifier we’re dealing with.
Manufacturer – number of characters in the manufacturer name.
Indexes where we find the manufacturer name – the first one is 23, so we count our way in to index 23 and find 28. Not in the diagram, but we need to add 0x37 hex to the value at the specified index (28 + 0x37 = 0x53, which is ‘S’). The character representation of that addition gives us part of the manufacturer name. Repeating that for each index tells us that this specific compromised device is a Samsung model. Looking at the remaining unused digits we are then able to get the IMEI. So we can automate this process to extract all victim IMEIs and models. Turns out Samsung was way in front.
We can do the same thing with subdirectories. Each device directory on the C2 contains a list of folders like this, and each of these names appears in the client itself, where it is used as an identifier when certain operations take place and specific data is taken. So analysing the client we can see that the identifier starting with CO412356789 is used when contact information is handled; similarly the CCAPT identifier is used when images are captured from the device camera.
So these guys haven’t used any zero days but they’ve managed to recover, by now, over 3 gig of data from approximately 600 devices.
Interestingly, we can also do analysis around the modified times of exfiltrated data on C2 infrastructure. Once we’ve mirrored a C2, we can run log2timeline over it, kick it over to Kibana and then filter on various filenames, types, and metadata. The picture we see here is from a single C2 server, which has been operational since halfway through this year. When we first analysed infrastructure back in January and February there were only 30 devices, so their operations have picked up considerably since then given the number of victims we’re currently seeing.
This particular server is still collecting 1,000+ files a week, although it looks like collection is tapering off. However we’ve seen new samples released, so maybe they’re moving to new infrastructure or evolving how they operate.
Narrow in on attacker behaviour …
We can also do the same timeline analysis around data that’s been stolen as a direct result of an operator explicitly triggering this functionality. For example, pulling back contact info, geolocation, or SMS content happens rarely and has only been seen to occur on Fridays and Saturdays. This doesn’t seem to be automated given how irregularly it occurs, although it’s interesting given that Friday and Saturday are the weekend in certain Middle Eastern countries.
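The two questions the timeline answers (files per week for the "tapering off" view, and the weekdays on which operator-triggered pulls land) need only file paths and modification times, so here is the analysis reduced to a script. It is an added example, not the log2timeline/Kibana pipeline the talk used: it reads the output of `find <mirror> -type f -printf '%P\t%TY-%Tm-%Td %TH:%TM\n'`, maps the two subdirectory identifiers the talk names (CO412356789 for contacts, CCAPT for camera captures) to data types, and buckets by ISO week and weekday. The listing embedded below is constructed for the example and the device directory names in it are placeholders. One caveat the FrozenCell slides make concrete: the weekday you attribute a pull to is only as good as the server clock, so check the mirror's timezone offset before reading anything into a Friday/Saturday pattern.

```python
# Added example (not Lookout's pipeline): weekly volume and weekday profile of
# exfiltrated files on a mirrored C2, from a tab-separated `find` listing.
# LISTING is constructed for this example; only CO412356789 and CCAPT are
# identifiers the talk names, everything else is reported as "other:<name>".
from collections import Counter
from datetime import datetime

IDENTIFIERS = {"CO412356789": "contacts", "CCAPT": "camera"}  # from the talk
DAY_ORDER = ["Mon", "Tue", "Wed", "Thu", "Fri", "Sat", "Sun"]

# Output of:  find <mirror> -type f -printf '%P\t%TY-%Tm-%Td %TH:%TM\n'
# (constructed; deviceA/deviceB stand in for the real numeric directory names)
LISTING = """\
deviceA/CCAPT/20170717_091201.jpg\t2017-07-17 09:12
deviceA/CCAPT/20170718_140322.jpg\t2017-07-18 14:03
deviceB/CCAPT/20170719_114500.jpg\t2017-07-19 11:45
deviceB/CCAPT/20170725_083010.jpg\t2017-07-25 08:30
deviceA/CO412356789/contacts.db\t2017-07-14 20:10
deviceB/CO412356789/contacts.db\t2017-07-15 21:00
deviceA/CO412356789/contacts.db\t2017-07-22 19:30
"""


def parse_listing(text):
    """(path, mtime) pairs from the tab-separated find output above."""
    entries = []
    for line in text.splitlines():
        if not line.strip():
            continue
        path, stamp = line.split("\t")
        entries.append((path, datetime.strptime(stamp, "%Y-%m-%d %H:%M")))
    return entries


def classify(path):
    """Map <device>/<identifier>/<file> to the data type that identifier carries."""
    parts = path.split("/")
    if len(parts) < 3:
        return "unknown"
    return IDENTIFIERS.get(parts[1], "other:" + parts[1])


def weekly_volume(entries):
    """Files written per ISO week: the 'is collection tapering off' view."""
    weeks = Counter()
    for _path, mtime in entries:
        year, week, _day = mtime.isocalendar()
        weeks["%d-W%02d" % (year, week)] += 1
    return dict(sorted(weeks.items()))


def weekday_profile(entries, data_type):
    """Files of one data type per weekday (locale-independent day names)."""
    return Counter(DAY_ORDER[mtime.weekday()]
                   for path, mtime in entries if classify(path) == data_type)


def operator_days(entries, data_type):
    """Weekdays on which that data type was ever written, in calendar order."""
    seen = weekday_profile(entries, data_type)
    return [day for day in DAY_ORDER if day in seen]


if __name__ == "__main__":
    entries = parse_listing(LISTING)
    print(weekly_volume(entries))
    for data_type in ("contacts", "camera"):
        print(data_type, dict(weekday_profile(entries, data_type)))
```

On the constructed listing the camera captures land on ordinary weekdays while the contact pulls land only on Fri/Sat, which is the shape the talk reports for operator-triggered collection.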
Issue instructions even if C2 down
Dialog shown for uninstall
API Key
No longer accessible and only used in late 2016 before they moved away from using opencellid.
Haven’t reused any creds that we’ve seen
Have had usernames specific to infrastructure
These ones are down atm.
Seeing this from a number of actors in this region – not sure if they all go to the same C2 training school and are working off the same course material…
Smaller number of infected devices
Multiple C2s – cleaned daily
Details for almost 500 individuals – passports, DOBs, addresses, etc.
Exfil of content is regularly scheduled
Saw two mobile families without exploits in what appear to be targeted attacks and they’ve been really successful at gathering intel from their targets.
No zero days so these guys are operating at a fraction of the cost in comparison to other actors
Multi-platform actors are becoming more frequent