In this talk we'll take a look at the two Android surveillanceware families ViperRAT and FrozenCell which have both been used in long running campaigns. Victims include the Israeli Defence Force and analysis suggests the Palestinian Security Services, Ministry of the Interior, and leading political party in Palestine, were also targeted. We'll cover the capabilities of each family, their supporting infrastructure, some OpSec fails that allowed us to gain an insight into exfiltrated data, and see just how effective ViperRAT and FrozenCell have been given that they don't use any exploits.

1. Behind Enemy Lines
A look at two mobile APTs being used against
military & government
Flossman | DerbyCon 2017

2. ViperRAT & FrozenCell
Capabilities
Infrastructure & OpSec fails
Exfil analysis
Effectiveness?
2

3. • Threat Intel Services @ Lookout
• Hunting for surveillanceware
• Looking for novel techniques
• Tracking actors & campaigns
• Co-founded Tesserae Security
• Android app dev, BYOD security tool DigitalPrince
• Aussie Govt
• Prototyping, vuln research, IR, blue team, mobile sec,
device hardening
3
Flossman
$whoami

4. 4
Expanding Arsenals
New tools to follow the money & intel
Implementation of mTANs
Transactions tied to one time code sent to mobile
Security control to mitigate unauthorized transactions
Attackers rapidly evolve
Traditionally desktop based arsenal now with mobile capability
Actors focused on gathering intelligence have been making a similar transition

5. 5
Surveillanceware Prereqs
Can haz zero day?
T
r
i
T
s
yo
Hi there handsome … I’d love to hear more about your military unit and
the equipment you have access to. I’ll send more photos of myself, but
I’d feel more comfortable first if you installed this custom chat app. k
thx bai

6. 6
ViperRAT
Targeted attacks against the Israeli Defense Force

7. 7
ViperRAT
First Stages – The lazy adversary

8. 8
ViperRAT
First Stages – Trojanised but with legit functionality

9. 9
ViperRAT
First stages – Minimal footprint profiling
• Gather basic telemetry & profile device (installed apps, dev metadata etc)
• Functionality to manage installation of ‘agent’ aka 2nd stage.
• Provides attacker with basic API
• Get agent URLs, upload profile / check if previously posted
• Silently install 2nd stage or prompt user and flag operator that prompt shown
• Cleanup download of 2nd stage post install
• Entry points – user driven || on boot

10. • Attempts to hide in the noise on target device
• WhatsApp Update
• Viber Update
• System Update
• System Updates
10
ViperRAT
2nd Stages – Semi-tailored for victim environment

11. 11
ViperRAT
2nd Stages – Capabilities
• Search external storage for office docs
• PDF, doc, docx, xls, xlsx, ppt, pptx
• Retrieve the WhatsApp database and also pull
back the WhatsApp key for decryption
• User dictionary words
• user words entered into other apps
• associated app id
• frequency
• First Android app that uses dlls??
• Record audio
• Record video
• Take a screenshot
• Text messages
• Contacts
• Geolocation
• Browser bookmarks, search history – (default browser,
Chrome, Firefox)
• Call logs
• Launch the browser to attacker specified URL
• Taking photos with device camera
• Get installed apps
• Get / delete attacker specified files
• Cell tower id, cell LAC,MCC, Singal strength, base
station id (implemented for GSM, CDMA, LTE, WCDMA)

12. ViperRAT
Actor infrastructure & samples

13. 13
ViperRAT
Directory Indexing?

14. 14
ViperRAT
Exfil Analysis
CONFIDENTIAL AND PROPRIETARY
x
x
x
x
RSA encrypted AES key
Encrypted victim data
gg wp??

15. 15
ViperRAT
Directory Structure – Getting target IMEIs and manufacturers

16. 16
ViperRAT
Directory structure – Recovering device and IMEI details
352117661948102
1723272119172935 3302822 2852102311761661948102
U S M S A N GS

17. 17
ViperRAT
Subdirectory names on C2

18. 18
ViperRAT
Zero 0days, how effective?

19. 19
ViperRAT
Analysis around modified timestamps of exfil
• Mirror C2 - > Log2timeline -> Kibana
• Using modified timestamps from victim data from July 17th 2017
• Pictures taken when victims answer their phone
• Likely used for profiling users
• Looks like tapering off but still collecting 1k+ files a week
Victim behaviour – images taken when calls received

20. 20
ViperRAT
Operator instructions & behaviour – Fri & Sat only?
Contacts retrieved by operator
Geolocation info retrieved
SMS content retrieved

21. • Palestinian Security Services (Dismissal &
Promotion notices)
• General Directorate of Civil Defence - Ministry of
the Interior (Troop movements)
• 7th Fateh Conference of the Palestinian National
Liberation Front (Meeting Minutes)
•
21
FrozenCell
Desktop Lures
Trump
impersonator with
models - hot models
.mpg.exe

22. 22
FrozenCell
I got 99 apps but a sploit ain’t one
- Call recording
- SMS retrieval
- Image retrieval
- Location tracking
- Device metadata - MCC, MNC
- Downloading and installing attacker specified apps
- Searching for and exfiltrating PDF, doc, docx, ppt, pptx, xls,
and xlsx
- Contacts
- Huawei device with protected mode will automatically try to
add itself to the list of protected apps that are allowed to run
in the background while the screen’s off. Shows dialog to
get added if it can’t do it automatically.

23. • Trigger call recording
• Message needs to contain a #. for call recording.
• #....# where each . adds an hour to the total amount of time to record or before
recording is stopped
• Stop call recording
#,, - stops any recording that’s been kicked off by SMS command messages
• Ends with
• 15171 – enables receivers (call mon, hot micing, connectivity, update apk)
• 15181 – disable receivers
• 15191 – Uninstall
• 15101 - delete any recordings from <external_storage>/android/sys/rec/
• *.g – enable comms when only mobile data available
• *,g – disable comms when only mobile data available
23
FrozenCell
Out of band comms
Your Google verification code is
1644827
http://gmail.com/mail/u/0/#.#/
Your LinkedIn verification code is
15171.
Your order 177283 has shipped. UPS
tracking #8123661. Thanks for your
order http://wtrk.us/?x=33319204*.g

24. 24
FrozenCell
Geolocation in early variants.

25. • Mix of Windows / Linux
• All running Laravel 5 PHP Framework
• Doco is your friend
25
FrozenCell
Infrastructure

26. 26
FrozenCell
Almost the same OpSec school as ViperRAT actors

27. 27
FrozenCell
Exfil at a high level

28. • Low operational costs
• Risk of getting burned
• Still highly effective
• OpSec fails
• Zero given
• Expanding arsenals with multi platform actors
• FrozenCell & ViperRAT IOCs
• Twitterverse - @terminalrift
28
Summary
Threat actors on a budget

29. Questions

30. • Exfilled msg data indicates GMT +3
• Call data to +972 area code & 059 prefix
• Pretty sure server timezone is 12hrs off
• Eg; datetime in filename of recorded call is
7am, duration is 50 seconds, modify
timestamp on server file is 19:01 and they
get uploaded immediately on completion.
30
FrozenCell
You used to call me on the cell phone