Tempted Cedar - Avast
Feb 23rd, 2018
Threat Research
Avast tracks down Tempting Cedar Spyware
Threat Intelligence Team, 21 February 2018

Social engineering used to trick Facebook users into downloading Advanced Persistent Threat disguised as Kik Messenger app.

A few months ago, one of our customers contacted us regarding strange messages he received on Facebook Messenger. The messages came from fake Facebook profiles belonging to attractive, but fictitious women. These women encouraged him to download another chat application to continue their conversations. The chat application the women referred him to was spyware, disguised as the Kik Messenger app, distributed through a very convincing fake site.

After analyzing the fake Kik Messenger app, we spotted the spyware, or Advanced Persistent Threat (APT). We are calling the APT “Tempting Cedar Spyware”. We dug deeper into our archives and found APKs belonging to several fake messenger and feed reader apps, all of which included the same malicious modules.

During our analysis, we also discovered that our customer was not the only person to encounter the Tempting Cedar Spyware, and, unfortunately, many fell for the trap.

Tempting Cedar Spyware was designed to steal information like contacts, call logs, SMS, and photos, as well as device information, like geolocation - in order to keep track of movements - and was capable of recording surrounding sounds, including conversations victims had while their phone was within range.

Based on various clues from the fake Facebook profiles and the campaign infrastructure, we believe the people behind the Tempting Cedar Spyware are Lebanese. The campaign was highly targeted and ran deep under the radar. At the moment, Avast is one of few mobile antivirus providers detecting the threat. Our detection is Android:SpyAgent-YP [Trj].

Due to the potential impact on the victims targeted with the malware, we contacted law enforcement agencies to help us with threat mitigation.

[Image: 001.png]

Infection vector
More than just Facebook friends

The malware was distributed using several fake Facebook profiles. After engaging in flirty conversations with their victims, who were most likely young men, the attackers offered to move the conversation from Facebook to a more “secure and private” platform, where they could have more intimate interactions. The attackers then sent the victims a link that led to a phishing website hosting a downloadable, malicious version of the Kik Messenger app. Before installing the fake messaging app, the victims had to adjust their device settings to allow apps from unknown sources. This should raise red flags for users; however, sometimes temptation trumps security.

Once the malware was installed, it immediately connected to a command and control (C&C) server.

The spyware was spread using at least the following three fake Facebook profiles. We have blurred the photos, as the photos used for the fake accounts were stolen from real people:
Alona
Rita
Christina

[Image: 005.png]

One interesting point to note is that the three girls interacted with one another on Facebook, perhaps to make their profiles appear a bit more credible:

Above: A screenshot of how the attackers convinced their victims to install the fake Kik Messenger application.

The website used to distribute a malicious copy of the Kik Messenger app, chat-messenger.site (185.8.237.151), operated until spring 2017 and was a very convincing copycat.

[Image: 009.png]
Deep analysis

The Tempting Cedar Spyware is split into different modules with specific commands. There are several modules designed to gather personal information about the victim, including contacts, photos, call logs, SMS, as well as information about the mobile device, such as geolocation, Android version, device model, network operator, and phone numbers.

[Image: 010.png]

Other modules were created to record audio streams or gain access to the infected device’s file system.

[Image: 011.png]

All modules with commands:

Module name         Commands
AUDIO               START, STOP, RECORD_START, RECORD_STOP
CONTACTS            COUNT, GET
FS (File System)    APP, CD, DOWNLOAD, DOWNLOAD_STATUS, EXTERNAL, GET, INSTALL, INTERNAL, LS, MKDIR, PWD, RM
GEO                 GETLOC
INFO / USER_INFO    PS (running apps process list)
PHOTOS              LSX, GETX, LSI, GETI, TAKEPIC_FRONT, TAKEPIC_BACK
TELEPHONE           COUNT_CALL_LOGS, COUNT_SMS, GET_CALL_LOGS, GET_SMS
KEEPALIVE           without commands
PING                not implemented
VIDEO               not implemented

The spyware persisted as a service and ran after every reboot.
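As an added triage example (not Avast's code and not recovered from the samples), the script below checks a decoded AndroidManifest.xml for the permission set that the modules in the table above would need, and for a BOOT_COMPLETED receiver of the kind that gives reboot persistence. The module-to-permission mapping is assumed from the Android API, and the manifest is a constructed sample standing in for a fake chat app.

```python
# Added triage example (not Avast's code): does a manifest grant the
# capability set Tempting Cedar's modules need, and does it hook boot?
import xml.etree.ElementTree as ET

A = "{http://schemas.android.com/apk/res/android}"  # the android: namespace

# Permission each module (write-up's table) needs; assumed from the Android API.
MODULE_PERMISSIONS = {
    "AUDIO": {"android.permission.RECORD_AUDIO"},
    "CONTACTS": {"android.permission.READ_CONTACTS"},
    "GEO": {"android.permission.ACCESS_FINE_LOCATION"},
    "PHOTOS": {"android.permission.CAMERA", "android.permission.READ_EXTERNAL_STORAGE"},
    "TELEPHONE": {"android.permission.READ_CALL_LOG", "android.permission.READ_SMS"},
}

# Constructed manifest standing in for a decoded fake chat app.
SAMPLE_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.chatclone">
  <uses-permission android:name="android.permission.RECORD_AUDIO"/>
  <uses-permission android:name="android.permission.READ_CONTACTS"/>
  <uses-permission android:name="android.permission.ACCESS_FINE_LOCATION"/>
  <uses-permission android:name="android.permission.CAMERA"/>
  <uses-permission android:name="android.permission.READ_EXTERNAL_STORAGE"/>
  <uses-permission android:name="android.permission.READ_CALL_LOG"/>
  <uses-permission android:name="android.permission.READ_SMS"/>
  <uses-permission android:name="android.permission.RECEIVE_BOOT_COMPLETED"/>
  <application>
    <receiver android:name=".BootReceiver">
      <intent-filter>
        <action android:name="android.intent.action.BOOT_COMPLETED"/>
      </intent-filter>
    </receiver>
  </application>
</manifest>"""

def declared_permissions(manifest_xml):
    root = ET.fromstring(manifest_xml)
    return {e.get(A + "name") for e in root.iter("uses-permission")}

def boot_receivers(manifest_xml):
    """Receivers registered for BOOT_COMPLETED: the usual reboot-persistence hook."""
    root = ET.fromstring(manifest_xml)
    return [r.get(A + "name") for r in root.iter("receiver")
            if any(a.get(A + "name") == "android.intent.action.BOOT_COMPLETED"
                   for a in r.iter("action"))]

def enabled_modules(manifest_xml):
    """Spyware modules whose full permission set the manifest grants."""
    perms = declared_permissions(manifest_xml)
    return sorted(m for m, need in MODULE_PERMISSIONS.items() if need <= perms)
```

A chat app that requests every one of these capabilities and registers a boot receiver is worth a second look, though a legitimate messenger may also ask for several of them.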

[Image: 012.png]

The fake Kik application contains the same injected malicious class, eighty9.guru, and a specific rsdroid.crt file holding different certificates, each belonging to a C&C domain.

[Image: 013.png]

Through the reuse of the same rsdroid.crt certificate name, we were able to find additional C&C and data exfiltration servers.

All rsdroid.crt certificates from the fake APK:

Issued to           Valid from    Valid to      Serial number
gserv.mobi          2015-04-28    2020-04-01    00fe4b81ee781fe486
network-lab.info    2016-03-29    2026-03-27    0090400fbd572edcc6
onlineclub.info     2017-05-24    2027-05-22    00e7238783cc4e87de
free-apps.us        2017-08-24    2035-11-08    00b6965aa72d97446d

C&C administration and infrastructure
Following their victims’ every step

The malware communicated on TCP port 2020, but it is also worth mentioning that a C&C console was running on port 443 with a familiar certificate subject common name: rsdroid.

The C&C console allowed attackers to live track their victims. The image below does not include any data, as we don’t want to disclose any of the victims’ locations, but shows the region where Tempting Cedar was spread the most:
[Image: 015.png]

Other hosts with this common name are easy to find using open source tools:

[Image: 016.png]

Above: Open source data about the C&C server hosts

We created an image of the computer infrastructure used in the campaign:

[Image: Avast_Tempting_Cedar_Spyware.png]

All signs point to Lebanon

It is always difficult to attribute persistent threat campaigns, like this one, to cybercriminals. However, pieces of information point to the cybercriminals behind this campaign being Lebanese.

The first clue that led us to this conclusion is the attackers’ working hours. We only saw about 30 logins in the SSH log we received. The user root logged on on workdays, occasionally on Saturdays, but never on Sundays.

[Image: Avast_Tempting_Cedar_Spyware_Root_SSH_login_week.png]

[Image: Avast_Tempting_Cedar_Spyware_Root_SSH_login_hour.png]

The working hours in the SSH log correspond with Eastern European and Middle Eastern time zones.
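The working-hours pivot described above can be reproduced over an sshd log. The script below is an added example, not Avast's tooling: it parses constructed syslog-format lines (the year is assumed, since syslog omits it, and the source IPs are drawn from the Lebanese ISP ranges the post lists), buckets accepted root logins by weekday and hour after shifting them into a candidate time zone, and reports what share came from those ranges.

```python
# Added example (not from the Avast write-up): bucket accepted root
# logins by weekday and hour, the pivot the analysts used to argue
# for the attackers' time zone. All log lines are constructed samples.
import ipaddress
import re
from collections import Counter
from datetime import datetime, timedelta

# Constructed sshd lines in syslog format (year omitted, as in real logs);
# source IPs are drawn from the ranges the write-up lists.
SAMPLE_LOG = """\
Mar  6 09:12:41 srv sshd[1201]: Accepted password for root from 185.99.33.17 port 51022 ssh2
Mar  6 15:47:03 srv sshd[1340]: Accepted publickey for root from 185.99.33.17 port 51100 ssh2
Mar  7 10:05:19 srv sshd[1402]: Accepted password for root from 78.40.183.9 port 40211 ssh2
Mar  8 11:30:55 srv sshd[1511]: Failed password for root from 203.0.113.5 port 4410 ssh2
Mar 11 08:58:02 srv sshd[1620]: Accepted password for root from 78.40.183.9 port 40300 ssh2
Mar 11 14:12:37 srv sshd[1633]: Accepted password for root from 185.99.33.17 port 51340 ssh2
"""

LOGIN_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d{1,2} \d{2}:\d{2}:\d{2}) \S+ sshd\[\d+\]: "
    r"Accepted \w+ for (?P<user>\S+) from (?P<ip>\S+)"
)
LEBANESE_RANGES = [ipaddress.ip_network(n) for n in ("185.99.32.0/22", "78.40.183.0/24")]

def parse_logins(log_text, year=2017, user="root"):
    """Return (datetime, source_ip) for every accepted login of `user`."""
    logins = []
    for line in log_text.splitlines():
        m = LOGIN_RE.match(line)
        if not m or m.group("user") != user:
            continue  # failed attempts and other users are not working-hour evidence
        ts = datetime.strptime(f"{year} {m.group('ts')}", "%Y %b %d %H:%M:%S")
        logins.append((ts, m.group("ip")))
    return logins

def activity_profile(logins, utc_offset_hours=0):
    """Logins per weekday name and per local hour after shifting the server's
    UTC timestamps into a candidate zone (e.g. +2 for Beirut standard time)."""
    by_day, by_hour = Counter(), Counter()
    for ts, _ in logins:
        local = ts + timedelta(hours=utc_offset_hours)
        by_day[local.strftime("%A")] += 1
        by_hour[local.hour] += 1
    return by_day, by_hour

def from_listed_ranges(logins):
    """Fraction of logins whose source falls inside the listed ISP ranges."""
    hits = sum(any(ipaddress.ip_address(ip) in n for n in LEBANESE_RANGES) for _, ip in logins)
    return hits / len(logins) if logins else 0.0
```

With only a few dozen logins, as in the post, the weekday pattern (no Sundays) is the stronger signal; the hour histogram only narrows the candidate zones.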

The second breadcrumb we found was the infrastructure used in the campaign, which also points to Lebanon.

WHOIS data revealed that two of the domains used were registered by someone from Lebanon, whereas the others were registered with fictitious registrant data.

Chat-world.site was registered by Jack Zogby, Beirut, Lebanon, jack.zogby@yandex.com

Network-lab.info was registered by Jack Halawani, Beirut, Lebanon, jack.halawani@yandex.com

Over the last two years, SSH logins were made from Lebanese ISPs’ IP ranges (185.99.32.0/22, 78.40.183.0/24).

The likes of one of the fake Facebook profiles are also interesting, and if any of the victims had taken a closer look at them, they may not have fallen for the scam. Rita, the petite brunette, seems to be interested in military groups and in Lebanese and Israeli friendship.

Above: Rita’s likes on Facebook

The Lebanon & Israel Friendship connection group is interesting when considering the victims’ locations.

While we observed a low number of victims from the USA, France, Germany, and China, the majority of victims were from the Middle East, with most of the victims located in Israel:

[Image: Avast_Tempting_Cedar_map_victims.png]

Above: Map showing the countries most of the victims came from

Conclusion

The targeted Tempting Cedar campaign has been running under the radar since as far back as 2015, targeting people in Middle Eastern countries. The spyware’s infection vector involves social engineering using attractive, but fictitious Facebook profiles. The fake Kik APK sent to victims masquerades as the legitimate Kik Messenger app; however, after gaining access to victims’ phones, the spyware starts to exfiltrate sensitive data, sending it back to the attackers’ infrastructure. Evidence points to the attackers being a Lebanese hacking group; however, we cannot be 100% sure this is true. The social engineering part of the campaign seems to have targeted people in Eastern European and Middle Eastern countries.

Despite the unsophisticated techniques and the level of operational security used, the attack managed to remain undetected for several years.

The cybercriminals behind the Tempting Cedar Spyware were able to install a persistent piece of spyware by exploiting social media, like Facebook, and people’s lack of security awareness, and were thus able to gather sensitive and private data from their victims’ phones, including real-time location data, which makes the malware exceptionally dangerous.
Steps to take to protect yourself against spyware

Here are a few things you can do to avoid being manipulated like this into downloading spyware:

Use antivirus software. Even if you accidentally download malware onto your phone, Avast will detect and remove the malware, to keep your data and privacy safe.
Don’t talk to strangers. There is a reason why parents have been warning kids about talking to strangers, and this case confirms that talking to strangers online is no different and is not a good idea.
Never open links or download software sent to you from untrusted sources. The victims of this spyware campaign were tricked into downloading the spyware themselves because they trusted the girls they were talking to online, despite never meeting them in person. On top of this, they ignored Android’s warnings about downloading apps from unknown sources.
Download from the source. Whenever possible, visit the homepage of an established company directly - by typing in the URL yourself - as they often promote their mobile apps on their websites, and download the app straight from the source. Had the victims done this, they would have avoided the fake and malicious Kik app. The “girls” probably would have stopped talking to them, but that would have been for their own good!

IOCs

Fake Kik messenger SHA256:

Fake Datasettings SHA256:

1DEB727C05AA5FABF6224C0881970ACA78649A799EEB6864260DE97635FA005A
94ADF4C8A27722307C11F6C0376D4A51CFD56BA3CC47F9E5447179D1E0F7289F
A411A587B4256007F0E0A3C3A3C3097062242B5359A05A986195E76DA7334B7D

Fake feedreader SHA256:

58F74545D47F5DA1ECF3093F412D7D9544A33D36430AB1AF709D835A59184611

Domains:

chat-world.site
chat-messenger.site
gserv.mobi
arab-chat.site
onlineclub.info
free-apps.us
network-lab.info
kikstore.net

IPs (including historic records):

Rsdroid certificate serial numbers:

Fake FB profiles:

facebook.com/profile.php?id=100013563997788
facebook.com/profile.php?id=100011377795504
facebook.com/profile.php?id=100011891805784