Mobile Cyberespionage Campaign Distributed Through CallerSpy Mounts Initial Phase of a Targeted Attack

We found a new spyware family disguised as chat apps on a phishing website. We believe that the apps, which exhibit many cyberespionage behaviors, are being used for the initial phase of a targeted attack campaign. We first came across the threat in May on the site http://gooogle[.]press/, which was advertising a chat app called “Chatrious.” Users can download the malicious Android application package (APK) file by clicking the download button on the site.

The website went inactive for months after that encounter in May. It only resurfaced in October, this time offering a different app called “Apex App.” We have identified this as a spyware family that can steal a user’s personal information. Trend Micro detects both of the threats as AndroidOS_CallerSpy.HRX.

Figure 1. Screenshots of Chatrious (left) and Apex App (right)

Behavior analysis

CallerSpy claims to be a chat app, but we found that it has no chat features at all and is riddled with espionage behaviors. When launched, CallerSpy opens a connection to the C&C server via Socket.IO and listens for incoming commands. It then uses the Evernote Android-Job library to schedule the jobs that steal information.

Figure 2. CallerSpy initiates C&C connection (left) and then starts scheduling jobs (right)

CallerSpy sets several scheduling jobs to collect call logs, SMSs, contacts, and files on the device. It also receives commands from the C&C server to take screenshots, which it later sends to the server.

Figure 3. Scheduled jobs

Job tag | Description
--- | ---
alive_latest_files_watcher | Starts the latest_files_watcher job and keeps it alive
enviorment_schedulers | Configures the environment recording module
keep_enviorment_scehdular_alive | Starts the enviorment_scehdular job and keeps it alive
keep_listener_alive | Starts the listener job and keeps it alive
latest_files_watcher | Collects the latest call logs, SMSs, contacts, and files
listeners | Updates the configuration and takes a screenshot
record_enviorment | Records the environment (audio)
remote_sync | Uploads the collected private data to the remote C&C server
sync_data_locally | Collects all call log, SMS, contact, and file information on the device

Table 1. Some of CallerSpy’s scheduling job tags

All of the stolen information is collected and stored in a local database before it is periodically uploaded to the C&C server. This spyware targets the following file types: jpg, jpeg, png, docx, xls, xlsx, ppt, pptx, pdf, doc, txt, csv, aac, amr, m4a, opus, and wav.

Figure 4. Privacy database

A screenshot is captured when the corresponding command is received from the C&C server. The screenshot image is then Base64-encoded and sent back to the server over the preconfigured Socket.IO connection.

Figure 5. Monitor commands from C&C server (left), take and send the screenshot (right)

Infrastructure analysis

The domain gooogle[.]press masquerades as Google to trick users into downloading the app. The site even displays a fake copyright notice at the bottom of the page.

Figure 6. Fake copyright info

The attackers behind this campaign made an effort to hide their tracks. A Whois lookup reveals that the domain was registered on February 11, 2019 at Namecheap, but all of the registrant data was untraceable. Note, however, that Namecheap offers domain privacy protection, so withheld registrant data is common for domains registered there.

Figure 7. gooogle[.]press registration info

We identified four C&C IP addresses, all hosted on a legitimate service. We can only confirm that the C&C service runs Node.js on port 3000.

Initial phase of a bigger campaign

Based on the aforementioned clues and past findings, we believe that this is a new campaign. There have been no detections for it on VirusTotal at the time of writing.

Figure 8. VirusTotal scan result

The campaign’s target is still unclear because we have not seen actual victims. We also conclude that this is the initial phase of an attack based on the following reasons:

  • CallerSpy, in its current form, looks unfinished for use in a targeted attack. It has no user interface (UI) and no genuinely useful features; it implements only espionage functionality. It uses the default app icon and is even labeled “rat.” We also found debug code left in CallerSpy.

Figure 9. CallerSpy icon and label (left), debug code (right)

  • The sample’s signing certificate details indicate that it is only used for testing.

Figure 10. Certification details

  • The download section of the webpage has three buttons indicating Apple, Android and Windows platforms, but it only supports Android for now.

Figure 11. The app advertises to be available on different platforms

  • So far, our monitoring has not found infections in any volume, which could mean that the threat actor is waiting for the right opportunity to spread the malware.

The malicious apps can be detected by Trend Micro solutions, such as the Trend Micro™ Mobile Security for Android™. End users can also benefit from its multilayered security capabilities that secure the device owner’s data and privacy and safeguard them from ransomware, fraudulent websites, and identity theft.

For organizations, the Trend Micro Mobile Security for Enterprise suite provides device, compliance, and application management, data protection, and configuration provisioning. It also protects devices from attacks that exploit vulnerabilities, prevents unauthorized access to apps, and detects and blocks malware and fraudulent websites. Trend Micro’s Mobile App Reputation Service (MARS) covers Android and iOS threats using leading sandbox and machine learning technologies to protect users against malware, zero-day and known exploits, privacy leaks, and application vulnerability.

Indicators of Compromise (IoCs)

Sample hashes

SHA-256 | Package name | Label
--- | --- | ---
0c4b08bec1251b1ebc715a7ef1a712cdcb4d37ce0093d88f7fa73b0e05bf7b0e | com.sas.gplayservices.accesibility | GSERVICES
38acf26161a2c6429ee40d9b70d8419a9bd00eaa8740d221f943cea3229372dd | com.sas.gservices.accesibility | GSERVICES
3bf85d0aff5ddc0c57e43b879631ee692d98d01f5c964336471f1cdfe0d291f8 | com.example.rat | rat
7cb0eb93de496e2141b6e0541465ca71a84063867381085692885c75aa59cb1b | com.pdf.searcher.dd | Pdf Searcher
8ad18bd8f5d2f1fd9e00211170e8a540ddf7f51618588fab31b4ddd2b34b75e1 | com.pdfd.researcher.resaq_ver1 | Caller
c8e1a702a27309c22728792c64aad4abc14ec2bfad1b30a4f27b8ebc6bcc68ff | com.sas.gservices.accesibility | GSERVICES

C&C servers
3.95.71.123:3000
18.206.105.66:3000
40.114.109.69:3000
52.21.5.241:2000

Phishing domain
http://gooogle[.]press/

MITRE ATT&CK Techniques

Tactic | Technique | ID | Description
--- | --- | --- | ---
Initial Access | Masquerade as Legitimate Application | T1444 | Used to masquerade as a legitimate chat app
Persistence | Abuse Device Administrator Access to Prevent Removal | T1401 | Used to request device administrator privilege
Persistence | App Auto-Start at Device Boot | T1402 | Used to listen for the BOOT_COMPLETED broadcast
Defense Evasion | Suppress Application Icon | T1508 | Used to suppress its icon in the application launcher to hide the fact that it is installed
Discovery | File and Directory Discovery | T1420 | Used to enumerate the external storage file system
Discovery | Location Tracking | T1430 | Used to track the device’s location
Collection | Access Call Log | T1433 | Used to gather call log data
Collection | Access Contact List | T1432 | Used to gather contact list data
Collection | Capture Audio | T1429 | Used to record audio
Collection | Capture SMS Messages | T1412 | Used to collect SMS messages
Collection | Data from Local System | T1533 | Used to collect files from the device, including documents, photos, and media files
Collection | Location Tracking | T1430 | Used to track the device’s location
Collection | Screen Capture | T1513 | Used to take screenshots on the device
Exfiltration | Standard Application Layer Protocol | T1437 | Used standard HTTP
Command and Control | Uncommonly Used Port | T1509 | Used uncommon ports 2000 and 3000
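As an added defender-side example (not code from the post or from Trend Micro), the following Python checks a decoded AndroidManifest.xml for the manifest-visible indicators in the table above: the collection permissions, the BOOT_COMPLETED receiver, the device-admin receiver, and the absence of a launcher activity. The manifest it parses is constructed for the demonstration; a requested permission shows capability, not proof that the code actually uses it.

```python
"""Static triage of a decoded AndroidManifest.xml for the capabilities the CallerSpy
post maps to MITRE ATT&CK for Mobile. Added example; not from the original post."""
import xml.etree.ElementTree as ET

ANDROID_NS = "{http://schemas.android.com/apk/res/android}"

# Requested permission -> (ATT&CK ID, technique) for the collection behaviours in the table.
PERMISSION_TECHNIQUES = {
    "android.permission.READ_CALL_LOG": ("T1433", "Access Call Log"),
    "android.permission.READ_CONTACTS": ("T1432", "Access Contact List"),
    "android.permission.RECORD_AUDIO": ("T1429", "Capture Audio"),
    "android.permission.READ_SMS": ("T1412", "Capture SMS Messages"),
    "android.permission.ACCESS_FINE_LOCATION": ("T1430", "Location Tracking"),
}
# Constructed manifest for demonstration (not a real CallerSpy sample); the package
# name and label follow the com.example.rat entry in the IoC table.
SAMPLE_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
  package="com.example.rat">
  <uses-permission android:name="android.permission.READ_CALL_LOG"/>
  <uses-permission android:name="android.permission.READ_SMS"/>
  <uses-permission android:name="android.permission.READ_CONTACTS"/>
  <application android:label="rat">
    <receiver android:name=".BootReceiver"><intent-filter>
      <action android:name="android.intent.action.BOOT_COMPLETED"/></intent-filter></receiver>
    <receiver android:name=".AdminReceiver"><intent-filter>
      <action android:name="android.app.action.DEVICE_ADMIN_ENABLED"/></intent-filter></receiver>
  </application></manifest>"""

def triage_manifest(manifest_xml: str) -> dict:
    """Return {ATT&CK ID: technique name} for every indicator found in the manifest."""
    root = ET.fromstring(manifest_xml)
    findings = {}
    for perm in root.iter("uses-permission"):
        tid_tech = PERMISSION_TECHNIQUES.get(perm.get(ANDROID_NS + "name"))
        if tid_tech:
            findings[tid_tech[0]] = tid_tech[1]
    actions = {a.get(ANDROID_NS + "name") for a in root.iter("action")}
    categories = {c.get(ANDROID_NS + "name") for c in root.iter("category")}
    if "android.intent.action.BOOT_COMPLETED" in actions:
        findings["T1402"] = "App Auto-Start at Device Boot"
    if "android.app.action.DEVICE_ADMIN_ENABLED" in actions:
        findings["T1401"] = "Abuse Device Administrator Access to Prevent Removal"
    # No LAUNCHER activity means no icon in the app drawer; CallerSpy has no UI at all.
    if "android.intent.category.LAUNCHER" not in categories:
        findings["T1508"] = "Suppress Application Icon"
    return findings

if __name__ == "__main__":
    for tid, tech in sorted(triage_manifest(SAMPLE_MANIFEST).items()):
        print(tid, tech)
```

The launcher check is a heuristic: a legitimate background-only app also has no launcher activity, so treat that finding as a prompt for closer review rather than a verdict.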
