Shulou(Shulou.com)05/31 Report--

This article will explain in detail how to carry out PhantomLance multi-version attack analysis, the content of the article is of high quality, so the editor will share it for you as a reference. I hope you will have some understanding of the relevant knowledge after reading this article.

In July 2019, Dr. Web reported on the backdoor Trojan horse in Google Play, which the researchers call "PhantomLance". Its earliest activity can be traced back to December 2015. So far, dozens of wild samples have been found, appearing in various application markets such as Google Play. The latest sample was released in the official Android market on November 6, 2019 and was officially deleted shortly afterwards.

In the course of investigation, it is found that there are many similarities between it and OceanLotus APT.

Malware version

In order to facilitate the research, the discovered samples are divided into basic version 1 to highly complex version 3 according to the technical complexity, and the version number is not completely related to the time of appearance.

The functions of all samples are similar, and the main purpose is to collect sensitive information, including geographic location, call records, contacts, SMS, list of installed applications, and device information. Attackers can download and execute a variety of malicious payloads based on a specific device environment.

Version 1

This version is the latest Google Play sample (MD5:2e06bbc26611305b28b40349a600f95c). Unlike other versions, it does not delete other executables. Attackers tried to bypass Google official filtering using a variety of techniques and upload it to the Google Play store in 2019. Suspicious permissions are not mentioned in the manifest file, and the attacker hides them in the dex executable and dynamically requests them during execution. Most malware operations require root privileges. If the device has root privileges, malware can obtain the required permissions through "setUidMode" without user involvement.

Version 2

This version was detected in 2019 or earlier, and a sample appeared in the Google Play store in November 2019. Based on the detection statistics and the version stamp, it can be judged that this version is a substitute for version 3.

The malicious payload APK is packaged in an assets encrypted (AES) file, with the decryption key and initialization vector (IV) in the first 32 + 16 bytes of the encrypted payload.

Before APK magic, the header contains a string that reflects the call to the payload method.

All version 2 payloads use the same package name "com.android.play.games", similar to the official Google Play game package "com.google.android.play.games". In addition, the developer version tag was found in the decrypted payload.

As described in version 1, the permissions required for malicious features are granted through an undocumented Android API, and two different certificates are found to sign the version 2 payload.

Version 2.1

It was discovered in early 2020 that the latest PhantomLance sample introduced a new technology for decrypting payloads: malicious payloads were bundled with implants and encrypted using AES. The key is not carried by itself, but is sent to the device through Google's Firebase remote configuration system, and other technical features are very similar to version 2.

A valid request is made to the Firebase API of the PhantomLance, and the response JSON structure contains the AES decryption key, where the "code_disable" value is the payload's decryption key.

{"entries": {"code_disable": "27ypYitp1UFc9Tvh"}, "appName": "com.ozerlab.callrecorder", "state": "UPDATE"}

The attacker attempted to implement the third phase of payload implantation. The second phase payload (MD5:83cd59e3ed1ba15f7a8cadfe9183e156) contains an APK file (MD5:7048d56d923e049ca7f3d97fb5ba9812) named "data" whose assets is corrupted.

The second phase reads the APK file, decrypts it, and rewrites its first 27 bytes.

After execution, an APK file (MD5:c399d93146f3d12feb32da23b75304ba) is generated, which is configured with a C2 server (cloud.anofrio [.] com, video.viodger [.] com, api.anaehler [.] com). Phase III APK has a native library called "data.raw" in assets, which is used for persistent control on infected devices.

Version 3

Version 2 has been replaced by this version, no new deployment of version 3 has been observed in 2019, and it is more advanced than version 2 in technical details.

Compared with the second edition, the first phase of the implantation process is more confusing. It decrypts the payload in a manner similar to version 2, and the encrypted content is divided into multiple files of less than 10256 bytes and an encrypted configuration file that contains payload decryption details.

Decryption process:

Each version 3 payload has the same package name "com.android.process.gpsp" and is signed with the same certificate used to sign some version 2. The only version tag found in version 3 is "10.2.98".

Mode of transmission

Attackers spread mainly through the application market. In addition to the com.zimice.browserturbo and com.physlane.opengl that have been reported to Google, other traces of transmission have been observed, indicating that many malicious applications have been deployed to Google Play in the past but have now been removed.

Several third-party markets have been identified that, unlike Google Play, still host malicious applications:

Https://apkcombo[.]com

Https://apk[.]support/

Https://apkpure[.]com

Https://apkpourandroid[.]com

In almost every malware deployment case, an attacker attempts to create a Github development account using a forged user license agreement (EULA).

During the investigation, it was found that the initial version uploaded by the attacker did not contain any malicious payload, but subsequent versions contained malicious payload or other malicious code.

infrastructure

Multiple domains similar to the previous ones were quickly identified in the analysis of the Secret2 server infrastructure, but were not linked to any known malicious samples.

It is found that IP:188.166.203 [.] 57:

Victim distribution

Attacks on Android devices in India, Vietnam, Bangladesh, Indonesia and other places have been observed since 2016.

Several surveys have also been carried out in Nepal, Myanmar and Malaysia, and South Asia is the organization's largest target area. In addition to common bait applications (such as Flash plug-ins, cleaners and updates), there are applications specific to Vietnam.

Correlation analysis

The researchers analyzed the association between PhantomLance and OceanLotus APT activities.

OceanLotus Android

In May 2019, Antiy Labs released a report on Android malware activity, claiming that the activity was related to OceanLotus APT, with samples traced back to December 2014 at the earliest. Most of the users affected by this activity are in Vietnam and only a few are in China. The main vectors of infection are malicious application links hosted on third-party websites, which are distributed via SMS or email.

The latest malware download occurred in December 2017, and a small number of activities were observed in 2018, but in terms of the number of hosted malware and the number of detected malware, the main activity time is from the end of 2014 to 2017.

A code structure comparison is made between the reported OceanLotus Android (MD5:0e7c2adda3bc65242a365ef72b91f3a8) and the unconfused (possibly developer version) PhantomLance payload v3 (MD5:243e2c6433833815f2ecc6640):

OceanLotus macOS back door

Analyze the macOS payload (MD5:306d3ed0a7c899b5ef9d0e3c91f05193) at the beginning of 2018 and associate it with the code pattern of Android malware. It is found that three of the seven main categories have the same name and similar functions: "Converter", "Packet" and "Parser".

Similarity analysis

Most OceanLotus malware uses three different C2 servers.

The attackers are very interested in Vietnam, the infrastructure of PhantomLance and OceanLotus overlap, and the code similarity between Android and MacOS backdoor.

IOCsPhantomLance

HEUR:Backdoor.AndroidOS.PhantomLance.*

HEUR:Trojan-Dropper.AndroidOS.Dnolder.*

Android campaign linked to OceanLotus (2014-2017)

HEUR:Trojan.AndroidOS.Agent.eu

HEUR:Trojan.AndroidOS.Agent.vg

HEUR:Trojan-Downloader.AndroidOS.Agent.gv

MacOS campaign linked to OceanLotus

HEUR:Backdoor.OSX.OceanLotus.*

MD5

PhantomLance malware

2e06bbc26611305b28b40349a600f95c

B1990e19efaf88206f7bffe9df0d9419

7048d56d923e049ca7f3d97fb5ba9812

E648a2cc826707aec33208408b882e31

3285ae59877c6241200f784b62531694

8d5c64fdaae76bb74831c0543a7865c3

6bf9b834d841b13348851f2dc033773e

0d5c03da348dce513bf575545493f3e3

0e7c2adda3bc65242a365ef72b91f3a8

A795f662d10040728e916e1fd7570c1d

D23472f47833049034011cad68958b46

8b35b3956078fc28e5709c5439e4dcb0

Af44bb0dd464680395230ade0d6414cd

65d399e6a77acf7e63ba771877f96f8e

79f06cb9281177a51278b2a33090c867

B107c35b4ca3e549bdf102de918749ba

83cd59e3ed1ba15f7a8cadfe9183e156

C399d93146f3d12feb32da23b75304ba

83c423c36ecda310375e8a1f4348a35e

94a3ca93f1500b5bd7fd020569e46589

54777021c34b0aed226145fde8424991

872a3dd2cd5e01633b57fa5b9ac4648d

243e2c6433815f2ecc204ada4821e7d6

PhantomLance payload-free versions

A330456d7ca25c88060dc158049f3298

A097b8d49386c8aab0bb38bbfdf315b2

7285f44fa75c3c7a27bbb4870fc0cdca

B4706f171cf98742413d642b6ae728dc

8008bedaaebc1284b1b834c5fd9a7a71

0e7b59b601a1c7ecd6f2f54b5cd8416a

Android campaign 2014-2017

0e7c2adda3bc65242a365ef72b91f3a8

50bfd62721b4f3813c2d20b59642f022

5079cb166df41233a1017d5e0150c17a

810ef71bb52ea5c3cfe58b8e003520dc

C630ab7b51f0c0fa38a4a0f45c793e24

Ce5bae8714ddfca9eb3bb24ee60f042d

D61c18e577cfc046a6252775da12294f

Fe15c0eacdbf5a46bc9b2af9c551f86a

07e01c2fa020724887fc39e5c97eccee

2e49775599942815ab84d9de13e338b3

315f8e3da94920248676b095786e26ad

641f0cc057e2ab43f5444c5547e80976

Domains and IP addresses

PhantomLance

Mine.remaariegarcia [.] com

Egg.stralisemariegar [.] com

Api.anaehler [.] com

Cloud.anofrio [.] com

Video.viodger [.] com

Term.ursulapaulet [.] com

Inc.graceneufville [.] com

Log.osloger [.] biz

File.log4jv [.] info

News.sqllitlever [.] info

Us.jaxonsorensen [.] club

Staff.kristianfiedler [.] club

Bit.catalinabonami [.] com

Hr.halettebiermann [.] com

Cyn.ettebiermahalet [.] com

Android campaign 2014-2017

Mtk.baimind [.] com

Ming.chujong [.] com

Mokkha.goongnam [.] com

Ckoen.dmkatti [.] com

Sadma.knrowz [.] com

Itpk.mostmkru [.] com

Aki.viperse [.] com

Game2015 [.] net

Taiphanmemfacebookmoi [.] info

Nhaccuatui.android.zyngacdn [.] com

Quam.viperse [.] com

Jang.goongnam [.] com

On how to carry out PhantomLance multi-version attack analysis to share here, I hope the above content can be of some help to you, can learn more knowledge. If you think the article is good, you can share it for more people to see.

Welcome to subscribe "Shulou Technology Information " to get latest news, interesting things and hot topics in the IT industry, and controls the hottest and latest Internet news, technology news and IT industry trends.