2025-04-04 Update From: SLTechnology News&Howtos
Shulou(Shulou.com)05/31 Report--
This article explains in detail how to analyse the multiple versions of the PhantomLance attack. The content is of high quality, so the editor shares it here for reference; hopefully you will have an understanding of the relevant material after reading it.
In July 2019, Dr. Web reported on a backdoor Trojan in Google Play that researchers call "PhantomLance". Its earliest activity can be traced back to December 2015. So far, dozens of in-the-wild samples have been found in various application markets, including Google Play. The latest sample was published in the official Android market on November 6, 2019 and was removed shortly afterwards.
During the investigation, many similarities were found between PhantomLance and the OceanLotus APT group.
Malware versions
To facilitate the research, the discovered samples are divided by technical complexity into versions ranging from the basic version 1 to the highly complex version 3; the version numbers do not strictly follow the order in which the samples appeared.
The functionality of all samples is similar. The main purpose is to collect sensitive information, including geographic location, call logs, contacts, SMS messages, the list of installed applications and device information. Attackers can also download and execute a variety of malicious payloads depending on the specific device environment.
Version 1
This version is the latest Google Play sample (MD5: 2e06bbc26611305b28b40349a600f95c). Unlike the other versions, it does not delete other executables. Using a variety of techniques to bypass Google's official filtering, the attackers managed to upload it to the Google Play store in 2019. Suspicious permissions are not declared in the manifest file; the attacker hides them in the dex executable and requests them dynamically at run time. Most malware operations require root privileges. If the device is rooted, the malware can obtain the required permissions through "setUidMode" without user involvement.
Version 2
This version was detected in 2019 or earlier, and a sample appeared in the Google Play store in November 2019. Based on detection statistics and version stamps, this version is judged to have replaced version 3.
The malicious payload APK is stored as an AES-encrypted file in the assets directory; the decryption key and initialization vector (IV) occupy the first 32 + 16 bytes of the encrypted payload.
Before the APK magic bytes, the decrypted header contains a string naming the payload method that is invoked via reflection.
All version 2 payloads use the same package name, "com.android.play.games", which mimics the official Google Play Games package "com.google.android.play.games". In addition, a developer version tag was found in the decrypted payload.
As with version 1, the permissions required for the malicious features are granted through an undocumented Android API, and two different certificates were found signing version 2 payloads.
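As an added example for triage (not code from the report or from the malware itself), the following Go function unpacks an asset in the version 2 layout described above: it splits off the 32-byte key and 16-byte IV, decrypts the remainder, reads the method-name string that precedes the APK magic and returns the embedded APK. AES-CBC mode, PKCS#7 padding and a NUL terminator after the method name are assumptions, since the report only states AES and the key/IV offsets; BuildSample produces a constructed fake asset for testing.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"errors"
)

// Version 2 asset layout per the report: key (32) || IV (16) || AES ciphertext;
// decrypted: "<method name>\x00" || APK ("PK\x03\x04"...). AES-CBC, PKCS#7
// padding and the NUL terminator are assumptions, not details from the report.
var apkMagic = []byte{'P', 'K', 3, 4}
// pkcs7Unpad strips PKCS#7 padding; caller guarantees a non-empty, aligned slice.
func pkcs7Unpad(b []byte) ([]byte, error) {
	n := int(b[len(b)-1])
	if n == 0 || n > aes.BlockSize || !bytes.Equal(b[len(b)-n:], bytes.Repeat([]byte{byte(n)}, n)) {
		return nil, errors.New("bad PKCS#7 padding")
	}
	return b[:len(b)-n], nil
}

// UnpackV2 splits key and IV off the asset, decrypts the rest, and returns the
// reflected method name and the embedded APK bytes (or an error on junk input).
func UnpackV2(asset []byte) (string, []byte, error) {
	if len(asset) < 48+aes.BlockSize || (len(asset)-48)%aes.BlockSize != 0 {
		return "", nil, errors.New("asset too short or not block aligned")
	}
	block, _ := aes.NewCipher(asset[:32]) // 32-byte key: NewCipher cannot fail
	plain := make([]byte, len(asset)-48)
	cipher.NewCBCDecrypter(block, asset[32:48]).CryptBlocks(plain, asset[48:])
	plain, err := pkcs7Unpad(plain)
	if err != nil {
		return "", nil, err
	}
	at := bytes.Index(plain, apkMagic)
	if at < 0 {
		return "", nil, errors.New("no APK magic after decryption")
	}
	return string(bytes.TrimRight(plain[:at], "\x00")), plain[at:], nil
}
// BuildSample makes a constructed (fake) asset in the same layout for testing.
func BuildSample(key, iv []byte, method string, apk []byte) []byte {
	plain := append([]byte(method+"\x00"), apk...)
	pad := aes.BlockSize - len(plain)%aes.BlockSize
	plain = append(plain, bytes.Repeat([]byte{byte(pad)}, pad)...)
	block, _ := aes.NewCipher(key)
	ct := make([]byte, len(plain))
	cipher.NewCBCEncrypter(block, iv).CryptBlocks(ct, plain)
	return append(append(append([]byte{}, key...), iv...), ct...)
}
```

On a real sample, a failure in pkcs7Unpad or a missing APK magic after decryption is the quickest sign that the file does not follow this layout (for example a version 2.1 asset whose key is fetched remotely).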
Version 2.1
In early 2020 the latest PhantomLance sample was found to introduce a new payload-decryption technique: the malicious payload is bundled with the implant and encrypted with AES, but the key is not carried in the sample itself; it is delivered to the device through Google's Firebase Remote Config. Other technical features closely match version 2.
A valid request to PhantomLance's Firebase API returns a JSON response containing the AES decryption key; the "code_disable" value is the payload decryption key:
{"entries": {"code_disable": "27ypYitp1UFc9Tvh"}, "appName": "com.ozerlab.callrecorder", "state": "UPDATE"}
The attackers also attempted to implant a third-stage payload. The second-stage payload (MD5: 83cd59e3ed1ba15f7a8cadfe9183e156) contains in its assets an APK file (MD5: 7048d56d923e049ca7f3d97fb5ba9812) named "data", which is corrupted.
The second stage reads this APK file, decrypts it and rewrites its first 27 bytes.
After execution, an APK file (MD5: c399d93146f3d12feb32da23b75304ba) is produced that is configured with C2 servers (cloud.anofrio[.]com, video.viodger[.]com, api.anaehler[.]com). The third-stage APK carries a native library named "data.raw" in its assets, which is used to maintain persistent control of infected devices.
Version 3
Version 2 was replaced by this version, although no new deployments of version 3 were observed in 2019; technically it is more advanced than version 2.
Compared with version 2, the first stage of the implant is more heavily obfuscated. It decrypts the payload in a manner similar to version 2, but the encrypted content is split across multiple files, each smaller than 10256 bytes, plus an encrypted configuration file that contains the payload-decryption details.
Decryption process:
Every version 3 payload has the same package name, "com.android.process.gpsp", and is signed with the same certificate that was used to sign some version 2 payloads. The only version tag found in version 3 is "10.2.98".
Distribution method
The attackers distribute the malware mainly through application markets. In addition to com.zimice.browserturbo and com.physlane.opengl, which were reported to Google, other distribution traces have been observed, indicating that many malicious applications were deployed to Google Play in the past and have since been removed.
Several third-party markets were identified that, unlike Google Play, still host the malicious applications:
https://apkcombo[.]com
https://apk[.]support/
https://apkpure[.]com
https://apkpourandroid[.]com
In almost every malware deployment, the attackers tried to build a developer profile by creating a GitHub account containing a fabricated end-user license agreement (EULA).
It was also found that the initial version uploaded by the attackers contained no malicious payload; subsequent versions then added the malicious payload or other malicious code.
Infrastructure
During analysis of the C2 server infrastructure, multiple domains similar to the known ones were quickly identified, but they could not be linked to any known malicious samples.
The IP address 188.166.203[.]57 was also identified.
Victim distribution
Attacks on Android devices in India, Vietnam, Bangladesh, Indonesia and other countries have been observed since 2016.
Cases have also been found in Nepal, Myanmar and Malaysia; South Asia is the group's largest target area. In addition to common decoy applications (such as Flash plug-ins, cleaners and updaters), there are applications specific to Vietnam.
Correlation analysis
The researchers analysed the relationship between PhantomLance and OceanLotus APT activity.
OceanLotus Android
In May 2019, Antiy Labs published a report on Android malware activity it attributed to OceanLotus APT, with samples dating back as far as December 2014. Most of the users affected by this activity are in Vietnam, with only a few in China. The main infection vector is malicious application links hosted on third-party websites and distributed via SMS or email.
The most recent malware download occurred in December 2017, and a small amount of activity was observed in 2018, but judging by the number of hosted samples and the number of detections, the main period of activity runs from the end of 2014 to 2017.
A code-structure comparison was made between the reported OceanLotus Android sample (MD5: 0e7c2adda3bc65242a365ef72b91f3a8) and the unobfuscated (possibly developer-build) PhantomLance version 3 payload (MD5: 243e2c6433833815f2ecc6640):
OceanLotus macOS back door
The macOS payload (MD5: 306d3ed0a7c899b5ef9d0e3c91f05193) analysed at the beginning of 2018 was compared with the code patterns of the Android malware. Three of its seven main classes were found to have the same names and similar functionality: "Converter", "Packet" and "Parser".
Similarity analysis
Most OceanLotus malware uses three different C2 servers.
In summary: the attackers show a strong interest in Vietnam, the infrastructure of PhantomLance and OceanLotus overlaps, and the Android and macOS backdoors share code similarities.
IoCs
PhantomLance
HEUR:Backdoor.AndroidOS.PhantomLance.*
HEUR:Trojan-Dropper.AndroidOS.Dnolder.*
Android campaign linked to OceanLotus (2014-2017)
HEUR:Trojan.AndroidOS.Agent.eu
HEUR:Trojan.AndroidOS.Agent.vg
HEUR:Trojan-Downloader.AndroidOS.Agent.gv
macOS campaign linked to OceanLotus
HEUR:Backdoor.OSX.OceanLotus.*
That concludes the PhantomLance multi-version attack analysis. Hopefully the above content is of some help and lets you learn more; if you think the article is good, share it so that more people can see it.