Quick and dirty over APT37 (aka Group123, aka ScarCruft) Android spying backdoor

APT37 (aka Group123, aka ScarCruft) is an espionage hacking group involved in malicious activities since at least 2016. Although the real goals of this threat group and its main objectives are currently unknown to the writer, APT37 seems to focus its efforts mainly against targets located in the region of South Korea.

Usually this threat actor uses lure documents related to Korean peninsula military, security and general affairs in its spear-phishing attempts, and it often makes use of encoded executable payloads masquerading as JPEG files (keeping legitimate file headers as well).

Another well known characteristic of the group is that it relies very often on cloud services for command and control (C2) functions.

A very recent campaign has been observed to be conducted by Group123 / APT37 involving new technical and tactical solutions aimed at compromising individuals and / or entities geographically located in the ROK.

The attack started with at least one spear-phishing email directed to one single specific target (according to the writer’s visibility at the time of this post).

The original message was written in Korean and the source email appears to be an @hanmail.net address. The recipient’s email address appears to be another @hanmail.net address. Hanmail is the name of the Korean email service provided by Daum Communications, and its use is quite common in that specific world region.

Following is some raw information about the original message collected (some data removed for privacy reasons):

[image: headers of the original spear-phishing email]

This specific email contained three attachments: two .jpge files (20190612_160359_s.jpge and 20190612_160419_s.jpge) and a .txt one. The .txt file contains instructions that guide the user towards the download of applications (one for Microsoft and one for Android, depending on the OS used) that should be able to open and display the two attached .jpge files.

Indeed, browsing the sites indicated in the instructions (shortened via bit.ly) we can download the applications capable of deciphering and correctly displaying these images.

Following are statistics by hits and countries for the application drop URLs:

1. Clicks and Countries statistics for malicious ZIP package (targeting desktop environment)

[image: bit.ly click and country statistics for the ZIP drop URL]

2. Clicks and Countries statistics for malicious APK package (targeting mobile environment)

[image: bit.ly click and country statistics for the APK drop URL]

The two shortened URLs have been set up to serve different malware types, one for the desktop environment (Microsoft) and one for the mobile environment (Android). Indeed, the file Android_JPGE_Viewer.apk, downloaded from hxxps://www.dropbox.com/s/5prgwypzkfilz6p/Android_JPGE_Viewer.apk?dl=1, is the Android counterpart of the file JPGE_Viewer.exe (deployed within a zip archive), originally downloaded from the URL hxxps://www.dropbox.com/s/hve5jjvlsxzl60i/JPGE_Viewer.zip?dl=1.

However, there is a notable difference between them: JPGE_Viewer.exe seems to perform no malicious actions if executed in isolation. If it is executed with the file 20190612_160359_s.jpge given to it for processing, some special DWORD values are identified within that file in order to map, extract and execute a XOR-encoded shellcode. The kill chain is then concluded with the installation of a spy backdoor on the system.

The file Android_JPGE_Viewer.apk, instead, presents some malicious characteristics by itself. Extracting the original archive we can note three .dex files, as reported in the following image.

[image: listing of the extracted APK showing classes.dex, classes2.dex and classes3.dex]

Looking deeper, classes2.dex is of primary interest. As stated above, unlike the fake Windows image viewer, this APK is able to perform malicious activities as soon as it is installed on the device. Indeed, it registers a background service and sets up several receivers to ensure that all inbound and outgoing calls get recorded, together with some call metadata.

This is performed through the functions startRecord and stopRecord of CallReceiver.class.

[image: decompiled startRecord / stopRecord methods of CallReceiver.class]

The application also sets an AlarmKit alert as soon as it is started, within the startTask() directives of MainActivity.class. Every time the alarm “sounds” (yes, it seems like “wake up Neo, The Matrix has you…” :>), it verifies and checks all the recordings made in order to send them to the cloud services configured as C2 (Dropbox and Yandex).

Following is an extract of the startRepeatingAlarm function.

[image: decompiled startRepeatingAlarm method]

Through PhoneInfoBuilder.class the malicious package is able to retrieve some basic information on the device as well.

The functions getDeviceModel(), getPermissionDetail(), getUniqID(), getVersionCode() and getWifiMac() help to create a device fingerprint.

The application also seems to be able to download and execute additional payloads and to execute arbitrary commands in the context of the victim system.

Following is an extract of the code aimed at handling the download and the execution of commands received from the C2.

[image: decompiled command download and execution routine (executeCommands)]

Finally, it is interesting to note that the API credentials for the cloud services are stored in native library files and packed. This is likely done in order to hide them and make detection and / or reversing activities harder.

[+] Conclusions

This operation is very interesting because it spreads malware variants for both desktop and mobile environments at the same time. This certainly represents an update in the TTP (Technical and Tactical Procedures) adopted by APT37 (aka Group123).

[+] Indicators of Compromise

SHA256 (artifact): 396eaff05bf3eebd90e8a4981b79ee9acfed0e95365f2d3151aefa3cd5aefbaa

SHA256 (artifact): 8863dc53aba8dbaa7a76ab4653d54a4a7412dc9bb986b8fe1d3d8350bbb730f1

SHA256 (artifact): 14397769f1ae34622757b6b4247562027c4402454af4c925b0d9da22c2e325ee

URL (C2 Cloud Service): hxxps://www.dropbox.com/upgrade?oqa=upeaoq

URL (C2 Cloud Service): hxxps://cloud-api.yandex.net

URL (Drop Point): hxxps://www.dropbox.com/s/5prgwypzkfilz6p/Android_JPGE_Viewer.apk?dl=1

URL (Drop Point): hxxps://www.dropbox.com/s/hve5jjvlsxzl60i/JPGE_Viewer.zip?dl=1

Package Name (artifact): come.example.imageviewer

File Name (artifact): Android_JPGE_Viewer.apk

File Name (artifact): JPGE_Viewer.[exe|zip]

Issuer (APK Certificate): C=US, O=Android, CN=Android Debug

SHA1 (APK Certificate): DE61E1A79B2EF010C4196CD0AAA4E470045B5B45

[+] File Detection Rule

rule APT37_ImageViewerDEX_v21 : APT37 Threat Group {
    meta:
        description = "Strings based detection of malicious DEX file"
        author = "Emanuele De Lucia"
        tlp = "white"
        hash1 = "396eaff05bf3eebd90e8a4981b79ee9acfed0e95365f2d3151aefa3cd5aefbaa"
    strings:
        $ = "executeCommands" fullword ascii
        $ = "startRepeatingAlarm" fullword ascii
        $ = "%path_password_eye_mask_strike_through" fullword ascii
        $ = "(Lcom/example/imageviewer/tool/LibLoader;" fullword ascii
        $ = "cloudManager" fullword ascii
        $ = "cryptManager" fullword ascii
    condition:
        uint16(0) == 0x6564 and filesize < 1000KB and all of them
}
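The rule above only matches an extracted DEX file, while the artifact that actually reaches a device is the APK, which (as noted in the analysis) bundles several classes*.dex files. The following Python triage script is an added example, not part of the original post or the author's tooling: it walks every DEX entry inside an APK, checks the DEX magic the rule's uint16(0) test encodes, and applies the same string set with an approximation of YARA's fullword semantics, so a defender can spot which DEX carries the indicators. The APK fixture is constructed here for the demonstration and is not the real sample.

```python
import io
import re
import zipfile

# Indicator strings taken from the APT37_ImageViewerDEX_v21 rule on this page.
INDICATOR_STRINGS = [
    b"executeCommands",
    b"startRepeatingAlarm",
    b"%path_password_eye_mask_strike_through",
    b"(Lcom/example/imageviewer/tool/LibLoader;",
    b"cloudManager",
    b"cryptManager",
]
DEX_MAGIC = b"dex\n"      # the rule's uint16(0) == 0x6564 is the little-endian "de" of this magic
MAX_SIZE = 1000 * 1024    # the rule's filesize < 1000KB

def _fullword(hay, needle):
    """Approximate YARA's 'fullword' modifier: needle bounded by non-alphanumeric bytes."""
    pat = rb"(?<![A-Za-z0-9_])" + re.escape(needle) + rb"(?![A-Za-z0-9_])"
    return re.search(pat, hay) is not None

def triage_apk(apk_bytes):
    """Apply the rule's condition to every classes*.dex entry of an APK (a zip archive)."""
    report = {"dex_files": {}, "suspicious": False}
    with zipfile.ZipFile(io.BytesIO(apk_bytes)) as zf:
        for name in zf.namelist():
            if not re.fullmatch(r"classes\d*\.dex", name):
                continue
            data = zf.read(name)
            hits = [s.decode() for s in INDICATOR_STRINGS if _fullword(data, s)]
            is_dex = data.startswith(DEX_MAGIC)
            matched = is_dex and len(data) < MAX_SIZE and len(hits) == len(INDICATOR_STRINGS)
            report["dex_files"][name] = {"is_dex": is_dex, "hits": hits, "matched": matched}
            report["suspicious"] = report["suspicious"] or matched
    return report

def build_sample_apk():
    """Constructed fixture (not the real APK): a benign classes.dex plus a classes2.dex whose
    string section carries all indicators as NUL-terminated entries, as DEX strings are."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("AndroidManifest.xml", b"<constructed/>")
        zf.writestr("classes.dex", DEX_MAGIC + b"035\x00" + b"\x00".join([b"MainActivity", b"onCreate"]))
        zf.writestr("classes2.dex", DEX_MAGIC + b"035\x00" + b"\x00".join(INDICATOR_STRINGS) + b"\x00")
    return buf.getvalue()

if __name__ == "__main__":
    for dex, info in triage_apk(build_sample_apk())["dex_files"].items():
        print(dex, info)
```

Running the script against the fixture flags only classes2.dex, mirroring the analysis above, where classes2.dex is the DEX of interest.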

h/t: @7boxt3r

External Insight: https://blog.alyac.co.kr/2452
