ACTION CODE= 49: Delete a file in the indicated directory. ACTION CODE= 48: List the file information in the current directory and upload it to the C&C server.ACTION CODE= 46: Download pictures as wallpaper.ACTION CODE= 41: Control the vibrate function, including the pattern and when it will vibrate.ACTION CODE= 37: Set phone’s UiMode, like night mode/car mode.ACTION CODE= 34: Monitor the phone sensors’ data in real time.ACTION CODE =10, 11: Control the Wi-Fi state.Here’s a list of some of the action codes and what each does to the device: This is the command that allows attackers to manipulate the device’s functionalities without the owner’s consent or knowledge. We also found several Dynamic Name Servers (DNS), which at some point led to the same C&C IP address:Ī notable command contains action code and Object DATA, which enables attackers to specify the target and content, making this a very flexible malware for cybercriminals. This can be an attempt to obscure their traffic. Interestingly, we also found that the backdoor connects to a domain rather than directly connecting to the C&C server’s IP address. The commands from the C&C server are encrypted and locally decrypted by the APK upon receipt. GhostCtrl can possess the infected device to do its bidding The malicious APK will then connect to the C&C server to retrieve commands via the socket (an endpoint for communication between machines), new Socket("", 3176). The main APK has backdoor functions usually named to mislead the user into thinking it’s a legitimate system application. Once installed, a wrapper APK will launch a service that would let the main, malicious APK run in the background:įigure 2: How the wrapper APK leads to the main APK Avoiding it is very tricky: even if the user cancels the “ask for install page” prompt, the message will still pop up immediately. The malicious APK, after dynamically clicked by a wrapper APK, will ask the user to install it. When the app is launched, it base64-decodes a string from the resource file and writes it down, which is actually the malicious Android Application Package (APK). Given that it’s a RAT as a service, this can be modified (or removed) during compilation.įigure 1: Snapshot of GhostCtrl version 3’s resources.arsc file indicating it’s an OmniRAT variant (highlighted) There’s actually a red flag that shows how the malicious APK is an OmniRAT spinoff. Predictably OmniRAT cracking tutorials abound in various underground forums, and some its members even provide patchers for it. A lifetime license for an OmniRAT package costs between US $25 and $75. It touts that it can remotely take control of Windows, Linux, and Mac systems at the touch of an Android device’s button-and vice versa. GhostCtrl is also actually a variant (or at least based on) of the commercially sold, multiplatform OmniRAT that made headlines in November 2015. Based on the techniques each employed, we can only expect it to further evolve. The third iteration combines the best of the earlier versions’ features-and then some. The first stole information and controlled some of the device’s functionalities without obfuscation, while the second added more device features to hijack. Socially engineered phishing emails were also attack vectors they had malicious URLs that led would-be victims to download these apps. GhostCtrl was hosted in RETADUP's C&C infrastructure, and the samples we analyzed masqueraded as a legitimate or popular app that uses the names App, MMS, whatsapp, and even Pokemon GO. It was accompanied by an even more dangerous threat: an Android malware that can take over the device.ĭetected by Trend Micro as ANDROIDOS_GHOSTCTRL.OPS / ANDROIDOS_GHOSTCTRL.OPSA, we’ve named this Android backdoor GhostCtrl as it can stealthily control many of the infected device’s functionalities. The information-stealing RETADUP worm that affected Israeli hospitals is actually just part of an attack that turned out to be bigger than we first thought-at least in terms of impact. Updated as of August 6, 2017, 7:45 PM PDT to clarify GhostCtrl's attack vectors.
0 Comments
Leave a Reply. |
AuthorWrite something about yourself. No need to be fancy, just an overview. ArchivesCategories |