forked from LexusWang/Aurora-demos
-
Notifications
You must be signed in to change notification settings - Fork 0
Expand file tree
/
Copy path89.txt
More file actions
121 lines (92 loc) · 6.87 KB
/
89.txt
File metadata and controls
121 lines (92 loc) · 6.87 KB
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
Background: What is OceanLotus?
"OceanLotus" (also known as APT-TOCS, APT32, OceanLotus) is considered an APT attack group originating from a certain country in the Indochina Peninsula. Active since 2012, it has continuously targeted sensitive Chinese entities and is one of the most active APT groups attacking mainland China in recent years.
Antian and other security vendors have previously released multiple analysis reports on OceanLotus, mainly focusing on PC platforms. The attack methods are often spear-phishing and phishing attacks, with relatively few mobile attacks. However, with the development of mobile internet, on one hand, people’s phones are increasingly dual-purpose, containing both personal privacy and social attributes; on the other hand, smartphone wireless communication can bypass internal security monitoring devices. Therefore, attacks targeting mobile platforms have become an important part of the overall attack chain. Below, Antian Mobile Security presents a detailed analysis based on a mobile attack incident that occurred in China.
Specific Analysis
| MD5 | Package Name | Program Icon Screenshot |
|----------------------------------|---------------------------------|-------------------------|
| 86C5495B048878EC903E6250600EC308 | com.tornado.nextlauncher.theme.windows8pro | |
| F29DFFD9817F7FDA040C9608C14351D3 | com.android.wps | |
Table 1. Basic Information of Typical Samples
The app disguises itself as a legitimate application, hides its icon after running, releases malicious sub-packages in the background, and receives remote control commands. It steals users’ SMS, contacts, call logs, geolocation, browser history, and other private information; downloads APKs without authorization; takes photos and records audio; and uploads user privacy to the server, resulting in privacy leakage.
Sample Analysis
After launching, the app opens the LicenseService service:
This service starts the f thread to register and release spy sub-packages:
Registration URL: http://ckoen.dmkatti.com
Dynamic loading of spy sub-packages:
Sub-package analysis
The main package reflectively calls the Execute method of the com.android.preferences.AndroidR class:
First, it establishes a socket connection:
Socket address: mtk.baimind.com
Through communication with the phone, it sends control commands and uploads some private information such as SMS, contacts, call logs, geolocation, and browser history.
Additionally, the spy sub-package establishes HTTPS communication used to upload large files such as audio recordings, screenshots, documents, photos, and videos.
HTTPS address:
https://jang.goongnam.com/resource/request.php (currently inactive; this C2 belongs to OceanLotus assets)
CC Location Function
mtk.baimind.com dex file, socket communication receiving remote commands
jang.goongnam.com dex file, uploading screenshots, audio files, documents, etc.
Table 2. CC Locations and Functions
As shown below: firstly, the signature Subject contains "HackingTeam" and "Christian Pozz" (the name of an administrator from Hacking Team); secondly, the registration functionality in the code indicates it is commercial spyware sold externally; lastly, according to leaked documents from Hacking Team, the country OceanLotus belongs to is also on its client list.
Extended Analysis
Based on the common origin of the registered CC, we found the following samples:
MD5 Program Name
C630AB7B51F0C0FA38A4A0F45C793E24 Google Play services
BF1CA2DAB5DF0546AACC02ABF40C2F19 ChromeUpdate
45AE1CB1596E538220CA99B29816304F FlashUpdate
CE5BAE8714DDFCA9EB3BB24EE60F042D Google Play services
D1EB52EF6C2445C848157BEABA54044F AdAway
50BFD62721B4F3813C2D20B59642F022 Google Play services
Table 3. Homologous Samples Found via CC Retrieval
Unlike the analyzed sample, the above samples have significant functional improvements, adding privilege escalation. Taking 45AE1CB1596E538220CA99B29816304F as an example, decrypting the file named dataOff.db in its assets directory reveals a privilege escalation configuration file, as shown below:
This confirms the statement by the CEO of Hacking Team after the code leak that “the leaked code is only a small part.” This also indirectly reflects how cyber arms dealers have lowered the barrier for APT attacks to some extent, causing greater uncertainty in cyberattacks.
We also noticed that this series of malicious codes has been distributed through domestic third-party app stores and file-sharing websites.
Hash URL
641f0cc057e2ab43f5444c5547e80976 http://download****.mediafire.com/sj*m*p**h1rg/so**lfeh*****rb/TOS_Multi_Backup_V1.1.apk
c20fa2c10b8c8161ab8fa21a2ed6272d http://ws.yingyonghui.com/4d*****a197ad8be*****d88d3c*****/5523a87c/apk/******/com.slhapp.khogameandroid.*************.apk
Table 4. Sample Distribution Links
Summary
The OceanLotus group is constantly evolving, continuously updating its attack techniques and weaponry to bypass security software defenses. Besides constantly updating its weapon library, the group is also very familiar with China’s situation, including policies and user habits. This not only confuses related personnel and increases attack success rates but may also cause immeasurable losses to target victims.
Therefore, for individuals, it is essential to improve cybersecurity awareness and not be deceived by phishing information. For security vendors, it is even more necessary to deepen understanding of this group, continuously conduct targeted countermeasures, enhance security defense capabilities, and truly safeguard users’ mobile security.
6、Appendix(IOC)
5079CB166DF41233A1017D5E0150C17A
F29DFFD9817F7FDA040C9608C14351D3
0E7C2ADDA3BC65242A365EF72B91F3A8
C630AB7B51F0C0FA38A4A0F45C793E24
CE5BAE8714DDFCA9EB3BB24EE60F042D
BF1CA2DAB5DF0546AACC02ABF40C2F19
D1EB52EF6C2445C848157BEABA54044F
45AE1CB1596E538220CA99B29816304F
50BFD62721B4F3813C2D20B59642F022
86c5495b048878ec903e6250600ec308
780a7f9446f62dd23b87b59b67624887
DABF05376C4EF5C1386EA8CECF3ACD5B
86C5495B048878EC903E6250600EC308
F29DFFD9817F7FDA040C9608C14351D3
C83F5589DFDFB07B8B7966202188DEE5
229A39860D1EBEAFC0E1CEF5880605FA
A9C4232B34836337A7168A90261DA410
877138E47A77E20BFFB058E8F94FAF1E
5079CB166DF41233A1017D5E0150C17A
2E780E2FF20A28D4248582F11D245D78
0E7C2ADDA3BC65242A365EF72B91F3A8
315F8E3DA94920248676B095786E26AD
D1EB52EF6C2445C848157BEABA54044F
DABF05376C4EF5C1386EA8CECF3ACD5B
AD32E5198C33AA5A7E4AEF97B7A7C09E
DF2E4CE8CC68C86B92D0D02E44315CC1
C20FA2C10B8C8161AB8FA21A2ED6272D
55E5B710099713F632BFD8E6EB0F496C
CF5774F6CA603A748B4C5CC0F76A2FD5
66983EFC87066CD920C1539AF083D923
69232889A2092B5C0D9A584767AF0333
C6FE1B2D9C2DF19DA0A132B5B9D9A011
CE5BAE8714DDFCA9EB3BB24EE60F042D
50BFD62721B4F3813C2D20B59642F022
C630AB7B51F0C0FA38A4A0F45C793E24
810EF71BB52EA5C3CFE58B8E003520DC
BF1CA2DAB5DF0546AACC02ABF40C2F19
45AE1CB1596E538220CA99B29816304F
5AF0127A5E97FB4F111ECBA2BE1114FA
74646DF14970FF356F33978A6B7FD59D
DF845B9CAE7C396CDE34C5D0C764360A
C20FA2C10B8C8161AB8FA21A2ED6272D
641F0CC057E2AB43F5444C5547E80976