Source: benkow.cc/wp_prezo.pdf
Wolf in Sheep’s Clothing- UndressedBornHack 2019
www.csis.dk
Who’s who: Benoit Ancel
What to expect
1.00 Introduction
2.00 Win32.Agent
3.00 Android.Agent
4.00 IOS.Agent
5.00 Multi-platform malware
6.00 Kumar Manish, WOLF and the pack
7.00 Victims intelligence
8.00 Toolset
1.00 Introduction
Origin of the research
Investigation around 68.65.122.53 (VPS used for phishing, banking…)
• 1226 domains resolved to this IP
• 1 really interesting: chrome-update-center.com
chrome-update-center.com
• Fake Google Play page acting as dropzone.
• Payloads are selected client-side, depending on the victim’s User-Agent:
    if (/iPhone|iPad|iPod/i.test(navigator.userAgent))  -> i.diawi.com/i3cuz6 (IPA)
    else if (/Android/i.test(navigator.userAgent))       -> update.apk
    else                                                 -> Update.exe
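Added example (not code from the slides or from the dropzone page): the page’s User-Agent routing reproduced in Python, with a helper that groups candidate User-Agents by the payload they trigger, so an analyst knows which UA to present to pull every stage. The User-Agent strings are constructed for illustration. The two odd cases at the end (an iPad presenting Safari’s default desktop UA, a Windows Phone whose UA carries the token "Android") show why the branch order matters and why a sandbox should visit the page once per UA rather than with one default.

```python
import re

# The three branches the dropzone's page script uses, in the order it tests
# them (from the slide); the iOS payload is served through a diawi.com link.
PAYLOAD_RULES = [
    (re.compile(r"iPhone|iPad|iPod", re.I), "i.diawi.com/i3cuz6 (IPA)"),
    (re.compile(r"Android", re.I),          "update.apk"),
]
DEFAULT_PAYLOAD = "Update.exe"


def select_payload(user_agent: str) -> str:
    """Return the payload the page would hand to a visitor with this User-Agent."""
    for pattern, payload in PAYLOAD_RULES:
        if pattern.search(user_agent):
            return payload
    return DEFAULT_PAYLOAD


def enumerate_payloads(user_agents):
    """Group candidate User-Agents by the payload each one triggers, so every
    branch of the dropzone can be exercised during collection."""
    hits = {}
    for ua in user_agents:
        hits.setdefault(select_payload(ua), []).append(ua)
    return hits


# Constructed User-Agents for illustration (not taken from the slides).
SAMPLE_UAS = {
    "iphone":  "Mozilla/5.0 (iPhone; CPU iPhone OS 12_4 like Mac OS X) AppleWebKit/605.1.15",
    "android": "Mozilla/5.0 (Linux; Android 9; Pixel 3) AppleWebKit/537.36 Chrome/76.0 Mobile",
    "windows": "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 Chrome/76.0",
    # iPadOS 13+ Safari identifies as a Mac by default, so it falls through to
    # the last branch: the page would serve Update.exe to an iPad.
    "ipad_desktop": "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15) AppleWebKit/605.1.15 Safari/605.1.15",
    # Windows Phone's Edge UA carries the token "Android" for compatibility,
    # so it is routed to the APK even though the device cannot run it.
    "winphone": "Mozilla/5.0 (Windows Phone 10.0; Android 6.0.1; Microsoft; Lumia 650) Edge/14.14393",
}

if __name__ == "__main__":
    for payload, uas in enumerate_payloads(SAMPLE_UAS.values()).items():
        print(payload, "<-", len(uas), "UA(s)")
```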
2.00 Win32.Agent
• Update.exe is a RAT for Windows (probably a debug build)
• The malware is composed of 2 stages:
  • 1 - Loader
  • 2 - RAT
• Already on VT with good detections
Win32.Agent.W1_RAT
• Stage 2 is a RAT called CARAT (Caphyon RAT?) or W1 RAT.
• No reference online.
• Installs itself as c:\program files\chrome\test.exe
• Persistence via the Software\Microsoft\Windows\CurrentVersion\Run key
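Added example (not from the slides or the sample): a triage helper that parses the output of `reg query` for the Run key and flags autoruns that pose as Chrome but do not live in Google’s real install directory (Program Files\Google\Chrome\Application). The registry dump below is constructed; the OneDrive entry and the user name are illustrative, the second entry is the install path reported on the slide.

```python
import re

# Constructed sample of `reg query HKCU\Software\Microsoft\Windows\CurrentVersion\Run`
# output (not from the slides): one legitimate autorun plus the RAT's install path.
SAMPLE_REG_QUERY = r"""
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run
    OneDrive    REG_SZ    "C:\Users\alice\AppData\Local\Microsoft\OneDrive\OneDrive.exe" /background
    test    REG_SZ    c:\program files\chrome\test.exe
"""

# Where a genuine Chrome installs its binary; any other "chrome" folder is suspect.
GENUINE_CHROME_DIR = "\\google\\chrome\\application\\"


def parse_reg_query(text):
    """Parse `reg query` output into (value_name, type, data) tuples.
    Fields are separated by runs of spaces, so single spaces inside paths survive."""
    entries = []
    for line in text.splitlines():
        parts = re.split(r"\s{2,}|\t", line.strip())
        if len(parts) >= 3 and parts[1].startswith("REG_"):
            entries.append((parts[0], parts[1], " ".join(parts[2:])))
    return entries


def image_path(data):
    """Extract the executable from a Run value, handling quoted paths with arguments."""
    data = data.strip()
    if data.startswith('"'):
        return data[1:data.find('"', 1)]
    m = re.match(r"(.+?\.exe)", data, re.I)
    return m.group(1) if m else data


def suspicious_chrome_autoruns(entries):
    """Return Run entries whose image sits in a 'chrome' directory that is not
    Google's own install location."""
    hits = []
    for name, _type, data in entries:
        path = image_path(data).lower()
        if "\\chrome\\" in path and GENUINE_CHROME_DIR not in path:
            hits.append((name, path))
    return hits


if __name__ == "__main__":
    for name, path in suspicious_chrome_autoruns(parse_reg_query(SAMPLE_REG_QUERY)):
        print("suspicious autorun:", name, "->", path)
```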
After decrypting its strings, the RAT verifies that each decrypted string starts with CARAT_
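Added example (not the RAT’s code): using the CARAT_ marker as a known-plaintext oracle to recover the string-decryption key. The slides do not name the cipher, so a short repeating-key XOR is assumed here, and the key, plaintexts and ciphertexts are constructed. The marker gives the first key bytes directly, and the RAT’s own acceptance test (every decrypted string must start with CARAT_) tells you when the key length is right, provided you check it across all the encrypted strings rather than one.

```python
import string

KNOWN_PREFIX = b"CARAT_"   # the marker the RAT checks on every decrypted string

# ASSUMPTION for this example: strings are protected with a short repeating-key
# XOR. The slides do not name the routine; what carries over to the real one is
# the method: derive key material from the prefix the malware itself validates,
# then reuse that validation as the oracle for the key length.


def xor_bytes(data: bytes, key: bytes) -> bytes:
    return bytes(b ^ key[i % len(key)] for i, b in enumerate(data))


def looks_decrypted(plain: bytes) -> bool:
    """The RAT's own acceptance test: right marker, printable text after it."""
    return plain.startswith(KNOWN_PREFIX) and all(
        chr(c) in string.printable for c in plain[len(KNOWN_PREFIX):])


def recover_key(blobs, max_key_len=len(KNOWN_PREFIX)):
    """Try each key length up to the marker length: the first blob yields the
    candidate key bytes, every other blob must then pass the marker check.
    Checking all blobs is what rejects the wrong (too short) key lengths."""
    first = blobs[0]
    for klen in range(1, max_key_len + 1):
        key = bytes(first[i] ^ KNOWN_PREFIX[i] for i in range(klen))
        if all(looks_decrypted(xor_bytes(b, key)) for b in blobs):
            return key
    return None


def decrypt_strings(blobs, key):
    """Decrypt and strip the marker, as the RAT does before using a string."""
    return [xor_bytes(b, key)[len(KNOWN_PREFIX):].decode() for b in blobs]


# Constructed test data: plaintexts in the RAT's style, encrypted with a
# hypothetical 3-byte key. Only the ciphertexts would be visible in a sample.
_DEMO_KEY = bytes([0x5A, 0x13, 0xC7])
ENCRYPTED_STRINGS = [xor_bytes(s, _DEMO_KEY) for s in (
    b"CARAT_screencast", b"CARAT_getkeylog", b"CARAT_enumservices")]

if __name__ == "__main__":
    key = recover_key(ENCRYPTED_STRINGS)
    print("key:", key.hex(), "->", decrypt_strings(ENCRYPTED_STRINGS, key))
```

Key lengths longer than the marker cannot be derived this way; for those, the marker still serves as the oracle, but the remaining key bytes have to come from elsewhere (a longer known string, or the decryption routine itself).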
~20 features available, nothing advanced or fancy:
• Recon: fingerprint victim, search files, ls, get file size, list processes, enum services
• Files: read file, upload file, copy file, move file, rename file, delete file, create dir, edit file timestamp
• Processes/services: exec, kill process, stop service
• Surveillance: screencast, mic, get keylogger logs, credentials stealers
• Self-control: autokill
3.00 Android.Agent
• Not packed (probably a debug build)
• Looks like a basic Android RAT
• HTTP/FTP exfiltration (hard-coded credentials)
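Added example (not from the APK): pulling hard-coded exfiltration credentials out of a sample’s strings, both URLs that embed a login (user:pass@host, as a dropper would pass to an HTTP or FTP client) and bare FTP USER/PASS command strings that a hand-rolled client builds itself. The string list is constructed for illustration; hosts use the reserved .invalid domain.

```python
import re
from urllib.parse import unquote, urlsplit

# Constructed strings, as they might come out of `strings` on classes.dex or a
# decompiler's constant pool (not taken from the sample on the slides).
SAMPLE_STRINGS = [
    "Landroid/app/Service;",
    "ftp://uploader:Dr0p%40zone@files.example.invalid/incoming/",
    "http://panel.example.invalid/upload.php",
    "USER uploader",
    "PASS Dr0p@zone",
    "Content-Disposition: form-data; name=\"file\"",
]

# A URL whose authority part carries a login: scheme://user:pass@host...
URL_WITH_CREDS = re.compile(r"\b(?:ftp|https?)://[^\s\"'/]+@[^\s\"']+", re.I)
# Bare FTP protocol commands as a hand-written client would emit them.
FTP_LOGIN = re.compile(r"^(USER|PASS)\s+(\S+)$")


def find_url_credentials(strings):
    """Return (scheme, host, user, password) for every URL that embeds a login.
    Credentials in URLs are percent-encoded, so they are decoded before reporting."""
    found = []
    for s in strings:
        for m in URL_WITH_CREDS.finditer(s):
            u = urlsplit(m.group(0))
            if u.username is not None:
                found.append((u.scheme.lower(), u.hostname,
                              unquote(u.username), unquote(u.password or "")))
    return found


def find_ftp_logins(strings):
    """Pair up bare USER/PASS command strings; returns (user, password) or None."""
    user = password = None
    for s in strings:
        m = FTP_LOGIN.match(s.strip())
        if m and m.group(1) == "USER":
            user = m.group(2)
        elif m:
            password = m.group(2)
    return (user, password) if user and password else None


if __name__ == "__main__":
    print(find_url_credentials(SAMPLE_STRINGS))
    print(find_ftp_logins(SAMPLE_STRINGS))
```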
• Screenshots
• Call/mic recording
• Docs/pics stealer
• Screencast
• Contacts, SMS, browsing history …
• Patchwork of old code:
  • https://github.com/koush/Screenshot (9 years old)
  • https://github.com/murali129/ScreenOCR (1 year old)
  • https://github.com/jakubkinst/DEECo-Offload (3 years old)
4.00 IOS.Agent
• Copy-pasted from:
  • https://github.com/andrealufino/ALSystemUtilities (no longer maintained, 3 years old)
  • https://github.com/gali8/Tesseract-OCR-iOS
  • https://github.com/davidmurray/ios-reversed-headers
5.00 Multi-platform malware
• It looks like somebody tried to build a multi-platform tool
• Lame code (copy-paste, bugs, a scam app on iOS)
• Lame infrastructure
• It looks like an audacious cybercrime actor is trying something.
Aaahh… Panels!
Unknown panels located on the same domain, used as C&C for the mobile malware
Panels entirely open, with full backups of the databases and all the stolen data.
Data!
• ~20 GB of data available:
  • Pictures
  • Audio records
  • Documents
  • Smartphone configuration
• Everything stolen is available in the databases
After a quick analysis it’s clear: this actor is interesting.
6.00 Kumar Manish, WOLF and the pack
Kumar Manish, CEO of Wolf Research
• All the data point to one man: Kumar Manish from Wolf Research.
• Fun fact: open directory « website_logo » on the malware C&C, containing the Wolf Research logo and a picture of Kumar Manish
Wolf Research
NO KIDDING!
• Who is Wolf Research?
"Wolf Research develops advanced big data systems, cyber security & AI, and data extraction solutions for the government and homeland security sectors. Our solutions are designed to overcome various operational challenges."
HQ in Germany, offices in Cyprus, Bulgaria, Romania, India and the US
Known stories:
• Motherboard: The Forgotten Prisoner of a Spyware Deal Gone Wrong (scam attempt against the Mauritanian government)
• Forbes: Meet The 'Cowboys Of Creepware' -- Selling Government-Grade Surveillance To Spy On Your Spouse (spouseware business)
• Bloomberg: The Post-Snowden Cyber Arms Hustle
The company's co-founder Manish Kumar is a "criminal of the worst kind," according to David Vincenzetti, the CEO of Hacking Team
Wolf Research – leader of the pack
Audio: origin of the company.
Subcontractors:
• Development based in Romania (Decode.ro)
• Testers in India (Pune) (Squarebits)
Dev - Decode.ro
This name appears everywhere: Iurie Gutu
• One of the developers of the iOS/Android malware (with Valentin Brad)
• The APK/IPA malware is invoiced to a Romanian company: Decode.ro
Dev - Decode.ro: panel and iOS development
Squarebits: mobile app development company based in India
Google Drive link found in the database:
Squarebits: THE KUMAR FAMILY
7.00 Victims intelligence
Victims intelligence: a true globetrotter
Public-IP-based geolocation of the smartphone
• Looks like a demo smartphone for sellers
• Different actors testing or presenting Wolf Research products
Nexa
Audio record: product presentation
• Many calls/SMS from +336 numbers (France, mobile phone) in the database
• French audio records
• 90.102.1.97 used by the smartphone (registrant [email protected])
• SMS in the database:
  « DHL EXPRESS from NEXA TECHNOLOGI is scheduled for delivery TODAY by End of Day. Track at … »
• A strange APK called « Nexa Tracker »
• Personal phone number used by a Nexa VIP
WiSpear: WIFI INTERCEPTION AND SECURITY SOLUTIONS
• Interesting connection:
  • Correlates with known stories of the Wolf adventures in Israel
  • Can be an attack vector
  • (Very) big company in WiFi interception
• Interesting data:
  • You don’t see WiSpear tools every day
• Proof:
  • Smartphone named “Wispear”
  • Geolocation
  • Pictures
Prosafe
“Prosafe is a leading owner and operator of semi-submersible accommodation, safety and support vessels.”
A lot of pictures of the Prosafe HQ in Cyprus
Partnership (diagram): Wolf Research, the panels, Nexa, Amesys, WiSpear, Prosafe, political targets, …
8.00 Toolset
The testing phone
Test smartphones contain a lot of useful data:
The W1 Crypter
Attack vectors (?)
MISC
Audio record: jailbreak – Google Play
• Audio records
• Data keeps flowing
Conclusion
• Only the tip of the iceberg
• This kind of behavior can do great damage to international operations
• Wolf Research: bad legit company or good scammers?
Kumar Manish in 2019
• Old backend still up.
• New company: Wimidefence (“secure” phone)