Wolf in Sheep’s Clothing - Undressed (slides: benkow.cc/wp_prezo.pdf)

Posted on 17-Oct-2020


REST ASSURED

Wolf in Sheep’s Clothing - Undressed

BornHack 2019

www.csis.dk

Who’s who: Benoit Ancel


What to expect

1.00 Introduction
2.00 Win32.Agent
3.00 Android.Agent
4.00 IOS.Agent
5.00 Multi-platform malware
6.00 Kumar Manish, WOLF and the pack
7.00 Victims intelligence
8.00 Toolset


1.00 Introduction


Origin of the research

Investigation around 68.65.122.53 (a VPS used for phishing, banking…):

• 1226 domains resolved to it
• 1 really interesting: chrome-update-center.com


chrome-update-center.com

• Fake Google Play page acting as dropzone.
• Payloads are selected depending on the User-Agent of the victim:

    if ( /iPhone|iPad|iPod/i.test(navigator.userAgent) )  ->  i.diawi.com/i3cuz6 (IPA)
    else if ( /Android/i.test(navigator.userAgent) )      ->  update.apk
    else                                                  ->  Update.exe
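To see every payload a dropzone like this hands out, an analyst replays the same request under each kind of User-Agent and groups the responses by what came back. The Python below is an added example, not code from the slides or from the actor's page: select_payload mirrors the three JavaScript branches above, the User-Agent strings and the fetch callback are constructed stand-ins, and fake_dropzone replaces the real server so the script runs offline.

```python
import re
from collections import defaultdict

# Mirror of the three branches on the fake Google Play page: same regexes,
# same order. The iOS test runs first, then Android; everything else
# (Windows, macOS, Linux, crawlers) falls through to the Windows executable.
IOS_RE = re.compile(r"iPhone|iPad|iPod", re.IGNORECASE)
ANDROID_RE = re.compile(r"Android", re.IGNORECASE)


def select_payload(user_agent: str) -> str:
    """Return the payload the dropzone serves for this User-Agent."""
    if IOS_RE.search(user_agent):
        return "i.diawi.com/i3cuz6"   # IPA handed out through Diawi
    if ANDROID_RE.search(user_agent):
        return "update.apk"
    return "Update.exe"               # the catch-all branch


# Constructed User-Agents, one per branch plus two clients that are neither
# iOS nor Android; these are not captured victim requests.
SAMPLE_USER_AGENTS = {
    "ios": "Mozilla/5.0 (iPhone; CPU iPhone OS 12_2 like Mac OS X) AppleWebKit/605.1.15",
    "android": "Mozilla/5.0 (Linux; Android 9; Pixel 3) AppleWebKit/537.36 Chrome/74.0",
    "windows": "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 Chrome/74.0",
    "macos": "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14) AppleWebKit/605.1.15 Safari/605.1.15",
    "curl": "curl/7.64.0",
}


def harvest_payloads(fetch, user_agents=SAMPLE_USER_AGENTS):
    """Hit the dropzone once per User-Agent and group the labels by payload served.

    `fetch(ua)` is a caller-supplied callable (hypothetical name) that sends the
    request with that User-Agent and returns an identifier for the answer, e.g.
    the redirect target or the SHA-256 of the downloaded file. Grouping by the
    answer rather than by the UA is what tells you how many distinct payloads
    the page really has, whatever its branching looks like.
    """
    served = defaultdict(list)
    for label, ua in user_agents.items():
        served[fetch(ua)].append(label)
    return dict(served)


def fake_dropzone(user_agent: str) -> str:
    """Offline stand-in for chrome-update-center.com: answers like the page's JS."""
    return select_payload(user_agent)


if __name__ == "__main__":
    for payload, labels in harvest_payloads(fake_dropzone).items():
        print(f"{payload:<20} <- {', '.join(labels)}")
```

Note the branch order: a User-Agent that mentions both an Apple device and Android is served the IPA, and every non-mobile client, sandbox crawler included, gets Update.exe.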


2.00 Win32.Agent


• Update.exe is a RAT for Windows (probably a debug build)
• The malware is composed of 2 stages:
  1- Loader
  2- RAT
• Already on VT with good detections


Win32.Agent

• Stage 2 is a RAT called CARAT (Caphyon RAT?) or W1 RAT.

• No reference online.

• Installs itself as c:\program files\chrome\test.exe
• Persistence via Software\Microsoft\Windows\CurrentVersion\Run
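A Run-key entry pointing at c:\program files\chrome\test.exe is easy to hunt for once the key is exported. The Python below is an added example (not from the talk or from CSIS) that parses a constructed "reg export" of a Run key, reduces each command line to the image it launches and flags the talk's indicator; the extra masquerade check for chrome-named directories, and the genuine Chrome install paths it compares against, are assumptions of the example, as is the HKCU hive in the sample (the slide names the key, not the hive).

```python
import re
from pathlib import PureWindowsPath

# Indicator from the talk: where W1 RAT copies itself before registering in the Run key.
IOC_IMAGE_PATH = r"c:\program files\chrome\test.exe"

# Assumption for the masquerade check (not from the talk): where a genuine
# Chrome binary lives on Windows. A "chrome" directory anywhere else is worth a look.
GENUINE_CHROME_DIRS = {
    r"c:\program files\google\chrome\application",
    r"c:\program files (x86)\google\chrome\application",
}

# One value line of a reg export: "Name"="data"
REG_VALUE_RE = re.compile(r'^"(?P<name>[^"]+)"="(?P<data>.*)"$')


def parse_run_values(reg_export: str):
    """Yield (value name, command line) pairs from an exported Run key.
    Exports escape backslashes and double quotes with a backslash; both are undone."""
    for line in reg_export.splitlines():
        m = REG_VALUE_RE.match(line.strip())
        if m:
            data = m.group("data").replace('\\"', '"').replace("\\\\", "\\")
            yield m.group("name"), data


def image_path(command: str) -> str:
    """Reduce a Run-key command line to the executable it launches, lower-cased.

    Quoted paths keep their spaces. Unquoted paths are cut after the first
    ".exe", which also handles the unquoted-path-with-spaces case Windows
    itself resolves ambiguously (a ".exe" inside a directory name would fool it).
    """
    command = command.strip()
    if command.startswith('"'):
        end = command.find('"', 1)
        exe = command[1:end] if end > 0 else command[1:]
    else:
        m = re.search(r"\.exe\b", command, re.IGNORECASE)
        exe = command[:m.end()] if m else command.split(" ", 1)[0]
    return exe.lower()


def triage_run_entries(reg_export: str):
    """Return (value name, image path, reason) for every entry that needs a look."""
    hits = []
    for name, command in parse_run_values(reg_export):
        exe = image_path(command)
        path = PureWindowsPath(exe)
        if exe == IOC_IMAGE_PATH:
            hits.append((name, exe, "matches the W1 RAT install path"))
        elif "chrome" in path.parts[:-1] and str(path.parent) not in GENUINE_CHROME_DIRS:
            hits.append((name, exe, "chrome-named directory outside the genuine Chrome install"))
    return hits


# Constructed export of an HKCU Run key: two legitimate entries, the talk's
# indicator (unquoted, with a space in the path) and a second look-alike.
SAMPLE_REG_EXPORT = r'''Windows Registry Editor Version 5.00

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
"OneDrive"="\"C:\\Users\\alice\\AppData\\Local\\Microsoft\\OneDrive\\OneDrive.exe\" /background"
"GoogleChromeAutoLaunch"="\"C:\\Program Files\\Google\\Chrome\\Application\\chrome.exe\" --no-startup-window"
"Chrome Update"="C:\\Program Files\\Chrome\\test.exe"
"Chrome"="C:\\ProgramData\\Chrome\\chrome.exe"
'''

if __name__ == "__main__":
    for name, exe, reason in triage_run_entries(SAMPLE_REG_EXPORT):
        print(f"{name!r}: {exe}  [{reason}]")
```

On a live host the same triage runs over HKLM as well as every loaded user hive, and a hit is a starting point, not a verdict: confirm with the file's hash and signature before acting on it.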


Win32.Agent.W1_RAT

After decrypting the strings, the RAT verifies that each decrypted string starts with CARAT_
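The CARAT_ prefix is the RAT's decryption sanity check, and for an analyst it is also known plaintext at a fixed offset. The Python below is an added example, not the RAT's code or the speaker's tooling: the talk does not say which cipher the RAT uses, so the example assumes a repeating-key XOR, and the string table it decrypts is constructed here under a made-up key.

```python
from itertools import cycle

# The RAT's own acceptance test for a decrypted string.
MARKER = b"CARAT_"


def xor_bytes(data: bytes, key: bytes) -> bytes:
    """Repeating-key XOR (an assumption: the talk does not name the real cipher)."""
    return bytes(b ^ k for b, k in zip(data, cycle(key)))


def verify_and_strip(plain: bytes):
    """The check the RAT performs after decryption: reject anything that does not
    start with CARAT_, otherwise return what follows the marker."""
    return plain[len(MARKER):] if plain.startswith(MARKER) else None


def recover_key(blob: bytes, max_key_len: int = len(MARKER) - 1):
    """Treat the fixed prefix as known plaintext.

    For each candidate key length, the first key_len bytes of the blob XOR the
    first key_len bytes of CARAT_ give a candidate key; it is kept only if the
    rest of the marker also decrypts correctly. max_key_len stays below the
    marker length on purpose: with a 6-byte key every 6-byte marker "verifies",
    so the prefix no longer tells you anything and longer known plaintext is needed.
    """
    for key_len in range(1, max_key_len + 1):
        if len(blob) <= key_len:
            break
        key = xor_bytes(blob[:key_len], MARKER[:key_len])
        if xor_bytes(blob, key).startswith(MARKER):
            return key
    return None


def decrypt_table(blobs):
    """Decrypt a string table blob by blob; entries the RAT would reject come back as None."""
    out = []
    for blob in blobs:
        key = recover_key(blob)
        plain = verify_and_strip(xor_bytes(blob, key)) if key else None
        out.append(None if plain is None else plain.decode("ascii", errors="replace"))
    return out


# Constructed sample table: two CARAT_ strings encrypted under a made-up 3-byte
# key, plus one blob that is not a CARAT_ string at all (the RAT would reject it too).
SAMPLE_KEY = bytes.fromhex("5a13c7")
SAMPLE_TABLE = [
    xor_bytes(MARKER + rb"Software\Microsoft\Windows\CurrentVersion\Run", SAMPLE_KEY),
    xor_bytes(MARKER + rb"c:\program files\chrome\test.exe", SAMPLE_KEY),
    xor_bytes(b"not a CARAT string", SAMPLE_KEY),
]

if __name__ == "__main__":
    print("recovered key:", recover_key(SAMPLE_TABLE[0]).hex())
    for entry in decrypt_table(SAMPLE_TABLE):
        print(repr(entry))
```

The same marker check is what makes the prefix useful as a YARA or memory-scan string once the table has been decrypted in a running process: every live string carries it.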


~ 20 features available, nothing advanced or fancy:


• File system: Search files, ls, Read file, Get file size, Upload file, Copy file, Move file, Rename file, Delete file, Create dir, Edit timestamp file
• Host: Fingerprint victim, List processes, Kill process, exec, Enum services, Stop service
• Surveillance: Screencast, Mic, Get keylogger logs, Credentials stealers
• Self: Autokill


3.00 Android.Agent


• Not packed (probably a debug build)
• Looks like a basic Android RAT


Android.Agent

• HTTP/FTP exfiltration (hard-coded credentials)


• Screenshots

• Call/Mic record

• Docs/pics stealer

• Screencast

• Contacts, SMS, browsing history …


• Patchwork of old code:

• https://github.com/koush/Screenshot (9yo)

• https://github.com/murali129/ScreenOCR (1yo)

• https://github.com/jakubkinst/DEECo-Offload (3yo)


4.00 IOS.Agent


• Copy-pasted from:

• https://github.com/andrealufino/ALSystemUtilities (no longer maintained, 3yo)

• https://github.com/gali8/Tesseract-OCR-iOS

• https://github.com/davidmurray/ios-reversed-headers


5.00 Multi-platform malware


• It looks like somebody tried to build a multi-platform tool
• Lame code (copy-paste, bugs, scam app (iOS))
• Lame infrastructure
• It looks like an audacious cybercrime actor is trying something.


Multi-platform malware

Unknown panels located on the same domain, used as C&C for mobile malware


Aaahh… Panels!

Panels entirely open with full backup of databases and all stolen data.


• ~20 GB of data available:

• Pictures

• Audio records

• Documents

• Smartphone configuration

• Everything stolen is available in the databases


Data!

After a quick analysis it’s clear, this actor is interesting.


6.00 Kumar Manish, WOLF and the pack


• All the data points to one man: Kumar Manish of Wolf Research.
• Fun fact: an open directory « website_logo » on the malware C&C contains the Wolf Research logo and a picture of Kumar Manish


Kumar Manish, CEO of Wolf Research

KUMAR


NO KIDDING!


Wolf Research

• Who is Wolf Research?

“Wolf Research develops advanced big data systems, cyber security & AI, and data extraction solutions for the government and homeland security sectors. Our solutions are designed to overcome various operational challenges.”

HQ in Germany, offices in: Cyprus, Bulgaria, Romania, India and US

Known stories:

• Motherboard: The Forgotten Prisoner of a Spyware Deal Gone Wrong (scam attempt against the Mauritania government)
• Forbes: Meet The 'Cowboys Of Creepware' -- Selling Government-Grade Surveillance To Spy On Your Spouse (spouseware business)
• Bloomberg: The Post-Snowden Cyber Arms Hustle: the company's co-founder Manish Kumar is a "criminal of the worst kind," according to David Vincenzetti, the CEO of Hacking Team


Audio: Origin of the company.

Subcontractors:

• Development based in Romania (Decode.ro)
• Testers in India, Puna (Squarebits)


Wolf Research – leader of the pack

This name appears everywhere: Iurie Gutu

• One of the developers of the IOS/Android malware (with Valentin Brad)
• The apk/ipa malware is invoiced to a Romanian company: Decode.ro


Dev - Decode.ro: Panel and IOS developments

Squarebits: Mobile App Development Company based in India

Google drive link found in the database:


Squarebits: THE KUMAR FAMILY


7.00 Victims intelligence


Public-IP-based geolocation of the smartphone


Victims intelligence: A true globetrotter

• Looks like a demo smartphone for sellers

• Different actors testing or presenting Wolf Research products


Audio record: product presentation

• Many calls/SMS from +336 numbers (French mobile numbers) in the database
• French audio records
• 90.102.1.97 used by the smartphone (registrant rlh@nexatech.fr)
• SMS in the database: « DHL EXPRESS from NEXA TECHNOLOGI is scheduled for delivery TODAY by End of Day. Track at … »
• A strange apk called « Nexa Tracker »
• Personal phone number used by a Nexa VIP


Nexa

WiSpear: WIFI INTERCEPTION AND SECURITY SOLUTIONS

• Interesting connection:
  • Correlates with known stories of the Wolf adventures in Israel
  • Can be an attack vector
  • (Very) big company in WiFi interception
• Interesting data:
  • You don’t see WiSpear tools every day
• Proof:
  • Smartphone named “Wispear”
  • Geolocation
  • Pictures

“Prosafe is a leading owner and operator of semi-submersible accommodation, safety and support vessels.”


Prosafe

A lot of pictures of the Prosafe HQ in Cyprus


Partnership

Diagram linking Wolf Research, the panels, Nexa, Amesys, WiSpear, Prosafe and political targets.


8.00 Toolset


Test smartphones contain a lot of useful data:

The testing phone

The W1 Crypter

Attack vectors (?)

Audio record: Jailbreak – Google Play

• Audio records

• Data keeps flowing


MISC

• Only the tip of the iceberg

• This kind of behavior can do great damage to international operations

• Wolf Research: Bad legit company or good scammers?


Conclusion

• Old backend still up.

• New company: Wimidefence (“secure” phone)


Kumar Manish in 2019

Thank you

For more information, please contact ban@csis.dk
