1 ©2018 Check Point Software Technologies Ltd.
Who Are We
@CurlyCyber @Lotemfi
Aseel Kayal, Malware Analyst
Lotem Finkelstein, Head of Threat Intelligence
In the Wild
دولة الخلافة الإسلامية.apk (The State of the Islamic Caliphate.apk)
Wallpapers
Manifest
Packages
andriod.browser
startapp.android.publish
intense.pub1.sbgs
Andriod
Defines.class
AMService.class
AirplaneManager.class
CallsManager.class
CameraView.class
CommandManager.class
FileUploadTask.class
MediaManager.class
RecordAudioTask.class
ScreenControl.class
SendThread.class
Settings.class
ShutDownManager.class
Utils.class
Commands
Get~~~AllSms===
Get~~~AllBrowser===
Get~~~AllContacts===
Get~~~File~~~1.mp4===
Get~~~File~~~2.pdf===
Get~~~File~~~3.docx===
Take~~~Video~~~1~~~7===
Take~~~Audio~~~300===
Take~~~RecordCall===
Phone, Network, Location, Battery, Storage, Sensors, Clipboard, Accounts, Browser, Calls, Messages, Contacts, Applications, Images, Videos
firmwaresystemupdate.com
Subject
EMAILADDRESS=
O=TELECOM, L=TEXAS, ST=OPEN-SSL, C=AU
Valid from: Tue Nov 08 07:20:04 IST 2016
com.andriod.browser
C&C Communication
Certificate
Spelling Mistakes
31 ©2018 Check Point Software Technologies Ltd.
200+ Backdoored Applications
Malicious package names on the 2015 to 2019 timeline: com.andriod, com.memopt, com.container, org.pnr.update, com.eracomteck, example.badoo, com.golf.rv
39 ©2018 Check Point Software Technologies Ltd.
Backdoors
Different themes
Repackaged apps
Malicious packages
C&C communication
40 ©2018 Check Point Software Technologies Ltd.
firmwaresystemupdate.com
ychatonline.net
190.2.144.140
190.2.145.145
93.190.138.106
109.236.91.33
185.64.106.241
89.38.98.49
46.4.143.130
8e9fb9371981bc1e_190101_133701337.log (file name format: victim ID _ date _ time)
8e9fb9371981bc1e_190101_133701337.log
0~~~1~~~2018/05/11 15:05:14~~~+447533345167~~~Snapchat code: 069501. Do not share it or use it elsewhere!~~~71~~~184~~
0~~~1~~~2018/05/10 15:10:58~~~Jazireh~~~Tabrik! Ba Jazireh Irancell dar 7 ruze gozashte, 182 Rial dar hazineye tamase Irancelli khod sarfejoie kardid!~~~70~~~183~~
0~~~1~~~2018/05/06 17:17:50~~~.IRANCELL.~~~ پایان اعتبارشماروبه
شماره # با ازمخاطبتماس هزینه درخواست.است
~~174~~~63~~~*704*مقصد
0~~~1~~~2018/05/01 22:10:05~~~Telegram~~~Telegram code 75454~~~65~~~168~~
0~~~1~~~2018/04/29 18:49:49~~~Irancell~~~ ،گرامی مشترک
منویفعال خود به های سرویس ليستجهت مشاهده
:نمایيدمن مراجعه ایرانسل اپليکيشندر زیر
فعال من سرویس های -خدمات -منو حساب من
http://irancell.ir/dlmyicl~~~34~~~165~~
Victim Distribution
100K Contacts
400K Messages
Similar Threats
Dark Caracal, APT-C-23, ZooPark
Sophistication
Impact
Attack Vector
Technical Level
Operation Security
Sensitive Data
Social Engineering
High Profile Victims
Domestic Kitten, ZooPark
educations-schools.net
androidupdaters.com
Fingerprints
firmwaresystemupdate.com
178.162.203.102
138.201.106.75
95.211.240.107
Victimology
ISIS supporters
Yemen officials
Kurdish minority
Iranian citizens
Internals
Conclusion
Mobile attack vector
Years of activity
Iranian attackers