Wolf in Sheep’s Clothing - Undressed
BornHack 2019
benkow.cc/wp_prezo.pdf
REST ASSURED
www.csis.dk
Who’s who: Benoit Ancel
What to expect
1.00 Introduction
2.00 Win32.Agent
3.00 Android.Agent
4.00 IOS.Agent
5.00 Multi-platform malware
6.00 Kumar Manish, WOLF and the pack
7.00 Victims intelligence
8.00 Toolset
1.00 Introduction
Origin of the research
Investigation around 68.65.122.53 (VPS used for phishing, banking…)
• 1226 domains resolved
• 1 really interesting: chrome-update-center.com
chrome-update-center.com
• Fake Google Play page acting as dropzone.
• Payloads are selected depending on the User-Agent of the victim:
  • if( /iPhone|iPad|iPod/i.test(navigator.userAgent))
    • i.diawi.com/i3cuz6 (IPA)
  • else if ( /Android/i.test(navigator.userAgent))
    • update.apk
  • else:
    • Update.exe
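For incident responders, the useful consequence of the User-Agent dispatch above is that a proxy log tells you which payload each visitor would have received. The following added example (not from the talk; the log lines are constructed) re-implements the slide's three-way branch in the same order and runs it over sample requests to the dropzone host:

```python
import re

# Constructed proxy log lines (not from the talk): timestamp, client IP,
# requested host+path, User-Agent, tab-separated.
SAMPLE_LOG = """\
2019-08-10T09:12:01Z\t10.0.0.5\tchrome-update-center.com/\tMozilla/5.0 (iPhone; CPU iPhone OS 12_3 like Mac OS X) AppleWebKit/605.1.15
2019-08-10T09:13:44Z\t10.0.0.9\tchrome-update-center.com/\tMozilla/5.0 (Linux; Android 9; SM-G960F) AppleWebKit/537.36 Chrome/75.0
2019-08-10T09:15:20Z\t10.0.0.12\tchrome-update-center.com/\tMozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 Chrome/75.0
2019-08-10T09:16:02Z\t10.0.0.12\texample.org/index.html\tMozilla/5.0 (Windows NT 10.0; Win64; x64)
"""

DROPZONE_HOST = "chrome-update-center.com"

# Same dispatch order as the slide's JavaScript: the iOS test runs first,
# then Android; everything else (desktop browsers included) gets the EXE.
_BRANCHES = (
    (re.compile(r"iPhone|iPad|iPod", re.I), "i.diawi.com/i3cuz6 (IPA)"),
    (re.compile(r"Android", re.I), "update.apk"),
)
_DEFAULT = "Update.exe"


def expected_payload(user_agent: str) -> str:
    """Return the payload the dropzone would have served for this User-Agent."""
    for pattern, payload in _BRANCHES:
        if pattern.search(user_agent):
            return payload
    return _DEFAULT


def triage(log_text: str) -> list:
    """Map every hit on the dropzone host to (client_ip, payload) for follow-up.
    Requests to other hosts are ignored."""
    hits = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        _ts, ip, url, ua = line.split("\t", 3)
        host = url.split("/", 1)[0].lower()
        if host == DROPZONE_HOST:
            hits.append((ip, expected_payload(ua)))
    return hits


if __name__ == "__main__":
    for ip, payload in triage(SAMPLE_LOG):
        print(f"{ip} -> {payload}")
```

Note that the branch is decided purely by the User-Agent string, so a client that spoofs or trims its UA (or an iPad presenting a desktop UA) falls into the Update.exe branch and should be handled as a possible Windows infection.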
2.00 Win32.Agent
Win32.Agent
• Update.exe is a RAT for Windows (probably a debug build)
• The malware is composed of 2 stages:
  • 1- Loader
  • 2- RAT
• Already on VT with good detections
Win32.Agent.W1_RAT
• Stage 2 is a RAT called CARAT (Caphyon RAT?) or W1 RAT.
• No reference online.
• Installs itself in c:\program files\chrome\test.exe
• Persistence in Software\Microsoft\Windows\CurrentVersion\Run
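The install path and Run-key persistence above are the two cheapest hunting artefacts for this RAT. The following added example (not from the talk) parses a `reg export` of the Run keys, recovers the executable from each value even when the path is unquoted and contains spaces, and flags entries that match the slide's path or live in a bare `Program Files\chrome\` directory (an assumption of this example: real Chrome installs under `Google\Chrome\Application`). The registry text is constructed:

```python
import re

# Constructed `reg export` text (not from the talk). Real exports are UTF-16
# with the same "Windows Registry Editor Version 5.00" header; this is plain str.
SAMPLE_REG = r'''Windows Registry Editor Version 5.00

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
"OneDrive"="\"C:\\Users\\alice\\AppData\\Local\\Microsoft\\OneDrive\\OneDrive.exe\" /background"
"Chrome Update"="c:\\program files\\chrome\\test.exe"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SecurityHealth"="C:\\Windows\\system32\\SecurityHealthSystray.exe"
'''

# Install path reported on the slide; compared case-insensitively.
KNOWN_BAD_PATH = r"c:\program files\chrome\test.exe"
# Assumption for this example: a "chrome" directory directly under Program
# Files is anomalous (real Chrome lives under Google\Chrome\Application).
SUSPICIOUS_DIR = re.compile(r"^[a-z]:\\program files\\chrome\\", re.I)

_KEY = re.compile(r"^\[(.+)\]$")
_VALUE = re.compile(r'^"([^"]*)"="(.*)"$')
_EXE = re.compile(r"(.+?\.(?:exe|bat|cmd|vbs|js|ps1))(?:\s|$)", re.I)


def _unescape(s: str) -> str:
    """Undo .reg string escaping: \\" becomes " and \\\\ becomes \\."""
    return s.replace('\\"', '"').replace("\\\\", "\\")


def _image_path(command: str) -> str:
    """Extract the executable from a Run value: a quoted path, or an unquoted
    path cut after the first executable extension (handles spaces in the path)."""
    command = command.strip()
    if command.startswith('"'):
        end = command.find('"', 1)
        return command[1:end] if end > 0 else command[1:]
    m = _EXE.match(command)
    return m.group(1) if m else command.split(" ", 1)[0]


def parse_run_entries(reg_text: str) -> list:
    """Return (key, value_name, image_path) for every value under a ...\\Run key."""
    entries, current_key = [], None
    for line in reg_text.splitlines():
        m = _KEY.match(line.strip())
        if m:
            current_key = m.group(1)
            continue
        m = _VALUE.match(line.strip())
        if m and current_key and current_key.lower().endswith(r"\currentversion\run"):
            entries.append((current_key, m.group(1), _image_path(_unescape(m.group(2)))))
    return entries


def flag_suspicious(reg_text: str) -> list:
    """Entries whose executable is the known path or sits in the odd directory."""
    flagged = []
    for key, name, path in parse_run_entries(reg_text):
        if path.lower() == KNOWN_BAD_PATH or SUSPICIOUS_DIR.match(path):
            flagged.append((key, name, path))
    return flagged


if __name__ == "__main__":
    for key, name, path in flag_suspicious(SAMPLE_REG):
        print(f"[{key}] {name} -> {path}")
```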
Win32.Agent.W1_RAT
After decrypting the strings, the RAT verifies that each decrypted string starts with CARAT_
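A fixed marker at the start of every decrypted string is a sanity check for the RAT, but for an analyst it is a known plaintext: any candidate key can be accepted or rejected by the same test, and the marker is a memory-only string worth hunting for, since it never appears on disk. The added example below (not from the talk) shows the idea with a toy single-byte XOR, which is an assumption made purely for illustration; the talk does not name the RAT's actual cipher. The blobs are constructed:

```python
import string

MARKER = b"CARAT_"
PRINTABLE = set(string.printable.encode())


def xor1(data: bytes, key: int) -> bytes:
    """Toy single-byte XOR used only to build the sample. Assumption: the talk
    does not name the RAT's cipher, only that plaintexts begin with CARAT_."""
    return bytes(b ^ key for b in data)


def validate(decrypted: bytes) -> bool:
    """The check the slide describes (string must start with CARAT_), plus a
    printability test as a second sanity check on the candidate plaintext."""
    return decrypted.startswith(MARKER) and all(b in PRINTABLE for b in decrypted)


def recover_key(blobs: list) -> int:
    """Known-plaintext recovery: the one key under which every blob validates.
    Raises ValueError when the blobs were not all encrypted under one key."""
    for key in range(256):
        if all(validate(xor1(blob, key)) for blob in blobs):
            return key
    raise ValueError("no single-byte key yields CARAT_ on every blob")


def decrypt_all(blobs: list) -> list:
    """Recover the key, decrypt, and strip the marker the RAT only uses as a check."""
    key = recover_key(blobs)
    return [xor1(blob, key)[len(MARKER):].decode("ascii") for blob in blobs]


# Constructed sample (not the RAT's real string table): marked plaintexts
# encrypted under key 0x5A.
_PLAINTEXTS = [
    b"CARAT_screencast",
    b"CARAT_Software\\Microsoft\\Windows\\CurrentVersion\\Run",
    b"CARAT_c:\\program files\\chrome\\test.exe",
]
SAMPLE_BLOBS = [xor1(p, 0x5A) for p in _PLAINTEXTS]

if __name__ == "__main__":
    print("key = 0x%02x" % recover_key(SAMPLE_BLOBS))
    for s in decrypt_all(SAMPLE_BLOBS):
        print(s)
```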
Win32.Agent.W1_RAT
~ 20 features available, nothing advanced or fancy:
• Fingerprint victim
• Read file
• Rename file
• List processes
• exec
• Screencast
• Search files
• ls
• Delete file
• Kill process
• Get keylogger logs
• Mic
• Upload file
• Copy file
• Create dir
• Enum services
• Credentials stealers
• Get file size
• Move file
• Edit timestamp file
• Stop service
• Autokill
3.00 Android.Agent
Android.Agent
• Not packed (probably debug build)
• Looks like a basic Android RAT
• HTTP/FTP exfiltration (hard-coded creds)
• Screenshots
• Call/Mic record
• Docs/pics stealer
• Screencast
• Contacts, SMS, browsing history …
• Patchwork of old code:
  • https://github.com/koush/Screenshot (9yo)
  • https://github.com/murali129/ScreenOCR (1yo)
  • https://github.com/jakubkinst/DEECo-Offload (3yo)
4.00 IOS.Agent
IOS.Agent
• Copy paste from:
  • https://github.com/andrealufino/ALSystemUtilities (no longer maintained, 3yo)
  • https://github.com/gali8/Tesseract-OCR-iOS
  • https://github.com/davidmurray/ios-reversed-headers
5.00 Multi-platform malware
Multi-platform malware
• It looks like somebody tried to have a multi-platform tool
• Lame code (copy paste, bugs, scam app (iOS))
• Lame infrastructure
• It looks like an audacious cybercrime actor is trying something.
Aaahh… Panels!
Unknown panels located on the same domain, used as C&C for mobile malware.
Panels entirely open, with full backup of databases and all stolen data.
Data!
• ~20 Gb of data available:
  • Pictures
  • Audio records
  • Documents
  • Smartphone configuration
• Everything stolen is available in the databases
After a quick analysis it’s clear: this actor is interesting.
6.00 Kumar Manish, WOLF and the pack
Kumar Manish, CEO of Wolf Research
• All the data point to a man: Kumar Manish from Wolf Research.
• Fun fact: open directory « website_logo » on the malware C&C with the Wolf Research logo and Kumar Manish’s picture
NO KIDDING!
Wolf Research
• Who is Wolf Research?
“Wolf Research develops advanced big data systems, cyber security & AI, and data extraction solutions for the government and homeland security sectors. Our solutions are designed to overcome various operational challenges.”
HQ in Germany, offices in: Cyprus, Bulgaria, Romania, India and US
Wolf Research
Known stories:
• Motherboard: The Forgotten Prisoner of a Spyware Deal Gone Wrong (scam attempt against the Mauritanian government)
• Forbes: Meet The 'Cowboys Of Creepware' -- Selling Government-Grade Surveillance To Spy On Your Spouse (spouseware business)
• Bloomberg: The Post-Snowden Cyber Arms Hustle
The company's co-founder Manish Kumar is a "criminal of the worst kind," according to David Vincenzetti, the CEO of Hacking Team.
Audio: Origin of the company.
Wolf Research – leader of the pack
Sub-contractors:
• Development based in Romania (Decode.ro)
• Testers in India (Puna) (Squarebits)
Dev - Decode.ro
This name appears everywhere: Iurie Gutu
• One of the developers of the IOS/Android malware (with Valentin Brad)
• The apk/ipa malware is invoiced to a Romanian company: Decode.ro
Dev - Decode.ro: Panel and IOS developments
Squarebits: Mobile App Development Company based in India
Google drive link found in the database:
Squarebits: THE KUMAR FAMILY
7.00 Victims intelligence
Victims intelligence: A true globetrotter
Public-IP-based geolocation for the smartphone
• Looks like a demo smartphone for sellers
• Different actors testing or presenting Wolf Research products
Audio record: presentation of products
Nexa
• Many calls/SMS from +336 numbers (France, mobile phone) in the database
• French audio records
• 90.102.1.97 used by the smartphone (registrant [email protected])
• SMS in the database:
  « DHL EXPRESS from NEXA TECHNOLOGI is scheduled for delivery TODAY by End of Day. Track at … »
• A strange apk called « Nexa Tracker »
• Personal phone number used by a Nexa VIP
WiSpear: WIFI INTERCEPTION AND SECURITY SOLUTIONS
• Interesting connection:
  • Correlate known stories of the Wolf adventures in Israel
  • Can be an attack vector
  • (Very) Big company in WIFI interception
• Interesting data
  • You don’t see WiSpear tools every day
• Proof:
  • Smartphone named “Wispear”
  • Geolocation
  • Pictures
Prosafe
“Prosafe is a leading owner and operator of semi-submersible accommodation, safety and support vessels.”
A lot of pictures of the Prosafe HQ in Cyprus
Partnership (diagram): Wolf Research – The panels – Nexa, Amesys, WiSpear, Prosafe, Political targets, …
8.00 Toolset
The testing phone
Test smartphones contain a lot of useful data:
The W1 Crypter
Attack vectors (?)
Audio record: Jailbreak – Google Play
MISC
• Audio records
• Data keeps flowing
Conclusion
• Only the tip of the iceberg
• This kind of behavior can do great damage to international operations
• Wolf Research: bad legit company or good scammers?
Kumar Manish in 2019
• Old backend still up.
• New company: Wimidefence (“secure” phone)