SpyNote targets IRCTC users

 

SpyNote targets IRCTC users

We at K7 Labs, recently came across an email message as shown in Figure 1, from Indian Railway Catering and Tourism Corporation (IRCTC) about SpyNote, an Android RAT targeting IRCTC users. This spyware is not only used to steal users’ sensitive information but can also spy on a user’s location or remotely control the victims’ device.

Let’s now get into the details of how this SpyNote works.

This RAT is propagated via WhatsApp with the malicious link https://irctc[.]creditmobile[.]site/irctcconnect[.]apk

Once the user falls prey to this RAT and installs this malicious “irctcconnect.apk”, this app pretends to be the genuine IRCTC icon in the device app drawer as shown in Figure 2.

Once this RAT is installed on the device, it frequently brings up the Accessibility Service setting option on the device, as shown in Figure 3, until the user eventually allows this app to have the Accessibility Service enabled.

Technical Analysis

With the necessary permissions as shown in Figure 3, this APK acts as a Trojan with Keylogger capabilities. It creates a directory “Config/sys/apps/log“, in the devices’ external storage and the logs are saved to the file “log-yyyy-mm-dd.log” in the created directory, where yyyy-mm-dd is the date of when the keystrokes were captured as shown in Figure 4.

This malware collects location information like altitude, latitude, longitude, precision and even the speed at which the device is moving as shown in Figure 5.

SpyNote then proceeds to combine all the aforementioned data and compresses (using gZIPOutputStream API) them before forwarding it to the C2 server as shown in Figure 6.

C2 Communication

This RAT contacts the C2 server online[.]spaxdriod[.]studio at IP 154.61.76[.]99, which is hardcoded in Figure 7.

Figure 8 shows the connection established with the C2.

After the connection is established, the malware sends the gzip compressed data to the C2 as evident from the network packet’s header in Figure 9.

The decompressed gzip content of the data is shown below in Figure 10.

Decoding packets from the C2

The C2 responds by sending a series of compressed data, which when decompressed, is revealed to be system commands and the related APK payload as shown in Figure 11. In our case, the APK was extracted using Cyberchef.

We analyzed the C&C command ‘info’ and the associated APK. This command collects the clipboard data and verifies the victims’ device for the presence of a hardcoded list of mobile security products, may be with the aim of disabling them or forwarding the info to the C2.

The structure of the commands sent from the C2 to victims’ device is as follows:

At K7, we protect all our customers from such threats. Do ensure that you protect your mobile devices with a reputable security product like K7 Mobile Security and also regularly update and scan your devices with it. Also keep your devices updated and patched against the latest vulnerabilities.

Indicators of Compromise (IoCs)

Package NameHashDetection Namecom.appser.verapp45c154af52c65087161b8d87e212435aSpyware ( 0056a7b31 )

URL

https://irctc[.]creditmobile[.]site/irctcconnect[.]apk

C2

154.61.76[.]99

online[.]spaxdriod[.]studio

MITRE ATT&CK

TacticsTechniquesDefense EvasionApplication Discovery Obfuscated Files or Information, Virtualization/Sandbox EvasionDiscoverySecurity Software Discovery, System Information DiscoveryCollectionEmail Collection, Data from Local SystemCommand and ControlEncrypted Channel, NonStandard Port


Comments

Post a Comment

Popular posts from this blog

AMOS (MacOS Stealer)

  In the last week of April 2023, it was reported on twitter , that through a telegram channel a new malware was being offered as “Atomic MacOS Stealer”. Many samples of this malware were found on the internet. Figure 1 – Atomic MacOS Stealer Most of these samples were masquerading as an installer of various applications like Tor browser, Photoshop CC, Notion, FL studio. Figure 2 – Amos DMGfiles masquerading as different applications These are delivered as a DMGfile(Disk Image) which is the common format for software distribution & installation packages on macOS. We identified the Tor browser DMG file for the analysis. When we execute the DMG file it gets mounted and we can see the resulting window advises the user to execute the application by right clicking. Figure 3 – Tor Browser These fake applications are created by using Appify , which is used to create applications just by having the executable alone. The icons can be customised. That’s why these applications are in dif...
Read more

Ransomed by Warlock Dark Army “OFFICIALS”

  Recently we came across a tweet shared by petikvx . The tweet was on a ransomware family that had the group name similar to the WARLOCK DARK ARMY. The similarities with Chaos ransomware seem to end with the attacker group’s name. Upon analyzing the ransomware from the tweet we suspect both to be very different groups just based on their malware’s attributes. The sample under consideration was compiled using C/C++, in case of Chaos ransomware it is usually .Net. Statically looking at the file we noticed a resource entry under Bitmap with an identifier “14”, while analyzing the file code we noticed that this resource was read and loaded on to the memory. Hence we decided to dump that resource entry. Figure 1: Encrypted blob in resource section Figure 2 : Loading blob into the memory During our code analysis we found this blob was XOR encrypted. The first 16 bytes of this blob acts as the key for XOR decryption and the rest is the data which plays a key role in this ransomware’s in...
Read more

MuddyWater Back with DarkBit

  Recently, we came across a tweet about DarkBit ransomware. An Iranian APT group, named MuddyWater, is reportedly behind the DarkBit ransomware. In this blog we will explore the ransomware’s initial access method, the use of Cobalt Strike and the final ransomware payload. Initial Access Method The initial lure was delivered as an ISO file. Figure 1 – ISOFile The payload included a shortcut file (with a .doc extension) and a zip file. Figure 2 – Contents Inside ISO File The shortcut was using PrintBrm.exe to unpack the HR-Update.zip and run it as shown below. PrintBrm.exe is a windows inbuilt command line tool . Figure 3 – Shortcut File cmd.exe /c xcopy .\HR-Update.zip %TEMP% /h /y && PrintBrm.exe -r -f %TEMP%\HR-Update.zip -d %TEMP%\unzip & %TEMP%\unzip\HR-Update.exe Figure 4 – HR-Update.exe Running HR-Update.exe was a Cobalt Strike beacon. Cobalt Strike, a penetration testing tool, can also be used by attackers for gaining a foothold in the system. The final ran...
Read more