Tuesday, November 3, 2015

Reversing the SMS C&C protocol of Emmental - 2nd part

In my previous post I investigated the source code of the Emmental malware, following all the code paths in order to understand how the C&C commands are interpreted by the malware. I took the GOOGL command as an example.

Using the same approach, it is possible to figure out what the other C&C commands do. Although there are a few more C&C commands, the ones I am interested in are: GOOGL, STARTB, DEL, YAHOO, SETP, CLEARP. After checking the code, I understood what this set of commands does:
  • GOOGL -> set the phone number to which the tokens are forwarded (sms_phone)
  • STARTB -> start the service
  • DEL -> UNINSTALL the application
  • YAHOO -> SET UP the URL_MAIN (used to communicate with the C&C via HTTP)
  • SETP -> set the C&C phone number (PHONE_NUMBER)
  • CLEARP -> clear the C&C phone number

So now that I know what these C&C commands do, it is time to perform some tests and try to act as the C&C via SMS. The first thing I do is install and run the malware. I also open a shell with root permissions to check the content of the malware configuration file.

Initial MainPreferences.xml

The initial file, right after installation, contains the following:
<?xml version='1.0' encoding='utf-8' standalone='yes' ?>
<map>
    <string name="Pref5"></string>
    <int name="DEL" value="0" />
    <string name="Num5"></string>
    <string name="filters"></string>
    <int name="RID" value="25" />
    <string name="Num10"></string>
    <string name="PHONE_NUMBER"></string>
    <int name="RTB" value="0" />
    <int name="FIRST_ACTIVITY" value="1" />
    <string name="IMEI">3582******</string>
    <string name="Pref10"></string>
    <string name="URL_DATA">http://szaivert-numis.at/standardbilder/dll/1.php;http://losbalonazos.com/wp-admin/1.php</string>
    <string name="USE_URL_MAIN"></string>
    <string name="URL_LOG">http://szaivert-numis.at/standardbilder/dll/4.php;http://losbalonazos.com/wp-admin/4.php</string>
    <string name="URL_SMS">http://szaivert-numis.at/standardbilder/dll/2.php;http://losbalonazos.com/wp-admin/2.php</string>
    <string name="Pref3"></string>
    <string name="URL_MAIN">http://www.buildingforsale.eu/statistik/mainn.php;http://bildschirm24.com/mainn.php</string>
    <string name="USE_URL_LOG">http://szaivert-numis.at/standardbilder/dll/4.php</string>
    <string name="Num1"></string>
    <string name="Pref1"></string>
    <string name="Num3"></string>
</map>



Setting the C&C phone number 

Once I send the first command, SETP (CODE SETP +41xxxxxxx), to set up the C&C phone number, I can see that the XML file has changed. Also, the compromised phone sends an ACK message to the C&C through SMS.
Note that the CODE is just a number generated by the malware which is used as a token to validate the C&C. In the case of this analysis the token generated by the malware is 544298 and it is stored in the field PASSADDED.

<?xml version='1.0' encoding='utf-8' standalone='yes' ?>
<map>
    <string name="Pref5"></string>
    <int name="PASSADDED" value="542298" />
    <int name="DEL" value="0" />
    <string name="Num5"></string>
    <string name="filters"></string>
    <string name="USE_URL_DATA"></string>
    <string name="Num10"></string>
    <int name="RID" value="25" />
    <string name="PHONE_NUMBER">+417*********</string>
    <string name="USE_URL_SMS"></string>
    <int name="FIRST_ACTIVITY" value="1" />
    <int name="RTB" value="0" />
    <string name="IMEI">********************</string>
    <string name="URL_DATA"></string>
    <string name="Pref10"></string>
    <string name="USE_URL_MAIN"></string>
    <string name="URL_LOG"></string>
    <string name="URL_SMS"></string>
    <string name="Pref3"></string>
    <string name="USE_URL_LOG"></string>
    <string name="URL_MAIN"></string>
    <string name="Pref1"></string>
    <string name="Num1"></string>
    <string name="Num3"></string>
</map>


To start the service I send the message CODE STARTB, and a confirmation is sent to the C&C.

Setting the C&C URL 


Also, when I send the YAHOO command (CODE YAHOO http://www.c2c-demo.com), the XML file is updated with the new C&C URL http://www.c2c-demo.com. The compromised device replies with an ACK (a 'Buffer Setted' message).

<?xml version='1.0' encoding='utf-8' standalone='yes' ?>
<map>
    <string name="Pref5"></string>
    <int name="PASSADDED" value="542298" />
    <int name="DEL" value="0" />
    <string name="Num5"></string>
    <string name="filters"></string>
    <string name="USE_URL_DATA"></string>
    <string name="Num10"></string>
    <int name="RID" value="25" />
    <string name="PHONE_NUMBER">+417****</string>
    <string name="USE_URL_SMS"></string>
    <int name="FIRST_ACTIVITY" value="1" />
    <int name="RTB" value="2" />
    <string name="IMEI">3582****4</string>
    <string name="URL_DATA"></string>
    <string name="Pref10"></string>
    <string name="USE_URL_MAIN"></string>
    <string name="URL_LOG"></string>
    <string name="URL_SMS"></string>
    <string name="Pref3"></string>
    <string name="USE_URL_LOG"></string>
    <string name="URL_MAIN">http://www.c2c-demo.com</string>
    <string name="sms_phone"></string>
    <string name="Pref1"></string>
    <string name="Num1"></string>
    <string name="Num3"></string>
</map>




Setting the C&C phone number to forward the stolen tokens

Now, if I want to set up the phone number to which the tokens need to be forwarded (it can be different from the C&C phone number), I just need to send the message: CODE GOOGL +41xxxxx. From then on, any new message sent to the victim is forwarded automatically, for example a token from the bank. Moreover, nothing is displayed on the compromised phone.




If I check the Manifest.xml, I see it contains the number of the phone to which the SMS messages are forwarded:

<?xml version='1.0' encoding='utf-8' standalone='yes' ?>
<map>
    <string name="Pref5"></string>
    <int name="PASSADDED" value="542298" />
    <int name="DEL" value="0" />
    <string name="Num5"></string>
    <string name="filters"></string>
    <string name="USE_URL_DATA"></string>
    <string name="Num10"></string>
    <int name="RID" value="25" />
    <string name="PHONE_NUMBER">+41******</string>
    <string name="USE_URL_SMS"></string>
    <int name="FIRST_ACTIVITY" value="1" />
    <int name="RTB" value="2" />
    <string name="IMEI">3**********</string>
    <string name="URL_DATA"></string>
    <string name="Pref10"></string>
    <string name="USE_URL_MAIN"></string>
    <string name="URL_LOG"></string>
    <string name="URL_SMS"></string>
    <string name="Pref3"></string>
    <string name="USE_URL_LOG"></string>
    <string name="URL_MAIN">http://www.c2c-demo.com</string>
    <string name="sms_phone">+4179******</string>
    <string name="Pref1"></string>
    <string name="Num1"></string>
    <string name="Num3"></string>
</map>


Deleting the malware

The last step is to check the DEL command. If I send the command CODE DEL, a window pops up on the compromised phone informing the user that, in order to update to a new version, the current version needs to be deleted. If the user accepts, the malware is uninstalled and deleted. A very clever way to delete the malware :)

At this stage, I know how the SMS C&C protocol works and I can easily interact with it.
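To make the protocol above reusable for triage, here is an added example (my own code, not part of the original post or the malware) that parses a MainPreferences.xml dump pulled from a device and flags SMS bodies that match the "CODE COMMAND [argument]" grammar with the stored PASSADDED token. The sample preferences file is constructed, with placeholder numbers and URLs; the command-to-key mapping is the one documented in this post.

```python
import re
import xml.etree.ElementTree as ET

# Commands documented in the analysis and the preference key each one touches.
# STARTB and DEL change no stored key, so they map to None.
COMMANDS = {
    "GOOGL": "sms_phone",      # number that receives the forwarded tokens
    "STARTB": None,            # service start
    "DEL": None,               # uninstall prompt
    "YAHOO": "URL_MAIN",       # HTTP C&C endpoint
    "SETP": "PHONE_NUMBER",    # C&C phone number
    "CLEARP": "PHONE_NUMBER",  # clears the C&C phone number
}

# Constructed sample of MainPreferences.xml; numbers and URLs are placeholders.
SAMPLE_PREFS = """<?xml version='1.0' encoding='utf-8' standalone='yes' ?>
<map>
    <int name="PASSADDED" value="542298" />
    <string name="PHONE_NUMBER">+41700000000</string>
    <string name="URL_MAIN">http://www.c2c-demo.com</string>
    <string name="URL_DATA">http://example.invalid/1.php;http://example.invalid/2.php</string>
    <string name="sms_phone"></string>
</map>"""


def parse_prefs(xml_text):
    """Flatten an Android SharedPreferences <map> into {name: value}.
    <int> carries its value in an attribute, <string> in its text; URL_*
    entries are split on ';' because the malware stores fallback lists there."""
    prefs = {}
    for el in ET.fromstring(xml_text):
        name = el.get("name")
        if el.tag == "int":
            prefs[name] = int(el.get("value"))
        else:
            text = el.text or ""
            prefs[name] = [u for u in text.split(";") if u] if name.startswith("URL_") else text
    return prefs


CMD_RE = re.compile(r"^(\d+)\s+([A-Z]+)(?:\s+(\S+))?$")


def classify_sms(body, prefs):
    """Return details of the C&C command if the SMS body follows the
    '<CODE> <COMMAND> [<arg>]' grammar and CODE equals the device's PASSADDED
    token; otherwise None. Run it over an SMS log from a suspected device."""
    m = CMD_RE.match(body.strip())
    if not m:
        return None
    code, cmd, arg = m.groups()
    if int(code) != prefs.get("PASSADDED") or cmd not in COMMANDS:
        return None
    return {"command": cmd, "argument": arg, "affects": COMMANDS[cmd]}
```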