Using this same approach, it is possible to figure out what the other C&C commands are doing. Although there are a few more C&C commands, the ones I am interested in are: GOOGL, STARTB, DEL, YAHOO, SETP, CLEARP. In the end, after checking the code, I understood what this set of commands does:
- GOOGL -> set the phone number to forward the tokens (sms_phone)
- STARTB -> service started
- DEL -> UNINSTALL the application
- YAHOO -> SETUP the URL_MAIN (Used to communicate with the C&C via HTTP)
- SETP -> Set the C&C phone number (PHONE_NUMBER)
- CLEARP -> clear the C&C phone number
So now that I know what these C&C commands do, it is time to perform some tests and try to act as the C&C via SMS. The first thing I do is install and run the malware. I also open a shell with root permissions to check the content of the malware configuration file.
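As an added example (not code from the original post or from the malware itself), the command set above can be turned into a small detector: it scans captured SMS bodies for the "CODE CMD [ARG]" grammar, maps each command to the configuration key it changes, and flags messages whose token does not match the PASSADDED value recovered from the device. The log format (sender|body), the argument validation rules and the sample messages are constructed assumptions for this example.

```python
import re
from dataclasses import dataclass
from typing import List, Optional

# Commands from the analysis and the preference key each one touches.
# The argument kind ("phone", "url" or none) is an assumption made for this example.
C2_COMMANDS = {
    "GOOGL":  ("sms_phone",    "phone"),  # number that stolen tokens are forwarded to
    "STARTB": ("RTB",          None),     # start the service
    "DEL":    ("DEL",          None),     # prompt the user to uninstall
    "YAHOO":  ("URL_MAIN",     "url"),    # set the HTTP C&C URL
    "SETP":   ("PHONE_NUMBER", "phone"),  # set the C&C phone number
    "CLEARP": ("PHONE_NUMBER", None),     # clear the C&C phone number
}

# "CODE CMD [ARG]": CODE is the numeric token the malware generated (PASSADDED).
_CMD_RE = re.compile(r"^\s*(?P<code>\d{4,8})\s+(?P<cmd>[A-Z]+)(?:\s+(?P<arg>\S+))?\s*$")
_PHONE_RE = re.compile(r"^\+?\d{6,15}$")
_URL_RE = re.compile(r"^https?://\S+$")


@dataclass
class Finding:
    sender: str
    cmd: str
    key: str          # preference key the command modifies
    arg: Optional[str]
    token_ok: bool    # CODE equals the token recovered from MainPreferences.xml
    arg_ok: bool      # argument shape is plausible for the command


def classify_sms(sender: str, body: str, expected_token: Optional[str] = None) -> Optional[Finding]:
    """Return a Finding if the SMS body matches the C&C grammar, otherwise None."""
    m = _CMD_RE.match(body)
    if not m or m.group("cmd") not in C2_COMMANDS:
        return None
    key, arg_kind = C2_COMMANDS[m.group("cmd")]
    arg = m.group("arg")
    if arg_kind is None:
        arg_ok = arg is None
    elif arg_kind == "phone":
        arg_ok = arg is not None and bool(_PHONE_RE.match(arg))
    else:
        arg_ok = arg is not None and bool(_URL_RE.match(arg))
    token_ok = expected_token is None or m.group("code") == expected_token
    return Finding(sender, m.group("cmd"), key, arg, token_ok, arg_ok)


def scan_sms_log(lines: List[str], expected_token: Optional[str] = None) -> List[Finding]:
    """Each log line is 'sender|body' (constructed format); return findings in order."""
    findings = []
    for line in lines:
        sender, _, body = line.partition("|")
        f = classify_sms(sender.strip(), body, expected_token)
        if f is not None:
            findings.append(f)
    return findings


# Constructed sample log: the four configuration steps from the analysis, one
# message with a wrong token, and a legitimate bank message that must not match.
SAMPLE_SMS_LOG = [
    "+41790000001|542298 SETP +41790000002",
    "+41790000001|542298 STARTB",
    "+41790000001|542298 YAHOO http://www.c2c-demo.com",
    "+41790000001|542298 GOOGL +41790000003",
    "+41790000009|111111 DEL",
    "BANK|Your mTAN is 4837 for payment of CHF 120.00",
]

if __name__ == "__main__":
    for f in scan_sms_log(SAMPLE_SMS_LOG, expected_token="542298"):
        print(f)
```

The token check is the useful part for triage: a message that matches the grammar but carries the wrong CODE is still worth recording, since it shows someone probing the device, while a match with the right token tells you which preference key changed and when.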
Initial MainPreferences.xml
The initial file, right after installation, contains the following:
<?xml version='1.0' encoding='utf-8' standalone='yes' ?>
<map>
<string name="Pref5"></string>
<int name="DEL" value="0" />
<string name="Num5"></string>
<string name="filters"></string>
<int name="RID" value="25" />
<string name="Num10"></string>
<string name="PHONE_NUMBER"></string>
<int name="RTB" value="0" />
<int name="FIRST_ACTIVITY" value="1" />
<string name="IMEI">3582******</string>
<string name="Pref10"></string>
<string name="URL_DATA">http://szaivert-numis.at/standardbilder/dll/1.php;http://losbalonazos.com/wp-admin/1.php</string>
<string name="USE_URL_MAIN"></string>
<string name="URL_LOG">http://szaivert-numis.at/standardbilder/dll/4.php;http://losbalonazos.com/wp-admin/4.php</string>
<string name="URL_SMS">http://szaivert-numis.at/standardbilder/dll/2.php;http://losbalonazos.com/wp-admin/2.php</string>
<string name="Pref3"></string>
<string name="URL_MAIN">http://www.buildingforsale.eu/statistik/mainn.php;http://bildschirm24.com/mainn.php</string>
<string name="USE_URL_LOG">http://szaivert-numis.at/standardbilder/dll/4.php</string>
<string name="Num1"></string>
<string name="Pref1"></string>
<string name="Num3"></string>
</map>
Setting the C&C phone number
Once I send the first command, SETP (CODE SETP +41xxxxxxx), to set up the C&C phone number, I can see that the XML file has changed. The compromised phone also sends an ACK message to the C&C through SMS.
Note that the CODE is just a number generated by the malware which is used as a token to validate the C&C. In the case of this analysis the token generated by the malware is 544298 and it is stored in the field PASSADDED.
<?xml version='1.0' encoding='utf-8' standalone='yes' ?>
<map>
<string name="Pref5"></string>
<int name="PASSADDED" value="542298" />
<int name="DEL" value="0" />
<string name="Num5"></string>
<string name="filters"></string>
<string name="USE_URL_DATA"></string>
<string name="Num10"></string>
<int name="RID" value="25" />
<string name="PHONE_NUMBER">+417*********</string>
<string name="USE_URL_SMS"></string>
<int name="FIRST_ACTIVITY" value="1" />
<int name="RTB" value="0" />
<string name="IMEI">********************</string>
<string name="URL_DATA"></string>
<string name="Pref10"></string>
<string name="USE_URL_MAIN"></string>
<string name="URL_LOG"></string>
<string name="URL_SMS"></string>
<string name="Pref3"></string>
<string name="USE_URL_LOG"></string>
<string name="URL_MAIN"></string>
<string name="Pref1"></string>
<string name="Num1"></string>
<string name="Num3"></string>
</map>
To start the service I send the message CODE STARTB, and a confirmation is sent to the C2C.
Setting the C&C URL
Also, when I send the YAHOO command (CODE YAHOO http://www.c2c-demo.com), the XML file is updated with the new C2C URL http://www.c2c-demo.com. The compromised device replies with an ACK ('Buffer Setted' message).
<?xml version='1.0' encoding='utf-8' standalone='yes' ?>
<map>
<string name="Pref5"></string>
<int name="PASSADDED" value="542298" />
<int name="DEL" value="0" />
<string name="Num5"></string>
<string name="filters"></string>
<string name="USE_URL_DATA"></string>
<string name="Num10"></string>
<int name="RID" value="25" />
<string name="PHONE_NUMBER">+417****</string>
<string name="USE_URL_SMS"></string>
<int name="FIRST_ACTIVITY" value="1" />
<int name="RTB" value="2" />
<string name="IMEI">3582****4</string>
<string name="URL_DATA"></string>
<string name="Pref10"></string>
<string name="USE_URL_MAIN"></string>
<string name="URL_LOG"></string>
<string name="URL_SMS"></string>
<string name="Pref3"></string>
<string name="USE_URL_LOG"></string>
<string name="URL_MAIN">http://www.c2c-demo.com</string>
<string name="sms_phone"></string>
<string name="Pref1"></string>
<string name="Num1"></string>
<string name="Num3"></string>
</map>
Setting the C&C phone number to forward the stolen tokens
Now, if I want to set up the phone number where the tokens need to be forwarded (it can be a different one from the C&C phone), I just need to send the message CODE GOOGL +41xxxxx. From then on, any new message sent to the victim is forwarded automatically, for example a token from the bank. Moreover, nothing is displayed on the compromised phone.
If I check the Manifest.xml, I see it contains the number of the phone where the SMS are forwarded:
<?xml version='1.0' encoding='utf-8' standalone='yes' ?>
<map>
<string name="Pref5"></string>
<int name="PASSADDED" value="542298" />
<int name="DEL" value="0" />
<string name="Num5"></string>
<string name="filters"></string>
<string name="USE_URL_DATA"></string>
<string name="Num10"></string>
<int name="RID" value="25" />
<string name="PHONE_NUMBER">+41******</string>
<string name="USE_URL_SMS"></string>
<int name="FIRST_ACTIVITY" value="1" />
<int name="RTB" value="2" />
<string name="IMEI">3**********</string>
<string name="URL_DATA"></string>
<string name="Pref10"></string>
<string name="USE_URL_MAIN"></string>
<string name="URL_LOG"></string>
<string name="URL_SMS"></string>
<string name="Pref3"></string>
<string name="USE_URL_LOG"></string>
<string name="URL_MAIN">http://www.c2c-demo.com</string>
<string name="sms_phone">+4179******</string>
<string name="Pref1"></string>
<string name="Num1"></string>
<string name="Num3"></string>
</map>
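The four configuration dumps above differ only in a handful of keys, which is exactly what an analyst wants to extract from a seized device. As an added example (not code from the original post), the following parses Android SharedPreferences XML in the format shown, diffs two snapshots so each SMS command's effect stands out, and pulls the infrastructure fields into an IoC list. The two embedded XML documents are constructed for this example, mirroring the initial and configured states with placeholder hostnames and phone numbers; the key list and the ';'-separated URL convention come from the dumps above.

```python
import xml.etree.ElementTree as ET
from typing import Dict, Optional, Tuple

# Keys that describe the operator's infrastructure or the malware's state,
# taken from the preference dumps in the analysis.
IOC_KEYS = ("PHONE_NUMBER", "sms_phone", "URL_MAIN", "URL_DATA", "URL_SMS",
            "URL_LOG", "USE_URL_LOG", "PASSADDED", "RTB")


def parse_prefs(xml_text: str) -> Dict[str, str]:
    """Parse a SharedPreferences <map> into {name: value}.

    <string> elements carry the value as text (empty element -> ""); <int> and
    other scalar elements carry it in the 'value' attribute. Values are kept as
    strings so the diff does not depend on the element type.
    """
    root = ET.fromstring(xml_text.strip().encode("utf-8"))
    if root.tag != "map":
        raise ValueError("not a SharedPreferences map")
    prefs: Dict[str, str] = {}
    for el in root:
        name = el.get("name")
        if name is None:
            continue
        prefs[name] = (el.text or "") if el.tag == "string" else el.get("value", "")
    return prefs


def diff_prefs(before: Dict[str, str], after: Dict[str, str]) -> Dict[str, Tuple[Optional[str], Optional[str]]]:
    """Return {key: (old, new)} for every key that changed, appeared or vanished."""
    changes = {}
    for key in sorted(set(before) | set(after)):
        old, new = before.get(key), after.get(key)
        if old != new:
            changes[key] = (old, new)
    return changes


def extract_iocs(prefs: Dict[str, str]) -> Dict[str, object]:
    """Collect non-empty infrastructure fields; URL fields may hold ';'-separated lists."""
    iocs: Dict[str, object] = {}
    for key in IOC_KEYS:
        val = prefs.get(key, "")
        if not val:
            continue
        iocs[key] = [u for u in val.split(";") if u] if "URL" in key else val
    return iocs


# Constructed snapshot of the freshly installed state (placeholder hosts/IMEI).
INITIAL_XML = """<?xml version='1.0' encoding='utf-8' standalone='yes' ?>
<map>
<string name="Pref5"></string>
<int name="DEL" value="0" />
<int name="RID" value="25" />
<string name="PHONE_NUMBER"></string>
<int name="RTB" value="0" />
<int name="FIRST_ACTIVITY" value="1" />
<string name="IMEI">000000000000000</string>
<string name="URL_DATA">http://c2-a.example/1.php;http://c2-b.example/1.php</string>
<string name="URL_LOG">http://c2-a.example/4.php;http://c2-b.example/4.php</string>
<string name="URL_MAIN">http://c2-c.example/mainn.php;http://c2-d.example/mainn.php</string>
<string name="USE_URL_LOG">http://c2-a.example/4.php</string>
</map>"""

# Constructed snapshot after SETP, STARTB, YAHOO and GOOGL have been processed.
CONFIGURED_XML = """<?xml version='1.0' encoding='utf-8' standalone='yes' ?>
<map>
<string name="Pref5"></string>
<int name="PASSADDED" value="542298" />
<int name="DEL" value="0" />
<int name="RID" value="25" />
<string name="PHONE_NUMBER">+41790000002</string>
<int name="RTB" value="2" />
<int name="FIRST_ACTIVITY" value="1" />
<string name="IMEI">000000000000000</string>
<string name="URL_DATA"></string>
<string name="URL_LOG"></string>
<string name="URL_MAIN">http://www.c2c-demo.com</string>
<string name="USE_URL_LOG"></string>
<string name="sms_phone">+41790000003</string>
</map>"""

if __name__ == "__main__":
    before, after = parse_prefs(INITIAL_XML), parse_prefs(CONFIGURED_XML)
    for key, (old, new) in diff_prefs(before, after).items():
        print(f"{key}: {old!r} -> {new!r}")
    print(extract_iocs(after))
```

Run against a real /data/data/<package>/shared_prefs dump pulled over a root shell, the diff shows in one glance which operator-controlled values (PHONE_NUMBER, sms_phone, URL_MAIN) were set after install, and the IoC list is what goes into a blocklist or a report.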
Deleting the malware
The last step is to check the DEL command. If I send the command CODE DEL, a window pops up on the compromised phone which informs the user that, in order to update to a new version, the current version needs to be deleted. If the user accepts, the malware is uninstalled and deleted. Very clever way to delete the malware :)
At this stage, I now know how the SMS C&C works and I can easily interact with it.