
Android Malware Analysis: zazdi botnet campaign ( ͡° ͜ʖ ͡°) (day 84)



Welcome back to the Android malware analysis series. Today we are going to analyze one of the samples from the "zazdi" botnet campaign, which was found around 2019. What is really interesting about this particular malware family is how creatively the malware author uses a known-good service to run the operation.

As we know, in the world of malware analysis a botnet needs to talk to its C&C server (Command & Control server) in order to take the next step of the attack. A C&C server is naturally easy for a malware analyst to spot, since it usually sits on a rogue server.

But the zazdi botnet uses Firebase Cloud Messaging (FCM) as its C&C channel to exchange messages with its infected devices. FCM is basically just the new version of Google Cloud Messaging.



The malware sample can be downloaded from https://github.com/ashishb/android-malware/blob/master/zazdi_botnet/4593635ba742e49a64293338a383f482f0f1925871157b5c4b1222e79909e838.apk

Static Analysis:




To get certificate information you can use the jarsigner utility. This might come in handy since some malware authors use the same certificate across their malware samples.

Certificate Information:

- Signed by "CN=JAWAL APPLICATIONS, OU=DEV UNIT, O=MOBISTARTAPP, L=CASABLANCA, ST=CASA SETTAT, C=MA"
- Digest algorithm: SHA1
- Signature algorithm: SHA1withRSA, 2048-bit key




To get the permissions of the app you can use the jadx utility; be aware that this command also extracts the source code.

Uses Permissions:

- android.permission.READ_EXTERNAL_STORAGE
- android.permission.WRITE_EXTERNAL_STORAGE
- android.permission.ACCESS_NETWORK_STATE
- android.permission.ACCESS_WIFI_STATE
- android.permission.INTERNET
- android.permission.ACCESS_COARSE_LOCATION
- android.permission.ACCESS_FINE_LOCATION
- android.permission.WAKE_LOCK
- com.android.launcher.permission.READ_SETTINGS
- com.google.android.providers.gsf.permission.READ_GSERVICES
- com.android.launcher.permission.INSTALL_SHORTCUT
- android.permission.RECEIVE_BOOT_COMPLETED
- android.permission.GET_ACCOUNTS
- android.permission.GET_TASKS
- com.google.android.c2dm.permission.RECEIVE
- com.mobistartapp.windows7launcher.permission.C2D_MESSAGE


The result shows that the malware asks for a lot of permissions. This is common in the Android malware world, since the author wants better control over the device.

Let's try to grab some hardcoded URLs in the app to see if there is any interesting backend connection besides Firebase:

~# grep -r "http://"
~# grep -r "https://"

mobistartapp domain:

http://www.mobistartapp.com/Apps/privacy-policy.php?app_id=com.mobistartapp.flashlight
http://www.mobistartapp.com/fcm_server_php/fcm_users_sms_register.php
http://www.mobistartapp.com/social/facebook/index.php?app_id=com.mobistartapp.windows7launcher
http://www.mobistartapp.com/fcm_server_php/fcm_users_inventory_register.php


hizaxytv domains:

http://www.hizaxytv.com


coderoute domains:

http://www.coderoute.ma 

In the end, I was able to find three domains that are contacted by the application. All of the URLs from the mobistartapp domain are already shut down, so I can't go any further in investigating the website, but according to the SonicWall security team this URL hosted one of the .php files that contains the Firebase dashboard used to send commands for controlling the operations of the infected devices.

But the other two domains are still alive and VirusTotal has already marked them as dodgy websites:

hizaxytv domains:

 



coderoute domains:

 



Dynamic Analysis:

To get more information about the malware sample I installed it in my Android emulator and redirected all of the network communication to the Burp Suite proxy on my host.

Android emulator setup for proxy:


Make sure the Burp Suite certificate is installed on the device so we can also listen to HTTPS connections:


When you install and open the malware app in the emulator it automatically changes the appearance of your Android GUI to look like Windows 7 (just like the name implies), and what is interesting is that the malware installs three additional applications that are also part of the zazdi botnet campaign:
  • com.mobistartapp.flashlight (dodgy flashlight app)
  • com.hzdi.flappybee (dodgy Flappy Bird-style game)
  • com.tassaly.santaskiingchallenge (another dodgy Santa skiing game)
All of these apps were grabbed from the app store and installed in the background.

flashlight and Santa skiing app:


 

The app connects to the app store to install these applications:



Interestingly enough, this app contacts the domains we previously listed from the static analysis:


All of these domains lead to the same URL path, /Win7Launcher/settings_win7launcher.xml, but unfortunately this URL does not exist anymore, so I assume this .xml file contained different options that can be used to send messages/notifications to the victim.

But there is one domain that was not listed when we did the static analysis. So I got to the bottom of this and found other interesting things in the application.

file: com.mobistartapp.windows7launcher.helpers.c





Take a look at the StringBuilder() variable: we can see that the domain string is reversed, which is why it was not identified when we ran grep.
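A plain grep for "http://" misses literals stored backwards, so a second pass that reverses every string literal is worth adding to the static-analysis step. The following scanner is an added example (not code from the post or from the sample); the Java fragment it scans is constructed to imitate the StringBuilder().reverse() trick, and the TLD list is an assumption you would extend for your target region.

```python
"""Scan jadx-decompiled Java for the string-reversal trick this sample uses
to hide its C&C domains from a plain grep for "http://".  Two signals: an
explicit new StringBuilder("...").reverse() call, and any literal that only
looks like a URL or host after reversal.  Added example, not code from the
post; the Java fragment is constructed to imitate the technique."""
import re

# Constructed fragment in the style of the sample's helper class; the
# reversed literals decode to http://www.example.com/ and www.coderoute.ma.
SAMPLE_JAVA = r'''
public class c {
    public static String a() {
        return new StringBuilder("/moc.elpmaxe.www//:ptth").reverse().toString();
    }
    private static final String b = "am.etuoredoc.www";
    public static final String PATH = "/fcm_server_php/hzpermis/fcm_register_login.php";
    public static final String GREETING = "Hello, world";
}
'''

STRING_LITERAL = re.compile(r'"((?:[^"\\]|\\.)*)"')
REVERSE_CALL = re.compile(r'new StringBuilder\("((?:[^"\\]|\\.)*)"\)\s*\.reverse\(\)')
TLDS = {"com", "net", "org", "info", "ma"}   # assumption: extend as needed


def looks_like_url(s):
    """True for http(s)://... or a dotted hostname ending in a known TLD."""
    s = s.lower()
    if re.match(r"^https?://[a-z0-9.-]+", s):
        return True
    labels = s.split("/")[0].split(".")
    return (len(labels) >= 2 and labels[-1] in TLDS
            and all(re.fullmatch(r"[a-z0-9-]+", lab) for lab in labels))


def explicit_reversals(java_src):
    """Decode literals passed straight into StringBuilder(...).reverse()."""
    return [m.group(1)[::-1] for m in REVERSE_CALL.finditer(java_src)]


def hidden_urls(java_src):
    """(as_written, decoded) pairs for literals that become URL-like only
    when reversed; literals already URL-like are skipped since grep finds them."""
    hits = []
    for m in STRING_LITERAL.finditer(java_src):
        lit = m.group(1)
        if looks_like_url(lit[::-1]) and not looks_like_url(lit):
            hits.append((lit, lit[::-1]))
    return hits
```

Running hidden_urls over the whole jadx output directory (one file at a time) surfaces reversed hosts even when they are built up without an obvious reverse() call.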

From the result we can also get other URL paths used by the mobistartapp domain:
  • /fcm_server_php/windows7_launcher/fcm_log_windows7_launcher/fcm_insert_log.php
  • /fcm_server_php/windows7_launcher/fcm_register.php
  • /fcm_server_php/hzpermis/fcm_register_accounts.php
  • /fcm_server_php/hzpermis/fcm_register_location.php
  • /fcm_server_php/hzpermis/fcm_register_clipboard.php
  • /fcm_server_php/hzpermis/fcm_register_login.php
Taking a look at the Burp Suite log history again, we can see that the domain is queried continuously for persistence. I got curious and searched through the source code again to find the portion of code responsible for this. After a couple of minutes I think I found it: it runs in the service component of the Android app, which is responsible for running tasks in the background.

file: com.mobistartapp.windows7launcher.services.NetworkChangeReceiverList



We can see that every second the code probes the same URL path with different domains, over and over again.
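That polling pattern (one fixed path, a rotating set of hosts, roughly one request per second) is also what a defender can key on in proxy or egress logs. The detection below is an added example, not code from the post; the log lines are constructed in a simple "epoch_seconds host path" format rather than Burp's own export format, and the thresholds are assumptions to tune.

```python
"""Flag the beaconing seen in the proxy history: the same URL path requested
about once a second against a rotating set of hosts.  Added example, not
from the post; the log is constructed as "epoch_seconds host path" lines."""
from collections import defaultdict
from statistics import median

# Constructed proxy log modelled on the behaviour described above; the
# timestamps are made up, the hosts and path are the ones seen in the sample.
SAMPLE_LOG = """\
1575000000 www.mobistartapp.com /Win7Launcher/settings_win7launcher.xml
1575000001 www.hizaxytv.com /Win7Launcher/settings_win7launcher.xml
1575000002 www.coderoute.ma /Win7Launcher/settings_win7launcher.xml
1575000003 www.mobistartapp.com /Win7Launcher/settings_win7launcher.xml
1575000004 www.hizaxytv.com /Win7Launcher/settings_win7launcher.xml
1575000005 www.coderoute.ma /Win7Launcher/settings_win7launcher.xml
1575000007 play.google.com /store/apps/details
1575000900 play.google.com /store/apps/details
"""


def parse_log(text):
    """Parse constructed log lines into (timestamp, host, path) tuples."""
    rows = []
    for line in text.splitlines():
        ts, host, path = line.split(maxsplit=2)
        rows.append((int(ts), host, path))
    return rows


def find_beacons(rows, max_interval=2.0, min_requests=5, min_hosts=2):
    """Return {path: (sorted_hosts, median_gap_seconds)} for paths polled at a
    steady short interval across several hosts.  Thresholds are assumptions."""
    by_path = defaultdict(list)
    for ts, host, path in rows:
        by_path[path].append((ts, host))
    beacons = {}
    for path, hits in by_path.items():
        if len(hits) < min_requests:
            continue
        hits.sort()
        gaps = [b[0] - a[0] for a, b in zip(hits, hits[1:])]
        hosts = sorted({h for _, h in hits})
        if len(hosts) >= min_hosts and median(gaps) <= max_interval:
            beacons[path] = (hosts, median(gaps))
    return beacons
```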

Obtain screenshot and send to backend:

I found out that there is an activity in the app that can be invoked through an implicit intent to take a screenshot on the device and send it to the Firebase server.

file: com.mobistartapp.windows7launcher.activities.ScreenshotActivity





As you can see from the image above, in order to invoke the screenshot activity we need an Android SDK version equal to or above 21.

Furthermore, it also needs three parameters to be passed: app_id, upload_server_url and is_firebase_upload.

Persistent activity through broadcast:





The app uses a broadcast receiver to listen for the android.intent.action.BOOT_COMPLETED event on the device. This means that the receiver executes its task when the device boots up, and from the image the task that gets executed is to call the main activity, SplashActivity.



We can see that the intent that is sent has its flag set to 268435456 (0x10000000), which is equivalent to FLAG_ACTIVITY_NEW_TASK. According to the Android developer page this means that the malicious activity will be placed inside and on top of the targeted task.

"Thus the malicious activity hijacks the target's task." The next time the target app is launched from the Launcher, the hijacked task is brought to the front and the malicious activity becomes visible.

I think that's all, folks. There are many things that I still didn't cover in this analysis; I hope from this blog you can continue my analysis and find something more interesting.

So I hope you enjoyed this post, and see you in the next Android malware analysis series.

References:

https://github.com/firebase/quickstart-android/tree/master/messaging
https://securitynews.sonicwall.com/xmlpost/the-android-zazdi-botnet-uses-fcm-to-communicate-with-its-infected-bots/
https://arstechnica.com/information-technology/2019/12/vulnerability-in-fully-patched-android-phones-under-active-attack-by-bank-thieves/
