Wednesday, October 19, 2022

SharkDBS IRC/FTP Bot

As always, IOCs at the end. 


Characteristics:

  • Uses IRC to send data to the attacker and FTP.

  • Get the victim's IP address via external services, uses ip2location until it is able to connect to the external service.

  • Get list of applications

  • Send SMS using the device.

  • Requests several permissions:

    • android.permission.INTERNET

    • android.permission.READ_EXTERNAL_STORAGE

    • android.permission.RECEIVE_BOOT_COMPLETED

    • android.permission.REBOOT

    • android.permission.CALL_PHONE

    • android.permission.READ_SMS

    • android.permission.READ_CONTACTS

    • android.permission.SEND_SMS

    • android.permission.WRITE_EXTERNAL_STORAGE

    • android.permission.READ_CALL_LOG

    • android.permission.SYSTEM_ALERT_WINDOW

  • Includes Spanish strings in the code, suggesting the actor is from a Spanish speaking country. 

  • The IP the duckdns serves the APK from is from Spain.

  • Useful links:

  • Virustotal Graph: https://www.virustotal.com/graph/embed/g1f66b84527234df186946867ace02cc1d175d8dd4bd045cf948261dd16565c7d 

  • Virustotal Collection: https://www.virustotal.com/gui/collection/4b368a9e4f689c2585fdf10248d7a117bfca4300bb6494d9c10ea5278400e0f1



This sample seems like work in progress. There is functionality implemented that is not called during execution. 


The channel and ids and credentials used to send data via IRC or via FTP. 


When connecting to the remote IRC server it answers from `irc.prodigybot[.]net`:



The random ID is generated by choosing a random number which is hardcoded:


It iterates in a loop to ensure that the BOT_IP is always the latest one:


There is functionality to get the list of applications installed in the device but it is not called, the same goes for sending SMS and getting the contacts list. 



The owner or owners point to maybe two different actors, SharK and G0ku, as seen in the code:


 

On the other side, this duckdns dynDNS url has been used in the past for other payloads and has hosted other unrelated malicious files:




Also, the serving IP address 95.60.57[.]103 is from Spain:



Similar samples were seen in the wild previously the 12th of August of 2022 and points to a work in progress. In previous samples, it contains similar functionality with slight differences. For example, data is stored in resources and the credentials stay the same. The resource owner might point to two actors.



Some functions not present in the current sample such as fetching mails via accountmanager are present in these old samples:

IOCs:

  • Sample SHA256: a0715a88e289763cac6ca6ce5b5b24575c6d966591c7949eb88d0024dcace2bc

  • anunnakii.duckdns.org:6667 IRC port

  • Owners: {"G0KU", "SharK"}

  • Resolving IP address of the dyndns: 95.60.57[.]103

  • Other SHA256:

    • ca0f0b0f2175ad5a982c6a135fb833e0d0f6093fdbd8004483804e5177c89671

    • 496590c57e3c3cc1cebbfb5135667a00ff11678ca0a3c913c5532ce8169221f4

    • c3fa7ac9db35a7d28468b25429a8334d22c6819b12df923e6dd65e2d0f9c8aa3

    • 7e339c8bac29595a26185bdda3242919e0c0ab64fa54ce454ede738c983c306d

    • 33c9320da28b5d1bd7b1a3ef1ac2b16f2977dfb6cd5e03f2868d956fa1d6ab45

    • 2855011ea35cb91642ca75bd3d027273b83cb4511f5a4da50c41b15df9490793



at No comments:
Subscribe to: Posts (Atom)

2023

Every year I start writing about a wrap-up of my year but I never end up finishing it. Hope this year is different. I'm starting with th...

  • Operating with ArrayBuffers in Frida
     Lots of situations will require working directly with ArrayBuffers but operating with them might not be straightforward because data might ...
  • Zanubis updates with screenshot recording
    As always, IOCs and targets at the end. Previous updates of this family at:  https://www.entdark.net/2022/09/zanubis-latam-banking-trojan.ht...
  • Zanubis LATAM Banking Trojan
      Brief note: I analyzed this sample I found thanks to MHT's tweet https://twitter.com/malwrhunterteam/status/1564972377452298245?s=20...