Android ransomware is back

ESET researchers discover a new Android ransomware family that attempts to spread to victims’ contacts and deploys some unusual tricks

After two years of decline in Android ransomware, a new family has emerged. We have seen the ransomware, detected by ESET Mobile Security as Android/Filecoder.C, distributed via various online forums. Using victims’ contact lists, it spreads further via SMS messages carrying malicious links. Due to narrow targeting and flaws in both the execution of the campaign and the implementation of its encryption, the impact of this new ransomware is limited. However, if the developers fix the flaws and the operators start targeting broader groups of users, Android/Filecoder.C could become a serious threat.

Android/Filecoder.C has been active since at least July 12th, 2019. Within the campaign we discovered, it has been distributed via malicious posts on Reddit and on XDA Developers, a forum for Android developers. We reported the malicious activity to XDA Developers and Reddit. The posts on the XDA Developers forum were removed swiftly; the malicious Reddit profile was still up at the time of publication.

Android/Filecoder.C spreads further via SMS with malicious links, which are sent to all contacts in the victim’s contact list.

After the ransomware sends out this batch of malicious SMSes, it encrypts most user files on the device and requests a ransom. Due to flawed encryption, it is possible to decrypt the affected files without any assistance from the attacker.

Users with ESET Mobile Security receive a warning about the malicious link; should they ignore the warning and download the app, the security solution will block it.

The campaign we discovered is based on two domains (see the IoCs section below), controlled by the attackers, that contain malicious Android files for download. The attackers lure potential victims to these domains via posting or commenting on Reddit (Figure 1) or XDA Developers (Figure 2).

Mostly, the topics of the posts were porn-related; we have also seen technical topics used as a lure. In all comments or posts, the attackers included links or QR codes pointing to the malicious apps.

Figure 1. The attacker’s Reddit profile with malicious posts and comments

Figure 2. Some of the attackers’ malicious posts on the XDA Developers forum

In one link shared on Reddit, the attackers used a URL shortener. The shortened URL was created on Jun 11, 2019 and, as seen in Figure 3, its statistics show that, at the time of writing, it had reached 59 clicks from different sources and countries.

Figure 3. Statistics for the link shared on Reddit during the ransomware campaign

As previously mentioned, the Android/Filecoder.C ransomware spreads links to itself via SMS messages to all the entries in the victim’s contact list.

These messages include links to the ransomware; to increase the potential victims’ interest, the link is presented as a link to an app that supposedly uses the potential victim’s photos, as seen in Figure 4.

To maximize its reach, the ransomware carries the 42 language versions of the message template seen in Figure 5. Before sending the messages, it chooses the version that matches the victim device’s language setting. To personalize these messages, the malware prepends the contact’s name to them.

Figure 4. An SMS with a link to the ransomware; this language variant is sent if the sending device has the language set to English

Figure 5. A total of 42 language versions that are hardcoded in the ransomware

Once potential victims receive an SMS message with the link to the malicious application, they need to install it manually. After the app is launched, it displays whatever is promised in the posts distributing it – most often, it’s a sex simulator online game. However, its main purposes are C&C communication, spreading malicious messages and implementing the encryption/decryption mechanism.

As for C&C communication, the malware contains hardcoded C&C and Bitcoin addresses in its source code. However, it can also dynamically retrieve them: they can be changed anytime by the attacker, using the free Pastebin service.

Figure 6. An example of a set of addresses for the ransomware to retrieve C&C addresses

The ransomware can send text messages and has access to the user’s contact list. Before it encrypts files, it sends a message to each of the victim’s contacts using the technique described in the “Spreading” section above.

Next, the ransomware goes through files on accessible storage – meaning all the device’s storage except where system files reside – and encrypts most of them (see the “File encryption mechanism” section below). After the files are encrypted, the ransomware displays its ransom note (in English) as seen in Figure 7.

Figure 7. A ransom note displayed by Android/Filecoder.C

It is true that if the victim removes the app, the ransomware will not be able to decrypt the files, as stated in the ransom note. However, the files can still be recovered, due to flawed encryption (see more in the following section). Also, according to our analysis, there is nothing in the ransomware’s code to support the claim that the affected data will be lost after 72 hours.

As seen in Figure 8, the requested ransom is partially dynamic. The leading part of the bitcoin amount is hardcoded as 0.01, and the six digits that follow it are the user ID generated by the malware, so the requested amount is 0.01 followed by the six-digit ID.

This unusual practice may serve to identify incoming payments. (In Android ransomware, this is typically achieved by generating a separate Bitcoin wallet for each encrypted device.) Since the amount therefore lies between 0.01 and 0.02 BTC, and based on the recent exchange rate of approximately US$9,400 per bitcoin, the derived ransoms fall in the range US$94-188 (assuming that the unique ID is generated randomly).

Figure 8. How the malware calculates the ransom

Unlike typical Android ransomware, Android/Filecoder.C doesn’t prevent use of the device by locking the screen.

As seen in Figure 9, at the time of writing, the mentioned Bitcoin address, which can be dynamically changed but was the same in all cases we’ve seen, has recorded no transactions.

Figure 9. The Bitcoin address used by the attackers

The ransomware uses both asymmetric and symmetric encryption. First, it generates a public/private key pair. The private key is encrypted using the RSA algorithm with a hardcoded value stored in the code and is then sent to the attacker’s server. The attacker can decrypt that private key and, after the victim pays the ransom, return it to the victim to decrypt their files.

When encrypting files, the ransomware generates a new AES key for each file. This AES key is encrypted using the device’s public key and prepended to the encrypted file, giving the following pattern: ( (AES)public_key + (File)AES ).seven, i.e. the AES key encrypted under the public key, followed by the file encrypted under that AES key, with the “.seven” extension appended.

The file structure is seen in Figure 10.

Figure 10. Overview of encrypted file structure

The ransomware encrypts the following filetypes, by going through accessible storage directories:

“.doc”, “.docx”, “.xls”, “.xlsx”, “.ppt”, “.pptx”, “.pst”, “.ost”, “.msg”, “.eml”, “.vsd”, “.vsdx”, “.txt”, “.csv”, “.rtf”, “.123”, “.wks”, “.wk1”, “.pdf”, “.dwg”, “.onetoc2”, “.snt”, “.jpeg”, “.jpg”, “.docb”, “.docm”, “.dot”, “.dotm”, “.dotx”, “.xlsm”, “.xlsb”, “.xlw”, “.xlt”, “.xlm”, “.xlc”, “.xltx”, “.xltm”, “.pptm”, “.pot”, “.pps”, “.ppsm”, “.ppsx”, “.ppam”, “.potx”, “.potm”, “.edb”, “.hwp”, “.602”, “.sxi”, “.sti”, “.sldx”, “.sldm”, “.sldm”, “.vdi”, “.vmdk”, “.vmx”, “.gpg”, “.aes”, “.ARC”, “.PAQ”, “.bz2”, “.tbk”, “.bak”, “.tar”, “.tgz”, “.gz”, “.7z”, “.rar”, “.zip”, “.backup”, “.iso”, “.vcd”, “.bmp”, “.png”, “.gif”, “.raw”, “.cgm”, “.tif”, “.tiff”, “.nef”, “.psd”, “.ai”, “.svg”, “.djvu”, “.m4u”, “.m3u”, “.mid”, “.wma”, “.flv”, “.3g2”, “.mkv”, “.3gp”, “.mp4”, “.mov”, “.avi”, “.asf”, “.mpeg”, “.vob”, “.mpg”, “.wmv”, “.fla”, “.swf”, “.wav”, “.mp3”, “.sh”, “.class”, “.jar”, “.java”, “.rb”, “.asp”, “.php”, “.jsp”, “.brd”, “.sch”, “.dch”, “.dip”, “.pl”, “.vb”, “.vbs”, “.ps1”, “.bat”, “.cmd”, “.js”, “.asm”, “.h”, “.pas”, “.cpp”, “.c”, “.cs”, “.suo”, “.sln”, “.ldf”, “.mdf”, “.ibd”, “.myi”, “.myd”, “.frm”, “.odb”, “.dbf”, “.db”, “.mdb”, “.accdb”, “.sql”, “.sqlitedb”, “.sqlite3”, “.asc”, “.lay6”, “.lay”, “.mml”, “.sxm”, “.otg”, “.odg”, “.uop”, “.std”, “.sxd”, “.otp”, “.odp”, “.wb2”, “.slk”, “.dif”, “.stc”, “.sxc”, “.ots”, “.ods”, “.3dm”, “.max”, “.3ds”, “.uot”, “.stw”, “.sxw”, “.ott”, “.odt”, “.pem”, “.p12”, “.csr”, “.crt”, “.key”, “.pfx”, “.der”

However, it doesn’t encrypt files in directories that contain the strings “.cache”, “tmp”, or “temp”.

The ransomware also leaves “.zip” and “.rar” files unencrypted if they are larger than 51,200 KB (50 MB), and “.jpeg”, “.jpg” and “.png” files unencrypted if they are smaller than 150 KB.

The list of filetypes contains some entries unrelated to Android and at the same time lacks some typical Android extensions such as .apk, .dex, .so. Apparently, the list has been copied from the notorious WannaCryptor aka WannaCry ransomware.
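As an added example (not the sample’s own code), the selection rules above expressed as a single predicate in Go, so that an analyst can estimate which files on a device image the ransomware would have touched. Assumptions the text does not settle: extension matching is case-insensitive (the list mixes “.ARC” and “.PAQ” with lowercase entries), the 51,200 KB and 150 KB thresholds use 1 KB = 1,024 bytes, and the directory exclusion is a plain substring test on the path, so a directory named “templates” is also skipped. The sample paths are constructed.

```go
package main

import (
	"fmt"
	"path/filepath"
	"strings"
)

// targetExts holds the extension list quoted above (the WannaCry-derived
// list), lowercased at startup. Lowercasing both sides is an assumption: the
// text does not say whether the sample matches case-insensitively.
var targetExts = map[string]bool{}

func init() {
	for _, e := range strings.Fields(`
.doc .docx .xls .xlsx .ppt .pptx .pst .ost .msg .eml .vsd .vsdx .txt .csv .rtf .123 .wks .wk1
.pdf .dwg .onetoc2 .snt .jpeg .jpg .docb .docm .dot .dotm .dotx .xlsm .xlsb .xlw .xlt .xlm .xlc
.xltx .xltm .pptm .pot .pps .ppsm .ppsx .ppam .potx .potm .edb .hwp .602 .sxi .sti .sldx .sldm
.vdi .vmdk .vmx .gpg .aes .ARC .PAQ .bz2 .tbk .bak .tar .tgz .gz .7z .rar .zip .backup .iso .vcd
.bmp .png .gif .raw .cgm .tif .tiff .nef .psd .ai .svg .djvu .m4u .m3u .mid .wma .flv .3g2 .mkv
.3gp .mp4 .mov .avi .asf .mpeg .vob .mpg .wmv .fla .swf .wav .mp3 .sh .class .jar .java .rb .asp
.php .jsp .brd .sch .dch .dip .pl .vb .vbs .ps1 .bat .cmd .js .asm .h .pas .cpp .c .cs .suo .sln
.ldf .mdf .ibd .myi .myd .frm .odb .dbf .db .mdb .accdb .sql .sqlitedb .sqlite3 .asc .lay6 .lay
.mml .sxm .otg .odg .uop .std .sxd .otp .odp .wb2 .slk .dif .stc .sxc .ots .ods .3dm .max .3ds
.uot .stw .sxw .ott .odt .pem .p12 .csr .crt .key .pfx .der`) {
		targetExts[strings.ToLower(e)] = true
	}
}

const (
	kib              = 1024              // assumed: 1 KB = 1,024 bytes
	archiveSkipAbove = 51200 * kib       // 50 MB: larger .zip/.rar files are left alone
	imageSkipBelow   = 150 * kib         // smaller .jpeg/.jpg/.png files are left alone
)

// skipDirMarkers are the substrings that exclude a directory from encryption.
var skipDirMarkers = []string{".cache", "tmp", "temp"}

// wouldEncrypt reports whether the sample's selection rules, as described
// above, would pick the file at path with the given size in bytes.
func wouldEncrypt(path string, size int64) bool {
	// Directory exclusion: a substring test over the whole directory path
	// (assumption), which is why "templates" is caught by "temp".
	dir := strings.ToLower(filepath.ToSlash(filepath.Dir(path)))
	for _, m := range skipDirMarkers {
		if strings.Contains(dir, m) {
			return false
		}
	}
	ext := strings.ToLower(filepath.Ext(path))
	if !targetExts[ext] {
		return false
	}
	// Size carve-outs: big archives and small images are skipped.
	switch ext {
	case ".zip", ".rar":
		return size <= archiveSkipAbove
	case ".jpeg", ".jpg", ".png":
		return size >= imageSkipBelow
	}
	return true
}

func main() {
	// Constructed sample paths on a typical device image.
	samples := []struct {
		path string
		size int64
	}{
		{"/sdcard/Documents/report.docx", 40 * kib},
		{"/sdcard/Download/backup.zip", 60 * 1024 * kib},
		{"/sdcard/DCIM/thumb.jpg", 90 * kib},
		{"/sdcard/templates/letter.doc", 12 * kib},
		{"/data/app/base.apk", 5 * 1024 * kib},
	}
	for _, s := range samples {
		fmt.Printf("%-36s %v\n", s.path, wouldEncrypt(s.path, s.size))
	}
}
```

Running it shows the two carve-outs (a 60 MB archive and a 90 KB thumbnail are skipped), the absence of Android-native extensions such as .apk, and the side effect of the substring-based directory rule: any path containing “tmp” or “temp”, including an innocuous “templates” folder, escapes encryption.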

Once the files are encrypted, the file extension “.seven” is appended to the original filename, as seen in Figure 11.

Figure 11. Encrypted files with the extension “.seven”

Code to decrypt encrypted files is present in the ransomware. If the victim pays the ransom, the ransomware operator can verify that via the website seen in Figure 12 and send the private key to decrypt the files.

Figure 12. Ransom payment verification web page

However, because the value used to encrypt the private key is hardcoded, it is possible to decrypt files without paying the ransom by turning the encryption routine into a decryption routine. All that is needed is the UserID (see Figure 13) shown by the ransomware, plus the ransomware’s APK file in case its authors change the hardcoded value. So far, we have seen the same value in all samples of Android/Filecoder.C.

Figure 13. The UserID can be found in the ransom note
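The file layout from the “File encryption mechanism” description and the key-handling flaw discussed just above, as an added example written for this page rather than code taken from the Android/Filecoder.C sample. The text fixes only the shape: a per-device RSA key pair, a fresh AES key per file wrapped with the device public key and prepended to the encrypted file, and a private key protected with a hardcoded value before upload. Everything else is assumed: RSA-2048 with OAEP/SHA-256 for the wrap, AES-256-GCM for file bodies, a two-byte big-endian length prefix on the wrapped key, and, where the text says the private key is encrypted with RSA using a hardcoded value, a hardcoded AES-GCM key standing in for that step, which keeps the property that matters (the secret ships inside the APK) without guessing the sample’s exact construction. The document content is constructed.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"crypto/x509"
	"encoding/binary"
	"errors"
	"fmt"
)

// hardcodedWrapKey stands in for the hardcoded value that protects the device
// private key; constructed here, but anyone holding the APK would hold it too.
var hardcodedWrapKey = []byte("example-key-material-32-bytes!!!")

func must[T any](v T, err error) T {
	if err != nil {
		panic(err) // only reachable on programmer error (bad key length, no entropy)
	}
	return v
}

// gcmSeal encrypts data under key and returns nonce||ciphertext.
func gcmSeal(key, data []byte) []byte {
	gcm := must(cipher.NewGCM(must(aes.NewCipher(key))))
	nonce := make([]byte, gcm.NonceSize())
	must(rand.Read(nonce))
	return gcm.Seal(nonce, nonce, data, nil)
}

// gcmOpen reverses gcmSeal, rejecting short or tampered input.
func gcmOpen(key, blob []byte) ([]byte, error) {
	gcm := must(cipher.NewGCM(must(aes.NewCipher(key))))
	if len(blob) < gcm.NonceSize() {
		return nil, errors.New("ciphertext too short")
	}
	return gcm.Open(nil, blob[:gcm.NonceSize()], blob[gcm.NonceSize():], nil)
}

// encryptFile builds the "(AES)public_key + (File)AES" layout: a 2-byte length,
// the per-file AES key wrapped with the device public key, then the file body.
func encryptFile(devicePub *rsa.PublicKey, plaintext []byte) []byte {
	fileKey := make([]byte, 32)
	must(rand.Read(fileKey))
	wrapped := must(rsa.EncryptOAEP(sha256.New(), rand.Reader, devicePub, fileKey, nil))
	out := make([]byte, 2)
	binary.BigEndian.PutUint16(out, uint16(len(wrapped)))
	return append(append(out, wrapped...), gcmSeal(fileKey, plaintext)...)
}

// decryptFile parses that layout; it needs the device private key.
func decryptFile(devicePriv *rsa.PrivateKey, blob []byte) ([]byte, error) {
	if len(blob) < 2 || len(blob) < 2+int(binary.BigEndian.Uint16(blob)) {
		return nil, errors.New("truncated blob")
	}
	n := int(binary.BigEndian.Uint16(blob))
	fileKey, err := rsa.DecryptOAEP(sha256.New(), nil, devicePriv, blob[2:2+n], nil)
	if err != nil {
		return nil, err
	}
	return gcmOpen(fileKey, blob[2+n:])
}

// recoverPrivateKey is the analyst's side of the flaw: the device private key
// was wrapped with material that ships in the APK, so the wrap can be undone
// without any help from the attacker.
func recoverPrivateKey(wrapped []byte) (*rsa.PrivateKey, error) {
	der, err := gcmOpen(hardcodedWrapKey, wrapped)
	if err != nil {
		return nil, err
	}
	return x509.ParsePKCS1PrivateKey(der)
}

// demo runs the cycle on a constructed document: encrypt it as the sample
// would, wrap the private key as the sample does before upload, recover the
// key from that wrap, and report whether the recovered key decrypts the file.
func demo() (bool, error) {
	devicePriv := must(rsa.GenerateKey(rand.Reader, 2048))
	original := []byte("constructed sample document: Q2 figures")
	blob := encryptFile(&devicePriv.PublicKey, original)
	// What the sample uploads: the private key under the hardcoded value.
	wrapped := gcmSeal(hardcodedWrapKey, x509.MarshalPKCS1PrivateKey(devicePriv))
	recovered, err := recoverPrivateKey(wrapped)
	if err != nil {
		return false, err
	}
	plain, err := decryptFile(recovered, blob)
	return err == nil && bytes.Equal(plain, original), err
}

func main() {
	ok, err := demo()
	fmt.Println("recovered key decrypts file:", ok, err)
}
```

Had the sample wrapped the device private key with an attacker-held RSA public key instead, nothing in the APK would reverse the wrap and recovery would genuinely require the attacker’s cooperation; the recovery path here exists only because the wrapping secret is a constant in the code. Note also that decryptFile and gcmOpen reject truncated or modified input rather than panicking, which a real decryptor has to handle because files on a victim device may have been only partially written.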

  • First of all, keep your devices up to date, ideally set them to patch and update automatically, so that you stay protected even if you’re not among the most security savvy users.
  • If possible, stick with Google Play or other reputable app stores. These markets might not be completely free from malicious apps, but you have a fair chance of avoiding them.
  • Prior to installing any app, check its ratings and reviews. Focus on the negative ones, as they often come from legitimate users, while positive feedback is often crafted by the attackers.
  • Focus on the permissions requested by the app. If they seem inadequate for the app’s functions, avoid downloading the app.
  • Use a reputable mobile security solution to protect your device.
Indicators of Compromise (IoCs)

Hash                                       ESET detection name
B502874681A709E48F3D1DDFA6AE398499F4BD23   Android/Filecoder.C
D5EF600AA1C01FA200ED46140C8308637F09DFCD   Android/Filecoder.C
F31C67CCC0D1867DB1FBC43762FCF83746A408C2   Android/Filecoder.C

Bitcoin address

Contact e-mail address
[email protected][.]ru

Affected Android versions
Android 5.1 and above

29 Jul 2019 – 04:35PM

Scam impersonates WhatsApp, offers ‘free internet’

The fraudulent campaign is hosted by a domain that is home to yet more bogus offers pretending to come from other well-known brands

Recently, ESET researchers in Latin America received a message on WhatsApp stating that the app was giving away 1000 GB of internet data to celebrate its anniversary. It shouldn’t come as much of a surprise when we say that it was a scam, but let’s look at it in greater detail.

Figure 1. The ruse

What strikes us right off the bat here is that the URL that comes with the message is not an official WhatsApp domain. Even though businesses may sometimes run promotions through third parties, the rule of thumb here is to check on the company’s website to make sure any promotion is real and valid.

Nevertheless, if you were to click on the link, you would be taken to a page that invites you to answer a series of questions in the form of a survey – ranging from how you found the offer to your opinion on the app.

Figure 2. The ‘survey’

While you would be responding to the questionnaire, the site would invite you to pass along the offer to at least 30 more people in order to qualify for the big ‘reward’. Needless to say, this is merely a way to boost the campaign’s reach.

Figure 3. The ploy designed to boost the campaign’s reach

So, what are the fraudsters running this WhatsApp-themed scam looking to gain from it? Apparently their goal here is click fraud – a highly prevalent monetization scheme that relies on racking up bogus ad clicks that ultimately bring revenues for the operators of any given campaign.

Even though in this case we found no evidence that clicking the link led to the installation of malicious software or that there was any intention to phish for personal information, it doesn’t mean that this cannot change at any time.

Meanwhile, the same domain that hosts this scam is also home to many other ‘offers’, each pretending to come from a different company, including Adidas, Nestlé and Rolex, to name but a few. The number of Google-indexed sites in Figure 4 shows how the cybercriminals behind these campaigns multiply the fraudulent offers that they are launching into cyberspace.

Figure 4. A sample of more scams run by the operators of the WhatsApp-themed fraud


At its simplest, this fraud is a riff on the same motif that we wrote about in 2017, when a similar WhatsApp-themed scam made the rounds. It also promised to unlock free internet access, but in reality you would end up on sites that signed you up for premium and costly SMS services or installed third-party apps on your smartphone. And in 2018, meanwhile, perhaps the same fraudsters used ‘free Adidas shoes’ as the bait. Regardless of the tune, the end goal was invariably the same – give the scammers an easy way to line their pockets.

Attacks that rely on social engineering are rampant, simply because they continue to be very effective. Con artists know full well that everybody likes to receive something for free or help others, and these are just some of our traits that make us susceptible to fraud.

If we want to avoid getting caught out, we need to keep up on the scammers’ methods and watch out for red flags. In addition, if it sounds too good to be true, it probably is – sticking to that old and beautifully simple adage will go a long way toward bolstering your safety.

29 Jul 2019 – 11:30AM

South African power company battles ransomware attack

The power utility appears to be well on track to a swift recovery following an attack that ultimately left some people without electricity

City Power, one of the companies that supplies electricity to South Africa’s biggest city Johannesburg, is grappling with a ransomware attack that left some residents without power, according to Reuters.

The unspecified ransomware strain “has encrypted all our databases, applications and network”, reads the utility’s announcement from early Thursday local time.

The affected applications include the company’s prepaid vending system, which made it impossible for people to ‘refill’ their accounts and buy electricity units. As ZDNet notes, all this occurred on payday (the 25th) for many South Africans, who would then go on to pay for new electricity packages for the upcoming month.

The City of Johannesburg, which owns the utility, apologized for the “inconvenience” and said that its response to outages may be delayed after the system for ordering and dispatching material was also affected. The grid itself was not impacted.

No details about the attack vector or the criminals’ demands are available. The municipality was quick to reassure customers that their personal information had not been exfiltrated by the attackers, which sets this incident apart from the ever more frequent data breaches.

Meanwhile, the utility is working ’round the clock to restore its systems. “If everything goes according to plan, everything should be restored by Friday,” it said. The company’s website, for one, remains inaccessible as of time of writing.

The municipality appears not to have followed in the footsteps of two cities in Florida, the US, which recently decided to cough up some hefty money to ransomware extortionists.

In closing, a quick aside: While this wasn’t the case with the incident at City Power, attacks aimed at electricity supply interruption aren’t unheard of. Ukraine, for one, has experienced two attack-induced blackouts in recent years. ESET researchers have analyzed samples of malware known as Industroyer that was probably to blame for an hour-long outage that hit parts of Kiev and nearby areas in December 2016. That piece of malicious code was found to be capable of controlling electricity substation switches and circuit breakers directly, including in some cases literally switching them off and on.

26 Jul 2019 – 01:05PM

Streaming service withstands 13‑day DDoS siege

The attack, unleashed by a 400,000-strong Mirai-style botnet, may be the largest of its kind on record

A botnet made up of 402,000 enslaved Internet-of-Things (IoT) devices has staged a 13-day distributed denial-of-service (DDoS) attack against an undisclosed streaming service, according to a blog post by cybersecurity firm Imperva. The company said it successfully counteracted the onslaught and the target suffered no downtime.

The attack, which goes back to late April and early May, was the largest application-layer DDoS attack (i.e. targeting Layer 7 of the OSI model) that Imperva has ever observed. The attackers apparently attempted to exhaust the application server’s resources with a barrage of HTTP traffic in a bid to take the service, or parts thereof, out. The onslaught was consistently well above 100,000 HTTP requests per second (RPS), peaking at 292,000 RPS.

For a time, the attack was directed at the authentication component of the streaming site. Chances are, then, that the attackers also carried out brute-force login attempts, although no analysis of the brute-force aspects of the attack was performed.

A closer look at the IP addresses of the devices involved showed that the attack originated mainly from Brazil. Also, most of the devices had two ports open, 2000 and 7547, that are known to have been used by Mirai.

The Mirai botnet malware is notorious for having hijacked tens of thousands of IoT devices in 2016 that were then unleashed to conduct a series of DDoS attacks. This included knocking out thousands of websites for many internet users, especially on the US East Coast.

Compared to attacks that hit Layers 3 (Network) and 4 (Transport) of the OSI stack, Layer 7-specific attacks often receive less attention and can be harder to counter, including because applications are intended to receive requests from users and the bogus requests are made to look like legitimate traffic. DDoS attacks in general may also be intended as smoke screens for other nefarious actions.
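To make the last two paragraphs concrete, an added example (not Imperva’s detection logic, nor anything from the incident) in Go that runs two checks over constructed access-log lines: the usual per-source request rate and a per-endpoint aggregate compared with an assumed baseline. The log format, the 1,500-bot flood against a login endpoint, the 50 rps per-source limit and the 5x-baseline rule are all assumptions made for the example.

```go
package main

import (
	"fmt"
	"sort"
	"strconv"
	"strings"
)

// entry is one parsed access-log record. The constructed format is
// "<unix-second> <client-ip> <method> <path> <status>" (an assumption).
type entry struct {
	sec  int64
	ip   string
	path string
}

// parseLines turns raw log lines into entries, rejecting malformed ones.
func parseLines(lines []string) ([]entry, error) {
	var out []entry
	for i, ln := range lines {
		f := strings.Fields(ln)
		if len(f) != 5 {
			return nil, fmt.Errorf("line %d: expected 5 fields, got %d", i+1, len(f))
		}
		sec, err := strconv.ParseInt(f[0], 10, 64)
		if err != nil {
			return nil, fmt.Errorf("line %d: bad timestamp: %w", i+1, err)
		}
		out = append(out, entry{sec: sec, ip: f[1], path: f[3]})
	}
	return out, nil
}

type bucket struct {
	key string
	sec int64
}

// peakPerKey returns, for each key chosen by keyOf, the highest number of
// requests seen within any single second.
func peakPerKey(es []entry, keyOf func(entry) string) map[string]int {
	counts := map[bucket]int{}
	for _, e := range es {
		counts[bucket{keyOf(e), e.sec}]++
	}
	peak := map[string]int{}
	for b, n := range counts {
		if n > peak[b.key] {
			peak[b.key] = n
		}
	}
	return peak
}

// perSourcePeak is the classic per-client rate check: the busiest single IP
// (ties broken by the lexicographically smallest address, for determinism).
func perSourcePeak(es []entry) (string, int) {
	bestIP, best := "", 0
	for ip, n := range peakPerKey(es, func(e entry) string { return e.ip }) {
		if n > best || (n == best && ip < bestIP) {
			bestIP, best = ip, n
		}
	}
	return bestIP, best
}

// perPathPeak is the aggregate view: requests per second per endpoint,
// regardless of how many clients produced them.
func perPathPeak(es []entry) map[string]int {
	return peakPerKey(es, func(e entry) string { return e.path })
}

// triage applies both checks. perIPLimit and baselineRPS are assumed
// operator-chosen values; an endpoint alerts above 5x its baseline.
func triage(es []entry, perIPLimit int, baselineRPS map[string]int) []string {
	var alerts []string
	if ip, peak := perSourcePeak(es); peak > perIPLimit {
		alerts = append(alerts, fmt.Sprintf("source %s at %d rps", ip, peak))
	}
	for path, peak := range perPathPeak(es) {
		if base, ok := baselineRPS[path]; ok && peak > 5*base {
			alerts = append(alerts, fmt.Sprintf("path %s at %d rps (baseline %d)", path, peak, base))
		}
	}
	sort.Strings(alerts)
	return alerts
}

// constructedLog builds three seconds of traffic: 20 legitimate clients making
// 3 requests/s each to "/", plus 1,500 distinct bot IPs each making a single
// request/s to the login endpoint, mirroring a many-device, low-rate flood.
func constructedLog() []string {
	var lines []string
	for sec := int64(0); sec < 3; sec++ {
		for i := 0; i < 20; i++ {
			for r := 0; r < 3; r++ {
				lines = append(lines, fmt.Sprintf("%d 10.0.0.%d GET / 200", sec, i))
			}
		}
		for j := 0; j < 1500; j++ {
			lines = append(lines, fmt.Sprintf("%d 100.64.%d.%d POST /login 401", sec, j/256, j%256))
		}
	}
	return lines
}

func main() {
	es, err := parseLines(constructedLog())
	if err != nil {
		panic(err)
	}
	ip, peak := perSourcePeak(es)
	fmt.Printf("busiest single source: %s at %d rps\n", ip, peak)
	fmt.Println("alerts:", triage(es, 50, map[string]int{"/": 100, "/login": 20}))
}
```

The busiest single client in the constructed log is a legitimate one at 3 rps, so a per-source limit of 50 fires nothing, while the login endpoint’s aggregate of 1,500 rps stands far above its baseline. The proportions match the incident: 292,000 rps spread over 402,000 devices works out to well under one request per second per device, which is why the aggregate, per-endpoint view is the one that sees a Layer 7 flood of this shape.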

25 Jul 2019 – 06:35PM

Data breaches can haunt firms for years

The compromised company may bear the financial brunt of the breach within the first year after the incident occurs, but the price tag is still far from final

The average cost of a data breach has risen 12% over the past five years to US$3.92 million globally, according to IBM’s 2019 Cost of a Data Breach study, which drew on input from more than 500 companies around the world that suffered a breach over the past year.

The rising financial impact was attributed to a trio of factors – the multi-year financial fallout from breaches, increased regulation, and the complexity of resolving criminal attacks.

The report comes at a time when several companies are facing the prospect of hefty bills for massive cyber-incidents. This includes Equifax in the United States and British Airways and Marriott Starwood in the United Kingdom.

For the first time this year, the study from IBM Security and Ponemon Institute also looked at the ‘long tail’ financial impacts of breaches. It found that while the compromised firm typically bears the financial brunt of the incident within the first year after it occurs, by no means is it ‘out of the woods’ so soon.

“While an average of 67% of data breach costs were realized within the first year after a breach, 22% accrued in the second year and another 11% accumulated more than two years after a breach. The long tail costs were higher in the second and third years for organizations in highly-regulated environments, such as healthcare, financial services, energy and pharmaceuticals,” reads the press release.

Among other findings, the report highlighted that in a number of ‘scenarios’ the financial consequences can climb even higher.

First, incidents tend to be costlier for firms breached by malicious actors than for those hit by human or system error. Malicious breaches not only accounted for more than half of the incidents under review, but also cost nearly US$1 million more than inadvertent breaches (US$4.45 million versus US$3.5 million).

In addition, for firms based in the US, the average cost of a breach climbed all the way to US$8.19 million, having risen by 130% over the past 14 years.

Typically, breaches weigh particularly heavily on healthcare organizations, which recorded the highest average cost (US$6.5 million) and topped the list for the ninth year in a row.

Regardless of the industry, however, a data breach can be downright devastating for a small and even mid-sized business. The study found that companies with fewer than 500 employees suffered losses of more than US$2.5 million on average. To put that into perspective, small businesses typically earn $50 million or less in annual revenue.

The average life cycle of a breach was 279 days. More precisely, on average it took companies 206 days to spot and another 73 days to contain the incident. When it comes to only malicious breaches, it took even longer – 314 days.

“Companies in the study who were able to detect and contain a breach in less than 200 days spent US$1.2 million less on the total cost of a breach,” according to the report. It outlined a slew of other factors that influenced the financial fallout, including the number of data records lost, whether the breach originated from a third party, and whether the company made extensive use of encryption.

In her excellent article last year, ESET security researcher Lysa Myers outlined how preparing for the worst can actually help firms avoid falling victim to such incidents in the first place.

24 Jul 2019 – 02:04PM

VLC player has a critical flaw – and there’s no patch yet

On the flip side, there are currently no known cases of the vulnerability being exploited in the wild

Germany’s national Computer Emergency Response Team (CERT-Bund) has issued a security advisory to alert users of VLC media player of a severe vulnerability affecting this extremely popular open-source software.

“A remote, anonymous attacker can exploit the vulnerability in VLC to execute arbitrary code, cause a denial-of-service condition, exfiltrate information, or manipulate files,” said CERT-Bund, which also discovered the security loophole.

The memory-corruption flaw is known to reside in the player’s latest release, but may also be present in earlier versions. It affects the program’s Windows, Linux and UNIX versions and has earned a score of 4 out of 5 on the German agency’s severity scale.

Meanwhile, according to the NIST National Vulnerability Database (NVD), the bug is ‘critical’, ranked 9.8 out of 10 on the Common Vulnerability Scoring System (CVSS) scale. It is caused by a heap-based buffer over-read and is classified under CWE-119. No privileges and no user interaction are said to be needed for successful exploitation of the vulnerability, which is tracked as CVE-2019-13615.

That said, a German tech website notes that exploitation may require a specially crafted .mp4 file, although neither CERT-Bund nor NVD mention this.

Crucially, a patch has yet to be created, and the timing of its rollout is unclear. According to the bugtracker maintained by VLC’s developer, VideoLAN, work on the fix has been assigned the highest priority. As of the time of writing, the patch is said to be 60% complete.

On the bright side, there are no known cases of the security hole being under active exploitation. Nevertheless, until the patch ships, the only workaround appears to be to refrain from using the player altogether.

VLC media player boasts more than 3.1 billion installs across various operating systems and release versions, so that figure is by no means equivalent to the number of affected systems.

22 Jul 2019 – 05:30PM

With FaceApp in the spotlight, new scams emerge

ESET researchers discover fraudulent schemes piggybacking on the popularity of the face-modifying tool FaceApp, using a fake “Pro” version of the application as a lure

The latest hype around the FaceApp application has attracted scammers who want to make a quick profit.

The FaceApp application, which offers various face-modifying filters, is available for both Android and iOS. While the app itself is free, some features, marked as “PRO”, are paid. Recent concerns about FaceApp privacy issues have generated a huge wave of media attention.

Scammers have been trying, to various ends, to exploit this wave of interest, using a fake “Pro” – yet free – version of the application as a lure. The fraudsters have also made an effort to spread the word about this fictitious version of the currently-viral app – at the time of writing this blogpost, a Google search for “FaceApp Pro” returns some 200,000 articles.

We have seen two ways the scammers try to make money from the non-existent “Pro” version of FaceApp.

In one of the scams we have seen, attackers have used a fake website that claims to offer the “premium” version of FaceApp for free.

Figure 1. A fraudulent website used in one of the scams

In reality, the scammers trick their victims into clicking through countless offers for installing other paid apps and subscriptions, ads, surveys, and so on. Victims also receive requests from various websites to allow displaying notifications. When enabled, these notifications lead to further fraudulent offers.

Figure 2. Notifications from the browser lead to further scams

During our test, we ended up with the regular, free version of FaceApp that is also available on Google Play. However, instead of Google Play, the app was downloaded from a popular file-sharing service, as seen in Figure 3. This means users could easily have ended up downloading malware had that been the attackers’ intention.

Figure 3. FaceApp presented as “FaceApp PRO” and downloaded from an unofficial source

The second type of scam includes YouTube videos, again promoting download links for a free “Pro” version of FaceApp. The shortened download links, however, point to apps whose only functionality is to make users install various additional apps from Google Play. One of the YouTube videos, seen in Figure 4, has over 150,000 views at the time of writing.

While this type of scam is typically used merely to deliver ads, the shortened links could lead to users installing malware in just one click. We have seen this happen in the past, for example with Fortnite used as a lure.

Figure 4. A YouTube video claiming to offer a link for downloading the installation package (APK) for a “FaceApp Pro” application for Android

The mentioned link was clicked over 96,000 times, which, however, doesn’t tell us much about the number of actual installations. (But still, serious businesses don’t even dream of such a high click rate.)

Figure 5. Statistics for the link leading to the fake “FaceApp Pro” installation package referenced in the YouTube video above

Hypes attract scammers, and the bigger the wave, the higher the risk of falling victim to a scam. Before joining the hype, users should remember to stick to basic security principles.

Regardless of how exciting the topic is, avoid downloading apps from sources other than official app stores, and examine the available information about the app (developer, rating, reviews, etc.). Especially in the Android ecosystem, there are fakes around every popular app or game; fortunately, security-conscious users have a good chance of telling the fakes from genuine offerings. As a safety net in case the user does fall victim to a scam, having a reputable security app installed on the mobile device can help prevent some of the negative consequences.

Indicators of Compromise (IoCs)

Hash                               ESET detection name
BB99A60D9F69A18B3D115D615C0E2FBD   Android/ScamApp.BX
BD45B786F58FA155B4ECF102DBF01FB5   Android/ScamApp.BY

19 Jul 2019 – 11:30AM

Okrum: Ke3chang group targets diplomatic missions

Tracking the malicious activities of the elusive Ke3chang APT group, ESET researchers have discovered new versions of malware families linked to the group, and a previously unreported backdoor

In this blogpost, we will sum up the findings published in full in our white paper “Okrum and Ketrican: An overview of recent Ke3chang group activity”.

The Ke3chang group, also known as APT15, is a threat group believed to be operating out of China. Its activities were traced back to 2010 in FireEye’s 2013 report on operation Ke3chang – a cyberespionage campaign directed at diplomatic organizations in Europe.

We have been tracking the malicious activities related to this threat actor and discovered a previously undocumented malware family with strong links to the Ke3chang group – a backdoor we named Okrum. According to ESET telemetry, Okrum was first detected in December 2016, and targeted diplomatic missions in Slovakia, Belgium, Chile, Guatemala and Brazil throughout 2017.

Furthermore, from 2015 to 2019, we detected new versions of known malware families attributed to the Ke3chang group – BS2005 backdoors from operation Ke3chang and the RoyalDNS malware, reported by NCC Group in 2018.

Note: New versions of operation Ke3chang malware from 2015-2019 are detected by ESET systems as Win32/Ketrican and collectively referred to as Ketrican backdoors/samples, marked with the relevant year, across our white paper and this blogpost.

2015: Ketrican

In 2015, we identified new suspicious activities in European countries. The group behind the attacks seemed to have a particular interest in Slovakia, where a big portion of the discovered malware samples was detected; Croatia, the Czech Republic and other countries were also affected.

Our technical analysis of the malware used in these attacks showed close ties to BS2005 backdoors from operation Ke3chang, and to a related TidePool malware family discovered by Palo Alto Networks in 2016 that targeted Indian embassies across the globe.

2016-2017: Okrum

The story continued in late 2016, when we discovered a new, previously unknown backdoor that we named Okrum. The malicious actors behind the Okrum malware were focused on the same targets in Slovakia that were previously targeted by Ketrican 2015 backdoors.

2017: Ketrican and RoyalDNS

We started connecting the dots when we discovered that the Okrum backdoor was used to drop a Ketrican backdoor, freshly compiled in 2017.

In 2017, the same entities that were affected by the Okrum malware (and by the 2015 Ketrican backdoors) again became targets of the malicious actors. This time, the attackers used new versions of the RoyalDNS malware and a Ketrican 2017 backdoor.

2018: Ketrican

In 2018, we discovered a new version of the Ketrican backdoor that featured some code improvements.

2019: Ketrican

The group continues to be active in 2019 – in March 2019, we detected a new Ketrican sample that has evolved from the 2018 Ketrican backdoor. It attacked the same targets as the backdoor from 2018.

This timeline of events shows that the attackers were focused on the same type of targets but were using different malicious toolsets to compromise them. In the process, they exposed Okrum, a formerly unknown project. Figure 1 shows ESET detections related to our investigation in the context of previously documented Ke3chang activity.

Figure 1. Timeline of previously documented Ke3chang group activity and ESET detections related to our investigation

Our research has shown that the Ketrican, Okrum, and RoyalDNS backdoors detected by ESET after 2015 are linked to previously documented Ke3chang group activity, and to each other, in a number of ways. These are the most important connections: 

  • Ketrican backdoors from 2015, 2017, 2018 and 2019 have all evolved from malware used in Operation Ke3chang
  • The RoyalDNS backdoor detected by ESET in 2017 is similar to the RoyalDNS backdoor used in previously reported attacks
  • Okrum is linked to Ketrican backdoors in that it was used to drop a Ketrican backdoor compiled in 2017
  • Okrum, Ketrican and RoyalDNS target the same type of organizations; some of the entities affected by Okrum were also targeted with one or more of Ketrican/RoyalDNS backdoors
  • Okrum has a similar modus operandi as previously documented Ke3chang malware – it is equipped with a basic set of backdoor commands and relies on manually typing shell commands and executing external tools for most of its malicious activity

Distribution and targets

According to our telemetry, Okrum was used to target diplomatic missions in Slovakia, Belgium, Chile, Guatemala, and Brazil, with the attackers showing a particular interest in Slovakia.

The operators of the malware tried to hide malicious traffic with its C&C server within regular network traffic by registering seemingly legitimate domain names. For example, the samples used against Slovak targets communicated with a domain name mimicking a Slovak map portal (support.slovakmaps[.]com). A similar masquerade was used in a sample detected in a Spanish speaking country in South America – the operators used a domain name that translates as “missions support” in Spanish (misiones.soportesisco[.]com).

How the Okrum malware was distributed to the targeted machines is a question that remains to be answered.

Technical details

The Okrum backdoor is a dynamic-link library that is installed and loaded by two earlier-stage components. During our investigation, the implementation of these two components was being changed frequently. Every few months, the authors actively changed implementation of the Okrum loader and installer components to avoid detection. By the time of publication, ESET systems have detected seven different versions of the loader component and two versions of the installer, although the functionality remained the same.

The payload of Okrum is hidden in a PNG file. When the file is viewed in an image viewer, a familiar image is displayed, as seen in Figure 2, but the Okrum loaders are able to locate an extra encrypted file that the user cannot see. This steganography technique is an attempt by the malicious actors to stay unnoticed and evade detection.

Figure 2. An innocuous-looking PNG image with an encrypted malicious DLL embedded inside
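The technique above relies on the fact that image viewers stop reading a PNG at its IEND chunk and skip chunk types they do not understand, so extra data can ride along without changing what is displayed. The following Python script is an added example, not code from ESET or from the Okrum analysis, that a defender could run over image files pulled from a suspect host: it walks the chunk list, reports any bytes after IEND, any non-standard chunk types and any CRC mismatches, and measures the entropy of trailing data (encrypted payloads look close to uniformly random). The page does not say exactly where the Okrum loaders look for the hidden file, so both generic hiding places are checked; the 64-byte minimum and the 7.0 bits/byte entropy threshold, the sample 1x1 image and the `stEg` chunk name are all constructed assumptions.

```python
import math
import struct
import zlib

PNG_SIGNATURE = b"\x89PNG\r\n\x1a\n"
# Chunk types defined by the PNG specification; anything else deserves a closer look.
STANDARD_CHUNKS = {
    "IHDR", "PLTE", "IDAT", "IEND", "tRNS", "cHRM", "gAMA", "iCCP", "sBIT",
    "sRGB", "tEXt", "zTXt", "iTXt", "bKGD", "hIST", "pHYs", "sPLT", "tIME",
}


def shannon_entropy(data: bytes) -> float:
    """Bits of entropy per byte: 0.0 for empty or constant input, 8.0 for uniform bytes."""
    if not data:
        return 0.0
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in counts if c)


def png_chunk(ctype: bytes, body: bytes) -> bytes:
    """Serialize one chunk: big-endian length, 4-byte type, data, CRC-32 over type+data."""
    crc = zlib.crc32(ctype + body) & 0xFFFFFFFF
    return struct.pack(">I", len(body)) + ctype + body + struct.pack(">I", crc)


def build_png(extra_chunks=()) -> bytes:
    """Constructed 1x1 RGB image used as sample input; extra_chunks go in before IEND."""
    ihdr = struct.pack(">IIBBBBB", 1, 1, 8, 2, 0, 0, 0)  # 1x1, 8 bits, colour type 2 (RGB)
    idat = zlib.compress(b"\x00\xff\x00\x00")            # filter byte 0 + one red pixel
    body = png_chunk(b"IHDR", ihdr) + png_chunk(b"IDAT", idat)
    for ctype, data in extra_chunks:
        body += png_chunk(ctype, data)
    return PNG_SIGNATURE + body + png_chunk(b"IEND", b"")


def analyze_png(data: bytes, entropy_threshold: float = 7.0) -> dict:
    """Walk the chunk list up to IEND and report what an image viewer would silently ignore."""
    if not data.startswith(PNG_SIGNATURE):
        raise ValueError("not a PNG file")
    pos = len(PNG_SIGNATURE)
    unusual, bad_crc = [], []
    end = None
    while pos + 8 <= len(data):
        length, raw_type = struct.unpack(">I4s", data[pos:pos + 8])
        ctype = raw_type.decode("latin-1")
        crc_off = pos + 8 + length
        if crc_off + 4 > len(data):
            raise ValueError(f"truncated {ctype} chunk")
        stored_crc = struct.unpack(">I", data[crc_off:crc_off + 4])[0]
        if stored_crc != zlib.crc32(data[pos + 4:crc_off]) & 0xFFFFFFFF:
            bad_crc.append(ctype)          # tampered or hand-built chunk
        if ctype not in STANDARD_CHUNKS:
            unusual.append(ctype)          # private/unknown chunk: a classic hiding place
        pos = crc_off + 4
        if ctype == "IEND":
            end = pos
            break
    if end is None:
        raise ValueError("no IEND chunk")
    trailing = data[end:]                  # bytes after IEND are never rendered
    trailing_entropy = shannon_entropy(trailing)
    suspicious = bool(unusual or bad_crc or
                      (len(trailing) >= 64 and trailing_entropy >= entropy_threshold))
    return {
        "trailing_bytes": len(trailing),
        "trailing_entropy": round(trailing_entropy, 3),
        "unusual_chunks": unusual,
        "crc_mismatches": bad_crc,
        "suspicious": suspicious,
    }


if __name__ == "__main__":
    clean = build_png()
    print("clean image:", analyze_png(clean))
    # Constructed stand-in for an encrypted blob: every byte value equally often (entropy 8.0).
    fake_payload = bytes(range(256)) * 16
    print("appended after IEND:", analyze_png(clean + fake_payload))
    print("inside a private chunk:", analyze_png(build_png([(b"stEg", fake_payload)])))
```

Running the script on real images needs only `analyze_png(open(path, "rb").read())`. Compressed text chunks (zTXt, iCCP) are legitimately high-entropy, which is why the entropy check is applied only to data after IEND; unknown chunk types are flagged regardless of content and should be triaged by hand.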

As for functionality, Okrum is only equipped with basic backdoor commands, such as downloading and uploading files, executing files and shell commands. Most of the malicious activity has to be performed by typing shell commands manually, or by executing other tools and software. This is a common practice of the Ke3chang group, which had also been pointed out previously in the Intezer and NCC Group reports monitoring Ke3chang group activity.

Indeed, we have detected various external tools being abused by Okrum, such as a keylogger, tools for dumping passwords, or enumerating network sessions. The Ketrican backdoors we detected from 2015 to 2019 used similar utilities. We can only guess why the Ke3chang actor uses this technique – maybe the combination of a simple backdoor and external tools fully accommodates their needs, while being easier to develop; but it may also be an attempt to evade behavioral detection.

The detection evasion techniques we observed in the Okrum malware include embedding the malicious payload within a legitimate PNG image, employing several anti-emulation and anti-sandbox tricks, as well as making frequent changes in implementation.

Our analysis of the links between previously documented Ke3chang malware and the newly discovered Okrum backdoor lets us claim with high confidence that Okrum is operated by the Ke3chang group. Having documented Ke3chang group activity from 2015 to 2019, we conclude that the group continues to be active and works on improving its code over time.

ESET detection names and other Indicators of Compromise for these campaigns can be found in the full white paper: “Okrum and Ketrican: An overview of recent Ke3chang group activity”.

MITRE ATT&CK techniques (Tactic / ID / Name / Description)

Execution
  T1059 Command-Line Interface: Okrum’s backdoor uses cmd.exe to execute arbitrary commands.
  T1064 Scripting: The backdoor uses batch scripts to update itself to a newer version.
  T1035 Service Execution: The Stage 1 loader creates a new service named NtmsSvc to execute the payload.

Persistence
  T1050 New Service: To establish persistence, Okrum installs itself as a new service named NtmsSvc.
  T1060 Registry Run Keys / Startup Folder: Okrum establishes persistence by creating a .lnk shortcut to itself in the Startup folder.
  T1053 Scheduled Task: The installer component tries to achieve persistence by creating a scheduled task.
  T1023 Shortcut Modification: Okrum establishes persistence by creating a .lnk shortcut to itself in the Startup folder.

Privilege Escalation
  T1134 Access Token Manipulation: Okrum can impersonate a logged-on user’s security context using a call to the ImpersonateLoggedOnUser API.

Defense Evasion
  T1140 Deobfuscate/Decode Files or Information: The Stage 1 loader decrypts the backdoor code, embedded within the loader or within a legitimate PNG file. A custom XOR cipher or RC4 is used for decryption.
  T1107 File Deletion: Okrum’s backdoor deletes files after they have been successfully uploaded to C&C servers.
  T1158 Hidden Files and Directories: Before exfiltration, Okrum’s backdoor uses hidden files to store logs and outputs from backdoor commands.
  T1066 Indicator Removal from Tools: Okrum underwent regular technical improvements to evade antivirus detection.
  T1036 Masquerading: Okrum establishes persistence by adding a new service NtmsSvc with the display name Removable Storage in an attempt to masquerade as a legitimate Removable Storage Manager.
  T1027 Obfuscated Files or Information: Okrum’s payload is encrypted and embedded within the Stage 1 loader, or within a legitimate PNG file.
  T1497 Virtualization/Sandbox Evasion: The Stage 1 loader performs several checks on the victim’s machine to avoid being emulated or executed in a sandbox.

Credential Access
  T1003 Credential Dumping: Okrum was seen using MimikatzLite and modified Quarks PwDump to perform credential dumping.

Discovery
  T1083 File and Directory Discovery: Okrum was seen using DriveLetterView to enumerate drive information.
  T1082 System Information Discovery: Okrum collects computer name, locale information, and information about the OS and architecture.
  T1016 System Network Configuration Discovery: Okrum collects network information, including host IP address, DNS and proxy information.
  T1049 System Network Connections Discovery: Okrum used NetSess to discover NetBIOS sessions.
  T1033 System Owner/User Discovery: Okrum collects the victim user name.
  T1124 System Time Discovery: Okrum can obtain the date and time of the compromised system.

Collection
  T1056 Input Capture: Okrum was seen using a keylogger tool to capture keystrokes.

Exfiltration
  T1002 Data Compressed: Okrum was seen using a RAR archiver tool to compress data.
  T1022 Data Encrypted: Okrum uses AES encryption and base64 encoding of files before exfiltration.
  T1041 Exfiltration Over Command and Control Channel: Data exfiltration is done using the already opened channel with the C&C server.

Command And Control
  T1043 Commonly Used Port: Okrum uses port 80 for C&C.
  T1090 Connection Proxy: Okrum identifies a proxy server if it exists and uses it to make HTTP requests.
  T1132 Data Encoding: The communication with the C&C server is base64 encoded.
  T1001 Data Obfuscation: The communication with the C&C server is hidden in the Cookie and Set-Cookie headers of HTTP requests.
  T1071 Standard Application Layer Protocol: Okrum uses HTTP for communication with its C&C.
  T1032 Standard Cryptographic Protocol: Okrum uses AES to encrypt network traffic. The key can be hardcoded or negotiated with the C&C server in the registration phase.
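The T1001, T1132 and T1032 entries together describe a C&C channel that is AES-encrypted, base64-encoded and carried in Cookie and Set-Cookie headers over plain HTTP on port 80. Such traffic can be hunted for at a proxy or in packet captures without knowing the key, because AES ciphertext decodes to near-uniform bytes while ordinary session cookies are short or low-entropy. The Python below is an added example written for this page, not ESET tooling and not a signature for Okrum specifically: it parses raw HTTP header blocks, pulls every cookie value from Cookie and Set-Cookie headers, and flags values that are strict base64, decode to at least 256 bytes and have entropy of at least 7.0 bits per byte. The two sample header blocks, the `PHPSESSID` cookie name and both thresholds are constructed assumptions.

```python
import base64
import binascii
import math
import re

# Standard base64 alphabet with correct padding; anything looser is not worth decoding.
BASE64_RE = re.compile(r"^(?:[A-Za-z0-9+/]{4})*(?:[A-Za-z0-9+/]{2}==|[A-Za-z0-9+/]{3}=)?$")


def shannon_entropy(data: bytes) -> float:
    """Bits of entropy per byte of the decoded cookie value."""
    if not data:
        return 0.0
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in counts if c)


def parse_headers(raw: str) -> list:
    """Return (lower-cased name, value) pairs from a raw request or response header block."""
    headers = []
    for line in raw.strip().splitlines()[1:]:   # skip the request/status line
        if ":" in line:
            name, value = line.split(":", 1)
            headers.append((name.strip().lower(), value.strip()))
    return headers


def cookie_values(headers):
    """Yield (cookie_name, cookie_value) from Cookie and Set-Cookie headers."""
    for name, value in headers:
        if name == "cookie":
            parts = value.split(";")            # several name=value pairs
        elif name == "set-cookie":
            parts = value.split(";")[:1]        # first pair; Path=, Expires= etc. follow
        else:
            continue
        for part in parts:
            if "=" in part:
                k, v = part.strip().split("=", 1)
                yield k.strip(), v.strip()


def score_cookie(value: str, min_decoded_len: int = 256, entropy_threshold: float = 7.0):
    """Return (flagged, decoded_len, entropy). Short or non-base64 values are never flagged.
    The length floor matters: Shannon entropy of n bytes is capped at log2(n), so a
    7-bit threshold is only meaningful once a few hundred bytes are present."""
    if len(value) < 4 or not BASE64_RE.match(value):
        return False, 0, 0.0
    try:
        decoded = base64.b64decode(value, validate=True)
    except binascii.Error:
        return False, 0, 0.0
    ent = shannon_entropy(decoded)
    return (len(decoded) >= min_decoded_len and ent >= entropy_threshold), len(decoded), ent


def find_suspicious_cookies(raw_http: str) -> list:
    """List of (cookie_name, decoded_len, entropy) for cookies that look like ciphertext."""
    hits = []
    for k, v in cookie_values(parse_headers(raw_http)):
        flagged, n, ent = score_cookie(v)
        if flagged:
            hits.append((k, n, round(ent, 2)))
    return hits


# Constructed samples. The "ciphertext" is a stand-in with every byte value occurring
# equally often, which gives the 8.0 bits/byte that a real AES blob approaches.
_FAKE_CIPHERTEXT = base64.b64encode(bytes(range(256)) * 2).decode("ascii")

BENIGN_REQUEST = (
    "GET /index.html HTTP/1.1\r\n"
    "Host: www.example.com\r\n"
    "Cookie: sessionid=abc123def456; theme=dark\r\n\r\n"
)
C2_LIKE_REQUEST = (
    "POST /update.php HTTP/1.1\r\n"
    "Host: support.example.invalid\r\n"
    f"Cookie: PHPSESSID={_FAKE_CIPHERTEXT}\r\n\r\n"
)
C2_LIKE_RESPONSE = (
    "HTTP/1.1 200 OK\r\n"
    f"Set-Cookie: PHPSESSID={_FAKE_CIPHERTEXT}; Path=/\r\n"
    "Content-Length: 0\r\n\r\n"
)

if __name__ == "__main__":
    for label, block in (("benign", BENIGN_REQUEST), ("request", C2_LIKE_REQUEST),
                         ("response", C2_LIKE_RESPONSE)):
        print(label, find_suspicious_cookies(block))
```

Treat a hit as a hunting lead rather than a verdict: frameworks that store compressed, serialized session state client-side also produce long high-entropy cookies, so baseline the thresholds against the applications in use before alerting, and pair the check with the other indicators on the page (HTTP to a newly registered look-alike domain on port 80, a process that is not a browser making the requests).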

18 Jul 2019 – 11:30AM

BlueKeep patching isn’t progressing fast enough

Keeping up with BlueKeep; or how many internet-facing systems, and in which countries and industries, remain ripe for exploitation?

As of early July, more than 805,000 internet-facing systems remained susceptible to the BlueKeep security vulnerability, the news of which spooked the internet two months ago and prompted a flurry of alerts urging users and organizations to patch the critical flaw post-haste.

The tally, released today by cybersecurity ratings company BitSight, also shows that the number of vulnerable public-facing machines fell by 17 percent between May 31st and July 2nd, after the firm’s previous scan from the end of May put their number at almost 973,000. That said, neither figure includes computers that are within networks and are hidden from view, but may still be susceptible to lateral attacks.

In addition, BitSight looked at mitigation progress in various industries. While “progress has been made across the board”, legal, non-profit/NGOs and Aerospace/Defense have been the most responsive industries addressing BlueKeep. Meanwhile, the list of laggards includes consumer goods, utilities, and technology industries. Telecom and education are deemed to be the most exposed overall.

When it comes to countries, organizations in China and the United States remain the most exposed, although both of them have also made the biggest strides in patching the flaw.

Why worry?

As discussed in greater length in one of our recent articles, the BlueKeep vulnerability resides in a Windows component known as Remote Desktop Services. The flaw, designated CVE-2019-0708, affects Windows XP, Windows 7, Windows Server 2003 and Windows Server 2008. By contrast, Windows 8 and Windows 10 are not affected.

Worries abound that an exploit targeting the Remote Code Execution (RCE) vulnerability could soon be let loose on the internet and cause untold damage, providing attackers with access to a system via a backdoor and without requiring user credentials or interaction. Additionally, the flaw is ‘wormable’, meaning that exploits might use it to spread malware within or outside of networks much like WannaCryptor, also known as WannaCry, did in May 2017.

Since rolling out the patch on May 14th, Microsoft has issued two alerts urging users and admins to install the fix. The United States’ National Security Agency (NSA) and, most recently, also the Cybersecurity and Infrastructure Security Agency (CISA) of the US Department of Homeland Security (DHS) have both issued rare warnings of their own.

Security researchers have been able to create several proof-of-concept exploits, but none of them are publicly available. Fortunately, there is no evidence of BlueKeep being exploited in the wild, although it is widely believed that it won’t take long before cybercriminals deploy a working exploit of their own.

17 Jul 2019 – 08:53PM

How your Instagram account could have been hijacked

A researcher found that it was possible to subvert the platform’s password recovery mechanism and take control of user accounts

An independent researcher has found a security loophole in Instagram’s mobile password recovery flow that could have allowed attackers to break into user accounts.

The flaw, discovered and reported by India-based researcher Laxman Muthiyah, has since been fixed by Instagram’s owner, Facebook. The researcher, meanwhile, received a bug bounty payout of US$30,000 for his work.

Muthiyah, who has a history of spotting bugs in Facebook, said that his latest bug hunting effort was prompted by Facebook’s recent decision to increase payouts for vulnerabilities that can lead to account takeovers. Instagram’s web interface with a link-based password reset is not susceptible to the vulnerability.

As described in this posting and demonstrated in this proof-of-concept video, the security hole had to do with how the photo-sharing service enabled users to regain access to their accounts in case they’d forgotten their password.

As part of the password recovery process, you receive a six-digit code at your recovery phone number that you’re asked to enter into the app as a way of validating your identity. The code expires after 10 minutes, and Instagram has additional safeguards in place to foil brute-force attacks on the code, where ne’er-do-wells would try to ram their way in by trying out all possible combinations in a bid to arrive at the correct one. With six digits from 0-9, there would be no fewer and no more than a million possibilities to try.

Still, Muthiyah demonstrated that the process could be subverted.

Hazarding a guess

The good thing is that the photo-sharing service puts a cap on the number of attempts that can be made from a particular IP address within the 10-minute window. As a result, Muthiyah initially found that only 250 out of 1,000 requests he’d sent eventually went through while the rest ended up rate-limited, or effectively denied.

However, he realized that he “was able to send requests continuously without getting blocked”, even though the number of requests sent within a time span was indeed restricted.

“After a few days of continuous testing, I found two things that allowed me to bypass their rate limiting mechanism,” he said. The two things were a race hazard and an IP rotation. “Sending concurrent requests using multiple IPs allowed me to send a large number of requests without getting limited,” he said.

Long story short, Muthiyah co-opted 1,000 IP addresses from cloud-based services for the task and tried out 200,000 code combinations against a test account.

“In a real attack scenario, the attacker needs 5000 IPs to hack an account. It sounds big but that’s actually easy if you use a cloud service provider like Amazon or Google. It would cost around 150 dollars to perform the complete attack of one million codes,” he wrote. Generally speaking, brute-force techniques are also associated with botnets.
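The weakness described above is that the attempt budget was tracked per source IP, so it scaled with the number of addresses an attacker could rent, and the check was not atomic, so concurrent requests could slip past it. The Python below is an added example, not Instagram’s code or the researcher’s proof of concept, that shows the defensive fix: a verifier that charges every guess against a per-account budget, consumes that budget inside a single lock so parallel requests cannot race it, and makes the code single-use. A small simulation fires guesses from rotating addresses at both a per-IP-only verifier and the hardened one. The account budget of 10 attempts, the per-IP limit of 250 (the figure quoted in the article), the 20 addresses from the 203.0.113.0/24 documentation range and the code 999999 are constructed assumptions.

```python
import threading
from collections import defaultdict


class RecoveryCodeVerifier:
    """Verifies a six-digit recovery code with an attempt budget enforced per account.

    mode="ip_only"  reproduces the flawed design: only the per-IP counter limits guesses.
    mode="account"  adds a per-account budget that is checked and consumed under one lock,
                    so rotating IPs or sending requests concurrently does not enlarge it.
    """

    def __init__(self, mode="account", max_attempts=10, per_ip_limit=250):
        if mode not in ("ip_only", "account"):
            raise ValueError("unknown mode")
        self.mode = mode
        self.max_attempts = max_attempts
        self.per_ip_limit = per_ip_limit
        self._lock = threading.Lock()
        self._codes = {}                    # account -> outstanding code
        self._attempts = defaultdict(int)   # account -> guesses consumed
        self._ip_attempts = defaultdict(int)
        self.evaluated = 0                  # instrumentation: guesses actually compared

    def issue_code(self, account, code):
        with self._lock:
            self._codes[account] = code
            self._attempts[account] = 0

    def verify(self, account, guess, ip):
        with self._lock:   # check-and-consume is one critical section: no race window
            if self._ip_attempts[ip] >= self.per_ip_limit:
                return "rate_limited"
            self._ip_attempts[ip] += 1
            if self.mode == "account":
                if self._attempts[account] >= self.max_attempts:
                    return "locked"          # budget exhausted regardless of source IP
                self._attempts[account] += 1
            self.evaluated += 1
            if self._codes.get(account) == guess:
                self._codes.pop(account, None)   # single-use: a correct code cannot be replayed
                return "ok"
            return "wrong"


def simulate_rotating_ips(mode, n_ips=20, per_ip_limit=250, threads=8):
    """Send n_ips * per_ip_limit wrong guesses, spread over n_ips addresses and several
    threads, and return how many the verifier actually evaluated."""
    v = RecoveryCodeVerifier(mode=mode, per_ip_limit=per_ip_limit)
    v.issue_code("victim", "999999")         # constructed; outside the guessed range
    guesses = [f"{i:06d}" for i in range(n_ips * per_ip_limit)]
    ips = [f"203.0.113.{i}" for i in range(n_ips)]   # TEST-NET-3 documentation addresses

    def worker(start):
        for k in range(start, len(guesses), threads):
            v.verify("victim", guesses[k], ips[k % n_ips])

    workers = [threading.Thread(target=worker, args=(s,)) for s in range(threads)]
    for w in workers:
        w.start()
    for w in workers:
        w.join()
    return v.evaluated


if __name__ == "__main__":
    print("per-IP limit only, 20 rotating IPs:", simulate_rotating_ips("ip_only"), "guesses evaluated")
    print("per-account budget, same traffic:  ", simulate_rotating_ips("account"), "guesses evaluated")
```

With the per-IP design every one of the 5,000 guesses is evaluated because each address stays under its own cap, which is exactly why adding addresses scales the attack; with the per-account budget the count stops at 10 no matter how many addresses or threads are used. In a deployment with several application servers the lock has to become an atomic operation on shared state (for instance a single increment-and-compare in the session store), otherwise the race the researcher exploited reappears between servers.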

In conclusion, on top of using a strong and unique password to access (not only) your Instagram account, it’s always best to rely also on an extra authentication factor, and the platform recently expanded its two-factor authentication options. Last month, the site also announced the testing of a new in-app process for users to regain access to accounts that have been taken over by cybercriminals.

16 Jul 2019 – 05:36PM