{ "Event": { "analysis": "2", "date": "2016-12-01", "extends_uuid": "", "info": "OSINT - New SmsSecurity Variant Roots Phones, Abuses Accessibility Features and TeamViewer", "publish_timestamp": "1480590692", "published": true, "threat_level_id": "3", "timestamp": "1480590587", "uuid": "584003cf-ec58-48c8-933e-4172950d210f", "Orgc": { "name": "CIRCL", "uuid": "55f6ea5e-2c60-40e5-964f-47a8950d210f" }, "Tag": [ { "colour": "#ffffff", "name": "tlp:white" }, { "colour": "#37ab00", "name": "enisa:nefarious-activity-abuse=\"mobile-malware\"" }, { "colour": "#6edb00", "name": "circl:topic=\"finance\"" }, { "colour": "#001cad", "name": "estimative-language:likelihood-probability=\"very-likely\"" } ], "Attribute": [ { "category": "Other", "comment": "", "deleted": false, "disable_correlation": false, "timestamp": "1480590373", "to_ids": false, "type": "comment", "uuid": "58400425-0490-4bb9-80ec-4454950d210f", "value": "In January of 2016, we found various \u201cSmsSecurity\u201d mobile apps that claimed to be from various banks. These apps supposedly generated one-time passwords (OTPs) that account holders could use to log into the bank; instead they turned out to be malicious apps that stole any password sent via SMS messages. These apps were also capable of receiving commands from a remote attacker, allowing them to take control of a user\u2019s device.\r\n\r\nSince then, we\u2019ve found some new variants of this attack that add new malicious capabilities. These capabilities include: anti-analysis measures, automatic rooting, language detection, and remote access via TeamViewer. In addition, SmsSecurity now cleverly uses the accessibility features of Android to help carry out its routines in a stealthy manner, without interaction from the user. We detect these malicious apps as ANDROIDOS_FAKEBANK.OPSA." 
}, { "category": "External analysis", "comment": "", "deleted": false, "disable_correlation": false, "timestamp": "1480590390", "to_ids": false, "type": "link", "uuid": "58400436-13f4-4c54-a3fd-d943950d210f", "value": "http://blog.trendmicro.com/trendlabs-security-intelligence/new-smssecurity-variant-roots-phones-abuses-accessibility-features-teamviewer" }, { "category": "Payload delivery", "comment": "ANDROIDOS_FAKEBANK.OPSA", "deleted": false, "disable_correlation": false, "timestamp": "1480590420", "to_ids": true, "type": "sha1", "uuid": "58400454-171c-4465-99be-b82a950d210f", "value": "323bf07667bf9d65055f80a15a90508e99e05632" }, { "category": "Payload delivery", "comment": "ANDROIDOS_FAKEBANK.OPSA", "deleted": false, "disable_correlation": false, "timestamp": "1480590420", "to_ids": true, "type": "sha1", "uuid": "58400454-b7a0-49df-890f-b82a950d210f", "value": "d84353986ee05ac61308063271ade3f8f2876ef9" }, { "category": "Payload delivery", "comment": "ANDROIDOS_FAKEBANK.OPSA", "deleted": false, "disable_correlation": false, "timestamp": "1480590420", "to_ids": true, "type": "sha1", "uuid": "58400454-b8d8-4f88-8f62-b82a950d210f", "value": "8d0dfd97194f8aef5a15f16e2d410af1f3dcfeae" }, { "category": "Network activity", "comment": "The following command-and-control (C&C) servers were used by variants", "deleted": false, "disable_correlation": false, "timestamp": "1480590447", "to_ids": true, "type": "url", "uuid": "5840046f-4aa8-4a52-ad8b-4249950d210f", "value": "http://clubk-ginza.net/css/3.php" }, { "category": "Network activity", "comment": "The following command-and-control (C&C) servers were used by variants", "deleted": false, "disable_correlation": false, "timestamp": "1480590447", "to_ids": true, "type": "url", "uuid": "5840046f-a8c0-41dd-83c4-4624950d210f", "value": "http://edda-mally.at/css/3.php" }, { "category": "Network activity", "comment": "The following command-and-control (C&C) servers were used by variants", "deleted": false, 
"disable_correlation": false, "timestamp": "1480590447", "to_ids": true, "type": "url", "uuid": "5840046f-d7ec-4fda-88d0-4874950d210f", "value": "http://gruposoluciomatica.com.br/os3/inc/main.php" }, { "category": "Network activity", "comment": "The following command-and-control (C&C) servers were used by variants", "deleted": false, "disable_correlation": false, "timestamp": "1480590447", "to_ids": true, "type": "url", "uuid": "5840046f-c7f0-4ce6-9afe-41e9950d210f", "value": "http://izmirsatranckursu.net/includes/main.php" }, { "category": "Network activity", "comment": "The following command-and-control (C&C) servers were used by variants", "deleted": false, "disable_correlation": false, "timestamp": "1480590448", "to_ids": true, "type": "url", "uuid": "58400470-d4b0-48fd-b9ac-4c67950d210f", "value": "http://jbrianwashman.com/images/photo26962/main.php" }, { "category": "Network activity", "comment": "The following command-and-control (C&C) servers were used by variants", "deleted": false, "disable_correlation": false, "timestamp": "1480590448", "to_ids": true, "type": "url", "uuid": "58400470-6ad8-424f-94dc-4d60950d210f", "value": "http://losbalonazos.com/wp-admin/3.php" }, { "category": "Network activity", "comment": "The following command-and-control (C&C) servers were used by variants", "deleted": false, "disable_correlation": false, "timestamp": "1480590448", "to_ids": true, "type": "url", "uuid": "58400470-7a78-4a71-a237-4b31950d210f", "value": "http://moseybook.com/blog/wp-includes/main.php" }, { "category": "Network activity", "comment": "The following command-and-control (C&C) servers were used by variants", "deleted": false, "disable_correlation": false, "timestamp": "1480590448", "to_ids": true, "type": "url", "uuid": "58400470-a5ac-49fc-84f5-4a4b950d210f", "value": "http://naritamemorial.com/analog/3.php" }, { "category": "Network activity", "comment": "The following command-and-control (C&C) servers were used by variants", "deleted": false, 
"disable_correlation": false, "timestamp": "1480590449", "to_ids": true, "type": "url", "uuid": "58400471-870c-4b6c-bf7e-4015950d210f", "value": "http://pplweb.pplmotorhomes.com/includes/main.php" }, { "category": "Network activity", "comment": "The following command-and-control (C&C) servers were used by variants", "deleted": false, "disable_correlation": false, "timestamp": "1480590449", "to_ids": true, "type": "url", "uuid": "58400471-28ac-4d9f-8281-4b52950d210f", "value": "http://sedalbi.com/img/main.php" }, { "category": "Network activity", "comment": "The following command-and-control (C&C) servers were used by variants", "deleted": false, "disable_correlation": false, "timestamp": "1480590449", "to_ids": true, "type": "url", "uuid": "58400471-90f4-42ea-ad64-4cca950d210f", "value": "http://szaivert-numis.at/standardbilder/dll/3.php" }, { "category": "Network activity", "comment": "The following command-and-control (C&C) servers were used by variants", "deleted": false, "disable_correlation": false, "timestamp": "1480590449", "to_ids": true, "type": "url", "uuid": "58400471-7f5c-4863-be26-44d2950d210f", "value": "http://www.ircvenezia.it/free/main.php" }, { "category": "Network activity", "comment": "The following command-and-control (C&C) servers were used by variants", "deleted": false, "disable_correlation": false, "timestamp": "1480590450", "to_ids": true, "type": "url", "uuid": "58400472-36dc-4b9e-abba-4cc2950d210f", "value": "http://www.oguhtell.ch/cart/3.php" }, { "category": "Network activity", "comment": "The following command-and-control (C&C) servers were used by variants", "deleted": false, "disable_correlation": false, "timestamp": "1480590450", "to_ids": true, "type": "url", "uuid": "58400472-bcc4-4701-aa67-4f13950d210f", "value": "http://www.santamariagorettimestre.it/img/main.php" }, { "category": "Network activity", "comment": "The following command-and-control (C&C) servers were used by variants", "deleted": false, "disable_correlation": 
false, "timestamp": "1480590450", "to_ids": true, "type": "url", "uuid": "58400472-46c0-440d-aeb7-4704950d210f", "value": "http://www.vanca.com/media/3.php" }, { "category": "Targeting data", "comment": "", "deleted": false, "disable_correlation": false, "timestamp": "1480590490", "to_ids": false, "type": "target-org", "uuid": "5840049a-e6b4-4da7-a071-4666950d210f", "value": "Aargauische Kantonalbank" }, { "category": "Targeting data", "comment": "", "deleted": false, "disable_correlation": false, "timestamp": "1480590491", "to_ids": false, "type": "target-org", "uuid": "5840049b-b858-4d3b-8819-472e950d210f", "value": "Bank Austria" }, { "category": "Targeting data", "comment": "", "deleted": false, "disable_correlation": false, "timestamp": "1480590491", "to_ids": false, "type": "target-org", "uuid": "5840049b-1fc4-4e76-9646-46c6950d210f", "value": "Banque Cantonale de Fribourg" }, { "category": "Targeting data", "comment": "", "deleted": false, "disable_correlation": false, "timestamp": "1480590491", "to_ids": false, "type": "target-org", "uuid": "5840049b-de64-49e2-bc68-44f1950d210f", "value": "BKB Bank" }, { "category": "Targeting data", "comment": "", "deleted": false, "disable_correlation": false, "timestamp": "1480590491", "to_ids": false, "type": "target-org", "uuid": "5840049b-23ec-4710-abf4-4839950d210f", "value": "Credit Suisse" }, { "category": "Targeting data", "comment": "", "deleted": false, "disable_correlation": false, "timestamp": "1480590492", "to_ids": false, "type": "target-org", "uuid": "5840049c-dc4c-4899-ac27-4188950d210f", "value": "Glarner Kantonalbank" }, { "category": "Targeting data", "comment": "", "deleted": false, "disable_correlation": false, "timestamp": "1480590492", "to_ids": false, "type": "target-org", "uuid": "5840049c-71e0-49ab-9a17-4620950d210f", "value": "Luzerner Kantonalbank" }, { "category": "Targeting data", "comment": "", "deleted": false, "disable_correlation": false, "timestamp": "1480590492", "to_ids": false, 
"type": "target-org", "uuid": "5840049c-5dac-488e-b24b-457d950d210f", "value": "Ober Bank" }, { "category": "Targeting data", "comment": "", "deleted": false, "disable_correlation": false, "timestamp": "1480590492", "to_ids": false, "type": "target-org", "uuid": "5840049c-7e84-45a0-b8ce-44e0950d210f", "value": "Obwaldner Kantonalbank" }, { "category": "Targeting data", "comment": "", "deleted": false, "disable_correlation": false, "timestamp": "1480590492", "to_ids": false, "type": "target-org", "uuid": "5840049c-7538-414b-b391-46e2950d210f", "value": "Raiffeisen Bank" }, { "category": "Targeting data", "comment": "", "deleted": false, "disable_correlation": false, "timestamp": "1480590493", "to_ids": false, "type": "target-org", "uuid": "5840049d-5230-4978-9ca6-47f7950d210f", "value": "Schaffhauser Kantonalbank" }, { "category": "Targeting data", "comment": "", "deleted": false, "disable_correlation": false, "timestamp": "1480590493", "to_ids": false, "type": "target-org", "uuid": "5840049d-6af8-4467-b9f8-4644950d210f", "value": "Sparkasse" }, { "category": "Targeting data", "comment": "", "deleted": false, "disable_correlation": false, "timestamp": "1480590493", "to_ids": false, "type": "target-org", "uuid": "5840049d-da18-4052-93ad-41bb950d210f", "value": "Volksbank" }, { "category": "Targeting data", "comment": "", "deleted": false, "disable_correlation": false, "timestamp": "1480590493", "to_ids": false, "type": "target-org", "uuid": "5840049d-43b8-4505-9f90-49c1950d210f", "value": "Z\u00fcrcher Kantonalbank" }, { "category": "Payload delivery", "comment": "ANDROIDOS_FAKEBANK.OPSA - Xchecked via VT: 8d0dfd97194f8aef5a15f16e2d410af1f3dcfeae", "deleted": false, "disable_correlation": false, "timestamp": "1480590588", "to_ids": true, "type": "sha256", "uuid": "584004fc-10f8-4b8e-9b38-b82a02de0b81", "value": "448d0cb7c84f79233908d9387c81551f50f5288597dd71432c641c7c29683186" }, { "category": "Payload delivery", "comment": "ANDROIDOS_FAKEBANK.OPSA - Xchecked 
via VT: 8d0dfd97194f8aef5a15f16e2d410af1f3dcfeae", "deleted": false, "disable_correlation": false, "timestamp": "1480590588", "to_ids": true, "type": "md5", "uuid": "584004fc-6104-4404-9c1e-b82a02de0b81", "value": "032f7b1e11010a0d9abb6bcfd805e31a" }, { "category": "External analysis", "comment": "ANDROIDOS_FAKEBANK.OPSA - Xchecked via VT: 8d0dfd97194f8aef5a15f16e2d410af1f3dcfeae", "deleted": false, "disable_correlation": false, "timestamp": "1480590588", "to_ids": false, "type": "link", "uuid": "584004fc-4cbc-4e76-8ada-b82a02de0b81", "value": "https://www.virustotal.com/file/448d0cb7c84f79233908d9387c81551f50f5288597dd71432c641c7c29683186/analysis/1471948127/" }, { "category": "Payload delivery", "comment": "ANDROIDOS_FAKEBANK.OPSA - Xchecked via VT: d84353986ee05ac61308063271ade3f8f2876ef9", "deleted": false, "disable_correlation": false, "timestamp": "1480590588", "to_ids": true, "type": "sha256", "uuid": "584004fc-34b8-4fb4-954a-b82a02de0b81", "value": "839727158d3a3a6c342a154d07bfd70ad342d82a65c672163cc287213e72da80" }, { "category": "Payload delivery", "comment": "ANDROIDOS_FAKEBANK.OPSA - Xchecked via VT: d84353986ee05ac61308063271ade3f8f2876ef9", "deleted": false, "disable_correlation": false, "timestamp": "1480590589", "to_ids": true, "type": "md5", "uuid": "584004fd-b944-4e04-b745-b82a02de0b81", "value": "eea6183fa2dda392976d318b7123bf36" }, { "category": "External analysis", "comment": "ANDROIDOS_FAKEBANK.OPSA - Xchecked via VT: d84353986ee05ac61308063271ade3f8f2876ef9", "deleted": false, "disable_correlation": false, "timestamp": "1480590589", "to_ids": false, "type": "link", "uuid": "584004fd-77dc-4fa8-9503-b82a02de0b81", "value": "https://www.virustotal.com/file/839727158d3a3a6c342a154d07bfd70ad342d82a65c672163cc287213e72da80/analysis/1473457620/" }, { "category": "Payload delivery", "comment": "ANDROIDOS_FAKEBANK.OPSA - Xchecked via VT: 323bf07667bf9d65055f80a15a90508e99e05632", "deleted": false, "disable_correlation": false, "timestamp": 
"1480590589", "to_ids": true, "type": "sha256", "uuid": "584004fd-5b30-4ca5-a993-b82a02de0b81", "value": "3b34615ab4dfbe984ec3ac6c8a266cd25b7d78b1a1db14a9d37c10c1a84007e5" }, { "category": "Payload delivery", "comment": "ANDROIDOS_FAKEBANK.OPSA - Xchecked via VT: 323bf07667bf9d65055f80a15a90508e99e05632", "deleted": false, "disable_correlation": false, "timestamp": "1480590589", "to_ids": true, "type": "md5", "uuid": "584004fd-4e08-4c7c-bb7e-b82a02de0b81", "value": "c89dd35061a5500a0e9db4b1d5ad1326" }, { "category": "External analysis", "comment": "ANDROIDOS_FAKEBANK.OPSA - Xchecked via VT: 323bf07667bf9d65055f80a15a90508e99e05632", "deleted": false, "disable_correlation": false, "timestamp": "1480590590", "to_ids": false, "type": "link", "uuid": "584004fe-0ab4-4dd9-8b6f-b82a02de0b81", "value": "https://www.virustotal.com/file/3b34615ab4dfbe984ec3ac6c8a266cd25b7d78b1a1db14a9d37c10c1a84007e5/analysis/1473459659/" } ] } }