{ "Event": { "analysis": "2", "date": "2016-12-28", "extends_uuid": "", "info": "OSINT - Switcher: Android joins the \u2018attack-the-router\u2019 club", "publish_timestamp": "1484666699", "published": true, "threat_level_id": "3", "timestamp": "1484666593", "uuid": "58638245-8b08-4bb0-8bed-fcb802de0b81", "Orgc": { "name": "CIRCL", "uuid": "55f6ea5e-2c60-40e5-964f-47a8950d210f" }, "Tag": [ { "colour": "#44d400", "name": "enisa:nefarious-activity-abuse=\"DNS-poisoning-or-DNS-spoofing-or-DNS-Manipulations\"" }, { "colour": "#ffffff", "name": "tlp:white" }, { "colour": "#00223b", "name": "osint:source-type=\"blog-post\"" }, { "colour": "#5f0077", "name": "ms-caro-malware:malware-platform=\"AndroidOS\"" }, { "colour": "#37ac00", "name": "enisa:nefarious-activity-abuse=\"infected-trusted-mobile-apps\"" } ], "Attribute": [ { "category": "External analysis", "comment": "", "deleted": false, "disable_correlation": false, "timestamp": "1482916441", "to_ids": false, "type": "link", "uuid": "58638259-c9e8-4088-b086-4b7102de0b81", "value": "https://securelist.com/blog/mobile/76969/switcher-android-joins-the-attack-the-router-club/" }, { "category": "External analysis", "comment": "", "deleted": false, "disable_correlation": false, "timestamp": "1482916457", "to_ids": false, "type": "comment", "uuid": "58638269-40bc-445a-bf3a-410d02de0b81", "value": "Recently, in our never-ending quest to protect the world from malware, we found a misbehaving Android trojan. Although malware targeting the Android OS stopped being a novelty quite some time ago, this trojan is quite unique. Instead of attacking a user, it attacks the Wi-Fi network the user is connected to, or, to be precise, the wireless router that serves the network. The trojan, dubbed Trojan.AndroidOS.Switcher, performs a brute-force password guessing attack on the router\u2019s admin web interface. 
If the attack succeeds, the malware changes the addresses of the DNS servers in the router\u2019s settings, thereby rerouting all DNS queries from devices in the attacked Wi-Fi network to the servers of the cybercriminals (such an attack is also known as DNS-hijacking). So, let us explain in detail how Switcher performs its brute-force attacks, gets into the routers and undertakes its DNS-hijack." }, { "category": "Payload delivery", "comment": "; package name \u2013 com.baidu.com", "deleted": false, "disable_correlation": false, "timestamp": "1482916542", "to_ids": true, "type": "md5", "uuid": "586382be-6074-4438-ae9f-405702de0b81", "value": "acdb7bfebf04affd227c93c97df536cf" }, { "category": "Payload delivery", "comment": "package name \u2013 com.snda.wifi", "deleted": false, "disable_correlation": false, "timestamp": "1482916570", "to_ids": true, "type": "md5", "uuid": "586382da-f680-423e-9749-486402de0b81", "value": "64490fbecefa3fcdacd41995887fe510" }, { "category": "Payload delivery", "comment": "", "deleted": false, "disable_correlation": false, "timestamp": "1484666529", "to_ids": false, "type": "mobile-application-id", "uuid": "5863831c-49b8-4b71-90df-fcb902de0b81", "value": "com.baidu.com", "Tag": [ { "colour": "#37ab00", "name": "enisa:nefarious-activity-abuse=\"mobile-malware\"" } ] }, { "category": "Payload delivery", "comment": "", "deleted": false, "disable_correlation": false, "timestamp": "1484666593", "to_ids": false, "type": "mobile-application-id", "uuid": "5863831c-03e0-42fe-9f79-fcb902de0b81", "value": "com.snda.wifi", "Tag": [ { "colour": "#37ab00", "name": "enisa:nefarious-activity-abuse=\"mobile-malware\"" } ] }, { "category": "Network activity", "comment": "We recommend that all users check their DNS settings and search for the following rogue DNS servers:", "deleted": false, "disable_correlation": false, "timestamp": "1482916707", "to_ids": true, "type": "ip-dst", "uuid": 
"58638363-3d7c-4aca-a0b0-fcbd02de0b81", "value": "101.200.147.153" }, { "category": "Network activity", "comment": "We recommend that all users check their DNS settings and search for the following rogue DNS servers:", "deleted": false, "disable_correlation": false, "timestamp": "1482916708", "to_ids": true, "type": "ip-dst", "uuid": "58638364-4f10-4a03-aa8a-fcbd02de0b81", "value": "112.33.13.11" }, { "category": "Network activity", "comment": "We recommend that all users check their DNS settings and search for the following rogue DNS servers:", "deleted": false, "disable_correlation": false, "timestamp": "1482916708", "to_ids": true, "type": "ip-dst", "uuid": "58638364-b520-492b-8fbb-fcbd02de0b81", "value": "120.76.249.59" }, { "category": "Payload delivery", "comment": "; package name \u2013 com.baidu.com - Xchecked via VT: acdb7bfebf04affd227c93c97df536cf", "deleted": false, "disable_correlation": false, "timestamp": "1482916805", "to_ids": true, "type": "sha256", "uuid": "586383c5-b9c4-40a5-9cff-415902de0b81", "value": "d3aee0e8fa264a33f77bdd59d95759de8f6d4ed6790726e191e39bcfd7b5e150" }, { "category": "Payload delivery", "comment": "; package name \u2013 com.baidu.com - Xchecked via VT: acdb7bfebf04affd227c93c97df536cf", "deleted": false, "disable_correlation": false, "timestamp": "1482916806", "to_ids": true, "type": "sha1", "uuid": "586383c6-8d48-4538-b730-485b02de0b81", "value": "12c74cd9a54563c087faa057eae6e46b8d9dc0c1" }, { "category": "External analysis", "comment": "; package name \u2013 com.baidu.com - Xchecked via VT: acdb7bfebf04affd227c93c97df536cf", "deleted": false, "disable_correlation": false, "timestamp": "1482916806", "to_ids": false, "type": "link", "uuid": "586383c6-307c-499d-be91-4c4502de0b81", "value": "https://www.virustotal.com/file/d3aee0e8fa264a33f77bdd59d95759de8f6d4ed6790726e191e39bcfd7b5e150/analysis/1482813091/" } ] } }