302 lines
No EOL
13 KiB
JSON
302 lines
No EOL
13 KiB
JSON
{
|
|
"Event": {
|
|
"analysis": "2",
|
|
"date": "2017-08-25",
|
|
"extends_uuid": "",
|
|
"info": "OSINT - WAP-billing Trojan-Clickers on rise",
|
|
"publish_timestamp": "1503662042",
|
|
"published": true,
|
|
"threat_level_id": "3",
|
|
"timestamp": "1503661852",
|
|
"uuid": "59a00e7b-5bac-4e57-ab87-48d8950d210f",
|
|
"Orgc": {
|
|
"name": "CIRCL",
|
|
"uuid": "55f6ea5e-2c60-40e5-964f-47a8950d210f"
|
|
},
|
|
"Tag": [
|
|
{
|
|
"colour": "#ffffff",
|
|
"local": "0",
|
|
"name": "tlp:white",
|
|
"relationship_type": ""
|
|
},
|
|
{
|
|
"colour": "#37ab00",
|
|
"local": "0",
|
|
"name": "enisa:nefarious-activity-abuse=\"mobile-malware\"",
|
|
"relationship_type": ""
|
|
}
|
|
],
|
|
"Attribute": [
|
|
{
|
|
"category": "External analysis",
|
|
"comment": "",
|
|
"deleted": false,
|
|
"disable_correlation": false,
|
|
"timestamp": "1503661809",
|
|
"to_ids": false,
|
|
"type": "link",
|
|
"uuid": "59a00e88-854c-406b-a578-4e61950d210f",
|
|
"value": "https://securelist.com/wap-billing-trojan-clickers-on-rise/81576/",
|
|
"Tag": [
|
|
{
|
|
"colour": "#00223b",
|
|
"local": "0",
|
|
"name": "osint:source-type=\"blog-post\"",
|
|
"relationship_type": ""
|
|
}
|
|
]
|
|
},
|
|
{
|
|
"category": "External analysis",
|
|
"comment": "",
|
|
"deleted": false,
|
|
"disable_correlation": false,
|
|
"timestamp": "1503661809",
|
|
"to_ids": false,
|
|
"type": "text",
|
|
"uuid": "59a00e95-a5b4-45e3-89f7-443f950d210f",
|
|
"value": "During the preparation of the \u00e2\u20ac\u0153IT threat evolution Q2 2017\u00e2\u20ac\u009d report I found several common Trojans in the \u00e2\u20ac\u0153Top 20 mobile malware programs\u00e2\u20ac\u009d list that were stealing money from users using WAP-billing \u00e2\u20ac\u201c a form of mobile payment that charges costs directly to the user\u00e2\u20ac\u2122s mobile phone bill so they don\u00e2\u20ac\u2122t need to register a card or set up a user-name and password. This mechanism is similar to premium rate SMS messages but Trojans do not need to send any SMS in this case \u00e2\u20ac\u201c they just need to click on a button on a web-page with WAP-billing.\r\n\r\nFrom user\u00e2\u20ac\u2122s perspective a page with WAP-billing looks like regular web-page. Usually such pages contain complete information about payments and a button. By clicking on this button user will be redirected to a mobile network operator server, which may show additional information and request user\u00e2\u20ac\u2122s final decision about payment by clicking on another button. If the user connects to the Internet through mobile data, the mobile network operator can identify him/her by IP address. Mobile network operators charges users only if they are successfully identified and only after click on the button.\r\n\r\nFrom a financial point of view, this mechanism is similar to the Premium rate SMS service \u00e2\u20ac\u201c charge is directly applied to users\u00e2\u20ac\u2122 phone bills. However, in this case Trojans do not need to send any SMS \u00e2\u20ac\u201c just to click on button on a web-page with WAP-billing.\r\n\r\nWe hadn\u00e2\u20ac\u2122t seen any Trojans like this in a while, but several of them appeared out of nowhere. Different Trojans from different cybercriminal groups targeting different countries (Russia and India) became common at the same time. Most of them had been under development since the end of 2016 / the beginning of 2017, but their prevalence increased only in the second half of Q2 2017. Therefore, I decided to take a closer look at these Trojans.\r\n\r\nIn general, these Trojans are doing similar things. First, they turn off WiFi and turn on mobile Internet. They do this because WAP-billing works only through mobile Internet. Then they open a URL which redirects to the page with WAP-billing. Usually, Trojans load such pages and click on buttons using JavaScript (JS) files. After that they need to delete incoming SMS messages containing information about subscriptions from the mobile network operator.\r\n\r\nFurthermore, some of them have the ability to send premium rate SMS messages. In addition, some are exploiting Device Administrator rights to make it harder to delete the Trojan.",
|
|
"Tag": [
|
|
{
|
|
"colour": "#00223b",
|
|
"local": "0",
|
|
"name": "osint:source-type=\"blog-post\"",
|
|
"relationship_type": ""
|
|
}
|
|
]
|
|
},
|
|
{
|
|
"category": "Payload delivery",
|
|
"comment": "",
|
|
"deleted": false,
|
|
"disable_correlation": false,
|
|
"timestamp": "1503661809",
|
|
"to_ids": true,
|
|
"type": "md5",
|
|
"uuid": "59a00ed4-42d8-4753-9460-4d94950d210f",
|
|
"value": "f3d2febbf356e968c7310ec182ee9ce0"
|
|
},
|
|
{
|
|
"category": "Payload delivery",
|
|
"comment": "",
|
|
"deleted": false,
|
|
"disable_correlation": false,
|
|
"timestamp": "1503661809",
|
|
"to_ids": true,
|
|
"type": "md5",
|
|
"uuid": "59a00ed4-7ccc-4116-b456-4932950d210f",
|
|
"value": "9e492a6fb926e1338dadc32463196288"
|
|
},
|
|
{
|
|
"category": "Payload delivery",
|
|
"comment": "",
|
|
"deleted": false,
|
|
"disable_correlation": false,
|
|
"timestamp": "1503661809",
|
|
"to_ids": true,
|
|
"type": "md5",
|
|
"uuid": "59a00ed4-4a60-43f5-83a0-4eee950d210f",
|
|
"value": "a93d3c727b970082c682895fea4db77b"
|
|
},
|
|
{
|
|
"category": "Payload delivery",
|
|
"comment": "",
|
|
"deleted": false,
|
|
"disable_correlation": false,
|
|
"timestamp": "1503661809",
|
|
"to_ids": true,
|
|
"type": "md5",
|
|
"uuid": "59a00ed4-45d4-44e5-b12f-49e2950d210f",
|
|
"value": "66fe79bee25a92462a565fd7ed8a03b4"
|
|
},
|
|
{
|
|
"category": "Payload delivery",
|
|
"comment": "",
|
|
"deleted": false,
|
|
"disable_correlation": false,
|
|
"timestamp": "1503661809",
|
|
"to_ids": true,
|
|
"type": "md5",
|
|
"uuid": "59a00ed4-1534-4f3a-8ac3-4524950d210f",
|
|
"value": "aeae6bfdd18712637852c6d824955859"
|
|
},
|
|
{
|
|
"category": "Payload delivery",
|
|
"comment": "",
|
|
"deleted": false,
|
|
"disable_correlation": false,
|
|
"timestamp": "1503661809",
|
|
"to_ids": true,
|
|
"type": "md5",
|
|
"uuid": "59a00ed4-ad9c-40b0-bd66-4551950d210f",
|
|
"value": "da07419994e65538659cd32bf9d18d8a"
|
|
},
|
|
{
|
|
"category": "Payload delivery",
|
|
"comment": "- Xchecked via VT: aeae6bfdd18712637852c6d824955859",
|
|
"deleted": false,
|
|
"disable_correlation": false,
|
|
"timestamp": "1503661809",
|
|
"to_ids": true,
|
|
"type": "sha256",
|
|
"uuid": "59a00ef1-15c4-4dd6-948f-4a9502de0b81",
|
|
"value": "a38d879bc02f6721d2fe326b4142c0ad429bb414be2416f69ce8fd570f15b3e6"
|
|
},
|
|
{
|
|
"category": "Payload delivery",
|
|
"comment": "- Xchecked via VT: aeae6bfdd18712637852c6d824955859",
|
|
"deleted": false,
|
|
"disable_correlation": false,
|
|
"timestamp": "1503661809",
|
|
"to_ids": true,
|
|
"type": "sha1",
|
|
"uuid": "59a00ef1-7e20-4b75-b968-406802de0b81",
|
|
"value": "aa85ebc9cb653f2e3b9872ee753a1c14fc800c51"
|
|
},
|
|
{
|
|
"category": "External analysis",
|
|
"comment": "- Xchecked via VT: aeae6bfdd18712637852c6d824955859",
|
|
"deleted": false,
|
|
"disable_correlation": false,
|
|
"timestamp": "1503661809",
|
|
"to_ids": false,
|
|
"type": "link",
|
|
"uuid": "59a00ef1-c804-464c-86f8-4c9d02de0b81",
|
|
"value": "https://www.virustotal.com/file/a38d879bc02f6721d2fe326b4142c0ad429bb414be2416f69ce8fd570f15b3e6/analysis/1500263716/"
|
|
},
|
|
{
|
|
"category": "Payload delivery",
|
|
"comment": "- Xchecked via VT: 66fe79bee25a92462a565fd7ed8a03b4",
|
|
"deleted": false,
|
|
"disable_correlation": false,
|
|
"timestamp": "1503661809",
|
|
"to_ids": true,
|
|
"type": "sha256",
|
|
"uuid": "59a00ef1-f798-4148-839e-463902de0b81",
|
|
"value": "dba977d43d84d2f0a1e42bc3cc6c9c656bb0012651ff1531ce5d0fa9d2368a7f"
|
|
},
|
|
{
|
|
"category": "Payload delivery",
|
|
"comment": "- Xchecked via VT: 66fe79bee25a92462a565fd7ed8a03b4",
|
|
"deleted": false,
|
|
"disable_correlation": false,
|
|
"timestamp": "1503661809",
|
|
"to_ids": true,
|
|
"type": "sha1",
|
|
"uuid": "59a00ef1-00e4-403d-9434-4bde02de0b81",
|
|
"value": "3dc1d84e406ce57eaf895dd102d9efc75318ac5d"
|
|
},
|
|
{
|
|
"category": "External analysis",
|
|
"comment": "- Xchecked via VT: 66fe79bee25a92462a565fd7ed8a03b4",
|
|
"deleted": false,
|
|
"disable_correlation": false,
|
|
"timestamp": "1503661809",
|
|
"to_ids": false,
|
|
"type": "link",
|
|
"uuid": "59a00ef1-d380-4f26-a5dc-4a8402de0b81",
|
|
"value": "https://www.virustotal.com/file/dba977d43d84d2f0a1e42bc3cc6c9c656bb0012651ff1531ce5d0fa9d2368a7f/analysis/1488259926/"
|
|
},
|
|
{
|
|
"category": "Payload delivery",
|
|
"comment": "- Xchecked via VT: a93d3c727b970082c682895fea4db77b",
|
|
"deleted": false,
|
|
"disable_correlation": false,
|
|
"timestamp": "1503661809",
|
|
"to_ids": true,
|
|
"type": "sha256",
|
|
"uuid": "59a00ef1-efb0-4962-a9b6-42d102de0b81",
|
|
"value": "2f012d6adccebb975eedc790a250000c30c3cd9de2c7d1b6e3067d68cbb6262f"
|
|
},
|
|
{
|
|
"category": "Payload delivery",
|
|
"comment": "- Xchecked via VT: a93d3c727b970082c682895fea4db77b",
|
|
"deleted": false,
|
|
"disable_correlation": false,
|
|
"timestamp": "1503661809",
|
|
"to_ids": true,
|
|
"type": "sha1",
|
|
"uuid": "59a00ef1-c4e4-4e09-b333-40ae02de0b81",
|
|
"value": "83a5bc964392c4775576d937639541b03a150f27"
|
|
},
|
|
{
|
|
"category": "External analysis",
|
|
"comment": "- Xchecked via VT: a93d3c727b970082c682895fea4db77b",
|
|
"deleted": false,
|
|
"disable_correlation": false,
|
|
"timestamp": "1503661809",
|
|
"to_ids": false,
|
|
"type": "link",
|
|
"uuid": "59a00ef1-0694-421e-8e4d-452202de0b81",
|
|
"value": "https://www.virustotal.com/file/2f012d6adccebb975eedc790a250000c30c3cd9de2c7d1b6e3067d68cbb6262f/analysis/1496415838/"
|
|
},
|
|
{
|
|
"category": "Payload delivery",
|
|
"comment": "- Xchecked via VT: 9e492a6fb926e1338dadc32463196288",
|
|
"deleted": false,
|
|
"disable_correlation": false,
|
|
"timestamp": "1503661809",
|
|
"to_ids": true,
|
|
"type": "sha256",
|
|
"uuid": "59a00ef1-174c-432f-b82e-4f6b02de0b81",
|
|
"value": "1f00c1d379b3fe49215c96dabf310f8208ef4203e12e6f04ce3a15265254a96f"
|
|
},
|
|
{
|
|
"category": "Payload delivery",
|
|
"comment": "- Xchecked via VT: 9e492a6fb926e1338dadc32463196288",
|
|
"deleted": false,
|
|
"disable_correlation": false,
|
|
"timestamp": "1503661809",
|
|
"to_ids": true,
|
|
"type": "sha1",
|
|
"uuid": "59a00ef1-af74-480d-94f6-409e02de0b81",
|
|
"value": "dd62d1565048b8f31f19de3d7f4103c93bbffc3a"
|
|
},
|
|
{
|
|
"category": "External analysis",
|
|
"comment": "- Xchecked via VT: 9e492a6fb926e1338dadc32463196288",
|
|
"deleted": false,
|
|
"disable_correlation": false,
|
|
"timestamp": "1503661809",
|
|
"to_ids": false,
|
|
"type": "link",
|
|
"uuid": "59a00ef1-a984-4ff7-86c6-478402de0b81",
|
|
"value": "https://www.virustotal.com/file/1f00c1d379b3fe49215c96dabf310f8208ef4203e12e6f04ce3a15265254a96f/analysis/1501376726/"
|
|
},
|
|
{
|
|
"category": "Payload delivery",
|
|
"comment": "- Xchecked via VT: f3d2febbf356e968c7310ec182ee9ce0",
|
|
"deleted": false,
|
|
"disable_correlation": false,
|
|
"timestamp": "1503661809",
|
|
"to_ids": true,
|
|
"type": "sha256",
|
|
"uuid": "59a00ef1-a6b4-4814-b547-465802de0b81",
|
|
"value": "3e3c73987b0ad9cb8ab10100ca875df65ebe7560b7f08f875c8acee18c7af92f"
|
|
},
|
|
{
|
|
"category": "Payload delivery",
|
|
"comment": "- Xchecked via VT: f3d2febbf356e968c7310ec182ee9ce0",
|
|
"deleted": false,
|
|
"disable_correlation": false,
|
|
"timestamp": "1503661809",
|
|
"to_ids": true,
|
|
"type": "sha1",
|
|
"uuid": "59a00ef1-ef08-4eef-8480-4fc302de0b81",
|
|
"value": "a18fc97ea0be7be9b8c943997e046e5e2a49c2a7"
|
|
},
|
|
{
|
|
"category": "External analysis",
|
|
"comment": "- Xchecked via VT: f3d2febbf356e968c7310ec182ee9ce0",
|
|
"deleted": false,
|
|
"disable_correlation": false,
|
|
"timestamp": "1503661809",
|
|
"to_ids": false,
|
|
"type": "link",
|
|
"uuid": "59a00ef1-6128-4fef-ad1f-411602de0b81",
|
|
"value": "https://www.virustotal.com/file/3e3c73987b0ad9cb8ab10100ca875df65ebe7560b7f08f875c8acee18c7af92f/analysis/1497642003/"
|
|
}
|
|
]
|
|
}
|
|
} |