Sunday, September 16, 2018

Dangerous Invoices and Dangerous Infrastructure

One of the things I've learned in twenty-nine years investigating malware is that MOST bad guys are lazy and cheap.  One of the main ways that shows up is in the reuse of infrastructure.  Or as one of my criminology friends says it "most criminals are caught by identifying patterns of habit and convenience."  That's why it can sometimes be useful to examine a malware sample, even if it fails to trigger due to age.  It is likely that OTHER samples are using the same infrastructure or deployment system.

My friends at Cofense published their finding last week that Microsoft Office macros are still the number one way that malware is being delivered via email, accounting for 45% of all malware delivery mechanisms they have recently studied.  Anyone with a spam collection can quickly reach that same conclusion.  A couple such campaigns even showed up in my personal email this week.

Here's three emails from consecutive days last week sent to one of my personal email domains:

A Purchase Order from "ADNOC" (Sep 6, 2018)

A Purchase Order from H&H Nails (Sep 5, 2018)

A Purchase Order from SS Braid (Sep 4, 2018)
The most convincing phish, as PhishMe and later Cofense have repeatedly demonstrated by studying what millions of customers actually click on, are those which imitate a common business practice, such as these Purchase Orders. In an attempt to be helpful, many will open a Purchase Order received in email, even if they don't recognize the company name, often as a means of directing the PO to the appropriate department.  Big Mistake!

Working from oldest to newest: 

SS BRAID PO.doc was recognized as being malicious by 33 of 59 AV vendors at VirusTotal - a helpful analysis from VMRay, linked in the comments section tells us that the sample attempts to download "kc.exe" from the site rollboat[.]tk.
MD5
02b6f049f4d8246ee982d8c34a160311
sale contract.doc was recognized as being malicious by 29 of 59 AV vendors at VirusTotal - and in this case, Dr.Web shared their analysis with VirusTotal, also revealing that the action of open the document would launch the same "kc.exe" file from rollboat, as the other file.
MD5
736de7cd6a9c76bd7df49e6b3df6000e
SHA-1
1315994222d45410c8508cf614378e35c4f56c94


As it turns out, in the three consecutive daily email blasts identified above, each sample had two email attachments, and they were all the same attachments only with different names.
The three 386KB files all had the same hashes, and the three 176KB files also all had the same hashes.  So, for at least September 4, 5, and 6, 2018, kc.exe was the target that the malicious actor wanted us to launch on our computer.  The file is no longer available, which could stall the investigation, but let's look at Habit and Convenience.  If the actor is already hosting on rollboat[.]tk, is it not likely he'll keep doing so until someone prevents him?

Each of the subdirectories contained additional malicious files.  By the directory time stamps, its clear that this criminal continued delivering his malware that began on Sep 4, Sep 5, Sep 6, at least through Sep 14th (Friday).  Since everyone needs a weekend, and business-process-imitating malware is most profitable on weekdays, the criminals haven't uploaded any new malware on Saturday September 15th, or Sunday September 16th.  

The leftover cnn.exe file from September 6th is well-detected (32 of 67 at VirusTotal) although Microsoft, Symantec, and TrendMicro all report the executable as "clean."  The more recent ogox.exe file from September 14th has a slightly poorer 1 in 3 detection (20 of 67 at VirusTotal), as is typical for Friday malware only 60 hours later.  (The various AV engines will all tell you that's because blah blah blah.  I'm running their code. I just infected myself with their AV running. Whatever.) 

Invoice.exe = (14 of 67 on VirusTotal)  - (checks smtp.gmail.com and then self-terminates)
MD5
1261b8382cfa2b905f0f52a3aef49ce4
SHA-1
e80c07f700cf817a1eca1f8186f820492f8a2fbc
Order.exe = (34 of 68 on VirusTotal
MD5
57b430ea422d1f33fef19f02fb85c7f0
SHA-1
60a64400207fd9835899189aa0c3cbca027fe8cf

MD5
0fa8876252c632b64afad8fd7fa6344f
SHA-1
ab372d169743758bb81abaa4bc303d5303f6d913

ogo.exe = (44 of 68 on VirusTotal
MD5
f321b38b171a3cbc1eff4a41ac5bbe47
SHA-1
da61f88e2e95a23e58d96cf845c523fd10023cb7

Regardless of what this malware actually does, the two take-aways here?  Malware continues to spread by imitating common business practices, such as processing Invoices and Purchase Orders.  And Criminals continue to rely on Habit and Convenience, which means they are still able to be tracked by looking at their infrastructure choices.

Update

Monday morning, back to work!  Sure enough, we checked the rollboat directory for fresh files this morning:

VirusTotal 19 of 65
MD5
793a3a5e434add85d24df212bf3a72d0
SHA-1
cedcb4b74baf0ba7b39aeea1983bd2f48586e9a4



MD5
d13f100887011e3110b224779c11594b
SHA-1
22971ed9a43f7f8e9b8b55de9d28406bb83cffb1



VirusTotal 20 of 67 
MD5
de1a7961917537084aa383fd398beac5
SHA-1
a52e447bfe24760c31142f9a3b0efc90cd7c2366

I'll also note that this morning on my Windows 10 machine running current Chrome, the file downloads were prevented - marked "This file is dangerous, so Chrome has blocked it."  When I told Chrome to let me download one any way, Windows Defender stopped it.  Sharing information DOES help!







Friday, September 14, 2018

Interac: One Phish to Phish Them All

I recently had the pleasure of bumping into some of my Canadian friends at a Law Enforcement conference.  So when I saw someone mention a "National Bank of Canada" phish, I thought I would pull on the string a bit and see if it was actually an "Interac" phish.   Interac is a system for easily sending money between different Canadian banks. The phishers love it, because by imitating Interac, they can steal login information from any Canadian, regardless of where they bank.

By walking up to a higher directory, sure enough, the National Bank of Canada phish was just a tiny part of an underlying Interac phish hosted at 178.128.125[.]127, a Digital Ocean box in Kalívia, Attiki, Greece.


178.128.125[.]127/deposit 
We can tell by the timestamp of the directory that this is a fresh phish - created earlier this morning:


On each of the banks, clicking on their logo would take the visitor to a phishing site for that brand.  (Curiously, HSBC did not work for this author - it took us to the real HSBC website via a Google search?) 

ATB Phish

Desjardins Phish

Laurentian Bank (LBC) Phish

Manulife Bank Phish 

RBC Royal Bank Phish 
Quite a few of the Phish seemed to be formatted for browsing on a Smart phone: 

BMO Mobile Phish 

CIBC Mobile Phish 

Meridian Bank Phish 

Scotiabank Mobile Phish 

Simplii Financial Phish 

Tangerine Phish 

TD Bank Phish 

On most of the phishing pages after entering a Userid and Password, the phish would indicate that the deposit was no longer available by displaying an Interac Error page: 

An Interac Error page displays briefly, then forwards to the real bank
This means that the banks may be able to detect this phishing victims by looking for "referring URLs" coming from pages named "error.html", for example, in this case:

hXXp://178.128.125[.]127/deposit/banks/Laurentian/error.html

A few of the brands, such as National Bank of Canada, did ask for additional information:

National Bank of Canada Phish Validation page

After "Validating" the phish forwarded to the real site, nbc.ca, which means they also might wish to check for "referring URLs" containing "Validation" in the path, such as this one:

hXXp://178.128.125[.]127/deposit/banks/National/Validation/

The CIBC Mobile Phish also had some additional questions for their potential victim:

CIBC Mobile Phish Validation page

So, my Canadian friends, if you get an unanticipated request to deposit funds to your account via Interac, you might want to delay accepting that deposit!






Tuesday, September 11, 2018

IRS Call Scammers Sentenced in Texas

Back in 2016 we blogged about a major set of arrests in India and the United States related to a call center scam imitating the IRS.  (See "Major Call Center Scam Revealed - 56 Indicted")

This post is to just share an update on that case.  There have been so many arrests made and yet the fraud continues every day!  I received two IRS calls myself in the past week!

To begin, the IRS is NEVER going to call you and threaten arrest.  If you receive such a call, the investigative agency for IRS scams is TIGTA, the Treasury Inspector General for Tax Administration. You can call their scam hotline to report at 1.800.366.4484, or share details online at the IRS Impersonation Scam Reporting form.  All of the arrests below started because someone reported their scammers.  Although the form seems to be focused on people who actually lost money, even non-loss reports can be helpful.

The biggest round of arrests came in October 27, 2016, which was the focus of that "Major Call Center Scam" blog post.  The DOJ press release was titled "Dozens of Individuals Indicted in Multimillion-Dollar Indian Call Center Scam Targeting U.S. Victims
Over the next several months, many of the criminals pled guilty.  All but two were from India, although several were now American citizens.  Each has now been sentenced for their crimes in a mass sentencing before Judge Hittner in Houston, Texas.  Below, we show their guilty plea date, where they were living and/or conducting their crime, and what the DOJ/TIGTA press release said about their guilty plea.  We feel that the sentences were fair, ranging from just over four years to 188 months (15 1/2 years).  

Just wanted to share that EVENTUALLY, Justice is served.

However, PLEASE KEEP REPORTING!  There certainly are more IRS-imitating criminals who need to go to prison!

Bharatkumar Patel (April 13, 2017) - a resident of Midlothian, Illinois - sentenced to 50 months in prison and removal to India. 


According to his plea, beginning in or about July 2013, Patel worked as a member of a crew of runners operating in the Chicago area and elsewhere throughout the country. Patel admitted to purchasing reloadable cards or retrieving wire transfers and using the misappropriated personal identifying information of U.S. citizens. Patel also admitted to opening personal bank accounts in order to receive scam proceeds and payments from defrauded victims as well as creating limited liability companies in his name to further the conspiracy. According to his plea, Patel opened one bank account that received more than $1.5 million in deposits over a one-year period and another bank account that received more than $450,000 in deposits over a five-month period.

Ashvinbhai Chaudhari (April 26, 2017) - a resident of Austin, Texas. - sentenced to 87 months in prison.


According to his plea, since in or about April 2014, Chaudhari worked as a member of a crew of runners operating in Illinois, Georgia, Nevada, Texas and elsewhere throughout the country. At the direction of both U.S. and India-based co-conspirators, often via electronic WhatsApp text communications, Chaudhari admitted to driving around the country with other runners to purchase reloadable cards registered with misappropriated personal identifying information of U.S. citizens. Once victim scam proceeds were loaded onto those cards, Chaudhari admitted that he liquidated the proceeds on the cards and transferred the funds into money orders for deposit into various bank accounts while keeping a percentage of the victim funds for himself. Chaudhari also admitted to shipping money orders purchased with victim funds to other U.S. based co-conspirators, receiving fake identification documents from an India-based co-conspirator and using those documents to receive victim scam payments via wire transfers.


Harsh Patel (May 11, 2017) - a resident of Piscataway, New Jersey. - sentenced to 82 months in prison and deportation after his sentence.


According to his plea, since around January 2015, Patel worked as a runner operating primarily in New Jersey, California and Illinois. At the direction of India-based co-conspirators, often via electronic WhatsApp text communications, Patel admitted to purchasing reloadable cards registered with misappropriated personal identifying information of U.S. citizens. Once victim scam proceeds were loaded onto those cards, Patel admitted that he liquidated the proceeds on the cards and transferred the funds into money orders for deposit into various bank accounts while keeping a percentage of the victim funds for himself. Patel also admitted to receiving fake identification documents from an India-based co-conspirator and other sources and using those documents to receive victim scam payments via wire transfers.


Nilam Parikh (May 18, 2017) - a resident of Pelham, Alabama - sentenced to 48 months in prison 


Since around December 2013, Parikh worked as a runner operating in Alabama.  In connection with her plea, Parikh admitted that, at the direction of an India-based co-conspirator, often via electronic WhatsApp text communications, Parikh purchased reloadable cards registered with misappropriated personal identifying information of U.S. citizens.  Once victim scam proceeds were loaded onto those cards, Parikh admitted that she liquidated the proceeds on the cards and transferred the funds into money orders for deposit into various bank accounts, while keeping part of the victim funds for herself as payment.  Parikh also admitted to sending and receiving scam proceeds to and from her co-conspirators via Federal Express.


Information on the next five all came from the same DOJ Press Release: "Five More Defendants Please Guilty for their Roles in Multimillion Dollar India-Based Call Center Scam Targeting U.S. Victims


Dilipkumar A. Patel (May 26, 2017) - a resident of Corona, California - sentenced to 108 months in prison and removal to India. 


Based on the admissions made in his May 26 guilty plea, since late 2013, Dilipkumar A. Patel operated as a runner in and around Southern California, along with other co-defendants based in the region. At the direction of India-based co-conspirators, often via electronic WhatsApp communications, Patel admitted to participating in the purchase of reloadable cards registered with the PII of U.S. citizens, and the subsequent liquidation of victim scam funds loaded to those cards by co-conspirators, while keeping a percentage of the victim funds on the cards for himself. 


Fahad Ali (May 26, 2017) - a resident of Dyer, Indiana (from Pakistan) - sentenced to 108 months in prison 


According to his guilty plea, also on May 26, beginning in or around 2013, Fahad Ali worked as a member of a crew of runners operating in the Chicago, Illinois area, the Southern District of Texas and elsewhere throughout the country. Ali admitted that he first served as a driver for an Illinois-based co-defendant engaging in activities in furtherance of the conspiracy. Ali later operated at the direction of that co-defendant and others, via various means of communication, including text messages, to purchase reloadable cards, and then liquidate victim scam proceeds placed on those cards by India-based co-conspirators, in exchange for recurring payments. Ali also admitted to using false identification documents to receive wire transfers from victims of the fraud.


Hardik Patel (June 2, 2017) - a resident of Arlington Heights, Illinois - sentenced to 188 months in prison and removal to India upon completion of the sentence.

Based on the statements in his June 2 guilty plea, beginning in August 2012, Hardik Patel owned and managed the day-to-day operations of an India-based scam call center before later leaving for the U.S. While in India, in his capacity as a manager, Hardik Patel communicated extensively via email, text, and other means with various India-based co-defendants to operate the scheme and exchange scripts used in the scheme, coordinate the processing of payments from scammed victims, obtain and exchange lead lists used by callers to target U.S. victims, and exchange spreadsheets containing the personal identifying information (PII) of U.S. persons misappropriated by the scammers to register reloadable cards used in the scheme. Hardik Patel also managed worker payroll and kept detailed records of profits and expenses for various associated scam call centers. Hardik Patel continued to communicate with India-based co-defendants about the scheme and assist with the conspiracy after he moved to the U.S. 



Rajubhai Patel (June 2, 2017) - a resident of Willowbrook, Illinois - sentenced to 151 months in prison 


According to his June 6 guilty plea, Rajubhai Patel operated as a runner and assisted a co-defendant in managing the activities of a crew of other runners, based primarily out of Illinois, who liquidated victim funds in various locales in the U.S. for conspirators from India-based call centers. Rajubhai Patel communicated about the liquidation of scam funds via electronic WhatsApp communications with domestic and India-based co-defendants, purchased reloadable cards registered using the misappropriated PII of U.S. citizens that were later used to receive victims’ funds, and used those cards to purchase money orders and deposit them into various bank accounts of co-defendants and others as directed. Rajubhai Patel also admitted to creating and maintaining spreadsheets that detailed deposits, payments to co-conspirators, expenses and profits from the scheme.


Viraj Patel (June 2, 2017) - a resident of Anaheim, California - sentenced to 165 months in prison and removal to India.


According to admissions made in his June 2 guilty plea, Viraj Patel first became involved in the conspiracy between April and September 2013, prior to entering the U.S., when he worked at and assisted with overseeing the operations of a call center in India engaging in scam activity at the behest of a co-defendant. After entering the U.S., beginning in December 2014 Viraj Patel engaged in additional activities in support of the scheme in exchange for a cut of the profits, including serving as a processor of scam victim payments and as a runner engaging in the purchase and liquidation of cards loaded with victim scam funds. Viraj Patel communicated with various India-and U.S.-based co-defendants in furtherance of the conspiracy, and also obtained and circulated lead lists to his co-conspirators containing the PII of U.S. citizens for use by the call centers in targeting victims of the various fraud schemes and to register reloadable cards used to launder the proceeds of the schemes.  


Bhavesh Patel (July 7, 2017) - a resident of Gilbert, Arizona and Alabama - sentenced to 121 months in prison.


According to Bhavesh Patel’s guilty plea, beginning in or around January 2014, Bhavesh Patel managed the activities of a crew of runners, directing them to liquidate victim scam funds in areas in and around south and central Arizona per the instructions of conspirators from India-based call centers. Patel communicated via telephone about the liquidation of scam funds with both domestic and India-based co-defendants, and he and his crew used reloadable cards containing funds derived from victims by scam callers to purchase money orders and deposit them into various bank accounts as directed, in return for percentage-based commissions from his India-based co-defendants. Patel also admitted to receiving and using fake identification documents, including phony driver’s licenses, to retrieve victim scam payments in the form of wire transfers, and providing those fake documents to persons he managed for the same purpose.


Asmitaben Patel (July 7, 2017) - a resident of Willowbrook, Illinois - (previously sentenced to 24 months) 


Based on admissions in Asmitaben Patel’s guilty plea, beginning in or around July 2013, Asmitaben Patel served as a runner liquidating victim scam funds as part of a group of conspirators operating in and around the Chicago area. At the direction of a co-defendant, Patel used stored value cards that had been loaded with victim funds to buy money orders and deposit them into various bank accounts, including the account of a lead generating business in order to pay the company for leads it provided to co-conspirators that were ultimately used to facilitate the scam.


The next seven criminals guilty pleas were announced by the Department of Justice on November 13, 2017 in their press release:  "Last Defendant in the United States Pleads Guilty in Multimillion Dollar India-Based Call Center Scam Targeting U.S. Victims"


Miteshkumar Patel (November 13, 2017) - a resident of Willowbrook, Illinois - sentenced to 240 months.


Based on admissions in Miteshkumar Patel’s plea, beginning in or around 2013, Miteshkumar Patel managed a crew of a half dozen domestic runners involved in the criminal scheme, liquidating as much as approximately $25 million in victim funds for conspirators from India-based call center and organizational co-defendant HGLOBAL.  Patel communicated about the fraudulent scheme with various domestic and India-based co-defendants via email, text messaging and WhatsApp messaging.  Miteshkumar Patel and his runners purchased reloadable GPR cards that were registered using the misappropriated personal identifying information (PII) of unsuspecting victims that were later used to receive victims’ funds, and used those reloadable cards containing victims’ funds to purchase money orders and then deposit those money orders into bank accounts, as directed, while keeping a portion of the scam proceeds as profit.  Miteshkumar Patel also trained the runners he managed on how to conduct the liquidation scheme, provided them with vehicles to conduct their activities in Illinois and throughout the country, and directed a co-defendant to open bank accounts and limited liability companies for use in the conspiracy.  Miteshkumar Patel further admitted to using a gas station he owned in Racine, Wisconsin to liquidate victim funds, and possessing and using equipment at his Illinois apartment to make fraudulent identification documents used by co-defendant runners in his crew to receive wire transfers directly from scam victims and make bank deposits in furtherance of the conspiracy.


Raman Patel (age 82) (November 13, 2017) - a resident of Gilbert, Arizona - (previously sentenced in Phoenix, Arizona to probation, in consideration of his age and his cooperation.)

According to admissions in Raman Patel’s guilty plea, from in or around 2014, Patel served as a domestic runner in and around south-central Arizona, liquidating victim scam funds per the instructions of a co-defendant.  Patel also served as a driver for two co-defendants in furtherance of their GPR liquidation and related activities and sent bank deposit receipts related to the processing of victim payments and fraud proceeds to an India-based co-defendant via email and document scan services offered at various retail stores.

Sunny Joshi of Sugar Land, Texas - sentenced to 151 months in prison for money laundering conspiracy, and 120 months in prison for naturalization fraud.

Rajesh Bhatt of Sugar Land, Texas - sentenced to 145 months in prison and removal to India.


Based on admissions in Joshi and Bhatt’s guilty pleas, beginning in or around 2012, Joshi and Bhatt worked together as runners in the Houston, Texas area along with a co-defendant.  They admitted to extensively communicating via email and text with, and operating at the direction of, India-based conspirators from organizational co-defendant CALL MANTRA call center to liquidate up to approximately $9.5 million in victim funds, including by purchasing GPR cards and using those cards, funded by co-conspirators with scam victim funds, to purchase money orders and deposit them in third party bank accounts, while keeping a percentage of the scam proceeds for themselves as profit.  Joshi has also agreed to plead guilty to one count of naturalization fraud pursuant to a federal indictment obtained against him in the Eastern District of Louisiana, based on fraudulently obtaining his U.S. citizenship.


Jagdishkumar Chaudhari of Montgomery, Alabama - sentenced to 108 months in prison and removal to India.


Jagdishkumar Chaudhari admitted in his plea that between April 2014 and June 2015, he worked as a member of a crew of runners operating in the Chicago area and elsewhere throughout the country, at the direction of Miteshkumar Patel and others.  In exchange for monthly cash payments, Jagdishkumar Chaudhari admitted to driving to hundreds of retail stores to purchase GPR cards to be loaded with victim funds by co-conspirators in India, purchasing money orders with GPR cards that had been funded with victim proceeds, depositing money orders purchased using victim scam proceeds at various banks, and retrieving wire transfers sent by victims of the scheme.  Jagdishkumar Chaudhari is an Indian national with no legal status in the United States, and has agreed to deportation after he serves his sentence as a condition of his guilty plea.


Praful Patel of Fort Myers, Florida - sentenced to 60 months in prison 


In his plea, Praful Patel admitted that between in or around June 2013 and December 2015, he was a domestic runner who liquidated funds in and around Fort Myers, Florida for conspirators from India-based call center and organizational co-defendant HGLOBAL.  Praful Patel communicated extensively via WhatsApp texts with his conspirators.  For a percentage commission on transactions he conducted, Praful Patel admitted to purchasing reloadable GPR cards that were registered using the misappropriated PII of unsuspecting victims that were later used to receive victims’ funds, using those reloadable GPR cards containing victims’ funds to purchase money orders and depositing those money orders into bank accounts as directed, and using fake identity documents to receive wire transfers from victims.


Jerry Norris of Oakland, California - sentenced to 60 months in prison 


According to Norris’ guilty plea, beginning in or around January 2013 continuing through December 2014, he was a runner who worked with conspirators associated with India-based call center and organizational co-defendant HGLOBAL, and was responsible for the liquidation of victim scam funds in and around California.  Norris admitted he communicated extensively via WhatsApp and email with India-based co-defendants including Sagar “Shaggy” Thakar, purchased GPR cards used in the scheme, sent lead lists to conspirators in India that were then used by callers located in the call centers to target potential victims in the telefraud scheme, received scam proceeds via wire transfers using fictitious names, and laundered scam proceeds from GPR cards via ATM withdrawals.


Others sentenced whose guilty pleas were not mentioned above include: 


Montu Barot - 60 months in prison and removal to India after sentence

Rajesh Kumar - 60 months in prison 


Nilesh Pandya - sentenced to three years probation 


Dilipkumar R. Patel of Florida - sentenced to 52 months in prison 


Nisarg Patel of New Jersey - sentenced to 48 months in prison and removal to India.


Dipakkumar Patel, of Illinois, was sentenced to 51 months by Judge Eleanor Ross in Atlanta, Georgia.



Monday, September 10, 2018

Android Malware Intercepts SMS 2FA: We have the Logs!

A couple years ago I was doing some phishing investigations training at the Police School in Santiago, Chile.  One module in my training was called "Logs Don't Lie" which pointed out that in most cases we have everything we need to prioritize a phishing response just by looking at the log files, either on the compromised phishing server, or in the Financial Institutions own logs.

Malware C2 servers are another great place to apply the rule "Logs Don't Lie."  Most security researchers realize that there is a great cloud of fellow researchers on Twitter sharing little tips and glimpses of their investigations.  @LukasStefanko and @nullcookies and I have been looking at a C2 server for a piece of Android malware.  And the Logs are AMAZINGLY helpful at understanding just what kind of damage such a trojan can do!    (Sidenote:  @nullcookies is a monster for finding fresh and interesting phish (and often related tools), while @LukasStefanko is an awesome malware analyst for ESET, specializing in Android-based malware.  You should follow both on Twitter if you care about such things.  Thanks to them both for the pointer that leads to what follows.)

In this case, the malware is believed to be called "Anubis II" and likely uses the "Builder" that is depicted in this YouTube video, titled "Builder Android Bot Anubis 2"

Launcher the APK Builder "Android Botnet Anubis II" 

Malware actor chooses from his list of banking targets
In the comments section of the video, someone has shared a screen shot of the botmaster's control panel.  In this case it is demonstrating that 619 Android phones can be controlled from the botnet:

Phones that can be controlled from Anubis II control panel
In the particular instance referred to by Lukas and NullCookies, the malware seems to have been active primarily in June of 2018.   The server hosting the Anubis II panel has a list of banks that it can present.

The targets which have custom web inject (or phone inject) content include:
  • 7 Austrian banks
  • 18 Australian banks
  • 5 Canadian banks
  • 6 Czech banks
  • 11 German banks
  • 11 Spanish banks
  • 11 French banks
  • 8 Hong Kong banks
  • 11 Indian banks
  • 6 Japanese banks
  • 1 Kenyan bank
  • 4 New Zealand banks
  • 32 Polish banks
  • 4 Romanian banks
  • 9 Turkish banks
  • 10 UK banks (Bank of Scotland, Barclays, CSGCSDNMB, Halifax, HSBC, Natwest, Royal Bank of Scotland, Santander, TSB, Ulster)
  • 10 US banks (Bank of America, Capital One, Chase, Fifth Third, NetTeller, Skrill, SunTrust, USAA, US Bank, Wells Fargo Mobile)

Fake Android Login Pages for Banks 

While each of the 190 sites has a fake login page available, we thought we would show a sampling from banks around the world . . . 

There are also several Crypto Currency organizations listed:
  • blockchaine
  • coinbase
  • localbitcoin
  • unocoin
As well as some Online Payment, Email, and Social Media sites:
  • eBay
  • Facebook
  • Gmail
  • PayPal
  • ZebPay

Each bank on the list has the equivalent of a phishing page that can be presented if the owner of the android phone attempts to log in to the given bank.

 Some of them have silly typographical errors that will hopefully reduce success, such as this Wells Fargo content, inviting the phone owner to "Sing In" to the bank.  Perhaps there is a Wells Fargo Choir?  Hopefully that will cause victims to NOT fall for this particular malware!

The Wells Fargo Choir?  Sing On!


The SMS Intercepts

One of the main benefits of having access to the server was to see so many examples of successful SMS message intercepts!  At the time of the server dump, this one contained 32,900+ unique "keylog" entries and 52,000+ logged SMS messages from at least 47 unique devices.

Here's an example showing a Bank Two Factor Authentication request being forward to the criminals:

Text: Bank of Redacted: 819881 is your authorization code which expires in 10 minutes. If you didn't request the code, call 1.800.xxx.xxxx for assistance.

Keylogging was also enabled, allowing the criminal to see when a bank app was being used:

06/14/2018, 09:07:34 EDT|(FOCUSED)|[From:, REDACTED BANK, Account Number:, ******6680, Date:, May 30, 2018 10:10:42 AM EDT, Status:, Canceled, Amount:, $100.00, Type:, Deposit, Transfer ID:, 25098675]

In this example, an online payment company is sharing a message:

06/29/2018, 15:28:46 EDT|(CLICKED)|[Friendly reminderThis is Mr. XXXXXXX from REDACTED. This is a friendly reminder that you have a payment due today by 6pm If you have any questions or need to make a payment  via phone call 804-999-9999 or we have a new payment processing system that allows , for your convenience, to simply text in the last 4 digits of a card you've previously used and the security code and we're able to process your payment.  Feel free to call  REDACTED with any questions at 804-xxx-xxxx]

Hundreds of Gmail verification codes were found in the logs:

06/14/2018, 00:19:33 EDT|(FOCUSED)|[G-473953 is your Google verification code., 1 min ago]

Quite a few Uber codes were also found in the logs:

Text: [#] 9299 is your Uber code. qlRnn4A1sbt

Paypal, Quickbooks, LinkedIn, Facebook, Stash, and Stripe all had 2FA codes make appearances in the logs:

Text: FREE PayPal: Your security code is: 321842. Your code expires in 10 minutes. Please don't reply.

Text: [Your QuickBooks Self-Employed Code is 952708, 1 min ago]

Text: 383626 is your Facebook password reset code or reset your password here: https://fb.com/l/9wBUVuGxxxx5zC

Text: Your LinkedIn verification code is 967308.

Text: 103-667 is your Stripe verification code to use your payment info with Theresa.

Text: Your Stash verification code is 912037. Happy Stashing!

Text: Cash App: 157-578 is the sign in code you requested.

Text: Your verification code for GotHookup is: 7074

In a directory called "/numers/" there were also examples of address book dumps from phone contacts.  The small number of these seem to indicate this would be a "triggered" request, where the botnet operator would have to request the address book.  In the example we found, with seven area code (404) numbers, four (770) numbers and four (678) numbers, it is likely an Atlanta, Georgia based victim.

The Keylogging feature also seems to be something that is turned on or off by request of the botnet operators.  There were far fewer devices for which keylogs were found.   Example keylog entries looked like this:

A telephone prompt looked like this:


  • 06/15/2018, 14:38:55 EDT|(CLICKED)|[Call management, •, 10m, 4 missed calls, Ashley Brown (3), Mom]
  • 06/15/2018, 14:38:59 EDT|(CLICKED)|[Call Ashley Big Cousin, Quick contact for Ashley Brown]
  • 06/15/2018, 14:39:01 EDT|(CLICKED)|[1 804-999-9999, Mobile, Call Ashley Brown]


Responding to a message looked like this:


  • 06/15/2018, 16:02:34 EDT|(CLICKED)|[Messaging, •, now, Expand button, (804) 999-9999 , Hey Terry can you send the address, REPLY]
  • 06/15/2018, 16:02:37 EDT|(FOCUSED)|[Aa]
  • 06/15/2018, 16:02:46 EDT|(CLICKED)|[Copy, Forward, Delete]
  • 06/15/2018, 16:02:50 EDT|(FOCUSED)|[]
  • 06/15/2018, 16:02:54 EDT|(CLICKED)|[Messaging]
  • 06/15/2018, 16:02:57 EDT|(CLICKED)|[Enter message]
  • 06/15/2018, 16:05:11 EDT|(CLICKED)|[Answer]
  • 06/15/2018, 16:05:29 EDT|(CLICKED)|[]
  • 06/15/2018, 16:10:50 EDT|(FOCUSED)|[]
  • 06/15/2018, 16:10:52 EDT|(CLICKED)|[Enter]
  • 06/15/2018, 16:11:01 EDT|(FOCUSED)|[2007 Their Address Ct  North CityTheyTyped OK 11111]
  • 06/15/2018, 16:11:03 EDT|(FOCUSED)|[]
A YouTube session looked like this:


  • 06/27/2018, 15:23:36 EDT|(CLICKED)|[YouTube]
  • 06/27/2018, 15:23:46 EDT|(CLICKED)|[Pause video]
  • 06/27/2018, 15:41:19 EDT|(FOCUSED)|[14:46, Go to channel, FINDING OUT THE GENDER!!!, Menu, The Rush Fam · 26K views4 hours ago, 6:12, Go to channel, TRY NOT TO CRY CHALLENGE REACTION WITH KID (SHE ACTUALLY CRIED), Menu, CJ SO COOL · 2.5M views · 1 year ago, SUBSCRIBED]
  • 06/27/2018, 15:46:38 EDT|(FOCUSED)|[]
  • 06/27/2018, 15:46:41 EDT|(CLICKED)|[Enter]
  • 06/27/2018, 15:46:53 EDT|(CLICKED)|[Play video]
  • 06/27/2018, 15:48:06 EDT|(CLICKED)|[ · 0:11]
  • 06/27/2018, 15:48:09 EDT|(CLICKED)|[ · 0:09]
  • 06/27/2018, 15:48:10 EDT|(CLICKED)|[ · 0:08]
  • 06/27/2018, 15:54:30 EDT|(CLICKED)|[Suggested: "BREAKING UP IN FRONT OF COMPANY!!" PRANK ON PANTON SQUAD!!!]

Distribution 

From looking for this malware in various collections, such as Virus Total Intelligence, it seems that the malware is fairly common.  Many new versions of the malware show up in their collection every day.   The most common point of distribution seems to be from the Google Play Store.

A popularly reported stream of such apps was reported on by, well, just about everyone in July 2018.  Some of the headlines included:

Anubis Strikes Again: Mobile Malware continues to plague users in Official App Stores  - from IBM X-Force Research's Security Intelligence blog

Best graphic goes to Secure Computing Magazine:

https://www.scmagazine.com/


A more recent post, from AlienVault, (20 days ago):  "Anubis Android Malware in the Play Store

A search in VirusTotal Intelligence reveals 62 new filehashes ONLY FROM TODAY (September 10, 2018) that match a definition name of "Anubis".  Some of the more popular names for the trojan on VirusTotal include:

DrWeb:  Android.BankBot.1679
Ikarus: Trojan-Banker.AndroidOS.Anubis
Kaspersky: HEUR:Trojan-Dropper.AndroidOS.Hqwar.bbSophos: Andr/BankSpy-AH 




Kaspersky authored a special article on this banking trojan, which they call "HQWar" back in April under the headline "Phantom menace: mobile banking trojan modifications reach all-time high: Mobile banking Trojans hit the list of cyber-headaches in Q2 2018"   In that article they said they have documented 61,000 versions! 

Kaspersky: Phantom Menace
As I mentioned Lukas at the beginning of this blog, ESET has produced an amazing number of articles on Android banking trojans lurking in the Google Play store.  Here are a few of them:

Monday, September 03, 2018

India's Cosmos Bank Suffers Unlimited ATM Attack

On August 10th, many American Financial Institutions received a warning from the FBI that the Bureau had found evidence that criminals were plotting an "Unlimited Operation."  We've written about these Unlimited Attacks a number of times in the past in this blog, but this is the first time that we know of where the FBI announced the attack before hand.  In these attacks, hackers compromise the internal systems of a bank and gain control of systems that allow them to bypass or reset ATM withdrawal limits.  Then, the magnetic stripe information for a selected number of cards is shared with trusted cash-out gangs around the world, who make physical ATM cards with the stripe information encoded and stand by for the pre-arranged attack to begin.  Once zero-hour arrives, hundreds of cash-out gang members begin draining every ATM machine they can find.  Literally emptying the machines, with the balance available for withdrawal being magically reset in real time by the hackers inside the systems of the targeted bank.

The most famous Unlimited Attack was also one of the earliest, when $9 Million in cash was withdrawn from at least 2100 ATM machines in 280 cities around the world on November 7th and 8th, 2008 in the RBS WorldPay attack.  That was far surpassed in 2013, when cash-out gangs in 26 Countries stole $40M.  More recently, Standard Bank was victimized in the first Japanese Unlimited Attack in 2016, involving at least 14,000 "maximum" ATM withdrawals.

In this case, the FBI's prediction came true almost immediately, even before our favorite security journalist, Brian Krebs, was able to get his story out: FBI Warns of Unlimited ATM Cashout Blitz.

The Times of India reported on August 14th "How hackers siphoned over Rs 94 crore off a co-operative bank in Pune", revealing that the 112 year old Cosmos Bank was the target of the attack.  During this attack hackers were able to cause the ATM Network to approve "Rupay" transactions by validating the requests against a fake payment gateway controlled by the hackers.  In 2.5 hours, from 3 pm to 5:30 pm, 12,000 Visa card transactions withdrew Rs 78 crore (approximately $10.9 Million USD) before Cosmos Bank terminated all ATM Visa Transactions, however Rupay transactions continued until at least 10PM.  RuPay is an India-only card system designed to allow national payments in India without reliance on Visa and Mastercard.  2,890 India-based RuPay transactions totaled an additional Rs 2.5 crore ($351,500 USD).  In addition to the ATM damages, on August 13th, the same hackers wired Rs 13.94 crore (almost $2M  USD) to Hong Kong via a fraudulent SWIFT transfer.  (Three separate MT103 transactions were sent to ALM Trading Limited at Hang Seng Bank in Hong Kong, according to Securonix analysis of the event.  Securonix believes the behavior of the attackers is consistent with the North Korean based APT group known as "Lazarus Group".  MITRE's ATT&CK program (Adversarial Tactics, Techniques & Common Knowledge) provides more information on the Lazarus Group.

As with many previous Unlimited attacks, Cosmos Bank chairman Milind Kale said that no customer accounts were impacted, as these were "dummy" accounts that were established for the attack.  If this attack is like historical ones, many of the follow-up arrests will come from using ATM video footage to identify individual cash-out gangs and try to follow their communications back to the criminals who recruited them for the scheme.