by Rahul Sasi
CloudSEK is an artificial intelligence technology-based risk management enterprise, which focuses on customized, intelligent security monitors.
CloudSEK’s SaaS-based products help a client, assess security real-time from the perspective of an attacker 24*7. Our monitors track our client’s various Internet-based resources for potential security risks. Instead of using traditional static threat detection engines and manual verification process our monitors use Machine Learning and Artificial Intelligence to identify threats.
The blog is an analysis of some critical information CloudSEK acquired from our data partner.
CloudSEK monitors were researching the activities of an APT [Advanced persistent threat ] that is targeting software companies globally.What is interesting is this APT appear to conduct widespread intellectual property theft for economic gains, targeted individuals as well as performed intelligence gathering that would be useful for governments. Based on our analysis , the attacker have recently launched campaigns to target Christmas season. Malware masquerades as Santa Claus and many similar Christmas Apps.
Brief Overview :
CloudSEK was monitoring an underground hacking team, that was selling a Desktop malware in various underground forums. The desktop malware is specifically designed for jumping air-gapped systems , and given the type of documents the attackers are seeking , it was collecting classified data from software companies and government organisations.
The desktop malware after successful installation proceeds to callback to its controllers located in Germany . The main attraction of this Trojan is the capability to collect data from air-gapped systems. The trojan gathers system information and disk information and sends that to the controller. The malware collects two sets of data:
One of the features was a USB module that is capable of collecting data from air-gapped systems [No internet access] . This module copies important data from an infected system to a plugged-in USB device till it reaches an infect machine that has got internet access. The malware was also copying trash folder from infected system into a hidden volume on the connected USB .
CloudSEK was able to obtain more information on attackers infrastructure and was able to identify how exfiltrated data was placed on the attacker’s servers . We observed that the data collected are stored in a folders marked by an infection id on the controllers. Each victim will has an infection id and a folder related to his/her data.
Controllers seemed to have almost 120 GB of data as Malware and are constantly collecting critical files from infected machines. The collected data are kept in their respective folders.
Even though there were folders for key-logging and voice recording no actual code for this was found within the trojan nor any data on the controllers. It is possible the Trojan is still under development.
Based on many artefacts collected from this malware, controllers as well as passive dns query, its is confirmed that a company based in South Asia is responsible for the development of this malware. This company would be referred as santa-apt from here on. This company on its website says that they provide software development consultation as well as provides spy softwares to monitor employees. Based on the above, CloudSEK monitors were constantly tracking this hacking team and our trackers were able to find the following information.
- CloudSEK found that Santa-APT is recruiting for Mobile App developers.
- Many of the developers who are working for Santa-APT has mobile application background [IPhone and Android ].
- We identified Santa-APT Mobile malware are masquerading as Games and utilities.
- And recently attackers started pushing malware pretending to be Santa Clause games.
- We identified many malware controllers used by Santa-APT .
- One of the malware controllers managed by Santa-APT belongs to a mobile malware .
- The mobile malware controller had nearly 8k infections .
Screenshot of the Android and iOS Malware used by the team:
We were able to get more information about the controllers and how collected data was monitored on the controllers. Further in this blog we would explain in detail about the various operations performed by the Mobile malware.
CloudSEK monitors were constantly tracking this hacking team and their infrastructure . While checking the contents of many applications owned by Santa-apt, we identified their mobile malware. The mobile malware after infection connected back to a C&C server over http. This IP was in the same network range as the desktop malware and was hosted in Germany. The application is a mobile malware admin interface code named as “top gun”. There were almost 8k infected mobile users on that control panel.
CloudSEK was able to collect more data about the internal working of the mobile malware.
The controller had admin users as well as normal users:
Each infected user data could be viewed by logging in with a username and password on the user panel .
User Data Dashboard:
The mobile malware had the feature to upload the following data to the control panel.
- Call Records
- Location Info
- Cam Shots
- Environment Recordings
- Browser History
- Program Info
- Change Sim Card
- Device Status
That’s pretty much everything on the phone. And like every other android malware , the user has to grant permissions for app, and our Santa request for all the possible permissions.
It has a feature to upload minute-by-minute location of the user.
Stolen SMS from infected Phones:
Attacks were capable to play recorded call messages.
View/play call records:
Uploaded gallery contents video/image from infected phones:
An interesting feature to the controller was an option to send an alert to attacker if his victims leaves a particular region on map or enters a pre set region. This way attackers could track if his victim has reached office or left office. So if victims enters/leaves a pre set location, then the attackers gets an sms notification. Triggers are also made for calls and sms from a preset individual.
Triggers could be used to record the environment of the user and upload back to the server.
This Christmas make sure you think about security before installing an app.Verify the permissions you are granting an application before accepting them. Ensure that an application has enough legitimate reviews . And last but not the least, do not let someone else install any application on your official/personal devices.
CloudSEK’s SaaS-based solution monitor client’s online assets from the perspective of an attacker 24/7 . CloudSEK monitor leverages modern machine learning technology to detect threats real time and provide actionable intelligence.
The target of this APT are so diverse, ranging from government officials , high profile individuals to engineers from technology companies . More attribution , victim informations and artefacts about Santa-APT could be provided on request at [theoracle (-@-) cloudsek.com ]