Decrypting the Daam Malware: A Deep Dive Analysis of the Daam Malware Having Ransomware Capabilities

In this article, we will delve into the details of Daam Malware, a new threat that has ransomware capabilities. We will explore its origins, modus operandi, and ways to protect yourself from this malware. Read on to learn more.
Published on April 25, 2023

  • Category: Malware Intelligence
  • Region: Global

Executive Summary

On 17 April 2023, CloudSEK’s Threat Intelligence Research Team discovered a newly emerged malware, titled ‘Daam’. The malware was found to be communicating with various Android APK files, likely indicating the source of infection. While writing this report, two C2 panels were found operating on the following IPs:

  • 84[.]234[.]96[.]117[:]3000/#/login
  • 192[.]99[.]251[.]51[:]3000/#/login

The WebSocket associated with the above IP can be found at the following URL: hxxp[:]//192[.]99[.]251[.]51[:]3000/socket[.]io/?EIO=3&transport=websocket&sid=H1j-nXwa-LRJNA2AACsl

Note: Interestingly, this malware was also observed to have ransomware capabilities: it encrypts the files present in the root directory and on the SD card using the AES algorithm and drops a ‘readme_now.txt’ file.

Screenshot of the C2 panel of the Daam malware

Open Web Analysis

After analyzing the IP address (192[.]99[.]251[.]51) of the C2 panel using the Open Web, it was discovered that the panel was in communication with several APK files that had been recently uncovered.

Screenshot showing the C2 panel communicating with different APKs

While writing this report, CloudSEK researchers observed multiple websites offering free versions of these applications while some of them are already being marked as malicious/suspicious on various online sandboxing platforms. As of the time of writing this report, the applications detected on some of these platforms were added as recently as 3 days ago, coinciding with the date of detection of the C2 panel.

List of Websites Distributing The APKs

  • napkforpc.com
  • apk-new.com
  • Andyroid.net
  • Apkod.com
  • Androidfreeware.mobi
  • 333download.com
  • Downloadpark.mobi
  • Androidtop.net
  • apktoy.com

About the Malicious APKs

A simple Google search about the applications provided the following descriptions about them:

  • Psiphon Client for Android and Windows: Psiphon is circumvention software for Windows and Mobile platforms that provides uncensored access to Internet content.
  • Boulders: Boulders is a game where your main aim is to grab all the treasure from a mine and make it out alive.
  • Currency Pro: Currency Pro is a currency converter that provides the world's foreign currency conversion rates.

Technical Analysis

Upon investigation, the CloudSEK research team discovered that the aforementioned three applications utilize a common malicious package named "com.android.callservice". These trojanized applications were being used to distribute the Daam malware. Although the analyzed applications do not themselves exhibit any malicious behaviour, the packages utilizing this file engage in malicious activities such as retrieving the names of Google accounts, recording phone and VoIP calls and audio, gaining access to the camera, modifying the device password, accessing contact lists, capturing screenshots, stealing SMS messages, taking Chrome browser bookmarks, downloading/uploading files, encrypting files with the AES algorithm, etc.

To Note:

During the dynamic analysis of the malware, it was noticed that the malware, once installed on the victim's device, conducted environment-related checks that limited its full functionality. These checks were triggered when the malware sent a request to the Command and Control (C2) server using the WebSocket protocol, and the request was configured based on the victim's device configuration.

Device information exfiltration by the malware in the background

Permissions Requested by the Malware

Once installed on an Android device, the malicious applications are granted access to highly sensitive permissions including RECORD_AUDIO, READ_HISTORY_BOOKMARK, KILL_BACKGROUND_PROCESSES, and READ_CALL_LOGS.

User permissions of a sensitive nature that have been requested by the malicious application
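The permission set above is a useful first-pass triage signal when an APK's manifest has already been decoded to plain XML (for example with apktool). The following script is an added example, not code from the report or from CloudSEK: it parses a decoded AndroidManifest.xml, lists which of the report's sensitive permissions are requested, and flags any declared component whose class name lives under the "com.android.callservice" package the report ties to Daam. The fully-qualified permission names are assumed to be the standard Android constants behind the report's shorthand (READ_HISTORY_BOOKMARK and READ_CALL_LOGS in the report), and the sample manifest is constructed for illustration.

```python
import xml.etree.ElementTree as ET
from typing import Dict, List

ANDROID_NS = "http://schemas.android.com/apk/res/android"
NAME_ATTR = f"{{{ANDROID_NS}}}name"

# Fully-qualified forms of the permissions the report lists (assumed mapping
# from the report's shorthand to the standard Android permission constants).
SENSITIVE_PERMISSIONS = {
    "android.permission.RECORD_AUDIO",
    "com.android.browser.permission.READ_HISTORY_BOOKMARKS",
    "android.permission.KILL_BACKGROUND_PROCESSES",
    "android.permission.READ_CALL_LOG",
}

# Package prefix the report ties to the Daam samples.
SUSPECT_PACKAGE_PREFIX = "com.android.callservice"


def triage_manifest(manifest_xml: str) -> Dict[str, object]:
    """Parse a decoded AndroidManifest.xml and flag the indicators from the report.

    Returns the declared package name, the requested permissions that fall in
    SENSITIVE_PERMISSIONS, and every component declared under <application>
    (activity/service/receiver/provider) whose class lives under
    SUSPECT_PACKAGE_PREFIX.
    """
    root = ET.fromstring(manifest_xml)
    requested = [el.get(NAME_ATTR, "") for el in root.iter("uses-permission")]
    sensitive = sorted(p for p in requested if p in SENSITIVE_PERMISSIONS)

    components: List[str] = []
    application = root.find("application")
    if application is not None:
        for el in application.iter():
            name = el.get(NAME_ATTR, "")
            if name.startswith(SUSPECT_PACKAGE_PREFIX):
                components.append(name)

    return {
        "package": root.get("package", ""),
        "sensitive_permissions": sensitive,
        "callservice_components": sorted(components),
        # Triage verdict: the callservice package alone is enough to pull the
        # sample for deeper analysis; several sensitive permissions together
        # are a weaker but still notable signal.
        "flag_for_review": bool(components) or len(sensitive) >= 2,
    }


# Constructed manifest mimicking a trojanized utility app (not a real sample).
SAMPLE_MANIFEST = """<?xml version="1.0" encoding="utf-8"?>
<manifest xmlns:android="http://schemas.android.com/apk/res/android"
          package="com.example.currencypro">
  <uses-permission android:name="android.permission.INTERNET"/>
  <uses-permission android:name="android.permission.RECORD_AUDIO"/>
  <uses-permission android:name="android.permission.READ_CALL_LOG"/>
  <uses-permission android:name="android.permission.KILL_BACKGROUND_PROCESSES"/>
  <uses-permission android:name="com.android.browser.permission.READ_HISTORY_BOOKMARKS"/>
  <uses-permission android:name="android.permission.READ_CONTACTS"/>
  <application android:label="Currency Pro">
    <activity android:name="com.example.currencypro.MainActivity"/>
    <service android:name="com.android.callservice.CallRecordService"/>
    <receiver android:name="com.android.callservice.BootReceiver"/>
  </application>
</manifest>
"""

if __name__ == "__main__":
    for key, value in triage_manifest(SAMPLE_MANIFEST).items():
        print(f"{key}: {value}")
```

Run it against a directory of decoded manifests and review anything with `flag_for_review` set; the permission list alone will produce hits on legitimate dialer or recorder apps, so the component check is the stronger of the two signals.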

Features of the Malware

Security Checks Bypass

The malware is capable of circumventing security checks on a range of mobile brands.

Security check bypasses implemented by the malware

Recording Audio & Phone/VoIP Calls

The Daam malware has the ability to record all ongoing calls (phone and VoIP) on a victim's device and subsequently transmit them to the C2 server.

Code snippet responsible for recording calls on the affected device

The malware also searches for certain package IDs of applications that provide VoIP services, such as WhatsApp, Hike, etc., in order to record VoIP calls.

Code snippet depicting the package IDs searched by the malware for recording VoIP calls

File Exfiltration

The malware can traverse through all the readable local directories and is capable of exfiltrating all the files from the victim’s device.

Code snippet responsible for file exfiltration

Stealing Contacts

In addition to stealing contacts from a victim's device, the Daam malware is also capable of pilfering newly added contacts.

Code snippet responsible for stealing newly created contacts from the victim’s device

File Encryption

The malware has been skillfully crafted to utilize the AES encryption algorithm to encrypt all files on the device without the owner's consent. Following encryption, the original files are deleted from local storage, leaving only the encrypted copies with a .enc extension.

Code snippet responsible for the encryption of files on the victim’s device

Impact

  • The exposed PII could enable other threat actors to orchestrate social engineering schemes, phishing attacks, and identity theft.  
  • If the encrypted system contains critical data which is not backed up, the victim will be left with no option but to pay the ransom.
  • Since password reuse is a common practice, threat actors could leverage the exposed credentials to gain access to the users’ other accounts.
  • In addition to its encryption capabilities, the malware can also change the device password, locking users out of their devices.

Mitigation

  • Monitor user accounts and devices for anomalies that could indicate a compromise. This includes noisy calls, devices heating up or slowing down, battery issues, apps operating abnormally, unusual notifications, etc.
  • Install a strong antivirus on the device to detect malicious signatures.
  • Enable all the Google Privacy Protection policies that block and warn users when downloading malicious applications.
  • Look out for applications asking for permissions they do not need in order to operate.
  • Never download applications from unknown sources and repositories, as there is a high chance they contain obfuscated malicious code.*

*While statistics indicate that third-party websites may host a higher percentage of malicious or infected files, it's important to exercise caution and do your research before downloading any application from an unfamiliar source.

Indicators of Compromise (IOCs)

MD5

  • 49cfc64d9f0355fadc93679a86e92982
  • 99580a341b486a2f8b177f20dc6f782e
  • ee6aec48e19191ba6efc4c65ff45a88e

SHA-1

  • 67a3def7ad736df94c8c50947f785c0926142b69
  • bc826967c90acc08f1f70aa018f5d13f31521b92
  • f3b135555ae731b5499502f3b69724944ab367d5

SHA-256

  • 37d4c5a0ea070fe0a1a2703914bf442b4285658b31d220f974adcf953b041e11
  • 184356d900a545a2d545ab96fa6dd7b46f881a1a80ed134db1c65225e8fa902b
  • 0fdfbf20e59b28181801274ad23b951106c6f7a516eb914efd427b6617630f30

SHA-512

  • 2b82d39be969fd0d92986de1806f011ca2b99f159967d1aee2dfd8f175e1730e57741e91edb5e1244a61bc76bac64260416b16fa95d27aaa2eb259a8cb746496
  • d2cfbc281fe353b8018cb4e7a861a551f0ebfccb65aa03e964109db8f0caf424eace828f268f01d99d074c89990dc2e7091ba3971c513d781dd4792212463957
  • 0f1fb2554bd05df4c4987f64fc9c22695cb2f0951b1b46202fb0aa24ff5008d14dfd2782e1c508b5534c16c024034d75b72cee2aebeeb4337e0fda69314ee0db

File names

  • Boulder.s.apk
  • PsiphonAndroid.s.apk
  • Currency_Pro_v3.6.2.apk

Command and Control

  • 192.99.251[.]51
  • 84.234.96[.]117
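The indicators above are published defanged, so they need a small amount of handling before they can be used for hunting. The script below is an added example, not code from the report or from CloudSEK. It embeds the hashes and C2 addresses exactly as listed, refangs the C2 values, checks a file's digests against the hash set, searches log lines for the C2 IPs as whole addresses, and counts the artefacts the File Encryption section attributes to Daam (files with a .enc extension and a readme_now.txt note). The proxy log lines and file listing are constructed for illustration, and the log format is an assumption.

```python
import hashlib
import re
from typing import Dict, Iterable, List, Set

# Hash indicators copied from the report.
IOC_HASHES: Dict[str, Set[str]] = {
    "md5": {
        "49cfc64d9f0355fadc93679a86e92982",
        "99580a341b486a2f8b177f20dc6f782e",
        "ee6aec48e19191ba6efc4c65ff45a88e",
    },
    "sha1": {
        "67a3def7ad736df94c8c50947f785c0926142b69",
        "bc826967c90acc08f1f70aa018f5d13f31521b92",
        "f3b135555ae731b5499502f3b69724944ab367d5",
    },
    "sha256": {
        "37d4c5a0ea070fe0a1a2703914bf442b4285658b31d220f974adcf953b041e11",
        "184356d900a545a2d545ab96fa6dd7b46f881a1a80ed134db1c65225e8fa902b",
        "0fdfbf20e59b28181801274ad23b951106c6f7a516eb914efd427b6617630f30",
    },
    "sha512": {
        "2b82d39be969fd0d92986de1806f011ca2b99f159967d1aee2dfd8f175e1730e57741e91edb5e1244a61bc76bac64260416b16fa95d27aaa2eb259a8cb746496",
        "d2cfbc281fe353b8018cb4e7a861a551f0ebfccb65aa03e964109db8f0caf424eace828f268f01d99d074c89990dc2e7091ba3971c513d781dd4792212463957",
        "0f1fb2554bd05df4c4987f64fc9c22695cb2f0951b1b46202fb0aa24ff5008d14dfd2782e1c508b5534c16c024034d75b72cee2aebeeb4337e0fda69314ee0db",
    },
}

# C2 addresses exactly as defanged in the report.
DEFANGED_C2 = ["192.99.251[.]51", "84.234.96[.]117"]


def refang(indicator: str) -> str:
    """Undo the defanging used in the report so a value can be matched in logs."""
    value = indicator.replace("[.]", ".").replace("[:]", ":")
    return re.sub(r"^hxxp", "http", value, flags=re.IGNORECASE)


def digests(data: bytes) -> Dict[str, str]:
    """Compute every digest type the report publishes for a file's bytes."""
    return {algo: hashlib.new(algo, data).hexdigest() for algo in IOC_HASHES}


def match_hash_iocs(data: bytes, iocs: Dict[str, Set[str]] = IOC_HASHES) -> List[str]:
    """Return the algorithms whose digest of `data` is in the IoC set (empty list if none)."""
    computed = digests(data)
    return sorted(algo for algo, hexval in computed.items()
                  if hexval.lower() in iocs.get(algo, set()))


def c2_hits(log_lines: Iterable[str], c2_ips: Iterable[str]) -> List[str]:
    """Return log lines containing a C2 IP as a whole address, not as part of a longer one."""
    patterns = [re.compile(r"(?<![\d.])" + re.escape(refang(ip)) + r"(?![\d.])")
                for ip in c2_ips]
    return [line for line in log_lines if any(p.search(line) for p in patterns)]


def ransomware_footprint(file_names: Iterable[str]) -> Dict[str, object]:
    """Count the artefacts the report ties to Daam's encryption: .enc files and readme_now.txt."""
    names = list(file_names)
    enc_files = [n for n in names if n.lower().endswith(".enc")]
    note_present = any(n.rsplit("/", 1)[-1].lower() == "readme_now.txt" for n in names)
    return {"encrypted_files": len(enc_files), "ransom_note": note_present,
            "suspect": note_present or bool(enc_files)}


# Constructed proxy log lines (assumed format); the last one deliberately
# contains a longer address that must not match 192.99.251.51.
SAMPLE_LOG = [
    "2023-04-18T10:01:07Z proxy src=10.0.0.12 dst=192.99.251.51:3000 path=/socket.io/?EIO=3&transport=websocket",
    "2023-04-18T10:01:09Z proxy src=10.0.0.12 dst=142.250.74.46:443 path=/",
    "2023-04-18T10:02:15Z proxy src=10.0.0.31 dst=84.234.96.117:3000 path=/",
    "2023-04-18T10:02:20Z proxy src=10.0.0.31 dst=192.99.251.510:80 path=/",
]

# Constructed file listing from a device's SD card.
SAMPLE_FILES = ["/sdcard/DCIM/IMG_001.jpg.enc", "/sdcard/readme_now.txt", "/sdcard/Download/doc.pdf"]

if __name__ == "__main__":
    print("C2 hits:", c2_hits(SAMPLE_LOG, DEFANGED_C2))
    print("Footprint:", ransomware_footprint(SAMPLE_FILES))
    print("Hash match on constructed data:", match_hash_iocs(b"constructed benign content"))
```

Feed `match_hash_iocs` the bytes of each APK under review and `c2_hits` your proxy or DNS logs; the footprint check is the quickest way to confirm on a device whether the encryption routine has already run.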

Appendix

Websites distributing unofficial versions of affected applications that can likely be malicious
