- Category: Malware Intelligence
- Region: Global
Executive Summary
On 17 April 2023, CloudSEK's Threat Intelligence Research Team discovered a newly emerged Android malware, titled 'Daam'. Its command-and-control (C2) infrastructure was found communicating with several Android APK files, which likely indicates the source of infection. At the time of writing, two C2 panels were operating at the following IPs:
- 84[.]234[.]96[.]117[:]3000/#/login
- 192[.]99[.]251[.]51[:]3000/#/login
The WebSocket endpoint associated with the second IP (192[.]99[.]251[.]51) was observed at the following URL; note that the sid value is a per-session Engine.IO identifier assigned by the server and will differ between connections, so it should not be used as an indicator: hxxp[:]//192[.]99[.]251[.]51[:]3000/socket[.]io/?EIO=3&transport=websocket&sid=H1j-nXwa-LRJNA2AACsl
Note: Interestingly, this malware also has ransomware capabilities: it encrypts files in the device's root directory and on the SD card using AES and drops a 'readme_now.txt' ransom note.
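The C2 beacon runs over a Socket.IO/Engine.IO WebSocket on port 3000, which gives a concrete thing to hunt for in proxy logs. The script below is an added example (not CloudSEK's code and not tooling from the report): it takes the two panel IPs, the port and the shape of the socket.io URL from the report, and classifies proxy log lines accordingly. The log lines are constructed, including the second sid value, and the sid is deliberately ignored for matching because Engine.IO assigns it per session.

```python
"""Detect Engine.IO/Socket.IO WebSocket handshakes to the Daam C2 panels.

Added example, not CloudSEK's code. The C2 IPs, port and the shape of the
socket.io URL come from the report; the proxy log lines below are constructed.
The Engine.IO `sid` is assigned per session by the server, so it is
deliberately not used for matching.
"""
from urllib.parse import urlsplit, parse_qs

# C2 panel hosts and port from the report (de-fanging removed for matching).
DAAM_C2_HOSTS = {"84.234.96.117", "192.99.251.51"}
DAAM_C2_PORT = 3000

# Constructed proxy log: "<timestamp> <client_ip> <method> <url> <status>"
SAMPLE_PROXY_LOG = """\
2023-04-17T10:01:02Z 10.0.0.5 GET http://192.99.251.51:3000/socket.io/?EIO=3&transport=polling&t=NSx9Qb1 200
2023-04-17T10:01:03Z 10.0.0.5 GET http://192.99.251.51:3000/socket.io/?EIO=3&transport=websocket&sid=H1j-nXwa-LRJNA2AACsl 101
2023-04-17T10:02:15Z 10.0.0.7 GET http://84.234.96.117:3000/socket.io/?EIO=3&transport=websocket&sid=constructedSid01 101
2023-04-17T10:03:00Z 10.0.0.9 GET https://chat.example.com/socket.io/?EIO=4&transport=websocket&sid=abc 101
2023-04-17T10:04:00Z 10.0.0.5 GET http://192.99.251.51:3000/#/login 200
2023-04-17T10:05:00Z 10.0.0.9 GET https://www.example.com/index.html 200
"""


def parse_engineio(url):
    """Return Engine.IO handshake fields if `url` is a socket.io endpoint, else None."""
    parts = urlsplit(url)
    if not parts.path.rstrip("/").endswith("/socket.io"):
        return None
    query = parse_qs(parts.query)
    return {
        "host": parts.hostname,
        "port": parts.port,
        "eio": query.get("EIO", [None])[0],
        "transport": query.get("transport", [None])[0],
    }


def classify(url):
    """Verdict for one URL:
    'c2-websocket'   - WebSocket upgrade to a known Daam panel (the beacon channel)
    'c2-other'       - any other request to a Daam panel (login page, polling handshake)
    'engineio-other' - socket.io traffic to a host not in the IOC list (for hunting)
    None             - nothing of interest
    """
    parts = urlsplit(url)
    to_c2 = parts.hostname in DAAM_C2_HOSTS and parts.port == DAAM_C2_PORT
    handshake = parse_engineio(url)
    if to_c2 and handshake and handshake["transport"] == "websocket":
        return "c2-websocket"
    if to_c2:
        return "c2-other"
    if handshake:
        return "engineio-other"
    return None


def scan_proxy_log(text):
    """Return (client_ip, verdict, url) for every log line that gets a verdict."""
    hits = []
    for line in text.splitlines():
        fields = line.split()
        if len(fields) < 5:
            continue  # malformed line, skip it
        client_ip, url = fields[1], fields[3]
        verdict = classify(url)
        if verdict:
            hits.append((client_ip, verdict, url))
    return hits


if __name__ == "__main__":
    for client_ip, verdict, url in scan_proxy_log(SAMPLE_PROXY_LOG):
        print(f"{verdict:15} {client_ip:10} {url}")
```

The 'engineio-other' verdict is there for hunting: once the two panel IPs rotate, the distinctive part of the beacon is still a Socket.IO handshake on a bare IP and a non-standard port, and that is the shape to pivot on.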
Open Web Analysis
After analysing the IP address (192[.]99[.]251[.]51) of the C2 panel on the open web, it was discovered that the panel was in communication with several recently uncovered APK files.
At the time of writing, CloudSEK researchers observed multiple websites offering free versions of these applications, some of which are already marked as malicious/suspicious on online sandboxing platforms. The most recent submissions of these applications to those platforms were added just 3 days before this report was written, coinciding with the date the C2 panel was detected.
About the Malicious APKs
A simple Google search about the applications provided the following descriptions about them:
- Psiphon Client for Android and Windows: Psiphon is circumvention software for Windows and Mobile platforms that provides uncensored access to Internet content.
- Boulders: Boulders is a game where your main aim is to grab all the treasure from a mine and make it out alive.
- Currency Pro: Currency Pro is a currency converter that provides the world's foreign currency conversion rates.
Technical Analysis
Upon investigation, the CloudSEK research team found that all three applications carry a common malicious package named "com.android.callservice". These trojanized applications were being used to distribute the Daam malware. Although the analysed samples did not exhibit this malicious behaviour during dynamic analysis (see the note below on environment checks), the packages carrying this file are built to perform malicious activities such as retrieving the names of Google accounts on the device, recording phone calls, VoIP calls and ambient audio, accessing the camera, changing the device password, reading the contact list, capturing screenshots, stealing SMS messages, collecting Chrome browser bookmarks, downloading and uploading files, and encrypting files with the AES algorithm.
Note:
During dynamic analysis it was noticed that, once installed on the victim's device, the malware performs environment-related checks that limited its full functionality in our test setup. These checks are triggered when the malware sends its first request to the Command and Control (C2) server over WebSocket; that request is populated from the victim's device configuration.
Permissions Requested by the Malware
Once installed on an Android device, the malicious applications request, and on user approval are granted, highly sensitive permissions including RECORD_AUDIO, READ_HISTORY_BOOKMARKS (com.android.browser.permission.READ_HISTORY_BOOKMARKS), KILL_BACKGROUND_PROCESSES and READ_CALL_LOG.
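A quick way to triage a suspect build is to check its manifest for this permission set together with components from the "com.android.callservice" package. The script below is an added example, not CloudSEK tooling: it works on a manifest already decoded to plain XML (the manifest inside an APK is binary XML, so run apktool or similar first). Both manifests are constructed; the app package name "com.example.currencypro" and the service class name "com.android.callservice.MainService" are placeholders, while the flagged permissions and the package prefix are the ones named in this report.

```python
"""Triage permissions and components from a decoded AndroidManifest.xml.

Added example, not CloudSEK tooling. Expects a manifest already decoded to plain
XML (e.g. by apktool). Both manifests below are constructed; the flagged
permission set is the one the report lists for Daam (canonical identifiers),
and the component check uses the malicious package prefix the report names.
"""
import xml.etree.ElementTree as ET

ANDROID_NS = "http://schemas.android.com/apk/res/android"
NAME_ATTR = "{%s}name" % ANDROID_NS

# Permissions the report lists for the trojanized APKs (canonical identifiers).
DAAM_PERMISSIONS = {
    "android.permission.RECORD_AUDIO",
    "android.permission.READ_CALL_LOG",
    "android.permission.KILL_BACKGROUND_PROCESSES",
    "com.android.browser.permission.READ_HISTORY_BOOKMARKS",
}
# Package prefix of the malicious code the report found in all three APKs.
DAAM_PACKAGE_PREFIX = "com.android.callservice."
COMPONENT_TAGS = ("activity", "service", "receiver", "provider")

# Constructed manifest for a trojanized currency-converter build. The app package
# name and the service class name are placeholders, not values from the report.
TROJANIZED_MANIFEST = """\
<manifest xmlns:android="http://schemas.android.com/apk/res/android"
          package="com.example.currencypro">
  <uses-permission android:name="android.permission.INTERNET"/>
  <uses-permission android:name="android.permission.RECORD_AUDIO"/>
  <uses-permission android:name="android.permission.READ_CALL_LOG"/>
  <uses-permission android:name="android.permission.KILL_BACKGROUND_PROCESSES"/>
  <uses-permission android:name="com.android.browser.permission.READ_HISTORY_BOOKMARKS"/>
  <application android:label="Currency Pro">
    <activity android:name=".MainActivity"/>
    <service android:name="com.android.callservice.MainService"/>
  </application>
</manifest>
"""

# Constructed manifest for a clean build of the same kind of app.
CLEAN_MANIFEST = """\
<manifest xmlns:android="http://schemas.android.com/apk/res/android"
          package="com.example.currencypro">
  <uses-permission android:name="android.permission.INTERNET"/>
  <uses-permission android:name="android.permission.ACCESS_NETWORK_STATE"/>
  <application android:label="Currency Pro">
    <activity android:name=".MainActivity"/>
  </application>
</manifest>
"""


def requested_permissions(manifest_xml):
    """Set of android:name values from every <uses-permission> element."""
    root = ET.fromstring(manifest_xml)
    return {el.get(NAME_ATTR) for el in root.iter("uses-permission") if el.get(NAME_ATTR)}


def components(manifest_xml):
    """Fully qualified class names of all declared app components."""
    root = ET.fromstring(manifest_xml)
    names = []
    for tag in COMPONENT_TAGS:
        for el in root.iter(tag):
            name = el.get(NAME_ATTR)
            if not name:
                continue
            if name.startswith("."):  # relative to the app package; expand it
                name = root.get("package", "") + name
            names.append(name)
    return names


def triage(manifest_xml):
    """Score one manifest against the Daam indicators and return the findings."""
    perms = requested_permissions(manifest_xml)
    bad_components = [c for c in components(manifest_xml) if c.startswith(DAAM_PACKAGE_PREFIX)]
    # Verdict: the malicious package is present, or the app asks for the
    # full spyware permission set the report describes.
    suspect = bool(bad_components) or DAAM_PERMISSIONS <= perms
    return {
        "permissions": sorted(perms),
        "daam_permission_overlap": sorted(perms & DAAM_PERMISSIONS),
        "callservice_components": bad_components,
        "suspect": suspect,
    }


if __name__ == "__main__":
    for label, manifest in (("trojanized", TROJANIZED_MANIFEST), ("clean", CLEAN_MANIFEST)):
        print(label, triage(manifest))
```

Permissions alone are a weak signal (a genuine dialer legitimately holds READ_CALL_LOG), which is why the verdict only fires on the full set or on a component from the malicious package; a real pipeline would treat the overlap list as a score to combine with other findings.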
Features of the Malware
Security Checks Bypass
The malware is capable of circumventing security checks on a range of mobile brands.
Recording Audio & Phone/VoIP Calls
The Daam malware can record ongoing phone and VoIP calls on the victim's device and subsequently transmit the recordings to the C2 server.
The malware also searches for certain package IDs of applications that provide VoIP services, such as WhatsApp, Hike, etc., in order to record VoIP calls.
File Exfiltration
The malware can traverse through all the readable local directories and is capable of exfiltrating all the files from the victim’s device.
Stealing Contacts
In addition to stealing the existing contacts on a victim's device, the Daam malware also captures contacts added after infection.
File Encryption
The malware uses the AES encryption algorithm to encrypt all files on the device without the owner's consent. After encryption, the original files are deleted from local storage, leaving only the encrypted copies, which carry a .enc extension.
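For an incident responder, the two artefacts described here (files renamed with .enc and the dropped readme_now.txt) are what to look for on a pulled file system. The script below is an added example, not CloudSEK's code: it walks a directory tree, counts both artefacts, and checks that .enc contents are actually high-entropy so that a plaintext file merely named .enc is not counted as ciphertext. The sample tree is constructed in a temporary directory, with random bytes standing in for AES output and a placeholder note.

```python
"""Triage a file tree for Daam-style encryption artefacts.

Added example, not CloudSEK's code. Looks for the two artefacts the report
describes (.enc files and readme_now.txt) and checks that .enc contents are
high-entropy, as AES ciphertext is close to 8 bits per byte. The sample tree is
constructed; random bytes stand in for ciphertext.
"""
import math
import os
import tempfile
from collections import Counter
from pathlib import Path

RANSOM_NOTE = "readme_now.txt"
ENC_SUFFIX = ".enc"
HIGH_ENTROPY = 7.5  # bits/byte threshold; encrypted (or compressed) data sits above it


def shannon_entropy(data):
    """Shannon entropy of a byte string in bits per byte (0.0 for empty input)."""
    if not data:
        return 0.0
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in Counter(data).values())


def triage_tree(root):
    """Walk `root` and summarise encryption artefacts found beneath it."""
    root = Path(root)
    enc_files, notes, plaintext_enc = [], [], []
    for path in root.rglob("*"):
        if not path.is_file():
            continue
        if path.name.lower() == RANSOM_NOTE:
            notes.append(path)
        elif path.suffix.lower() == ENC_SUFFIX:
            enc_files.append(path)
            if shannon_entropy(path.read_bytes()) < HIGH_ENTROPY:
                plaintext_enc.append(path)  # .enc name but not ciphertext
    return {
        "enc_files": len(enc_files),
        "ransom_notes": len(notes),
        "plaintext_enc": len(plaintext_enc),
        # Both artefacts together are the pattern the report describes.
        "daam_pattern": bool(enc_files) and bool(notes),
    }


def build_sample_tree():
    """Constructed sample: two 'encrypted' files, a ransom note at the root,
    one untouched file and a decoy .enc that is really plaintext."""
    base = Path(tempfile.mkdtemp(prefix="daam-triage-"))
    dcim = base / "sdcard" / "DCIM"
    dcim.mkdir(parents=True)
    (dcim / "IMG_0001.jpg.enc").write_bytes(os.urandom(4096))
    (dcim / "notes.txt.enc").write_bytes(os.urandom(2048))
    (dcim / "untouched.txt").write_text("still readable\n")
    (dcim / "decoy.enc").write_bytes(b"A" * 4096)
    (base / RANSOM_NOTE).write_text("constructed placeholder for the dropped note\n")
    return str(base)


if __name__ == "__main__":
    print(triage_tree(build_sample_tree()))
```

The entropy check matters because the extension is the cheapest thing for an analyst to be fooled by: a high count of .enc files whose contents are low-entropy points at something other than the AES routine described here, and the plaintext_enc counter surfaces exactly those files for a closer look.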
Impact
- The exposed PII could enable other threat actors to orchestrate social engineering schemes, phishing attacks and identity theft.
- If the device holds critical data that is not backed up, the victim may be left with no option but to pay the ransom.
- Since password reuse is common, any credentials exposed from the device could be leveraged to gain access to the user's other accounts.
- In addition to its encryption capabilities, the malware can change the device password, locking the user out of the device.
Mitigation
- Monitor user accounts and devices for anomalies that could indicate a compromise, such as noisy calls, the device heating up or slowing down, unusual battery drain, apps behaving abnormally and unexpected notifications.
- Install a reputable antivirus product on the device to detect known malicious signatures.
- Enable Google Play Protect, which blocks or warns users when a potentially harmful application is being installed.
- Look out for applications that request permissions unnecessary for their stated function.
- Never download applications from unknown sources or repositories; the chance of receiving a trojanized build is high.*
*While statistics indicate that third-party websites host a higher percentage of malicious or infected files, it is important to exercise caution and research any application before downloading it from an unfamiliar source.
Indicators of Compromise (IOCs)
MD5
49cfc64d9f0355fadc93679a86e92982
99580a341b486a2f8b177f20dc6f782e
ee6aec48e19191ba6efc4c65ff45a88e
SHA-1
67a3def7ad736df94c8c50947f785c0926142b69
bc826967c90acc08f1f70aa018f5d13f31521b92
f3b135555ae731b5499502f3b69724944ab367d5
SHA-256
37d4c5a0ea070fe0a1a2703914bf442b4285658b31d220f974adcf953b041e11
184356d900a545a2d545ab96fa6dd7b46f881a1a80ed134db1c65225e8fa902b
0fdfbf20e59b28181801274ad23b951106c6f7a516eb914efd427b6617630f30
SHA-512
2b82d39be969fd0d92986de1806f011ca2b99f159967d1aee2dfd8f175e1730e57741e91edb5e1244a61bc76bac64260416b16fa95d27aaa2eb259a8cb746496
d2cfbc281fe353b8018cb4e7a861a551f0ebfccb65aa03e964109db8f0caf424eace828f268f01d99d074c89990dc2e7091ba3971c513d781dd4792212463957
0f1fb2554bd05df4c4987f64fc9c22695cb2f0951b1b46202fb0aa24ff5008d14dfd2782e1c508b5534c16c024034d75b72cee2aebeeb4337e0fda69314ee0db
File names
Boulder.s.apk
PsiphonAndroid.s.apk
Currency_Pro_v3.6.2.apk
Command and Control
192.99.251[.]51
84.234.96[.]117
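The hash and file-name IOCs above are most useful when swept across an inventory export (MDM, EDR or a sideloaded-app report). The script below is an added example, not CloudSEK's code: it carries the IOCs from this report, infers the digest algorithm from the hex length so that whichever hash type a source provides can be matched, normalises case, and flags records by hash and by file name separately (a repacked variant keeps the file name but not the hash). The inventory lines are constructed in a "device,path,hash" layout; the benign and repacked hashes are computed from placeholder bytes.

```python
"""Match an inventory export against the Daam IOCs in this report.

Added example, not CloudSEK's code. Hash and file-name IOCs are the ones listed
above; the digest algorithm is inferred from hex length. The inventory lines
are constructed ("device,path,hash").
"""
import hashlib

IOC_HASHES = {
    # MD5
    "49cfc64d9f0355fadc93679a86e92982",
    "99580a341b486a2f8b177f20dc6f782e",
    "ee6aec48e19191ba6efc4c65ff45a88e",
    # SHA-1
    "67a3def7ad736df94c8c50947f785c0926142b69",
    "bc826967c90acc08f1f70aa018f5d13f31521b92",
    "f3b135555ae731b5499502f3b69724944ab367d5",
    # SHA-256
    "37d4c5a0ea070fe0a1a2703914bf442b4285658b31d220f974adcf953b041e11",
    "184356d900a545a2d545ab96fa6dd7b46f881a1a80ed134db1c65225e8fa902b",
    "0fdfbf20e59b28181801274ad23b951106c6f7a516eb914efd427b6617630f30",
    # SHA-512
    "2b82d39be969fd0d92986de1806f011ca2b99f159967d1aee2dfd8f175e1730e57741e91edb5e1244a61bc76bac64260416b16fa95d27aaa2eb259a8cb746496",
    "d2cfbc281fe353b8018cb4e7a861a551f0ebfccb65aa03e964109db8f0caf424eace828f268f01d99d074c89990dc2e7091ba3971c513d781dd4792212463957",
    "0f1fb2554bd05df4c4987f64fc9c22695cb2f0951b1b46202fb0aa24ff5008d14dfd2782e1c508b5534c16c024034d75b72cee2aebeeb4337e0fda69314ee0db",
}
IOC_FILENAMES = {"Boulder.s.apk", "PsiphonAndroid.s.apk", "Currency_Pro_v3.6.2.apk"}
ALGO_BY_HEX_LEN = {32: "md5", 40: "sha1", 64: "sha256", 128: "sha512"}


def normalize_digest(value):
    """Lower-case a hex digest and name its algorithm; raise on anything else."""
    digest = value.strip().lower()
    if len(digest) not in ALGO_BY_HEX_LEN:
        raise ValueError("unsupported digest length: %d" % len(digest))
    int(digest, 16)  # raises ValueError if the string is not hex
    return ALGO_BY_HEX_LEN[len(digest)], digest


def digests_of(data):
    """All four digest types of a file's bytes, for matching against any IOC list."""
    return {algo: hashlib.new(algo, data).hexdigest() for algo in ALGO_BY_HEX_LEN.values()}


def match(path, digest):
    """Reasons the record matches the IOC list (empty list if it does not)."""
    reasons = []
    algo, digest = normalize_digest(digest)
    if digest in IOC_HASHES:
        reasons.append("%s matches IOC" % algo)
    if path.rsplit("/", 1)[-1] in IOC_FILENAMES:
        reasons.append("file name matches IOC")
    return reasons


def scan_inventory(lines):
    """Return (device, path, reasons) for every inventory record that matches."""
    hits = []
    for line in lines:
        device, path, digest = line.split(",")
        reasons = match(path, digest)
        if reasons:
            hits.append((device, path, reasons))
    return hits


# Constructed inventory: an exact hash+name hit, a clean file, a repacked build
# matched by name only, and an upper-case SHA-1 matched after normalisation.
SAMPLE_INVENTORY = [
    "dev-01,/sdcard/Download/Currency_Pro_v3.6.2.apk,37d4c5a0ea070fe0a1a2703914bf442b4285658b31d220f974adcf953b041e11",
    "dev-02,/sdcard/Download/currency_widget.apk," + hashlib.sha256(b"constructed benign apk").hexdigest(),
    "dev-03,/sdcard/Download/PsiphonAndroid.s.apk," + hashlib.sha256(b"constructed repacked variant").hexdigest(),
    "dev-04,/sdcard/Download/game.apk,BC826967C90ACC08F1F70AA018F5D13F31521B92",
]

if __name__ == "__main__":
    for device, path, reasons in scan_inventory(SAMPLE_INVENTORY):
        print(device, path, "; ".join(reasons))
```

A file-name-only hit (dev-03 in the sample) is worth triaging rather than dismissing: the three names are specific enough that a fresh sample under the same name is more likely a new build than a coincidence, and its digests from digests_of() can be added to the list once confirmed.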