- Category: Malware Intelligence
- Region: Global
On 17 April 2023, CloudSEK’s Threat Intelligence Research Team discovered a newly emerged malware, titled ‘Daam’. The malware was found to be communicating with various Android APK files, likely indicating the source of infection. While writing this report, two C2 panels were found operating on the following IPs:
The WebSocket associated with the above IP can be found at the following URL: hxxp[:]//192[.]99[.]251[.]51[:]3000/socket[.]io/?EIO=3&transport=websocket&sid=H1j-nXwa-LRJNA2AACsl
Note: Interestingly, this malware was also observed to have ransomware capabilities: it encrypts the files present in the root directory and on the SD card using the AES algorithm and drops a ‘readme_now.txt’ file.
Open Web Analysis
After analyzing the IP address (192[.]99[.]251[.]51) of the C2 panel using the Open Web, it was discovered that the panel was in communication with several APK files that had been recently uncovered.
While writing this report, CloudSEK researchers observed multiple websites offering free versions of these applications while some of them are already being marked as malicious/suspicious on various online sandboxing platforms. As of the time of writing this report, the applications detected on some of these platforms were added as recently as 3 days ago, coinciding with the date of detection of the C2 panel.
About the Malicious APKs
A simple Google search about the applications provided the following descriptions about them:
- Psiphon Client for Android and Windows: Psiphon is circumvention software for Windows and Mobile platforms that provides uncensored access to Internet content.
- Boulders: Boulders is a game where your main aim is to grab all the treasure from a mine and make it out alive.
- Currency Pro: Currency Pro is a currency converter that provides the world's foreign currency conversion rates.
Upon investigation, the CloudSEK research team discovered that the aforementioned three applications are utilizing a common malicious package file named "com.android.callservice". These trojanized applications were being used to distribute the Daam malware. Although the analyzed samples do not exhibit any malicious behavior, the specific packages utilizing this file are engaging in malicious activities such as retrieving the names of Google accounts, recording phone calls, VoIP calls, and audio, gaining access to the camera, modifying the device password, accessing contact lists, capturing screenshots, stealing SMS messages, stealing Chrome browser bookmarks, downloading/uploading files, encrypting files utilizing the AES algorithm, etc.
During the dynamic analysis of the malware, it was noticed that the malware, once installed on the victim's device, conducted environment-related checks that limited its full functionality. These checks were triggered when the malware sent a request to the Command and Control (C2) server using the WebSocket protocol, and the request was configured based on the victim's device configuration.
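The C2 channel described above is a socket.io handshake over WebSocket to the panel IP on port 3000. The following is an added detection example (not CloudSEK's code) that runs over constructed proxy/egress log lines and flags traffic matching the report's indicators; the log format, the source IPs and the `sid` value are assumptions made for the demo. A socket.io handshake on its own is a weak signal, since many legitimate apps use socket.io, so the code reports it as a separate reason from the known-C2 match rather than folding them together.

```python
"""Flag proxy/egress log lines that match the Daam C2 indicators in the report
(C2 host 192.99.251.51, port 3000, socket.io WebSocket handshake).

Added example; not CloudSEK's code. The "<ts> <src_ip> <method> <url> <status>"
log format below is an assumption for the demo; adapt parse_line() to your proxy.
"""
from urllib.parse import urlsplit, parse_qs

# Indicators taken from the report (de-fanged form expanded).
C2_HOSTS = {"192.99.251.51"}
C2_PORTS = {3000}

# Constructed sample log lines (source IPs and sid are made up for the demo).
SAMPLE_LOG = """\
2023-04-17T10:02:11Z 10.0.0.12 GET http://192.99.251.51:3000/socket.io/?EIO=3&transport=websocket&sid=EXAMPLE 101
2023-04-17T10:02:15Z 10.0.0.12 GET https://www.example.com/index.html 200
2023-04-17T10:03:40Z 10.0.0.19 GET http://203.0.113.7/socket.io/?EIO=3&transport=polling 200
2023-04-17T10:04:02Z 10.0.0.23 GET http://192.99.251.51:3000/ 200
"""


def parse_line(line):
    """Split one log line into its five whitespace-separated fields."""
    ts, src, method, url, status = line.split(maxsplit=4)
    return {"ts": ts, "src": src, "method": method, "url": url, "status": status}


def classify(url):
    """Return the list of reasons a URL is suspicious (empty list if none)."""
    parts = urlsplit(url)
    reasons = []
    host = parts.hostname or ""
    port = parts.port or (443 if parts.scheme == "https" else 80)
    if host in C2_HOSTS:
        reasons.append("known-c2-host")
        if port in C2_PORTS:
            reasons.append("known-c2-port")
    # socket.io handshake: /socket.io/?EIO=<n>&transport=<websocket|polling>
    qs = parse_qs(parts.query)
    if parts.path.startswith("/socket.io/") and "EIO" in qs:
        if qs.get("transport") == ["websocket"]:
            reasons.append("socketio-websocket-handshake")
        else:
            reasons.append("socketio-handshake")
    return reasons


def scan_log(text):
    """Return (src_ip, url, reasons) for every line that matches at least one indicator."""
    hits = []
    for line in text.splitlines():
        if not line.strip():
            continue
        rec = parse_line(line)
        reasons = classify(rec["url"])
        if reasons:
            hits.append((rec["src"], rec["url"], reasons))
    return hits


if __name__ == "__main__":
    for src, url, reasons in scan_log(SAMPLE_LOG):
        print(f"{src}  {url}  [{', '.join(reasons)}]")
```

In the sample, the first and last lines hit the known C2 host and port, the third line is only a generic socket.io polling handshake to an unrelated host, and the second line is clean.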
Permissions Requested by the Malware
Once installed on an Android device, the malicious applications are granted access to highly sensitive permissions including RECORD_AUDIO, READ_HISTORY_BOOKMARK, KILL_BACKGROUND_PROCESSES, and READ_CALL_LOGS.
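A quick way to triage a suspect APK for the permission set and the shared package name described in this report is to inspect its decoded manifest. The following is an added example (not CloudSEK's code): it assumes the manifest has already been decoded to plain XML (for instance with `apktool d app.apk`, which writes `AndroidManifest.xml`), uses the full Android constants corresponding to the shortened permission names in the report, and treats any component whose class lives under `com.android.callservice` as suspicious. The sample manifest, its package name and component names are constructed for the demo.

```python
"""Triage a decoded AndroidManifest.xml for the high-risk permissions and the
embedded package name that the report attributes to the Daam droppers.

Added example; not CloudSEK's code. Assumes a manifest already decoded to plain
XML (e.g. by apktool). SAMPLE_MANIFEST is constructed for the demo.
"""
import xml.etree.ElementTree as ET

ANDROID_NS = "http://schemas.android.com/apk/res/android"
NAME_ATTR = f"{{{ANDROID_NS}}}name"

# Full Android names of the permissions the report lists in shortened form.
HIGH_RISK_PERMISSIONS = {
    "android.permission.RECORD_AUDIO": "audio / call recording",
    "com.android.browser.permission.READ_HISTORY_BOOKMARKS": "browser history and bookmarks",
    "android.permission.KILL_BACKGROUND_PROCESSES": "can kill other apps, e.g. security tools",
    "android.permission.READ_CALL_LOG": "call log access",
}
# Package name the report says the three trojanized apps share (assumption:
# it appears as the prefix of component class names in the manifest).
SUSPICIOUS_PACKAGE_PREFIX = "com.android.callservice"

SAMPLE_MANIFEST = f"""<?xml version="1.0" encoding="utf-8"?>
<manifest xmlns:android="{ANDROID_NS}" package="com.example.currencypro">
  <uses-permission android:name="android.permission.INTERNET"/>
  <uses-permission android:name="android.permission.RECORD_AUDIO"/>
  <uses-permission android:name="android.permission.READ_CALL_LOG"/>
  <uses-permission android:name="android.permission.KILL_BACKGROUND_PROCESSES"/>
  <application android:label="Currency Pro">
    <service android:name="com.android.callservice.RecordService"/>
    <receiver android:name="com.example.currencypro.BootReceiver"/>
  </application>
</manifest>
"""


def triage_manifest(xml_text):
    """Return the package name, flagged permissions, suspicious components and a verdict."""
    root = ET.fromstring(xml_text)
    permissions = [p.get(NAME_ATTR) for p in root.iter("uses-permission")]
    flagged = {p: HIGH_RISK_PERMISSIONS[p] for p in permissions if p in HIGH_RISK_PERMISSIONS}
    # Components whose implementing class sits under the suspicious package.
    components = []
    for tag in ("service", "receiver", "activity", "provider"):
        for comp in root.iter(tag):
            name = comp.get(NAME_ATTR) or ""
            if name.startswith(SUSPICIOUS_PACKAGE_PREFIX):
                components.append((tag, name))
    return {
        "package": root.get("package"),
        "flagged_permissions": flagged,
        "suspicious_components": components,
        "verdict": "review" if flagged or components else "clean",
    }


if __name__ == "__main__":
    result = triage_manifest(SAMPLE_MANIFEST)
    print("package:", result["package"])
    for perm, why in result["flagged_permissions"].items():
        print("  permission:", perm, "->", why)
    for tag, name in result["suspicious_components"]:
        print("  component:", tag, name)
    print("verdict:", result["verdict"])
```

The verdict is deliberately "review" rather than "malicious": a currency converter has no business recording audio or reading the call log, but the permission set alone only justifies a closer look at the code, not a conviction.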
Features of the Malware
Security Checks Bypass
The malware is capable of circumventing security checks on a range of mobile brands.
Recording Audio & Phone/VoIP Calls
The Daam malware has the ability to record all ongoing calls (phone and VoIP) on a victim's device and subsequently transmit them to the C2 server.
The malware also searches for certain package IDs of applications that provide VoIP services, such as WhatsApp, Hike, etc., in order to record VoIP calls.
Exfiltrating Files
The malware can traverse all the readable local directories and is capable of exfiltrating all the files from the victim’s device.
Stealing Contacts
In addition to stealing contacts from a victim's device, the Daam malware is also capable of pilfering newly added contacts.
Encrypting Files
The malware has been skillfully crafted to utilize the AES encryption algorithm to encrypt all files on the device without the owner's consent. Following the encryption, the original files are deleted from local storage, leaving only the encrypted copies with a .enc extension.
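The file-system artifacts described for the ransomware component (files renamed with a `.enc` extension, originals removed, a dropped `readme_now.txt`) can be checked for in a pulled copy of device storage. The following is an added example (not CloudSEK's code) that walks a directory tree and reports those artifacts, using a Shannon-entropy check to separate files that actually look AES-encrypted from files that merely carry the `.enc` suffix. The directory tree is constructed in a temporary folder for the demo, and the entropy threshold of 7.5 bits per byte is a heuristic assumption, not a value from the report.

```python
"""Scan a directory tree for the artifacts the report attributes to Daam's
ransomware component: '.enc' files, a dropped 'readme_now.txt', and content
whose byte entropy is close to what a stream of AES ciphertext would have.

Added example; not CloudSEK's code. The sample tree is constructed in a temp
directory; ENTROPY_THRESHOLD is a heuristic assumption.
"""
import math
import os
import tempfile
from collections import Counter

NOTE_FILENAME = "readme_now.txt"   # ransom note name from the report
ENCRYPTED_SUFFIX = ".enc"          # extension from the report
ENTROPY_THRESHOLD = 7.5            # bits/byte; assumption: ciphertext sits near 8.0


def shannon_entropy(data: bytes) -> float:
    """Bits of entropy per byte; 0.0 for empty or single-valued input, 8.0 for uniform bytes."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


def scan_tree(root):
    """Collect .enc files, ransom notes and high-entropy .enc files under root."""
    enc_files, notes, high_entropy = [], [], []
    for dirpath, _, filenames in os.walk(root):
        for fn in filenames:
            path = os.path.join(dirpath, fn)
            if fn.lower() == NOTE_FILENAME:
                notes.append(path)
            if fn.lower().endswith(ENCRYPTED_SUFFIX):
                enc_files.append(path)
                with open(path, "rb") as f:          # first 64 KiB is enough for the estimate
                    if shannon_entropy(f.read(65536)) >= ENTROPY_THRESHOLD:
                        high_entropy.append(path)
    # Heuristic verdict: a ransom note together with encrypted-looking .enc files.
    return {
        "enc_files": sorted(enc_files),
        "notes": sorted(notes),
        "high_entropy": sorted(high_entropy),
        "likely_daam_encryption": bool(notes) and bool(high_entropy),
    }


def build_sample_tree():
    """Constructed demo tree: two random-byte '.enc' files, one plaintext decoy with
    the '.enc' suffix, and a ransom note at the root. Returns the root path."""
    root = tempfile.mkdtemp(prefix="daam_demo_")
    sd = os.path.join(root, "sdcard", "DCIM")
    os.makedirs(sd)
    with open(os.path.join(sd, "IMG_0001.jpg.enc"), "wb") as f:
        f.write(os.urandom(4096))           # stands in for AES output
    with open(os.path.join(root, "notes.txt.enc"), "wb") as f:
        f.write(os.urandom(4096))
    with open(os.path.join(root, "decoy.enc"), "wb") as f:
        f.write(b"A" * 4096)                # plaintext wearing the suffix; entropy 0
    with open(os.path.join(root, NOTE_FILENAME), "w") as f:
        f.write("constructed ransom note placeholder\n")
    return root


if __name__ == "__main__":
    result = scan_tree(build_sample_tree())
    for key, value in result.items():
        print(f"{key}: {value}")
```

Run against a real acquisition by passing the mount point of the pulled storage to `scan_tree()`. The entropy check matters because a renamed-but-unencrypted file (the decoy above) should not count as evidence of encryption, and because the report states the originals are deleted, so the `.enc` copies are all that remains to inspect.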
Impact
- The exposed PII could enable other threat actors to orchestrate social engineering schemes, phishing attacks, and identity theft.
- If the encrypted system contains critical data which is not backed up, the victim will be left with no option but to pay the ransom.
- Since password reuse is a common practice, threat actors could leverage the exposed credentials to gain access to the users’ other accounts.
- In addition to its encryption capabilities, the malware can change the device password, locking users out of their own devices.
Mitigation
- Monitor user accounts and devices for anomalies that could be indicators of a possible takeover, including noisy calls, devices heating up or slowing down, battery issues, apps operating abnormally, unusual notifications, etc.
- Install a strong antivirus on the device to detect malicious signatures.
- Enable all the Google Privacy Protection policies that block and warn users when downloading malicious applications.
- Look out for applications asking for permissions they do not need in order to operate.
- Never download applications from unknown sources and repositories, as there is a high chance they are malicious or obfuscated.*
*While statistics indicate that third-party websites may host a higher percentage of malicious or infected files, it's important to exercise caution and do your research before downloading any application from an unfamiliar source.
Indicators of Compromise (IOCs)
Command and Control