Overview of the incident
Recently, the QiAnXin Threat Intelligence Center noticed that the overseas security vendor humansecurity had publicly disclosed an incident it calls BADBOX, reporting that it had observed at least 74,000 Android-based phones, tablets and networked TV boxes worldwide showing signs of BADBOX infection; according to Trend Micro, the backdoor is believed to have been implanted in on the order of 20 million devices. humansecurity has already provided a detailed technical analysis of the incident in its report, which interested readers can consult directly. In this article we carry out some related and extended analysis based on QiAnXin's own intelligence visibility, and hope to offer the industry supplementary information from our perspective.
Analyzing the details
Based on the historical traffic records of the QiAnXin Threat Intelligence Center, several of the C2 addresses provided by humansecurity show a non-trivial number of infections in China. Taking cbphe.com as an example, daily access to cbphe.com was relatively flat from 22 to 23 May, began to grow gradually from 23 May, and then spiked suddenly; the infections have continued up to the present.
In addition, we found multiple samples associated with the domain name flyermobi.com and first selected one of them at random for qualitative analysis: e6027f962eaaf7dede8a271166409fe6.
Sample information:
MD5: e6027f962eaaf7dede8a271166409fe6
Package Name: com.gavv.tissm
The sample decrypts the file /a/b.data inside the original package, drops the resulting jar, and loads it with DexClassLoader.
Original package contents:
Dropped jar and dex on the mobile device:
The jar file is then loaded dynamically:
The sample uploads the version number (v), device model (tp), Android system version (bdr), software version (rv), package name (pk) and other data of the dropped jar to the decrypted URL, compares the returned version information, and downloads a new jar if a newer version is available, thereby implementing the update mechanism. The URL is as follows:
hxxp://adc[.] flyermobi.com/update/update.conf?bdr=xx&rv=x&v=xxx&pk=xxx&tp=Generic+Android-x86_64
The part of the string to decrypt:
Decryption algorithm:
import java.io.UnsupportedEncodingException;
import javax.crypto.Cipher;
import javax.crypto.spec.IvParameterSpec;
import javax.crypto.spec.SecretKeySpec;

public class De {
    public static void main(String[] args) {
        // key and hex-encoded ciphertext as recovered from the sample
        System.out.println(dec("d62kyun6d", "C4FF3D0FF6730B4AE7BFA387C88862560050076610A3517E03BA599535DEAA943134CA7E20F8138A7D0331"));
    }

    // hex-decode msg, then AES-CFB decrypt it with the key derived by Sekey()
    public static String dec(String key, String msg) {
        String v7_3 = "";
        byte[] v7_2;
        int v0 = 0;
        if (msg.length() >= 2) {
            String v7_1 = msg.toLowerCase();
            int v2 = v7_1.length() / 2;
            byte[] v3 = new byte[v2];
            while (v0 < v2) {
                int v4 = v0 * 2;
                v3[v0] = (byte) Integer.parseInt(v7_1.substring(v4, v4 + 2), 16);
                ++v0;
            }
            v7_2 = v3;
            byte[] v6 = a(v7_2, key);
            try {
                v7_3 = new String(v6, "UTF-8");
            } catch (UnsupportedEncodingException e) {
                throw new RuntimeException(e);
            }
        }
        return v7_3;
    }

    // AES/CFB/NoPadding decryption with an all-zero IV; 2 == Cipher.DECRYPT_MODE
    public static byte[] a(byte[] arg4, String arg5) {
        try {
            SecretKeySpec v5 = Sekey(arg5);
            Cipher v0 = Cipher.getInstance("AES/CFB/NoPadding");
            v0.init(2, v5, new IvParameterSpec(new byte[v0.getBlockSize()]));
            return v0.doFinal(arg4);
        } catch (Exception v4) {
            v4.printStackTrace();
            return null;
        }
    }

    // key derivation: the key string is right-padded with '0' characters up to
    // 32 bytes (or truncated to 32), giving an AES-256 key
    private static SecretKeySpec Sekey(String arg2) {
        byte[] v2_1;
        if (arg2 == null) {
            arg2 = "";
        }
        StringBuilder v0 = new StringBuilder(0x20);
        while (true) {
            v0.append(arg2);
            if (v0.length() >= 0x20) {
                break;
            }
            arg2 = "0";
        }
        if (v0.length() > 0x20) {
            v0.setLength(0x20);
        }
        try {
            v2_1 = v0.toString().getBytes("UTF-8");
        } catch (UnsupportedEncodingException v2) {
            v2.printStackTrace();
            v2_1 = null;
        }
        return new SecretKeySpec(v2_1, "AES");
    }
}
The returned result contains the download address, MD5, version number, etc.
In the dropped jar, a WebView is used to generate advertising revenue in the background: the ad addresses are obtained by visiting the URLs below, and MotionEvent is used to click the ads automatically.
Visited URLs: http://adc.flyermobi.com/config/config.conf and http://adc.flyermobi.com/config/config.conf.default, from which the ad-related URLs are obtained
Requesting an advertisement with a WebView:
Ad clicks performed through MotionEvent:
At this point in the analysis it can be confirmed that the behaviour of this sample is essentially the same as that described by humansecurity: the malicious program is a built-in backdoor, through which the actual remote download and loading of other code modules takes place; the main function of the module seen so far is clicking ads in the background for profit.
Next, we try to correlate and analyze the related C2 addresses. First, we input the publicly disclosed domain names (cbphe.com, cbpheback.com, ycxrl.com, dcylog.com, flyermobi.com) into the [Threat Graph Analysis] module of the QiAnXin Threat Intelligence Center, and the Threat Graph automatically displays the historical resolution records, whois data, associated samples and many other correlations of these domain names on the canvas.
Among them, we notice that flyermobi.com resolves to the IP 128.199.193.15, which is associated with other domain names. One of these, apkcar.com, also resolves to 128.199.193.15, and its subdomains ymex.apkcar.com and ymlog.apkcar.com have a structure similar to the earlier rnznd.ycxrl.com and z3rv.ycxrl.com (subdomains of ycxrl.com).
Drilling further into the correlation data, ymsdk.apkcar.com once had a CNAME record pointing to adbsdk.flyermobi.com, and expanding it yields more subdomains, URLs and samples, as shown below:
Selecting one of the samples to analyze (MD5: f33401aaf64a2dd3ed14e6f441ac83ab), we can see that the code is very similar to the code of the sample analyzed earlier:
By this point we are reasonably sure that apkcar.com is a domain name belonging to the same group in this incident, one that is not mentioned in any other security vendor's report. Through QiAnXin Threat Graph correlation we have thus extended the known C2 set with a domain that was previously undiscovered.
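To turn the update.conf beacon format described earlier and the C2 domain set from the graph correlation into a detection, here is an added example (not code from the QiAnXin article or from the samples) that scans constructed proxy-log lines, flags every request to one of the disclosed domains or their subdomains, and extracts the device fields (bdr, rv, v, pk, tp) from any update beacon. The log layout, client IPs and parameter values are assumptions; the package name is the one from the analysed sample.

```python
import re
from urllib.parse import parse_qs, urlsplit

# C2 domains named in this report; subdomains such as adc.flyermobi.com or
# ymsdk.apkcar.com are matched by the suffix check in matches_c2().
BADBOX_DOMAINS = {"cbphe.com", "cbpheback.com", "ycxrl.com",
                  "dcylog.com", "flyermobi.com", "apkcar.com"}
# Query parameters of the update.conf beacon described in the analysis.
BEACON_PARAMS = ("bdr", "rv", "v", "pk", "tp")
# Constructed (hypothetical) proxy-log layout: "<client ip> <method> <url>"
LOG_LINE = re.compile(r"^(?P<src>\S+) (?P<method>[A-Z]+) (?P<url>\S+)$")

def matches_c2(host):
    """True if host is one of the known C2 domains or a subdomain of one."""
    host = host.lower().rstrip(".")
    return any(host == d or host.endswith("." + d) for d in BADBOX_DOMAINS)

def parse_beacon(url):
    """Device fields of an update.conf beacon sent to a C2 host, else None."""
    parts = urlsplit(url)
    if not (matches_c2(parts.hostname or "") and parts.path.endswith("/update/update.conf")):
        return None
    query = parse_qs(parts.query)          # '+' in tp decodes to a space
    return {k: query.get(k, [""])[0] for k in BEACON_PARAMS}

def scan_proxy_log(lines):
    """(client ip, host, beacon fields or None) for every request to a C2 domain."""
    hits = []
    for line in lines:
        m = LOG_LINE.match(line.strip())
        if not m:
            continue
        host = urlsplit(m["url"]).hostname or ""
        if matches_c2(host):
            hits.append((m["src"], host, parse_beacon(m["url"])))
    return hits

# Constructed sample log; the package name is the one from the analysed sample.
SAMPLE_LOG = [
    "10.0.0.21 GET http://adc.flyermobi.com/update/update.conf?"
    "bdr=9&rv=2&v=113&pk=com.gavv.tissm&tp=Generic+Android-x86_64",
    "10.0.0.21 GET http://adc.flyermobi.com/config/config.conf",
    "10.0.0.35 GET http://ymsdk.apkcar.com/adbu",
    "10.0.0.40 GET http://example.com/index.html",
    "10.0.0.41 GET http://notflyermobi.com/update/update.conf?v=1",
]

if __name__ == "__main__":
    for src, host, fields in scan_proxy_log(SAMPLE_LOG):
        print(src, host, fields)
```

The suffix check deliberately requires a leading dot, so a look-alike such as notflyermobi.com is not matched; the beacon fields give the device model and package name of each infected client for triage.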
Summary
The above analysis confirms that this incident is real: the attacker uses a backdoor built into the set-top box, uses that backdoor to remotely download and load other malicious code modules, and finally profits by clicking ads hidden in the background.
Currently, the full line of products based on the threat intelligence data from the QiAnXin Threat Intelligence Center, including the QiAnXin Threat Intelligence Platform (TIP), Skyrocket, SkyEye Advanced Threat Detection System, QiAnXin NGSOC, and QiAnXin Situational Awareness, have integrated the threat intelligence involved in this incident to support the precise detection of such attacks.
IOC
DOMAIN
cbphe.com
cbpheback.com
ycxrl.com
dcylog.com
flyermobi.com
apkcar.com
URL
hxxp://128[.] 199.97.77/logs/log.active
hxxp://adc[.] flyermobi.com/update/update.conf
hxxp://ymsdk[.] apkcar.com/adbu
MD5
e6027f962eaaf7dede8a271166409fe6
f33401aaf64a2dd3ed14e6f441ac83ab
Reference Links
[1]. https://humansecurity.com/hubfs/HUMAN_Report_BADBOX-and-PEACHPIT.pdf
[2]. https://arstechnica.com/security/2023/10/thousands-of-android-devices-come-with-unkillable-backdoor-preinstalled/