In a previous post, we observed legitimate security software for the Android operating system using outside marketing companies leveraging shady traffic delivery tactics like scareware to get people to download their applications from Google Play. We said we'd report more interesting observations or unusual activity as we came across it, and here is a fresh example:
This scareware error message above is pretty comical: it's an Apple logo with both English and Chinese writing telling users to “Repair your u82f9u679cu624bu673a now.” Thanks to a Chinese lesson from my good friend Asura, we now know that “u82f9u679c” means "Apple" and “u624bu673a” means “mobile.” The message claims that our Android phone is having critical problems (to verify this message we used Firefox on an iPhone for the user-agent). The next part of the message urges us to download “Onavo Count” before a fatal system error occurs. In the name of research, let’s agree to save our phone and go along with what the message says, shall we?
Utilizing the RiskIQ web crawler, we manually kicked off a crawl (fig-2) to see the sequence and get the location of the Onavo Count application.
Skipping to Sequence 4 within the crawl shows us that we are visiting the legitimate Apple iTunes website to get the application.
The above is a great starting point for digging deeper and investigating possible infrastructure via RiskIQ's PassiveTotal product. The use of PassiveTotal data sets, such as Passive DNS, Domain WHOIS, IP resolution, and SSL certificates, will greatly assist us in getting more intelligence on this threat actor and their infrastructure. With these data sets, we'll be able to reveal dark corners of the internet that we otherwise would have missed, which is vital in the creation of new detections.
Since we already know the domain involved with the scareware, we can use the domain's WHOIS information to find out additional assets tied to the threat actor. The value of the information we get from a WHOIS data lookup provides us with ownership of internet assets (domain registration, domain name servers, IP addresses, ASN ownership, dates and times, and points of contact for this information). This data gives analysts an ideal starting point for pivoting and uncovering threat actor infrastructure.
Using the registrant email address email@example.com from the WHOIS lookup provides us with additional assets connected to the threat actor’s email address (Fig-5 is a snippet).
In the next step in our review process, we use the information from the web crawl in Figure 2. We can start by looking inside PassiveTotal results at the IP address that is hosting the scareware, which is IP address 220.127.116.11.
This data is showing that the IP address is based in China, corroborated by a few of our data source partners, which noticed the IP was malicious. We will focus on the four unique hosts that threat actors used recently. Going back to our previous step, we review the WHOIS data from these hosts, which confirmed the connection to the threat actor we are tracking. We now also have a new email address for a possible additional threat actor, 1qifan.com, with an email address of firstname.lastname@example.org (to keep this post short we will stick with the threat actor we already know about and not pivot on the possible additional threat actor).
One of the final steps that we will showcase for this scareware threat is the example in Figure 7 of host pairs within PassiveTotal. With one single click on the host name in Figure 6, we have uncovered a plethora of new indicators we didn't know about. With these new—potentially malicious—indicators, we'll start from the beginning of the process we just went over. This pivoting inside PassiveTotal makes us extremely excited because although we just started research on this particular scareware issue, we already we have a ton of new data to review.
In conclusion, we started off with a single RiskIQ web crawl and a single domain and ended up uncovering new infrastructure, indicators, and threat actors by using PassiveTotal data sets. We'll be sure to share any further interesting findings we surface on this topic!