Magecart Strikes Again
Ticketmaster, British Airways, and Newegg have all been compromised. Who’s next? Read our research to see how we discovered the breaches.
IDG Connect: 2017 State of Enterprise Digital Defense Report
Findings quantify the security management gap and business impact of external web, social, and mobile threats.
Get the Research Report
RiskIQ Digital Threat Management Platform Datasheet
Learn about our platform and products.
Read the Datasheet
Frost & Sullivan: The Digital Threat Management Platform Advantage
The material benefits of a platform-based approach to security outside the firewall.
Read the Report
Rackspace Accelerates External Digital Threat Investigation with RiskIQ PassiveTotal
Download Case Study
EMA Radar™ Q4 2017 Report
RiskIQ ranked a technology and value leader in digital threat intelligence management.
Get the Analyst Report
October 12, 2017, Steve Ginty
RiskIQ research continues to affirm that Trojans are dominating the malicious app market as they find enduring success with evolving tactics that make them harder to detect. In Q2, RiskIQ discovered 10,934 Trojans in the wild, many of which target financial and banking institutions.
Now, RiskIQ has identified infrastructure related to the Red Alert 2 Android trojan and rogue mobile Android apps, first blogged about by SyfLabs, targeting financial institutions and media organizations. Serving malicious Adobe Flash Android apps to unsuspecting users, research shows the campaign leveraging this infrastructure began in July and is still active as of publishing.
Querying for malware hashes associated with Red Alert and looking for more information on this attack campaign, analysts found the following data connection on this URL query:
Update Flash Player
Package name: com.aox.exsoft
Fig-1 Data connected to Red Alert 2
Querying for the host in RiskIQ’s PassiveTotal platform shows that the domain was registered in late July and resolves to a single IP address, 22.214.171.124—the same IP address seen in the above URL query scan:
Fig-2 Passive DNS data for the domain returned in the URL query
Conducting a pivot off of the email address, firstname.lastname@example.org, used to register the above domain, reveals an additional eight domains of interest:
Fig-3 Other domains registered with email@example.com
Additionally, querying RiskIQ’s rogue mobile database reveals two malicious apps purporting to be Adobe Flash Player updates being hosted by g-shoock[.]xyz and g-shoock[.]ru:
Fig-4 A malicious app purporting to be Adobe Flash Player update
Fig-5 A malicious app purporting to be Adobe Flash Player update
When downloaded the malicious apps above can:
As seen in the screenshots above, both mobile apps were identified via RiskIQ’s crawler on domains registered using the same email address used to register our initial starting point. Exploring both of these domains in RiskIQ’s PassiveTotal platform highlights connections to a larger actor-owned infrastructure.
Both entities, which now appear on the RiskIQ Blacklist, started resolving around the beginning of June 2017. A quick pivot around RiskIQ’s data shows that the entities overlap via passive DNS on the IP address, 126.96.36.199, the same IP we observed from our first query.
Fig-6 Passive DNS data shows both malicious apps began resolving around the same time
Continued monitoring of this infrastructure shows that the attack campaign is still active, and in recent days, additional Adobe Flash typosquatting domains have been registered by this actor group. Querying our crawler for this new infrastructure reveals that these domains are also observed downloading APK files:
While, at this time, VirusTotal shows the APK file in question as not malicious, its connection to infrastructure previously connected to known malicious apps and the fact that the domains are typosquatting Adobe’s brand leads RiskIQ to assess that this is, in fact, malicious:
Fig-7 The APK file in VirusTotal
Signing up for RiskIQ Community Edition gives you access to the RiskIQ PassiveTotal public project, which provides you with full visibility into the list of infrastructure associated with this fake mobile Adobe update campaign.