RiskIQ research continues to affirm that Trojans are dominating the malicious app market as they find enduring success with evolving tactics that make them harder to detect. In Q2, RiskIQ discovered 10,934 Trojans in the wild, many of which target financial and banking institutions.
Now, RiskIQ has identified infrastructure related to the Red Alert 2 Android trojan and rogue mobile Android apps, first blogged about by SfyLabs, targeting financial institutions and media organizations. The campaign leveraging this infrastructure serves malicious Android apps posing as Adobe Flash to unsuspecting users; research shows it began in July and is still active as of publishing.
Querying for malware hashes associated with Red Alert and looking for more information on this attack campaign, analysts found the following data connection on this URL query:
Update Flash Player
Package name: com.aox.exsoft
Fig-1 Data connected to Red Alert 2
Querying for the host in RiskIQ’s PassiveTotal platform shows that the domain was registered in late July and resolves to a single IP address, 18.104.22.168—the same IP address seen in the above URL query scan:
Fig-2 Passive DNS data for the domain returned in the URL query
Conducting a pivot off of the email address, firstname.lastname@example.org, used to register the above domain, reveals an additional eight domains of interest:
Fig-3 Other domains registered with email@example.com
Additionally, querying RiskIQ’s rogue mobile database reveals two malicious apps purporting to be Adobe Flash Player updates being hosted by g-shoock[.]xyz and g-shoock[.]ru:
Fig-4 A malicious app purporting to be Adobe Flash Player update
Fig-5 A malicious app purporting to be Adobe Flash Player update
When downloaded, the malicious apps above can:
As seen in the screenshots above, both mobile apps were identified via RiskIQ’s crawler on domains registered using the same email address used to register our initial starting point. Exploring both of these domains in RiskIQ’s PassiveTotal platform highlights connections to a larger actor-owned infrastructure.
Both entities, which now appear on the RiskIQ Blacklist, started resolving around the beginning of June 2017. A quick pivot around RiskIQ’s data shows that the entities overlap via passive DNS on the IP address 22.214.171.124, the same IP we observed in our first query.
Fig-6 Passive DNS data shows both malicious apps began resolving around the same time
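The registrant and passive DNS pivots walked through above, as an added example that is not RiskIQ or PassiveTotal code: a small pivot routine over constructed WHOIS and passive DNS records. Only the two g-shoock domains are taken from the post; every other domain, the IP addresses (documentation ranges) and the registrant addresses are placeholders. It also carries the check a practitioner wants at this step: an IP overlap alone is weak evidence when the address may be shared hosting, so the routine only keeps expanding through domains corroborated by a registrant match or by two independent overlaps, and it skips IPs with too many tenants.

```python
"""Infrastructure pivoting over passive DNS and WHOIS records.

Added example, not RiskIQ/PassiveTotal code. All records below are
constructed for illustration; the only names taken from the post are the
two g-shoock domains. IPs use the 192.0.2.0/24 and 198.51.100.0/24
documentation ranges and the registrant addresses are placeholders.
"""
from collections import defaultdict, deque

# Constructed WHOIS registrant data: domain -> registrant e-mail.
WHOIS = {
    "update-flash.example": "actor@example.invalid",
    "g-shoock.xyz": "actor@example.invalid",
    "g-shoock.ru": "actor@example.invalid",
    "adobe-flashupdate.example": "actor@example.invalid",
    "shared-host.example": "other@example.invalid",
    "unrelated-shop.example": "shop@example.invalid",
}

# Constructed passive DNS: (hostname, resolved IP, first seen).
PASSIVE_DNS = [
    ("update-flash.example", "192.0.2.10", "2017-07-28"),
    ("g-shoock.xyz", "192.0.2.10", "2017-06-02"),
    ("g-shoock.ru", "192.0.2.10", "2017-06-03"),
    ("adobe-flashupdate.example", "192.0.2.11", "2017-09-01"),
    ("shared-host.example", "192.0.2.10", "2016-01-15"),
    ("unrelated-shop.example", "198.51.100.5", "2015-03-10"),
]


def build_indexes(whois, pdns):
    """Invert the records so neighbours can be looked up by e-mail and by IP."""
    by_email = defaultdict(set)
    for domain, email in whois.items():
        by_email[email].add(domain)
    by_ip, ips_of = defaultdict(set), defaultdict(set)
    for host, ip, _first_seen in pdns:
        by_ip[ip].add(host)
        ips_of[host].add(ip)
    return by_email, by_ip, ips_of


def is_high_confidence(reasons):
    """A registrant overlap, or two independent overlaps, is strong enough to
    keep pivoting from; a lone shared IP is not (it may be shared hosting)."""
    return any(r.startswith("registrant:") for r in reasons) or len(reasons) >= 2


def pivot(seed, whois, pdns, max_ip_neighbours=5):
    """Breadth-first pivot from `seed`, returning {domain: set(reasons)}.

    Expansion continues only through high-confidence nodes, so one noisy IP
    overlap cannot drag an entire hosting provider into the cluster.
    """
    by_email, by_ip, ips_of = build_indexes(whois, pdns)
    evidence = defaultdict(set)
    queue, expanded = deque([seed]), {seed}
    while queue:
        domain = queue.popleft()
        email = whois.get(domain)
        if email:
            for other in by_email[email] - {domain}:
                evidence[other].add(f"registrant:{email}")
        for ip in ips_of.get(domain, ()):
            neighbours = by_ip[ip] - {domain}
            if len(neighbours) > max_ip_neighbours:
                continue  # too many tenants on this IP; treat it as shared hosting
            for other in neighbours:
                evidence[other].add(f"ip:{ip}")
        for other in list(evidence):
            if other not in expanded and is_high_confidence(evidence[other]):
                expanded.add(other)
                queue.append(other)
    evidence.pop(seed, None)  # the seed is not its own discovery
    return dict(evidence)


def cluster_timeline(cluster, pdns):
    """Earliest first-seen date per clustered domain, oldest first."""
    first = {}
    for host, _ip, seen in pdns:
        if host in cluster:
            first[host] = min(seen, first.get(host, seen))
    return sorted((seen, host) for host, seen in first.items())


if __name__ == "__main__":
    found = pivot("update-flash.example", WHOIS, PASSIVE_DNS)
    for domain, reasons in sorted(found.items()):
        tag = "HIGH" if is_high_confidence(reasons) else "low "
        print(f"{tag} {domain:28} {', '.join(sorted(reasons))}")
    strong = {d for d, r in found.items() if is_high_confidence(r)}
    for seen, host in cluster_timeline(strong, PASSIVE_DNS):
        print(seen, host)
```

Run against the constructed data, the seed's registrant address and its IP both lead to the two g-shoock hosts, the registrant alone leads to the later typosquatting domain, and the shared-hosting tenant surfaces only as a low-confidence IP overlap that is reported but not pivoted from. The timeline over the strong members reproduces the kind of "started resolving around the same time" observation made in the post.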
Continued monitoring of this infrastructure shows that the attack campaign is still active, and in recent days, additional Adobe Flash typosquatting domains have been registered by this actor group. Querying our crawler for this new infrastructure reveals that these domains are also observed downloading APK files:
While, at this time, VirusTotal shows the APK file in question as not malicious, its connection to infrastructure previously connected to known malicious apps and the fact that the domains are typosquatting Adobe’s brand leads RiskIQ to assess that this is, in fact, malicious:
Fig-7 The APK file in VirusTotal
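The assessment above rests on two signals: a link to infrastructure already tied to malicious apps, and domains that typosquat Adobe's brand. The following is an added example, not RiskIQ code, of the second signal written as a triage rule a defender can run over newly registered or newly crawled domains. The brand list, lure keywords, allowlist and sample domains (apart from the two g-shoock hosts named in the post) are constructed; the registrable-label extraction is deliberately naive and does not consult a public-suffix list.

```python
"""Brand-abuse (typosquat / combosquat) triage for candidate domains.

Added example, not RiskIQ code. The brand list, lure keywords, allowlist
and the sample domains (apart from the two g-shoock hosts named in the
post) are constructed for illustration.
"""
import re

BRANDS = ("adobe",)                               # protected brand tokens
LURES = ("flash", "player", "update", "install")  # words used to dress up a fake updater
ALLOWLIST = {"adobe.com"}                         # assumed legitimate registrations


def levenshtein(a, b):
    """Edit distance; small enough to inline rather than pull in a dependency."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def registrable_label(domain):
    """Second-level label, e.g. 'g-shoock' for g-shoock.xyz (naive: no public-suffix list)."""
    parts = domain.lower().strip(".").split(".")
    return parts[-2] if len(parts) >= 2 else parts[0]


def assess(domain):
    """Return {'domain', 'verdict', 'reasons'} for one candidate domain."""
    if domain.lower() in ALLOWLIST:
        return {"domain": domain, "verdict": "allowlisted", "reasons": []}
    label = registrable_label(domain)
    tokens = [t for t in re.split(r"[-_]", label) if t]
    reasons = []
    for brand in BRANDS:
        if brand in label and label != brand:
            reasons.append(f"combosquat:{brand}")        # brand plus extra words
        for tok in tokens:
            if tok != brand and levenshtein(tok, brand) == 1:
                reasons.append(f"typosquat:{brand}")     # one edit away from the brand
    for lure in LURES:
        if lure in label:
            reasons.append(f"lure:{lure}")
    if any(r.startswith(("combosquat:", "typosquat:")) for r in reasons):
        verdict = "brand-abuse"
    elif reasons:
        verdict = "lure-only"
    else:
        verdict = "clean"
    return {"domain": domain, "verdict": verdict, "reasons": reasons}


SAMPLE_DOMAINS = [  # constructed, except the two g-shoock hosts from the post
    "adobe-flashupdate.example", "ad0be.ru", "update-flash.example",
    "g-shoock.xyz", "adobe.com", "news-site.example",
]

if __name__ == "__main__":
    for d in SAMPLE_DOMAINS:
        r = assess(d)
        print(f"{r['verdict']:12} {d:28} {', '.join(r['reasons'])}")
```

A "brand-abuse" verdict is a reason to escalate a domain even when the hosted APK has no antivirus detections yet, which is exactly the situation described above; "lure-only" domains (update/flash wording without the brand) are worth watching but need a second signal, such as the infrastructure overlap, before they are treated as malicious.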
Signing up for RiskIQ Community Edition gives you access to the RiskIQ PassiveTotal public project, which provides you with full visibility into the list of infrastructure associated with this fake mobile Adobe update campaign.