If I tell you: massive phishing campaign, Russian botnet, AndroidBanker and Leboncoin (a sort of French Ebay) you do think about ?
If you answered loudly (or not) “HELL YEAH !!!” You got it 🤠
The Internet is vast and full of mysteries. And it’s precisely this mysterious side that fascinates me. So you understand that when I get an express ticket to the behind the scenes of an attack (especially like this one) I don’t think twice!
1°) The Context
Recently one of my friends offered for sale an object on the leboncoin. Later, about a couple of days, he received a text message to notify him that he did received the prepayment for the sale.
[name_of_my_friend], I sent you the prepayment www-leboncoin.com/357143040654321870
Before writing this article I tried to see if we talked about it elsewhere, and you can also check it, there is only the UFC forum (a French association for the protection of consumer rights) and a Tweet of benkow_ .
& mdash; Benkøw moʞuƎq (@benkow_) January 7, 2019
Once the link in the text message is opened, a page similar to the one on the benkow_’s tweet is displayed. Of course, the content can’t be displayed if we obviously don’t download the “app”. And then, as if to signify the excitement of the attacker, the mistakes of spelling are multiplying up to the drama …
Most users who get caught by this hideous scam are saved thanks to this screen:
Or thanks to that one for the less concerned:
Yup! Although unsettling on many points, this campaign falls apart because many have received the message but only a few have tried everything to have the little .apk file installed on their device.
2°) The payload (the .apk file)
The file is very light (for an application 🤠), not more than 300 KB.
As soon as it’s executed, the fake app will connect to the fake site so that the victim can enter their bank details (bye bye to all the bucks).
Once done, a direct connection with the Control and Command (C2C) server will take place and via a file “gate.php”, the server gives the zombie a kind of mutex (basically an identifier, eg: 543759810537698240).
And this is where it gets funny:
The authors seem to have initially planned to deal with an android botnet via HTTP totally submissive and dedicated to its C2C (Control and Command server). The thing is that on Android, there isn’t a real way of persistence compaired to the other systems.
For example, the app permissions are chosen by the user during the installation and even all are enabled, there is no guarantee that the daemon (the application service) will launch properly when the device reboots.
Not to mention the fact that a mobile phone rarely stays in the same place (logical at the same time). The Internet connection won’t work all the time or at least will engage some salty costs to the victim if the device is infected (especially if the victim is a proletarian with a small Internet budget 🤠)
But don’t worry, on this side the authors had a genius idea to spread the malware (yup, really). You want a clue ? Here are the permissions:
Well I admit it’s not exatraordinary stuff, given that it’s some basic backdoor permissions … except for a tiny detail. The kind of tiny details that are zapped on the moment but once retrieved it would make you say “Great Scott!”
Indeed, when I conducted my investigation with my friend (thank you mate !), we came across this topic of the UFC forum that choose
it’s more precisely this passage which interests us:
“I contacted the person who has sent me this text message, she answered me but she told she was harassed by people phone calling as me !” She had managed to install the .apk where she was asked to provide her banking details to finalize the prepayment !! ”
When we read that, we say “Of course that the sender has managed to install the .apk because she’s the vilain ! In addition to that: “too funny the attacker is harassed by its own victims #so_much_lol!!!”
Yup but nope! Do you remember the identifier generated by the “gate.php” file on the fake site? And the identifier in the URL of the SMS sent to the victim?
As you’ve probably guessed it, the text message received by the victim was actually sent by… another victim and without his/her knowledge!
And that’s genius. Indeed, rather than sending the phishing SMS themselves and thus leaving some traces, the authors have used the backdoored devices to relay messages to the potential victims. They have just invented an incognito mode for text messages !!
The only glitch in this genius technique is it seems that the hackers have misapplied their idea. Indeed, The fact that the sender of the famous phishing message is harassed, indicates clearly that the hacker’s manner to procedd is quite ill thought-out. Which is rather paradoxical when we see the real arsenal deployed for this campaign being worthy of the largest groups of cybercriminals,
To better illustrate my words let me make a list:
Arguments to prove that hackers are in fact script-kiddies:
- ALL viruses linked to this organization are detected by a vast majority of antivirus
- The TLS certificates are quickly self-signed and thus poorly signed (Ex: “CN: dddddddd fdfd” for the leboncoin backdoor) whereas they have thousands of registered domains
- Authors only and *exclusively* target two platforms: Windows and Android, one would almost believe they only know these two operating systems 🤠
- Some pieces of code are copied and pasted from StackOverflow, Github (less the credits) and even Pastebin
- It’s actually quite easy to get acess to their Control and Command server
- Some of their viruses are real “call centers” with more than a hundred different IP addresses contacted within the first seconds of execution
- They use Virus Total to see if their backdoors are detected by antivirus
Now some points that, I must admit, show the “determined” nature of the individuals:
- Many *too many* servers (mostly Russian, by the way)
- Genuine malware versioning management
- Use and implementation of cryptographic functions (especially RSA)
- Attack exportation (first in Russia, then in China and recently in France with the leboncoin episode)
- Huge (thousands) of domain names registered in less than 6 months (mostly for phishing purposes)
- Portability of the control infrastructure (the IP/Web address changes pretty often)
- They covered up their traces in the code (The seventh CIA developpement tradecraft is thus respected 🤠)
My friend and I, managed to find their control and command server. On the other hand, it didn’t look like anything else. The home page of the web server displayed a default Apache/CentOS page while the HTTP headers advertised Nginx very clearly. After a quick verification we found out that it was a version of Ubuntu serving Nginx.
Fooling around the server, we managed to find a flaw that allowed us to confirm that it was a totally custom solution. Anecdotally, we found some traces of previous installations over Internet (test?). Not functional but on two companies compromised sites (one American and the other one Indian).
This attack is definitely thought-provoking by its sophistication (perfect imporsonation of leboncoin, use of the new prepayment feature as a credible pretext for the operation, text messaging relay over victims to spread the malware,…). However, the attack does not shake or even outright the French plateform nor its users.
Honestly I’m almost prompted by pity for those individuals when I see all that good ideas and efforts to create their own solution to pwn the world. Unfortunately, it’s a flop. It’s the proof that crime does not pay 🤠
TELEX: as a simple but effective countermeasure, just think about being more attentive to links before clicking directly.
Bonus: the IOC’s of the campaign
hxxp://gb-leboncoin[.]info hxxp://uk-leboncoin[.]info hxxp://uk-leboncoin[.]top hxxp://gb-leboncoin[.]top hxxp://www.m-leboncoin[.]info hxxp://www.gb-leboncoin[.]top hxxp://www.e-leboncoin[.]info hxxp://www.u-leboncoin[.]info hxxp://www.www-leboncoin[.]info hxxp://www.e-leboncoin[.]top hxxp://www.gb-leboncoin[.]info hxxp://fr-leboncoin[.]top hxxp://a-leboncoin[.]top hxxp://t-leboncoin[.]info hxxp://www.uk-leboncoin[.]info hxxp://www.mob-leboncoin[.]info hxxp://www.a-leboncoin[.]top hxxp://leboncoin-ql[.]top hxxp://fr-leboncoin[.]info hxxp://mob-leboncoin[.]info hxxp://www.uk-leboncoin[.]top hxxp://u-leboncoin[.]info hxxp://www.mob-leboncoin[.]top hxxp://www.t-leboncoin[.]top hxxp://m-leboncoin[.]info hxxp://www.leboncoin-ql[.]top hxxp://u-leboncoin[.]top hxxp://od-leboncoin[.]info hxxp://www.od-leboncoin[.]info hxxp://www.fr-leboncoin[.]info hxxp://www.t-leboncoin[.]info hxxp://llc-leboncoin[.]top hxxp://www.llc-leboncoin[.]top hxxp://www.u-leboncoin[.]top hxxp://www-leboncoin[.]info hxxp://www.od-leboncoin[.]top hxxp://t-leboncoin[.]top hxxp://e-leboncoin[.]top hxxp://od-leboncoin[.]top hxxp://mob-leboncoin[.]top hxxp://e-leboncoin[.]info hxxp://www.fr-leboncoin[.]top hxxp://leboncoin-xc[.]top hxxp://a-leboncoin[.]info hxxp://my-leboncoin[.]top hxxp://www.my-leboncoin[.]top hxxp://www.a-leboncoin[.]info hxxp://www.llc-leboncoin[.]info hxxp://www.leboncoin-ql[.]info hxxp://my-leboncoin[.]info hxxp://www.leboncoin-tr[.]top hxxp://leboncoin-tr[.]top hxxp://www.my-leboncoin[.]info hxxp://llc-leboncoin[.]info hxxp://leboncoin-ql[.]info hxxp://leboncoin-bk[.]top hxxp://www.leboncoin-my[.]top hxxp://leboncoin-my[.]info hxxp://www.leboncoin-bk[.]top hxxp://leboncoin-my[.]top hxxp://www.leboncoin-my[.]info hxxp://leboncoin-bk[.]info hxxp://leboncoin-tr[.]info hxxp://www.leboncoin-tr[.]info hxxp://www.leboncoin-bk[.]info hxxp://www.leboncoin-vd[.]info hxxp://leboncoin-vd[.]top hxxp://leboncoin-vd[.]info hxxp://www.leboncoin-vd[.]top hxxp://leboncoin-cz[.]top hxxp://www.leboncoin-cz[.]top hxxp://www.leboncoin-cz[.]info hxxp://leboncoin-cz[.]info hxxp://leboncoin-jp[.]top hxxp://leboncoin-jp[.]info hxxp://leboncoin-xc[.]info hxxp://www.leboncoin-xc[.]info hxxp://www.leboncoin-jp[.]info hxxp://www.leboncoin-jp[.]top hxxp://leboncoin-mp[.]top hxxp://www.leboncoin-xc[.]top hxxp://leboncoin-lx[.]top hxxp://leboncoin-lp[.]info hxxp://leboncoin-ml[.]top hxxp://leboncoin-kp[.]top hxxp://leboncoin-kz[.]top hxxp://leboncoin-lv[.]top hxxp://leboncoin-sl[.]top hxxp://arbeit.jobs-hegele[.]in 08/05/2019 com.bertjerts 172eb70cd27b6d24b47abe39c887c2fd6164f238a4c18877aad139c1de9ed6a9 08/05/2019 com.backsmart a289da988c92c9889c0efb9901b5e875fb2a37dbb0cbd31708dba647bdf4c403 12/05/2019 com.bertrander 5f7b91bcd4877802a5b1a69bb322fa934d4a9ec1b5ac1a472636de57c33e07c3 18/05/2019 com.jertay 1bc805d19613bbab15027bd7d29a5bc3b8709bff0c7fd49cf04bb998cfc09b0d 08/06/2019 com.garson f22ea76a0d69cf03915fd17f6472b790c21fecea70ff94520cbed71e8eeba198 11/06/2019 com.lebronjoin b9610d39792609dc56fe0058571ec786df65e43e522d123eb26b5c5532737234 (WTF?) 11/06/2019 com.berlins 225023859abbad7f788a47dd72ea3b702799360b50b69dc670b6fb1c02e5bf64