Security Posts

ISC Stormcast For Monday, October 2nd, 2023 https://isc.sans.edu/podcastdetail/8682

A software company sold a New Jersey police department an algorithm that was right less than 1 percent of the time.

(c) SANS Internet Storm Center. https://isc.sans.edu Creative Commons Attribution-Noncommercial 3.0 United States License.

In an era dominated by technological evolution, Cybersecurity Awareness Month 2023, now celebrating its 20th year, accentuates the growing significance of cybersecurity. This initiative encourages individuals and organizations to embrace crucial cybersecurity measures to help with online safety. AT&T Cybersecurity once again demonstrates its commitment to this cause by actively participating in this pivotal educational month. Cybersecurity is working all the time, everywhere, whenever you use technology. As technology permeates every aspect of our lives, from mobile devices to connected home appliances, the necessity for robust cybersecurity has never been more pronounced. Cybercriminals persistently devise methods to compromise technology, aiming to disrupt personal and professional realms. For two decades, Cybersecurity Awareness Month has sought to underline these burgeoning challenges and offer clear, actionable advice to help people construct a secure digital environment for themselves and others. Businesses such as AT&T Cybersecurity care about every part of the process, including awareness. Specializing in business security services, AT&T Cybersecurity safeguards businesses through cybersecurity consulting and managed security services.  Additionally, AT&T includes protecting consumers through AT&T ActiveArmor and inherent network security. The company emphasizes the importance of ensuring the privacy and security of personal information, including emerging biometric markers such as fingerprints and eye-iris prints. Theresa Lanowitz, Head Evangelist at AT&T Cybersecurity, calls out the nuance. "You can have security without privacy,” she explains, “but you cannot have privacy without security.” Hence, implementing proper security controls is pivotal to preventing unauthorized access and upholding privacy. “Consumers need to make sure the companies they share information with are committed to protecting their privacy,” she advises. The theme for 2023 Cybersecurity Awareness Month is "Secure Our World." The core messages revolve around four essential cybersecurity best practices:

1. Use a Password Manager: Understanding the advantages of using password managers while debunking security and user-friendliness myths.
2. Use Multifactor Authentication: Look for a way to turn on multifactor authentication on personal and professional devices and networks.
3. Recognize and Report Phishing: Learn to identify and report phishing activities, a prevalent technique among cybercriminals.
4. Update Software: Installing regular updates and activating automated updates are essential to ensure your software isn’t exposing your computer to threats.

The impact of Cybersecurity Awareness Month is expanding, to endow everyone with the requisite knowledge to stay safer online. AT&T Cybersecurity is proud to support this extensive online safety awareness and education initiative co-managed by the Cybersecurity and Infrastructure Security Agency and the National Cybersecurity Alliance or CISA. The ongoing dedication and commitment to cybersecurity awareness are imperative to counteract the escalating threats in the digital landscape. Cybersecurity Awareness Month 2023 stands as a testament to collective efforts in fostering a more secure digital world. AT&T Cybersecurity continues to be at the forefront, contributing to global cybersecurity success and ensuring privacy and security are synonymous with our digital identities. More about Cybersecurity Awareness Month. Founded in 2004, Cybersecurity Awareness Month occurs every October and is regarded as the preeminent global initiative focused on promoting cybersecurity awareness and best practices. This collaborative effort involves businesses, government agencies, educational institutions, associations, nonprofit organizations, tribal communities, and individuals, all dedicated to fostering online safety education. For additional details about Cybersecurity Awareness Month 2023 and to engage in various activities, please visit CISA’s Cybersecurity Awareness Month and Stay Safe Online Cybersecurity Awareness Month. Also, follow and use #CybersecurityAwarenessMonth and #SecureOurWorld on social media throughout October.

ZIP archives store compressed files including their metadata (filesize, date/time, ...). When a contained file is password protected, the compressed data is encrypted, but the metadata is not. As an example, take this ZIP file that I created. It contains a single file (mimikatz.exe), and that file is protected with a password (infected): Although the file is password protected, it's the compressed file content that is encrypted (see screenshot: Encrypted +) but the filename, the filsize, filedate, ..., all that metadata is not encrypted. That can be read without knowing the password. I was involved in a forum discussion, where the OP shared a password protected ZIP archive of a file that the OP considered suspicious. For whatever reason, the OP wanted us to express our opinion about the file without having the opportunity to take a look at the file (the OP would share the password later with us). I could make an educated guess about the filecontent with the crc32 checksum. Let me explain. My tool zipdump.py can be used to analyze ZIP files using Python modules zipfile and pyzipper. But it can also parse the binary structure of a ZIP file, and extract all the relevant metadata in its raw form. I do this with option -f l (find list): First we see a PKZIP file record (named PK0304 by zipdump), then a PKZIP directory entry record (PK0102) and finally, a PKZIP end-of-directory record (PK0506). All the metadata is in cleartext. With the filename and the CRC32 checksum, I can make an educated guess about the file content. I download mimikatz.exe from github, and I calculate its crc32 checksum with hash.py: The crc32 checksum of the file inside the archive and the file that I downloaded, are the same. This is a weak indication that the files are the same. crc32 is an error detection checksum, it is not a cryptographic hash. It's only 32 bits long, and it is easy to craft a file that produces a desired crc32 checksum. It is certainly not strong evidence. The OP was surprised that metadata was not encrypted, so I was pretty sure that the crc32 had not been tampered with. My trick worked because I had a good idea of what file was inside the archive. Wihout that information, it would have been impossible, because there are countless files with that crc32 checksum. I think that this crc32 code is also used by Gmail to detect malicious files inside password protected ZIP files. If you need to create archive files where metadata is also encrypted, you need to use other formats, like 7zip for example. Or double-ZIP your files.   Didier Stevens
Senior handler
Microsoft MVP
blog.DidierStevens.com (c) SANS Internet Storm Center. https://isc.sans.edu Creative Commons Attribution-Noncommercial 3.0 United States License.

Comienza la primera semana de Octubre, y yo tengo una agenda más que interesante por delante de actividades que complementaré con algunas actividades públicas que os paso a contar, ya que voy a estar en Alicante, Albacete y en la televisión en abierto en Cuatro con Iker Jiménez y Carmen Porter. Por si alguna de las citas os encajan en vuestra agenda y os apetece venir.
Figura 1: 4, 5 y 6 de Octubre - Navaja Negra,II Forum Europeo de IA de IA & Horizonte 
Te dejo a continuación la lista con los detalles de las actividades, pero ten en cuenta que tienes más información y detalles en las webs de los eventos, así que échales un ojo a cada uno de ellos.
4 de Octubre: II Forum Europeo de IA  [Alicante]
Me llegó esta invitación por Andrei Manuel, Founder de Bit2Me, y no pude decirle que no, así que he metido un poco con "calzador" en mi agenda un viaje exprés a Alicante el 4 de Octubre, para participar en este evento. Daré una charla de 30 minutos en el foro, que es para hablar de todas las posibilidades y retos de la Inteligencia Artificial, así que como yo estaré al final de la mañana, hablaré de mis cosas. Ya sabéis, si seguís lo que voy publicando por aquí.
Figura 2: II Forum Europeo de IA en Alicante. 4 de Octubre
El evento es de día entero, y tiene un elenco de ponentes espectacular, así que si tienes posibilidad ese día de pasarte por allí, merece la pena que le eches un ojo a la agenda del II Forum Europeo de IA.
5 de Octubre: Navaja Negra [Albacete]
El día siguiente, jueves,  toca Albacete para dar la charla en la Navaja Negra, donde me toca dar la primera charla nada más acabar la inauguración, y justo antes del gran Miguel Ángel de Castro, así que emoción a tope. Y la charla será para hablar de una PoC que hemos construido jugando con juguetes. Así que hablaré de "Advanced Persistent Thre...Toys", para contaros un proyecto con el que Pablo González, Fran Ramírez, Alvaro Núñez-Romero y yo llevamos tiempo jugueteando. Ya sabéis, de esas cosas que hacemos en el equipo de Ideas Locas.
Figura 3: Agenda de charlas para Navaja Negra.
De la Navaja Negra poco más que contaros, ya sabéis que es una pedazo de CON de tres días de duración, donde tendréis también un taller de Pablo González y Alvaro Núñez-Romero para aprender, jugar, y practicar con Web3, Hacking & Pentesting de BlockChain, SmartContracts & Tokenomicss usando Level_UP!
Figura 4: Taller sobre Seguridad en Web3 en Navaja Negraimpartido por Álvaro Núñez-Romero.
Y luego, la lista de ponentes, pues espectacular, como siempre. Amador Aparicio, Fernando Rubio Román, Manuel S. Lemos, Marc Rivero, Ruth Sala Ordoñez, Raúl Siles, Miguel Ángel de Castro, Pablo González, Alvaro Núñez-Romero, Joel Gámez Molina, Ivan Portillo, Emilio Rico Ruiz, Abraham Pasamar o Ricardo Narvaja entre otros.
Figura 5: Habrá stand y sesión de firmas de 0xWord
También habrá un stand de 0xWord allí, y podrás usar tus Tempos de MyPublicInbox para conseguir libros, chapas, pegatinas, etcétera, así que ven listo si quieres algo de material. Y haremos unos horarios de firmas de libros con algunos autores. Yo estaré el día 5 de Noviembre firmando nada más terminar mi charla, así que si quieres comprar un libro y llevártelo firmado, yo estaré por allí una hora o así para ello. Y si los llevas comprados online por anticipado, para recoger allí, tendrás prioridad para recogerlos.
Del 05 al 06 de Octubre: Horizonte [Televisión en abierto - Cuatro] Y para terminar la semana, nada más regresar de Navaja Negra iré directo al plató de televisión de Horizonte de mis queridos Iker Jiménez y Carmen Porter, para hablar de tecnología, actualidad, y esas cosas que tanto nos gustan a los dos. Os encantaría ver cómo Iker deja volar su imaginación y le saca partido a la GenAI en su día a día.
Figura : En Horizonte con Iker Jiménez y Carmen Porter
Será como siempre, unos minutos, probablemente después de las 12:00, pero realmente el programa comienza el Jueves 05 a las 23:00 horas, así que si eres de los que disfrutan la noche de la televisión, por allí estaré.
¡Saludos Malignos!
Autor: Chema Alonso (Contactar con Chema Alonso)  


Sigue Un informático en el lado del mal RSS 0xWord
- Contacta con Chema Alonso en MyPublicInbox.com

This is just a small update to my XOR known-plaintext attack tool, with some improvements on the algorithm. xor-kpa_V0_0_8.zip (http)
MD5: EB6397FC81C920DF4E1753A4A31DA9B4
SHA256: 9706979A4B1FBC6E318F6015C69ED2759ADC871632FDB9034615A4488DAC32E0

This updates changes the THP_READALL logic, and adds THP_ECHO_THIS and THP_ALLOW_LIST. simple_listener_v0_1_3.zip (http)
MD5: 6C90E789D4C10B6EF5E918306A7A58E7
SHA256: 16E55E8983E4208151CB407F72238537C7631396FFFECC431230F7879AFAC664

Here is an overview of content I published in September:

Blog posts:

• Update: zipdump.py Version 0.0.28
• Update: emldump.py Version 0.0.13
• Update: file-magic.py Version 0.0.7
• Update: zipdump.py Version 0.0.28
• Update: hash.py Version 0.0.10

SANS ISC Diary entries:

• Analysis of a Defective Phishing PDF
• Creating a YARA Rule to Detect Obfuscated Strings
• Quickie: Generating a YARA Rule to Detect Obfuscated Strings
• YARA Support for .LNK Files
• IPv4 Addresses in Little Endian Decimal Format

To consolidate all of our security intelligence and news in one location, we have migrated Naked Security to the Sophos News platform.

By Artem Dinaburg eBPF (extended Berkeley Packet Filter) has emerged as the de facto Linux standard for security monitoring and endpoint observability. It is used by technologies such as BPFTrace, Cilium, Pixie, Sysdig, and Falco due to its low overhead and its versatility. There is, however, a dark (but open) secret: eBPF was never intended for security monitoring. It is first and foremost a networking and debugging tool. As Brendan Gregg observed: eBPF has many uses in improving computer security, but just taking eBPF observability tools as-is and using them for security monitoring would be like driving your car into the ocean and expecting it to float. But eBPF is being used for security monitoring anyway, and developers may not be aware of the common pitfalls and under-reported problems that come with this use case. In this post, we cover some of these problems and provide workarounds. However, some challenges with using eBPF for security monitoring are inherent to the platform and cannot be easily addressed. Pitfall #1: eBPF probes are not invoked In theory, the kernel is never supposed to fail to fire eBPF probes. In practice, it does. Sometimes, although very rarely, the kernel will not fire eBPF probes when user code expects to see them. This behavior is not explicitly documented or acknowledged, but you can find hints of it in bug reports for eBPF tooling. This bug report provides valuable insight. First, the issues involved are rare and difficult to debug. Second, the kernel may be technically correct, but the observed behavior on the user side is missing events, even if the proximate behavior was different (e.g., too many probes). Comments on the bug report present two theories for why events are missing:

• First, there is a set limit on the number of kRetProbes that the kernel can have active at once. As of kernel 6.4.5, the default limit is 4,096. Attempts to create more kRetProbes will fail, resulting in a missed event.
• Second, the callback logic for a kProbe and a kRetProbe is slightly different, which means that sometimes a kProbe will not see a matching kRetProbe, resulting in a missed event.

More of these issues are likely lurking in the kernel, either as documented edge cases or surprise emergent effects of unrelated design decisions. eBPF is not a security monitoring mechanism, so there is not a guarantee that probes will fire as expected. Workarounds None. The callback logic and value for the maximum number of kRetProbes are hard-coded into the kernel. While one can manually edit and rebuild the kernel source, doing so is not advisable or feasible for most scenarios. Any tools relying on eBPF must be prepared for an occasional missing callback. Pitfall #2: Data is truncated due to space constraints An eBPF program’s stack space is limited to 512 bytes. When writing eBPF code, developers need to be particularly cautious about how much scratch data they use and the depth of their call stacks. This limit affects both the amount and kind of data that can be processed using eBPF code. For instance, 512 bytes is less than the longest permitted file path length, which is 4,096 bytes. Workarounds There are multiple options to get more scratch space, but they all involve cheating. Thanks to the bpf_map_lookup_elem helper, it’s possible to use a map’s memory directly. Directly using maps as storage effectively functions as malloc, but for eBPF code. A plausible implementation is a per-CPU array with a single key, whose size corresponds to our allocation needs: u64 first_key = 0; u8 *scratch_buffer = per_cpu_map.lookup(&first_key); // implemented with bpf_map_lookup_elem However, how do we send this data back to our user mode code? A naive approach is to use even more maps, but this approach fails with variable-sized objects like paths and it also wastes memory. Maps can be very expensive in terms of memory use because data must be replicated per CPU to ensure integrity. Unfortunately, per-CPU maps allocate memory based on the number of possible hot-swappable CPUs. This number can easily be huge—on VMWare Fusion, it defaults to 128, so a single map entry wastes 127 times as much space as it uses. Another approach is to stream data through the perf ring buffer. The linuxevents library uses this method to handle variable paths. The following is an example pseudocode implementation of this approach: u64 first_key = 0; u8 *scratch_space = per_cpu_array.lookup(&first_key); for (const auto &component_ptr : path.components()) { bpf_probe_read_str(scratch_space, component_ptr, scratch_space_size); perf_submit(scratch_space); } Streaming data through the perf ring buffer significantly increases the effective size of each component and also enhances space efficiency, albeit at the expense of additional data reconstruction work. To handle edge cases like untriggered probes or lost/overwritten data, a recovery method must be implemented after data transmission. Unfortunately, perf buffers are allocated in a similar way to per-CPU maps. On newer systems, the BPF ring buffer can be used instead to avoid that issue (the same ring buffer is shared across CPUs) Pitfall #3: Limited instruction count An eBPF program can have only 4,096 instructions, and reusing code (e.g., by defining a function) is not possible. Until recently, loops were not supported (or they had to be manually unrolled). While eBPF allows a maximum of 1 million instructions to be executed at runtime, the program can still be only 4,096 instructions long. Workarounds Rebuild your programs to take advantage of bounded loops (i.e., loops where the iteration count can be statically determined). These loops are now supported and they save precious program space compared to unrolling loops. Another workaround to increase the program size is multiple programs that tail call each other, which they can do up to 32 times until execution is interrupted. A drawback of this approach is that program state is lost between each transition. To keep state across tail calls, consider storing data in an eBPF map accessible by all 32 programs. Pitfall #4: Time-of-check to time-of-use issues An eBPF program can and will run concurrently on different CPU cores. This is true even for kernel code. Since there is no way to call kernel synchronization functions or to reliably acquire locks from eBPF, data races and time-of-check to time-of-use issues are a serious concern. Workarounds The only workaround is to carefully choose the event attach point, depending on the program. For example, eBPF commonly needs to work with functions that accept user data. In this situation, a good attach point is right after user data has been read into kernel mode. When dealing with kernel code and synchronization is involved, you may not be able to mitigate time-of-check to time-of-use issues. As an example, the dentry structure that backs files is often modified under lock by the kernel, and it is impossible to acquire these locks from an eBPF probe. Often the only indication that something is wrong is a bad return code from an API like bpf_probe_read_user. Make sure to handle such errors in a way that does not completely make the event data unusable. For example, if you are streaming data through perf in different packets, insert an error packet that notifies clients of missing data so that they can realign themselves to the event stream without causing corruption. Pitfall #5: Event overload Because eBPF lacks concurrency primitives and an eBPF probe cannot block the event producer, an attach point can be easily overwhelmed with events. This can lead to the following issues:

1. Missed events, as the kernel stops calling the probe
2. Data loss due to the lack of storage space for new data
3. Data loss due to the complete overwriting of older but not yet consumed data by newer information
4. Data corruption from partial overwrites or complex data formats, disrupting normal program operation

These data loss and corruption scenarios depend on the number of probes and events that are adding items into the event stream and on the extent of system activity. For instance, a docker container startup sequence or a deployment script can trigger a surprisingly large number of events. Developers should choose events to be monitored carefully and should avoid repetition and constructs that can make it harder to recover from data loss. Workarounds The user-mode helper should treat all data coming from eBPF probes as untrusted. This includes data from your own eBPF probes, which is also susceptible to accidental corruption. There should also be some application-level mechanism to detect missing or corrupted data. Pitfall #6: Page faults Memory that has not been accessed recently may be paged out to disk—be it a swap file, a backing file, or a more esoteric location. Normally, when this memory is needed, the kernel will issue a page fault, load the relevant content, and continue execution. For various reasons, eBPF runs with page faults disabled—if memory is paged out, it cannot be accessed. This is bad news for a security monitoring tool. Workarounds The only workaround is to hook right after a buffer is used and hope it does not get paged out before the probe reads it. This cannot be strictly guaranteed since there are no concurrency primitives, but the way the hook is implemented can increase the likelihood of success. Consider the following example: int syscall_name(const char *user_mode_ptr) { function1(); function2(user_mode_ptr); function3() return 0; } To make sure that user_mode_ptr can be accessed, this code first hooks into the entry of syscall_name and saves all of the pointer parameters in a map. It then searches for a place where user_mode_ptr is almost certainly accessible (i.e., anything past the call to function2) and sets an attach point there to read the data. The following are some options for the attach point:

1. On function2 exit
2. On function3 entry
3. On function3 exit
4. On syscall_name exit

You may be wondering why we don’t just hook function2 directly. While this can work occasionally, it is normally a bad idea:

1. function2 is often called outside of the context you are interested in (i.e., outside of syscall_name).
2. function2 may not have the same signature across kernel revisions. If we just use the function as an opaque breakpoint, signature changes do not affect our probe.

Also note that, at times, the parameter changes during a system call, and we need to read it before the data is gone. For example, the execve system call replaces the entire process memory, erasing all initial data before the call completes. Again, developers should assume that some memory may be unreadable by the eBPF probe and develop accordingly. Embracing benefits, addressing limitations eBPF is a powerful tool for Linux observability and monitoring, but it was not designed for security and comes with inherent limitations. Developers need to be aware of pitfalls like probe unreliability, data truncation, instruction limits, concurrency issues, event overload, and page faults. Workarounds exist, but they are imperfect and often add complexity. The bottom line is that while eBPF enables exciting new capabilities, it is not a silver bullet. Software using eBPF for security monitoring must be built to gracefully handle missing data and error conditions. Robustness needs to be a top priority. With care and creativity, eBPF can still be used to build next-generation security tools. But it requires acknowledging and working around eBPF’s constraints, not ignoring them. As with any technology, the most effective security monitoring solutions will embrace eBPF while being aware of how it can fail.

Authored by Joshua Kamp (main author) and Alberto Segura. Summary Hook and ERMAC are Android based malware families that are both advertised by the actor named “DukeEugene”. Hook is the latest variant to be released by this actor and was first announced at the start of 2023. In this announcement, the actor claims that Hook was written from scratch [1]. In our research, we have analysed two samples of Hook and two samples of ERMAC to further examine the technical differences between these malware families. After our investigation, we concluded that the ERMAC source code was used as a base for Hook. All commands (30 in total) that the malware operator can send to a device infected with ERMAC malware, also exist in Hook. The code implementation for these commands is nearly identical. The main features in ERMAC are related to sending SMS messages, displaying a phishing window on top of a legitimate app, extracting a list of installed applications, SMS messages and accounts, and automated stealing of recovery seed phrases for multiple cryptocurrency wallets. Hook has introduced a lot of new features, with a total of 38 additional commands when comparing the latest version of Hook to ERMAC. The most interesting new features in Hook are: streaming the victim’s screen and interacting with the interface to gain complete control over an infected device, the ability to take a photo of the victim using their front facing camera, stealing of cookies related to Google login sessions, and the added support for stealing recovery seeds from additional cryptocurrency wallets. Hook had a relatively short run. It was first announced on the 12th of January 2023, and the closing of the project was announced on April 19th, 2023, due to “leaving for special military operation”. On May 11th, 2023, the actors claimed that the source code of Hook was sold at a price of $70.000. If these announcements are true, it could mean that we will see interesting new versions of Hook in the future. The launch of Hook On the 12th of January 2023, DukeEugene started advertising a new Android botnet to be available for rent: Hook. Forum post where DukeEugene first advertised Hook. Hook malware is designed to steal personal information from its infected users. It contains features such as keylogging, injections/overlay attacks to display phishing windows over (banking) apps (more on this in the “Overlay attacks” section of this blog), and automated stealing of cryptocurrency recovery seeds. Financial gain seems to be the main motivator for operators that rent Hook, but the malware can be used to spy on its victims as well. Hook is rented out at a cost of $7.000 per month. Forum post showing the rental price of Hook, along with the claim that it was written from scratch. The malware was advertised with a wide range of functionality in both the control panel and build itself, and a snippet of this can be seen in the screenshot below. Some of Hook’s features that were advertised by DukeEugene. Command comparison Analyst’s note: The package names and file hashes that were analysed for this research can be found in the “Analysed samples” section at the end of this blog post. While checking out the differences in these malware families, we compared the C2 commands (instructions that are sent by the malware operator to the infected device) in each sample. This analysis did lead us to find several new commands and features on Hook, as can be seen just looking at the number of commands implemented in each variant. SampleNumber of commandsHook sample #158Hook sample #268Ermac sample #1 & #230 All 30 commands that exist in ERMAC also exist in Hook. Most of these commands are related to sending SMS messages, updating and starting injections, extracting a list of installed applications, SMS messages and accounts, and starting another app on the victim’s device (where cryptocurrency wallet apps are the main target). While simply launching another app may not seem that malicious at first, you will think differently after learning about the automated features in these malware families. Automated features in the Hook C2 panel. Both Hook and ERMAC contain automated functionality for stealing recovery seeds from cryptocurrency wallets. These can be used to gain access to the victim’s cryptocurrency. We will dive deeper into this feature later in the blog. When comparing Hook to ERMAC, 29 new commands have been added to the first sample of Hook that we analysed, and the latest version of Hook contains 9 additional commands on top of that. Most of the commands that were added in Hook are related to interacting with the user interface (UI). Hook command: start_vnc The UI interaction related commands (such as “clickat” to click on a specific UI element and “longpress” to dispatch a long press gesture) in Hook go hand in hand with the new “start_vnc” command, which starts streaming the victim’s screen. A decompiled method that is called after the “start_vnc” command is received by the bot. In the code snippet above we can see that the createScreenCaptureIntent() method is called on the MediaProjectionManager, which is necessary to start screen capture on the device. Along with the many commands to interact with the UI, this allows the malware operator to gain complete control over an infected device and perform actions on the victim’s behalf.
Controls for the malware operator related to the “start_vnc” command. Command implementation For the commands that are available in both ERMAC and Hook, the code implementation is nearly identical. Take the “logaccounts” command for example: Decompiled code that is related to the “logaccounts” command in ERMAC and Hook. This command is used to obtain a list of available accounts by their name and type on the victim’s device. When comparing the code, it’s clear that the logging messages are the main difference. This is the case for all commands that are present in both ERMAC and Hook. Russian commands Both ERMAC and the Hook v1 sample that we analysed contain some rather edgy commands in Russian, that do not provide any useful functionality. Decompiled code which contains Russian text in ERMAC and first versions of Hook. The command above translates to “Die_he_who_reversed_this“. All the Russian commands create a file named “system.apk” in the “apk” directory and immediately deletes it. It appears that the authors have recently adapted their approach to managing a reputable business, as these commands were removed in the latest Hook sample that we analysed. New commands in Hook V2 In the latest versions of Hook, the authors have added 9 additional commands compared to the first Hook sample that we analysed. These commands are: CommandDescriptionsend_sms_manySends an SMS message to multiple phone numbersaddwaitviewDisplays a “wait / loading” view with a progress bar, custom background colour, text colour, and text to be displayedremovewaitviewRemoves the “wait / loading” view that is displayed on the victim’s device because of the “addwaitview” commandaddviewAdds a new view with a black background that covers the entire screenremoveviewRemoves the view with the black background that was added by the “addview” commandcookieSteals session cookies (targets victim’s Google account)safepalStarts the Safepal Wallet application (and steals seed phrases as a result of starting this application, as observed during analysis of the accessibility service)exodusStarts the Exodus Wallet application (and steals seed phrases as a result of starting this application, as observed during analysis of the accessibility service)takephotoTakes a photo of the victim using the front facing camera One of the already existing commands, “onkeyevent”, also received a new payload option: “double_tap”. As the name suggests, this performs a double tap gesture on the victim’s screen, providing the malware operator with extra functionality to interact with the victim’s device user interface. More interesting additions are: the support for stealing recovery seed phrases from other crypto wallets (Safepal and Exodus), taking a photo of the victim, and stealing session cookies. Session cookie stealing appears to be a popular trend in Android malware, as we have observed this feature being added to multiple malware families. This is an attractive feature, as it allows the actor to gain access to user accounts without needing the actual login credentials. Device Admin abuse Besides adding new commands, the authors have added more functionality related to the “Device Administration API” in the latest version of Hook. This API was developed to support enterprise apps in Android. When an app has device admin privileges, it gains additional capabilities meant for managing the device. This includes the ability to enforce password policies, locking the screen and even wiping the device remotely. As you may expect: abuse of these privileges is often seen in Android malware. DeviceAdminReceiver and policies To implement custom device admin functionality in a new class, it should extend the “DeviceAdminReceiver”. This class can be found by examining the app’s Manifest file and searching for the receiver with the “BIND_DEVICE_ADMIN” permission or the “DEVICE_ADMIN_ENABLED” action. Defined device admin receiver in the Manifest file of Hook 2. In the screenshot above, you can see an XML file declared as follows: android:resource=”@xml/buyanigetili. This file will contain the device admin policies that can be used by the app. Here’s a comparison of the device admin policies in ERMAC, Hook 1, and Hook 2: Differences between device admin policies in ERMAC and Hook. Comparing Hook to ERMAC, the authors have removed the “WIPE_DATA” policy and added the “RESET_PASSWORD” policy in the first version of Hook. In the latest version of Hook, the “DISABLE_KEYGUARD_FEATURES” and “WATCH_LOGIN” policies were added. Below you’ll find a description of each policy that is seen in the screenshot. Device Admin PolicyDescriptionUSES_POLICY_FORCE_LOCKThe app can lock the deviceUSES_POLICY_WIPE_DATAThe app can factory reset the deviceUSES_POLICY_RESET_PASSWORDThe app can reset the device’s password/pin codeUSES_POLICY_DISABLE_KEYGUARD_FEATURESThe app can disable use of keyguard (lock screen) features, such as the fingerprint scannerUSES_POLICY_WATCH_LOGINThe app can watch login attempts from the user The “DeviceAdminReceiver” class in Android contains methods that can be overridden. This is done to customise the behaviour of a device admin receiver. For example: the “onPasswordFailed” method in the DeviceAdminReceiver is called when an incorrect password is entered on the device. This method can be overridden to perform specific actions when a failed login attempt occurs. In ERMAC and Hook 1, the class that extends the DeviceAdminReceiver only overrides the onReceive() method and the implementation is minimal:
Full implementation of the class to extend the DeviceAdminReceiver in ERMAC. The first version of Hook contains the same implementation. The onReceive() method is the entry point for broadcasts that are intercepted by the device admin receiver. In ERMAC and Hook 1 this only performs a check to see whether the received parameters are null and will throw an exception if they are. DeviceAdminReceiver additions in latest version of Hook In the latest edition of Hook, the class to extend the DeviceAdminReceiver does not just override the “onReceive” method. It also overrides the following methods: Device Admin MethodDescriptiononDisableRequested()Called when the user attempts to disable device admin. Gives the developer a chance to present a warning message to the useronDisabled()Called prior to device admin being disabled. Upon return, the app can no longer use the protected parts of the DevicePolicyManager APIonEnabled()Called after device admin is first enabled. At this point, the app can use “DevicePolicyManager” to set the desired policiesonPasswordFailed()Called when the user has entered an incorrect password for the deviceonPasswordSucceeded()Called after the user has entered a correct password for the device When the victim attempts to disable device admin, a warning message is displayed that contains the text “Your mobile is die”. Decompiled code that shows the implementation of the “onDisableRequested” method in the latest version of Hook. The fingerprint scanner will be disabled when an incorrect password was entered on the victim’s device. Possibly to make it easier to break into the device later, by forcing the victim to enter their PIN and capturing it. Decompiled code that shows the implementation of the “onPasswordFailed” method in the latest version of Hook. All keyguard (lock screen) features are enabled again when a correct password was entered on the victim’s device. Decompiled code that shows the implementation of the “onPasswordSucceeded” method in the latest version of Hook. Overlay attacks Overlay attacks, also known as injections, are a popular tactic to steal credentials on Android devices. When an app has permission to draw overlays, it can display content on top of other apps that are running on the device. This is interesting for threat actors, because it allows them to display a phishing window over a legitimate app. When the victim enters their credentials in this window, the malware will capture them. Both ERMAC and Hook use web injections to display a phishing window as soon as it detects a targeted app being launched on the victim’s device. Decompiled code that shows partial implementation of overlay injections in ERMAC and Hook. In the screenshot above, you can see how ERMAC and Hook set up a WebView component and load the HTML code to be displayed over the target app by calling webView5.loadDataWithBaseURL(null, s6, “text/html”, “UTF-8”, null) and this.setContentView() on the WebView object. The “s6” variable will contain the data to be loaded. The main functionality is the same for both variants, with Hook having some additional logging messages. The importance of accessibility services Accessibility Service abuse plays an important role when it comes to web injections and other automated feature in ERMAC and Hook. Accessibility services are used to assist users with disabilities, or users who may temporarily be unable to fully interact with their Android device. For example: users that are driving might need additional or alternative interface feedback. Accessibility services run in the background and receive callbacks from the system when AccessibilityEvent is fired. Apps with accessibility service can have full visibility over UI events, both from the system and from 3rd party apps. They can receive notifications, they can get the package name, list UI elements, extract text, and more. While these services are meant to assist users, they can also be abused by malicious apps for activities such as: keylogging, automatically granting itself additional permissions, and monitoring foreground apps and overlaying them with phishing windows. When ERMAC or Hook malware is first launched, it prompts the victim with a window that instructs them to enable accessibility services for the malicious app. Instruction window to enable the accessibility service, which is shown upon first execution of ERMAC and Hook malware. A warning message is displayed before enabling the accessibility service, which shows what actions the app will be able to perform when this is enabled. Warning message that is displayed before enabling accessibility services. With accessibility services enabled, ERMAC and Hook malware automatically grants itself additional permissions such as permission to draw overlays. The onAccessibilityEvent() method monitors the package names from received accessibility events, and the web injection related code will be executed when a target app is launched. Targeted applications When the infected device is ready to communicate with the C2 server, it sends a list of applications that are currently installed on the device. The C2 server then responds with the target apps that it has injections for. While dynamically analysing the latest version of Hook, we sent a custom HTTP request to the C2 server to make it believe that we have a large amount of apps (700+) installed. For this, we used the list of package names that CSIRT KNF had shared in an analysis report of Hook [2]. Part of our manually crafted HTTP request that includes a list of “installed apps” for our infected device. The server responded with the list of target apps that the malware can display phishing windows for. Most of the targeted apps in both Hook and ERMAC are related to banking. Part of the C2 server response that contains the target apps for overlay injections. Keylogging Keylogging functionality can be found in the onAccessibilityEvent() method of both ERMAC and Hook. For every accessibility event type that is triggered on the infected device, a method is called that contains keylogger functionality. This method then checks what the accessibility event type was to label the log and extracts the text from it. Comparing the code implementation of keylogging in ERMAC to Hook, there are some slight differences in the accessibility event types that it checks for. But the main functionality of extracting text and sending it to the C2 with a certain label is the same. Decompiled code snippet of keylogging in ERMAC and in Hook. The ERMAC keylogger contains an extra check for accessibility event “TYPE_VIEW_SELECTED” (triggered when a user selects a view, such as tapping on a button). Accessibility services can extract information about a selected view, such as the text, and that is exactly what is happening here. Hook specifically checks for two other accessibility events: the “TYPE_WINDOW_STATE_CHANGED” event (triggered when the state of an active window changes, for example when a new window is opened) or the “TYPE_WINDOW_CONTENT_CHANGED” event (triggered when the content within a window changes, like when the text within a window is updated). It checks for these events in combination with the content change type “CONTENT_CHANGE_TYPE_TEXT” (indicating that the text of an UI element has changed). This tells us that the accessibility service is interested in changes of the textual content within a window, which is not surprising for a keylogger. Stealing of crypto wallet seed phrases Automatic stealing of recovery seeds from crypto wallets is one of the main features in ERMAC and Hook. This feature is actively developed, with support added for extra crypto wallets in the latest version of Hook. For this feature, the accessibility service first checks if a crypto wallet app has been opened. Then, it will find UI elements by their ID (such as “com.wallet.crypto.trustapp:id/wallets_preference” and “com.wallet.crypto.trustapp:id/item_wallet_info_action”) and automatically clicks on these elements until it navigated to the view that contains the recovery seed phrase. For the crypto wallet app, it will look like the user is browsing to this phrase by themselves. Decompiled code that shows ERMAC and Hook searching for and clicking on UI elements in the Trust Wallet app. Once the window with the recovery seed phrase is reached, it will extract the words from the recovery seed phrase and send them to the C2 server. Decompiled code that shows the actions in ERMAC and Hook after obtaining the seed phrase. The main implementation is the same in ERMAC and Hook for this feature, with Hook containing some extra logging messages and support for stealing seed phrases from additional cryptocurrency wallets. Replacing copied crypto wallet addresses Besides being able to automatically steal recovery seeds from opened crypto wallet apps, ERMAC and Hook can also detect whether a wallet address has been copied and replaces the clipboard with their own wallet address. It does this by monitoring for the “TYPE_VIEW_TEXT_CHANGED” event, and checking whether the text matches a regular expression for Bitcoin and Ethereum wallet addresses. If it matches, it will replace the clipboard text with the wallet address of the threat actor. Decompiled code that shows how ERMAC and Hook replace copied crypto wallet addresses. The wallet addresses that the actors use in both ERMAC and Hook are bc1ql34xd8ynty3myfkwaf8jqeth0p4fxkxg673vlf for Bitcoin and 0x3Cf7d4A8D30035Af83058371f0C6D4369B5024Ca for Ethereum. It’s worth mentioning that these wallet addresses are the same in all samples that we analysed. It appears that this feature has not been very successful for the actors, as they have received only two transactions at the time of writing. Transactions received by the Ethereum wallet address of the actors. Since the feature has been so unsuccessful, we assume that both received transactions were initiated by the actors themselves. The latest transaction was received from a verified Binance exchange wallet, and it’s unlikely that this comes from an infected device. The other transaction comes from a wallet that could be owned by the Hook actors. Stealing of session cookies The “cookie” command is exclusive to Hook and was only added in the latest version of this malware. This feature allows the malware operator to steal session cookies in order to take over the victim’s login session. To do so, a new WebViewClient is set up. When the victim has logged onto their account, the onPageFinished() method of the WebView will be called and it sends the stolen cookies to the C2 server. Decompiled code that shows Google account session cookies will be sent to the C2 server. All cookie stealing code is related to Google accounts. This is in line with DukeEugene’s announcement of new features that were posted about on April 1st, 2023. See #12 in the screenshot below. DukeEugene announced new features in Hook, showing the main objective for the “cookie” command. C2 communication protocol HTTP in ERMAC ERMAC is known to use the HTTP protocol for communicating with the C2 server, where data is encrypted using AES-256-CBC and then Base64 encoded. The bot sends HTTP POST requests to a randomly generated URL that ends with “.php/” (note that the IP of the C2 server remains the same). Decompiled code that shows how request URLs are built in ERMAC. Example HTTP POST request that was made during dynamic analysis of ERMAC. WebSockets in Hook The first editions of Hook introduced WebSocket communication using Socket.IO, and data is encrypted using the same mechanism as in ERMAC. The Socket.IO library is built on top of the WebSocket protocol and offers low-latency, bidirectional and event-based communication between a client and a server. Socket.IO provides additional guarantees such as fallback to the HTTP protocol and automatic reconnection [3]. Screenshot of WebSocket communication using Socket.IO in Hook. The screenshot above shows that the login command was issued to the server, with the user ID of the infected device being sent as encrypted data. The “42” at the beginning of the message is standard in Socket.IO, where the “4” stands for the Engine.IO “message” packet type and the “2” for Socket.IO’s “message” packet type [3]. Mix and match – Protocols in latest versions of Hook The latest Hook version that we’ve analysed contains the ERMAC HTTP protocol implementation, as well as the WebSocket implementation which already existed in previous editions of Hook. The Hook code snippet below shows that it uses the exact same code implementation as observed in ERMAC to build the URLs for HTTP requests. Decompiled code that shows the latest version of Hook implemented the same logic for building URLs as ERMAC. Both Hook and ERMAC use the “checkAP” command to check for commands sent by the C2 server. In the screenshot below, you can see that the malware operator sent the “killme” command to the infected device to uninstall Hook. This shows that the ERMAC HTTP protocol is actively used in the latest versions of Hook, together with the already existing WebSocket implementation. The infected device is checking for commands sent by the C2 in Hook. C2 servers During our investigation into the technical differences between Hook and ERMAC, we have also collected C2 servers related to both families. From these servers, Russia is clearly the preferred country for hosting Hook and ERMAC C2s. We have identified a total of 23 Hook C2 servers that are hosted in Russia. Other countries that we have found ERMAC and Hook are hosted in are:

• The Netherlands
• United Kingdom
• United States
• Germany
• France
• Korea
• Japan

Popular countries for hosting Hook and ERMAC C2 servers. The end? On the 19th of April 2023, DukeEugene announced that they are closing the Hook project due to leaving for “special military operation”. The actor mentions that the coder of the Hook project, who goes by the nickname “RedDragon”, will continue to support their clients until their lease runs out. DukeEugene mentions that they are closing the Hook project. Note that the first post was created on 19 April 2023 initially and edited a day later. Two days prior to this announcement, the coder of Hook created a post stating that the source code of Hook is for sale at a price of $70.000. Nearly a month later, on May 11th, the coder asked if the thread could be closed as the source code was sold. Hook’s coder announcing that the source code is for sale. Observations In the “Replacing copied crypto wallet addresses” section of this blog, we mentioned that the first received transaction comes from an Ethereum wallet address that could possibly be owned by the Hook actors. We noticed that this wallet received a transaction of roughly $25.000 the day after Hook was announced sold. This could be a coincidence, but the fact that this wallet was also the first to send (a small amount of) money to the Ethereum address that is hardcoded in Hook and ERMAC makes us suspect this. Ethereum transaction that could be related to Hook. We can’t verify whether the messages from DukeEugene and RedDragon are true. But if they are, we expect to see interesting new forks of Hook in the future. In this blog we’ve debunked DukeEugene’s statement of Hook being fully developed from scratch. Additionally, in DukeEugene’s advertisement of HookBot we see a screenshot of the Hook panel that seemed to show similarities with ERMAC’s panel. Conclusion While the actors of Hook had announced that the malware was written from scratch, it is clear that the ERMAC source code was used as a base. All commands that are present in ERMAC also exist in Hook, and the code implementation of these commands is nearly identical in both malware families. Both Hook and ERMAC contain typical features to steal credentials which are common in Android malware, such as overlay attacks/injections and keylogging. Perhaps a more interesting feature that exists in both malware families is the automated stealing of recovery seeds from cryptocurrency wallets. While Hook was not written completely from scratch, the authors have added interesting new features compared to ERMAC. With the added capability of being able to stream the victim’s screen and interacting with the UI, operators of Hook can gain complete control over infected devices and perform actions on the user’s behalf. Other interesting new features include the ability to take a photo of the victim using their front facing camera, stealing of cookies related to Google login sessions, and the added support for stealing recovery seeds from additional cryptocurrency wallets. Besides these new features, significant changes were made in the protocol for communicating with the C2 server. The first versions of Hook introduced WebSocket communication using the Socket.IO library. The latest version of Hook added the HTTP protocol implementation that was already present in ERMAC and can use this next to WebSocket communication. Hook had a relatively short run. It was first announced on the 12th of January 2023, and the closing of the project was announced on April 19th, 2023, with the actor claiming that he is leaving for “special military operation”. The coder of Hook has allegedly put the source code up for sale at a price of $70,000 and stated that it was sold on May 11th, 2023. If these announcements are true, it could mean that we will see interesting new forks of Hook in the future. Indicators of Compromise Analysed samples FamilyPackage nameFile hash (SHA-256)Hookcom.lojibiwawajinu.gunac5996e7a701f1154b48f962d01d457f9b7e95d9c3dd9bbd6a8e083865d563622Hookcom.wawocizurovi.gadomid651219c28eec876f8961dcd0a0e365df110f09b7ae72eccb9de8c84129e23cbERMACcom.cazojowiruje.tutadoe0bd84272ea93ea857cc74a745727085cf214eef0b5dcaf3a220d982c89cea84ERMACcom.jakedegivuwuwe.yewo6d8707da5cb71e23982bd29ac6a9f6069d6620f3bc7d1fd50b06e9897bc0ac50 C2 servers FamilyIP addressHook5.42.199[.]22Hook45.81.39[.]149Hook45.93.201[.]92Hook176.100.42[.]11Hook91.215.85[.]223Hook91.215.85[.]37Hook91.215.85[.]23Hook185.186.246[.]69ERMAC5.42.199[.]91ERMAC31.41.244[.]187ERMAC45.93.201[.]92ERMAC92.243.88[.]25ERMAC176.113.115[.]66ERMAC165.232.78[.]246ERMAC51.15.150[.]5ERMAC176.100.42[.]11ERMAC91.215.85[.]22ERMAC35.91.53[.]224ERMAC193.106.191[.]148ERMAC20.249.63[.]72ERMAC62.204.41[.]98ERMAC193.106.191[.]121ERMAC193.106.191[.]116ERMAC176.113.115[.]150ERMAC91.213.50[.]62ERMAC193.106.191[.]118ERMAC5.42.199[.]3ERMAC193.56.146[.]176ERMAC62.204.41[.]94ERMAC176.113.115[.]67ERMAC108.61.166[.]245ERMAC45.159.248[.]25ERMAC20.108.0[.]165ERMAC20.210.252[.]118ERMAC68.178.206[.]43ERMAC35.90.154[.]240 Network detection The following Suricata rules were tested successfully against Hook network traffic: .gist table { margin-bottom: 0; } This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters. Learn more about bidirectional Unicode characters Show hidden characters # Detection for Hook/ERMAC mobile malware alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"FOX-SRT – Mobile Malware – Possible Hook/ERMAC HTTP POST"; flow:established,to_server; http.method; content:"POST"; http.uri; content:"/php/"; depth:5; content:".php/"; isdataat:!1,relative; fast_pattern; pcre:"/^\/php\/[a-z0-9]{1,21}\.php\/$/U"; classtype:trojan-activity; priority:1; threshold:type limit,track by_src,count 1,seconds 3600; metadata:ids suricata; metadata:created_at 2023-06-02; metadata:updated_at 2023-06-07; sid:21004440; rev:2;) alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"FOX-SRT – Mobile Malware – Possible Hook Websocket Packet Observed (login)"; content:"|81|"; depth:1; byte_test:1,&,0x80,1; luajit:hook.lua; classtype:trojan-activity; priority:1; threshold:type limit,track by_src,count 1,seconds 3600; metadata:ids suricata; metadata:created_at 2023-06-02; metadata:updated_at 2023-06-07; sid:21004441; rev:2;) view raw hook.rules hosted with ❤ by GitHub The second Suricata rule uses an additional Lua script, which can be found here List of Commands FamilyCommandDescriptionERMAC, Hook 1 & 2sendsmsSends a specified SMS message to a specified number. If the SMS message is too large, it will send the message in multiple partsERMAC, Hook 1 & 2startussdExecutes a given USSD code on the victim’s deviceERMAC, Hook 1 & 2forwardcallSets up a call forwarder to forward all calls to the specified number in the payloadERMAC, Hook 1 & 2pushDisplays a push notification on the victim’s device, with a custom app name, title, and text to be edited by the malware operatorERMAC, Hook 1 & 2getcontactsGets list of all contacts on the victim’s deviceERMAC, Hook 1 & 2getaccountsGets a list of the accounts on the victim’s device by their name and account typeERMAC, Hook 1 & 2logaccountsGets a list of the accounts on the victim’s device by their name and account typeERMAC, Hook 1 & 2getinstallappsGets a list of the installed apps on the victim’s deviceERMAC, Hook 1 & 2getsmsSteals all SMS messages from the victim’s deviceERMAC, Hook 1 & 2startinjectPerforms a phishing overlay attack against the given applicationERMAC, Hook 1 & 2openurlOpens the specified URLERMAC, Hook 1 & 2startauthenticator2Starts the Google Authenticator appERMAC, Hook 1 & 2trustLaunches the Trust Wallet appERMAC, Hook 1 & 2myceliumLaunches the Mycelium Wallet appERMAC, Hook 1 & 2piukLaunches the Blockchain Wallet appERMAC, Hook 1 & 2samouraiLaunches the Samourai Wallet appERMAC, Hook 1 & 2bitcoincomLaunches the Bitcoin Wallet appERMAC, Hook 1 & 2toshiLaunches the Coinbase Wallet appERMAC, Hook 1 & 2metamaskLaunches the Metamask Wallet appERMAC, Hook 1 & 2sendsmsallSends a specified SMS message to all contacts on the victim’s device. If the SMS message is too large, it will send the message in multiple partsERMAC, Hook 1 & 2startappStarts the app specified in the payloadERMAC, Hook 1 & 2clearcashSets the “autoClickCache” shared preference key to value 1, and launches the “Application Details” setting for the specified app (probably to clear the cache)ERMAC, Hook 1 & 2clearcacheSets the “autoClickCache” shared preference key to value 1, and launches the “Application Details” setting for the specified app (probably to clear the cache)ERMAC, Hook 1 & 2callingCalls the number specified in the “number” payload, tries to lock the device and attempts to hide and mute the applicationERMAC, Hook 1 & 2deleteapplicationUninstalls a specified applicationERMAC, Hook 1 & 2startadminSets the “start_admin” shared preference key to value 1, which is probably used as a check before attempting to gain Device Admin privileges (as seen in Hook samples)ERMAC, Hook 1 & 2killmeStores the package name of the malicious app in the “killApplication” shared preference key, in order to uninstall it. This is the kill switch for the malwareERMAC, Hook 1 & 2updateinjectandlistappsGets a list of the currently installed apps on the victim’s device, and downloads the injection target listsERMAC, Hook 1 & 2gmailtitlesSets the “gm_list” shared preference key to the value “start” and starts the Gmail appERMAC, Hook 1 & 2getgmailmessageSets the “gm_mes_command” shared preference key to the value “start” and starts the Gmail appHook 1 & 2start_vncStarts capturing the victim’s screen constantly (streaming)Hook 1 & 2stop_vncStops capturing the victim’s screen constantly (streaming)Hook 1 & 2takescreenshotTakes a screenshot of the victim’s device (note that it starts the same activity as for the “start_vnc” command, but it does so without the extra “streamScreen” set to true to only take one screenshot)Hook 1 & 2swipePerforms a swipe gesture with the specified 4 coordinatesHook 1 & 2swipeupPerform a swipe up gestureHook 1 & 2swipedownPerforms a swipe down gestureHook 1 & 2swipeleftPerforms a swipe left gestureHook 1 & 2swiperightPerforms a swipe right gestureHook 1 & 2scrollupPerforms a scroll up gestureHook 1 & 2scrolldownPerforms a scroll down gestureHook 1 & 2onkeyeventPerforms a certain action depending on the specified key payload (POWER DIALOG, BACK, HOME, LOCK SCREEN, or RECENTSHook 1 & 2onpointereventSets X and Y coordinates and performs an action based on the payload text provided. Three options: “down”, “continue”, and “up”. It looks like these payload texts work together, as in: it first sets the starting coordinates where it should press down, then it sets the coordinates where it should draw a line to from the previous starting coordinates, then it performs a stroke gesture using this informationHook 1 & 2longpressDispatches a long press gesture at the specified coordinatesHook 1 & 2tapDispatches a tap gesture at the specified coordinatesHook 1 & 2clickatClicks at a specific UI elementHook 1 & 2clickattextClicks on the UI element with a specific text valueHook 1 & 2clickatcontaintextClicks on the UI element that contains the payload textHook 1 & 2cuttextReplaces the clipboard on the victim’s device with the payload textHook 1 & 2settextSets a specified UI element to the specified textHook 1 & 2openappOpens the specified appHook 1 & 2openwhatsappSends a message through Whatsapp to the specified numberHook 1 & 2addcontactAdds a new contact to the victim’s deviceHook 1 & 2getcallhistoryGets a log of the calls that the victim madeHook 1 & 2makecallCalls the number specified in the payloadHook 1 & 2forwardsmsSets up an SMS forwarder to forward the received and sent SMS messages from the victim device to the specified number in the payloadHook 1 & 2getlocationGets the geographic coordinates (latitude and longitude) of the victimHook 1 & 2getimagesGets list of all images on the victim’s deviceHook 1 & 2downloadimageDownloads an image from the victim’s deviceHook 1 & 2fmmanagerEither lists the files at a specified path (additional parameter “ls”), or downloads a file from the specified path (additional parameter “dl”)Hook 2send_sms_manySends an SMS message to multiple phone numbersHook 2addwaitviewDisplays a “wait / loading” view with a progress bar, custom background colour, text colour, and text to be displayedHook 2removewaitviewRemoves a “RelativeLayout” view group, which displays child views together in relative positions. More specifically: this command removes the “wait / loading” view that is displayed on the victim’s device as a result of the “addwaitview” commandHook 2addviewAdds a new view with a black background that covers the entire screenHook 2removeviewRemoves a “LinearLayout” view group, which arranges other views either horizontally in a single column or vertically in a single row. More specifically: this command removes the view with the black background that was added by the “addview” commandHook 2cookieSteals session cookies (targets victim’s Google account)Hook 2safepalStarts the Safepal Wallet application (and steals seed phrases as a result of starting this application, as observed during analysis of the accessibility service)Hook 2exodusStarts the Exodus Wallet application (and steals seed phrases as a result of starting this application, as observed during analysis of the accessibility service)Hook 2takephotoTakes a photo of the victim using the front facing camera References
[1] – https://www.threatfabric.com/blogs/hook-a-new-ermac-fork-with-rat-capabilities
[2] – https://cebrf.knf.gov.pl/komunikaty/artykuly-csirt-knf/362-ostrzezenia/858-hookbot-a-new-mobile-malware
[3] – https://socket.io/docs/v4/

Cybercrime is on the rise. The number of ransomware attacks has increased by 18%, while the worldwide volume of phishing attacks doubled to 500 million in 2022. Depending on the size of the business, one-third to two-thirds of businesses suffer malware attacks in any given year. And those attacks are costing companies a lot of money. In 2022, American businesses lost $10.3 billion to data breaches and cybercrime. This is all happening while companies are spending trillions digitizing their business operations and trying to obtain secure cyber insurance while keeping up with regulatory changes in GDPR, HIPAA, and Sarbanes-Oxley. The best way to weather these challenges is to become a cyber resilient business. That means implementing a layered security and data management strategy that encompasses prevention, protection, and recovery so that your data, your bottom line, and your reputation remain secure. In this article, we’ll discuss the importance of data security and protection. How to protect your data A sophisticated, layered security strategy will already have prevention tools like endpoint and DNS protection in place as well as security awareness training to stop threats before they reach your network. Unfortunately, that’s not enough. Attacks are becoming increasingly sophisticated and complex, and that first line of defense may not catch them all. If a threat can penetrate the prevention layer, protection-layer tools kick in to neutralize the threat or minimize the damage of an attack. Here are two tools that can protect your data: 1.   Email threat protection and email continuity Email is one of the most common entry points for attacks, from phishing links to ransomware and business email compromise (BEC) to malicious attachments. Cyber criminals can mimic trustworthy senders so you need a tool that helps you tell the difference between a safe email and suspicious one. Tools like Webroot’s Advanced Email Threat Protection analyze the links and attachments in messages to detect malware and keep your systems secure against threats. Webroot Email Continuity can continue to send and receive emails for up to 30 days even if the infrastructure is down. 2.   Email encryption Companies rely on email to distribute important information, but when that information is confidential and sensitive, you need an encryption tool to protect it. If a cyber criminal gets access to emails, they won’t be able to access that sensitive data if it’s encrypted. Webroot Advanced Email Encryption powered by Zix is an industry-grade encryption tool that runs in the background, without disrupting workflows or requiring any input from the user. It’s invisible to the user and requires no extra training, while keeping your communications confidential. Also, default and customizable Data Loss Prevention (DLP) policies are available at no additional cost to prevent unauthorized users from emailing sensitive data to parties outside the organization. Customer stories When Spitzer Automotive’s new Chief Information Officer joined the company in 2019, he realized there was a big problem that affected the company’s security and employee productivity: employees were spending too much time reviewing emails for spam. One phishing attack slipping through human review could cause big problems for the company in downtime, financial loss, and reputational damage. Spitzer chose Webroot’s Advanced Email Threat Protection and Email Continuity as a cloud-based solution to pair with Microsoft 365. Not only were they able to save money by bundling the two together, but it also allowed the company to automate email protection by reducing the number of email threats and quarantining malicious emails. Allery, Asthma, and Sinus Center had a different reason for using Webroot Email Threat Protection and Email Continuity. As a healthcare group, they had sensitive patient data to protect and a ransomware attack from malicious emails could put that at risk. Once they put the Webroot system in place, they were able to focus on other IT matters while knowing that patient data was safe. It also allowed them to be HIPAA compliant. To learn more about building cyber resilience with layered security, download our guide. The post Building a Cyber Resilient Business: The Protection Layer appeared first on Webroot Blog.

When it comes to keeping sensitive data safe, email encryption is a necessity. But it doesn’t have to be a necessary evil. Too many employees and IT experts have experienced the pain of trying to use a needlessly complicated email encryption solution. There’s the endless steps, the hard-to-navigate portals, and the time-consuming processes that add up to a frustrating experience for most. If this is the experience you’ve come to expect, Webroot Email Encryption powered by Zix is here to surprise you. Webroot simplifies, streamlines, and secures the encryption process making email security easier than ever. Transparent Delivery Simplifies the Recipient Process The recipient process has historically been one of the biggest pain points for email encryption software customers. It’s often complicated and cumbersome, filled with portals, secret passwords, and extra steps. It shouldn’t be that difficult just to read an email, and now it doesn’t have to be. Webroot Email Encryption drastically simplifies the email recipient process. When both the sender and the recipient are Webroot clients, the software will encrypt the outgoing email from one customer, and send it to the recipient completely transparently—regardless of the email content. No portal, no passwords, no extra steps – just a blue bar at the top of the email confirming it was sent securely. From there, the recipient can reply to the email exactly as they would a regular email. Even without transparent delivery, Webroot’s Email Encryption makes the recipient process intuitive for non-Webroot clients. The recipient secure email portal is designed for non-technical people to be able to access, read, and reply to encrypted emails easily. State of the Art Filters Enable Automatic Encryption Security tools only work when people use them, and even with the best IT policies in place, it’s difficult to stop employees from sending sensitive information without encryption. While many organizations have increased their employee training amid an increased threat landscape, training only goes so far. Exposing sensitive information isn’t just an organizational problem, it’s also a regulatory one. The Health Insurance Portability and Accountability Act (HIPAA) requires that all patient data is kept secure and private. With traditional email encryption solutions, this burden falls on employees every time. For healthcare organizations, this is an added layer of complication on top of an often hectic landscape for employees. Thankfully, Webroot’s Email Encryption offers automatic encryption, removing the burden from employees of having to remember to encrypt sensitive emails every time they send one. Webroot Email Encryption provides out-of-the-box automatic policies for HIPAA, Social Security numbers, and financial information. When a policy is triggered—whether the sender has elected to encrypt the email or not—emails can be encrypted, blocked or quarantined. The result? Any email containing sensitive information is automatically encrypted, saving both employees and the organization at large from the threat of a security breach. Purpose-Built Add-Ons Make Integration Seamless Email encryption is just one piece of the cybersecurity puzzle. Every organization has a unique set of security needs, and a threat could severely affect operations at any time. That’s why it’s important to ensure your email encryption solution comes along with purpose-built add-ons and can also seamlessly integrate with other security solutions. Webroot Email Encryption can be easily integrated and is also part of a larger network of threat protection that keeps your organization safe. OpenText Cybersecurity brings together a number of product families (Webroot, Carbonite and Zix) that can be brought in to improve and enhance the overall user experience, like: Single Sign-On with SAML 2.0: Allows a user to login to their Webroot Secure Message Portal with their own credentials they’ve already created through the customer’s website. Without having to login again, users click a link to be taken directly to their secure inbox. This feature is implemented in using SAML 2.0, which authorizes user access to web services across organizations. Webroot Email Threat Protection:  Email Encryption provides multilayered filtering for both inbound and outbound emails that lets the right emails through while blocking malicious threats such as phishing, ransomware, impersonation, business email compromise (BEC) and spam. It also offers attachment quarantine, link protections, message retraction, and a round-the-clock live threat analyst team. Ready to Learn More? Seeing how simple email encryption can be is surprising, we know. And we’ve only just scratched the surface. If you want to learn more about how OpenText Cybersecurity can help make email surprisingly secure and simple, you can request a demo here. The post How Easy is Email Encryption? You’d Be Surprised. appeared first on Webroot Blog.