DRAGON LADY: AN INVESTIGATION OF RUSSIAN SMS FRAUD
RYAN W SMITH & TIM STRAZZERE
Lookout, Inc.
Read the report
WHO ARE WE - RYAN W SMITH
• Senior Research and Response Engineer @ Lookout
• Contributing member of the Honeynet Project for more than 10 years
• Worked on automated x86/Windows shellcode deobfuscation and malware sandboxing before starting Android reversing
• Previously spoke about scalable Android reversing @ AppSec USA and IEEE HICSS
WHO ARE WE - “DIFF” @TIMSTRAZZ
• Lead Research & Response Engineer @ Lookout
• Reversed the Android Market/Google Play Protocol
• Junkie for reversing mobile malware, creating write-ups and teaching others to help raise the bar
• Spoke previously about anti-analysis/decompilation/emulation at BH ’11/’12, EICAR ’12, HITCON ’13, SyScan ’13, etc.
WHY DEEP DIVE?
• Stats are extremely misleading; but get headlines!
• Did it just go from 100 samples to 163? 163 / 100 == 1.63 == 163%
• Different (zip) hash? Different (unique) sample?
• Correlation by SENDS_SMS is not good enough!
WHY DEEP DIVE?
• New hash != new “sample” -- need context!
• Impressive... “server-side polymorphism”
```
bebop:alphasms tstrazzere$ shasum *apk
e780f49dd81fec4df1496cb4bc1577aac92ade65  mwlqythh.rwbkulojmti-1.apk
8263d3aa255fe75f4d02d08e928a3113fa2f9e17  mwlqythh.rwbkulojmti-2.apk
521d3734e927f47af62e15e9880017609c018373  mwlqythh.rwbkulojmti-3.apk
bebop:alphasms tstrazzere$ shasum *.dex*
14e46f0330535cb5e8f377a6c2bb2c858de6f414  classes.dex-1
14e46f0330535cb5e8f377a6c2bb2c858de6f414  classes.dex-2
14e46f0330535cb5e8f377a6c2bb2c858de6f414  classes.dex-3
```
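The check the shell session above performs by hand, as an added example that is not part of the deck: hash each APK as a whole, then hash only the `classes.dex` inside it, and cluster on the dex hash so that repackaged downloads with identical code count as one sample. The APKs here are constructed in-memory zips (not real malware), and the `build_apk` helper is a stand-in for the repackaging that yields a new archive hash per download.

```python
import hashlib
import io
import zipfile
from collections import defaultdict
from typing import Dict, List, Optional


def sha1(data: bytes) -> str:
    """Hex SHA-1, matching what `shasum` prints."""
    return hashlib.sha1(data).hexdigest()


def dex_hash(apk_bytes: bytes) -> Optional[str]:
    """SHA-1 of classes.dex inside an APK, or None if the entry is absent."""
    with zipfile.ZipFile(io.BytesIO(apk_bytes)) as zf:
        if "classes.dex" not in zf.namelist():
            return None
        return sha1(zf.read("classes.dex"))


def cluster_by_dex(apks: Dict[str, bytes]) -> Dict[str, List[str]]:
    """Group APK file names by the hash of their classes.dex.

    Three archive hashes that collapse into one dex hash are one
    sample, however many "new" files the distributor served.
    """
    groups: Dict[str, List[str]] = defaultdict(list)
    for name, data in apks.items():
        groups[dex_hash(data) or "<no classes.dex>"].append(name)
    return dict(groups)


def build_apk(dex: bytes, padding: bytes) -> bytes:
    """Constructed stand-in for a repackaged APK: same dex, varying junk."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("classes.dex", dex)
        zf.writestr("assets/pad.bin", padding)  # differs per download
    return buf.getvalue()


# Constructed samples: identical dex, different padding => 3 archive hashes.
DEX = b"dex\n035\x00" + b"\x00" * 64
SAMPLES = {f"sample-{i}.apk": build_apk(DEX, bytes([i]) * 16) for i in (1, 2, 3)}

if __name__ == "__main__":
    for name, data in SAMPLES.items():
        print(sha1(data), name)
    for dex, names in cluster_by_dex(SAMPLES).items():
        print(f"dex {dex} shared by {len(names)} archive(s): {', '.join(names)}")
```

Real APKs can carry `classes2.dex` and further multidex files; extend the entry list before using this on a corpus.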
FAMILY INTEL.
Columns: Threat | Sends SMS | Downloads Apps | Exfiltrates PII | Obfuscation (non-commercial)
Threats: ALPHASMS, BADNEWS, CONNECTSMS, DEPOSITMOBI, FAKEBROWS, SMSACTOR, NOTCOMPATIBLE
Generic names these families get lumped under: FakeInst / SMSSend / other generic name
SAMPLE EVOLUTION IS IMPORTANT
• e6d823... Packaged: 07-30-12. No obfuscation / crypto; debug information available. ConnectSMS.a
• 00f35f... Packaged: 12-13-12. SMS endpoints / URL encrypted; debug info stripped; added contact exfiltration. ConnectSMS.f
• 355d6f... Packaged: 01-11-13. SMS endpoints / URL encrypted; debug info stripped; removed contact exfiltration. ConnectSMS.p
• 383069... Packaged: 04-03-13. SMS / URL remotely pulled & decrypted; debug info re-added. ConnectSMS.s
Same crypto
DECIPHERING OBFUSCATION
AlphaSMS
• Underlying code still similar
• “Polymorphism” easily confused with “omg sky is falling”
• Trends across different distributing organizations
AGILE THREAT RELEASES
BEYOND SMS FRAUD - NOTCOMPATIBLE
• Interesting exercise in malware component commoditization
• Relates directly to PC malware
• Used mass compromised web sites, compromised swaths of accounts (AOL, Yahoo, etc.) for distribution (likely purchased?)
• Actively used for evading fraud detection
[Diagram: attacker in Europe; direct requests to a purchasing service inside the US are blocked by fraud detection, so they are relayed through an infected proxy device inside the US]
CONCLUSIONS
• Top 10 Russian SMS fraud organizations account for over 30% of worldwide malware detections
• SMS Fraud is a diverse threat, and requires careful categorization
• SMS Fraud has effectively been commoditized in Russia and has a thriving support system
• By taking a “full-stack” approach to tracking these threats we avoid the typical “whack-a-mole” AV strategy
THE GIANTS ON WHICH WE STAND
• Thanks to:
• The entire R&R and security team at Lookout
• The Honeynet Project
• Mila @ Contagio Dump
• @jduck @pof @osxreverser @thomas_cannon @adesnos @Gunther_AR @TeamAndIRC @cryptax
Keep in touch with
@lookout
/mylookout
blog.lookout.com
http://bit.ly/dragon-lady