Tag: Malware

  • How Seqrite Endpoint Protection Blocks Bots, Scripts, and Malware


    In today’s hyper-connected digital world, the cybersecurity landscape is shifting dramatically. Gone are the days when cyberattacks primarily relied on human intervention. We’re now facing a new breed of silent, swift adversaries: non-human threats. These automated entities—bots, malicious scripts, and sophisticated malware—are designed to operate at machine speed, exploiting vulnerabilities, bypassing traditional defenses, and often remaining undetected until significant damage has occurred. So, how do you defend against something you can’t see, something that moves faster than human reaction? The answer lies in intelligent, automated endpoint security. Enter Seqrite Endpoint Protection (EPP), your robust shield against these invisible invaders. Available for both cloud-based and on-premise deployments, Seqrite EPP is engineered with cutting-edge technologies specifically designed to identify and neutralize these stealthy, non-human threats.

    Understanding the Enigma: What Exactly Are Non-Human Cyber Threats?

    When we talk about “non-human cyber threats,” we’re referring to automated programs and code snippets that launch attacks without requiring direct human interaction. These include:

    • Bots: Automated programs designed to perform repetitive tasks at scale. Think credential stuffing attacks where bots try thousands of username/password combinations, or Distributed Denial of Service (DDoS) attacks that flood a server with traffic.
    • Malicious Scripts: These are pieces of automated code, often hidden within legitimate-looking files or web pages, designed to exploit system weaknesses, exfiltrate sensitive data, or spread malware across your network.
    • Exploit Kits: These are sophisticated toolkits that automatically scan systems for unpatched vulnerabilities and then deploy exploits to gain unauthorized access or deliver payloads like ransomware.

    The key characteristic of these threats is their autonomy and speed. They operate under the radar, making traditional, reactive security measures largely ineffective. This is precisely why proactive, automated detection and prevention mechanisms are absolutely critical for modern businesses.

    Seqrite Endpoint Protection: Your Multi-Layered Defense Against Automation

    Seqrite’s EPP doesn’t just offer a single line of defense; it deploys a comprehensive, multi-layered security framework. This framework is specifically engineered to detect and block automation-driven threats using a powerful combination of intelligent rule-based systems, behavioral analysis, and advanced AI-powered capabilities.

    Let’s dive into the key features that make Seqrite EPP a formidable opponent against non-human threats:

    1. Advanced Device Control: Many non-human threats, especially scripts and certain types of malware, are delivered via external devices like USB drives. Seqrite’s Advanced Device Control enforces strict usage policies, allowing you to define what devices can connect to your endpoints and how they can be used. By controlling storage, network, and wireless interfaces, you effectively close off a major entry point for automated attacks.
    2. Application Control with Zero Trust: Imagine only allowing approved applications and scripts to run on your systems. That’s the power of Seqrite’s Application Control. By implementing a Zero Trust model, it blocks unknown or unapproved applications and scripts from executing. Through meticulous allowlisting and blocklisting, only trusted applications can operate, making it incredibly effective against stealthy automation tools that attempt to execute malicious code.
    3. Behavior-Based Detection (GoDeep.AI): This is where Seqrite truly shines. Leveraging cutting-edge AI and machine learning, GoDeep.AI continuously monitors endpoint activity to identify abnormal and suspicious behaviors that indicate a non-human threat. This includes detecting:
      • Repetitive access patterns: A hallmark of bots attempting to brute-force accounts or scan for vulnerabilities.
      • Scripted encryption behavior: Instantly flags the tell-tale signs of ransomware encrypting files.
      • Silent data exfiltration attempts: Catches automated processes trying to siphon off sensitive information.

    The system doesn’t just detect; it actively stops suspicious activity in its tracks before it can cause any harm.
    4. Intrusion Detection & Prevention System (IDS/IPS): Seqrite’s integrated IDS/IPS actively monitors network traffic for known exploit patterns and anomalous behavior. This robust system is crucial for blocking automation-based threats that attempt to infiltrate your network through known vulnerabilities or launch network-based attacks like port scanning.
    5. File Sandboxing: When a suspicious file or script enters your environment, Seqrite doesn’t let it run directly on your system. Instead, it’s whisked away to a secure, isolated virtual sandbox environment for deep analysis. Here, the file is allowed to execute and its behavior is meticulously observed. If it exhibits any malicious traits—like attempting to mimic user behavior, access restricted resources, or encrypt files—it’s immediately flagged and stopped, preventing any potential damage to your actual endpoints.
    6. Web Protection & Phishing Control: Many non-human threats, particularly bots and sophisticated malware, rely on communication with remote command-and-control (C2) servers. Seqrite’s Web Protection proactively blocks:
      • Access to known malicious domains.
      • Phishing sites designed to steal credentials.
      • Unauthorized web access that could lead to malware downloads.
      • Crucially, it cuts off botnet callbacks, effectively severing the communication lines between bots and their command centers, rendering them inert.

    Enhancing Your Defense: Essential Supporting Features

    Beyond its core capabilities, Seqrite Endpoint Protection is bolstered by a suite of supporting features that further strengthen your organization’s resilience against non-human threats and beyond:

    Feature and benefit:

    • Patch Management: Identifies missing patches and deploys them automatically, closing the known vulnerabilities that bots and exploit kits rely on for entry. Proactive patching is key to prevention.
    • Firewall: Filters unauthorized network traffic and blocks communication with known botnet IP addresses.
    • Data Loss Prevention (DLP): Prevents automated data theft by monitoring and controlling data in transit, so sensitive information does not leave the network without authorization.
    • Centralized Log Management: Offers a unified view of security events across all endpoints for rapid detection and auditing of unusual or suspicious behaviour.
    • Disk Encryption Management: Safeguards data at rest by encrypting entire disks, so data on a lost or stolen device cannot be read without the key. Note that full-disk encryption protects data at rest only; on a booted, unlocked system it does not by itself stop ransomware from encrypting files.

    The Future of Endpoint Security: Why Non-Human Threat Detection is Non-Negotiable

    As we move deeper into 2025 and beyond, cyber threats are becoming increasingly automated, sophisticated, and often, AI-driven. Relying on traditional, signature-based security solutions is no longer enough to match the speed, stealth, and evolving tactics of automation-based attacks.

    Seqrite Endpoint Protection is built for this future. It leverages intelligent automation to effectively combat automation—blocking bots, malicious scripts, advanced ransomware, and other non-human threats before they can execute and wreak havoc on your systems and data.

    Final Takeaway: Don’t Let Invisible Threats Compromise Your Business

    In a world where cyberattacks are increasingly executed by machines, your defense must be equally advanced. With its comprehensive suite of features—including cutting-edge device and application control, AI-driven behavioral detection (GoDeep.AI), robust network-level protection, and secure sandboxing—Seqrite Endpoint Protection ensures your endpoints remain locked down and secure.

    Whether your organization operates with a cloud-first strategy or relies on a traditional on-premise infrastructure, Seqrite provides the adaptable and powerful security solutions you need.

    Ready to Fortify Your Defenses?

    It’s time to upgrade your endpoint security and protect your organization from both human-initiated and the ever-growing wave of non-human cyber threats.

    Explore how Seqrite can secure your business today. Request a Free Trial or Schedule a Demo.

     




  • Chinese Telecom Targeted by VELETRIX & VShell Malware



    Contents

    • Introduction
    • Initial Findings
    • Infection Chain
    • Technical Analysis
      • Stage 0 – Malicious ZIP File
      • Stage 1 – Malicious VELETRIX implant
      • Stage 2 – Malicious VShell implant
    • Hunting and Infrastructure
    • Attribution
    • Conclusion
    • Seqrite Protection
    • IOCs
    • MITRE ATT&CK

    Authors: Subhajeet Singha and Sathwik Ram Prakki

    Introduction

    Seqrite Labs APT-Team recently found a campaign targeting the Chinese telecom industry. The campaign is aimed at China Mobile Tietong Co., Ltd., a well-known subsidiary of China Mobile, one of the major telecom companies in China. The malware ecosystem involved in this campaign consists of the VELETRIX loader and VShell, a well-known adversary simulation tool that is also widely adopted by China-based threat actors to target Western entities in the wild.

    In this blog we explore the technical details of the campaign as we encountered them during analysis. We examine its various stages, starting with a deep dive into the initial infection stage, continuing with the implants used, and ending with an overview of the campaign.

    Initial Findings

    On 13 May our team found a malicious ZIP file that had surfaced on VirusTotal and other sources. The ZIP is the initial infection vector and contains multiple EXEs and DLLs. The same file was flagged by other threat researchers the same day.

    The ZIP contains an executable named 2025 China Mobile Tietong Co., Ltd. Internal Training Program is about to launch, please register as soon as possible.exe, which loads a number of DLLs, among them drstat.dll. We then looked into how these files work together.

    Infection Chain

    Technical Analysis

    We will break down analysis into three different parts, starting with looking into the malicious ZIP attachment, followed by malicious Veletrix implant and then we will look into some brief analysis into the VShell malware.

    Stage 0 – Malicious ZIP File.

    We initially found a malicious ZIP file named 附件.zip (attachment.zip) and looked into its contents.

    It holds a set of EXE, DLL and XML files. Most of them are legitimate Microsoft-signed binaries; some carry a code-signing certificate issued to Shenzhen Thunder Networking Technologies Ltd, and one DLL, drstat.dll, is normally associated with the Wondershare Repairit software.

    Checking against the official Wondershare Repairit website confirmed that the executable is the legitimate drstat.exe, renamed and packaged three times under three different names:

    • China Mobile Limited’s 2025 internal training program is about to begin. Please register as soon as possible
    • Uninstall
    • Registration-link

    Next we checked whether Wondershare actually signs the binary that is officially available from its website.

    We confirmed that the threat actor used the very same signed file that can be downloaded from Wondershare’s official website. Given this signed, legitimate host process, and after analysing the malicious DLL that rides on it, we can confirm that the threat actor used DLL side-loading to launch the implant, which we have named VELETRIX.

    Before moving on, we also note that the other code-signing certificate found in this archive, issued to ‘Shenzhen Thunder Networking Technologies Ltd’, has frequently been reported in connection with malicious executables abused by Chinese-origin threat actors.

    Stage 1 – Malicious VELETRIX Implant.

    Looking at the implant, we first gathered some basic information: it is a 64-bit DLL with several exported functions. Next we focus on the code analysis of the implant.

    Of all the exports, dr_data_stop is the one containing the malicious code.

    The implant starts with a small anti-analysis trick that combines the Sleep and Beep Windows APIs inside a do-while loop. Each iteration sleeps for one second and plays a beep; the loop runs ten times, delaying execution by roughly 10 seconds. The purpose is to outlast the execution window of automated sandboxes and to slow down the analyst.

    Both calls end up in NtDelayExecution: Sleep is a thin wrapper around it, and Beep waits out its requested duration through the same call. NtDelayExecution takes a DelayInterval expressed in 100-nanosecond units (a negative value means a relative delay, so Sleep(1000) becomes -10,000,000) and pauses the calling thread. Long pauses cause sandbox timeouts or loss of debugger control, which makes this a harmless-looking but effective anti-sandbox technique. Beep is a clever choice because it serves two purposes: it creates the delay, and it produces an audio artefact that may trigger different behaviour in analysis environments or alert a researcher that code is executing.

    Next it loads kernel32.dll with LoadLibraryA and uses GetProcAddress to resolve an interesting set of APIs: VirtualAllocExNuma, VirtualProtect and EnumCalendarInfoA.

    Similarly, it loads ADVAPI32.dll and resolves SystemFunction036 (RtlGenRandom), HeapAlloc and HeapFree with the same technique.

    Finally, ntdll.dll is loaded and one more API is resolved: RtlIpv4StringToAddressA.

    Next, the loader uses a technique known as IPfuscation: the shellcode is stored as a list of IPv4 address strings, four bytes per address, so the binary carries no recognisable shellcode bytes.

    A while loop calls RtlIpv4StringToAddressA on each string, converting the ASCII dotted quad back into its four raw bytes and reassembling the encoded shellcode blob.

    Once the blob is reassembled, VirtualAllocExNuma allocates a fresh memory block in the current process with Read/Write permissions only.

    The blob recovered from the IP strings is then decoded with a simple XOR operation and copied into the allocated memory.

    VirtualProtect then changes the protection of that memory to Execute/Read/Write. This RW-to-RWX flip on a fresh allocation is the point at which memory-scanning or API-hooking defences have the best chance of catching the loader.

    Finally, the shellcode is executed through a slightly unusual callback technique: EnumCalendarInfoA takes a callback function pointer as its first parameter, and the loader passes the shellcode address as that callback. Windows invokes it as though it were a legitimate calendar enumeration routine, and the shellcode, which is a Windows implant of the VShell OST framework, runs.

    To summarise, the VELETRIX implant performs in-memory shellcode execution via a callback mechanism. In the next section we look at the VShell implant, which is well documented, and its workings.
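    As an added illustration (not the VELETRIX loader’s own code, and not Seqrite’s tooling), the Python below reproduces IPfuscation and its reversal from the analyst’s side: each IPv4 string is parsed the way RtlIpv4StringToAddressA parses it in strict mode (four decimal octets, returned in network byte order), the four-byte groups are concatenated, and the result is XOR-decoded in the same order the loader uses. It also includes a hunting heuristic that pulls runs of adjacent dotted-quad strings out of a binary, which is how this obfuscation looks in a strings dump. The XOR key 0x5A, the eight-byte placeholder shellcode and the fake strings dump are constructed for this example; the real implant’s key and payload are not given on the page, and a single-byte XOR key is an assumption.

```python
import ipaddress
import re
from typing import Iterable, List

# Constructed placeholders: the page does not disclose VELETRIX's key or payload.
XOR_KEY = 0x5A                                         # assumed single-byte XOR key
SAMPLE_SHELLCODE = bytes.fromhex("4831c04883c408c3")   # xor rax,rax; add rsp,8; ret


def ipfuscate(blob: bytes, key: int) -> List[str]:
    """Obfuscation direction: pad to a multiple of four bytes, XOR every byte
    with `key`, and emit one dotted-quad string per four bytes."""
    padded = blob + b"\x00" * (-len(blob) % 4)
    enc = bytes(b ^ key for b in padded)
    return [str(ipaddress.IPv4Address(enc[i:i + 4])) for i in range(0, len(enc), 4)]


def ipv4_string_to_bytes(s: str) -> bytes:
    """Emulate RtlIpv4StringToAddressA in strict mode: exactly four decimal
    octets of at most three digits, each 0..255; the result is the in_addr
    memory layout (network byte order)."""
    parts = s.strip().split(".")
    if len(parts) != 4:
        raise ValueError(f"not a dotted quad: {s!r}")
    octets = []
    for p in parts:
        if not (p.isdigit() and len(p) <= 3 and int(p) <= 255):
            raise ValueError(f"bad octet in {s!r}")
        octets.append(int(p))
    return bytes(octets)


def deipfuscate(ip_strings: Iterable[str], key: int) -> bytes:
    """Decoding direction, in the loader's order: IP strings -> raw bytes,
    then XOR. Padding added by ipfuscate comes back as zero bytes; the real
    loader knows the true shellcode length, so a caller here must trim."""
    raw = b"".join(ipv4_string_to_bytes(s) for s in ip_strings)
    return bytes(b ^ key for b in raw)


DOTTED_QUAD = re.compile(rb"(?<![\d.])(?:\d{1,3}\.){3}\d{1,3}(?![\d.])")


def find_ip_runs(data: bytes, min_run: int = 8, max_gap: int = 4) -> List[List[str]]:
    """Hunting heuristic: collect dotted-quad strings from a binary and group
    those separated by at most `max_gap` bytes (e.g. one NUL terminator) into
    runs. A long run of adjacent IPv4 literals is the IPfuscation tell; a lone
    C2 address string does not form a run and is ignored."""
    runs, current, prev_end = [], [], None
    for m in DOTTED_QUAD.finditer(data):
        if prev_end is not None and m.start() - prev_end > max_gap:
            runs.append(current)
            current = []
        current.append(m.group().decode())
        prev_end = m.end()
    if current:
        runs.append(current)
    return [r for r in runs if len(r) >= min_run]


def build_fake_strings_dump(ips: List[str]) -> bytes:
    """Constructed stand-in for a binary: header junk, a run of NUL-separated
    IP strings, unrelated bytes, then a single C2-looking address."""
    return (b"MZ\x90\x00junk\x00"
            + b"\x00".join(s.encode() for s in ips)
            + b"\x00" + b"A" * 64 + b"203.0.113.7\x00")


if __name__ == "__main__":
    ips = ipfuscate(SAMPLE_SHELLCODE, XOR_KEY)
    print("encoded as:", ips)
    print("runs found:", find_ip_runs(build_fake_strings_dump(ips), min_run=2))
    print("decoded:", deipfuscate(ips, XOR_KEY).hex())
```

    On a real sample the IP strings are recovered from the binary (find_ip_runs gives the candidate run), and the XOR key is either read from the decoding loop in the disassembly or brute-forced over 256 values until the output starts with a plausible shellcode prologue.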

    Stage 2 – Malicious Vshell Implant.

    VShell is a well-known cross-platform OST framework written in Go. It was initially developed by a researcher and later taken down without explanation, as noted in several research blogs tracking campaigns such as UNC5174 and similar activity by threat actors originating from China.

    As described in the previous section, VELETRIX loads this Windows implant into memory. The dropped implant is named tcp_windows_amd64.dll. As the framework is well researched, we cover only the key artefacts and a basic overview.

    The implant provides multiple functions such as connect, send and receive, used to interact with the operator; all of them are built on the Winsock APIs.

    Further analysis uncovered the command-and-control server along with an important configuration value, the salt, which is qwe123qwe. In the next section we look at hunting and infrastructure artefacts.

    Hunting and Infrastructure.

    Pivoting on the implants above, we hunted and found some interesting artefacts.

    Searching on the salt extracted in this campaign, we found a total of 44 implants using the exact same salt, qwe123qwe. Since VShell is cross-platform, these include EXE, ELF and DLL files, both signed and unsigned.

    Some of the C2 servers are located in the US, Hong Kong and elsewhere. A few of the 44 implants correlate with the APT group Earth Lamia, which has in some cases targeted Indian entities. Many similar implants also overlap with UNC5174’s campaign abusing the ScreenConnect vulnerability CVE-2024-1709 reported by researchers.

    Looking at infrastructure overlaps, the same indicator has been attributed to a China-nexus state-sponsored cluster that has been abusing CVE-2025-31324 to target SAP NetWeaver Visual Composer.

    On the same infrastructure we also found a hosted login page belonging to the Asset Lighthouse System, an open-source asset discovery and reconnaissance platform developed by Tophant Competence Center (TCC). It is primarily used for mapping external attack surfaces by identifying exposed IPs, domains, ports and web services. We therefore pivoted on these artefacts and found a few interesting overlaps.

    After pivoting, we discovered multiple malicious web servers with similar port configurations (for example ASL running on port 5003) that have hosted Cobalt Strike and SuperShell, both known go-to implants of UNC5174 (aka Uteus), as well as multiple web servers with similar port configurations related to Earth Lamia.

    Last but not least, the command-and-control server has also been hosting Cobalt Strike for use against targets, making it the second post-exploitation framework used by this threat entity.

    Attribution.

    Through analysis of implant usage and overlapping infrastructure patterns, we identified a threat actor leveraging VELETRIX, a relatively new loader designed to execute VShell in memory. Although VShell was initially released as an open-source project and later taken down by its original developer, it has since been widely abused by China-aligned threat groups.

    Further threat hunting revealed behavioural patterns that align with known activity of UNC5174 (Uteus) and Earth Lamia, as recently documented by researchers. The infrastructure associated with this actor shows consistent use of tools such as SuperShell, Cobalt Strike, VShell and the Asset Lighthouse System, an open-source platform for asset discovery and reconnaissance. These tools have previously been attributed to various China-based APT clusters and observed actively deployed in the wild (ITW).

    Given the technical and infrastructural overlaps, we assess with high confidence that this threat actor belongs to a China-nexus cluster.

    Conclusion.

    Having researched the campaign, which we have named Operation DRAGONCLONE, we found that a China-nexus threat entity has been using DLL side-loading against Wondershare Recoverit software to load the VELETRIX DLL implant. VELETRIX uses anti-sandbox delays, IPfuscation and a callback-based execution technique to run the VShell malware. The campaign has multiple overlaps with UNC5174 and Earth Lamia and has been active since March 2025.

    Seqrite Protection.

    IOCs

    SHA-256                                                          Filename
    40450b4212481492d2213d109a0cd0f42de8e813de42d53360da7efac7249df4 附件.zip
    ac6e0ee1328cfb1b6ca0541e4dfe7ba6398ea79a300c4019253bd908ab6a3dc0 drstat.dll
    645f9f81eb83e52bbbd0726e5bf418f8235dd81ba01b6a945f8d6a31bf406992 drstat.exe
    ba4f9b324809876f906f3cb9b90f8af2f97487167beead549a8cddfd9a7c2fdc tcp_windows_amd64.dll
    bb6ab67ddbb74e7afb82bb063744a91f3fecf5fd0f453a179c0776727f6870c7 mscoree.dll
    2206cc6bd9d15cf898f175ab845b3deb4b8627102b74e1accefe7a3ff0017112 tcp_windows_amd64.exe
    a0f4ee6ea58a8896d2914176d2bfbdb9e16b700f52d2df1f77fe6ce663c1426a memfd:a(deleted)

    IP/Domains

    IP
    62.234.24.38
    47.115.51.44
    47.123.7.206

    MITRE ATT&CK

    Tactic               Technique ID  Technique Name                          Sub-technique ID  Sub-technique Name
    Reconnaissance       T1595         Active Scanning                         T1595.002         Vulnerability Scanning
    Resource Development T1588         Obtain Capabilities                     T1588.002         Tool
    Initial Access       T1566         Phishing                                T1566.001         Spearphishing Attachment
    Execution            T1204         User Execution                          T1204.002         Malicious File
    Persistence
    Defense Evasion      T1140         Deobfuscate/Decode Files or Information
    Defense Evasion      T1574         Hijack Execution Flow                   T1574.001         DLL
    Defense Evasion      T1027         Obfuscated Files or Information         T1027.007         Dynamic API Resolution
    Defense Evasion      T1027         Obfuscated Files or Information         T1027.013         Encrypted/Encoded File
    Defense Evasion      T1055         Process Injection
    Defense Evasion      T1497         Virtualization/Sandbox Evasion          T1497.003         Time Based Evasion
    Discovery            T1046         Network Service Discovery




  • Beware! Fake ‘NextGen mParivahan’ Malware Returns



    Cybercriminals continually refine their tactics, making Android malware more insidious and challenging to detect. A new variant of the fake NextGen mParivahan malware has emerged, following its predecessor’s deceptive strategies but introducing significant enhancements.

    Previously, attackers exploited the government’s traffic notification system to distribute malware, sending fake messages that appeared to be official traffic violation alerts. These messages contained details like ticket numbers and vehicle registration information to appear legitimate, tricking users into downloading a malicious app. Once installed, the app requested extensive permissions, hid its icon, and silently exfiltrated sensitive data, including SMS messages—while communicating with attackers via a Telegram bot.

    Figure 1. WhatsApp message received by Victim

    In this latest variant, the malware is distributed under the guise of “NextGen mParivahan,” mimicking the official government application. It uses the same distribution method as before—leveraging fake traffic violation messages to lure users into installing the malicious app.

    The official NextGen mParivahan app, developed by the Ministry of Road Transport & Highways, provides digital access to driving licenses, vehicle registration certificates, and other transport services. Available on the Google Play Store, it replaces the earlier mParivahan app with improved features and user experience.

    However, cybercriminals have seized the opportunity presented by the app’s rebranding, distributing malware under the “NextGen mParivahan” name to deceive users. In this latest variant, the malware retains its SMS-stealing capabilities. It has significantly expanded its reach—now targeting messages from social media, communication, and e-commerce apps, posing an even more significant threat to user privacy.

    Moreover, some samples use a stealthier command-and-control (C2) mechanism: the C2 details are concealed within a compiled .so file and generated dynamically at runtime, which greatly complicates detection and analysis. Some samples are also intentionally malformed to hinder security tooling, and they use a multi-stage dropper-payload architecture to bypass signature-based and heuristic detection.

    Our previous blog analyzed the earlier version’s infection chain and communication tactics (Beware! Malicious Android Malware Disguised as Government Alerts). These latest variants not only retain those functionalities but expand on them, increasing both their stealth and data theft capabilities.

    In this blog, we’ll explain how this new variant operates and why its new enhancements make it an even greater threat to Android users.

    Technical analysis:

    We came across two variants of the new version: one utilizing a malformed multi-stage dropper-payload architecture and another employing a stealthier C2 extraction method while stealing notification data from other apps.

    1. Malformed multi-stage dropper-payload

                    First Stage – Dropper               Second Stage – Payload
    File name       e_challan_report                    parivahan
    MD5             ad4626eff5238ce7c996852659c527bc    ae1f49bd14027c7adea18147cb02f72a
    App name        NextGen mParivahan                  NextGen mParivahan
    Package Name    com.xyz.dropper                     com.example.icici

    Anti-analysis technique

    The malware author intentionally crafted these dropper and payload APKs to hinder static analysis. Many open-source Android APK analysis tools failed to process this APK, making analysis more challenging. See below:

    Apktool failed to decompile the APK-

    Figure 2. Apktool Error

    Jadx failed to decompile –

    Figure 3. Jadx Error

    Androguard failed to decompile –

    Figure 4. Androguard Error

     

    Bytecode viewer failed to decompile –

    Figure 5. Bytecode viewer Error

    7zip also failed to extract APK file –

    Figure 6. 7zip Error

    The Android build tools AAPT and AAPT2 (Android Asset Packaging Tool, versions 1 and 2) are also unable to dump the AndroidManifest.xml file –

    Figure 7. AAPT Error

    Additionally, this malformed APK file fails to install on Android 8.1 and earlier versions due to a corrupt XML file, as the OS cannot extract it like later Android versions.

    Figure 8. Android 8.1 APK installation Error

    The error shown by all these tools indicates an unsupported compression method, i.e. the APK declares a compression method the ZIP parsers do not recognise. AAPT and Android 8.1 (API level 27) instead report a corrupt AndroidManifest.xml, a different symptom of the same problem, since they cannot extract the entry. Despite this, the malformed APK installs and runs without issue on devices and emulators running Android 9 (API level 28) and above.

    Why Do Analysis Tools Fail While Android OS (9+) Runs This APK?

    An APK file is essentially a ZIP archive. Below is the local file header format; the two-byte little-endian field at offsets 08 and 09 holds the compression method (the same field sits at offset 10 of each central directory entry).

    Figure 9. Structure of APK ZIP file (Reference: The structure of a PKZip file)

    Android APK files follow the ZIP format and typically use two compression methods:

    1. Store (method 0, no compression) – Used for files that don’t need compression, such as pre-optimized binaries and some assets.
    2. Deflate (method 8, standard compression) – The most used method for compressing resources, XML files, and other non-executable content.

    The compression method used by most of the APK files –

    Figure 10. Normal file Hex

    The compression method used by this malformed dropper APK is neither Deflate nor Store. The field holds 0x1998 (decimal 6552), a value the ZIP specification does not define.

    Figure 11. Malformed APK Hex
    • All analysis tools follow the ZIP specification strictly and accept only Deflate or Store. Android, however, only checks whether the method is Deflate; anything else is treated as Store (i.e. uncompressed).
    • Android 9 introduced a different way of parsing monolithic apps compared to Android 8, with a new implementation of asset access. As a result, certain APKs that caused manifest corruption errors on Android 8 and earlier no longer hit that issue on Android 9.

    Extracting and decoding AndroidManifest file 

    To get at the manifest, I wrote a script that extracts the raw AndroidManifest.xml from the APK by parsing its ZIP structure: it locates the central directory, finds the AndroidManifest.xml entry, reads its compression method and raw data, and then uses Androguard to decode the extracted binary XML into readable form.

    Figure 12. Extraction and decoding of AndroidManifest.xml
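    As an added example (not the script described above, and not Seqrite’s code), the Python below builds a small stand-in APK in memory, overwrites the compression-method field of AndroidManifest.xml with 0x1998 in both the local file header and the central directory entry, and then reads the entry back two ways: through Python’s strict zipfile module, which refuses the unknown method the way the tools listed above do, and through a lenient reader that walks the central directory itself and treats anything other than Deflate as Store, mirroring the Android 9+ behaviour described above. The manifest content is a constructed placeholder byte string, not the sample’s binary XML; decoding binary XML to readable form (the step handed to Androguard above) is not part of this example.

```python
import io
import struct
import zipfile
import zlib

# Constructed stand-ins: the real sample's manifest is binary XML; these are
# just recognisable bytes so the round trip can be checked.
MANIFEST_NAME = "AndroidManifest.xml"
MANIFEST_BYTES = b"<placeholder for binary AndroidManifest.xml>"
BOGUS_METHOD = 0x1998            # compression method value seen in the dropper
DEFLATE = 8                      # the only method Android actually checks for

LOCAL_SIG = 0x04034B50           # local file header signature
CDIR_SIG = 0x02014B50            # central directory entry signature
EOCD_SIG = 0x06054B50            # end of central directory signature


def build_sample_apk() -> bytes:
    """A tiny stored ZIP standing in for an APK (an APK is just a ZIP)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", compression=zipfile.ZIP_STORED) as zf:
        zf.writestr(MANIFEST_NAME, MANIFEST_BYTES)
        zf.writestr("classes.dex", b"dex\n035\x00" + b"\x00" * 16)
    return buf.getvalue()


def _central_directory_offset(data: bytes) -> int:
    """Find the EOCD record (at most 22 + 65535 bytes from the end) and
    return the central directory offset stored at EOCD+16."""
    tail = data[-(22 + 0xFFFF):]
    idx = tail.rfind(struct.pack("<I", EOCD_SIG))
    if idx < 0:
        raise ValueError("no End of Central Directory record")
    eocd = len(data) - len(tail) + idx
    return struct.unpack_from("<I", data, eocd + 16)[0]


def _central_entries(data: bytes):
    """Yield (entry_pos, method, crc, csize, local_offset, name) per CD entry.
    Offsets: method +10, crc/csize/usize +16, name/extra/comment lengths +28,
    local header offset +42; the fixed part of an entry is 46 bytes."""
    pos = _central_directory_offset(data)
    while pos + 46 <= len(data) and struct.unpack_from("<I", data, pos)[0] == CDIR_SIG:
        method = struct.unpack_from("<H", data, pos + 10)[0]
        crc, csize, _usize = struct.unpack_from("<III", data, pos + 16)
        fn_len, extra_len, comment_len = struct.unpack_from("<HHH", data, pos + 28)
        local_off = struct.unpack_from("<I", data, pos + 42)[0]
        name = bytes(data[pos + 46:pos + 46 + fn_len]).decode()
        yield pos, method, crc, csize, local_off, name
        pos += 46 + fn_len + extra_len + comment_len


def corrupt_method(apk: bytes, name: str, method: int) -> bytes:
    """Overwrite one entry's compression method in the central directory
    (+10) and in its local file header (+8), as the malformed dropper does."""
    data = bytearray(apk)
    for pos, _m, _crc, _cs, local_off, entry in _central_entries(data):
        if entry == name:
            struct.pack_into("<H", data, pos + 10, method)
            struct.pack_into("<H", data, local_off + 8, method)
    return bytes(data)


def strict_tool_reads(apk: bytes, name: str) -> bool:
    """Python's zipfile accepts only the methods it knows, like the listed
    tools; an unknown method raises NotImplementedError on read."""
    try:
        with zipfile.ZipFile(io.BytesIO(apk)) as zf:
            zf.read(name)
        return True
    except (NotImplementedError, zipfile.BadZipFile):
        return False


def extract_like_android(apk: bytes, name: str):
    """Lenient reader: locate `name` via the central directory, take the data
    from behind the local header, and treat every method other than Deflate
    as Store. Returns (method_field, content) after verifying the CRC."""
    for _pos, method, crc, csize, local_off, entry in _central_entries(apk):
        if entry != name:
            continue
        if struct.unpack_from("<I", apk, local_off)[0] != LOCAL_SIG:
            raise ValueError("bad local file header")
        lfn, lextra = struct.unpack_from("<HH", apk, local_off + 26)
        start = local_off + 30 + lfn + lextra
        raw = apk[start:start + csize]
        content = zlib.decompress(raw, -15) if method == DEFLATE else raw
        if zlib.crc32(content) & 0xFFFFFFFF != crc:
            raise ValueError("CRC mismatch")
        return method, content
    raise KeyError(name)


if __name__ == "__main__":
    apk = corrupt_method(build_sample_apk(), MANIFEST_NAME, BOGUS_METHOD)
    print("strict parser reads manifest:", strict_tool_reads(apk, MANIFEST_NAME))
    method, manifest = extract_like_android(apk, MANIFEST_NAME)
    print(f"method field {method:#06x}, manifest: {manifest!r}")
```

    The CRC check matters on a real sample: if the lenient read produced garbage (for example because the entry really was compressed with something unusual), the CRC stored in the central directory would not match, so a passing CRC is the confirmation that "not Deflate means Store" is the right interpretation for that file.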

    Below is the decoded AndroidManifest.xml of the Dropper APK. It requests permissions for QUERY_ALL_PACKAGES to list installed apps and REQUEST_INSTALL_PACKAGES to install the payload application.

    Figure 13. Decoded AndroidManifest xml file of Dropper application.

    Below is the decoded AndroidManifest.xml of the Payload APK. It requests sensitive permissions such as RECEIVE_SMS, READ_SMS, and SEND_SMS to access and send SMS messages.

    Figure 14. Decoded AndroidManifest xml from payload application

    Malware execution

    After launch, the Dropper application prompts the user to update the app. Upon clicking “Update,” it requests permission to allow installations from unknown sources. Once granted, it installs the Payload APK, which uses the same icon as the Dropper but hides its icon from the app drawer.

    Figure 15. Dropper application execution

    Now, if the user clicks on the mParivahan app icon, it launches the Payload application. First, it requests SMS and Call permissions. Then, it displays a page asking the user to enter their vehicle and phone numbers to track challan status. Next, it prompts the user to pay ₹1 via PhonePe, Google Pay, or Paytm, requiring them to enter their payment PIN. After the transaction, it shows a confirmation page stating, “Payment completed, wait for 30 minutes, and do not delete the app from the device.”

    Figure 16. Payload application execution

    However, the application steals the entered information in the background and saves it to a Firebase database. Since the app has SMS access permissions, it also captures incoming SMS data and uploads it to Firebase.

    Figure 17. Pin and device info stealing code
    2. Stealthier native C2 extraction and notification stealer

    File name: NextGen mParivahan.apk
    MD5: 8bf7ea1c35697967a33c0876df5f30b9
    App name: NextGen mParivahan
    Package name: com.sakurai.endo3798132


    Upon launch, the second variant requests SMS and call management permissions. It then prompts the user to grant notification access to the malware. After obtaining all necessary permissions, the user is asked to enter a phone number. Once the user clicks “Continue,” it opens the Google homepage and hides its icon.

    Figure 18. App execution

    Because the malware holds notification access, it continuously monitors notifications. Whenever a new notification is posted, it captures the content and sends it to the C2 server.

    Figure 19. Notification stealer code

    The malware maintains a list of apps targeted for notification theft. The targeted applications include WhatsApp, Facebook, Amazon, Zomato, Telegram, Google Messages, Gmail, etc.

    Figure 20. Targeted application list

    C2 extraction from native code

    The malware generates the C2 server URL at runtime instead of storing it in plain text, which defeats simple string-based detection. The figure below shows the Java side, where the SecreatHeven class loads the native library “libbunnycoban.so” and declares the native methods. The bunnylovesCarrot() function returns the C2 server URL. Two further functions, hiddendandelion() and SecreatAcron(), return the IP info service URL and the IP info token; they are not referenced anywhere else in the Java code, so the malware might use them during C2 server generation.

    Figure 21. Java code loading the .so file

    The snippet below shows the native code in the .so file that builds the C2 server URL.

    Figure 22. Native code in the .so file that constructs the C2 server URL

    The logcat output reveals the C2 server used by this malware:

    Figure 23. C2 server visible in logcat

    Both variants also have SMS-stealing capabilities similar to the previous version: they read SMS data and send it to the extracted C2 server or to Firebase. Additionally, they register a boot-completed broadcast receiver for persistence, which lets the application start in the background after the device boots.
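An added defender-side example, not code from the post: once a manifest has been decoded (Figures 13 and 14), this triages it for the indicators described in this analysis, namely the dropper's install and query permissions, the payload's SMS permissions, a BOOT_COMPLETED receiver for persistence, and a notification-listener service. The manifest is a constructed sample modelled on the payload's permissions, with placeholder package and class names.

```python
import xml.etree.ElementTree as ET

ANDROID_NS = "http://schemas.android.com/apk/res/android"
A_NAME, A_PERMISSION = "{%s}name" % ANDROID_NS, "{%s}permission" % ANDROID_NS
NOTIFICATION_LISTENER = "android.permission.BIND_NOTIFICATION_LISTENER_SERVICE"

# Permissions the dropper and payload in this post request, with what each enables.
RISKY_PERMISSIONS = {
    "android.permission.QUERY_ALL_PACKAGES": "enumerates installed apps",
    "android.permission.REQUEST_INSTALL_PACKAGES": "can install a second APK (dropper)",
    "android.permission.RECEIVE_SMS": "intercepts incoming SMS",
    "android.permission.READ_SMS": "reads the SMS store",
    "android.permission.SEND_SMS": "sends SMS",
    "android.permission.RECEIVE_BOOT_COMPLETED": "can restart after reboot",
}

def triage_manifest(xml_text):
    """Return human-readable findings for a decoded AndroidManifest.xml."""
    root = ET.fromstring(xml_text)
    findings = []
    requested = {p.get(A_NAME) for p in root.iter("uses-permission")}
    for perm in sorted(requested & set(RISKY_PERMISSIONS)):
        findings.append("permission %s: %s" % (perm.rsplit(".", 1)[1], RISKY_PERMISSIONS[perm]))
    for receiver in root.iter("receiver"):             # persistence: starts on BOOT_COMPLETED
        actions = {a.get(A_NAME) for a in receiver.iter("action")}
        if "android.intent.action.BOOT_COMPLETED" in actions:
            findings.append("receiver %s runs at boot (persistence)" % receiver.get(A_NAME))
    for service in root.iter("service"):               # notification stealer needs this binding
        if service.get(A_PERMISSION) == NOTIFICATION_LISTENER:
            findings.append("service %s can read every notification" % service.get(A_NAME))
    return findings

# Constructed manifest modelled on the payload's permissions; names are placeholders, not the sample's.
SAMPLE_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
          package="com.example.constructed">
  <uses-permission android:name="android.permission.RECEIVE_SMS"/>
  <uses-permission android:name="android.permission.READ_SMS"/>
  <uses-permission android:name="android.permission.SEND_SMS"/>
  <uses-permission android:name="android.permission.RECEIVE_BOOT_COMPLETED"/>
  <application android:label="Constructed">
    <receiver android:name=".BootReceiver">
      <intent-filter><action android:name="android.intent.action.BOOT_COMPLETED"/></intent-filter>
    </receiver>
    <service android:name=".NotifListener"
             android:permission="android.permission.BIND_NOTIFICATION_LISTENER_SERVICE">
      <intent-filter><action android:name="android.service.notification.NotificationListenerService"/></intent-filter>
    </service>
  </application>
</manifest>"""
```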


    MITRE ATT&CK Tactics and Techniques:

    Quick Heal Detection of Android Malware

    Quick Heal detects such malicious applications as variants of Android.Spyagent.A.

    It is recommended that all mobile users install a trusted antivirus such as “Quick Heal Mobile Security for Android” to mitigate such threats and stay protected. Our antivirus software restricts users from downloading malicious applications on their mobile devices. Download your Android protection here.

    Conclusion:

    This malware variant demonstrates how cybercriminals continuously advance their techniques to evade detection and steal more user data. Leveraging malformed APKs, dynamic C2 generation, and anti-analysis methods makes it increasingly difficult for traditional security tools to identify their malicious activities. Additionally, their ability to access notifications, SMS, and sensitive app data poses a significant risk to user privacy.

    However, as threats evolve, so do analysis methodologies. Security solutions and threat intelligence efforts are improving detection techniques by deep-diving into obfuscation strategies, dynamic analysis, and advanced threat-hunting approaches. Strengthening security awareness, using trusted sources for app installations, and employing modern analysis tools are essential in combating these emerging threats.

    IOCs

    URLs:

    Https[:]//cyberdefensetech[.]cc/


    TIPS TO STAY DIGITALLY SAFE: 

    • Download applications only from trusted sources like Google Play Store.
    • Do not click on any links received through messages or any other social media platforms as they may be intentionally or inadvertently pointing to malicious sites.
    • Read the pop-up messages from the Android system before accepting or allowing any new permissions.
    • Be extremely cautious about what applications you download on your phone, as malware authors can easily spoof the original applications’ names, icons, and developer details.
    • For enhanced phone protection, always use a good antivirus like Quick Heal Mobile Security for Android.

    Don’t wait! Secure your smartphones today with Quick Heal Total Security for Mobiles & Smartphones – Buy or Renew Today!
