Skygofree: New Government Malware for Android

Kaspersky Labs is reporting on a new piece of sophisticated malware:

We observed many web landing pages that mimic the sites of mobile operators and which are used to spread the Android implants. These domains have been registered by the attackers since 2015. According to our telemetry, that was the year the distribution campaign was at its most active. The activities continue: the most recently observed domain was registered on October 31, 2017. Based on our KSN statistics, there are several infected individuals, exclusively in Italy.

Moreover, as we dived deeper into the investigation, we discovered several spyware tools for Windows that form an implant for exfiltrating sensitive data on a targeted machine. The version we found was built at the beginning of 2017, and at the moment we are not sure whether this implant has been used in the wild.

It seems to be Italian. Ars Technica speculates that it is related to Hacking Team:

That's not to say the malware is perfect. The various versions examined by Kaspersky Lab contained several artifacts that provide valuable clues about the people who may have developed and maintained the code. Traces include the domain name h3g.co, which was registered by Italian IT firm Negg International. Negg officials didn't respond to an email requesting comment for this post. The malware may be filling a void left after the epic hack in 2015 of Hacking Team, another Italy-based developer of spyware.

BoingBoing post.

Posted on January 22, 2018 at 12:06 PM • 24 Comments

Comments

echo • January 22, 2018 12:30 PM

I keep a very small footprint with my mobile phones which helps mitigate threats but does not remove theoretical threats through subverting third parties.

This report was an educational run through the techniques they used which I have read or seen examples of in the past although in different forms and not all in one place. On Windows I noticed anti-virus software flag files generated with the Py2exe tool but no warnings are given on the actual payload itself. Is it possible that some form of checking is possible on the payload instead of generating suspicions that a warning may just be a false alarm?

Clive Robinson • January 22, 2018 1:02 PM

@ Bruce,

It seems to be Italian. Ars Technica speculates that it is related to Hacking Team:

There is a certain logic to that argument.

To many people "Hacking Team" effectively imploded for various reasons.

However whilst the company may have gone belly up the personnel are as far as I know alive and well. Thus they are most likely working in a not too dissimilar line of work. Even if not they may have carried on in what is effectively their own time.

But even if that is not the case the collapse of Hacking Team, would have created the equivalent of a vacuum that others who knew them or even worked with them have decided to fill.

hmm • January 22, 2018 1:17 PM

‘54.67.109.199’ = the hardcoded IP, Amazon in Seattle. But the C&C is actually in Italy.

It's interesting that it would be hardcoded to phone Amazon in the US for an Italy-aimed campaign.

echo • January 22, 2018 1:36 PM

@hmm

Oooooh THAT C&C. I thought they were downloading an audio codec from a Command and Conquer server, not a Command and CONTROL server. I was thinking ooh this is enterprising, I have never seen this before. I wouldn't be surprised if a hacker managed to exploit a game engine being present on a system in this or other ways given the more sophisticated engines can run scripted code sometimes outside of the limitations of a game-only sandbox mode.

Do these kinds of tools ever make use of multiple hops through different legal jurisdictions and different types of compromising or is this too sophisticated?

Clive Robinson • January 22, 2018 2:59 PM

@ hmm,

It's interesting that it would be hardcoded to phone Amazon in the US for an Italy-aimed campaign.

Not as surprising as you might think.

A hardcoded IP address means very little when you cannot trust the network.

Look at it this way, you can as an attacker use the IP address to get the packets from the compromised hosts sent to the last router in Italy prior to disappearing through the gateway off to wherever the real host for that IP address is.

This being the expected behaviour it would not arouse suspicion in any way with those observing packet flows across the Italian networks.

However if I as the attacker have hacked, compromised and now own that last router all those packets from those compromised hosts will come into the router I now own. Importantly they will also be tagged with the compromised hosts' IP addresses and port numbers etc. So as the attacker I know which packets are really meant for Amazon and which are from my malware for me. One simple way to do that is to arrange for say the TTL count to time out on the last router (so again the behaviour would be superficially correct).

If I as the attacker arrange for the network packets meant for me to also be valid to Amazon, even if I don't catch and divert them at the last router they will further not raise an alarm...

The problem is people are often trained incorrectly thus actually think IP addresses actually mean a packet is going to get to that host. The reality is it means nothing of the sort, only that it will get sent that way by honest routers... What owned routers do however is totally beyond what most users and network admins can actually do.

Such devious behaviour has been working for quite some time and will no doubt carry on working for some time to come...

hmm • January 22, 2018 3:11 PM

@ echo

It's not super sophisticated to bounce around IP's to obscure their location/origin, I just thought it was interesting it was seemingly an Italy-only campaign but the malware in question had a first hard-coded IP call to the US. That would imply Amazon is just too damn easy to set up a malware server on compared to smaller local alternatives, or there's some other reason for using a US IP. Maybe they were sold a turn-key service, who knows.

Most games run on Windows so you're fully in the security cesspool off the bat.
They know your platform, they have your IP, they know the specific .dll is /there/...
all they need is an unsanitized console input or xyz, evil server soundpacks, TMTL.

Absolutely internet games are chock full of vulns. There's an entire industry of cracking popular games even before the official launch date. The profit motive is strong, the security isn't usually. It's ye olde profitability tradeoff. They're more interested in DRM and protecting their IP than they care if end users are made less secure. Securom etc.

Clive Robinson • January 22, 2018 3:24 PM

@ hmm,

It's interesting that it would be hardcoded to phone Amazon in the US for an Italy-aimed campaign.

Not as surprising as many might think. A hardcoded IP address means very little to nothing when you cannot trust the network.

Look at it this way, you can as an attacker use the IP address to get the packets from the hosts you have compromised sent to the last router in Italy prior to disappearing through the gateway off to wherever the real host for that IP address is. This being the expected behaviour up to that router it would not arouse suspicion in any way with those observing packet flows across the Italian networks.

However if you as the attacker have hacked, compromised and now own that last router all those packets from those hosts you also compromised will come into the router you now own.

Importantly they will also be tagged with the compromised hosts' IP addresses and port numbers etc. So as the attacker you know which packets are really meant for Amazon and which are from your malware on the hosts you compromised.

One simple way to do that is to arrange for say the TTL count to time out on the last router (so again the behaviour would be superficially correct). This will trigger behaviour on the last router that you can then decide what to do with the data packets.

If you as the attacker arrange for the network packets meant to be caught by you on the last router to also be valid for the Amazon server at that hard coded IP address, then even if you don't catch and divert the packets at the last router they will further not raise an alarm when examined etc.

The problem is people are often trained incorrectly thus actually think IP addresses actually mean a packet is going to get to that host. The reality is it means nothing of the sort, only that it will get sent that way by honest routers... What owned routers do however is totally beyond what most users and network admins can actually do.

Such devious behaviour has been working for quite some time now and will no doubt carry on working for some time to come...
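The mechanism Clive Robinson describes in the two comments above (address the packet to the legitimate-looking hardcoded IP, but set the TTL so it expires on a router the attacker owns) can be shown with a small simulation. This is an added illustration, not code from the Kaspersky report or from the malware; the router names, the 10.0.0.7 client, the five-hop path and the beacon payload are all constructed, and 54.67.109.199 is used only because it is the IP quoted in the thread. The point it demonstrates is that the destination IP never sees the beacon when the TTL runs out on the owned hop, and that an honest router at the same hop would instead answer with ICMP Time Exceeded, which is the observable difference a defender can look for.

```python
"""
Toy model of the "expire on the last-hop router" trick.

Added example; everything here (hosts, routers, payloads) is constructed.
"""
from dataclasses import dataclass, field

BEACON_PAYLOAD = b"GET /update HTTP/1.1\r\nX-Data: exfil-chunk\r\n\r\n"  # looks like a valid request
LEGIT_PAYLOAD = b"GET / HTTP/1.1\r\n\r\n"
CLIENT = "10.0.0.7"              # constructed infected host
HARDCODED_C2 = "54.67.109.199"   # the IP quoted in the thread


@dataclass
class Packet:
    src: str
    dst: str
    ttl: int
    payload: bytes
    path: list = field(default_factory=list)  # names of routers that forwarded it


@dataclass
class Router:
    name: str
    compromised: bool = False
    diverted: list = field(default_factory=list)            # what an owned router keeps
    icmp_time_exceeded: list = field(default_factory=list)  # sources an honest router replies to

    def forward(self, pkt: Packet):
        """Decrement TTL; return the packet to pass on, or None if it stops here."""
        pkt.ttl -= 1
        if pkt.ttl > 0:
            pkt.path.append(self.name)
            return pkt
        # TTL reached zero on this hop.
        if self.compromised:
            self.diverted.append(pkt)                 # attacker reads the payload
        else:
            self.icmp_time_exceeded.append(pkt.src)   # RFC-conformant drop + ICMP
        return None


def send(pkt: Packet, routers):
    """Push the packet hop by hop; True if it reaches the far end of the chain."""
    for router in routers:
        pkt = router.forward(pkt)
        if pkt is None:
            return False
    return True


def run_scenario(owned_hop: int, ttl: int):
    """
    Italy -> US path with five constructed hops; hop index 2 plays the
    "last router in Italy". owned_hop is the hop the attacker controls,
    ttl is the initial TTL the implant puts on its beacon.
    """
    routers = [Router("it-access"), Router("it-core"), Router("it-border"),
               Router("transit-1"), Router("us-edge")]
    routers[owned_hop].compromised = True

    beacon = Packet(CLIENT, HARDCODED_C2, ttl, BEACON_PAYLOAD)
    legit = Packet(CLIENT, HARDCODED_C2, 64, LEGIT_PAYLOAD)   # ordinary traffic, normal TTL

    return {
        "beacon_reached_dst": send(beacon, routers),
        "legit_reached_dst": send(legit, routers),
        "diverted_payloads": [p.payload for p in routers[owned_hop].diverted],
        "icmp_time_exceeded_at": [r.name for r in routers if r.icmp_time_exceeded],
        "beacon_path": list(beacon.path),
    }


if __name__ == "__main__":
    # Attacker owns the last Italian router and the beacon's TTL expires exactly there.
    print("owned last hop:", run_scenario(owned_hop=2, ttl=3))
    # Same beacon, but the last Italian router is honest: it drops and sends ICMP.
    print("honest last hop:", run_scenario(owned_hop=4, ttl=3))
```

In the first scenario the beacon never leaves Italy and nothing is logged at the owned hop, while the legitimate request with a normal TTL sails through to the hardcoded address, which is exactly why the destination IP on its own tells an analyst very little. In the second scenario the same low-TTL beacon produces ICMP Time Exceeded replies from the honest router, so outbound flows with an unusually low initial TTL, or a stream of Time Exceeded messages from one border router, are the kind of anomaly worth alerting on.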

Jordan • January 22, 2018 3:38 PM

54.67.109.199 is ec2-54-67-109-199.us-west-1.compute.amazonaws.com is an AWS EC2 instance, a rented virtual machine. It has nothing to do with Amazon other than that they own the hardware and one of their customers is renting it.
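Jordan's point, that the hardcoded address is a rented EC2 instance rather than "Amazon", is the kind of thing worth checking mechanically rather than by eyeballing a reverse lookup. The example below is an added one, not part of the original post or of the Kaspersky report: it classifies an IP against a provider's published prefix list and cross-checks the EC2-style PTR name (ec2-A-B-C-D.region.compute.amazonaws.com) for consistency with it. The prefix data embedded here is a small constructed excerpt in the shape of AWS's ip-ranges.json (https://ip-ranges.amazonaws.com/ip-ranges.json); the 54.67.0.0/16 entry is illustrative and should be confirmed against the live file, and the 198.51.100.0/24 entry is a documentation range included only so that a non-matching region can be exercised.

```python
"""
Classify a suspected C&C IP against a cloud provider's published ranges and
check that its EC2-style reverse DNS name agrees with them.

Added example. SAMPLE_IP_RANGES is a constructed excerpt in the shape of
AWS's ip-ranges.json; do not treat its contents as authoritative.
"""
import ipaddress
import json
import re

SAMPLE_IP_RANGES = json.dumps({
    "syncToken": "0",
    "createDate": "2018-01-22-00-00-00",
    "prefixes": [
        {"ip_prefix": "54.67.0.0/16", "region": "us-west-1", "service": "EC2"},
        {"ip_prefix": "54.67.0.0/16", "region": "us-west-1", "service": "AMAZON"},
        {"ip_prefix": "198.51.100.0/24", "region": "eu-central-1", "service": "EC2"},  # constructed
        {"ip_prefix": "13.32.0.0/15", "region": "GLOBAL", "service": "CLOUDFRONT"},
    ],
})

# ec2-54-67-109-199.us-west-1.compute.amazonaws.com  ->  ip 54.67.109.199, region us-west-1
EC2_PTR = re.compile(
    r"^ec2-(\d{1,3})-(\d{1,3})-(\d{1,3})-(\d{1,3})\.([a-z0-9-]+)\.compute\.amazonaws\.com$"
)


def cloud_prefixes(ip_ranges_json: str):
    """Parse an ip-ranges.json document into (network, region, service) tuples."""
    data = json.loads(ip_ranges_json)
    return [(ipaddress.ip_network(p["ip_prefix"]), p["region"], p["service"])
            for p in data["prefixes"]]


def classify_ip(ip: str, prefixes):
    """All matching (prefix, region, service) tuples, most specific first; [] if none."""
    addr = ipaddress.ip_address(ip)
    hits = [(net, region, service) for net, region, service in prefixes if addr in net]
    hits.sort(key=lambda h: h[0].prefixlen, reverse=True)
    return [(str(net), region, service) for net, region, service in hits]


def parse_ec2_ptr(hostname: str):
    """Return (ip, region) from an EC2-style PTR name, or None if it is not one."""
    m = EC2_PTR.match(hostname.strip().rstrip(".").lower())
    if not m:
        return None
    octets = m.group(1, 2, 3, 4)
    if any(int(o) > 255 for o in octets):   # regex allows 999; reject out-of-range octets
        return None
    return ".".join(octets), m.group(5)


def check_ptr_consistency(ip: str, hostname: str, prefixes):
    """
    Does the PTR name embed the same IP, and claim the same region, that the
    provider's EC2 prefix list says? A mismatch means the name is not trustworthy.
    """
    parsed = parse_ec2_ptr(hostname)
    if parsed is None:
        return {"ptr_is_ec2": False, "ip_matches": False, "region_matches": False}
    ptr_ip, ptr_region = parsed
    ec2_regions = {region for _, region, service in classify_ip(ip, prefixes) if service == "EC2"}
    return {
        "ptr_is_ec2": True,
        "ip_matches": ptr_ip == ip,
        "region_matches": ptr_region in ec2_regions,
    }


if __name__ == "__main__":
    prefixes = cloud_prefixes(SAMPLE_IP_RANGES)
    ip = "54.67.109.199"
    ptr = "ec2-54-67-109-199.us-west-1.compute.amazonaws.com"
    print(classify_ip(ip, prefixes))
    print(check_ptr_consistency(ip, ptr, prefixes))
```

In practice you would feed the live ip-ranges.json (and the equivalent lists from other providers) into cloud_prefixes and run classify_ip over every C&C address in an indicator list; a hit tells you which tenant-provisionable service the address belongs to, which in turn tells you the abuse contact and the fact that the "owner" is whoever rented the instance, not the provider. The PTR cross-check is cheap insurance against forged or stale reverse records: a name that claims a region the prefix list does not assign to that address is a flag, not a confirmation.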

hmm • January 22, 2018 3:53 PM

@ Clive

"The reality is it means nothing of the sort, only that it will get sent that way by honest routers.."

That's true, I just saw a document from Hacking Team where they talk about attacking bypass taps/switches to get into the ISP ring so they can send their implants. I didn't realize there was a difference between bypass taps and bypass switches, apparently it's kind of subtle.

https://www.garlandtechnology.com/blog/is-there-a-difference-bypass-switch-vs.-bypass-tap

So if any ISP's are running insecure bypasses all bets are surely off down the IP chain.

Hmm • January 22, 2018 4:04 PM

@Jordan

"It has nothing to do with Amazon other than that they own the hardware and one of their customers is renting it."

I'm aware of AWS, the point is they can set those up so quickly and easily (and apparently anonymously enough to often get away with it after the discovery) that AWS has become sort of a standard C&C platform for malware implementations. It was interesting that would be the choice to come back to the US (if the routing IP is to be believed, as Clive mentions) to access AWS for C&C rather than have some more obscure hosting in Italy, Balkans, etc.

It could maybe be a matter of which is more suspicious? AWS traffic could be anything and corporate clients might trust Amazon IP ranges whereas shadyhost.it might attract more eyeballs. Or perhaps AWS is just the new standard and the malware author includes a provisioning script/checklist or something specific for AWS to make it more turn-key.

Alyer Babtu • January 22, 2018 6:18 PM

Is it possible, with bounded resources, even in principle - secure computing over insecure systems (machines, networks), addressing confidentiality, integrity, and availability?

Claude Shannon, please update your communication diagram.

65535 • January 22, 2018 6:54 PM

@ Clive R., hmm, Jordan and others

Basically, IP addresses are becoming virtual, not a physical location, if you are looking at TLD registrars, who blindly register a URL and then err on the actual IP location.

“Not as suprising as many might think. A hardcoded IP address means very little to nothing when you can not trust the network. Look at it this way, you can as an attacker use the IP address to get the packets from the hosts you have compramised sent to the last router in Italy prior to disappearing through the gateway off to where ever the real host for that IP address is.”- Clive R

Yes, that is one way of stating the situation. The other is a little more simple – poor domain name to IP records… or even deceptive domains to IP address records. It happens all the time in South East Asia.

"54.67.109.199 is ec2-54-67-109-199.us-west-1.compute.amazonaws.com is an AWS EC2 instance, a rented virtual machine. It has nothing to do with Amazon other than that they own the hardware and one of their customers is renting it.”-Jordan

I believe you are correct. Except AWS knows who is renting and paying for the rental and probably their actual location.

“So if any ISP's are running insecure bypasses all bets are surely off down the IP chain.…AWS has become sort of a standard C&C platform for malware implementations. It was interesting that would be the choice to come back to the US (if the routing IP is to be believed, as Clive mentions) to access AWS for C&C rather than have some more obscure hosting in Italy, Balkans, etc.”-Hmm

That maybe an accurate statement. AWS is tied to the IC and does play both sides of the road.

I did take a look at the Garland Technology ad page and noticed SPAN mode, which I thought was the old Cisco port mirror feature… used sometimes by NSA/CIA/FBI for pen tap style of listening in on some communication channel and recording it. I suppose it has legitimate uses inside certain networks for monitoring purposes of all types.

Returning to the slip betwixt cup and lip regarding TLD and IP address, take the .mu TLD, which according to Wikipedia is in the island/country of Mauritius:

“Introduced 1995
“TLD type Country code top-level domain
“Status Active
“Registry MUNIC
“Sponsor Internet Direct Ltd.
“Intended use Entities connected with Mauritius
“Actual use Used by various sites, many (but not all) having something to do with Mauritius. (Ex.: used for MUsic and MUseum sites)
“Registration restrictions None
“Structure Can register at second level or at third level beneath various second-level labels; there is some redundancy (both .com.mu and .co.mu exist)
“Documents Policies… [Jumbled –Ed]

https://en.wikipedia.org/wiki/.mu

Next, I go to a Wonderfulxxx.mu website only to find =>

Flagfox warning: “Note Flagfox has determined that this webserver is in the USA, however the address ends in “.mu” (Niue). Flagfox locates servers using their IP address via an internal database and does not rely on TLD codes such as this. Servers need not be located in the origin nation of the site and thus this is not likely to be an error” –Flagfox

Firefox places the server in a large state and city in the southern border of the USA close to Mexico.

To repeat:

“if any ISP's are running insecure bypasses all bets are surely off down the IP chain.”-hmm

Yes, that is an understatement. You will find little comfort confirming TLD labeled countries with actual IP address locations.

Clive Robinson • January 22, 2018 7:12 PM

@ Alyer Babtu,

Is it possible, with bounded resources, even in principle - secure computing over insecure systems (machines, networks), addressing confidentiality, integrity, and availability?

Long answer short "Yes to all".

The only thing you can not defend against is a full insider attack at the full system level.

I've discussed this at length in the past on this blog with various long time contributors. I called it "Castles-v-Prisons" @Wael shortened it to "C-v-P" and in the odd place it is just "CvP" or "Prison architecture".

One newer contributor @Thoth is designing a system around parts of the "Prison architecture"

And as we have found out a small team at University College London (UCL) many of whom came from the Cambridge Computer Lab have actually started building hardware you can buy based on @Thoth and my work (and no they have not acknowledged our "prior art" / work which is somewhat annoying).

As for,

Claude Shannon, please update yiour communication diagram.

Yes it's been done by several people to not just show the effects side channels have, but passive and active attacks and adversaries. The thing is each addition in and of itself is a Shannon Channel. Thus like the little old lady stating clearly to the learned gent whilst emphasizing with her umbrella handle "Sonny it's turtles all the way down!" ;-)

Evan • January 22, 2018 7:44 PM

Re: Amazon

I assume they simply chose a location that they expected would blend in with other traffic, and AWS's us-west-1 probably gets a lot of app traffic for it to blend in with.

Alyer Babtu • January 22, 2018 9:02 PM

@Clive Robinson

Many thanks! I will start checking back through the blog. Are there also any books, academic style treatments, etc.?

Wael • January 22, 2018 11:58 PM

@Alyer Babtu, CC: @Clive Robinson,

@[redacted] shortened it to "C-v-P"

That's right! All I did was to shorten the name; it wasted too much space. You might want to Start here, ma man. And just for the record... the discussion was killed by request from one of its pioneers... None other than @Nick P :)

hmm • January 23, 2018 12:10 AM

"Except AWS knows who is renting and paying for the rental and probably their actual location."

They're in the stolen credential / malware business, fooling Amazon billing is not that difficult.

Clive Robinson • January 23, 2018 2:39 AM

@ Alyer Babtu,

Are there also any books, academic style treatments, etc. ?

There may be now, as the idea is finally coming into vogue. However I have not checked in a while.

But at the time I was "cutting a trail" through what appeared to be virgin jungle as there was nothing in the contemporary literature that came up when I searched.

The nearest stuff was the unrelated memory tagging ideas of the CHERI project over at Cambridge Computer labs, which still appears even now to be academic only. CHERI itself came out of another academic project "Capsicum" which looked into applying a hybrid capability model into the CPU architecture space. Supposedly allowing "fine-grained compartmentalisation within process address spaces".

All whilst continuing to support current Unix software designs, thus it fell in the "Castle" domain. Which I had repeatedly pointed out was insecure by design (thus got heckled ;-)

As such neither CHERI nor Capsicum would have provided protection against RowHammer or the recent Spectre and Meltdown attacks. Because the latter two are a major failing of all "Castle" systems with cache timing side channels allowing "reach around" attacks. Whilst the former is a "reach down" attack from the ISA layer and above directly to a fault in the DRAM design. All three attacks are due to poor hardware design choices that try to be "too efficient" to get fractional speed improvements for "specmanship" reasons.

Thus whilst the memory tagging might appear to be a hardware solution, it only applies to that thin security layer in the computing stack caused by the MMU that also gives the Virtual Memory capabilities. Which "reach around" and "reach down" attacks both bypass. Worse the MMU as currently used can not be used against "bubbling up" attacks that can alter the memory from any point in the computer stack below the CPU/MMU level. Thus realistically both CHERI and Capsicum were for protecting from software attacks above the CPU/MMU level which is CPU and up levels (this includes the Microcode level which converts the ISA instructions into the RTL hardware instructions as the back end of the instruction decode logic).

It has subsequently been pointed out to me via another "old time" engineer, that some very early computer designs that pre-date "Vector Processing" to get "Super Computers" used some of the multi-processor tricks. That is, there were a number of "Scalar" main Processing CPU blocks and I/O CPU blocks that communicated by a switching matrix or network. Both CDC and IBM had such designs (@Nick P has given some details on early CDC systems)

What I've been told is apparently Seymour Cray got his ideas for building massively parallel processing machines whilst working on the design of these CDC systems. But...

The "general knowledge" story is that Seymour Cray's ideas went on into some of the early Cray systems and then Sun purchased the switching matrix ideas and put them into high end Sun systems such as the Starfire 10000. With that architecture still in the 12K, 15K and 20K Starfire systems that were still in production when Oracle took over Sun in 2010 after Sun management "dropped the ball"...

However it appears the real story is a bit more complicated and much more interesting (which should interest @Nick P amongst others).

It involves another highly innovative company, Floating Point Systems (FPS) in the quaintly named Beaverton, Oregon. FPS as their name suggested designed Floating Point Vector Units that were added to integer scalar CPU systems such as DEC Vaxen to give a very significant performance boost. At some point the story goes they sold their switching matrix idea to Sun... However it appears it may have been much more of a "technology swap", because FPS went on to use Sun SPARCstation 2 ECL scalar CPU core designs in combination with their Vector Floating Point unit and a matrix switch chip in the Clark Masters design of CPU core for their FPS-500 parallel Vector processor system in the late 1980s.

When FPS got into financial troubles --as most Super Computer manufacturers did-- Seymour Cray bought FPS and the FPS-500 unit became quickly redesigned --still using the ECL Sun SPARC CPU-- into what became Cray's Symmetric multiprocessor (Cray S-MP) system which became a semi independent division of Cray under Clark Masters.

When Cray followed the trend of super computer manufacturers and got into financial troubles it was purchased by Silicon Graphics International (SGI) and the S-MP division was sold to Sun. Sun had at the time the financial resources to allow Clark Masters to implement the latent features of the original FPS-500 / Cray S-MP and the original Starfire 10000, which gave the 12K / 15K / 20K Starfire systems.

Although Sun no longer produced SPARC chips (Fujitsu had taken over that) Sun Fire systems based on SPARC were in production up until 2010. Due to some very strange goings on in Sun over SPARC-v-Intel hardware Sun just like preceding Super Computer manufacturers got into trouble and were bought out much to many people's surprise by Oracle.

Intel x86-64 based machines were manufactured and marketed under the Sun Fire name until mid-2012, when Oracle stopped using the Sun Fire brand altogether.

What became of the Clark Masters matrix ideas is unclear. In 2016 Fujitsu announced they were moving from SPARC to ARM.

As for Clark himself, he was Chairman and President of Sun Microsystems Federal for a while, but in late 2007 he became President and Chief Executive Officer of Astute Networks, Inc. Since 2012 amongst other things he is Senior Vice President, Hana Cloud Computing. Maybe one day soon he will tell his side of the story.

echo • January 23, 2018 8:53 AM

@clive

Microsoft published a white paper on internet security down to the bit level and submitted this to the UK government roughly five years ago. The scope of this paper is that a controlling force may permit or switch off the internet at any level and any breadth. I'm sorry I cannot remember the name of the whitepaper. If anyone is sufficiently interested they may contact Microsoft Research or possibly FOI request the UK Cabinet Office.

In theory this is a good idea but as always vested interests may do an end run of any laws in place. The DRM versus sending single mothers on benefits to jail for not buying a television licence is just one example.

(required) • January 24, 2018 1:37 PM

"The scope of this paper is that a controlling force may permit or switch off the internet at any level and any breadth"

But isn't that an of course? I mean you just called it a controlling force. THEY have the means...
The threat threshold or purpose for which they'd use that is the question: 9/11, regime change, etc.

Another question is can Mos/Bei/Pyo/Teh or anyone else do that without attribution also?
Economic weapon, lots of enemies to spread attribution around to.. it could get kinetic very fast.

"50 million people lost power for up to two days in the biggest blackout in North American history. The event contributed to at least 11 deaths and cost an estimated $6 billion."

That is absolutely NOTHING compared to what it could be.

echo • January 24, 2018 6:51 PM

@(required)

I don't always look on the bad side with things. I believe it is worth examining the positives too. This kind of bit level networked file system could help ensure FOI requests are not thwarted or prevent human rights abuses.

(required) • January 25, 2018 12:41 AM

@ echo

We've also tried to dig artificial lakes with nuclear weapons but I get your meaning.

You're absolutely right of course.
