Android Marcher posing as Flash update and Clash of Clans game trick

We observed a series of domains luring visitors into downloading a fake Flash update or a Clash of Clans game trick for phones running Android.

We downloaded the same malicious APK from both sites: the file name is flash_update.apk and its SHA1 is dc42fcd427054227a6ee2dd92b8356e57f9ead77.

The malicious application requests the following permissions:

android.permission.CHANGE_NETWORK_STATE (change network connectivity)
android.permission.SEND_SMS (send SMS messages)
android.permission.USES_POLICY_FORCE_LOCK (not a platform permission, which is why it is absent from the Android reference: USES_POLICY_FORCE_LOCK is a device-administrator policy name, so its presence in the manifest suggests the app also asks for device-admin rights)
android.permission.RECEIVE_BOOT_COMPLETED (automatically start at boot)
android.permission.INTERNET (full Internet access)
android.permission.VIBRATE (control vibrator)
android.permission.WRITE_SMS (edit SMS or MMS)
android.permission.ACCESS_WIFI_STATE (view Wi-Fi status)
android.permission.WAKE_LOCK (prevent phone from sleeping)
android.permission.GET_TASKS (retrieve running applications)
android.permission.CALL_PHONE (directly call phone numbers)
android.permission.WRITE_SETTINGS (modify global system settings)
android.permission.ACCESS_NETWORK_STATE (view network status)
android.permission.READ_PHONE_STATE (read phone state and identity)
android.permission.CHANGE_WIFI_STATE (change Wi-Fi status)
android.permission.READ_SMS (read SMS or MMS)
android.permission.READ_CONTACTS (read contact data)
android.permission.RECEIVE_SMS (receive SMS)
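Individually, most of these permissions are unremarkable; what matters is the combination (read and send SMS, watch the foreground app, survive reboot, become device admin). The following is an added example of our own, not code from the original post, that turns a decoded manifest into that kind of verdict. The manifest is constructed from the permission list above rather than taken from the real sample (you would obtain the real one with `apktool d flash_update.apk`), and `make_manifest`, the capability groups and the `banker_like` rule are our own choices.

```python
import xml.etree.ElementTree as ET

ANDROID_NS = "http://schemas.android.com/apk/res/android"
NAME_ATTR = "{%s}name" % ANDROID_NS

# Constructed from the permission list on this page (short names, without the
# android.permission. prefix). Not taken from the real sample's manifest.
PAGE_PERMISSIONS = [
    "CHANGE_NETWORK_STATE", "SEND_SMS", "USES_POLICY_FORCE_LOCK",
    "RECEIVE_BOOT_COMPLETED", "INTERNET", "VIBRATE", "WRITE_SMS",
    "ACCESS_WIFI_STATE", "WAKE_LOCK", "GET_TASKS", "CALL_PHONE",
    "WRITE_SETTINGS", "ACCESS_NETWORK_STATE", "READ_PHONE_STATE",
    "CHANGE_WIFI_STATE", "READ_SMS", "READ_CONTACTS", "RECEIVE_SMS",
]

# Names of device-administrator policies (android.app.admin.DeviceAdminInfo
# constants). They are not platform permissions; the system ignores them in a
# <uses-permission> tag, so seeing one there is a fingerprint of the author.
DEVICE_ADMIN_POLICY_NAMES = {
    "USES_POLICY_FORCE_LOCK", "USES_POLICY_WIPE_DATA",
    "USES_POLICY_RESET_PASSWORD", "USES_POLICY_WATCH_LOGIN",
}

# Our own grouping of permissions into the capabilities a banker needs.
CAPABILITIES = {
    "sms_interception": {"RECEIVE_SMS", "READ_SMS"},   # steal mTAN / 2FA codes
    "sms_sending": {"SEND_SMS"},                       # premium SMS, C2 over SMS
    "sms_tampering": {"WRITE_SMS"},                    # hide bank alerts
    "foreground_app_polling": {"GET_TASKS"},           # know which app is in front
    "boot_persistence": {"RECEIVE_BOOT_COMPLETED"},
    "call_control": {"CALL_PHONE"},
    "device_fingerprint": {"READ_PHONE_STATE"},
    "contact_harvest": {"READ_CONTACTS"},
}

def make_manifest(perms, device_admin):
    """Build a minimal apktool-style AndroidManifest.xml (constructed test input)."""
    uses = "\n".join(
        '  <uses-permission android:name="android.permission.%s"/>' % p for p in perms)
    admin = ""
    if device_admin:
        admin = ('<receiver android:name=".AdminReceiver" '
                 'android:permission="android.permission.BIND_DEVICE_ADMIN">'
                 '<intent-filter><action android:name="android.app.action.DEVICE_ADMIN_ENABLED"/>'
                 '</intent-filter></receiver>')
    return ('<manifest xmlns:android="%s" package="com.example.app">\n%s\n'
            '  <application>%s</application>\n</manifest>' % (ANDROID_NS, uses, admin))

def parse_permissions(manifest_xml):
    """Short names of every android.permission.* the manifest requests."""
    root = ET.fromstring(manifest_xml)
    prefix = "android.permission."
    return {n.get(NAME_ATTR)[len(prefix):] for n in root.iter("uses-permission")
            if (n.get(NAME_ATTR) or "").startswith(prefix)}

def requests_device_admin(manifest_xml):
    """True if a receiver handles DEVICE_ADMIN_ENABLED, i.e. the app wants admin rights."""
    root = ET.fromstring(manifest_xml)
    return any(a.get(NAME_ATTR) == "android.app.action.DEVICE_ADMIN_ENABLED"
               for a in root.iter("action"))

def triage(manifest_xml):
    perms = parse_permissions(manifest_xml)
    caps = {c for c, needed in CAPABILITIES.items() if needed <= perms}
    if requests_device_admin(manifest_xml):
        caps.add("device_admin")
    # Our rule for "looks like an SMS-stealing banker": it can read incoming SMS,
    # send SMS, and watch which app is in the foreground.
    banker_like = {"sms_interception", "sms_sending", "foreground_app_polling"} <= caps
    return {
        "permissions": sorted(perms),
        "capabilities": sorted(caps),
        "bogus_admin_policy_names": sorted(perms & DEVICE_ADMIN_POLICY_NAMES),
        "banker_like": banker_like,
    }

if __name__ == "__main__":
    import json
    print(json.dumps(triage(make_manifest(PAGE_PERMISSIONS, True)), indent=2))
```

Run against a decoded manifest, the script reports the capability groups present, flags device-admin policy names misplaced in `<uses-permission>`, and only calls the app banker-like when SMS interception, SMS sending and foreground-app polling are all present; a network-only app triggers nothing.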

We found three malicious URLs the application beacons to:

[Screenshot: Marcher C2 URL code]

hxxps://playsstore[.]net/QUESTIONROADFAR/
hxxps://secure-ingdirect[.]top/QUESTIONROADFAR/
hxxps://playsstore[.]mobi/QUESTIONROADFAR/

All of the domains use the same registration information, shown below. We verified the details: the street address and the phone number do not exist.

Registrant Name: joi frey
Registrant Organization:
Registrant Street: 12 mondo
Registrant City: paris
Registrant State/Province: Paris
Registrant Postal Code: 75014
Registrant Country: FR
Registrant Phone: +33.0101256325
Registrant Phone Ext:
Registrant Fax:
Registrant Fax Ext:
Registrant Email: benoit.parene@laposte[.]net

The email address benoit.parene@laposte[.]net was used to register several domains related to the same threat:

Domain                      Contact Email                 Created     IP Address        ASN    Country
cest-sure[.]com             benoit.parene@laposte[.]net   2016-12-17  146.0.79[.]171    57043  NL
clahs-clans-crack[.]com     benoit.parene@laposte[.]net   2016-12-18  185.70.184[.]176  57043  NL
clash-of-clans-crack[.]net  benoit.parene@laposte[.]net   2016-12-16  146.0.79[.]179    57043  NL
clashclanscrack[.]com       benoit.parene@laposte[.]net   2016-12-20  185.70.187[.]212  57043  NL
clashclanscrack[.]net       benoit.parene@laposte[.]net   2016-12-20  185.70.187[.]212  57043  NL
crackclashofclans[.]com     benoit.parene@laposte[.]net   2016-12-20  185.70.187[.]212  57043  NL
crackclashofclans[.]net     benoit.parene@laposte[.]net   2016-12-20  185.70.187[.]212  57043  NL
flash-play[.]com            benoit.parene@laposte[.]net   2016-12-18  146.0.79[.]226    57043  NL
hdi-porn[.]com              benoit.parene@laposte[.]net   2016-12-18  185.70.184[.]176  57043  NL
playsstore[.]mobi           benoit.parene@laposte[.]net   2016-11-24  5.188.228[.]253   48693  RU
playsstore[.]net            benoit.parene@laposte[.]net   2016-11-24  5.188.228[.]253   48693  RU
playystore[.]com            benoit.parene@laposte[.]net   2016-12-15  146.0.79[.]161    57043  NL

From the listed IP addresses we were able to expand our investigation and find more domains related to the Android Marcher malware. The IP address 185.70.187[.]212, which hosts several of the Clash of Clans domains, also hosts another domain, adkjah34[.]com, registered with the following details:

Registrant Name: JOSE NILSON ALVES PAMPLONA
Registrant Organization: JOSE NILSON ALVES PAMPLONA
Registrant Street: RUA DULCE TORRES BROCHADO  2441
Registrant City: UNAI
Registrant State/Province: MG
Registrant Postal Code: 38610000
Registrant Country: BR
Registrant Phone: +55.11943534986
Registrant Email: jose.nilsonalves@yahoo.com[.]br

Several other domains were registered with the same details, and at least five of them are known Banload C2s (Banload is a Brazilian banking Trojan). The domains are:

madimbu[.]com
alabeutum[.]com
babcxx22tu[.]com
alabeutres[.]com
baeroodum[.]com
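The two pivots used above (registrant e-mail to the twelve lure domains, then the shared IP 185.70.187[.]212 to adkjah34[.]com and from its registrant to the Banload C2s) are the same operation with different keys, and the order matters: an e-mail match is strong, a shared hosting IP is weaker, and a shared ASN is barely evidence at all. The following is an added example of our own, not code from the original post. `RECORDS` is transcribed from the table and prose on this page; fields the page does not give are `None`, and the record layout, `pivot` and its hop limit are our own design.

```python
from collections import defaultdict, deque

BENOIT = "benoit.parene@laposte.net"
JOSE = "jose.nilsonalves@yahoo.com.br"

# (domain, registrant e-mail, hosting IP, ASN), transcribed from this page.
RECORDS = [
    ("cest-sure.com", BENOIT, "146.0.79.171", "57043"),
    ("clahs-clans-crack.com", BENOIT, "185.70.184.176", "57043"),
    ("clash-of-clans-crack.net", BENOIT, "146.0.79.179", "57043"),
    ("clashclanscrack.com", BENOIT, "185.70.187.212", "57043"),
    ("clashclanscrack.net", BENOIT, "185.70.187.212", "57043"),
    ("crackclashofclans.com", BENOIT, "185.70.187.212", "57043"),
    ("crackclashofclans.net", BENOIT, "185.70.187.212", "57043"),
    ("flash-play.com", BENOIT, "146.0.79.226", "57043"),
    ("hdi-porn.com", BENOIT, "185.70.184.176", "57043"),
    ("playsstore.mobi", BENOIT, "5.188.228.253", "48693"),
    ("playsstore.net", BENOIT, "5.188.228.253", "48693"),
    ("playystore.com", BENOIT, "146.0.79.161", "57043"),
    # From the prose: reached through the 185.70.187.212 pivot, different registrant.
    ("adkjah34.com", JOSE, "185.70.187.212", None),
    # Banload C2s: the page links them only through the registrant details.
    ("madimbu.com", JOSE, None, None),
    ("alabeutum.com", JOSE, None, None),
    ("babcxx22tu.com", JOSE, None, None),
    ("alabeutres.com", JOSE, None, None),
    ("baeroodum.com", JOSE, None, None),
]

# Pivot keys in decreasing confidence. ASN is last on purpose: AS57043 and
# AS48693 are hosting providers, so an ASN pivot pulls in unrelated customers.
KEYS = ("email", "ip", "asn")

def build_index(records):
    """(kind, value) -> set of domains sharing that indicator."""
    index = defaultdict(set)
    for domain, *values in records:
        for kind, value in zip(KEYS, values):
            if value:
                index[(kind, value)].add(domain)
    return index

def pivot(records, seed, kinds=("email", "ip"), max_hops=2):
    """Breadth-first expansion from `seed` over shared indicators of `kinds`.
    Returns {domain: [indicators that linked it, in order]}; the seed maps to [].
    max_hops caps the chain length, because every hop through a shared IP
    lowers confidence that the new domain belongs to the same actor."""
    index = build_index(records)
    by_domain = {r[0]: dict(zip(KEYS, r[1:])) for r in records}
    found = {seed: []}
    queue = deque([(seed, 0)])
    while queue:
        domain, hops = queue.popleft()
        if hops >= max_hops:
            continue
        for kind in kinds:
            value = by_domain[domain][kind]
            if not value:
                continue
            for other in sorted(index[(kind, value)]):
                if other not in found:
                    found[other] = found[domain] + ["%s:%s" % (kind, value)]
                    queue.append((other, hops + 1))
    return found

if __name__ == "__main__":
    for dom, path in pivot(RECORDS, "playsstore.net", max_hops=3).items():
        print(dom, "<-", " <- ".join(path) or "seed")
```

Starting from playsstore.net with e-mail and IP pivots, two hops reach the twelve lure domains plus adkjah34.com; the third hop, through the second registrant's e-mail, reaches the Banload C2s, and the returned path for each domain records exactly which indicators carried it there, which is what you need when deciding how much of the cluster to block.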

Sample of forged websites – hxxp://flash-play[.]com

[Screenshot: Flash update forged website]

Sample of forged websites – hxxp://clashclanscrack[.]com

[Screenshot: Clash of Clans forged website]


IOCs:
SHA1(flash_mise_a_jour.apk)= d3ebdb1d4f73ed20d16489ef1a477a843d382edc
SHA1(flash_update.apk)= dc42fcd427054227a6ee2dd92b8356e57f9ead77
SHA1(myfile.apk)= da39a3ee5e6b4b0d3255bfef956018 (as published: only 30 of a SHA1's 40 hex digits, and those digits match the start of the SHA1 of an empty file; do not use this value for matching)
SHA1(classes.dex)= 8af9b4e9b443a4668da6e715fa8a4e1e58fcff77
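Before these indicators go into a blocklist they need refanging and a sanity check: the myfile.apk entry above is a short digest whose digits are the prefix of the SHA1 of an empty file, and matching on it would be useless at best. The following is an added example of our own, not code from the original post; `RAW_IOCS` is transcribed from this page, and the classification rules and the `usable`/`unusable` statuses are our own.

```python
import hashlib
import ipaddress
import re
from urllib.parse import urlsplit

# Transcribed from this page, defanged exactly as published.
RAW_IOCS = [
    "hxxps://playsstore[.]net/QUESTIONROADFAR/",
    "hxxps://secure-ingdirect[.]top/QUESTIONROADFAR/",
    "hxxps://playsstore[.]mobi/QUESTIONROADFAR/",
    "185.70.187[.]212",
    "adkjah34[.]com",
    "SHA1(flash_update.apk)= dc42fcd427054227a6ee2dd92b8356e57f9ead77",
    "SHA1(myfile.apk)= da39a3ee5e6b4b0d3255bfef956018",
]

HASH_ALGOS = {32: "md5", 40: "sha1", 64: "sha256"}
EXPECTED_LEN = {algo: n for n, algo in HASH_ALGOS.items()}
# Digest of empty input per algorithm: a sample with this hash is an empty
# file, not malware, and it matches every empty file on every system.
EMPTY_DIGESTS = {a: getattr(hashlib, a)(b"").hexdigest() for a in ("md5", "sha1", "sha256")}
HASH_LINE = re.compile(r"(?P<algo>MD5|SHA1|SHA256)\((?P<name>[^)]+)\)\s*=\s*(?P<hex>[0-9a-fA-F]+)")

def refang(text):
    """Undo the usual defanging: hxxp(s) -> http(s), [.] -> ., [:] -> :."""
    return text.replace("hxxp", "http").replace("[.]", ".").replace("[:]", ":").strip()

def check_hash(algo, hexdigest):
    """(status, detail): rejects wrong-length digests and digests of empty input."""
    h = hexdigest.lower()
    expected = EXPECTED_LEN[algo]
    if len(h) != expected:
        detail = "%d/%d hex digits" % (len(h), expected)
        if EMPTY_DIGESTS[algo].startswith(h):
            detail += " and a prefix of the empty-input %s" % algo
        return "unusable", detail
    if h == EMPTY_DIGESTS[algo]:
        return "unusable", "%s of an empty file" % algo
    return "ok", ""

def classify(raw):
    """Normalise one published indicator into a typed record with a usability verdict."""
    text = refang(raw)
    m = HASH_LINE.fullmatch(text)
    if m:
        algo = m.group("algo").lower()
        status, detail = check_hash(algo, m.group("hex"))
        return {"type": "hash", "algo": algo, "name": m.group("name"),
                "value": m.group("hex").lower(), "status": status, "detail": detail}
    if "://" in text:
        host = urlsplit(text).hostname
        return {"type": "url", "value": text, "host": host,
                "status": "ok" if host else "unusable", "detail": "" if host else "no host"}
    try:
        ip = ipaddress.ip_address(text)
        ok = ip.is_global
        return {"type": "ip", "value": str(ip), "status": "ok" if ok else "unusable",
                "detail": "" if ok else "non-routable address"}
    except ValueError:
        pass
    if re.fullmatch(r"[a-z0-9-]+(\.[a-z0-9-]+)+", text.lower()):
        return {"type": "domain", "value": text.lower(), "status": "ok", "detail": ""}
    return {"type": "unknown", "value": text, "status": "unusable", "detail": "unrecognised indicator"}

def usable_iocs(raw_list):
    """Only the indicators that survived validation."""
    return [c for c in map(classify, raw_list) if c["status"] == "ok"]

if __name__ == "__main__":
    for c in map(classify, RAW_IOCS):
        print(c["status"].ljust(8), c["type"].ljust(6), c["value"], c["detail"])
```

The length check is the one that matters in practice: feeds routinely carry digests truncated by copy-and-paste, and a blocklist engine that does prefix or substring matching on a 30-digit value will silently match nothing, or worse, match the wrong thing. The empty-input digests are included because an empty file hashed by mistake is the most common way a meaningless hash ends up in an IOC list.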
