New Android Trojan 'SoumniBot': Attack Techniques Revealed

admin, 2024-04-19 21:03:57


A new Android trojan called SoumniBot has been detected in the wild targeting users in South Korea by leveraging weaknesses in the manifest extraction and parsing procedure.

The malware is "notable for an unconventional approach to evading analysis and detection, namely obfuscation of the Android manifest," Kaspersky researcher Dmitry Kalinin said in a technical analysis.

Every Android app comes with a manifest XML file ("AndroidManifest.xml") that's located in the root directory and declares the various components of the app, as well as the permissions and the hardware and software features it requires.

Knowing that threat hunters typically commence their analysis by inspecting the app's manifest file to determine its behavior, the threat actors behind the malware have been found to leverage three different techniques to make the process a lot more challenging.

The first method involves an invalid Compression method value in the ZIP entry that holds the APK's manifest. When the manifest is unpacked with the libziparchive library, any value other than 0x0000 or 0x0008 is treated as uncompressed.

"This allows app developers to put any value except 8 into the Compression method and write uncompressed data," Kalinin explained.

"Although any unpacker that correctly implements compression method validation would consider a manifest like that invalid, the Android APK parser recognizes it correctly and allows the application to be installed."

It's worth pointing out here that the method has been adopted by threat actors associated with several Android banking trojans since April 2023.

Secondly, SoumniBot misstates the size of the archived manifest file, declaring a value larger than the actual one. Because the entry is "uncompressed", the declared number of bytes is copied directly, and the manifest parser ignores the trailing "overlay" data that fills the rest of the declared space.

"Stricter manifest parsers wouldn't be able to read a file like that, whereas the Android parser handles the invalid manifest without any errors," Kalinin said.
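To make the first two tricks concrete, here is an added Python example (my own, not code from the article or from Kaspersky's report). It hand-writes a one-entry APK-style ZIP whose AndroidManifest.xml carries an invalid compression method and a declared size larger than the real manifest, shows that Python's strict zipfile module refuses to read it, then emulates the permissive behaviour the article attributes to libziparchive together with a chunk-size-driven manifest parse that quietly accept it, and finishes with a triage check that flags both header lies. Assumptions: 0x0010 is used as the bogus method value; the "manifest" is only the outer ResChunk_header of Android binary XML plus a text payload, not a real compiled manifest; the lenient extractor follows the article's description rather than the real libziparchive source; and the archive is assumed to carry no comment.

```python
import io
import struct
import zipfile
import zlib

NAME = b"AndroidManifest.xml"
DEFLATED = 8
BOGUS_METHOD = 0x0010           # assumed invalid method value for the demo (neither 0 nor 8)
RES_XML_TYPE = 0x0003           # outer chunk type of Android binary XML
LOCAL = "<IHHHHHIIIHH"          # local file header (30 bytes)
CENTRAL = "<IHHHHHHIIIHHHHHII"  # central directory header (46 bytes)
EOCD = "<IHHHHIIH"              # end of central directory (22 bytes)
SIG_LOCAL, SIG_CENTRAL, SIG_EOCD = 0x04034B50, 0x02014B50, 0x06054B50


def make_manifest(payload: bytes) -> bytes:
    """Stand-in manifest: a ResChunk_header (type, headerSize, size) plus payload.
    A real manifest carries string pools and XML chunks; only the outer size matters here."""
    return struct.pack("<HHI", RES_XML_TYPE, 8, 8 + len(payload)) + payload


def build_zip(manifest: bytes, overlay: bytes = b"", method: int = BOGUS_METHOD) -> bytes:
    """One-entry archive written by hand so every header field is under our control.
    The data is always stored raw; `method` is what the headers claim (trick 1), and the
    declared size also covers `overlay` appended after the manifest (trick 2)."""
    crc = zlib.crc32(manifest) & 0xFFFFFFFF
    declared = len(manifest) + len(overlay)
    local = struct.pack(LOCAL, SIG_LOCAL, 20, 0, method, 0, 0,
                        crc, declared, declared, len(NAME), 0) + NAME
    central = struct.pack(CENTRAL, SIG_CENTRAL, 20, 20, 0, method, 0, 0,
                          crc, declared, declared, len(NAME), 0, 0, 0, 0, 0, 0) + NAME
    cd_offset = len(local) + declared
    eocd = struct.pack(EOCD, SIG_EOCD, 0, 0, 1, 1, len(central), cd_offset, 0)
    return local + manifest + overlay + central + eocd


def locate(blob: bytes, name: bytes) -> tuple:
    """Find `name` through the central directory (assumes no archive comment) and
    return (method, compressed_size, data_offset) from its local header."""
    e = struct.unpack_from(EOCD, blob, len(blob) - 22)
    pos = e[6]
    for _ in range(e[4]):
        c = struct.unpack_from(CENTRAL, blob, pos)
        nlen, xlen, clen, off = c[10], c[11], c[12], c[16]
        if blob[pos + 46:pos + 46 + nlen] == name:
            l = struct.unpack_from(LOCAL, blob, off)
            return l[3], l[7], off + 30 + l[9] + l[10]
        pos += 46 + nlen + xlen + clen
    raise KeyError(name.decode())


def strict_extract(blob: bytes):
    """Python's zipfile validates the method and the CRC; either trick makes it refuse."""
    try:
        with zipfile.ZipFile(io.BytesIO(blob)) as zf:
            return zf.read(NAME.decode())
    except (NotImplementedError, zipfile.BadZipFile, ValueError, RuntimeError):
        return None


def lenient_extract(blob: bytes) -> bytes:
    """Emulates the behaviour the article attributes to libziparchive: any method other
    than DEFLATED is treated as stored and the declared size is copied verbatim, CRC unchecked."""
    method, csize, start = locate(blob, NAME)
    raw = blob[start:start + csize]
    return zlib.decompress(raw, -15) if method == DEFLATED else raw


def parse_manifest(data: bytes) -> bytes:
    """Reads only what the chunk header declares, so the overlay that the inflated ZIP
    size dragged along is silently ignored, as the Android-side parse is described to do."""
    ctype, hsize, size = struct.unpack_from("<HHI", data, 0)
    if ctype != RES_XML_TYPE or hsize > size or size > len(data):
        raise ValueError("not a binary XML chunk")
    return data[hsize:size]


def manifest_anomalies(blob: bytes) -> list:
    """Triage check for an APK: report the two header lies so an analyst looks at the sample."""
    method, csize, start = locate(blob, NAME)
    found = []
    if method not in (0, DEFLATED):
        found.append(f"invalid compression method 0x{method:04x}")
    if method != DEFLATED:
        chunk = struct.unpack_from("<HHI", blob, start)[2]
        if csize > chunk:
            found.append(f"declared size {csize} exceeds manifest chunk size {chunk}")
    return found


def demo() -> dict:
    manifest = make_manifest(b'<manifest package="com.example.demo"/>')  # constructed payload
    evasive = build_zip(manifest, overlay=b"\xaa" * 64)                   # constructed overlay
    clean = build_zip(manifest, method=0)                                 # control archive
    return {
        "strict_clean": strict_extract(clean) == manifest,   # True: the builder is sound
        "strict_evasive": strict_extract(evasive),           # None: zipfile rejects it
        "lenient_evasive": parse_manifest(lenient_extract(evasive)),
        "anomalies": manifest_anomalies(evasive),
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(key, value)
```

Running it as a script prints the four results: the clean control archive (method 0, no overlay) passes zipfile, which shows the builder itself is sound, while the evasive one fails strict extraction but still yields the full manifest payload through the lenient path, and the triage check names both lies. Real APKs contain many entries and the manifest need not be first, which is why the lookup goes through the central directory rather than walking local headers sequentially; inflated sizes would mislead a sequential walker in exactly the way the second trick intends.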

The final technique uses very long XML namespace names in the manifest file, which makes it difficult for analysis tools to allocate enough memory to process them. The Android manifest parser, however, is designed to ignore namespaces, so it raises no errors when handling such a file.

Once launched, SoumniBot requests its configuration from a hard-coded server address. The configuration supplies two further servers: one to which the collected data is sent, and one from which commands are received over the MQTT messaging protocol.

It's designed to launch a malicious service that restarts every 16 minutes if it terminates for some reason, and uploads the information every 15 seconds. This includes device metadata, contact lists, SMS messages, photos, videos, and a list of installed apps.

The malware is also capable of adding and deleting contacts, sending SMS messages, toggling silent mode, and enabling Android's debug mode, not to mention hiding the app icon to make it harder to uninstall from the device.

One noteworthy feature of SoumniBot is its ability to search the external storage media for .key and .der files containing paths to "/NPKI/yessign," which refers to the digital signature certificate service offered by South Korea for governments (GPKI), banks, and online stock exchanges (NPKI).

"These files are digital certificates issued by Korean banks to their clients and used for signing in to online banking services or confirming banking transactions," Kalinin said. "This technique is quite uncommon for Android banking malware."

Earlier this year, cybersecurity company S2W revealed details of a malware campaign undertaken by the North Korea-linked Kimsuky group that made use of a Golang-based information stealer called Troll Stealer to siphon GPKI certificates from Windows systems.

"Malware creators seek to maximize the number of devices they infect without being noticed," Kalinin concluded. "This motivates them to look for new ways of complicating detection. The developers of SoumniBot unfortunately succeeded due to insufficiently strict validations in the Android manifest parser code."

Reference

[1] https://thehackernews.com/2024/04/new-android-trojan-soumnibot-evades.html

Originally published on the WeChat public account 知机安全: New Android Trojan 'SoumniBot': Attack Techniques Revealed

Article link (CN-SEC): https://cn-sec.com/archives/2671610.html