Copyright © 2018 - 2020 Center for International Cyber Intelligence, Inc. All rights reserved.


The New Cyberscape! Cell Phone Hacking!

I received texts periodically in my SMS messages. One of them is shown below.

First off, they got my first name, and secondly, I get these messages constantly now. The number 888-972-6267 surprisingly belongs to nobody. The address belongs to http://ttp/xw8.pw/xDa3OiOT, which was detected as malicious by 1 out of 71 VirusTotal scans! Doing a search on xw8.pw, I found out it belonged to IP address 159.65.76.79. This is where the rabbit hole begins.

Associated with this IP address are several dozen domains, DNS servers, and IP addresses! The bulk of the addressing and data comes out of China, though there are a lot of connections with US and European servers, probably pulling data and acting as the middle man in this venture. I found several malware samples associated with this conglomerate.


Ulise / Chapak Malware – This malware is itself dropped by another malware. It automatically executes a batch file in the user's temp folder. Activities commonly include establishing remote access connections, capturing keyboard input, collecting system information, downloading/uploading files, dropping other malware onto the infected system, performing denial-of-service (DoS) attacks, and running/terminating processes.[1]

Ursu Malware – Ursu is a generic malware with many functionalities. It contacts a C2 server and performs code injection into the address space of legitimate processes. It is also able to achieve persistence, and seeks to collect confidential information.[2]

Graftor Adware – This adware is created to automatically redirect the web browser to a designated URL when it opens. This is definitely a point at which malware could be injected.

DarkComet Backdoor Malware – A Remote Access Trojan, or RAT. Commonly used to spy on victims by taking screen captures, key-logging, or stealing passwords.

A classes.dex file; .dex is the Dalvik Executable format, a set of class definitions and their associated adjunct data.[3] One can re-inject this classes file into an Android device and change the information around on the phone, or extract data. Within that same domain, there was a classes.dex for programs called KuGou and TenCent, which are Chinese music streaming and download services. These were probably used to extract data from the user's Android device.
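As an added example (not code from the original post), here is a small Python checker for the fixed classes.dex header described in the Dalvik format reference: it reads the magic, the Adler-32 checksum, the SHA-1 signature, the file size and the endian tag, and recomputes the integrity fields so that a classes.dex that has been modified or re-injected without its checksum and signature being regenerated stands out during triage. The build_minimal_dex helper constructs a header-only test file and is not a real app.

```python
import hashlib
import struct
import zlib

DEX_MAGIC_PREFIX = b"dex\n"   # followed by a 3-digit version and a NUL
HEADER_SIZE = 0x70
ENDIAN_CONSTANT = 0x12345678


def parse_dex_header(data: bytes) -> dict:
    """Parse the 0x70-byte DEX header and recompute its integrity fields."""
    if len(data) < HEADER_SIZE:
        raise ValueError("file shorter than a DEX header")
    magic = data[0:8]
    (checksum,) = struct.unpack_from("<I", data, 8)
    signature = data[12:32]
    file_size, header_size, endian_tag = struct.unpack_from("<III", data, 32)
    # Per the format: checksum is Adler-32 over everything after the checksum
    # field; signature is SHA-1 over everything after the signature field.
    actual_checksum = zlib.adler32(data[12:]) & 0xFFFFFFFF
    actual_signature = hashlib.sha1(data[32:]).digest()
    return {
        "version": magic[4:7].decode("ascii", "replace"),
        "magic_ok": magic[:4] == DEX_MAGIC_PREFIX and magic[7:8] == b"\x00",
        "checksum_ok": checksum == actual_checksum,
        "signature_ok": signature == actual_signature,
        "file_size_ok": file_size == len(data),
        "header_size_ok": header_size == HEADER_SIZE,
        "endian_ok": endian_tag == ENDIAN_CONSTANT,
    }


def is_consistent(data: bytes) -> bool:
    """True only if every structural and integrity check passes."""
    r = parse_dex_header(data)
    return all(v for k, v in r.items() if k.endswith("_ok"))


def build_minimal_dex(version: bytes = b"035") -> bytes:
    """Constructed test data: a header-only DEX with valid checksum/signature."""
    body = bytearray(HEADER_SIZE)
    body[0:8] = DEX_MAGIC_PREFIX + version + b"\x00"
    struct.pack_into("<III", body, 32, HEADER_SIZE, HEADER_SIZE, ENDIAN_CONSTANT)
    body[12:32] = hashlib.sha1(bytes(body[32:])).digest()
    struct.pack_into("<I", body, 8, zlib.adler32(bytes(body[12:])) & 0xFFFFFFFF)
    return bytes(body)


if __name__ == "__main__":
    sample = build_minimal_dex()
    print(parse_dex_header(sample))        # all *_ok fields True
```

A real sample with a bad checksum or signature is not necessarily malicious, but it was written by something other than the normal Android toolchain and deserves a closer look.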

There were several malware crypters roaming around on the sites, which would make sense to protect the information being exploited.

Another interesting find is that the address was associated with a TTP, or Time Triggered Protocol, which in layman's terms “consists of a single layer (unlike the multilayer OSI) that handles end-to-end data transport, clock synchronization, and membership management.”[4]

Typical TTP Packet

TTP data packets are often used in mission-critical data communication applications where deterministic operation is a requirement. This could be why it stated I had 6 hours. Moral of the story: if you get a suspicious text nowadays, do not open it on your phone or computer! Report it to us! More to come as I receive more text messages :).

[1] Fortinet. FortiGuard Labs. W32/Chapak.BVLW!tr. Accessed on 3 October 2019 at https://fortiguard.com/encyclopedia/virus/7680909.

[2] Cisco. Cisco Talos. Threat Roundup Sept 21 – 28. Created 28 September 2018. Accessed on 3 October 2019 at https://blog.talosintelligence.com/2018/09/threat-roundup-0921-0928.html.

[3] Source. Dalvik Executable format. Accessed on 3 October 2019 at https://source.android.com/devices/tech/dalvik/dex-format.html.

[4] EReading Club. The Time Triggered Protocol. Accessed on 3 October 2019 at https://www.e-reading.club/chapter.php/143358/166/Tanenbaum_-_Distributed_operating_systems.html.