Threat Hunting for Android MW – Gamaredon

Name:
Threat Hunting for Android MW – Gamaredon

TTP:
T1566.002 Phishing: Spearphishing Link

Hypothesis:

The attacker is sending malicious links to mobile devices via SMS or social media posts. The links lead to the download of malicious apps (typically sideloaded APKs rather than app-store listings) that collect sensitive data from the device.

Campaign Type:
Data Driven

Data Sources:

  • Mobile device logs
  • Network traffic
  • SMS messages
  • Social media posts
  • App download history
  • App permission requests
  • Device logs (e.g., battery usage, CPU usage, data usage)
  • User reports of suspicious activity

Tools:

  • Lookout Security Platform
  • Mobile Device Management (MDM) solution
  • Threat Intelligence Platform (TIP)
  • Network traffic analysis tools
  • YARA
  • Sigma

Scenario:

  1. Initial Access: Attacker sends a spearphishing link via SMS or social media post to a targeted individual.

  2. Execution: The victim clicks on the link, is redirected to a malicious website or app download page, and installs the APK. On current Android versions this requires the user to allow installs from unknown sources for the browser or messaging app that fetched the file, so that prompt is itself a hunt-relevant event.

  3. Defense Evasion: The malicious app may use various techniques to evade detection, such as code obfuscation, anti-analysis checks (emulator and debugger detection), or impersonating a legitimate app's name and icon.

  4. Persistence: The app requests the privileges that let it survive reboots and resist removal, for example a BOOT_COMPLETED receiver, device administrator rights, an accessibility service, or exclusion from battery optimisation. The same first-run permission flow is used to obtain the sensitive-data permissions that make the collection step possible.

  5. Collection: The app collects sensitive data such as SMS messages, call logs, contacts, location, photos, and audio recordings.

  6. Exfiltration: The app exfiltrates the collected data to the attacker’s C2 server.

  7. Impact: The attacker gains access to sensitive information, which could be used for espionage, identity theft, or other malicious purposes.
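The permission and persistence checks in steps 4 and 5 can be run statically against a decoded AndroidManifest.xml before any dynamic analysis. The following is an added example, not code from the original template or from any Gamaredon sample: it parses a manifest, maps declared permissions and privileged components onto the collection and persistence capabilities above, and returns a coarse verdict. Both manifests are constructed for illustration and the package names are hypothetical.

```python
"""Static triage of a decoded AndroidManifest.xml for the capabilities the
scenario above describes: collection permissions plus persistence hooks.
Added example, not code from the original template or from any Gamaredon
sample. The two manifests are constructed; package names are hypothetical."""
import xml.etree.ElementTree as ET

ANDROID_NS = "http://schemas.android.com/apk/res/android"
A_NAME = "{%s}name" % ANDROID_NS              # android:name
A_PERMISSION = "{%s}permission" % ANDROID_NS  # android:permission
BOOT_ACTION = "android.intent.action.BOOT_COMPLETED"

# Runtime permissions behind the Collection step, grouped by data category.
COLLECTION_PERMS = {
    "android.permission.READ_SMS": "sms",
    "android.permission.RECEIVE_SMS": "sms",
    "android.permission.READ_CALL_LOG": "call_log",
    "android.permission.READ_CONTACTS": "contacts",
    "android.permission.ACCESS_FINE_LOCATION": "location",
    "android.permission.RECORD_AUDIO": "audio",
    "android.permission.CAMERA": "camera",
}
# Permissions that let an app survive reboots or stay resident (Persistence).
PERSISTENCE_PERMS = {
    "android.permission.RECEIVE_BOOT_COMPLETED": "boot_receiver",
    "android.permission.REQUEST_IGNORE_BATTERY_OPTIMIZATIONS": "battery_whitelist",
}
# Privileged components carry android:permission on the <receiver>/<service>;
# an active device admin blocks uninstall, an accessibility service can read
# the screen and click through permission dialogs.
PERSISTENCE_BIND_PERMS = {
    "android.permission.BIND_DEVICE_ADMIN": "device_admin",
    "android.permission.BIND_ACCESSIBILITY_SERVICE": "accessibility_service",
}


def triage_manifest(xml_text):
    """Return declared collection/persistence capabilities and a coarse verdict."""
    root = ET.fromstring(xml_text)
    declared = {e.get(A_NAME) for e in root.iter("uses-permission")}
    collection = {COLLECTION_PERMS[p] for p in declared if p in COLLECTION_PERMS}
    persistence = {PERSISTENCE_PERMS[p] for p in declared if p in PERSISTENCE_PERMS}
    app = root.find("application")
    if app is not None:
        for comp in list(app.iter("receiver")) + list(app.iter("service")):
            if comp.get(A_PERMISSION) in PERSISTENCE_BIND_PERMS:
                persistence.add(PERSISTENCE_BIND_PERMS[comp.get(A_PERMISSION)])
            if any(a.get(A_NAME) == BOOT_ACTION for a in comp.iter("action")):
                persistence.add("boot_receiver")
    # Heuristic, not a rule: a stand-alone SMS client legitimately needs the
    # sms+contacts set, so collection alone stops at "medium"; pairing it with
    # a persistence hook is what raises the verdict to "high".
    if persistence and len(collection) >= 2:
        verdict = "high"
    elif len(collection) >= 2 or (persistence and collection):
        verdict = "medium"
    else:
        verdict = "low"
    return {"package": root.get("package", "<unknown>"),
            "collection": sorted(collection),
            "persistence": sorted(persistence),
            "verdict": verdict}


# Constructed manifest resembling a sideloaded "update" dropper (hypothetical).
SUSPECT_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.mailupdate">
  <uses-permission android:name="android.permission.INTERNET"/>
  <uses-permission android:name="android.permission.READ_SMS"/>
  <uses-permission android:name="android.permission.RECEIVE_SMS"/>
  <uses-permission android:name="android.permission.READ_CONTACTS"/>
  <uses-permission android:name="android.permission.RECORD_AUDIO"/>
  <uses-permission android:name="android.permission.ACCESS_FINE_LOCATION"/>
  <uses-permission android:name="android.permission.RECEIVE_BOOT_COMPLETED"/>
  <application android:label="System Update">
    <receiver android:name=".BootReceiver">
      <intent-filter><action android:name="android.intent.action.BOOT_COMPLETED"/></intent-filter>
    </receiver>
    <receiver android:name=".AdminReceiver" android:permission="android.permission.BIND_DEVICE_ADMIN">
      <intent-filter><action android:name="android.app.action.DEVICE_ADMIN_ENABLED"/></intent-filter>
    </receiver>
  </application>
</manifest>"""

# Constructed manifest of an ordinary SMS client: same data permissions, no
# persistence hooks, so it must not score "high" (false-positive control).
BENIGN_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.messenger">
  <uses-permission android:name="android.permission.INTERNET"/>
  <uses-permission android:name="android.permission.READ_SMS"/>
  <uses-permission android:name="android.permission.RECEIVE_SMS"/>
  <uses-permission android:name="android.permission.READ_CONTACTS"/>
  <application android:label="Messenger">
    <activity android:name=".MainActivity"/>
  </application>
</manifest>"""

if __name__ == "__main__":
    for m in (SUSPECT_MANIFEST, BENIGN_MANIFEST):
        print(triage_manifest(m))
```

The manifest must be decoded first (binary AXML from an APK does not parse as text); the thresholds are a starting point for prioritisation, not a detection rule, and the benign messenger is included precisely because it shares the SMS and contacts permissions with the dropper.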

Hunting Strategy:

  1. Analyze mobile device logs for suspicious app activity: apps installed by something other than the app store (sideloading), permission grants that are excessive for the app's stated purpose (SMS, call log, contacts, location, microphone), unusual network traffic, or access to sensitive data.

  2. Monitor network traffic for connections to domains or IP addresses that threat intelligence associates with Gamaredon, and for newly installed apps that begin sending large outbound volumes shortly after installation.

  3. Scan downloaded APKs and device storage for known malicious apps using YARA rules built from known indicators of compromise (package names, signing certificate hashes, strings), and apply Sigma rules to the MDM, MTD, and network logs for the corresponding events; Sigma matches on log records, not on files.

  4. Analyze SMS messages and social media posts for links that may indicate a spearphishing attempt, paying particular attention to shortened or lookalike URLs and links that resolve to a direct .apk download.

  5. Correlate events from different data sources to identify potential attacks and prioritize investigation.

  6. Investigate outliers and suspicious events using threat intelligence and device analysis tools.

  7. Validate potential threats by analyzing app behavior, network activity, and device artifacts.

  8. Remediate by removing malicious apps (deactivating device administrator rights first, since an active admin app cannot be uninstalled), blocking C2 communication, and revoking compromised credentials.

  9. Report findings and recommendations for improving security posture, such as user education on mobile threats and implementing stricter app vetting policies.
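Steps 1 to 5 above can be joined into one correlation over the data sources already listed. The following is an added example, not code from the original template: it triages message links (step 4), flags sideloaded installs (step 1), checks per-app connections against an IOC list and an outbound-volume threshold (step 2), and scores the chain per device within a time window (step 5). Every device ID, timestamp, sender, domain and package name is constructed; IOC_DOMAINS and SHORTENERS are placeholders for what a TIP or MTD feed would supply, and the trusted-installer set and weights are assumptions to tune locally.

```python
"""Hunt for the chain the strategy above describes (suspicious SMS or social
link, sideloaded install on the same device shortly after, then outbound
traffic from that package to C2) over constructed records. Added example, not
part of the original template; every device ID, timestamp, sender, domain and
package name is constructed, and IOC_DOMAINS stands in for a TIP feed."""
import re
from collections import defaultdict
from datetime import datetime, timedelta
from urllib.parse import urlparse

URL_RE = re.compile(r"https?://[^\s<>\"']+", re.IGNORECASE)
# Placeholder for the TIP feed of attacker-attributed domains (hypothetical).
IOC_DOMAINS = {"secure-update-app.example", "sync-service.example"}
# Illustrative shortener hosts; a production list comes from the TIP/MTD vendor.
SHORTENERS = {"bit.ly", "t.co", "tinyurl.com", "cutt.ly"}
# Installer package names treated as trusted; anything else means sideloading.
TRUSTED_INSTALLERS = {"com.android.vending"}
CORRELATION_WINDOW = timedelta(hours=2)   # lure seen -> install, max gap
EXFIL_BYTES = 1_000_000                    # outbound volume worth a point


def ts(s):
    return datetime.fromisoformat(s)


def triage_message(msg):
    """Return the reasons a message's links look like a phishing lure ([] = none)."""
    reasons = []
    for url in URL_RE.findall(msg["body"]):
        parsed = urlparse(url)
        host = (parsed.hostname or "").lower()
        if host in IOC_DOMAINS:
            reasons.append("ioc_domain:" + host)
        if host in SHORTENERS:
            reasons.append("shortener:" + host)
        if parsed.path.lower().endswith(".apk"):
            reasons.append("direct_apk_download")
    return reasons


def hunt(messages, installs, connections):
    """Score each app install per device and return findings, highest first."""
    lures = defaultdict(list)          # device -> [(time, reasons)]
    for m in messages:
        reasons = triage_message(m)
        if reasons:
            lures[m["device"]].append((ts(m["ts"]), reasons))
    conns = defaultdict(list)          # (device, package) -> [connection]
    for c in connections:
        conns[(c["device"], c["package"])].append(c)

    findings = []
    for inst in installs:
        score, evidence = 0, []
        if inst["installer"] not in TRUSTED_INSTALLERS:
            score += 1
            evidence.append("sideloaded via %s" % inst["installer"])
        for t_lure, reasons in lures.get(inst["device"], []):
            gap = ts(inst["ts"]) - t_lure
            if timedelta(0) <= gap <= CORRELATION_WINDOW:   # lure came first
                score += 2
                evidence.append("lure %s before install: %s"
                                % (gap, ",".join(reasons)))
        for c in conns.get((inst["device"], inst["package"]), []):
            if c["dst_host"] in IOC_DOMAINS:
                score += 3
                evidence.append("C2 contact %s" % c["dst_host"])
            if c["bytes_out"] >= EXFIL_BYTES:
                score += 1
                evidence.append("%d bytes out to %s" % (c["bytes_out"], c["dst_host"]))
        if score:
            findings.append({"device": inst["device"], "package": inst["package"],
                             "score": score, "evidence": evidence})
    return sorted(findings, key=lambda f: -f["score"])


# Constructed sample records (SMS/social messages, MDM install log, per-app
# network log). dev-03 is the false-positive case: a shortener link hours
# before an unrelated sideload scores low and needs no escalation.
MESSAGES = [
    {"device": "dev-01", "ts": "2024-03-04T09:12:00", "channel": "sms", "sender": "+15550000001",
     "body": "Your mailbox is full. Install the update: https://secure-update-app.example/mail/update.apk"},
    {"device": "dev-02", "ts": "2024-03-04T10:00:00", "channel": "sms", "sender": "BANK",
     "body": "Your statement is ready at https://bank.example/statements"},
    {"device": "dev-03", "ts": "2024-03-04T11:30:00", "channel": "social", "sender": "@newsfeed",
     "body": "Read more: https://bit.ly/3abcxyz"},
]
INSTALLS = [
    {"device": "dev-01", "ts": "2024-03-04T09:20:00", "package": "com.example.mailupdate", "installer": "com.android.chrome"},
    {"device": "dev-02", "ts": "2024-03-04T12:00:00", "package": "com.example.notes", "installer": "com.android.vending"},
    {"device": "dev-03", "ts": "2024-03-04T18:00:00", "package": "com.example.reader", "installer": "com.android.chrome"},
]
CONNECTIONS = [
    {"device": "dev-01", "ts": "2024-03-04T09:25:00", "package": "com.example.mailupdate", "dst_host": "sync-service.example", "bytes_out": 4_200_000},
    {"device": "dev-02", "ts": "2024-03-04T12:05:00", "package": "com.example.notes", "dst_host": "notes.example", "bytes_out": 12_000},
    {"device": "dev-03", "ts": "2024-03-04T18:10:00", "package": "com.example.reader", "dst_host": "cdn.example", "bytes_out": 30_000},
]

if __name__ == "__main__":
    for f in hunt(MESSAGES, INSTALLS, CONNECTIONS):
        print(f)
```

Against the sample records dev-01 scores 7 (sideload, lure eight minutes earlier, IOC contact, large outbound volume) and goes to the top of the queue, dev-02 produces no finding, and dev-03 scores 1 on the sideload alone because the shortener link fell outside the correlation window; the same weighting applies to the D3 observables further down, where the SMS sender and URL are the cheapest indicators for the attacker to change and therefore carry the least weight on their own.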

Recommendations:

  • Implement a robust Mobile Threat Defense (MTD) solution to detect and prevent mobile threats.
  • Educate users about mobile phishing attacks and the risks of clicking on suspicious links or downloading apps from untrusted sources.
  • Enforce strong password policies and multi-factor authentication to protect sensitive accounts.
  • Regularly update devices and apps to patch vulnerabilities and mitigate risks.
  • Implement network security controls to block access to known malicious domains and IP addresses.
  • Monitor device and network activity for suspicious behavior and investigate potential threats promptly.
  • Stay up-to-date on the latest mobile threat intelligence and security best practices.

False Positive Consideration:

  • Legitimate apps requesting similar permissions or exhibiting similar behaviors (a messaging client needs SMS and contacts access, a navigation app needs location), so permission sets must be judged against the app's stated purpose and combined with delivery and network evidence.
  • Network connections to legitimate domains that may be shared with malicious infrastructure (CDNs, shared hosting, URL shorteners).
  • User activity that mimics malicious behavior but is benign in nature, such as deliberate sideloading of an internal or beta app.

D3 Diagram:

T1566.002: Phishing: Spearphishing Link

* Implementations

* Malicious link delivered via SMS message
* Observable: SMS message containing a suspicious link, Sender phone number, Link URL, SMS body content
* Robustness: Ephemeral Value (Level 1) - Easy to modify, can be obfuscated.
* Scoring Rationale: Attackers can easily change phone numbers, use URL shorteners, or obfuscate the link to evade detection. Content can vary widely.

* Malicious link delivered via social media post
* Observable: Social media post containing suspicious link, Author of the post, Link URL, Post content
* Robustness: Ephemeral Value (Level 1) - Easy to modify, accounts can be compromised.
* Scoring Rationale: Attackers can easily create fake accounts, modify post content, or use URL shorteners to evade detection. Content can vary widely.

* Malicious link delivered via email
* Observable: Email containing suspicious link, Sender email address, Link URL, Email subject, Email body content
* Robustness: Ephemeral Value (Level 1) - Easy to modify, accounts can be compromised.
* Scoring Rationale: Attackers can easily create fake accounts, modify email content, or use URL shorteners to evade detection. Content can vary widely.

* Data Sources

* Lookout Security Platform
* Mobile Device Management (MDM) solution
* Threat Intelligence Platform (TIP)
* Network traffic analysis tools
* YARA
* Sigma

* Modules

* Android Operating System components - Core to OS (Level 4)

* API Functions

* Android API calls related to network communication, SMS messaging, and app permissions - Core to OS (Level 4)

* Files

* Downloaded APK files - Domain/Program Specific (Level 3)

* Network

* TCP/UDP - Core to Technology (Level 5)
* HTTP - Core to Technology (Level 5)
* HTTPS - Core to Technology (Level 5)

* Detections

* Lookout Security Platform - Vendor Specific (Level 2)
* YARA - Tool Specific (Level 2)
* Sigma - Tool Specific (Level 2)
