Carder
Professional
Since the appearance of the Rotexy Trojan, the BI.ZONE computer incident response center has blocked more than 1,000 domain names that the attackers used as command-and-control (C2) servers. All this time we have been closely monitoring the activity of this well-known Android malware. In this article (hopefully its epitaph) we describe Rotexy's activity in recent years and look at how it works.
Rotexy, a cross between a banker and ransomware, appeared in 2018 and has carried out tens of thousands of attacks on users in Russia. Throughout 2020 the malware's activity steadily decreased, but in October and November we recorded an increase again. Whether one of the most prominent banking Trojans will ever be fully active again remains an open question.
HOW THE ATTACK WORKS
Rotexy is distributed by masquerading as the apps of popular online marketplaces. The attack starts quite ordinarily: a text message arrives on the potential victim's phone inviting them to open a malicious link that looks similar to the address of a particular marketplace. The link downloads the banking Trojan. Interestingly, such phishing messages are sent by previously infected devices on the attackers' command.

The banker part of Rotexy consists in encouraging the victim to enter bank card details on a phishing page. The Trojan also acts as ransomware: on command from the C2 server it can lock the screen of the victim's device. In most such cases a page is displayed stating that to unlock the screen the user must "pay a fine" for viewing content (for example, pornographic content).
DISTRIBUTION
Recently, Rotexy operators have become extremely selective in distributing their malware. After a user clicked a malicious link from a text message, the attackers checked the device's User-Agent, and only if the device turned out to be mobile was the malware downloaded.

In addition, the C2 servers are configured so that a malicious file cannot be downloaded more than 2000 times per mailing campaign. These restrictions are meant to hinder detection of the Trojan and blocking of the domains.
ACTIVITY STATISTICS
For almost the entire year we saw a significant decline in Rotexy activity. Whereas at the beginning of 2020 BI.ZONE-CERT sent almost 50 domains registered by Rotexy operators for blocking, in September we found only one.

At the same time, activity started growing again in October: we found 17 domains that month, and in November already 30.
Number of domains sent for blocking during 2020
The peak of new domain registrations by Rotexy operators was recorded in 2019 (see the figure below); at that time the mailings were massive and were observed throughout Russia. In 2018 the malware had only just appeared, and only in the second half of the year, yet the number of domains detected in that period significantly exceeds the figure for the eleven months of 2020. This can be attributed to the fact that recently Rotexy operators have distributed malicious APK files more selectively and, as a rule, registered no more than two domains per day.
Number of domains sent for blocking over three years
DETECTION
Fresh malware samples are not detected by antivirus products because they are obfuscated with private cryptors.

A distinctive feature of Rotexy is its ability to bypass banks' anti-fraud systems. The program tops up the mobile phone account from the victim's bank card and then transfers the funds from that personal account to another number.
BASIC FUNCTIONALITY
Let's look at the basic functionality in Rotexy's arsenal using the file b848e1cfb58b6e6bdcd44104d04877bd as an example.

The original Rotexy executable APK file is heavily obfuscated. The attackers use three obfuscation methods:
- dead code;
- proxy methods;
- string encryption.
Dead code
The malware code is filled with a large amount of so-called dead code, which hinders analysis. In most cases it is implemented as follows: a null (zero) value is placed in a variable, then the variable is checked for null, and if the condition holds (and it always holds) a jump to a specific label is performed. As a result, the code between the check and the label is skipped and never executes.

An example of dead code is shown in the figure below. The code between the comments "start of dead code" and "end of dead code" will never be executed.
Listing with an example of dead code
Proxy methods
We call "proxy methods" methods that call one another in a chain until the target method is reached. An example is shown in the figure below: when onTick() fires, nine methods are called in turn, and only the tenth performs the actual action.
Sequence of calls before reaching the target method
String encryption
The strings in the file are encrypted with AES-256 in CBC mode. Encrypted strings are stored as arrays in which the first element is the encrypted data, the second is the encryption key and the third is the initialization vector. In the listing, an encrypted string looks like this.
Example of an encrypted string
HOW THE MALWARE WORKS
After launching, the malicious application tries to obtain a number of privileges and also sends information about the infected system to the C2 server.

Rotexy stores data about itself, its actions and the infected device in a local SQLite database.
Launch
Once started, Rotexy requests the privileges it needs to perform malicious actions on the infected device.

The malware requests device administrator rights and access to the accessibility service, which it can use to obtain further permissions. It needs privileges that let the malicious app start automatically after the device reboots so that it keeps running. Rotexy also requires permissions to work with Google Cloud Messaging and SMS, which it uses to interact with the C2 server. In addition, the malware needs access to the contact list, as well as the ability to manage the Wi-Fi connection and change the network connectivity state, which requires separate permissions. An important privilege is the ability to draw a window on top of other applications, since this is how the main malicious functionality is implemented.
At startup, Rotexy checks which country it is being launched in. The malicious app is active only in Russia.
Services
Some services run in the background. The service that launches the banker, ransomware or update mode shows the user an HTML page received from the C2 server that corresponds to the banker, ransomware or update page (if the C2 server has enabled these modes). The malicious application has three possible sources of commands from the C2 server: Google Cloud Messaging, HTTP requests and SMS messages. Accordingly, it can run a Google Cloud Messaging (GCM) service, an Internet command-processing service and an SMS-processing service, which are responsible for interacting with the C2 server.

Interaction with the management server
As already mentioned, interaction with the C2 server is possible via HTTP requests, SMS messages and the GCM service.

After launching, the Trojan sends the C2 server information about the current state of the device, including the SID, IMEI, whether administrator privileges are available, screen lock status, "immunity" status, the type of network the smartphone is connected to, screen status (on or off), accessibility service access status and the status of SMS app privileges. A list of running processes and a list of installed applications can also be sent to the C2 server.
The data is transmitted as encrypted JSON: it is first Base64-encoded, then encrypted with AES-256 in CBC mode with zero padding, and then converted to a hexadecimal representation. The IP address of the C2 server, the encryption key, the initialization vector and the GCM identifier are stored in the application configuration. Part of the configuration for this sample is shown in the figure below.
Rotexy Configuration
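As an added example that is not part of the article or the malware's own code, the following Python script reverses the two AES-256-CBC constructions described on this page: the beacon encoding above (JSON, then Base64, then AES-256-CBC with zero padding, then hex) and the [ciphertext, key, IV] arrays from the string-encryption section. The key, IV and device report are constructed placeholders, the Base64 encoding of the array elements is an assumption about the sample, and the `cryptography` package is required.

```python
"""Added example (not BI.ZONE's or the malware's own code).

Decoder for the two AES-256-CBC constructions the article describes:
  * the beacon pipeline JSON -> Base64 -> AES-256-CBC (zero padding) -> hex,
    with key and IV taken from the app configuration;
  * the [ciphertext, key, iv] arrays in which encrypted strings are stored.
KEY, IV and SAMPLE_REPORT are constructed placeholders, not values from a
real sample; Base64 encoding of the array elements is an assumption.
Requires the `cryptography` package.
"""
import base64
import json

from cryptography.hazmat.backends import default_backend
from cryptography.hazmat.primitives.ciphers import Cipher, algorithms, modes

BLOCK = 16
KEY = bytes(range(32))  # constructed 256-bit key (a real one lives in the config)
IV = bytes(range(16))   # constructed 128-bit IV

# Constructed device report with the kinds of fields the article lists.
SAMPLE_REPORT = {"sid": "placeholder-sid", "imei": "000000000000000",
                 "admin": True, "locked": False, "immunity": False,
                 "network": "wifi", "screen_on": True, "accessibility": True,
                 "sms_default": False}


def _zero_pad(data: bytes) -> bytes:
    """Pad with NUL bytes to the next block boundary; aligned input is unchanged."""
    rem = len(data) % BLOCK
    return data if rem == 0 else data + b"\x00" * (BLOCK - rem)


def _aes_cbc_encrypt(plain: bytes, key: bytes, iv: bytes) -> bytes:
    enc = Cipher(algorithms.AES(key), modes.CBC(iv), backend=default_backend()).encryptor()
    return enc.update(_zero_pad(plain)) + enc.finalize()


def _aes_cbc_decrypt(cipher: bytes, key: bytes, iv: bytes) -> bytes:
    if len(cipher) % BLOCK:
        raise ValueError("ciphertext length is not a multiple of the AES block size")
    dec = Cipher(algorithms.AES(key), modes.CBC(iv), backend=default_backend()).decryptor()
    return dec.update(cipher) + dec.finalize()


def encode_beacon(report: dict, key: bytes, iv: bytes) -> str:
    """Client-side pipeline, reproduced only so the decoder can be exercised offline."""
    raw = json.dumps(report, separators=(",", ":")).encode()
    return _aes_cbc_encrypt(base64.b64encode(raw), key, iv).hex()


def decode_beacon(hex_payload: str, key: bytes, iv: bytes) -> dict:
    """Reverse the pipeline on a captured request body (hex string)."""
    plain = _aes_cbc_decrypt(bytes.fromhex(hex_payload.strip()), key, iv)
    # Zero padding is ambiguous in general, but the inner layer is Base64 text,
    # which never contains NUL, so stripping trailing NULs is safe here. A wrong
    # key or IV yields non-Base64 bytes and fails validate=True (a ValueError).
    return json.loads(base64.b64decode(plain.rstrip(b"\x00"), validate=True))


def make_string_triplet(text: str, key: bytes, iv: bytes) -> list:
    """Build a [ciphertext, key, iv] array (Base64 elements) to exercise the decoder."""
    cipher = _aes_cbc_encrypt(text.encode(), key, iv)
    return [base64.b64encode(x).decode() for x in (cipher, key, iv)]


def decrypt_string_triplet(triplet: list) -> str:
    """Decrypt one stored string: [encrypted data, key, IV]."""
    cipher, key, iv = (base64.b64decode(x) for x in triplet)
    return _aes_cbc_decrypt(cipher, key, iv).rstrip(b"\x00").decode()


if __name__ == "__main__":
    body = encode_beacon(SAMPLE_REPORT, KEY, IV)
    print("captured body:", body[:32], "...")
    print("decoded report:", decode_beacon(body, KEY, IV))
    print("string:", decrypt_string_triplet(make_string_triplet("getaway", KEY, IV)))
```

With the key and IV pulled from a sample's configuration, `decode_beacon` turns a captured request body into the device report listed above. Stripping trailing NUL bytes is unambiguous for the beacon because the inner layer is Base64 text; for the raw strings it is safe as long as a plaintext does not legitimately end in NUL.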
Each request to the C2 server generates a new URL of the form hxxp://213[.]166[.]68[.]138/repeater/getaway<random number from 1 to 10000>. The attackers probably use this approach to prevent researchers from replaying requests.
The URL generating code is shown in the figure below.
Code that generates the URL of the management server
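The random suffix defeats replay of a single URL, but it also makes the path shape a stable indicator. As an added example that is not from the article, here is a small Python check over constructed proxy-log lines that flags requests matching /repeater/getaway<N> for N in 1 to 10000, marks the defanged address quoted above separately, and lists clients that hit the pattern repeatedly; the log format, client addresses and other hosts are constructed.

```python
"""Added example (not from the BI.ZONE article or the malware).

A proxy-log check for the C2 request shape described above: every request goes
to /repeater/getaway<N> with N a random number from 1 to 10000, so the path
pattern, rather than any single URL, is the stable indicator. The log lines and
client addresses are constructed; the C2 IP is the defanged address quoted in
the article and is refanged here only for matching.
"""
import re
from collections import Counter
from urllib.parse import urlsplit

KNOWN_C2_HOST = "213[.]166[.]68[.]138".replace("[.]", ".")
GETAWAY_PATH = re.compile(r"^/repeater/getaway(\d{1,5})$")

# Constructed log lines in the form: timestamp client method url status
SAMPLE_LOG = [
    "2020-11-03T10:12:01Z 10.0.0.5 POST http://213.166.68.138/repeater/getaway4821 200",
    "2020-11-03T10:12:03Z 10.0.0.7 GET http://example.com/repeater/getaway 200",
    "2020-11-03T10:12:05Z 10.0.0.5 POST http://198.51.100.10/repeater/getaway77 200",
    "2020-11-03T10:12:09Z 10.0.0.9 GET http://example.org/index.html 200",
    "2020-11-03T10:12:11Z 10.0.0.5 POST http://203.0.113.4/repeater/getaway99999 200",
    "2020-11-03T10:12:14Z 10.0.0.5 POST http://213.166.68.138/repeater/getaway12 200",
]


def classify_url(url: str):
    """Return (reason, host, n) if the URL has the Rotexy C2 shape, else None."""
    parts = urlsplit(url)
    m = GETAWAY_PATH.match(parts.path)
    if not m:
        return None
    n = int(m.group(1))
    if not 1 <= n <= 10000:  # outside the range the malware generates
        return None
    reason = "known-c2-host" if parts.hostname == KNOWN_C2_HOST else "c2-path-pattern"
    return reason, parts.hostname, n


def scan_proxy_log(lines):
    """Return a list of (line_no, client, reason, host, n) for every matching line."""
    hits = []
    for line_no, line in enumerate(lines, 1):
        fields = line.split()
        if len(fields) < 5:
            continue
        client, url = fields[1], fields[3]
        verdict = classify_url(url)
        if verdict:
            hits.append((line_no, client) + verdict)
    return hits


def beaconing_clients(hits, threshold=2):
    """Clients with at least `threshold` hits: repeated getaway<N> requests with
    varying N from one device are the beacon behaviour worth escalating."""
    counts = Counter(h[1] for h in hits)
    return sorted(c for c, k in counts.items() if k >= threshold)


if __name__ == "__main__":
    found = scan_proxy_log(SAMPLE_LOG)
    for h in found:
        print(h)
    print("clients to triage:", beaconing_clients(found))
```

Matching on the path rather than on the quoted IP means a new domain pointing at the same backend is still caught, while the range check drops paths with suffixes the malware would never generate.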
The figure below shows a block of code that illustrates the formation of JSON for sending data to the control server.
Generating JSON data about the infected device
Rotexy polls the C2 server for new commands when instructed to by the bot owners.
On command from the C2 server, the malware can save an HTML template for later use as the banker or ransomware page, along with the data to fill it in. It can also enable or disable the display of the generated HTML pages. Rotexy sends SMS messages to the contact list after receiving the corresponding command. On further commands, the malware can manage the use of GCM, update the C2 server address, send an SMS, revoke administrator rights, send the contact list to the C2 server, enable the banker, ransomware or update modes, and terminate them.
Rotexy can intercept all incoming SMS messages and process them according to its own templates. The application communicates with the C2 server via HTTP or GCM and also receives commands via SMS. Rotexy can receive the following commands via SMS:
- revoke administrator permissions;
- manage the Internet connection via the mobile network or Wi-Fi;
- send a text message;
- change the address of the management server.
CONCLUSION
Rotexy appeared a long time ago and has hardly changed its functionality, apart from the way it is distributed. Even though we observed a significant decrease in the Trojan's activity throughout 2020, it has not disappeared: over the last two months the number of domains registered by its operators has been growing.

Although Rotexy operators stopped using mass mailings to distribute their malware long ago, it is worth paying closer attention to the messages you receive.