# Android Malware Appears Linked to Lazarus Cybercrime Group

**[securingtomorrow.mcafee.com/mcafee-labs/android-malware-appears-linked-to-lazarus-cybercrime-group/](https://securingtomorrow.mcafee.com/mcafee-labs/android-malware-appears-linked-to-lazarus-cybercrime-group/#sf174581990)**

November 20, 2017, by [McAfee](https://www.mcafee.com/blogs/author/mcafee/)

_This blog was written by Inhee Han._

The McAfee Mobile Research team recently examined a new threat, Android malware that contains a backdoor file in the [executable and linkable format (ELF)](https://en.wikipedia.org/wiki/Executable_and_Linkable_Format). The ELF file is similar to several executables that have been reported to belong to the [Lazarus cybercrime group](https://en.wikipedia.org/wiki/Lazarus_Group). (For more on Lazarus, read [this post from our Advanced Threat Research Team](https://securingtomorrow.mcafee.com/mcafee-labs/lazarus-cybercrime-group-moves-to-mobile).)

The malware poses as a legitimate APK, available from Google Play, for reading the Bible in Korean. The legitimate app has been installed more than 1,300 times. The malware has never appeared on Google Play, and we do not know how the repackaged APK is spread in the wild.

_Figure 1: Description of the legitimate app on Google Play._

_Figure 2: An overview of the malware’s operation._

## Comparing Certificates

The repackaged APK has been signed by a different certificate from the legitimate APK. We can see the differences in the following two screen captures:

_Figure 3: The certificate of the malicious, repackaged APK._

_Figure 4: The certificate of the legitimate APK._

Once the malicious APK installs its code, it attempts to execute the backdoor ELF from “assets/while.” If the ELF successfully executes, it turns the device into a bot.

_Figure 5. The main function for executing the backdoor ELF._

## Analyzing the Backdoor

Once the backdoor ELF starts, it turns into a zombie process to protect itself.
It remains a zombie even if the parent process terminates, as long as the “dex” execute() method has run successfully.

_Figure 6. The malware turns itself into a zombie process._

The malware contains a list of IP addresses of control servers. The list is encoded and written to the file /data/system/dnscd.db.

The preceding table lists information for each of the IP addresses. None of these is available now.

_Figure 7. The flow of writing the encoded control server IPs to a file._

The IP address array is encoded by a simple routine when it is loaded into memory from the read-only data section; that encoded data is written to the file /data/system/dnscd.db. The decoded file is then loaded into memory to select an IP address to connect to. One of the control servers is selected randomly immediately before the backdoor process attempts to connect to its address. The attempt is repeated until the backdoor successfully connects to one of the control servers.

_Figure 8. The malware creates a socket and connects to a randomly selected control server._

Once connected with a control server, the malware begins to fill the buffer used for a callback beacon. Figure 9 shows a part of the message-generating code. Several fields of the packet are hardcoded, particularly the bytes at offsets 0, 4, and 5. After we realized that the message only pretended to use the SSL handshake protocol, we understood the meaning of the hardcoded bytes. The byte at offset 0 is the handshake type; offsets 4 and 5 are the SSL version of the handshake layer, a part of transport layer security.

_Figure 9. A part of the function for generating a callback beacon._

_Figure 10. Transferring data to be used as the callback beacon to the control server._

After the message is generated, the malware sends the following packet (Figure 11) to the control server as a callback beacon.
There is a randomly selected well-known domain in the packet, placed in the Server Name Indication (SNI) field of the extension data. We suspect this is an evasion technique to avoid detection by security solutions looking for suspicious behaviors.

_Figure 11. A captured packet from the callback beacon._

_Figure 12. The list of legitimate (well-known) domains in the binary._

After sending the callback beacon, the malware assigns global variables that contain device information, which is transferred to the control server once the malware receives the command code 0x5249. Figure 13 shows the jump table for implementing commands and its pseudo code.

_Figure 13. The jump table for implementing commands from the control server and the structure for receiving data._

The functions are described in the following table. Command code and arguments arrive as structured data from the control server, as shown in Figure 13. The command code and arguments are assigned, respectively, to the CMD and DATA member variables of the received data structure.

After performing commands received from the control server, the malware returns the results to the control server using the codes in Figures 14 and 15. Before transferring the results, the return code and data are stored in a structure described in the following pseudo code.

_Figures 14 and 15. The codes and data structure returned to the control server._

## Similarities to Lazarus Malware

In Figure 16, the function on the left is from the backdoor ELF we have analyzed. On the right, we see procedures found in several executables used by the Lazarus Group in various attacks.

_Figure 16. Similar functions to the executable used in the Sony Pictures attack._

Both functions look very similar, and the hexadecimal seeds for generating a key for encryption and decryption are the same. Both functions are also used to generate a message encryption and decryption key between the victim and the control server.
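The fake-TLS framing this post describes (a ClientHello-shaped beacon whose handshake type sits at offset 0 and whose version sits at offsets 4 and 5, carrying a decoy well-known domain in the SNI extension, and a five-byte record header with a content type in the range 0x14–0x17, the hardcoded value 0x0301 and a length, as discussed with Figures 19–21 later in the post) can be checked from the defender's side with a small parser. The following is an added example written for this page; it is not McAfee's analysis code and not the malware's code. It assumes standard TLS record and ClientHello layouts, treats 0x0301 as the TLS 1.0 record-layer version, and builds its own constructed sample message rather than using a capture from the malware.

```python
import struct
from typing import Optional

# Values taken from the post's protocol description: the five-byte header
# carries a content type in 0x14-0x17, the hardcoded value 0x0301 (the TLS 1.0
# record-layer version), and the length of the message that follows.
RECORD_VERSION = 0x0301
MIN_CONTENT_TYPE, MAX_CONTENT_TYPE = 0x14, 0x17
HANDSHAKE = 0x16          # content type of a handshake record
CLIENT_HELLO = 0x01       # handshake type at offset 0 of the beacon message
EXT_SERVER_NAME = 0x0000  # extension id that carries the SNI host name


def parse_record_header(header: bytes):
    """Validate a five-byte header the way the post's receive function does and
    return (content_type, length). Raises ValueError on anything off-protocol."""
    if len(header) != 5:
        raise ValueError("record header must be exactly 5 bytes")
    content_type, version, length = struct.unpack("!BHH", header)
    if not MIN_CONTENT_TYPE <= content_type <= MAX_CONTENT_TYPE:
        raise ValueError(f"content type 0x{content_type:02x} outside 0x14-0x17")
    if version != RECORD_VERSION:
        raise ValueError(f"version 0x{version:04x} is not the hardcoded 0x0301")
    return content_type, length


def extract_sni(message: bytes) -> Optional[str]:
    """Walk a ClientHello-shaped handshake message (offset 0 = handshake type,
    offsets 4-5 = version) and return the host name from its SNI extension."""
    if len(message) < 4 or message[0] != CLIENT_HELLO:
        raise ValueError("message is not a ClientHello")
    body_len = int.from_bytes(message[1:4], "big")
    body = message[4:4 + body_len]
    if len(body) != body_len:
        raise ValueError("truncated ClientHello body")
    pos = 2 + 32                                              # client_version + random
    pos += 1 + body[pos]                                      # session id
    pos += 2 + struct.unpack("!H", body[pos:pos + 2])[0]      # cipher suites
    pos += 1 + body[pos]                                      # compression methods
    if pos + 2 > len(body):
        return None                                           # no extensions present
    end = pos + 2 + struct.unpack("!H", body[pos:pos + 2])[0]
    pos += 2
    while pos + 4 <= end:
        ext_type, this_len = struct.unpack("!HH", body[pos:pos + 4])
        pos += 4
        data = body[pos:pos + this_len]
        pos += this_len
        if ext_type != EXT_SERVER_NAME:
            continue
        list_len = struct.unpack("!H", data[:2])[0]
        q = 2
        while q + 3 <= 2 + list_len:                          # name_type(1) name_len(2) name
            name_type = data[q]
            name_len = struct.unpack("!H", data[q + 1:q + 3])[0]
            q += 3
            name = data[q:q + name_len]
            q += name_len
            if name_type == 0:                                # host_name
                return name.decode("ascii")
    return None


def inspect_beacon(record: bytes, peer: str) -> dict:
    """Split a captured record into header and message, validate both, and report
    whether the SNI names the peer the socket actually connected to. A decoy SNI on
    a connection to a bare control-server IP (as in Figure 11) shows up as a mismatch."""
    content_type, length = parse_record_header(record[:5])
    message = record[5:5 + length]
    if len(message) != length:
        raise ValueError("truncated message")
    sni = extract_sni(message) if content_type == HANDSHAKE else None
    hello_version = struct.unpack("!H", message[4:6])[0] if content_type == HANDSHAKE else None
    return {"content_type": content_type, "length": length, "hello_version": hello_version,
            "sni": sni, "sni_matches_peer": sni is not None and sni == peer}


def build_client_hello(server_name: str) -> bytes:
    """Constructed test fixture (not a capture from the malware): a minimal
    ClientHello message whose only extension is an SNI entry."""
    name = server_name.encode("ascii")
    entry = b"\x00" + struct.pack("!H", len(name)) + name
    sni_ext = (struct.pack("!HH", EXT_SERVER_NAME, len(entry) + 2)
               + struct.pack("!H", len(entry)) + entry)
    body = (struct.pack("!H", RECORD_VERSION) + b"\x11" * 32   # version + fixed random
            + b"\x00"                                           # empty session id
            + struct.pack("!H", 2) + b"\x00\x2f"                # one cipher suite
            + b"\x01\x00"                                       # null compression only
            + struct.pack("!H", len(sni_ext)) + sni_ext)
    return bytes([CLIENT_HELLO]) + len(body).to_bytes(3, "big") + body


def wrap_record(content_type: int, message: bytes) -> bytes:
    """Prepend the five-byte header described with Figure 20."""
    return struct.pack("!BHH", content_type, RECORD_VERSION, len(message)) + message


if __name__ == "__main__":
    # Constructed sample: a decoy SNI sent to a bare IP, which is what a mismatch looks like.
    sample = wrap_record(HANDSHAKE, build_client_hello("example.com"))
    print(inspect_beacon(sample, "203.0.113.7"))
```

The `sni_matches_peer` field is the detection hook: when a handshake carries a host name that has nothing to do with the address the socket was opened to, the SNI is decorative, which is exactly the evasion behaviour the post suspects. The header checks mirror the validation the post attributes to the receive function, so the same code also rejects records that a real TLS stack would accept but this protocol would not.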
Figure 17 shows the functions of both the backdoor ELF and an executable recently used by the Lazarus Group. The function connects to the control server and generates a disguised SSL ClientHello packet. The generated packet is then sent to the control server as a callback beacon.

_Figure 17. The functions to establish a connection to the control server (ELF on the left)._

The function in Figure 18 generates a disguised ClientHello packet to use as a callback beacon.

_Figure 18. Generating the disguised ClientHello packet (ELF on the left)._

Both backdoors use the same protocol, as we confirmed when analyzing the function for receiving a message from the control server. Figure 19 shows the protocol for transferring a message between the backdoor and the control server.

_Figure 19. The receive message function included in the checking protocol (ELF on the left)._

To transfer a message from the source, the malware first sends a five-byte message to the destination. The message contains information on the size of the next packet, a hardcoded value, and the type of message. The hardcoded value is 0x0301, and the type of message can be between 0x14 and 0x17. The message type can also be used to check the validity of the received packet. The following is pseudo code from the receive function:

_Figure 20. The five-byte packet sent before the source sends its primary message._

_Figure 21. Pseudo code from the receive message function._

## Conclusion

The security industry keeps an eye on the Lazarus Group, and McAfee Mobile Security researchers actively monitor for mobile threats by Lazarus and other actors. We compared our findings with the threat intelligence research of our Advanced Threat Research team, which studies several groups and their techniques. Due to the reuse of recent campaign infrastructure, code similarities, and functions such as the fake transport layer security, these tactics match many we have observed from the Lazarus Group.
We do not know if this is Lazarus’ first activity on a mobile platform. But based on the code similarities, we can say with high confidence that the Lazarus Group is now operating in the mobile world.

McAfee Mobile Security detects this malware as “Android/Backdoor.” Always keep your mobile security application updated to the latest version, and never install applications from unverified sources. This habit will reduce the risk of infection by malware.

## Indicators of Compromise

**_Hashes_**

- 12cc14bbc421275c3c6145bfa186dff
- 24f61120946ddac5e1d15cd64c48b7e6
- 8b98bdf2c6a299e1fed217889af54845
- 9ce9a0b3876aacbf0e8023c97fd0a21d

**_Domains_**

- mail[.]wavenet.com.ar
- vmware-probe[.]zol.co.zw
- wtps[.]org

**_IP addresses_**

- 110[.]45.145.103
- 114[.]215.130.173
- 119[.]29.11.203
- 124[.]248.228.30
- 139[.]196.55.146
- 14[.]139.200.107
- 175[.]100.189.174
- 181[.]119.19.100
- 197[.]211.212.31
- 199[.]180.148.134
- 217[.]117.4.110
- 61[.]106.2.96