1/3 @cryptax January 25, 2022 BianLian C&C domain name cryptax.medium.com/bianlian-c-c-domain-name-4f226a29e221 @cryptax Jan 25 · 2 min read You might want to read my prior articles on Android/BianLian first: , , . There was a remaining point which was bugging me: how does the Android/BianLian bot know where to contact the C&C? Having worked on the samples for several days, I noticed they weren’t always heading to the same website: hxxp://rheacollier31532[.]website , hxxp://shanehook85484[.]website etc. So, where do those names come from? Is this from a Domain Generation Algorithm (DGA)? or are they hidden in an asset? Answer: the active C&C is returned by a malicious GitHub user account. The account name unfortunately varies from one sample to another: hxxps://gist.githubusercontent.com/ferrari458italy/4fe02ee186816abcfcc a6eaaed44659d/raw/helloworld.json hxxps://gist.githubusercontent.com/monopolyofficial/e0656a5a4d04af06e2 af9ed83aa0c868/raw/helloworld.json … The json page actually contains a Base64-encoded JSON object with the C&C’s URL: $ curl XX0K$ echo "eyJkb21haW5zIjpbImh0dHA6Ly9mdWxsdmVoZHZpZGVvaXpsZW1lYXlhcmxhcmk0NTQ1LnNpdGUiXX0K" | base64 -d{"domains":[""]} How does the code work? 1. At first, the code sets a Property with a decrypted admin URL. https://cryptax.medium.com/bianlian-c-c-domain-name-4f226a29e221 https://cryptax.medium.com/?source=post_page-----4f226a29e221-------------------------------- https://cryptax.medium.com/?source=post_page-----4f226a29e221-------------------------------- https://twitter.com/cryptax/status/1485565228339408900?s=20 http://rheacollier31532.websit/ https://gist.githubusercontent.com/ferrari458italy/4fe02ee186816abcfcca6eaaed44659d/raw/helloworld.json https://gist.githubusercontent.com/monopolyofficial/e0656a5a4d04af06e2af9ed83aa0c868/raw/helloworld.json 2/3 2. Actually, as the shared preferences file has no C&C yet, this will actually return a dummy C&C https://www.google.com 3. The real C&C is retrieved from the init procedure I have renamed methods for better readability. The original name of the method is com.pmmynubv.nommztx.bot.g.b 4. The code retrieves the “domains” parameter of the JSON 5. Finally, the code sets the URL in the shared preferences. 3/3 The code reads the “domains” part of the JSON object (readUrl), removes the trailing / if necessary, and finally writes the URL down in its configuration. The original name of this method is com.pmmynubv.nommztx.bot.g.a Conclusion: there is no DGA algorithm. It is just a hard-coded remote URL serving an updated C&C name. — the Crypto Girl