Social engineering used to trick Facebook users into downloading Advanced Persistent Threat disguised as Kik Messenger app.
A few months ago, one of our customers contacted us regarding strange messages he received on Facebook Messenger. The messages came from fake Facebook profiles belonging to attractive, but fictitious women. These women encouraged him to download another chat application to continue their conversations. The chat application the women referred him to was spyware, disguised as the Kik Messenger app, distributed through a very convincing fake site.
After analyzing the fake Kik Messenger app, we spotted the spyware, or Advanced Persistent Threat (APT). We are calling the APT “Tempting Cedar Spyware”. We dug deeper into our archives and found APKs belonging to several fake messenger and feed reader apps, all of which included the same malicious modules.
During our analysis, we also discovered that our customer was not the only person to encounter the Tempting Cedar Spyware, and, unfortunately, many fell for the trap.
Tempting Cedar Spyware was designed to steal information like contacts, call logs, SMS, and photos, as well as device information, like geolocation - in order to keep track of movements - and was capable of recording surrounding sounds, including conversations victims had while their phone was within range.
Based on various clues from the fake Facebook profiles and the campaign infrastructure, we believe the people behind the Tempting Cedar Spyware are Lebanese. The campaign was highly targeted and ran deep under the radar. At the moment, Avast is one of few mobile antivirus providers detecting the threat. Our detection is Android:SpyAgent-YP [Trj].
Due to the potential impact on the victims targeted with the malware, we contacted law enforcement agencies to help us with threat mitigation.
The malware was distributed using several fake Facebook profiles. After engaging in flirty conversations with their victims, which were most likely young men, the attackers offered to move the conversation from Facebook to a more “secure and private” platform, where they could have more intimate interactions. Then, the attackers sent a link to the victims, that led to a phishing website, which hosted a downloadable and malicious version of the Kik Messenger app. The victims had to adjust their device settings to install apps from unknown sources, before installing the fake messaging app. This should raise red flags for users, however, sometimes temptation trumps security.
Once the malware was installed, it immediately connected to a command and control (C&C) server.
The spyware was spread using at least the following three fake Facebook profiles. We have blurred the photos, as the photos used for the fake accounts were stolen from real people:
One interesting point to note is that the three girls interacted with one another on Facebook, perhaps to make their profiles appear a bit more credible:
Above: A screenshot of how the attackers convinced their victims to install the fake Kik Messenger application.
The website used to distribute a malicious copy of the Kik Messenger app, chat-messenger.site (126.96.36.199), operated until spring 2017 and was a very convincing copycat.
The Tempting Cedar Spyware is split into different modules with specific commands. There are several modules designed to gather personal information about the victim, including contacts, photos, call logs, SMS, as well as information about the mobile device, such as geolocation, Android version, device model, network operator, and phone numbers.
Other modules were created to record audio streams or gain access to the infected device’s file system.
All modules with commands:
|AUDIO||START, STOP, RECORD_START, RECORD_STOP|
|FS (File System)||APP, CD, DOWNLOAD, DOWNLOAD_STATUS, EXTERNAL, GET, INSTALL, INTERNAL, LS, MKDIR, PWD, RM|
|INFO / USER_INFO||PS (running apps process list)|
|PHOTOS||LSX, GETX, LSI, GETI, TAKEPIC_FRONT, TAKEPIC_BACK|
|TELEPHONE||COUNT_CALL_LOGS, COUNT_SMS, GET_CALL_LOGS, GET_SMS|
The spyware persisted as a service and ran after every reboot.
The fake Kik application contains the same injected malicious class eighty9.guru and a specific rsdroid.crt file with different certificates belonging to the C&C domain.
Through the reuse of the same rsdroid.crt certificate name, we were able to find additional C&C and data exfiltration servers.
All rsdroid.crt certificates from the fake APK:
|Issued to||Valid from||Valid to||Serial number|
The malware communicated on the TCP port 2020, but it is also worth mentioning that there was also a C&C console running on port 443 with a familiar certificate subject common name - rsdroid.
The C&C console allowed attackers to live track their victims. The image below does not include any data, as we don’t want to disclose any of the victims’ locations, but shows the region where Tempting Cedar was spread the most:
Other hosts with this common name are easy to find using open source tools:
Above: Open source data about the C&C server hosts
We created an image of the computer infrastructure used in the campaign:
It is always difficult to attribute persistent threat campaigns, like this one, to cybercriminals. However, pieces of information point to the cybercriminals behind this campaign being Lebanese.
The first clue that led us to this conclusion are the attackers’ working hours. We only saw about 30 logins in the SSH log we received. The user root logged on on workdays, occasionally on Saturdays, but never on Sundays.
The second breadcrumb we found was the infrastructure used in the campaign, which also points to Lebanon.
WHOIS data revealed that two domains used were registered by someone from Lebanon, whereas others were registered with fictitious registrant data.
Chat-world.site was registered by Jack Zogby, Beirut, Lebanon, email@example.com
Network-lab.info was registered by Jack Halawani, Beirut, Lebanon, firstname.lastname@example.org
Over the last two years, SSH logins were made from Lebanese ISPs’ IP ranges. ( 188.8.131.52/22, 184.108.40.206/24)
One of the fake Facebook profile’s likes are also interesting, and if any of the victims had taken a closer look at these, they may not have fallen for the scam. Rita, the petite brunette, seems to be interested in military groups, and a Lebanese and Israel friendship.
Above: Rita’s likes on Facebook
The Lebanon & Israel Friendship connection group is interesting when considering the the victims’ locations.
While we observed a low number of victims from the USA, France, Germany, and China, the majority of victims were from the Middle East, with most of the victims located in Israel:
Above: Map showing the countries most of the victims came from
The targeted Tempting Cedar campaign has been running under the radar since as far back as 2015, targeting people in Middle Eastern countries. The spyware’s infection vector involves social engineering using attractive, but fictitious Facebook profiles. The fake Kik APK sent to victims is masqueraded as a legitimate Kik Messenger app, however, after gaining access to victims’ phones, the spyware starts to exfiltrate sensitive data, sending data back to the attacker’s infrastructure. Evidence points to the attackers being a Lebanese hacking group; however, we cannot be 100% sure this is true. The social engineering part of the campaign seems to have targeted people in Eastern European and Middle Eastern countries.
Despite unsophisticated techniques and the level of operational security being used, the attack managed to remain undetected for several years.
The cybercriminals behind the Tempting Cedar Spyware were able to install a persistent piece of spyware by exploiting social media, like Facebook, and people’s lack of security awareness, and were thus able to gather sensitive and private data from their victims’ phones including real-time location data which makes the malware exceptionally dangerous.
Here are a few things you can do to avoid being manipulated like this into downloading spyware:
Fake Kik messenger SHA256:
Fake Datasettings SHA256:
Fake feedreader SHA256:
IPs (including historic records):
Rsdroid certificate serial numbers:
Fake FB profiles:
Unrelated to the CCleaner attack, Avast also found ShadowPad samples active in South Korea and Russia, logging a financial transaction
Close to 50,000 Minecraft accounts infected with malware designed to reformat hard-drives and more.