Malware: Research shows how Bit2MeProsih exploits victims with Trojan

Alameen Karim Merali
7 min read · Feb 17, 2024


Introduction

The malware analysis report you are about to read was conducted by me in collaboration with Taiwo Owolabi (a Nigerian federal law enforcement agent).

I decided to write up this analysis after an agent from the agency gave me an OSINT report on a pig butchering crypto scam, which I have written about in my Substack article. If you are interested in the background, I recommend reading the Substack article first, since this post is only a presentation of the malware analysis of the software the scammers use.

As usual, I begin with the verdicts from threat intelligence engines before moving on to the actual static and dynamic analysis of the malware itself, so please stay tuned.

Threat Intelligence Report

We will be using two threat intelligence engines here: VirusTotal, which is the one I usually use, and Joe Sandbox, which gives a detailed behavioural report before we get into the actual dynamic and static analysis. To clarify up front, there is no sandbox report for the iOS version, because most engines do not flag it as malicious. After uploading it to MalwareBazaar, however, InQuest and other threat intelligence vendors do return a verdict of either Malicious or Suspicious, as seen here:

Threat Intelligence Report after uploading to Malware Baazar (iOS Bookmark)

We further see that YARA signatures match on a Bitcoin address embedded in the profile, which is consistent with a pig butchering crypto scam:

YARA Rule Pointing to a Valid Bitcoin Address (iOS Bookmark)
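A YARA rule that "points to a valid Bitcoin address" is, in practice, a character-class pattern, so it also fires on random Base58-looking strings. The check below is an added example, not code from the original report or from the YARA rule in question: it extracts candidate legacy addresses from a blob of strings and keeps only those whose Base58Check checksum verifies, which is the same validation a wallet performs before accepting an address. The sample text is constructed and contains no strings from the analysed app.

```python
import hashlib
import re
from typing import Optional

B58_ALPHABET = "123456789ABCDEFGHJKLMNPQRSTUVWXYZabcdefghijkmnopqrstuvwxyz"

# Legacy Base58Check addresses: P2PKH starts with '1', P2SH with '3'.
# Bech32 (bc1...) addresses use a different encoding and are not handled here.
CANDIDATE_RE = re.compile(r"\b[13][1-9A-HJ-NP-Za-km-z]{25,34}\b")


def base58check_decode(addr: str) -> Optional[bytes]:
    """Return the 25-byte payload (version + hash160 + checksum), or None."""
    n = 0
    for ch in addr:
        idx = B58_ALPHABET.find(ch)
        if idx < 0:
            return None
        n = n * 58 + idx
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    # Each leading '1' encodes a leading zero byte that the integer form drops.
    leading_zeros = len(addr) - len(addr.lstrip("1"))
    payload = b"\x00" * leading_zeros + body
    if len(payload) != 25:
        return None
    checksum = hashlib.sha256(hashlib.sha256(payload[:21]).digest()).digest()[:4]
    return payload if checksum == payload[21:] else None


def is_bitcoin_address(addr: str) -> bool:
    """True only if the checksum verifies and the version byte is mainnet."""
    payload = base58check_decode(addr)
    # 0x00 = mainnet P2PKH, 0x05 = mainnet P2SH
    return payload is not None and payload[0] in (0x00, 0x05)


def find_bitcoin_addresses(text: str) -> list:
    """Regex for candidates, then keep only those that validate."""
    return [a for a in CANDIDATE_RE.findall(text) if is_bitcoin_address(a)]


# Constructed sample text (a scam-style deposit instruction); the first
# address is the well-known genesis block address, the second has a
# corrupted final character so its checksum fails.
SAMPLE_STRINGS = (
    "deposit USDT/BTC to 1A1zP1eP5QGefi2DMPTfTL5SLmv7DivfNa before 18:00 "
    "backup 1A1zP1eP5QGefi2DMPTfTL5SLmv7DivfNb"
)

if __name__ == "__main__":
    print(find_bitcoin_addresses(SAMPLE_STRINGS))
```

Run the same function over `strings` output of the profile or APK to confirm that what the YARA rule matched is a real address worth pivoting on in a blockchain explorer, rather than a coincidental Base58 run.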

You can look through the Spamhaus report from this link when you have time. It does not have much for you to investigate, so you can stick to the Joe Sandbox report below for the Android malware and see for yourself what this app is capable of.

Threat Intelligence Report (iOS)

Since the iOS "app" is not an app at all but a configuration profile that installs a bookmark, a threat intelligence report has little to work with. Nonetheless, the Spamhaus report is linked above.

VirusTotal Report (iOS)

You can access this report from here.

As we can see, there is not much to get from here, except that VirusTotal's file-type identification labels the profile a Microsoft Catalog file. I read this as a sign that the scammer is working on Windows. A caveat for the practitioner: a signed iOS configuration profile is a DER-encoded PKCS#7/CMS SignedData blob, the same container format Windows .cat files use, so the label reflects the signature wrapper rather than the tooling, and is weak evidence of the operator's operating system on its own.

VirusTotal Report (Android)

You can access this report from here.

Here we see that only two antivirus engines detect this program as malware. The package contains an ELF file (the executable format used by Linux and by Android native libraries), and the app can perform reflection, read the CPU name and use telephony functions. We also see the suspicious permissions the app holds.
Here we see a suspicious URL the app communicates with, as well as suspicious programs embedded in the app.
We see other things this app can do, such as command and control, discovery of virtual machines and of network connections. We also see HTTP requests to their website, which we will look into further when performing static analysis of the APK file, and the file matches rules from several intrusion detection systems, a clear indicator of a malicious threat.

Joe Sandbox Report (Android)

You can view the full report from here.

We can see from this analysis what the app has the potential to do. The classification includes evasion, meaning it tries to remain undetected on the victim's device.
The app matches no intrusion detection system signatures or YARA rules.
The app has suspicious certificates, and the MITRE ATT&CK mapping shows what it is capable of.
The app has no antivirus matches, and we see which links it points to when in use.
We can further see the ASNs tied to this application, including malicious ones, one of which belongs to a company named Leonbro Industrial Construction, LLC. A construction company's network is an odd home for a trading app and supports the suspicion that money mules or front companies in the United States are involved.
We see other APK files matching the same digital fingerprints and IPs as this app.
Here we see the same suspicious permissions and certificate.
The app can install other packages, so it very likely acts as a downloader for a worse second stage. The report also references the app sending and receiving text messages.

You can view the rest of the report on your own time; from this much we already understand how malicious this program is.

Dynamic Analysis (iOS)

The dynamic analysis of the iOS component does not reveal much, except that a configuration profile downloaded from the scammers' official website creates a web interface bookmark so the site can be opened from the home screen. The "app" is not an app at all but a bookmark that opens the pig butchering scam website from the home screen in the Safari browser.

Certificate Pointing to China
Here we see the same certificate pointing to a website, which we will look at further during the analysis of the Android program.

Static Analysis (iOS)

The static analysis of the iOS configuration profile that installs the bookmark shows that nearly everything in it, labels and configuration strings alike, is written in Chinese, as the screenshots below show:

Chinese Writings in App File Configuration
Chinese Writing in App File Configuration

This further supports the conclusion in the Substack article that the scam originates from China. In addition, the Whois record for the website ties to China. Registrars are obliged under ICANN rules to keep Whois data accurate and may suspend a domain over false details, but falsified or proxied Whois data is common, so treat it as corroboration rather than proof on its own.
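A home screen bookmark on iOS is delivered as a configuration profile (.mobileconfig): an XML property list whose PayloadContent holds a com.apple.webClip.managed payload carrying the URL, the Label shown under the icon, and whether the user may remove the clip. The script below is an added example, not part of the original analysis and not the scammers' profile; the embedded profile, its domain trade.example.invalid, its identifiers and its Chinese label are constructed stand-ins. It pulls the web clip details out of either an unsigned profile or a CMS-signed one, in the latter case by carving the plist out of the DER wrapper, which is a triage shortcut that does not verify the signature.

```python
import plistlib

WEBCLIP_TYPE = "com.apple.webClip.managed"


def extract_plist(raw: bytes) -> bytes:
    """Return the XML plist inside a .mobileconfig.

    An unsigned profile is the plist itself.  A signed profile is a DER
    encoded CMS SignedData (first byte 0x30) whose content is that same
    plist, so carving the <?xml ... </plist> span out of the DER gets the
    payload for triage.  This does NOT verify the signature.
    """
    raw = raw.lstrip()
    if raw.startswith((b"<?xml", b"<plist", b"bplist")):
        return raw
    if raw[:1] == b"\x30":
        start, end = raw.find(b"<?xml"), raw.find(b"</plist>")
        if start == -1 or end == -1:
            raise ValueError("signed profile without an embedded XML plist")
        return raw[start:end + len(b"</plist>")]
    raise ValueError("not a configuration profile")


def analyse_profile(raw: bytes) -> dict:
    """Summarise a profile: every payload type, plus web clip details."""
    profile = plistlib.loads(extract_plist(raw))
    payloads = profile.get("PayloadContent", [])
    clips = [
        {
            "label": p.get("Label"),
            "url": p.get("URL"),
            # IsRemovable=false pins the bookmark: the user cannot delete it
            # from the home screen without removing the whole profile.
            "removable": p.get("IsRemovable", True),
            "full_screen": p.get("FullScreen", False),
        }
        for p in payloads if p.get("PayloadType") == WEBCLIP_TYPE
    ]
    return {
        "signed": raw.lstrip()[:1] == b"\x30",
        "display_name": profile.get("PayloadDisplayName"),
        "payload_types": [p.get("PayloadType") for p in payloads],
        "web_clips": clips,
    }


# Constructed unsigned profile; domain, identifiers and the Chinese label
# ("交易所", exchange) are stand-ins, not values from the scammers' profile.
SAMPLE_PROFILE = """<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0">
<dict>
  <key>PayloadContent</key>
  <array>
    <dict>
      <key>PayloadType</key><string>com.apple.webClip.managed</string>
      <key>PayloadIdentifier</key><string>com.example.webclip.trade</string>
      <key>PayloadUUID</key><string>0F3C2D4E-0000-4000-8000-000000000001</string>
      <key>PayloadVersion</key><integer>1</integer>
      <key>Label</key><string>交易所</string>
      <key>URL</key><string>https://trade.example.invalid/app</string>
      <key>IsRemovable</key><false/>
      <key>FullScreen</key><true/>
    </dict>
  </array>
  <key>PayloadDisplayName</key><string>Trade App</string>
  <key>PayloadIdentifier</key><string>com.example.profile.trade</string>
  <key>PayloadType</key><string>Configuration</string>
  <key>PayloadUUID</key><string>0F3C2D4E-0000-4000-8000-000000000002</string>
  <key>PayloadVersion</key><integer>1</integer>
</dict>
</plist>
""".encode("utf-8")

if __name__ == "__main__":
    print(analyse_profile(SAMPLE_PROFILE))
```

For the signed profile itself, `openssl smime -inform der -verify -noverify -in profile.mobileconfig -out profile.plist` extracts the signed plist properly, and `openssl pkcs7 -inform der -print_certs -in profile.mobileconfig` prints the signing certificate chain, which is where the certificate details shown in the screenshots above come from. Anything beyond a single web clip in `payload_types` (a VPN, proxy, certificate or MDM payload) changes the picture from a bookmark to device control and deserves a closer look.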

Dynamic Analysis (Android)

There is not much to reveal with the dynamic analysis for Android, since it is basically the same story. The app runs as normal and shows no overtly suspicious activity, consistent with spyware whose purpose, I believe, is to let the scammers watch what their victims are doing, so they can gather information and know when to scam them again, or perhaps steal from their bank and credit card accounts unnoticed. The app is very quiet once installed and shows no visible signs of infection. It is essentially a web interface for the website itself, a WebView wrapper, just like the iOS mobile configuration file.

Static Analysis (Android)

From here, we see the same suspicious permissions. The app can connect to the internet, mount and unmount filesystems, write to and read from external storage, access the camera, access the mobile launcher and more. This is a lot of permission for a WebView wrapper to hold.

This further indicates that the program is most likely malware used with malicious intent. From the left side, we also see that the program is built on the Cordova framework, the same framework I use to build games as a game developer. Cordova packages an HTML, CSS and JavaScript web app inside a native WebView container and exposes device features (camera, file system, geolocation, SMS and so on) through plugins; the same source compiles to an Android package, an iOS package or a plain web build, so it is used to build apps for all kinds of operating systems and web applications. The permissions an APK ends up with come largely from the plugins the developer chose to bundle, which is why the permission list and the plugin list are the first things to inspect.
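The permission and Cordova findings above come from a decompiler, but a first pass needs nothing more than a ZIP reader and string scanning, since an APK is a ZIP and compiled Android XML keeps its string pool in UTF-16LE. The script below is an added example, not the author's tooling and not code from the Cordova project; the APK it builds in memory (package name, the trade.example.invalid URLs, the permission set and the plugin classes) is a constructed look-alike of a Cordova WebView wrapper, not the real sample. It flags the Cordova markers, native ELF libraries, embedded URLs, bundled Cordova plugin classes, and the permissions a plain WebView app has no business holding.

```python
import io
import re
import zipfile

# The same patterns are applied to a UTF-8 and a UTF-16LE view of every
# entry: compiled Android XML (AndroidManifest.xml, res/xml/config.xml)
# stores its string pool as UTF-16LE, while DEX strings and web assets
# are UTF-8.
PERMISSION_RE = re.compile(r"android\.permission\.[A-Z_]+")
URL_RE = re.compile(r"https?://[A-Za-z0-9.\-]+(?::\d+)?(?:/[A-Za-z0-9._~/?#=&%\-]*)?")
CORDOVA_CLASS_RE = re.compile(r"org[./]apache[./]cordova[./][A-Za-z0-9_./]+")
CORDOVA_MARKERS = {"assets/www/cordova.js", "res/xml/config.xml"}

# Permissions a WebView wrapper has no need for: the ones the article
# lists plus the usual spyware suspects.
WEBVIEW_UNEXPECTED = {
    "CAMERA", "RECORD_AUDIO", "READ_SMS", "RECEIVE_SMS", "SEND_SMS",
    "READ_CONTACTS", "READ_PHONE_STATE", "ACCESS_FINE_LOCATION",
    "REQUEST_INSTALL_PACKAGES", "MOUNT_UNMOUNT_FILESYSTEMS",
}


def triage_apk(apk_bytes: bytes) -> dict:
    """String-level triage of an APK; no AXML or DEX parsing is attempted."""
    perms, urls, classes, native = set(), set(), set(), []
    cordova = False
    with zipfile.ZipFile(io.BytesIO(apk_bytes)) as zf:
        for name in zf.namelist():
            data = zf.read(name)
            cordova = cordova or name in CORDOVA_MARKERS
            if name.startswith("lib/") and data[:4] == b"\x7fELF":
                native.append(name)
            for text in (data.decode("utf-8", "ignore"),
                         data.decode("utf-16-le", "ignore")):
                perms.update(PERMISSION_RE.findall(text))
                urls.update(URL_RE.findall(text))
                classes.update(m.replace("/", ".")
                               for m in CORDOVA_CLASS_RE.findall(text))
    return {
        "cordova": cordova,
        "permissions": sorted(perms),
        "unexpected_permissions": sorted(
            p for p in perms if p.rsplit(".", 1)[1] in WEBVIEW_UNEXPECTED),
        "urls": sorted(urls),
        "cordova_classes": sorted(classes),
        "native_libs": native,
    }


def build_sample_apk() -> bytes:
    """Constructed look-alike of a Cordova WebView wrapper (not the real sample)."""
    perms = ["INTERNET", "CAMERA", "READ_EXTERNAL_STORAGE",
             "WRITE_EXTERNAL_STORAGE", "READ_SMS", "RECEIVE_SMS"]

    def axml(*strings: str) -> bytes:
        # Mimics an AXML string pool: UTF-16LE entries with a 2-byte length
        # prefix and a 2-byte terminator behind a fake chunk header.  Enough
        # for string scanning; it is not a valid binary XML document.
        pool = b"".join(len(s).to_bytes(2, "little") + s.encode("utf-16-le")
                        + b"\x00\x00" for s in strings)
        return b"\x03\x00\x08\x00" + pool

    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("AndroidManifest.xml",
                    axml("com.example.tradeapp",
                         *[f"android.permission.{p}" for p in perms]))
        zf.writestr("res/xml/config.xml",
                    axml("https://trade.example.invalid/m/index.html",
                         "org.apache.cordova.camera.CameraLauncher"))
        zf.writestr("classes.dex",
                    b"dex\n035\x00Lorg/apache/cordova/file/FileUtils;\x00")
        zf.writestr("assets/www/cordova.js", "/* cordova bootstrap */")
        zf.writestr("assets/www/index.html",
                    '<script>location.replace("https://trade.example.invalid/m")</script>')
        zf.writestr("lib/arm64-v8a/libnative.so", b"\x7fELF" + b"\x00" * 60)
    return buf.getvalue()


if __name__ == "__main__":
    for key, value in triage_apk(build_sample_apk()).items():
        print(f"{key}: {value}")
```

String scanning cannot tell a declared permission from one the code actually exercises, and it does not decode the manifest structure, so follow up with apktool for the manifest and res/xml/config.xml and with jadx for the plugin code behind each unexpected permission. The list of `org.apache.cordova.*` classes is the quickest way to see which plugins (camera, file, SMS) give a WebView wrapper the capabilities the sandbox reports complain about.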

We can see from here that the APK signature does not reveal much of anything.
Here we see the app initiating a file transfer of some kind and installing an APK package. We also see that the app can communicate with and send information back to the command and control server, including geolocation, email, SMS, telephone number and similar, and that it writes this information out as a debug log.
We see from here that the app creates files with the Chinese locale, which further suggests that the operation behind the APK file is based in China.
We see from here that the app can check whether the phone is ringing, off the hook or idle.
We further see that the app can send emails.
We further see that the app can make an HTTP connection to a URL.
We can further see that the app checks whether the device is protected and whether RAM is low, and that it accesses the Device Policy Manager; it can also create a protection policy.
We further see that the app can access system services and inspect their processes.
The app can extract images and access the images directory. It can also access the camera and create EXIF metadata.

Conclusion:

This malware analysis report should raise awareness of both the pig butchering scam and the kind of malware (spyware, in this case) that the scammers spread through their apps. It is also a reminder not to install shady apps from the internet, especially from a third-party website hosted by scammers.


CHFI | CompTIA | Cyber-Sec | OSINT | Medical | Social Engineering | Mobile Sec | Threat Intelligence | Threat Hunter | Bug Bounty Hunter | Cyber-Security Expert