Malware: Research shows how Bit2MeProsih exploits victims with Trojan
Introduction
The malware analysis report you are about to read was conducted by me in collaboration with Taiwo Owolabi (a Nigerian Federal Law Enforcement Agent).
I decided to bring up this analysis report after an agent from the agency gave me an OSINT report on a Pig Butchering Crypto Scam, which I have written about in my Substack article. If you are interested in knowing more, I recommend reading the Substack article before this one, since this is just a simple presentation of the malware analysis of the software programs used by the scammers.
As usual, I will always begin with analysis from Threat Intelligence Engines before beginning the actual static and dynamic analysis of the malware itself, so please stay tuned.
Threat Intelligence Report
We will be using two different Threat Intelligence Engines here. One of them is VirusTotal, which is the one I usually use, and the other is Joe Sandbox, which gives a detailed analysis report of the malware before we jump into the actual dynamic and static analysis. I want to clarify that there is no such report for the iOS version of the program, since it is not flagged as malicious by most threat engines. Nonetheless, after uploading it to Malware Bazaar, there is a final verdict from InQuest and other Threat Intelligence Engines, and that verdict is either Malicious or Suspicious, as seen here:
We further see that YARA Signatures point to the app having a Bitcoin Address attached to it, which is true since it’s a Pig Butchering Crypto Scam:
You can also look at the Spamhaus report in your free time from this link. Nonetheless, I am sure it will not have much for you to investigate, so you can just stick to the Joe Sandbox report below for the Android malware and see for yourself what this app is capable of.
Threat Intelligence Report (IOS)
Since the iOS "app" is not actually an app but rather a configuration profile (distributed as a certificate) that installs a bookmark, there is not much that can be learned from it through a Threat Intelligence Report. Nonetheless, the Spamhaus Threat Intelligence Report link is given above.
VirusTotal Report (IOS)
You can access this report from here.
VirusTotal Report (Android)
You can access this report from here.
Joe Sandbox Report (Android)
You can view the full report from here.
You can view the rest of the report on your own time, since this part of the analysis already gives a clear understanding of how malicious this program is.
Dynamic Analysis (IOS)
The dynamic analysis of the iOS app does not reveal much, except that it creates a web interface bookmark so the "app" can be opened from the home screen, using a certificate downloaded from the scammers' official website. The app itself is not actually an app but a bookmark that opens the malicious pig butchering scam website from the home screen through the Safari browser.
Static Analysis (IOS)
The static analysis of the iOS certificate that installs the app's configuration shows that pretty much everything is in Chinese. The whole program is written in Chinese, as we shall see from the screenshot below:
This further confirms, as noted in the Substack article, that the scam actually originates from China, as presumed. In addition, it is quite clear that the Whois record for the website ties it to China, because it is actually a crime to put false information in a website's Whois record and doing so could result in the website being taken down.
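The iOS "app" described above is a configuration profile whose only job is to pin the scam website to the home screen. The following is an added triage example (not code from the original report or from the scammers' profile) that parses such a profile and lists every web clip it installs, the URL it opens, and the flags that make a bookmark pass for a native app. The sample profile, its label and the scam.example URL are constructed for illustration.

```python
import plistlib

# Constructed sample profile (not the one from the report): one WebClip payload
# that opens a remote site full-screen and cannot be removed by the user.
SAMPLE_PROFILE = b"""<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0">
<dict>
  <key>PayloadType</key><string>Configuration</string>
  <key>PayloadDisplayName</key><string>Wallet App</string>
  <key>PayloadContent</key>
  <array>
    <dict>
      <key>PayloadType</key><string>com.apple.webClip.managed</string>
      <key>Label</key><string>Wallet</string>
      <key>URL</key><string>https://scam.example/app</string>
      <key>FullScreen</key><true/>
      <key>IsRemovable</key><false/>
    </dict>
  </array>
</dict>
</plist>"""


def find_web_clips(profile_bytes):
    """Return one dict per WebClip payload in the profile: the URL it opens
    and the two flags that make a bookmark look and behave like an app."""
    profile = plistlib.loads(profile_bytes)
    clips = []
    for payload in profile.get("PayloadContent", []):
        if payload.get("PayloadType") != "com.apple.webClip.managed":
            continue
        clips.append({
            "label": payload.get("Label", ""),
            "url": payload.get("URL", ""),
            # FullScreen hides Safari's address bar, so the victim never sees the URL.
            "full_screen": bool(payload.get("FullScreen", False)),
            # IsRemovable=false keeps the victim from deleting the icon normally.
            "removable": bool(payload.get("IsRemovable", True)),
        })
    return clips


def triage(profile_bytes):
    """Human-readable reasons why the profile is suspicious."""
    reasons = []
    for clip in find_web_clips(profile_bytes):
        reasons.append(f"web clip '{clip['label']}' opens {clip['url']}")
        if clip["full_screen"]:
            reasons.append("full-screen web clip hides the Safari address bar")
        if not clip["removable"]:
            reasons.append("web clip is marked as not removable by the user")
    return reasons
```

Running `triage(open("profile.mobileconfig", "rb").read())` on a captured profile prints the same kind of findings for a real sample.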
Dynamic Analysis (Android)
There is not much to reveal in the dynamic analysis for Android, since it is basically the same thing. The app runs as normal and does not show any suspicious activity, since it is mostly meant to be a form of spyware, I believe, for the scammers to see what their victims are doing so they can get information from them to know when to scam them again, or probably to steal from their banks and credit cards without them knowing. This app is very silent once installed and shows no visible signs of infection. The app is basically a web interface for the website itself: it is simply a WebView for the website, just like the iOS mobile configuration file.
Static Analysis (Android)
This only further indicates that the program is most likely malware used for malicious purposes. On the left side, we also see that the program is based on the Cordova Framework, which is the same framework I use to build games as a game developer. This framework is used to easily build apps out of JSON file extensions, as long as all the elements of the app are present within the code, and to compile them into an iOS package, an HTML package, and even an Android package, so it is used to build programs for all kinds of operating systems and web applications.
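Because a Cordova app is a zip archive (the APK) whose web content lives under assets/www/, the fact that this "app" is only a WebView onto the scam site can be confirmed statically without running it. The following is an added triage example (not code from the original report or from the Cordova project) that builds a constructed minimal APK in memory, checks for Cordova's marker files, and extracts the absolute URLs the bundled web content navigates to. The scam.example URL and the file contents are constructed placeholders.

```python
import io
import re
import zipfile

# Constructed minimal APK: an APK is a zip, and only the Cordova-relevant
# entries are included here. A real APK also carries classes.dex and resources.
def build_sample_apk():
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        z.writestr("AndroidManifest.xml", b"<binary manifest placeholder>")
        z.writestr("assets/www/cordova.js", "/* constructed cordova.js stub */")
        z.writestr("assets/www/index.html",
                   '<html><body><script>'
                   'window.location.href = "https://scam.example/m/";'
                   '</script></body></html>')
    return buf.getvalue()


# Absolute http(s) URL; stops at whitespace, quotes and angle brackets.
URL_RE = re.compile(rb"https?://[\w.-]+(?:/[^\s\"'<>]*)?")

# Files Cordova's build places in every app's web root.
CORDOVA_MARKERS = ("assets/www/cordova.js", "assets/www/cordova_plugins.js")


def is_cordova_app(apk_bytes):
    """True when the APK carries Cordova's bundled JavaScript runtime."""
    with zipfile.ZipFile(io.BytesIO(apk_bytes)) as z:
        names = set(z.namelist())
    return any(marker in names for marker in CORDOVA_MARKERS)


def remote_urls(apk_bytes):
    """Absolute URLs referenced by the bundled HTML/JS, i.e. the sites the
    WebView will actually load; a thin scam wrapper points at one remote host."""
    found = set()
    with zipfile.ZipFile(io.BytesIO(apk_bytes)) as z:
        for name in z.namelist():
            if name.startswith("assets/www/") and name.endswith((".html", ".js")):
                for match in URL_RE.findall(z.read(name)):
                    found.add(match.decode("ascii", "replace"))
    return sorted(found)
```

For a real sample, pass `open("app.apk", "rb").read()` to both functions; an app whose only remote URL is the scam site is the WebView wrapper the report describes.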
Conclusion:
This malware analysis report should raise awareness about both the Pig Butchering Scam and the kind of malware (specifically spyware, in this case) that the scammers spread through their apps. It further serves as a reminder that you should not install shady apps from the internet, especially from a third-party website hosted by scammers.