April 13, 2021
Severity
Medium
Analysis Summary
Joker is malicious code that runs as a system app and allows attackers to perform a broad range of malicious operations, including damaging the Google Play Protect service, installing malicious apps, and generating fake reviews. Its spyware component steals data from SMS messages and the contact list. Once downloaded and executed, the apparently harmless apps worked as users would expect, so as to avoid raising suspicion. To pass Google's app checks, the author of Joker used an obfuscation technique: the malicious code is hidden in the application as Base64-encoded strings. Once the malware executes, it connects to the C&C server to receive its configuration and to download and launch one of the additional components. The example shown in the researchers' report is an app that provides images of flowers to use as wallpaper.
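Joker's habit of stashing its payload as Base64-encoded strings suggests a simple triage check for analysts. The following Python is an added example, not from the Rewterz alert or the researchers' report: it scans raw bytes (for instance a decoded strings.xml or classes.dex) for long Base64 runs whose decoded content starts with a DEX, ZIP or ELF header or contains a URL. The sample input is constructed, and the host c2.example.invalid is a placeholder.

```python
import base64
import re

# Runs of Base64 alphabet characters long enough to be worth decoding.
B64_RUN = re.compile(rb"[A-Za-z0-9+/]{64,}={0,2}")

# Leading bytes of payload types a dropper commonly hides as encoded text.
MAGIC = {
    b"dex\n": "DEX (Dalvik bytecode)",
    b"PK\x03\x04": "ZIP/APK/JAR archive",
    b"\x7fELF": "ELF native library",
}

def classify(blob):
    """Label a decoded blob by its magic bytes or an embedded URL, else None."""
    for magic, label in MAGIC.items():
        if blob.startswith(magic):
            return label
    if re.search(rb"https?://[\w.-]+", blob):
        return "URL / network indicator"
    return None

def find_hidden_payloads(data):
    """Return (offset, label, first 16 decoded bytes) for each suspicious run."""
    hits = []
    for m in B64_RUN.finditer(data):
        token = m.group(0)
        token += b"=" * (-len(token) % 4)  # repair stripped padding
        try:
            decoded = base64.b64decode(token, validate=True)
        except ValueError:  # binascii.Error is a ValueError subclass
            continue
        label = classify(decoded)
        if label:
            hits.append((m.start(), label, decoded[:16]))
    return hits

# Constructed sample: a Base64 fake DEX header, a Base64 placeholder URL, and
# a harmless all-zero blob that must not be reported.
FAKE_DEX = b"dex\n035\x00" + b"\x00" * 64
FAKE_CFG = b"https://c2.example.invalid/api/v1/config?dev=android&ver=1"
SAMPLE = (
    b'<string name="wp_a">' + base64.b64encode(FAKE_DEX) + b"</string>"
    + b'<string name="wp_b">' + base64.b64encode(FAKE_CFG) + b"</string>"
    + b'<string name="wp_c">' + b"A" * 72 + b"</string>"
)

if __name__ == "__main__":
    for offset, label, head in find_hidden_payloads(SAMPLE):
        print(f"offset {offset}: {label} {head!r}")
```

A hit only says the string decodes to something structured; the decoded bytes should still be carved out and examined before treating the app as Joker.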
Impact
- Information theft
- Exposure of sensitive information
Indicators of Compromise
Remediation
- Block all threat indicators at your respective controls.
- Always download recommended, legitimate applications from the Play Store.