Rewterz Threat Alert – New Versions of the Bazar Loader and Backdoor
July 21, 2020Rewterz Threat Advisory – CVE-2020-3345 – Cisco Webex Meetings and Cisco Webex Meetings Server HTML Injection Vulnerability
July 22, 2020Severity
High
Analysis Summary
Researchers reports on a banking Trojan that appears to be a derivative of Xerxes and LokiBot that they have dubbed “BlackRock”. The source code for Xerxes has been publicly available since around May of 2019. One change to the source code used to create BlackRock includes the list of targets. The additions include social media, networking, communication, and dating apps. After installation onto an Android device, BlackRock first hides its icon from the app drawer so that it is not visible to the user. It then asks for additional privileges, namely access to the Accessibility Service. The Accessibility Service is a known pathway to gaining additional privileges in the Android world. Once this privilege is granted by the user, BlackRock then provides additional privileges to itself so that further user interaction is no longer required. After this is accomplished, it waits for instructions from its command and control server. Should the user attempt to use any of a number of Android anti-virus software applications, it will lock the user to the home screen of the device. Some functions available to BlackRock include overlay attacks, steal SMS messages, hide notifications, and act as a keylogger.
Impact
- Keylogging
- Information theft
- Locks users out of the device
Indicators of Compromise
SHA-256
- 51f9c37c3eec0b6f8325aa1c8fe64a0615ab920584042df557426473b1270b40
- 6fa4baef8a811f429cee4b383d7a4776b7b363b62551c8d8e0f93bad33adefbd
- 7d34aaf84754fb247507681bcd821f9533f24c6d78aa6779a11f4d789d4822ee
- 81fda9ff99aec1b6f7b328652e330d304fb18ee74e0dbd0b759acb24e7523d8c
- fbaf785edfafa583ea61884d88f507a27154892a394e27d81102f79fe7eb5b8f
Remediation
- Block all threat indicators at your respective controls.
- Search for IOCs in your environment.