Rewterz Threat Alert – Rogue RAT used for Android Device Takeover, Data Theft and Malware Delivery

Severity

Medium

Analysis Summary

As remote work continues, remote collaboration platforms are being targeted by cyber criminals. Meanwhile, other platforms are being used on smartphones to transfer data securely. In the midst of this, a Rogue RAT trojan is being used to steal data from android devices, to deliver further payloads and to takeover the device remotely. Researchers detail Rogue RAT which exploits Google’s Firebase development platform, targets Android devices to exfiltrate personal data and can deliver other malware, which provides even low-level cybercriminals with the ability to read your messages, steal your passwords, and even record your calls. A new combination of two older types of malware, which provides hackers with access to almost everything a user does on an Android smartphone, is up for sale on underground forums for as little as $29.99. The ‘Rogue’ remote administration tool (RAT) infects victims with a keylogger, allowing attackers to easily monitor the use of websites and apps in order to steal usernames and passwords, as well as financial data. Once a hacker uses the Trojan, portrayed to victims as a legitimate app, to infect a device, the malware can exfiltrate data, such as photos, location information, contacts and messages. It also can download additional malicious payloads, including mobile ransomware. Moreover, when Rogue successfully gains all of the required permissions on the targeted device, it hides its icon from the device’s user to ensure it will not be easy to get rid of it. If all of the required permissions are not granted, it will repeatedly ask the user to grant them. If the user tries to revoke the admin permission, an onscreen message designed to strike terror in the heart of the user appears: ‘Are you sure to wipe all the data?’ The Rogue RAT takes advantage of a targeted device’s Android Accessibility Services, which are designed to assist users with disabilities. These services generally run in the background but can access apps and other components within an Android device. By accessing these services, hackers can gain control over a device without the victim knowing.

Impact

• Credential Theft
• Data Exfiltration
• Device Takeover

Indicators of Compromise

Hostname

• bald-panel[.]firebaseio[.]com
• hawkshaw-cae48[.]firebaseio[.]com
• spitfirepanel[.]firebaseio[.]com
• phoenix-panel[.]firebaseio[.]com

MD5

• 9d8ae4d9ad837a7ce156eb4102faf5ad
• 19049050f5839625675b455449404016
• 09e3f63fe85169741c87083f00627668
• 967fb19666c70ab06cfcab14e67eea03
• 0dcfcd54e615730080549762096ca2b5
• ff57db66437032e18b7f2bf009beb52d
• 433831f94ab3400cab8ed4940322c7f4

SHA-256

• fa7fcbf01a252e1f0d3028512e5d58ab18674bc415d4956e28d1e3fea835d724
• f47d06ddf3525e244f5d58e9c3ea5f1977845c917b84fca28363d1797d70715e
• e2f611c47efd760a41090293792ad8ebe6ae972c75fe136639c4cc98561b4e98
• e0e1fb9d914d0626c4e7b4999afdd02f070cea1bc5a446f7073566d94493161f
• dfd18ac31b4b90ac72649de6ed663fa2fd8719606cd4da7126098e58288693ce
• d910ff3e1ff1c8355d603113dfdf6de3859e206bdd704b83a75c7efb7ab7a594
• cf519a751ea25f59f99d7f90dfba82c109b11725fe9cbeb479c3ec358f124e99
• cb1cbb2cadb2f265b38fae9bad0d622cdf4d7c071924a0346679fb3decafa95c
• caa38f6ae2969e885757ff0cfce69b7981d4c115740f12cd18b4088b47a97dee
• c2893c0cdb3e67f3052fe3f819f03f5d52610d0904dad11aa353db202ead6c00
• bcd53e2e363daf5eb719c0892d49d15261189fe8711adc9ad40fcbe646956622
• b93ba6614762120f200efdee98ba2f5f3f3f55f152279c70422d2014f770cf8e
• b790affd3fc6591779fa0c06f6c8e47fbc1b2b76399842f12fbd792edb8bb98c
• af89e25c4add8bc5a5d5cd1a16479ecd8f40577766d8ea8e42eb6bcae7d3ba9d
• ae3afac1ddbf6853845c8a62f9adaaa5ea872141da2dd8be5a6d61b84bf1da9a
• a4058e6e6f81ec4c8bb234b5df11ad9b459221cc7d1b0acba733ffd6e1f1f930
• a1002512a86d7af9c4fd5579f87baee7d377e84373cae475a83beb9438eb17e7
• a08db81e33f978da7b540228d04ddce47f447b4501b9f70fba46f5acf74e038a
• 9eb556a52bf26e284a6c333f09d576e61fad9f76d4d4b7abb86cfe099108b8a0
• 974615a4902d920895b4fe03e4f987f56471f003daf82d2930c9fdbdc56bc048
• 928cdc76250852b5161ca0ca418b82cf3033e1b21d419a9654a29a68b43e4aa5
• 901c93ee5bc2a474c20379bd07eac08cc27266a39b3b6b563c0ffa7dfcebec88
• 82c07ab7460204b60e4cd4c2f5e263db538e128382341f8dfa727800d3e0c980
• 7bea11940ef818db0b3284c5e6b651e8551b5f2662808e3c48e2e92a55156ff3
• 7a6c738f4bdecffcbfa8a29eae1091876f34d9c91cd21b51a7e51896a69be3ac
• 734c9146be56c9c1e1abb7dfa533d8ebec77ceae8550d7918dd7e38e4f4dc721
• 72c60de4ae67237bbcdc8d9bdda38c2374cb0d4a1364239ecb9ef4992a6253e2
• 71cc0cd5979cce2ee72073e81c47262465fd8158d10a7d29cd86cae6ffa12607
• 6e89e0e52fec1bff8175742570d9a40cb32be6c869e885077db9b13b1e39ef80
• 6ad406fa29e2f327d9672e1f8578d89aa1f1cc242c7a9ee83ede3cebd313ca09
• 64905ad7b0f635efb0402d57d0b0d7d31832ca66afac2fe17379877004a32e73
• 62078c7099dd3485b45ac8bec8fcecbc2662f6c21d3b309dc7a865df6a822794
• 5de7799e1d95daaaceb6e158dfb27e44fd93021c7676f728b0e157e1bd2099c7
• 5a8de8e601fb1577321ded7475b28f8c72157bb6bcf2857c99cbc7a39489c71a
• 4e0bcfc83f8a2714acbf1725262827ec17f61c5826cd5cf0837d1642fdc5b25e
• 4d24880ac70f7d7b3997316ca01854413de0d8df5bb30ce757280a28713ae7e4
• 4ad6b698cfd2af542fca2316b94e1f213025d48e0895f1a127dec789c4b4dded
• 49b353ac2ba897672644ea6aff8edc69ac7fc195b96c069c338f7da588674871
• 4478a2e8a952529bbe1bf0a1f1d98f197ff1717f1dab1635cfe151c4771d3561
• 41ad6c0c6eb93877adb8a319520bba43a334cae463379feccb5b6df3bb94b530
• 4105f8c46caa7b715d003a8d39ecf2d22b107000961a232538766830a741657b
• 3ead4a167d118105164e9c13de0fa14d06ea0dc32d02c861bde4c8bef4e0bd07
• 3dc2f2a200630294fc0af904ddf611f9ecfe8a4c65899aff8d6b56aed53177f8
• 36ebc45ee083d8478372916a7d9bf4f7f26bdd1cd8f10765ec6e375bf73962f4
• 2beb5e9d9ba93acc1d5f858c3e4fdeee04e0741eb44ab0a3a5a98ce2687f38a7
• 28a74b00f590cc85578dad296271ed0a91225b876c088a4fae2a7e9d06636347
• 1f5850b3a38df372cc40987b376cbf093ed5dd5d9e99e3ead61b24aa8cc82976
• 10988044a6db87ff8a526aa4a5004c9fafb8631d4373bf3e7ec76e5e47690eb9

SHA1

• 01345bb385d48cc102bc49a89164ab335ce87109
• 27bf41aaae857a13492f337db585bf6e764e5a76
• 4a2aa645419cb882ce324d4bd3bad75a973c3cf7
• b892b1b6ae7838252478f13aa512b64bf0b1e3ee
• 1adfad6a85f75ff215c96f19a186cea2558a855e
• a4348af90b3343111ff666299f08058946b06666
• 9a50a50f15ce38f57893758c1fd9a09ec97acadf

Remediation

• Block the threat indicators at their respective controls.
• Be careful when granting permissions to applications.