Kaspersky Lab has detected new mobile malware for Android and iOS

Kaspersky Lab today published new research that maps a massive, international infrastructure used to control the "Remote Control System" (RCS) malware implants. At the same time, previously unknown Trojans that attack Android and iOS were identified. These modules are part of the so-called "legal" spyware tool RCS, also known as Galileo, developed by the Italian company HackingTeam.


According to new research conducted by Kaspersky Lab, in collaboration with Citizen Lab, the list of victims includes human rights activists and advocates, as well as journalists and politicians.

RCS infrastructure

Kaspersky Lab used several security approaches to locate Galileo's Command & Control (C&C) servers around the world. To identify them, Kaspersky Lab experts relied on specific indicators and connectivity data obtained from existing reverse-engineered samples.

During the research, Kaspersky Lab researchers recorded more than 320 RCS C&C servers in more than 40 countries. The majority of the servers were located in the United States, Kazakhstan, Ecuador, the United Kingdom and Canada.

Commenting on the latest findings, Sergey Golovanov, Principal Security Researcher at Kaspersky Lab, said: "The presence of these servers in a particular country does not mean that they are used by the law enforcement authorities of that country. However, it makes sense for RCS users to deploy C&C servers in the regions they control, where there are fewer cross-border legal issues or risks of server seizure."

Mobile RCS implants

Although it was previously known that HackingTeam had mobile Trojans for iOS and Android, nobody had actually identified them, or nobody had noticed that they were being used in attacks. Kaspersky experts have been investigating RCS malware for the last two years. Earlier this year, they were able to locate specific samples of mobile modules that matched the configuration of other malicious RCS software they had already collected. During the latest research, they collected new sample variants from victims through Kaspersky Security Network, Kaspersky Lab's cloud-based network. In addition, company specialists worked closely with Morgan Marquis-Boire of Citizen Lab, who has extensively researched the malware developed by HackingTeam.

Infection methods

The operators behind RCS Galileo build a specific malicious implant for each target. Once the sample is ready, the attacker delivers it to the victim's mobile device. Known infection methods include spearphishing through social engineering, often combined with exploits, including zero-day exploits, and local infection over a USB cable while the mobile device is being synchronized.

One of Kaspersky Lab's most important discoveries concerns the exact way in which a Galileo mobile Trojan infects an iPhone: it requires the device to be jailbroken. However, even iPhones that are not jailbroken can become vulnerable. Specifically, an attacker can run a jailbreaking tool, such as "Evasi0n", from an already infected computer to jailbreak the device remotely and then infect it. To avoid the risk of infection, Kaspersky Lab specialists advise, first, that users do not jailbreak their iPhones and, second, that they keep iOS updated to the latest version.

Custom Espionage

RCS mobile modules have been developed with great care to operate discreetly. For example, they pay special attention to the battery life of the device. This is achieved through carefully tailored spying capabilities or through special activation triggers. For example, recording may only start when the victim connects to a particular Wi-Fi network (such as a media outlet's network), when the SIM card is changed, or when the device is charging.

In general, RCS mobile Trojans can perform many different types of surveillance, such as reporting the target's location, taking photos, copying calendar entries, recording new SIM cards inserted into the infected device, and intercepting phone calls and messages. In addition to classic SMS, they spy on messages sent by specific applications such as Viber, WhatsApp and Skype.

Detection

Kaspersky Lab products detect the RCS/DaVinci/Galileo spyware under the names: Backdoor.Win32.Corablin, Backdoor.Win64.Corablin, Backdoor.Multi.Corablin, Rootkit.Win32.Corablin, Rootkit.Win64.Corablin, Rootkit.OSX.Morcut, Trojan.OSX.Morcut, Trojan.Multi.Corablin, Trojan.Win32.Agent, Trojan-Dropper.Win32.Corablin, Trojan-PSW.Win32.Agent, Trojan-Spy.AndroidOS.Mekir and Backdoor.AndroidOS.Criag.

iGuRu.gr, The Best Technology Site in Greece


Written by giorgos
