Kaspersky Lab has detected a new mobile malware for Android and iOS

Kaspersky Lab today announced new research mapping a massive international infrastructure used to control Remote Control System (RCS) implants. At the same time, previously unidentified mobile Trojans targeting Android and iOS were identified. These modules are part of the so-called "legitimate" RCS spyware tool, also known as Galileo, developed by the Italian company HackingTeam.


According to new research conducted by Kaspersky Lab, in collaboration with Citizen Lab, the list of victims includes human rights activists and advocates, as well as journalists and politicians.

RCS infrastructure

Kaspersky Lab used several security approaches to locate Galileo's Command & Control (C&C) servers around the world. For the identification process, Kaspersky Lab experts relied on specific indicators and connectivity data obtained from existing reverse-engineered samples.

During the research, Kaspersky Lab researchers recorded more than 320 RCS C&C servers in more than 40 countries. The majority of the servers were located in the United States, Kazakhstan, Ecuador, the United Kingdom and Canada.

Commenting on the latest findings, Sergey Golovanov, Principal Researcher at Kaspersky Lab, said: "The presence of these servers in a specific country does not imply that they are used by the law enforcement agencies of that country. However, it is logical for RCS users to deploy C&C servers in the regions they control, where the risks of cross-border legal issues or potential seizures of the servers are lower."

RCS mobile implants

Although it was previously known that HackingTeam had mobile Trojans for iOS and Android, nobody had actually identified them, or nobody had noticed them being used in attacks. Kaspersky Lab experts have been investigating RCS malware for the last two years. Earlier this year, they were able to locate specific samples of mobile modules that matched the configuration of other malicious RCS software they had already collected. During the latest research, they collected new sample variants from victims through Kaspersky Security Network, Kaspersky Lab's cloud-based network. In addition, company specialists worked closely with Morgan Marquis-Boire of Citizen Lab, who has extensively researched the malware developed by HackingTeam.

Infection vectors

The operators behind RCS Galileo build a specific malicious implant for each target. Once the sample is ready, the attacker delivers it to the victim's mobile device. Known infection methods include spear-phishing via social engineering, often combined with exploits, including zero-day exploits, and local infection over a USB cable while the mobile device is being synchronised.

One of Kaspersky Lab's most important discoveries concerns the exact way in which a Galileo mobile Trojan infects an iPhone: it requires the device to be jailbroken. However, even iPhones that have not been jailbroken can become vulnerable. Specifically, an attacker can run a jailbreaking tool such as "Evasi0n" from an already infected computer to jailbreak the device remotely and then infect it. To reduce the risk of infection, Kaspersky Lab specialists advise, first, that users do not jailbreak their iPhones and, second, that users keep iOS updated to the latest version.

Tailored espionage

The RCS mobile modules have been developed with particular care so that they operate discreetly. For example, they pay special attention to the battery life of mobile devices. This is achieved through carefully tailored capabilities or through special activation triggers. For example, audio recording can start only when the victim connects to a specific Wi-Fi network (such as a media house's network), when the SIM card is changed, or while the device is charging.

In general, RCS mobile Trojans can perform many different kinds of surveillance, such as reporting the target's location, taking photos, copying notes, recording new SIM cards inserted into the infected device, and intercepting phone calls and messages. In addition to classic SMS, interception can also cover messages sent by specific applications, such as Viber and Skype.

Detection

Kaspersky Lab products detect the RCS / DaVinci / Galileo spyware under the following names: Backdoor.Win32.Corablin, Backdoor.Win64.Corablin, Backdoor.Multi.Corablin, Rootkit.Win32.Corablin, Rootkit.Win64.Corablin, Rootkit.OSX.Morcut, Trojan.OSX.Morcut, Trojan.Multi.Corablin, Trojan.Win32.Agent, Trojan-Dropper.Win32.Corablin, Trojan-PSW.Win32.Agent, Trojan-Spy.AndroidOS.Mekir and Backdoor.AndroidOS.Criag.


Written by giorgos
