Summary:
The TheftCRow organization is involved in distributing voice phishing malware designed to deceive victims into installing malicious applications through phishing websites. These applications possess capabilities such as forced call connections, call recording, and real-time audio and video streaming, posing significant threats to users.
Keypoints:
- TheftCRow is a voice phishing distribution organization identified by S2W’s TALON team.
- They create phishing sites disguised as legitimate institutions to lure victims.
- The malware, TheftCalls Loader, forces the installation of another malicious app, TheftCalls.
- TheftCalls can manipulate call logs, record calls, and stream audio and video without user consent.
- The organization has been observed using multiple phishing themes and sites.
- They employ techniques to bypass security measures and delete security apps on victims’ devices.
MITRE Techniques
- Initial Access (T1660): Phishing to gain access to victim devices.
- Persistence (T1398): Using boot or logon initialization scripts to maintain presence.
- Defense Evasion (T1629.001): Preventing application removal to evade detection.
- Defense Evasion (T1655.001): Matching legitimate names or locations to avoid suspicion.
- Defense Evasion (T1406): Obfuscating files or information to conceal malicious activities.
- Discovery (T1418.001): Discovering security software to disable or bypass it.
- Collection (T1429): Capturing audio through malicious applications.
- Command and Control (T1437.001): Utilizing web protocols for communication with C2 servers.
- Exfiltration (T1646): Exfiltrating data over C2 channels.
- Data Manipulation (T1641): Manipulating data such as call logs and recordings.
IoC:
- [File hash] TheftCalls Loader: c097468c21c2c06618935b71c3b87d8c616531bce6b16a87d2938768560669c1491ecd5e942b7be42b5289d795d4783f2e303adc1e86e6c4066df7d9384fea13a813ba1c701b6df0e677e7abf1c297373b91ef23e6f3834edee818215b7327a02b5c02b885f27519823eb7d6a5b2e181ba45747eb05b56979938ff57f9ee3f77d98e1d89700c24cfee7fed75fc9ad3fac479cc2d20fcbfa3c708b52a5fd36eee01284d7c462168327746e20d6957167a422a16de81ee8d6a69e30524410f3fecfbd2c65fd3f41c5076a06de88873da0ccba0b1f7c1b316e2e6c8103dfa9be44daf34722ba078c5154c162d7094d665634d91684153d3594c5d2c2c5d55705a569a1f4a890add31768857cb4d6ca6b311f0c3f52914766a81c43f504b7b7e47741ed7ee105733903a4ff27c3e8b902b5c79957397fd5d0db83c761ae48d136b0c2ae624c4bf886c710af87b989634bea114982a61b5f8d8d4f8ebc226d2dcb90258efe840524e6394240592015c024d95466badd97fe8d50183ac47598c5f100ca7f65b7f346b23f0b5df969dc5a9450f7b1cec33e227917b0a77a3a7e33453a46abee5988a221008e96ccf92dc88cbed
- [File hash] TheftCalls: eac60d6754173230ca74b518af1e47127e52582ebd9c306edc2a86701d53ef2bf7ecff91f8df287ffe873d816b94b2f012e8ea40b05475478e833b4267c80bd452498a8497e21fb14051172fb7fadad5f09ad60bb343aa6fbc96e4afef25eafe47c2db5107394687b506dcf511fba92644c3dc041f56f338c714d35aaebb2fb35ebf709e3e5189a825d52fa5aa2dc3c5001e42de6e081fb820d7b020be5320093d7e7c1ebffd05534a699bd8e333c395900f3ed684af2043f9656ada708ee1379cb5291c880899c1e7e1ef3936ea169c525aa156c22e1132569bd103f7c029bcccc63cdf3dfe35724820c87e74416dd0fb045f3a09bd2c1337534ca455ef81061a176f58f6dd72afdcd4b23e4f980b9c61b6a0ef23461eafaf248b91878579c6da601e5bdf473306bf5680fb1ace100e228be7f0dbb2ea9f6f0b6816915732ebb9f9cf6e912d227ca67361791affd2d42e30ef73b304832b265e571573907ca4b680188014bcc498826869be17f0cb64e9ffb753c04208730fb908b2a297cf66258badcae77cf4d5ec7b94b5e0651669ef8e6d2a28858fef570fed45bb47fd1848d103b55d31337558e9b89b0a196119
- [Network C&C Server] hxxp://ppnwhbjy.agbrexi9ohfrx53m.com/web/OBQ/interface.html
- [Network C&C Server] hxxp://f6ewdnfmffcxwbvses[.]com:8388
- [Network C&C Server] hxxp://f2bkt3abwsjrtp8yuy[.]com:8388
- [WebView URL] 시티즌코난: hxxp://fnqh5qar.jbuvx6cshyvug9kk[.]com/web/OBQ/interface.html
Full Research: https://medium.com/s2wblog/detailed-analysis-of-theftcalls-impersonating-frequently-used-korean-apps-c3ebbfd7f746