The investigation identified two DDoS tools: ddos.py, a Python script launching basic HTTP floods against aisrael.org, and ddos.txt, a Bash script installing a pre-configured DDoS program (ZxCDDoS) from a public GitHub repository.
While ddos.py is rudimentary, ddos.txt simplifies launching attacks by automating dependency installation (Git, Golang, Python libraries) and downloading the attack tool.
Both tools highlight the ease of acquiring and using DDoS tools, even for less skilled attackers.
The malicious APKs, Chrome.apk, Telegram(3).apk, and rn.apk, exhibit typical SpyNote spyware characteristics and communicate with specific C2 servers.
While Chrome.apk and Telegram(3).apk were detected as SpyNote malware, rn.apk was flagged as riskware due to its potential for abuse.
Although rn.apk shows neither C2 communication nor a SpyNote detection, its presence points to a broader targeting strategy: the threat actor aims to compromise users of popular applications as well as those seeking educational resources, which raises the chance of compromising diverse user groups and widens the overall attack surface.
The malicious server hosts phishing pages impersonating various popular services like Binance, WeChat, Coinbase, and Kraken, which are crafted to steal user credentials and sensitive information and often reference EagleSpy, a notorious Android RAT.
Two pages mimic native mobile device unlock screens and aim to steal device credentials for remote access or ransom purposes; with these credentials the attacker can manipulate the victim's device, access sensitive data, or lock the device for ransom.
The ransomware attack appears to be a simple scare tactic, as the attackers have created a visually intimidating splash screen that falsely claims the victim’s phone has been hacked.
Upon clicking the “UNLOCK” button, users are redirected to a ransom note demanding a payment of $7,000 in Bitcoin.
The note also threatens to upload stolen information to the Dark Web if the payment is not made within two hours.
However, the provided QR code and wallet address are invalid, suggesting that the attackers are likely inexperienced or may have abandoned the attack.
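One quick check an analyst can run on a ransom note is whether the Bitcoin address is even well-formed. The following is an added example, not code from the report or the investigated server: it validates legacy Base58Check addresses ("1..." P2PKH and "3..." P2SH) using the standard double-SHA256 checksum, and the sample addresses in the test are constructed or publicly known, not the ones from the note (bech32 "bc1..." addresses are deliberately not handled).

```python
import hashlib

# Base58 alphabet used by Bitcoin (no 0, O, I, l).
ALPHABET = "123456789ABCDEFGHJKLMNPQRSTUVWXYZabcdefghijkmnopqrstuvwxyz"
# Mainnet version bytes for legacy addresses: 0x00 = P2PKH ("1..."), 0x05 = P2SH ("3...").
MAINNET_VERSIONS = {0x00: "P2PKH", 0x05: "P2SH"}


def b58decode(s: str) -> bytes:
    """Decode a Base58 string to raw bytes; raises ValueError on a character outside the alphabet."""
    n = 0
    for ch in s:
        idx = ALPHABET.find(ch)
        if idx < 0:
            raise ValueError(f"invalid Base58 character {ch!r}")
        n = n * 58 + idx
    body = n.to_bytes((n.bit_length() + 7) // 8, "big") if n else b""
    # Each leading '1' in the string encodes one leading zero byte.
    pad = len(s) - len(s.lstrip("1"))
    return b"\x00" * pad + body


def check_legacy_btc_address(addr: str) -> str:
    """Return the address type if addr passes Base58Check, otherwise a reason prefixed 'invalid:'.

    A legacy address decodes to 25 bytes: 1 version byte, 20-byte hash, 4-byte checksum,
    where the checksum is the first 4 bytes of SHA256(SHA256(version + hash)).
    """
    if addr.lower().startswith("bc1"):
        return "unsupported: bech32 addresses are not validated here"
    try:
        raw = b58decode(addr)
    except ValueError as e:
        return f"invalid: {e}"
    if len(raw) != 25:
        return f"invalid: decoded length {len(raw)}, expected 25"
    payload, checksum = raw[:21], raw[21:]
    expected = hashlib.sha256(hashlib.sha256(payload).digest()).digest()[:4]
    if checksum != expected:
        return "invalid: checksum mismatch"
    kind = MAINNET_VERSIONS.get(payload[0])
    if kind is None:
        return f"invalid: unknown version byte 0x{payload[0]:02x}"
    return kind


if __name__ == "__main__":
    # Constructed inputs: the well-known genesis-block address, and the same string with its last character altered.
    for sample in ("1A1zP1eP5QGefi2DMPTfTL5SLmv7DivfNa", "1A1zP1eP5QGefi2DMPTfTL5SLmv7DivfNb"):
        print(sample, "->", check_legacy_btc_address(sample))
```

A checksum failure only shows the address was mistyped or fabricated; a valid checksum says nothing about whether the wallet is actually controlled or monitored by anyone.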
A suspicious host at IP address 137.184.53.152, belonging to DigitalOcean, was identified as serving malicious files; it also exposes open ports beyond the standard HTTPS port (443), indicating potential vulnerabilities.
According to Hunt, a separate IP address (142.93.113.245) on the same network is functioning as a command and control server for malware disguised as a Chrome.apk file.
Further analysis of the host revealed ransomware-related files, including ransom notes and a Python script designed for DDoS attacks, suggesting a malicious network infrastructure potentially involved in both data extortion and website disruption.