Analysis Report on AI-Based Obfuscated Malicious Apps Using Compromised Legitimate Websites as C2 Servers
1. Overview
Malware impersonating a famous Korean delivery service has been continuously distributed, and the threat actor behind it is utilizing various techniques to evade anti-virus (AV) detection.
In particular, obfuscation and packing techniques are being used, and many malware strains leveraging these techniques have been discovered.
With the recent advancement of AI technology, there have been cases where AI has been integrated into existing obfuscation and packing solutions to create and distribute malware.
In addition, the threat actor exfiltrates the stolen information to a C2 server hosted on a breached legitimate website. The site was most likely compromised, and its administrator is unaware that an externally uploaded program is making it perform the role of a C2 server.
Furthermore, the threat actor hardcodes the C2 server address into a blog hosted on a Korean portal and loads it when the app is executed, making it even more difficult to detect their activities.
This report covers the use of AI in ProGuard obfuscation, the methods the threat actor uses to obtain C2 servers, and the data exfiltration.
2. Analysis
2.1. APK Information
The following is the metadata and key features of the APK analyzed in this post.

Figure 1. Metadata of the malicious app
2.2. ProGuard Obfuscation Using AI
Apart from the components declared in AndroidManifest.xml, the names of classes, methods, and variables consist of meaningless eight-character Korean strings, while resource names remain unchanged. This indicates that ProGuard obfuscation has been applied, and that the obfuscation dictionary was set to meaningless eight-character Korean strings.

Figure 2. Korean obfuscation of variable names

Figure 3. Class name obfuscated in Korean

Figure 4. Class and function names obfuscated in Korean
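The three observations above (non-manifest names are fixed-length Hangul strings, the lengths cluster at a single value, resource names are untouched) can be turned into a triage heuristic that runs over a decompiler's class list. The following is an added example for this report, not code from the sample or from the report's authors; the class names, manifest entries and resource names are constructed stand-ins for what a decompiler would list, and the threshold of 50 % is an assumption.

```python
"""Triage heuristic for ProGuard obfuscation driven by a custom dictionary
of fixed-length Hangul identifiers.

Added example for this report, not code from the sample or the report's
authors. All inputs below are CONSTRUCTED to mimic a decompiler listing.
"""
import re
from collections import Counter

# Hangul syllable block U+AC00..U+D7A3; a name made only of these
# characters is the signature the report describes.
HANGUL_ONLY = re.compile("^[\uac00-\ud7a3]+$")

# Constructed input: the two components declared in AndroidManifest.xml
# keep readable names, everything else is an eight-syllable Hangul string.
SAMPLE_CLASSES = [
    "com.example.delivery.MainActivity",
    "com.example.delivery.DeliveryService",
    "com.example.delivery.가나다라마바사아",
    "com.example.delivery.거너더러머버서어",
    "com.example.delivery.고노도로모보소오$구누두루무부수우",  # inner class
    "com.example.delivery.기니디리미비시이",
]
SAMPLE_MANIFEST_DECLARED = {
    "com.example.delivery.MainActivity",
    "com.example.delivery.DeliveryService",
}
# ProGuard renames code, not res/, so constructed resource names stay readable.
SAMPLE_RESOURCES = ["activity_main", "ic_launcher", "tracking_input"]


def simple_name(qualified):
    """Drop the package path and any outer-class prefix ('Outer$Inner')."""
    return qualified.rsplit(".", 1)[-1].rsplit("$", 1)[-1]


def hangul_identifier_stats(names, length=8):
    """Return (fraction of names that are all-Hangul and exactly `length`
    syllables long, Counter of lengths over all all-Hangul names)."""
    total = hits = 0
    lengths = Counter()
    for qualified in names:
        name = simple_name(qualified)
        total += 1
        if HANGUL_ONLY.match(name):
            lengths[len(name)] += 1
            if len(name) == length:
                hits += 1
    return (hits / total if total else 0.0), lengths


def obfuscation_verdict(class_names, manifest_declared, resource_names,
                        length=8, threshold=0.5):
    """Combine the report's three observations into one verdict:
    1. names not declared in the manifest are fixed-length Hangul strings,
    2. their lengths cluster at one value (a dictionary, not hand-written code),
    3. resource names are untouched, which points at ProGuard rather than a
       packer that rewrites resources as well.
    The 50 % threshold is an assumption, not a value from the report.
    """
    candidates = [n for n in class_names if n not in manifest_declared]
    fraction, lengths = hangul_identifier_stats(candidates, length)
    single_length = len(lengths) == 1
    resources_untouched = not any(HANGUL_ONLY.match(r) for r in resource_names)
    return {
        "fraction_fixed_length_hangul": fraction,
        "length_histogram": dict(lengths),
        "likely_custom_dictionary": fraction >= threshold and single_length,
        "resources_untouched": resources_untouched,
    }


if __name__ == "__main__":
    print(obfuscation_verdict(SAMPLE_CLASSES, SAMPLE_MANIFEST_DECLARED,
                              SAMPLE_RESOURCES))
```

On real input, feed the function the class list from a decompiler (jadx or apktool output) together with the component names parsed from the manifest; a single-length histogram is the strongest signal, since hand-written Korean identifiers would vary in length.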
2.3. Static Analysis
Once the requested permissions are granted, the app connects to a real delivery tracking website using a randomly generated tracking number and displays the result, so that it looks like a legitimate app.

Figure 5. Accessing the random waybill number lookup page
2.4. Dynamic Analysis
When the app is launched, it requests the permissions required to perform malicious behaviors from the user.

Figure 6. Permission request
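Because the report does not list the sample's permissions, the quickest way to see what an app of this kind asks for is to triage the decoded AndroidManifest.xml before running it. The following is an added example for this report, not code from the sample or its authors: the manifest text is constructed and illustrative, and the watchlist is an ordinary analyst checklist of permissions that typically serve information theft, not a list taken from the report.

```python
"""Permission triage for a decoded AndroidManifest.xml (apktool output).

Added example for this report, not code from the sample or its authors.
SAMPLE_MANIFEST is CONSTRUCTED; the report does not list the sample's
permissions. HIGH_RISK is an analyst watchlist, not data from the report.
"""
import xml.etree.ElementTree as ET

ANDROID_NS = "http://schemas.android.com/apk/res/android"

# Permissions that commonly serve data theft; what each one lets an app do.
HIGH_RISK = {
    "android.permission.READ_SMS": "read stored SMS",
    "android.permission.RECEIVE_SMS": "intercept incoming SMS",
    "android.permission.READ_CONTACTS": "read the contact list",
    "android.permission.READ_PHONE_STATE": "read phone number / device identifiers",
    "android.permission.READ_CALL_LOG": "read the call log",
    "android.permission.SYSTEM_ALERT_WINDOW": "draw over other apps",
    "android.permission.REQUEST_INSTALL_PACKAGES": "install further packages",
}

# Constructed manifest: a delivery-tracking lookalike with an illustrative
# permission set. Not the sample's real manifest.
SAMPLE_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.delivery">
  <uses-permission android:name="android.permission.INTERNET"/>
  <uses-permission android:name="android.permission.READ_SMS"/>
  <uses-permission android:name="android.permission.RECEIVE_SMS"/>
  <uses-permission android:name="android.permission.READ_CONTACTS"/>
  <uses-permission android:name="android.permission.READ_PHONE_STATE"/>
  <application android:label="Delivery Tracker">
    <activity android:name=".MainActivity"/>
    <service android:name=".DeliveryService"/>
  </application>
</manifest>
"""


def _attr(el, name):
    return el.get("{%s}%s" % (ANDROID_NS, name))


def requested_permissions(manifest_xml):
    """All <uses-permission> names, in manifest order."""
    root = ET.fromstring(manifest_xml)
    return [_attr(el, "name") for el in root.iter("uses-permission")]


def declared_components(manifest_xml):
    """Fully qualified names of declared components; these are the classes
    ProGuard leaves readable, so they are the ones to exclude when judging
    how much of the rest of the code has been renamed."""
    root = ET.fromstring(manifest_xml)
    pkg = root.get("package")
    names = []
    for tag in ("activity", "service", "receiver", "provider"):
        for el in root.iter(tag):
            name = _attr(el, "name")
            names.append(pkg + name if name.startswith(".") else name)
    return names


def triage(manifest_xml):
    perms = requested_permissions(manifest_xml)
    flagged = {p: HIGH_RISK[p] for p in perms if p in HIGH_RISK}
    return {
        "requested": perms,
        "flagged": flagged,
        "score": len(flagged),
        "components": declared_components(manifest_xml),
    }


if __name__ == "__main__":
    for perm, reason in triage(SAMPLE_MANIFEST)["flagged"].items():
        print("%-45s %s" % (perm, reason))
```

The score is only a prioritisation aid: a delivery-tracking app has no business reading SMS or contacts, so any hit from the watchlist is worth a closer look in the dynamic analysis, where the permission dialog in Figure 6 shows what the app actually requests at runtime.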