【移动通信网】Palo Alto Networks' threat intelligence team, Unit 42, recently announced the discovery of a new Android Trojan, SpyNote. The Trojan provides remote intrusion capabilities, and its builder was recently leaked on several malware forums. SpyNote is similar to the well-known RAT (Remote Administration Tool) programs OmniRat and DroidJack, and lets the malware's operator remotely administer and control Android devices.
Like other RATs, SpyNote has the following main capabilities:
• No root access required
• Install new APKs and update the malware
• Copy files from the device to a computer
• View all messages on the device
• Listen to calls made on the device
• Obtain the device's contact list
• Listen to or record audio through the device microphone
• Control the device camera
• Obtain the IMEI number, Wi-Fi MAC address and mobile carrier details
• Obtain the device's last GPS location
• Make phone calls
Figure 1: SpyNote control panel
The SpyNote installation package requires the victim to accept and grant SpyNote permission for numerous actions, including editing text messages, reading call logs and contacts, and modifying or deleting SD card contents. There is already evidence of SpyNote being uploaded to the malware analysis sites VirusTotal and Koodous:
• https://www.virustotal.com/en/file/f0646b94f1820f36de74e7134d0bb9719a87afa9f30f3a68a776d94505212cbd/analysis/
• https://analyst.koodous.com/apks/f0646b94f1820f36de74e7134d0bb9719a87afa9f30f3a68a776d94505212cbd
Analysis
Once successfully installed, SpyNote removes the application's icon from the victim's device. It is also clear that the SpyNote builder application was developed in .NET.
The application is not obfuscated and is not protected by any obfuscation or protection tool.
Figure 2: Decompiled SpyNote builder
Since the port number used is identical to the one demonstrated in the video at https://www.youtube.com/watch?v=E9OxlTBtdkA, and the uploader only changed the APK's icon, the uploader most likely followed the method described in that video when using SpyNote.
In addition, the RAT is configured to communicate with its command-and-control (C&C) server at IP address 141.255.147.193 over TCP port 2222, as shown below:
Figure 3: Dalvik bytecode view in Cerbero Profiler
Figure 4: SpyNote opening a socket connection
Based on what we have learned so far, we now know that the malware uses hard-coded SERVER_IP and SERVER_PORT values (see Figure 4) to open the socket connection. We can therefore use Androguard (https://github.com/androguard/androguard) to build a C2 information extractor: the spynote.C2.py script below parses these values out of the APK file and prints them on the command line, as shown in Figure 5.
Figure 5: Extracted command-and-control server information
    #!/usr/bin/python
    # spynote.C2.py - extracts the hard-coded C&C server and port from a SpyNote APK
    import sys
    from sys import argv
    from androguard.core.bytecodes import apk
    from androguard.core.bytecodes import dvm

    #---------------------------------------------------
    # _log: Prints out logs for debug purposes
    #---------------------------------------------------
    def _log(s):
        print(s)

    if __name__ == "__main__":
        if (len(sys.argv) < 2):
            _log("[+] Usage: %s [Path_to_apk]" % sys.argv[0])
            sys.exit(0)
        else:
            a = apk.APK(argv[1])
            d = dvm.DalvikVMFormat(a.get_dex())
            for cls in d.get_classes():
                #if 'Ldell/scream/application/MainActivity;'.lower() in cls.get_name().lower():
                if 'dell/scream/application/MainActivity;'.lower() in cls.get_name().lower():
                    c2 = ""
                    port = ""
                    string = None
                    for method in cls.get_methods():
                        # Field initialisers are compiled into the constructor, <init>
                        if method.name == '<init>':
                            for inst in method.get_instructions():
                                # Remember the most recent string literal loaded...
                                if inst.get_name() == 'const-string':
                                    string = inst.get_output().split(',')[-1].strip().strip("'")
                                # ...and attribute it to the field it is stored into
                                if inst.get_name() == 'iput-object':
                                    if "SERVER_IP" in inst.get_output():
                                        c2 = string
                                    if "PORT" in inst.get_output():
                                        port = string
                                if c2 and port:
                                    break
                    server = ""
                    if port:
                        server = "{0}:{1}".format(c2, str(port))
                    else:
                        server = c2
                    _log('C&C: [%s]' % server)
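The same extraction idea as an added, stand-alone example (not the Unit 42 script above): it tracks which register each const-string lands in, so a store into SERVER_IP or PORT is resolved by register instead of by "last string seen", which also handles interleaved or reordered stores. The smali-style constructor listing it parses is constructed for this example, reusing only the class name, field names and C&C values quoted in this post.

```python
import re
from typing import Dict, Optional

# Constructed smali-style listing of a MainActivity constructor, modelled on the
# const-string / iput-object pattern described above. Sample input, not real disassembly.
SAMPLE_INIT = """
const-string v0, 'scream'
iput-object v0, p0, Ldell/scream/application/MainActivity;->TAG:Ljava/lang/String;
const-string v1, '141.255.147.193'
const-string v2, '2222'
iput-object v1, p0, Ldell/scream/application/MainActivity;->SERVER_IP:Ljava/lang/String;
iput-object v2, p0, Ldell/scream/application/MainActivity;->PORT:Ljava/lang/String;
"""

# const-string[/jumbo] vX, 'literal'
CONST_RE = re.compile(r"^(const-string(?:/jumbo)?)\s+(v\d+|p\d+),\s*'(.*)'$")
# iput-object vSrc, vObj, Lpkg/Class;->FIELD:Ltype;
IPUT_RE = re.compile(r"^iput-object\s+(v\d+|p\d+),\s*(v\d+|p\d+),\s*\S+->(\w+):")


def extract_fields(listing: str, wanted=("SERVER_IP", "PORT")) -> Dict[str, Optional[str]]:
    """Return {field: string literal} for each wanted field stored in the listing.

    Register tracking means a literal loaded several instructions earlier,
    or stores in a different order, are still attributed to the right field.
    """
    regs: Dict[str, str] = {}
    found: Dict[str, Optional[str]] = {name: None for name in wanted}
    for line in listing.strip().splitlines():
        line = line.strip()
        m = CONST_RE.match(line)
        if m:
            regs[m.group(2)] = m.group(3)   # this register now holds the literal
            continue
        m = IPUT_RE.match(line)
        if m and m.group(3) in found:
            found[m.group(3)] = regs.get(m.group(1))  # resolve by source register
    return found


def c2_endpoint(listing: str) -> str:
    """Format the C&C endpoint as the script above does: 'ip:port', or just 'ip'."""
    f = extract_fields(listing)
    if f["SERVER_IP"] and f["PORT"]:
        return "{0}:{1}".format(f["SERVER_IP"], f["PORT"])
    return f["SERVER_IP"] or ""

if __name__ == "__main__":
    print("C&C: [%s]" % c2_endpoint(SAMPLE_INIT))
```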
Conclusion
Installing third-party apps carries serious risk: such sources lack the oversight that official sources like the Google Play Store provide, and even with detailed procedures and algorithms for weeding out malicious apps, the apps on offer are still not beyond reproach. Sideloading apps from questionable sources exposes users and their mobile devices to all kinds of malware and data-loss risks.
So far we have not seen SpyNote used in active attacks, but we are concerned that cybercriminals will start abusing it because it is so easy to obtain. Palo Alto Networks AutoFocus users can now identify this Trojan with the SpyNote tag.
Indicators
SHA256 of SpyNote samples: