
Dogspectus ransomware campaign relies on Leaked Hacking Team Exploits and Towelroot

Blue Coat spotted a new ransomware-based campaign serving the Dogspectus malware. Crooks combined a Hacking Team exploit and the Towelroot exploit.

Security experts at Blue Coat have spotted a new campaign spreading an Android ransomware dubbed Dogspectus. The malicious code hijacks mobile advertisements to scam gift cards from victims: it locks the device in a state that allows the victim to do nothing but make the payment.

The malicious code demands the payment of a $200 fee in iTunes gift cards. The experts at Blue Coat Labs first spotted the threat after a tablet running CyanogenMod 10 / Android 4.2.2 viewed an advertisement that silently served malicious payloads without any user interaction.

The exploit kit used by the crooks in this campaign relies on a previously leaked Hacking Team exploit (targeting libxslt) to serve the Android exploit known as Towelroot. The tool was released by the popular hacker George Hotz in 2014 and is able to root Android devices by exploiting a known Linux kernel flaw (CVE-2014-3153).

The attack is very sophisticated and represents an evolution of the classic malvertising attack, as explained by Andrew Brandt from Blue Coat.

“This is the first time, to my knowledge, an exploit kit has been able to successfully install malicious apps on a mobile device without any user interaction on the part of the victim. During the attack, the device did not display the normal “application permissions” dialog box that typically precedes installation of an Android application,” wrote Brandt. “After consulting with analyst Joshua Drake of Zimperium, he was able to confirm that the Javascript used to initiate the attack contains an exploit against libxslt that was leaked during the Hacking Team breach.”

The operators behind the malware campaign used the Hacking Team exploit in conjunction with the Towelroot tool, realizing a very stealthy attack that is able to compromise almost every older device that has not been updated to the latest release of the Google OS. Be careful: it does not matter whether the mobile device is rooted or not, it can still be compromised by the Dogspectus ransomware, because Towelroot allows an attacker to escalate privileges on the infected device.

“The commoditized implementation of the Hacking Team and Towelroot exploits to install malware onto Android mobile devices using an automated exploit kit has some serious consequences. The most important of these is that older devices, which have not been updated (nor are likely to be updated) with the latest version of Android, may remain susceptible to this type of attack in perpetuity.” continues the post.

The experts determined that at least 224 unique device models, running a range of Android versions between 4.0.3 and 4.4.4 (5.x and 6.x are not impacted), had contacted the command and control servers since February 22.

The problem is serious if we consider that 59.6 percent of the Android devices are currently running version 4.4 or lower.

With the samples analyzed by the researchers, the infected device can still be connected to a computer so that all the files that remain unlocked can be copied from both the internal memory and any additional storage card. The experts also noticed that flashing the operating system with a newer build of Android does not eliminate the Dogspectus ransomware, whereas a factory reset will eradicate it.

In order to limit the effects of a ransomware infection, it is important to maintain an updated backup of any important data present on the device.

“As with other ransomware, the best way to defeat the criminals is to keep a backup of those precious photos, videos, and other data files somewhere other than on your phone or tablet’s internal memory or memory card. That way, you can just perform a factory reset and not worry about losing anything other than the time it takes to reconfigure and reinstall your mobile device’s apps,” concludes Brandt.


Pierluigi Paganini

(Security Affairs – Dogspectus ransomware, Android)
