0wning Emmental

By Axelle Apvrille | October 21, 2014

A long time ago, I posted a video showing how to control Zitmo (the mobile component of ZeuS). It turns out you can (nearly) do exactly the same with Emmental. If you are not aware of Operation Emmental, please jump to this excellent white paper.

So, basically, this operation aims at compromising bank accounts, in particular (but not limited to) those at Swiss banks, which is where the name Emmental comes from. Like ZeuS and Zitmo, or SpyEye and Spitmo, Emmental compromises the victim's PC and installs trojan spyware on the Android phone. The scenario is well devised: the Android application looks like a secure SMS application that the bank would ask you to install.

0wning Emmental

The malware intercepts incoming SMS messages, and forwards them via SMS to a phone number controlled by the attackers or via HTTP to a remote C&C. But, we can 0wn Emmental and redirect SMS to our debug devices/URLs. This is how to do it.

The malware responds to SMS commands; that's how we control it. The body of the SMS must be formatted as: sCode sCommand optional-parameters

  • sCode is the fake security code generated by the malware, for example 664398. This code is actually selected randomly from a pool of hard-coded codes, and you can use any of them.
  • sCommand is the command to send: START, STOP, SETP, CLEARP, SETB, CLEARB, CLEAR, DEL.
  • optional parameters follow and depend on the command.

The command SETP sets the phone number to send SMS to. CLEARP erases the current value. The command SETB sets the URL to send information to. CLEARB erases the current value. The command CLEAR erases both phone number and URL. The command DEL uninstalls the malware :)

So, let's say for in-depth reverse engineering of the malware you want to redirect messages to 12345 and

  1. Send a SMS: 664398 SETP 12345. In response to that command, the malware sends SMS as Figure 1.
  2. Send a SMS: 664398 SETB In response to that command, the malware sends SMS as Figure 2.

Figure 1. SMS message sent by the malware in response to changing the attacker's phone number. The field "DA" indicates whether the malware has been set as the Default [SMS] Application or not. The field "I" is the phone's IMEI.

Figure 2. SMS message sent by the malware in response to changing the C&C URLs.

The malware's shared preferences get updated accordingly: intercepted or status SMS are sent to 12345, and HTTP messages are sent to the new C&C URL.

Don't forget to end by disinfecting your test phone by sending: 664398 DEL :)
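For forensic triage of an SMS export from an analysis phone, the command grammar above can be parsed and replayed to see where intercepted data was being redirected at each point. This is an added example, not code from the original post or from the malware; the function names, the digit-only code pattern, the case-sensitive matching and the sample inbox are assumptions made for illustration.

```python
import re

# Command names exactly as listed in the post.
COMMANDS = {"START", "STOP", "SETP", "CLEARP", "SETB", "CLEARB", "CLEAR", "DEL"}
# Assumptions: sCode is a run of digits (as in 664398), fields are separated
# by whitespace, and commands are upper case as written in the post.
CONTROL_RE = re.compile(r"^\s*(\d+)\s+([A-Z]+)(?:\s+(\S.*?))?\s*$")

def parse_control_sms(body):
    """Return (code, command, params) for 'sCode sCommand [params]', else None."""
    m = CONTROL_RE.match(body)
    if not m or m.group(2) not in COMMANDS:
        return None
    return m.group(1), m.group(2), m.group(3) or ""

def replay(messages):
    """Replay control SMS in order; return (timeline, final redirect state).

    messages: iterable of (timestamp, sender, body) tuples from an SMS export.
    """
    state = {"phone": None, "url": None, "removed": False}
    timeline = []
    for ts, sender, body in messages:
        parsed = parse_control_sms(body)
        if parsed is None:
            continue  # ordinary SMS, not a control message
        code, command, params = parsed
        if command == "SETP":
            state["phone"] = params or None
        elif command == "SETB":
            state["url"] = params or None
        if command in ("CLEARP", "CLEAR"):
            state["phone"] = None
        if command in ("CLEARB", "CLEAR"):
            state["url"] = None
        if command == "DEL":
            state["removed"] = True
        timeline.append({"time": ts, "sender": sender, "code": code,
                         "command": command, "params": params, **state})
    return timeline, state

# Constructed sample export; senders and the URL are placeholders.
SAMPLE_INBOX = [
    ("2014-10-21T09:00", "+10000000001", "Your one-time code is 123456"),
    ("2014-10-21T09:05", "+10000000002", "664398 SETP 12345"),
    ("2014-10-21T09:06", "+10000000002", "664398 SETB http://c2.example.invalid/"),
    ("2014-10-21T09:20", "+10000000002", "664398 CLEARP"),
    ("2014-10-21T09:30", "+10000000002", "664398 DEL"),
]

if __name__ == "__main__":
    for event in replay(SAMPLE_INBOX)[0]:
        print(event)
```

Each timeline entry carries the redirect state after that command, so a change of forwarding number or URL can be tied to the sender and time of the SMS that caused it.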

-- the Crypto Girl
