With malware evolving every day, we’re bound to come across new attack vectors and new types. In the latest case, researchers from Check Point have discovered a new type of Android malware being spread on the dark web by a threat actor dubbed Triangulum.
Alleged to be a 25-year-old Indian man, he appears to be skilled in mathematics, and a few details about his personal life are also known through his profile on dark web forums.
Delving into his malware, the very first one appeared in 2017: a remote administration tool for Android which could collect data from the victim’s smartphone and transmit it to a C2 server, while also having the ability to destroy not only user data but the entire operating system itself.
Soon after, this product was offered for sale in October 2017, but shortly afterward, as the researchers point out, he disappeared with no activity on the forums. Yet in April 2019 he came back, this time offering 4 products for sale in a span of half a year.
These 4 products being developed and made available for sale in such a short time period is what made the researchers suspicious, as it is not feasible for an individual alone to do so. On investigation, it was found that he was collaborating with another actor named HeXaGoN Dev, with whom he had had dealings in the past.
This collaboration has now led the duo to create crypto miners, keyloggers, and additional types of malware.
Moreover, they offered different payment plans for the malware they created: initially a one-time $60 price, later subscription plans, eventually adopting a SaaS model (pretty entrepreneurial if you ask me).
Furthermore, the way they have marketed their malware is also impressive using attractive graphics as shown below:
The above advertisements relate to 2 different versions of the same product, with Rogue being the updated one, version 6.2. It features the capability to do a range of things, including “downloading additional payloads.”
As for whether all of these were self-developed, some of the features have been copied from another open-source malware named Hawkshaw. Commenting on how it evades detection on one front, the researchers state in their research that:
The Rogue malware family adopted the services of the Firebase platform to disguise its malicious intentions and masquerade as a legitimate Google service.
Rogue uses Firebase's services as a C&C (command and control) server, which means that all of the commands that control the malware and all of the information stolen by the malware are delivered using Firebase's infrastructure.
Apart from this, attempts have also been seen by Triangulum to sell to Russians on darknet forums, but this failed pretty quickly due to a lack of reputation in that particular community, so users would not trust him.
To conclude, this is a great example of a malware developer packaging their products in an attractive way like legitimate software developers would do. It shows another type of advancement in the black hat world apart from the obvious increasing technological prowess of attackers.