All right, so there's some room at the front for those just coming in. You are in room two, as you know. We're going to talk about xRAT: a deeper dive into xRAT, monitoring China's interests abroad with surveillanceware, mobile surveillanceware. Our two speakers are Apurva Kumar, a security researcher at Lookout who spends most of her time uncovering and exposing threats as they emerge in and around the mobile space, and Arezou Hosseinzad-Amirkhizi, a security researcher and reverse engineer with experience working in different domains of security. I'll stop their bios there because I want to give them the floor and the time to speak to you.

Thank you very much. Thank you very much for coming. I know it's been a long conference. This is the second day, a Friday afternoon; everybody enjoyed themselves last night at the party and is understandably quite tired, so I'd like to thank you for coming along and melting your brains with some Android reversing. This talk is linked to the previous talk, and I see a couple of people who were there. I hope you enjoyed it; the two are attached to each other. You saw the big picture and all the details of the context of some of our investigations last time, and right now
we're here to tell you about one particular mobile malware family, go really deep into the Android reversing and into all of its technical capabilities, and hopefully this is a good exercise for all the security researchers here.

To give you a quick overview of who we are: my name is Apurva, this is Arezou, and we are security researchers at Lookout. Our focus is mobile malware, whether it be iOS or Android. Just as Kristen showed in her last presentation, we spend all of our time looking at the malware, looking at its context, understanding how it's being used, but also immersing ourselves in each family and trying to understand why these malware developers are doing what they do, and how they do it.

Today we're going to talk to you about two different families. Kristen already mentioned Xsser mRAT, so I hope you are taking notes; there will be a test. Then we will deep dive into xRAT: its technical evolution, how hard it was to actually see that evolution and categorize it, its communication, how it talks to its C2 infrastructure and what the C2 infrastructure says to it, as well as some of the context around its investigation and what that tells us about the malware. The focus of this talk is really what context can tell us about the malware, and how we can use that context to flesh out more of the malware's capabilities and details.

So, Xsser mRAT. If anybody could stand up and tell me what they remember about the previous slide... Xsser mRAT was discovered in 2014, and it was widely reported.
It had two components, Android and iOS. Kristen already went into a lot of detail as to why it was built the way it was, but I'll tell you a little bit about it again for the new people in the room. It had an iOS application, which we're not going to talk about at this point, but it needed a jailbroken device and was installed through a Cydia package. What we're going to focus on today is the Android component, which was a two-stage application. It had a benign front and posed as a Code4HK application. Code4HK is a non-profit organization in Hong Kong that advocates for transparency within Hong Kong, so it was of interest to a particular set of people in Hong Kong, as you can imagine. It was discovered in 2014, as I said, during the pro-democracy protests, during the Umbrella Movement. It was a two-stage Android application that contacted a C2 server at xsser.com, which is exactly where it got its name: Xsser mRAT. mRAT is obviously mobile RAT, and a RAT, for any beginners in the room, is a remote access Trojan.

It looked like this. When it was running it disguised itself, and as soon as it got installed it asked to install a second application called "system thread", basically posing as a system application on Android, and then it would disappear into the background. As I said before, it was widely reported, and this is an example of a message received by one of the pro-democracy protesters, people who were part of the Occupy Central movement. They received a link something like this, which downloaded a sample of Xsser mRAT, so there was a lot of reporting around it.
There was a lot of chatter around it at the time, and this particular article goes into how the Code4HK organization claimed it had nothing to do with this application. It said, "we don't have an Android application and we know nothing about this application," which is how we know that perhaps they didn't source it, they didn't develop the application themselves.

While this reporting was going on, Arezou and I were looking at this RAT, trying to understand it and break it apart, and while we were doing that we came across a different variant. Now, depending on who you speak to and how they classify malware (it's not too much of a science, it's more of an art; people see different similarities and different code structures and conclude totally different things), xRAT can be considered a variant of Xsser mRAT, but we classify it as a different family. Regardless of those very specific details, we're going to go into why we think xRAT is different, how exactly it's different, and explain to you perhaps some of the motivations behind the actor and how they've changed throughout the years. So we're talking about an application that started in 2014.

We've also written a blog about this, because I know all of you read our blog very carefully and have already caught up on this particular one, in the middle of 2017. We've blogged about it extensively; it's not a new family, but it's still worth talking about, and I'll go through why. The blog talked about the high-level view of the initial version of xRAT that we saw and some of its capabilities. Some of the interesting things were exactly what you'd expect of a surveillanceware family. Surveillanceware, and Kristen again went through that in her previous talk, is an application that targets a particular group of people and exfiltrates as much information off a mobile device as it can, within the context of mobile malware.
Obviously, some people call it spyware, but don't get the two confused. I have to explain that distinction because some people will call it spyware, but at Lookout we call it surveillanceware. The interesting thing that wasn't surveillanceware-like about xRAT is the last item that you see over there, which says it repeatedly downloads and deletes large files, supposedly trying to exhaust mobile data. That runs counter to surveillanceware: you don't want the person to know that you're on their device, but that seems to be quite a nuisance that starts to raise red flags for the user. So that's an interesting point to make about xRAT.

Let's take a look at one of the more recent versions, and then we'll talk about the evolution as a whole. xRAT, in the context of a sample that we received in May of 2019, has two main aspects to its structure and functionality. It has a class called the protocol class, which is basically an enumeration with two sets of things in it: a set with the suffix C2S, which we suspect is client to server, and another set that is S2C, server to client. We call the C2S ones actions; these are things the client can execute, actions it can perform on an infected device. The S2C ones are commands it can receive from its server. So the server, or the command and control infrastructure, can come back with 45 different commands and tell the client, the RAT, to do whatever it needs to do. Some of these things overlap, but they're not necessarily the same.

What's interesting on this slide is the icons it uses. Again, just like its older cousin Xsser mRAT, xRAT uses the generic Android application icon to try and blend in; obviously, that's the image for the operating system, so it can't be anything bad.
But there are two interesting samples that have a slightly different picture, and the fact that they're so rare and have a different icon as well as separate titles may tell us something about where else we can find this surveillanceware and perhaps what it was used for. The graph that you see is Lookout data for when samples were acquired by Lookout, and you can see the different spikes: in 2017 when our blog came out, again in 2018, and now we're seeing a much more consistent use of the malware. So it's still being used, it's still being handled, and that's interesting to take note of.

It is surveillanceware, it is spyware, so it's going to take everything it can possibly take from your device. And as we've already established, as Eva established in her keynote, if you take control of a person's phone you take control of their life. So it's got everything for you: exactly what websites you visited, who you called, what meetings you had, what applications you have on your device, what files you've downloaded, all your passwords, all the files and then the passwords to unlock those files, all the pictures you've taken of your dog and your cat and your family and your co-workers, recordings of wherever you take your device. These are not difficult to do; we see these every day in every single surveillanceware family. So this is just the wide range of things that xRAT can do, and that surveillanceware applications generally can do. The interesting thing to look at on the slide is the WeChat databases and the QQ data. xRAT is particularly targeted at people who have those things on their devices, so it could be people who are more inclined to use applications such as WeChat and QQ. You can probably tell that there's a particular area of the world where these are more popular than others.

So let's get to the evolution of it and how we decided to categorize it.
Again, it was very hard; it's been running for a long time, and a lot of these categorizations were actually very hard to make based on code structure. For all the researchers in the room, you know that most of the time you look at the changes in code to try and classify and categorize malware, but this was very hard to do with xRAT. The code looks largely the same throughout all versions. There are small, minor differences in one or two samples, and those are the ones we want to focus on, but it was actually easier to categorize them into three separate categories, which we call versions, based on the configuration files found in the malware. We're going to look at the dates of the configuration files, the date on which they were last modified.

Version one was a little more like a baby. Its configuration files were very simple: plain text, no obfuscation. They were last modified from around December 2014 to June 2018, so even, you know, fairly recently. They were about three percent of the samples we observed. It had some interesting anti-analysis mechanisms, which I'll go through, and it had a second stage.

Version two, which comes along next, is more like a toddler, I would say. It was about 92 percent of observed samples, so this is the one that's really favored by the xRAT developers. Its configuration files were DES encrypted. There was some minor obfuscation and emulator detection within it, which again we'll go through. It had some persistence mechanisms and some new commands, and we see this version up until today. It's quite a detailed one and quite a change from version one. Now, the thing you have to realize about version one and version two is that some of the things have disappeared. Version two doesn't have any anti-analysis mechanism, so this is interesting: why did they move away from that?
Then let's look at version three, which is more like an angry teenager. It's about five percent of the samples that we saw, and the last-modified dates of the configuration files were from October 2017 to April 2019. They were AES encrypted, and they used multiple encryption keys, not only one. But you can see that actually some things were taken out and some things were put in. It's not necessarily that it was just increasing its level of obfuscation every single time.

With that, let's deep dive into some of the technicalities, and I'll start with the quick ones, which are the anti-analysis and anti-detection mechanisms. The most interesting one was the self-destruct functionality of xRAT. This, I believe, was also seen in mRAT, and what it did was clean up certain files and directories. Depending on the sample, it could basically wipe your phone if it wanted, but depending on the sample that you looked at, it cleaned up different files and directories. That's an interesting point to make: why was it different? It almost appears like it wasn't mass produced, right? Each sample was kind of created that way for a reason.

It had antivirus checking: if it found any of those antiviruses on the infected device, it would disable all of its RAT functionality. It didn't want to be found. It had some emulator checks: BlueStacks is a popular Android emulator, and it looked for that. It looked for particular IMEI numbers; if you're not into mobile devices, that's the unique identifier for mobile devices. So it looked for particular IMEI numbers that are linked to particular emulators. Now, while this isn't a complicated check, and some emulators can probably get around it, this is pretty good for, I don't know, 90% of the dynamic analysis engines that are out there. It also did the usual, and when I say usual, it's because we see it every day: it hides its icon.
It hides activity. There's nothing really on the screen that would let a lay user figure out there's something running on their device. The last thing is that it put all of its exfiltrated data, the updates of itself, as well as its debugging logs, all in hidden folders on the SD card, probably due to size.

The last thing I want to talk about is the anti-analysis mechanism. This was really interesting: the initial versions, as well as Xsser mRAT, crashed the popular tool dex2jar. If you've never reversed an Android application before, dex2jar is a very popular tool used to convert a DEX file, which is how Android application code exists in an APK, to a JAR file, which can be easily reversed. What it did was have a zero-width instruction at the beginning, which kind of threw off the tool and crashed it. This was moved away from. It's interesting because maybe it signaled that they didn't really care whether people were looking at it. There are better tools out there as well; perhaps the people who were trying to reverse them didn't use dex2jar. It's just interesting to see, and to get into the mind of the person developing this tool: why did they get rid of that? I guess we'll talk about the configuration files and how they change now.

Hello everyone. I'm going to jump into the configuration files. I've probably mentioned them a couple of times now. Let's see what they are and what they include. Basically, a configuration file is a file in the asset folder of the package. It will include information about the server, the C2 or command and control: it will include an IP and a port. I'm not going to talk about version one of this family because, as Apurva said, it was a baby and it was in plain text, so there's no reason to bother you with that. It's readable, so everybody can just go and look at it. Let's look at version two.
However, it starts encrypting this information in the asset file. The asset file in this case is called string.xml. The string that is used to generate the decryption key is a double base64 encoded string, hard-coded in the class that does the decryption and encryption, called DesUtil. The decryption algorithm used is DES. These are some samples of the double base64 encoded DES keys that we observed throughout this family.

Let's move on to version three now. Version three takes it one level higher in terms of complication. In this case the file is called consata, and it's still located in the asset folder of the package. It still includes the C2 information; however, this time the decryption key is also included in the configuration file. It's the first line of the file; the second line is the IP address, and the third line is the port of the C2 server. Another thing to note about version three is that some of the code is hidden in another file in the same asset folder. This file is usually called base.ipk or base.btc, but the name can change at any time. This asset file is XOR encoded and can easily be decoded using a key, which varies across different samples. These are the two AES encryption key sets that we have observed through the samples that Lookout acquired.

Okay, now let's talk about the more interesting stuff: commands. Commands are what the server instructs the infected device to do, and these are the common commands across this family. We reported these in detail in the blog we published in 2017. These are typical surveillanceware commands. You've seen them; Apurva talked about them, Kristen talked about them.
So I'm not going to repeat the information, but just take note that these are all surveillanceware actions requested from the device. Now let's move to the more interesting stuff. I'm going to mention three sets of commands that Apurva and I have recently seen and thought were interesting. The purpose of my talk is to walk you through them, and hopefully at the end you will agree with me about why they are interesting, and then we will draw a conclusion about how exactly they can be used.

Starting with the first command, it's called DoIntruder. The purpose of the command is to direct the infected device to make multiple HTTP or HTTPS requests to an arbitrary host and port, changing arbitrary sequences in that request. It also searches the request and response for certain keywords, and if it finds them it reports to the server; it also logs the response from that request. The syntax of the command is like that: a separator is used to separate the fields. I have memorized the name of this character many times and I've now forgotten it, so it just looks like that: a section mark. Okay, so the first field is the command that comes from the server, obviously, and then it has certain fields: the targeted host, the targeted port that the request has to be sent to, a store path, which is a string that is a path in the file system on the device, and keywords; don't be misled by the S, it's just one single keyword. There are a couple of flags here, isSSL, isRandHeader and isSaveResponse, which are all boolean type. And there are two fields in this command that themselves include multiple fields: those are request and var, and they are both base64 encoded.

So now let's deep dive into the function and try to parse this command. We are the client. We have received this now.
Let's take it step by step. First we want to separate the fields so we can take a look at them, and secondly we want to start with the more complicated ones, the ones that have multiple fields in them. So we're going to start with var. The var variable is also separated by semicolons, so we are going to split it in the same way that we did for the command. Then we are going to generate several dictionary lists, zero to four dictionary lists, from this var variable. Each dictionary is also separated, by a colon, and it has two fields, field zero and field one. Field zero is the string to be replaced, and field one is the string to replace that first field with. If field one starts with a file path indicator, which is a slash, that means this is a file path, not a string: do not use this to replace the string; just go search the device for this path, obtain the file that is located there, grab it, and try every single string in that file; they're obviously delimited by newline, \r or \n.

Okay, so now we have a dictionary list. We know what strings to substitute and what strings to use to do the substitution, but where is this going to be applied? We're now going to parse the second field, which is called request. It is a standard HTTP request, separated by CRLF, two of them, to separate the URI and headers from the body. If the body doesn't exist, that's fine; then the request just has one line. We're going to refer to this as the original request, or "ori request" as the malware calls it. Now we are going to check how many dictionaries or substitution strings we got. If there are zero, we just move on to the next function, which interestingly is called Craig HTTP. If it's not zero, then we need to parse those fields and replace the request with all the combinations of the dictionaries.
This is going to be done in a nested loop, and the malware is going to make sure that all the strings are replaced. So basically, think of dictionaries as placeholders for the strings to be replaced: if there are four dictionaries, that means there are four places in the original request that we can replace with any string the server commands the device to use.

The next step: we are going to call Craig HTTP. We're going to pass this modified request to it as the first parameter, and then everything we used to generate the current request as the second parameter, for information. So now let's dive into Craig HTTP and see what happens after. Remember there was an isRandHeader; this is going to be checked, and if the server wants to add random headers to the request, we're going to do so by generating an X-Forwarded-For and a Client-IP header and populating them with a random IP address. The purpose of X-Forwarded-For and Client-IP in an HTTP request is usually to signal to the receiver of the request where the request is coming from; it is usually used for devices that are coming from behind a proxy. So in this case we are replacing it with random IP addresses, because obviously we want to hide where we're coming from. If no random header generation is required, then we just dive into the next part, which is using the request that we generated and sending it to the targeted host and targeted port instructed by the server.

Now, the next part. We had one string called keywords, and we are going to use that to search the response we are receiving from that specific host and port. Whether we find this keyword or not, we are going to tell the command and control server about it.
I did find it or I didn't find it, and we're going to log it with the response. Then we check whether isSaveResponse is set or not; if it is set, we're going to log this and store it at the path instructed by the server. If it is not true, then we move on to logging everything for the C2, and this happens every hundred times. This whole function that I explained to you is called HTTP fuzz by the malware, so we are going to call it a fuzzing attempt.

Okay, next command: DoPortMap. The purpose of this one is to direct the infected device to act as a proxy between two arbitrary hosts and ports. It's way simpler than the previous function. It only has four parameters: two IP addresses and two ports. What it's going to do is get the first IP and port, generate a socket, listen at that port, do the same thing with the other IP address, and now all it needs to do is transfer data between the two. Okay, I was supposed to highlight it before explaining it, but...

The next command, and the last one that I'm going to speak about, is DoRepeat. This one directs the infected device to perform an HTTP or HTTPS request, optionally with a slightly randomized header, and deliver the response back to the server in a form that is displayable in a web browser. DoRepeat is simple: targeted host, targeted port, two flags, isSSL and isRandHeader, and a request; again, multiple fields in the request, base64 encoded. So let's parse this command. First, what does request include? Let's break it into a standard HTTP request. We're also going to do some trimming on it, which basically means that if the HTTP body does not exist, we just treat it as one string or one line. Then we check if isRandHeader is set, and we do exactly what we did for the first function I explained: adding X-Forwarded-For or Client-IP and populating both of them with a random IP. So the replace function here in the code that has user agent, user agent random
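What a captured DoIntruder command looks like once it is taken apart the way the speaker just walked through it, as an added example written for this transcript (it is not code from the talk, from Lookout, or from the malware): it splits the fields on the section-sign separator, base64-decodes request and var, splits var into its colon-separated dictionaries, and flags the file-path case. The exact separator character, the field order and the sample command are assumptions reconstructed from the spoken description; the code only decodes a command for an analyst and never sends a request.

```python
import base64

# The separator the talk describes as a "section mark"; its exact identity is an assumption.
SEP = "\u00a7"
FILE_PATH_INDICATOR = "/"

# Field order is an assumption reconstructed from the spoken description.
FIELDS = ["command", "host", "port", "store_path", "keyword",
          "is_ssl", "is_rand_header", "is_save_response", "request", "var"]


def parse_dictionaries(var_text):
    """var is ';'-separated; each dictionary is 'field0:field1'.
    field0 is the placeholder to replace; field1 is either a literal value or,
    when it starts with '/', a path on the device whose lines supply the values."""
    dictionaries = []
    for entry in var_text.split(";"):
        if not entry:
            continue
        field0, _, field1 = entry.partition(":")
        if field1.startswith(FILE_PATH_INDICATOR):
            dictionaries.append({"placeholder": field0, "source": "file", "path": field1})
        else:
            dictionaries.append({"placeholder": field0, "source": "inline", "value": field1})
    return dictionaries


def parse_do_intruder(raw):
    """Decode one DoIntruder command string into its fields (nothing is sent anywhere)."""
    parts = raw.split(SEP)
    if len(parts) != len(FIELDS):
        raise ValueError(f"expected {len(FIELDS)} fields, got {len(parts)}")
    cmd = dict(zip(FIELDS, parts))
    cmd["port"] = int(cmd["port"])
    for flag in ("is_ssl", "is_rand_header", "is_save_response"):
        cmd[flag] = cmd[flag].strip().lower() in ("1", "true")
    # request is a base64-encoded raw HTTP request; a blank CRLF line separates head from body.
    request = base64.b64decode(cmd["request"]).decode("utf-8")
    head, _, body = request.partition("\r\n\r\n")
    cmd["request_head"] = head
    cmd["request_body"] = body
    cmd["dictionaries"] = parse_dictionaries(base64.b64decode(cmd["var"]).decode("utf-8"))
    return cmd


def summarize(cmd):
    """The facts a responder wants from a captured command: where it would be aimed,
    what it searches the response for, and which placeholders occur in the request."""
    request = cmd["request_head"] + "\r\n\r\n" + cmd["request_body"]
    return {
        "scheme": "https" if cmd["is_ssl"] else "http",
        "target": f'{cmd["host"]}:{cmd["port"]}',
        "keyword": cmd["keyword"],
        "rand_header": cmd["is_rand_header"],
        "placeholders_in_request": [d["placeholder"] for d in cmd["dictionaries"]
                                    if d["placeholder"] in request],
        "file_sourced_dictionaries": [d["path"] for d in cmd["dictionaries"]
                                      if d["source"] == "file"],
    }


# Constructed sample command (not a real capture); the host is a private-range address.
REQUEST_TEXT = "GET /status?id=ID HTTP/1.1\r\nHost: 10.0.0.5\r\nX-Region: REGION\r\n\r\n"
VAR_TEXT = "ID:/sdcard/.cache/ids.txt;REGION:hk"
SAMPLE_COMMAND = SEP.join([
    "DoIntruder", "10.0.0.5", "8080", "/sdcard/.cache/resp.log", "ok",
    "1", "1", "0",
    base64.b64encode(REQUEST_TEXT.encode()).decode(),
    base64.b64encode(VAR_TEXT.encode()).decode(),
])

if __name__ == "__main__":
    print(summarize(parse_do_intruder(SAMPLE_COMMAND)))
```

The `summarize` output is what you would put in an incident ticket: the internal host and port the device would have hammered, the keyword the actor was looking for in responses, and whether a wordlist on the SD card (the file-path form of a dictionary) was driving the substitutions.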
IP basically does nothing but generate the random IP, so "user agent" is just a misdirection. Now we are going to send this request to the instructed host on the instructed port. If isSSL is set we do so over HTTPS, and then we wrap all of the data that we sent and processed in HTML tags and call it finalRetVal. In the next step we report to the server that this was processed, and we basically report that finalRetVal back to it.

So now I've talked about these three commands, and you have already heard me saying HTTP, HTTP request, arbitrary, fuzzing. These are the commands that we previously showed you, and these are all surveillanceware commands. So one would think: what does this set of commands have to do with surveillanceware commands? We're going to wrap this up as my conclusion: new commands, new purpose. That's what Apurva and I were brainstorming about. One thing that we could not get was receiving a response from the server. Basically, we didn't have the server; we tried to communicate with the C2s that we obtained from the malware, but they did not reply back to us. For whatever reason, it could have been certain conditions we didn't meet, it could have been our geolocation, but we didn't get any data. Because of that, because I have not seen actual data or actual strings coming from the server, or commands coming from the server, I cannot be certain about what exactly is intended by these three commands. However, reverse engineers always say the code is there, just go read it, and we did read it. So the next step for us is to conclude something.
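The random X-Forwarded-For / Client-IP values that both DoIntruder and DoRepeat can inject leave a footprint on the receiving server: one TCP peer presenting many different forwarded-for addresses in a short span. The following detection, added here as an example and not taken from the talk or from Lookout, runs over constructed access-log lines and flags such peers while skipping known proxies, which legitimately forward many client addresses. The log format (combined log with an `xff="..."` field appended) and the sample lines are constructed.

```python
import re
from collections import defaultdict

# Constructed log format: combined log with the X-Forwarded-For value appended as xff="...".
LOG_RE = re.compile(
    r'^(?P<peer>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<req>[^"]*)" '
    r'(?P<status>\d{3}) \S+ xff="(?P<xff>[^"]*)"'
)


def parse_line(line):
    m = LOG_RE.match(line)
    return m.groupdict() if m else None


def detect_spoofed_forwarding(lines, trusted_proxies=frozenset(), min_distinct=4):
    """Flag TCP peers that present many different X-Forwarded-For values.
    A known proxy legitimately carries many client IPs, so those peers are skipped;
    any other peer rotating the header is supplying it itself."""
    xff_by_peer = defaultdict(set)
    requests_by_peer = defaultdict(int)
    for line in lines:
        rec = parse_line(line)
        if rec is None or rec["peer"] in trusted_proxies:
            continue
        requests_by_peer[rec["peer"]] += 1
        if rec["xff"] not in ("", "-"):
            xff_by_peer[rec["peer"]].add(rec["xff"])
    return {
        peer: {"requests": requests_by_peer[peer], "distinct_xff": len(values)}
        for peer, values in xff_by_peer.items()
        if len(values) >= min_distinct
    }


# Constructed sample log lines (not real traffic); addresses come from documentation ranges.
SAMPLE_LOG = [
    '192.0.2.77 - - [03/May/2019:10:00:01 +0000] "GET /index.html HTTP/1.1" 200 512 xff="77.12.9.1"',
    '192.0.2.77 - - [03/May/2019:10:00:02 +0000] "GET /index.html HTTP/1.1" 200 512 xff="203.44.1.90"',
    '192.0.2.77 - - [03/May/2019:10:00:03 +0000] "GET /index.html HTTP/1.1" 200 512 xff="8.100.2.3"',
    '192.0.2.77 - - [03/May/2019:10:00:04 +0000] "GET /index.html HTTP/1.1" 200 512 xff="91.7.66.210"',
    '192.0.2.77 - - [03/May/2019:10:00:05 +0000] "GET /index.html HTTP/1.1" 200 512 xff="150.3.3.3"',
    '192.0.2.77 - - [03/May/2019:10:00:06 +0000] "GET /index.html HTTP/1.1" 200 512 xff="42.9.1.14"',
    '198.51.100.9 - - [03/May/2019:10:00:07 +0000] "GET /app HTTP/1.1" 200 900 xff="10.1.1.5"',
    '198.51.100.9 - - [03/May/2019:10:00:08 +0000] "GET /app HTTP/1.1" 200 900 xff="10.1.1.6"',
    '198.51.100.9 - - [03/May/2019:10:00:09 +0000] "GET /app HTTP/1.1" 200 900 xff="10.1.1.7"',
    '198.51.100.9 - - [03/May/2019:10:00:10 +0000] "GET /app HTTP/1.1" 200 900 xff="10.1.1.8"',
    '203.0.113.4 - - [03/May/2019:10:00:11 +0000] "GET /login HTTP/1.1" 200 300 xff="-"',
    '203.0.113.4 - - [03/May/2019:10:00:12 +0000] "POST /login HTTP/1.1" 302 0 xff="-"',
]

if __name__ == "__main__":
    # 198.51.100.9 is the organisation's reverse proxy in this constructed scenario.
    print(detect_spoofed_forwarding(SAMPLE_LOG, trusted_proxies={"198.51.100.9"}))
```

The same rule applies to anything that consumes these headers downstream: rate limits, geo-blocks and audit logs should key on the TCP peer unless the peer is a proxy you operate, otherwise a single infected handset looks like a crowd of unrelated clients.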
There are some potential uses for these three commands. The first theory that we have is that an adversary can use these commands to gain access behind a firewall. Now imagine you're an enterprise company. You have all the security, and then one of your employees is going to download one of these RATs on their jailbroken Android device and not follow the policies of the company. Now that device is inside your firewall and is able to tunnel every bit of information outside your firewall, and nobody's going to know about it. So this actually introduces some enterprise risk.

Secondly, with HTTP requests, multiple sending, fuzzing, everything, this can be used to scan internal networks. Again, you have a device inside the network. You can try scanning, sending arbitrary requests to multiple hosts and ports around you, observe the response, and try to get some information about what's around your device; basically gather information about, in the case of an enterprise, what other devices are there, who else can I get into, or what else can I do with this information. And after reconnaissance always comes: is there any vulnerability, is there anything that I can exploit here, what version of IIS or Apache are these hosts and ports using, how can I engineer my requests to exploit them, and the malware can just go and try its luck. A fourth theory, which is not impossible, is to send multiple HTTP requests to a single host and port to the extent of exhausting resources on that device: basically denial of service, DoSing that device.
Now let's take it one step further. Let's assume that the malware has infected multiple devices and now it's going to use all of these devices to send requests to one single host, basically distributing this denial of service attack and creating a DDoS attack.

So the questions are... We think there are two scenarios possible here. Number one, which is the stronger one, is that the authors are now changing their scope. The authors of xRAT are changing their scope: surveillanceware is not sufficient anymore and they are adding new functionalities. They want to go beyond surveillanceware and do other stuff as well. Theory number two happens all the time, especially when the malware has simple code: other threat actors steal the code and add their own functionalities to it. So this could be a totally different actor, and it has potential for more investigation and research.

Okay, so we processed the commands. Now let's look at the communication protocol, what happens between client and server. I'm going to take one of the client actions and talk about connect, which is basically the first connection that happens between client and server: the malware is installed on the device, and now the device wants to check in with the C2 and say, hey, I am here, and this is the information I have. For example, this is my IP, I'm in this network; if you want to use this IP to tunnel to other hosts, do so. So connect gathers a bunch of information about the device and constructs a packet that has one opcode, which basically tells the server, heads up, this type of information is coming your way. The next field is zero. It's referred to as target form. Honestly,
I'm not sure what it is for. The third field is the length of the packet; again, this type of information is coming your way, heads up, this is the length of it, be prepared, and the information is going to follow. So the final packet shows the size of those fields: opcode, two bytes; target form, two bytes; length, four bytes; and the rest of the packet depends on whatever number of bytes is specified by the length. This is a snapshot of the pcaps in version one and version two; those are the fields that I just talked about. In version one and version two the opcode of the connect has changed. The target form is the same; the length varies, so they may not be sending the same amount of information to the server in the connect function, and the rest of it is just the packet. This is version three, the angry teenager. This one follows the same protocol: it has a command, target form, length and final data, but for the final data it takes it one step further: it is encrypted, then gzipped, and then sent to the server.

That was a large amount of information and technical analysis, so what we wanted to do now was switch gears and talk a little bit about the context of this malware. When I say context, there's one aspect which we've spoken about before and which Kristen spoke about in the previous talk, which is attribution. But what we also want to talk about is what all of this information and all those small little details tell us about the malware itself, and also about what more you can find using this information. I wanted to give you an idea of what the C2 infrastructure looks like. It's still live today, and this is one of the more recent ones that's still online. Now, the picture makes it look way more hectic than it really is. It's not this fantastic; it looks like there's actually something hiding there, and there's a picture, and there's some restricted access and some target located, and from translating very generally
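The framing just described (opcode, target form, length, then `length` bytes of data) is simple enough to re-implement as a stream splitter for a pcap, which is what you need before you can compare connect packets across versions or write a network signature. The following is an added example for this transcript, not code from the talk or from Lookout: it frames a constructed client-to-server stream, stops cleanly at a truncated tail, and recognises the gzip layer that version three adds. Network byte order and the opcode values used in the sample are assumptions; the encryption under the gzip layer is not modelled, so the inflated version-three payload is just an opaque placeholder.

```python
import gzip
import struct

# Header layout from the talk: opcode (2 bytes), target form (2 bytes), length (4 bytes).
# Big-endian (network) byte order is an assumption; the talk does not state endianness.
HEADER = struct.Struct(">HHI")
GZIP_MAGIC = b"\x1f\x8b"


def build_packet(opcode, target_form, payload):
    """Frame a payload the way the connect action does; used here to construct sample data."""
    return HEADER.pack(opcode, target_form, len(payload)) + payload


def parse_stream(data):
    """Split a captured client-to-server byte stream into framed packets.
    Returns (packets, remainder); remainder holds a trailing truncated packet, if any."""
    packets = []
    offset = 0
    while offset + HEADER.size <= len(data):
        opcode, target_form, length = HEADER.unpack_from(data, offset)
        start = offset + HEADER.size
        if start + length > len(data):
            break  # incomplete packet: wait for more bytes rather than misparse
        payload = data[start:start + length]
        packets.append({
            "opcode": opcode,
            "target_form": target_form,
            "length": length,
            "payload": payload,
            # Version three gzips its (encrypted) data, so the payload starts with the gzip magic.
            "gzipped": payload.startswith(GZIP_MAGIC),
        })
        offset = start + length
    return packets, data[offset:]


def inflate(packet):
    """For a version-three style packet, undo the gzip layer; what remains is still the
    encrypted blob, which this example does not model."""
    return gzip.decompress(packet["payload"]) if packet["gzipped"] else packet["payload"]


# Constructed stream (not a real capture): a version-one/two style connect, a version-three
# style connect, and two stray trailing bytes standing in for a packet cut off mid-capture.
# Opcodes 1 and 2 are placeholders, not the real values.
V12_INFO = b"ip=192.0.2.10;model=constructed-device"
V3_INNER = b"opaque-encrypted-bytes"
SAMPLE_STREAM = (
    build_packet(0x0001, 0, V12_INFO)
    + build_packet(0x0002, 0, gzip.compress(V3_INNER))
    + b"\x00\x01"
)

if __name__ == "__main__":
    pkts, rest = parse_stream(SAMPLE_STREAM)
    for p in pkts:
        print(p["opcode"], p["target_form"], p["length"], p["gzipped"], inflate(p)[:24])
    print("truncated tail:", rest)
```

Once the stream is framed this way, the per-version differences the speaker points at (changed opcode, same target form, varying length, gzip magic at the start of the data in version three) are just field comparisons across packets.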
the information at the top of the page, and in the rest of the page if you keep scrolling down, which isn't pictured here, it seems to be just a blog site. It's a website that holds certain conversations between developers of different things, which doesn't really make sense, but it's live and it's working. But this is just the front. If you take a look at some of the subdomains, it's hiding some APKs, and an APK is obviously an Android application. And this was modified on the 4th of April of this year. So even if we don't know much about what this malware is doing and how it's doing it, we know it's still being handled. It's still being worked on. It's still being, perhaps, manipulated by the actors or by the developers, whether it's the same ones or not. And web.config didn't really come back to me with anything, and this is a hallmark of Xsser mRAT and xRAT: the servers are very locked down. We don't hear much from them. You can, and this is built into the code structure,
you can send a lot of data, and the server will accept anything you give it, all your data, it'll take it, but it will never come back with something, or it'll come back very rarely. And this is sort of consistent with the way that this actor, or the actors, operate.

The other thing that we can tell with the limited information that we have is the geolocation of some of those servers. Of course, that doesn't tell you too much about where the actors actually are; they can easily use VPNs and connect through different areas. But what we did notice is there were about 43 servers that we'd seen in total, some online and some offline, but 11 of those, the vast majority of those, were actually located within Hong Kong, and there was a smattering around in the US. Now you might think, well, this doesn't really tell me much, the actors could be anywhere. But the truth is that this is actually consistent with Xsser mRAT. So for years, since 2014, we're seeing the same pattern. It could be that somebody's trying to hide, and things like that, and these might be false flags, but it is interesting that certain things remain the same. There's some consistency there, which may suggest that it's still the same actor employing and deploying these tools.

Then there are other smaller little things that I wanted to draw your attention to, and I'm interested to see what you guys think and what your theories might be about these things. But what's interesting is the titles of the applications. When I say titles,
I mean application names. It's when you download something and install it on your Android device, the words that come below the icon. These titles were particularly interesting, and I'm going to take a quick look at what the Xsser mRAT titles said about the family. As you can see, the titles are very generic things: System Thread and System IM and System ADB, which is a little weird, but the others seem to be quite normal, right? They look like things that may perhaps be required by the operating system, if you're not familiar with Android. But the one that stood out, especially to the researchers, multiple researchers that were looking at Xsser mRAT, was the second one on the list there that says Code4HK. Those were about 11 samples out of the 114 samples that we saw, and that's the one that stood out. Everything else looks generic and looks Android-y, and then there's Code4HK, which is probably particularly targeted at a certain set of people that are interested in that particular organization, which may lead you to believe how it was being used.

So let's do the same thing with xRAT. These are the titles that we saw. We saw a lot more samples, 328, and all of them are, again, legitimate processes. System UI is the thing that runs on Android, so even if you're quite a tech-savvy person, maybe it might not raise that many red flags, but we'll go into that later. The ones that are really interesting are the last two at the bottom there, and the rendering isn't perfect on the last one, but it's difficult to say what those mean without the context of the people that are being targeted. So Code4HK was really popular, right?
The Umbrella Movement was going on in 2014. There was a lot of reporting around it. There was so much context that you could see as an external observer. But xRAT had only two samples whose titles were in Mandarin or Taiwanese or Chinese, some Chinese language. And so what we did was we took one of those, let's say we took the last one, and we threw it into Lookout's data set, and we saw what came back. And we found four samples with that title alone, and three of them were the legitimate application. This is a legitimate application for a website called Lion Travel; it's a company that specializes in travel tours around Taiwan. And what you have to realize is, if you're not within the situation and if you're not within the context of where this malware is being used, it probably doesn't ring too many bells. But maybe you're the person who uses Lion Travel for your tours and travels and buys your parents a family trip to Taiwan, and perhaps the employees at Lion Travel use a particular airline, or have a certain set of people that they know, quirks and ideas. Perhaps they book travels for somebody important. It would be interesting to go down these little small threads and pull them and see what comes out at the other end, and that forces you to think a lot more and immerse yourself in where this malware is being used. So that's just an interesting tidbit of information, which I'm sure, if you go home tonight and pull on that thread, you might find something interesting. Definitely reach out to us and let us know what you think.

So I'm going to summarize our little talk today. I hope you really enjoyed it. Xsser mRAT: we talked a lot about it. It's been reported quite a lot. It was a multi-platform tool and it masqueraded as Code4HK. xRAT isn't too different. It appears to be used by the same people. Could there be an iOS component that we haven't seen yet?
Maybe I haven't poked the servers long enough. There are obviously code similarities. They're so similar, in fact, that you almost can't separate the samples looking at the code structure. The infrastructure is still live, and it has very recently uploaded an APK; it's still being handled, it's still being used. Let's find the links that link back to that. Perhaps there is a Twitter handle that's sending DMs to interesting people about, hey, why don't you book your tours through this website or this app?

So I guess the larger picture that I wanted to get everybody to start thinking about is that the mobile field, we know, changes a lot, changes a lot more than any other field that we've seen in technology, and it turns out that mobile authors may need to keep changing their tool set just as fast. And the interesting thing looking at xRAT, so there are many different mobile families that keep changing, right? But why we focused on xRAT was that they didn't only keep changing as an increase in complexity; they kept moving laterally as well. They dropped some things that perhaps weren't interesting or weren't worth maintaining. They added other things. Some of their particular applications had some commands, some of them didn't, so were they really tailoring their applications to suit the people they were targeting? But these lateral shifts, it turns out, can be just as effective, and the way that we know that is because it's still being used. It's still being handled. It's still being worked on. It's not a dead malware family. We keep seeing new samples every single day. We've seen six in the last 10 days. So thank you very much for sticking it out with us. It was a lot to handle. So your prizes: little puppies. Thank you.