Introduction

In May 2020, Bitdefender released a white paper containing a detailed analysis of Mandrake, a sophisticated Android cyber-espionage platform, which had been active in the wild for at least four years.

In April 2024, we discovered a suspicious sample that appeared to be a new version of Mandrake. Ensuing analysis revealed as many as five Mandrake applications, which had been available on Google Play from 2022 to 2024 with more than 32,000 installs in total, while staying undetected by any other vendor. The new samples included new layers of obfuscation and evasion techniques, such as moving malicious functionality to obfuscated native libraries, using certificate pinning for C2 communications, and performing a wide array of tests to check if Mandrake was running on a rooted device or in an emulated environment.

Our findings, in a nutshell, were as follows.

• After a two-year break, the Mandrake Android spyware returned to Google Play and lay low for two years.
• The threat actors have moved the core malicious functionality to native libraries obfuscated with OLLVM.
• Communication with command-and-control servers (C2) uses certificate pinning to prevent capture of SSL traffic.
• Mandrake is equipped with a diverse arsenal of sandbox evasion and anti-analysis techniques.

Kaspersky products detect this threat as
HEUR:Trojan-Spy.AndroidOS.Mandrake.*.

Technical details

Background

The original Mandrake campaign with its two major infection waves, in 2016–2017 and 2018–2020, was analyzed by Bitdefender in May 2020. After the Bitdefender report was published, we discovered one more sample associated with the campaign, which was still available on Google Play.

The Mandrake application from the previous campaign on Google Play

In April 2024, we found a suspicious sample that turned out to be a new version of Mandrake. The main distinguishing feature of the new Mandrake variant was layers of obfuscation designed to bypass Google Play checks and hamper analysis. We discovered five applications containing Mandrake, with more than 32,000 total downloads. All these were published on Google Play in 2022 and remained available for at least a year. The newest app was last updated on March 15, 2024 and removed from Google Play later that month. As at July 2024, none of the apps had been detected as malware by any vendor, according to VirusTotal.

Mandrake samples on VirusTotal

Applications

Mandrake applications on Google Play

We were not able to get the APK file for
com.brnmth.mtrx, but given the developer and publication date, we assume with high confidence that it contained Mandrake spyware.

Application icons

Malware implant

The focus of this report is an application named AirFS, which was offered on Google Play for two years and last updated on March 15, 2024. It had the biggest number of downloads: more than 30,000. The malware was disguised as a file sharing app.

AirFS on Google Play

According to reviews, several users noticed that the app did not work or stole data from their devices.

Application reviews

Infection chain

Like the previous versions of Mandrake described by Bitdefender, applications in the latest campaign work in stages: dropper, loader and core. Unlike the previous campaign where the malicious logic of the first stage (dropper) was found in the application DEX file, the new versions hide all the first-stage malicious activity inside the native library
libopencv_dnn.so, which is harder to analyze and detect than DEX files. This library exports functions to decrypt the next stage (loader) from the assets/raw folder.

Contents of the main APK file

Interestingly, the sample
com.shrp.sght has only two stages, where the loader and core capabilities are combined into one APK file, which the dropper decrypts from its assets.
While in the past Mandrake campaigns we saw different branches (“oxide”, “briar”, “ricinus”, “darkmatter”), the current campaign is related to the “ricinus” branch. The second- and third-stage files are named “ricinus_airfs_3.4.0.9.apk”, “ricinus_dropper_core_airfs_3.4.1.9.apk”, “ricinus_amber_3.3.8.2.apk” and so on.

When the application starts, it loads the native library:

Loading the native library

To make detection harder, the first-stage native library is heavily obfuscated with the OLLVM obfuscator. Its main goal is to decrypt and load the second stage, named “loader“. After unpacking, decrypting and loading into memory the second-stage DEX file, the code calls the method
dex_load and executes the second stage. In this method, the second-stage native library path is added to the class loader, and the second-stage main activity and service start. The application then shows a notification that asks for permission to draw overlays.
When the main service starts, the second-stage native library
libopencv_java3.so is loaded, and the certificate for C2 communications, which is placed in the second-stage assets folder, is decrypted. The treat actors used an IP address for C2 communications, and if the connection could not be established, the malware tried to connect to more domains. After successfully connecting, the app sends information about the device, including the installed applications, mobile network, IP address and unique device ID, to the C2. If the threat actors find their target relevant on the strength of that data, they respond with a command to download and run the “core” component of Mandrake. The app then downloads, decrypts and executes the third stage (core), which contains the main malware functionality.

Second-stage commands:

Third stage commands:

When Mandrake receives a
start_v command, the service starts and loads the specified URL in an application-owned webview with a custom JavaScript interface, which the application uses to manipulate the web page it loads.
While the page is loading, the application establishes a websocket connection and starts taking screenshots of the page at regular intervals, while encoding them to base64 strings and sending these to the C2 server. The attackers can use additional commands to adjust the frame rate and quality. The threat actors call this “vnc_stream”. At the same time, the C2 server can send back control commands that make application execute actions, such as swipe to a given coordinate, change the webview size and resolution, switch between the desktop and mobile page display modes, enable or disable JavaScript execution, change the User Agent, import or export cookies, go back and forward, refresh the loaded page, zoom the loaded page and so on.

When Mandrake receives a
start_i command, it loads a URL in a webview, but instead of initiating a “VNC” stream, the C2 server starts recording the screen and saving the record to a file. The recording process is similar to the “VNC” scenario, but screenshots are saved to a video file. Also in this mode, the application waits until the user enters their credentials on the web page and then collects cookies from the webview.
The
start_a command allows running automated actions in the context of the current page, such as swipe, click, etc. If this is the case, Mandrake downloads automation scenarios from the URL specified in the command options. In this mode, the screen is also recorded.
Screen recordings can be uploaded to the C2 with the
upload_i or upload_d commands.
The main goals of Mandrake are to steal the user’s credentials, and download and execute next-stage malicious applications.

Data decryption methods

Data encryption and decryption logic is similar across different Mandrake stages. In this section, we will describe the second-stage data decryption methods.

The second-stage native library
libopencv_java3.so contains AES-encrypted C2 domains, and keys for configuration data and payload decryption. Encrypted strings are mixed with plain text strings.
To get the length of the string, Mandrake XORs the first three bytes of the encrypted array, then uses the first two bytes of the array as keys for custom XOR encoding.

Strings decryption algorithm

The key and IV for decrypting AES-encrypted data are encoded in the same way, with part of the data additionally XORed with constants.

AES key decryption

Mandrake uses the OpenSSL library for AES decryption, albeit in quite a strange way. The encrypted file is divided into 16-byte blocks, each of these decrypted with AES-CFB128.

The encrypted certificate for C2 communication is located in the
assets/raw folder of the second stage as a file named cart.raw, which is decrypted using the same algorithm.

Installing next-stage applications

When Mandrake gets an
apk command from the C2, it downloads a new separate APK file with an additional module and shows the user a notification that looks like something they would receive from Google Play. The user clicking the notification initiates the installation process.
Android 13 introduced the “Restricted Settings” feature, which prohibits sideloaded applications from directly requesting dangerous permissions. To bypass this feature, Mandrake processes the installation with a “session-based” package installer.

Installing additional applications

Sandbox evasion techniques and environment checks

While the main goal of Mandrake remains unchanged from past campaigns, the code complexity and quantity of the emulation checks have significantly increased in recent versions to prevent the code from being executed in environments operated by malware analysts. However, we were able to bypass these restrictions and discovered the changes described below.

The versions of the malware discovered earlier contained only a basic emulation check routine.

Emulator checks in an older Mandrake version

In the new version, we discovered more checks.

To start with, the threat actors added Frida detection. When the application starts, it loads the first-stage native library
libopencv_dnn.so. The init_array section of this library contains the Frida detector function call. The threat actors used the DetectFrida method. First, it computes the CRC of all libraries, then it starts a Frida detect thread. Every five seconds, it checks that libraries in memory have not been changed. Additionally, it checks for Frida presence by looking for specific thread and pipe names used by Frida. So, when an analyst tries to use Frida against the application, execution is terminated. Even if you use a custom build of Frida and try to hook a function in the native library, the app detects the code change and terminates.
Next, after collecting device information to make a request for the next stage, the application checks the environment to find out if the device is rooted and if there are analyst tools installed. Unlike some other threat actors who seek to take advantage of root access, Mandrake developers consider a rooted device dangerous, as average users, their targets, do not typically root their phones. First, Mandrake tries to find a su binary, a SuperUser.apk, Busybox or Xposed framework, and Magisk and Saurik Substrate files. Then it checks if the system partition is mounted as read-only. Next, it checks if development settings and ADB are enabled. And finally, it checks for the presence of a Google account and Google Play application on the device.

C2 communication

All C2 communications are maintained via the native part of the applications, using an OpenSSL static compiled library.

To prevent network traffic sniffing, Mandrake uses an encrypted certificate, decrypted from the
assets/raw folder, to secure C2 communications. The client needs to be verified by this certificate, so an attempt to capture SSL traffic results in a handshake failure and a breakdown in communications. Still, any packets sent to the C2 are saved locally for additional AES encryption, so we are able to look at message content. Mandrake uses a custom JSON-like serialization format, the same as in previous campaigns.
Example of a C2 request:
node #1
{
uid "a1c445f10336076b";
request "1000";
data_1 "32|3.1.1|HWLYO-L6735|26202|de||ricinus_airfs_3.4.0.9|0|0|0||0|0|0|0|Europe/Berlin||180|2|1|41|115|0|0|0|0|loader|0|0|secure_environment||0|0|1|0||0|85.214.132.126|0|1|38.6.10-21 [0] [PR] 585796312|0|0|0|0|0|";
data_2 "loader";
dt 1715178379;
next #2;
}
node #2
{
uid "a1c445f10336076b";
request "1010";
data_1 "ricinus_airfs_3.4.0.9";
data_2 "";
dt 1715178377;
next #3;
}
node #3
{
uid "a1c445f10336076b";
request "1003";
data_1 "com.airft.ftrnsfr\n\ncom.android.calendar\n\[redacted]\ncom.android.stk\n\n";
data_2 "";
dt 1715178378;
next NULL;
}
Example of a C2 response:
node #1
{
response "a1c445f10336076b";
command "1035";
data_1 "";
data_2 "";
dt "0";
next #2;
}
node #2
{
response "a1c445f10336076b";
command "1022";
data_1 "20";
data_2 "1";
dt "0";
next #3;
}
node #3
{
response "a1c445f10336076b";
command "1027";
data_1 "1";
data_2 "";
dt "0";
next #4;
}
node #4
{
response "a1c445f10336076b";
command "1010";
data_1 "ricinus_dropper_core_airfs_3.4.1.9.apk";
data_2 "60";
dt "0";
next NULL;
}
Mandrake uses opcodes from 1000 to 1058. The same opcode can represent different actions depending on whether it is used for a request or a response. See below for examples of this.

• Request opcode 1000: send device information;
• Request opcode 1003: send list of installed applications;
• Request opcode 1010: send information about the component;
• Response opcode 1002: set contact rate (client-server communication);
• Response opcode 1010: install next-stage APK;
• Response opcode 1011: abort next-stage install;
• Response opcode 1022: request user to allow app to run in background;
• Response opcode 1023: abort request to allow app to run in background;
• Response opcode 1027: change application icon to default or Wi-Fi service icon.

Attribution

Considering the similarities between the current campaign and the previous one, and the fact that the C2 domains are registered in Russia, we assume with high confidence that the threat actor is the same as stated in the Bitdefender’s report.

Victims

The malicious applications on Google Play were available in a wide range of countries. Most of the downloads were from Canada, Germany, Italy, Mexico, Spain, Peru and the UK.

Conclusions

The Mandrake spyware is evolving dynamically, improving its methods of concealment, sandbox evasion and bypassing new defense mechanisms. After the applications of the first campaign stayed undetected for four years, the current campaign lurked in the shadows for two years, while still available for download on Google Play. This highlights the threat actors’ formidable skills, and also that stricter controls for applications before being published in the markets only translate into more sophisticated, harder-to-detect threats sneaking into official app marketplaces.

Indicators of Compromise

File Hashes
141f09c5d8a7af85dde2b7bfe2c89477
1b579842077e0ec75346685ffd689d6e
202b5c0591e1ae09f9021e6aaf5e8a8b
31ae39a7abeea3901a681f847199ed88
33fdfbb1acdc226eb177eb42f3d22db4
3837a06039682ced414a9a7bec7de1ef
3c2c9c6ca906ea6c6d993efd0f2dc40e
494687795592106574edfcdcef27729e
5d77f2f59aade2d1656eb7506bd02cc9
79f8be1e5c050446927d4e4facff279c
7f1805ec0187ddb54a55eabe3e2396f5
8523262a411e4d8db2079ddac8424a98
8dcbed733f5abf9bc5a574de71a3ad53
95d3e26071506c6695a3760b97c91d75
984b336454282e7a0fb62d55edfb890a
a18a0457d0d4833add2dc6eac1b0b323
b4acfaeada60f41f6925628c824bb35e
cb302167c8458e395337771c81d5be62
da1108674eb3f77df2fee10d116cc685
e165cda25ef49c02ed94ab524fafa938
eb595fbcf24f94c329ac0e6ba63fe984
f0ae0c43aca3a474098bd5ca403c3fca

Domains and IPs
45.142.122[.]12
ricinus[.]ru
ricinus-ca[.]ru
ricinus-cb[.]ru
ricinus-cc[.]ru
ricinus[.]su
toxicodendron[.]ru

securelist.com/mandrake-apps-r…

Introduction

Cybercriminals who specialize in ransomware do not always create it themselves. They have many other ways to get their hands on ransomware samples: buying a sample on the dark web, affiliating with other groups or finding a (leaked) ransomware variant. This requires no extraordinary effort, as source code is often leaked or published. With a set of standard tools and a freshly built (and sometimes slightly altered) ransomware sample, victims can be sought, and the malicious activity can spread.

In the past months, we released several private reports detailing exactly this. You will find a few excerpts from these below. To learn more about our crimeware reporting service, contact us at crimewareintel@kaspersky.com.

SEXi

This past April, IxMetro was hit by an attack that used a still-new ransomware variant dubbed “SEXi”. As the name suggests, the group focuses primarily on ESXi applications. In each of the cases we investigated, the victims were running unsupported versions of ESXi, and there are various assumptions about the initial infection vector.

The group deploys one of two types of ransomware variants depending on the target platform: Windows or Linux. Both samples are based on leaked ransomware samples, namely Babuk for the Linux version and Lockbit for Windows. This is the first time we’ve seen a group use different leaked ransomware variants for their target platforms.

Another thing that sets this group apart is their contact method. Attackers will typically leave a note with an email address or leak site URL in it, but in this case, the note contained a user ID associated with the Session messaging app. The ID belonged to the attackers and was used across different ransomware attacks and victims. This signifies a lack of professionalism, as well as the fact that the attackers did not have a TOR leak site.

Key Group

While the SEXi group has employed leaked ransomware variants from two malware families, other groups have taken this approach to a whole different level. For example, Key Group, aka keygroup777, has used no fewer than eight different ransomware families throughout their relatively short history (since April 2022) – see the image below.

Use of leaked ransomware builders by Key Group

We were able to link different variants to Key Group by their ransom notes. In a little over two years that the group has been active, they have adjusted their TTPs slightly with each new ransomware variant. For example, the persistence mechanism was always via the registry, but the exact implementation differed by family. Most of the time, autorun was used, but we’ve also seen them using the startup folder.

For example, UX-Cryptor added itself to the registry as shown below.
HKU\$usersid\Software\Microsoft\Windows NT\CurrentVersion\Winlogon
"Shell" = "$selfpath"
HKU\$usersid\Software\Microsoft\Windows\CurrentVersion\Run
"WindowsInstaller" = "$selfpath -startup"
"MSEdgeUpdateX" = "$selfpath"
HKU\$usersid\Software\Microsoft\Windows\CurrentVersion\RunOnce
"System3264Wow" = "$selfpath --init"
"OneDrive10293" = "$selfpath /setup"
"WINDOWS" = "$selfpath --wininit"
While the Chaos ransomware variant copied itself to
$user\$appdata\cmd.exe and launched a new process, the new process in turn created a new file in the startup folder: $user\$appdata\Microsoft\Windows\Start Menu\Programs\Startup\cmd.url. This contained the path to the ransomware file: URL=file:///$user\$appdata\cmd.exe.
Russian-speaking groups typically operate outside of Russia, but Key Group is an exception to this rule. Their operations are not very professional, as well as SEXi’s, and show a lack of comprehensive skills. For example, the main C2 channel is a GitHub repository, which makes them easier to track, and communication is maintained over Telegram rather than a dedicated server on the TOR network.

Mallox

Mallox is another relatively new ransomware variant that first came to light in 2021 and kicked off an affiliate program in 2022. The way the authors obtained the source code is unclear — they could have written it from scratch, used a published or a leaked one, or purchased it, as they claim. Since Mallox is a lesser-known and hence, also less-documented, ransomware variant compared to the likes of Lockbit and Conti, we decided to cover Mallox in this post.

Although starting as a private group conducting their own campaigns, Mallox launched an affiliate program shortly after inception. Interestingly, the group only wants to do business with Russian-speaking affiliates and not with English-speaking ones, they do not welcome novices as well. They are also very explicit about what types of organizations affiliates should infect: no less than $10 million in revenue and no hospitals or educational institutions.

Mallox uses affiliate IDs, making it possible to track affiliate activity over the course of time. In 2023, there were 16 active partners, which explains the spike in activity, most notably in the spring and autumn of 2023 as evidenced by the PE timestamp.

Number of discovered Mallox samples by PE timestamp (download)

In 2024, only eight of the original affiliates were still active, with no newcomers. Aside from this, Mallox has all the typical Big Game Hunting attributes that other groups also have, such as a leak site, a server hosted on TOR, and others.

Conclusion

Getting into the ransomware business has never been too difficult. Of-the-shelf solutions have been available, or else one could become an affiliate and outsource many tasks to others. Initially, with tools like Hidden Tear, the impact was relatively low: the tools were easy to detect and contained implementation errors, which helped decryption. They targeted regular consumers rather than large organizations. This has changed these days, as the impact can be much bigger with the advent of the Big Game Hunting era and the release of “professional” ransomware variants, which can affect entire companies, organizations, hospitals and so on. Such samples are more efficient in terms of speed, configurability, command line options, platform support and other features. That said, while getting your hands on a “professional” ransomware variant might be easy, the whole process of exploiting and exploring an organization can be quite time consuming, if not impractical, for newbies.

We also see that groups using leaked variants seldom look professional, with Key Group and SEXi among the examples of this. The reason why they are effective is either that they are able to set up a successful affiliate scheme (Key Group), or that they have found a niche where they can deploy their ransomware effectively (SEXi). In these two scenarios, the leaking or publication of ransomware variants can be considered a threat to organizations and individuals.

If you would like to stay up to date on the latest TTPs being used by criminals, or if you have questions about our private reports, contact us at crimewareintel@kaspersky.com.

Indicators of compromise

SEXi
4e39dcfb9913e475f04927e71f38733a
0a16620d09470573eeca244aa852bf70

Key Group
bc9b44d8e5eb1543a26c16c2d45f8ab7
acea7e35f8878aea046a7eb35d0b8330

Mallox
00dbdf13a6aa5b018c565f4d9dec3108
01d8365e026ac0c2b3b64be8da5798f2

securelist.com/sexi-key-group-…

Photons are particles of light, or waves, or something like that, right? [Mithuna Yoganathan] explains this conundrum in more detail than you probably got in your high school physics class.

While quantum physics has been around for over a century, it can still be a bit tricky to wrap one’s head around since some of the behaviors of energy and matter at such a small scale aren’t what we’d expect based on our day-to-day experiences. In classical optics, for instance, a brighter light has more energy, and a greater amplitude of its electromagnetic wave. But, when it comes to ejecting an electron from a material via the photoelectric effect, if your wavelength of light is above a certain threshold (bigger wavelengths are less energetic), then nothing happens no matter how bright the light is.

Scientists pondered this for some time until the early 20th Century when Max Planck and Albert Einstein theorized that electromagnetic waves could only release energy in packets of energy, or photons. These quanta can be approximated as particles, but as [Yoganathan] explains, that’s not exactly what’s happening. Despite taking a few classes in quantum mechanics, I still learned something from this video myself. I definitely appreciate her including a failed experiment as anyone who has worked in a lab knows happens all the time. Science is never as tidy as it’s portrayed on TV.

If you want to do some quantum mechanics experiments at home (hopefully with more luck than [Yoganathan]), then how about trying to measure Planck’s Constant with a multimeter or LEGO? If you’re wondering how you might better explain electromagnetism to others, maybe this museum exhibit will be inspiring.

youtube.com/embed/Z8Fo2xZjpiE?…

Standardization might sound boring, but it’s really a great underlying strength of modern society. Everyone agreeing on a way that a certain task should be done saves a lot of time, energy, and money. But it does take a certain amount of consensus-building, and at the time [JC]’s HVAC system was built the manufacturers still hadn’t agreed on a standard control scheme for these machines yet. But with a little ingenuity and an Arduino, the old HVAC system can be given a bit of automatic control.

The original plan for this antiquated system, once off-the-shelf solutions were found to be incompatible, was to build an interface for the remote control. But this was going to be overly invasive and complex. Although the unit doesn’t have a standard remote control system, it does have extensive documentation so [JC] was able to build a relay module for it fairly easily with an Arduino Nano Matter to control everything and provide WiFi functionality. It also reports the current status of the unit and interfaces with the home automation system.

While some sleuthing was still needed to trace down some of the circuitry of the board to make sure everything was wired up properly, this was a much more effective and straightforward (not to mention inexpensive) way of bringing his aging HVAC system into the modern connected world even through its non-standardized protocols. And, although agreeing on standards can sometimes be difficult, they can also be powerful tools once we all agree on them.

Many makers start by building mock-ups from cardboard, but [Alex-08] has managed to build an R/C plane that actually flies, out of cardboard.

If you’ve been thinking of building an R/C plane from scratch yourself, this guide is an excellent place to start. [Alex-08] goes through excruciating detail on how he designed and constructed this marvel. The section on building the wings is particularly detailed since that’s the most crucial element in making sure this plane can get airborne.

Some off-the-shelf R/C parts and 3D printed components round out the parts list to complement the large cardboard box used for most of the structural components. The build instructions even go through some tips on getting that vintage aircraft feel and how to adjust everything for a smooth flight.

Need a wind tunnel instead? You can build that out of cardboard too. If paper airplanes are more your thing, how about launching them from space? And if you’re just trying to get a head start on Halloween, why not laser cut an airplane costume from cardboard?