
July 19, 2023



LOOKOUT ATTRIBUTES ADVANCED ANDROID SURVEILLANCEWARE TO CHINESE ESPIONAGE GROUP APT41


SUMMARY

 * Lookout attributes WyrmSpy and DragonEgg to infamous Chinese espionage group
   APT41, which has not slowed down since recent indictments by the U.S.
   government.
 * APT41 is known to target a wide range of public and private sector
   organizations, including nation-state governments, software development
   companies, computer hardware manufacturers, telecommunications providers,
   social media companies, and video game companies.
 * An established threat actor like APT41 turning their focus to mobile devices
   shows that mobile endpoints are high-value targets with coveted data.
 * WyrmSpy and DragonEgg use modules to hide their malicious intentions and
   avoid detection.
 * WyrmSpy and DragonEgg were first reported to Lookout Threat Intelligence
   Services subscribers in October 2020 and January 2021 respectively in full
   write-ups that included IOCs, YARA rules, and additional threat analysis.
 * Contact us if you have been targeted or would like to consult with our
   research team on mobile threats.




WHAT ARE WYRMSPY AND DRAGONEGG SURVEILLANCEWARE?

WyrmSpy and DragonEgg are two advanced Android surveillanceware families that
Lookout attributes to the high-profile Chinese threat group APT41, also known as
Double Dragon, BARIUM, and Winnti.

While APT41 is mostly known for exploiting web-facing applications and
infiltrating traditional endpoint devices, these two families are rare reported
instances of the group targeting mobile platforms.

Lookout Threat Lab researchers have been actively tracking both spyware families
and providing coverage to Lookout Mobile Endpoint Security customers. We provided
the first detailed write-up of WyrmSpy to our Threat Intelligence Services
subscribers in October 2020. The Lookout Security Graph first ingested samples
of WyrmSpy in 2017, while DragonEgg was first detected in early 2021 and our
latest sample dates to April 2023.

Both surveillanceware appear to have sophisticated data collection and
exfiltration capabilities and hide those functions in additional modules that
are downloaded after they are installed. WyrmSpy primarily masquerades as a
default operating system app, while DragonEgg pretends to be third-party
keyboard or messaging apps.



WHAT IS THE APT41 ESPIONAGE GROUP?

APT41 is a state-sponsored APT espionage group based in the People’s Republic of
China that has been active since 2012. Unlike many nation-state-backed APT
groups, APT41 has a track record of compromising both government organizations
for espionage, as well as different private enterprises for financial gain. 

According to U.S. grand jury indictments from 2019 and 2020, the group was
involved in compromising over 100 public and private organizations, and
individuals in the United States and around the world, including Australia,
Japan, India, South Korea, Singapore, and Taiwan. These companies include
software development companies, computer hardware manufacturers,
telecommunications providers, social media companies, video game companies,
universities, think tanks, and foreign governments, as well as pro-democracy
politicians and activists in Hong Kong.

The U.S. Department of Justice’s indictment named five individuals associated
with APT41, three of whom — Jiang Lizhi (蒋立志), Qian Chuan (钱川), and Fu Qiang
(付强) — are publicly listed in leadership positions of the Chinese company Chengdu
404 Network Technology Co., Ltd., a.k.a. “Chengdu 404.”

The indictment charges the men with conspiracy, racketeering, money laundering,
fraud, identity theft, access device fraud, unauthorized access to protected
computers and wire fraud in association with Chengdu 404.


The FBI notice poster with images of the individuals charged in connection to
APT41’s cyber espionage activities. 





A Chinese business directory listing for Chengdu 404 lists Qian Chuan as
“Managing Director” and Jiang Lizhi as “Manager.” Chengdu 404 is described as “a
network technology company.”





APT41’S CONNECTION WITH WYRMSPY AND DRAGONEGG

DragonEgg and WyrmSpy are connected to each other through their use of
overlapping Android signing certificates. Some versions of WyrmSpy introduced
unique signing certificates that were later observed in use by DragonEgg
developers.

It was through WyrmSpy that Lookout was able to attribute the two malware
families to APT41, via a link between the command-and-control (C2)
infrastructure hard-coded into the malware and Chengdu 404. Early samples use
the IP address “121.42.149[.]52” as part of their C2 infrastructure. That
address was the resolving IP for a subdomain, “vpn2.umisen[.]com,” which was
part of the hacking infrastructure APT41 used between May 2014 and August 2020,
as revealed in the U.S. Department of Justice’s indictment.



WyrmSpy includes a hard-coded C2 IP address, “121.42.149[.]52”, used as a
resolving IP for a known APT41 domain.





“Vpn2.umisen[.]com” is a subdomain of umisen[.]com, which itself resolved only
to 121.42.149[.]52 from the end of 2015 through late 2017. Lookout researchers
analyzed a total of 14 samples that communicated with this IP address; these
appeared to have been packaged between March and July 2017.



The IP address found in earlier WyrmSpy samples was the resolving IP for
“umisen[.]com” between December 2015 and August 2017, when malware samples
containing this C2 were created and distributed.





A WHOIS record for “umisen[.]com” from 2015 and 2016 lists one of the
individuals named in the indictment, Jiang Lizhi, as the registrant for the
domain. The email listed in the WHOIS record, “huliwahaha@gmail[.]com,”
resembles a password, “wahaha@20170”, which is also mentioned in the indictment.
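The attribution chain above rests on two pivots: samples that share an APK signing certificate belong to one developer cluster, and a hard-coded C2 IP only points at a domain if the domain resolved to that IP while the sample was being packaged. The script below is an added illustration of that reasoning, not Lookout's tooling: the sample ids, certificate fingerprints and the 2019 hosting record are constructed, while the umisen[.]com resolution window is the one the article gives.

```python
"""Attribution pivots: signing-certificate clustering and time-bounded C2 pivot.
Added example; the umisen[.]com / 121.42.149[.]52 window comes from the
article, every other record is constructed for illustration."""
from collections import defaultdict
from dataclasses import dataclass
from datetime import date


@dataclass(frozen=True)
class Sample:
    sample_id: str       # constructed label, not one of the article's SHA1s
    family: str
    signer_sha256: str   # constructed signing-certificate fingerprint
    c2: str              # hard-coded C2, defanged as in the article
    packaged: date       # date the APK was packaged


@dataclass(frozen=True)
class PassiveDns:
    hostname: str
    ip: str
    first_seen: date
    last_seen: date


def link_samples_by_signer(samples):
    """Union-find over samples sharing a signing certificate; returns the set
    of families in each cluster, so a WyrmSpy/DragonEgg overlap is visible."""
    parent = {s.sample_id: s.sample_id for s in samples}

    def find(x):
        while parent[x] != x:
            parent[x] = parent[parent[x]]  # path halving
            x = parent[x]
        return x

    by_signer = defaultdict(list)
    for s in samples:
        by_signer[s.signer_sha256].append(s.sample_id)
    for ids in by_signer.values():
        for other in ids[1:]:
            parent[find(other)] = find(ids[0])
    family_of = {s.sample_id: s.family for s in samples}
    clusters = defaultdict(set)
    for sid in parent:
        clusters[find(sid)].add(family_of[sid])
    return sorted(sorted(v) for v in clusters.values())


def pivot_c2_to_hostnames(sample, pdns):
    """Hostnames that resolved to the sample's C2 IP at the time the sample was
    packaged. Without the time bound, a shared or re-used IP would pivot to
    whatever happened to sit on it years later."""
    return sorted({r.hostname for r in pdns
                   if r.ip == sample.c2
                   and r.first_seen <= sample.packaged <= r.last_seen})


PDNS = [  # first record: article's window; second: constructed later tenant
    PassiveDns("umisen[.]com", "121.42.149[.]52", date(2015, 12, 1), date(2017, 8, 31)),
    PassiveDns("unrelated-tenant[.]test", "121.42.149[.]52", date(2019, 1, 1), date(2019, 6, 30)),
]
SAMPLES = [  # constructed; packaging dates of the first two match the article's Mar-Jul 2017
    Sample("wyrm-A", "WyrmSpy", "cert-0001", "121.42.149[.]52", date(2017, 3, 15)),
    Sample("wyrm-B", "WyrmSpy", "cert-0002", "121.42.149[.]52", date(2017, 7, 2)),
    Sample("wyrm-C", "WyrmSpy", "cert-0002", "121.42.149[.]52", date(2019, 5, 1)),
    Sample("egg-A", "DragonEgg", "cert-0002", "alxc.tbtianyan[.]com", date(2021, 2, 10)),
    Sample("egg-B", "DragonEgg", "cert-0003", "yxwasec[.]com", date(2023, 4, 1)),
]

if __name__ == "__main__":
    print(link_samples_by_signer(SAMPLES))
    for s in SAMPLES:
        print(s.sample_id, "->", pivot_c2_to_hostnames(s, PDNS))
```

The constructed 2019 sample pivots to the unrelated tenant rather than to umisen[.]com, which is why the packaging dates of the 14 samples matter as much as the IP itself.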









HOW ARE WYRMSPY AND DRAGONEGG DEPLOYED?

It appears that the targeting of WyrmSpy and DragonEgg varies greatly.

WyrmSpy primarily masquerades as a default Android system app used for
displaying notifications to the user. Later variants package the malware into
apps masquerading as adult video content, “Baidu Waimai” food delivery platform,
and Adobe Flash. 

DragonEgg has been observed in apps purporting to be third-party Android
keyboards and messaging apps like Telegram.

Lookout researchers have not yet encountered samples in the wild and assess with
moderate confidence that they are distributed to victims through social
engineering campaigns. Google confirmed that based on current detection, no apps
containing this malware are found to be on Google Play.



NOTABLE CAPABILITIES OF WYRMSPY AND DRAGONEGG

The two malware request extensive device permissions while relying on modules
that are downloaded after the apps are installed to enable data-exfiltration
capabilities. 


WYRMSPY CAPABILITIES

After it’s installed and launched, WyrmSpy uses known rooting tools to gain
escalated privileges on the device and perform surveillance activities specified
by commands received from its C2 servers. These commands include instructing the
malware to upload log files and photos stored on the device, and to acquire the
device’s location using the Baidu Location library.

Although we were not able to acquire additional modules from the C2
infrastructure at the time of discovery, we assess with high confidence that a
secondary payload is used by the malware to perform additional surveillance
functionality. This is based on the permissions that WyrmSpy obtains but does
not use in the code contained in the app, which indicates abilities to
exfiltrate additional data, such as SMS and audio recordings.

Configuration files used by the malware to execute instructions received by the
C2 further support this hypothesis, with references to “AudioRecord” and “Files”
set to true or false based on received commands.

POTENTIAL DATA THAT WYRMSPY COLLECTS

 * Log files
 * Photos
 * Device location
 * SMS messages (read and write)
 * Audio recording


DRAGONEGG CAPABILITIES

Similar to WyrmSpy, DragonEgg appears to rely on additional payloads to
implement the full scale of its surveillance functionality. 

At launch, the malware acquires — either from C2 infrastructure or a bundled
file within the APK — a payload often named “smallmload.jar” which attempts to
acquire and launch additional functionality. Like WyrmSpy, the DragonEgg samples
request extensive permissions for services that are not directly exploited in
the core app. 

We suspect that by trojanizing legitimate chat apps like Telegram, APT41 is
trying to remain inconspicuous while requesting access to extensive device data.
Messaging apps typically request access to sensitive device data, and by hiding
its surveillance functionality within a large, fully-functional app, the threat
actor is better able to remain inconspicuous while the app is running on the
device or statically analyzed by a researcher.

POTENTIAL DATA THAT DRAGONEGG COLLECTS

 * Device contacts
 * SMS messages
 * External device storage files
 * Device location
 * Audio recording
 * Camera photos


WYRMSPY TECHNICAL ANALYSIS


COMMUNICATIONS WITH C2 AND CONFIGURATION FILES

WyrmSpy relies on commands received from C2, as well as configuration files to
determine the actions it takes against the compromised device and the data it
exfiltrates. As server-side code is not accessible from the C2, it is not yet
clear whether a threat actor has automated the commands sent to the malware
client, or whether direct human interaction is required. 

The configuration files are created and populated by WyrmSpy on startup and form
the basis of the behavior on an infected device. As the malware interacts with
the device and receives instructions from its C2, it modifies the configuration
files accordingly.

Additional configuration files contain information about the C2, metadata and
identifiers that were initially collected about the infected device. A file
named “ManifestFile.json” is acquired from the C2 and specifies C2 beaconing
intervals, lists of files for upload and download, and a list of shell commands
to execute on the device.



WyrmSpy relies on commands received from its C2, as well as configuration files
to determine the actions it takes against the compromised device and the data it
exfiltrates.




ROOTING THE DEVICE

WyrmSpy leverages well-known rooting tools such as KingRoot and
IovyRoot/IvyRoot. It’s also able to disable SELinux on appropriate versions of
Android, an action attackers sometimes take in order to access data they might
not otherwise be able to.

If the packaged rooting tool does not work or does not exist, and if the device
is not already rooted, the malware queries the C2 infrastructure with the model
and kernel version of the infected device. It then receives a response
containing a file name which the malware uses to download additional rooting
binaries from C2 infrastructure if one exists for the specified device.



The malware attempts to acquire an additional rooting tool to gain root
privileges if the bundled tools, like KingRoot, are unsuccessful.





DRAGONEGG TECHNICAL ANALYSIS

Similar to WyrmSpy, DragonEgg relies on a secondary payload often named
“smallmload.jar” to load a tertiary module.



DragonEgg relies on a secondary payload that’s often named “smallmload.jar.”

In DragonEgg’s logging messages, the developers refer to the tertiary module
acquired by the “smallmload” class files as “forensics program (T1 version)”.
Naming surveillance tools a “forensics program” is common amongst
Chinese-speaking defense or software development firms. This is in contrast to
“trojan” or the other malware-related monikers that independent developers of
surveillance tools would use.

By the time we analyzed DragonEgg, its C2 infrastructure was already offline,
which prevented Lookout researchers from acquiring this “T1” forensics tool
loaded by the core application.



DragonEgg developers refer to the tertiary payload as the “forensics program (T1
version)”.





INDICATORS OF COMPROMISE


WYRMSPY

SHA1


INFRASTRUCTURE

116.205.4[.]18

dns.win10micros0ft[.]com

www.andropwn[.]xyz

121.42.149[.]52

update.umisen[.]com


DRAGONEGG

SHA1


INFRASTRUCTURE

118.193.39[.]165

121.201.109[.]98

alxc.tbtianyan[.]com

yxwasec[.]com

smiss.imwork[.]net

huaxin-bantian.duckdns[.]org

103.43.17[.]99


Lookout would like to thank former Lookout researcher Apurva Kumar for her
extensive contribution to this research. 




AUTHORS




KRISTINA BALAAM


Staff Security Intelligence Engineer


Kristina is a Staff Security Intelligence Engineer at Lookout where she reverse
engineers mobile malware. Prior to Lookout, she worked as an Application
Security Engineer at Shopify focusing mostly on Android mobile security.
Kristina graduated with a Bachelor of Computer Science from McGill University in
2012, and is currently pursuing an MSc in Information Security Engineering from
the SANS Institute of Technology. She blogs about computer security on
Instagram, Twitter and YouTube under the handle @chmodxx.


JUSTIN ALBRECHT


Global Director, Mobile Threat Intelligence


Justin Albrecht is the Global Director of Mobile Threat Intelligence. He works
with his team to uncover new mobile threats, track actors and targets, and
provide accurate research and reporting on these issues. Justin has over 20
years of experience tracking cyber threat actors, terrorists, and intelligence
activities in both the intelligence community, and more recently as a member of
Lookout’s Threat Intelligence Team.




