Deep Dive into a Repackaged APK Targeting Zoom Users
With working from home on the rise, Zoom and other video conference applications have been in heavy use, by employees but also by malicious threat actors. On Apr 1st, Security Week wrote about a re-packaged version of Zoom targeting teleworking users on Android. In this blog, we will take a closer look at what this malicious APK looks to achieve and how it achieves it.
This malicious APK takes a legitimate Zoom APK, release 4.1.35374.1217 version 41021, and introduces new permissions and a new package that utilizes AES encryption to remain hidden. As seen in the first image, on first upload only eight security vendors detected this APK as malicious.
We will first look at the data around the APK itself. When compiling this APK the malicious actor used a signing certificate with the Owner and Issuer matching the original Zoom APK in order to appear to be signed by Zoom Video Communications Inc.
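A spoofed Owner and Issuer defeat any check that compares only the certificate's distinguished name. The following added Go example (not code from the post, the APK or Zoom) mints two self-signed certificates carrying the same constructed DN and shows that their SHA-256 fingerprints, which is what a signing-certificate check should pin, still differ.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/hex"
	"fmt"
	"math/big"
	"time"
)

// mintCert is a constructed stand-in for a self-signed APK signing certificate whose Owner/Issuer reads as Zoom's; anyone can mint one.
func mintCert(org string) (*x509.Certificate, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	name := pkix.Name{Organization: []string{org}, CommonName: org}
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1),
		Subject:      name, // Issuer is copied from the (self-signed) parent's Subject
		NotBefore:    time.Now(),
		NotAfter:     time.Now().AddDate(30, 0, 0),
		KeyUsage:     x509.KeyUsageDigitalSignature,
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return nil, err
	}
	return x509.ParseCertificate(der)
}
// fingerprint is the SHA-256 of the DER certificate, the value apksigner/keytool print.
func fingerprint(c *x509.Certificate) string {
	sum := sha256.Sum256(c.Raw)
	return hex.EncodeToString(sum[:])
}
// dnMatches is the weak check the spoof defeats; sameCert is what a verifier should pin on.
func dnMatches(a, b *x509.Certificate) bool {
	return a.Subject.String() == b.Subject.String() && a.Issuer.String() == b.Issuer.String()
}
func sameCert(a, b *x509.Certificate) bool { return fingerprint(a) == fingerprint(b) }
func main() {
	official, _ := mintCert("Zoom Video Communications Inc.") // stand-in for the genuine signer
	spoofed, _ := mintCert("Zoom Video Communications Inc.")  // attacker's cert with the same DN
	fmt.Println("DN matches:", dnMatches(official, spoofed), "same certificate:", sameCert(official, spoofed))
}
```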
[Image: App signing certificate, with the Owner and Issuer spoofed to Zoom Video Communications Inc.]
The core functionality of the APK is unchanged: you are able to sign in to accounts and join meetings as you would expect from the Zoom APK.
[Image: On initial load, this APK appears to be a clone of the official Zoom APK and retains the original functionality.]
[Image: This APK uses 4.1.35374.1217, which was released in December 2018.]
In Android Studio, the original Zoom APK file is compared to this malicious APK file. Most of the files appear unchanged; there is more data in the AndroidManifest, as well as more data in classes.dex, where the Java classes are stored. Near the bottom of this comparison, we can confirm that the signing certificate used by the malicious APK file is not the official Zoom certificate that was originally used.
[Image: Comparison between the malicious Zoom APK and the original Zoom APK]
The first changed item we see in this comparison is the AndroidManifest.xml. On a deeper dive, we see that this malicious APK has added new permissions in the manifest, including the ability to read, send and receive SMS messages, meaning that the app can read every SMS received on the user's phone as well as send SMS messages. Along with the additional permissions, the app has a new package inside, us.zoom.videomeetings.byfsl. This package is declared as a BroadcastReceiver as well as an Android service, allowing it to run in the background with no visual interface and to communicate.
[Image: References to the new SMS permissions]
[Image: References to the malicious package in Manifest.xml]
Expanding classes.dex, there is a new package under us.zoom.videomeetings called byfsl. Inside this folder there are 11 new classes that are not in the original Zoom APK, and this is where the malicious code lives.
[Image: The malicious package byfsl in classes.dex]
This new package, us.zoom.videomeetings.byfsl, includes several Java classes that use AES-encrypted strings to try to mask their functionality.
The main method is in the Pkipn class. The first thing this method does is get the absolute path of the application; this uses the first of the AES-encrypted strings, which we will look at in the next paragraph (the decrypted string is "."). The package also stores the malicious domain (the byte array a) and stores it along with the absolute path in the object h.
[Image: Getting the absolute path with the const-string "."]
In the byfsl package there are roughly 25 AES/CTR/NoPadding encrypted strings. The method for decrypting them is Qwkso.qdyiu. In this method there is a check against the method initialize to determine whether the DECODED_KEY has been stored yet. The DECODED_KEY is stored after the initialize method takes the ENCODED_KEY peRcpinr/9e0CLOGnNg0kA==, converts it into a UTF-8 byte array and finally base64-decodes that byte array to obtain the 16-byte DECODED_KEY. Once the DECODED_KEY is stored, this key is used whenever outside classes call Qwkso.qdyiu.
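To make the described string-obfuscation scheme concrete, here is an added Go example (not code from the APK or the original post) that reproduces the key-derivation step with the ENCODED_KEY quoted above and implements AES/CTR/NoPadding decryption for blobs that carry their IV in front of the ciphertext. That IV-prefixed layout is an assumption the write-up does not state (it does fit the 19-, 17- and 17-byte blobs for "tcp", ":" and "/"), so the block round-trips a constructed string rather than claiming to decrypt the APK's own ciphertexts.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"encoding/base64"
	"fmt"
)

// ENCODED_KEY exactly as quoted in the write-up for the byfsl package.
const encodedKey = "peRcpinr/9e0CLOGnNg0kA=="

// initialize mirrors the described routine: ENCODED_KEY, taken as UTF-8 bytes and base64-decoded,
// must yield the 16-byte AES key that every later Qwkso.qdyiu call reuses.
func initialize() ([]byte, error) {
	k, err := base64.StdEncoding.DecodeString(encodedKey)
	if err != nil || len(k) != aes.BlockSize {
		return nil, fmt.Errorf("bad ENCODED_KEY (%d bytes): %v", len(k), err)
	}
	return k, nil
}
// ctrXOR applies AES/CTR/NoPadding; CTR is its own inverse, so it both encrypts and decrypts.
func ctrXOR(key, iv, in []byte) []byte {
	block, err := aes.NewCipher(key)
	if err != nil {
		panic(err) // unreachable with the 16-byte key initialize returns
	}
	out := make([]byte, len(in))
	cipher.NewCTR(block, iv).XORKeyStream(out, in)
	return out
}
// decryptString decodes one obfuscated string. ASSUMPTION (not in the write-up, but it fits the
// 19/17/17-byte blobs quoted for "tcp", ":" and "/"): a 16-byte IV leads the ciphertext.
func decryptString(key []byte, b64 string) (string, error) {
	blob, err := base64.StdEncoding.DecodeString(b64)
	if err != nil || len(blob) < aes.BlockSize {
		return "", fmt.Errorf("bad blob %q: %v", b64, err)
	}
	return string(ctrXOR(key, blob[:aes.BlockSize], blob[aes.BlockSize:])), nil
}

// encryptString builds a blob in the same assumed layout; used here only to make test data.
func encryptString(key, iv []byte, plaintext string) string {
	return base64.StdEncoding.EncodeToString(append(append([]byte{}, iv...), ctrXOR(key, iv, []byte(plaintext))...))
}

func main() {
	key, _ := initialize()
	// constructed IV and plaintext for the demonstration, not values from the APK
	fmt.Println(decryptString(key, encryptString(key, []byte("0123456789abcdef"), "tcp://c2.example.invalid:4444")))
}
```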
[Image: Initialize method in class Qwkso, where the ENCODED_KEY is initially decoded]
[Image: A snippet of the byte array that contains the malicious domain tcp://googleteamsupport.ddns.net:4444]
The next method, which follows storing the domain and absolute path, queries the PowerManager and creates a new WakeLock to keep the screen on, allowing the malicious activity to continue as long as the app is open.
[Image: PowerManager getSystemService(Power).NewWakeLock(appname)]
Finally, after setting the WakeLock, the malicious connection is started. The byte array a[] contains the tcp:// link used by this application, tcp://googleteamsupport.ddns.net:4444. There are three if statements to determine whether str starts with tcp, : or // (FJkiDDu3jjSJwK+ywmx09KXl4A== decodes to tcp, VnZnQoIx85b5BMH7EqtiNF4= decodes to : and TmXCTCW5NWLpz3dpWTyg4PU= decodes to /). Once this is determined, the socket is opened and communication with the malicious domain begins.
[Image: A few if statements to determine whether the URL is in the correct format]
This domain has been linked by BitDefender to an IP address previously used as command and control for SandoRAT / DroidJack.
Going through the malicious package, we can see the effort made to stay hidden: an APK signed with a certificate that closely resembles the original's, retaining the core functionality of the original APK. Though the difference in size may be small, the added capabilities, reading SMS messages and setting up a malicious backdoor, potentially allow malicious actors to spy on your device.
This APK can only be installed by sideloading. It is recommended to install the Zoom Android app only from the Play Store, to keep your apps updated, and not to install APK files onto your device from third-party sources.
IOCs:
Network: tcp://googleteamsupport.ddns.net:4444
Hash: 232ec4629458b1df0e3ef934365cd0cede498205409db31b4701223fa80c31bb
Translated from: https://medium.com/deep-learning-for-cybersecurity/deep-dive-into-a-repackaged-apk-targeting-zoom-users-7a7bbea0efc4