BlackRock Malware Attacks
I. Targeted Industries
- Social Media
BlackRock is a recently emerged Android malware family derived from the leaked source code of the Xerxes malware. Although BlackRock was first identified in May 2020 by ThreatFabric, its lineage can be traced back through LokiBot, MysteryBot, Parasite and, of course, Xerxes, a line of strains that has been wreaking havoc since 2016. BlackRock has targeted over 337 Android applications with its data-theft capabilities. These applications range from financial apps to social apps such as Facebook, TikTok, Instagram, and Tinder.
III. Background Information
In line with other Android banking trojans, BlackRock can perform overlay attacks, use its command and control (C2) server to send spam, steal SMS messages, and hide notifications. BlackRock can also execute a command that restricts the victim to their home screen, giving the attacker time to steal personal information that can then be used for further nefarious tasks, such as stealing banking information.
BlackRock operates similarly to its predecessors, except for its ability to target many more applications. This Trojan steals credentials and prompts users to enter card payment details before allowing entry to applications. BlackRock gains Accessibility Service privileges from the end-user upon installation, allowing it to grant itself additional permissions. These permissions will then allow the malware to communicate with a C2 server that will send commands and perform overlay attacks. These overlay attacks allow the bot to phish data from applications, including but not limited to, dating, news, shopping, lifestyle, and productivity apps.
Additional operations BlackRock can carry out include intercepting SMS messages, performing SMS floods, spamming personal contacts, keylogging, sending custom notifications, and sabotaging antivirus applications. BlackRock disguises itself as a Google update offered through third-party sites and has not yet been identified in the Google Play Store. However, deployment through the Play Store cannot be ruled out, since Android malware families have bypassed Google's application review process in the past.
IV. MITRE ATT&CK
- T1412 - Capture SMS Messages
A malicious application could capture sensitive data sent via SMS, including authentication credentials. SMS is frequently used to transmit codes used for multi-factor authentication.
- T1041 - Exfiltration Over C2 Channel
Adversaries may steal data by exfiltrating it over an existing command and control channel. Stolen data is encoded into the normal communications channel using the same protocol as command and control communications.
- T1027 - Obfuscated Files or Information
Adversaries may attempt to make an executable or file difficult to discover and/or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is a common behavior that can be used across different platforms and the network to evade defenses.
- T1417 - Input Capture
Adversaries may capture user input to obtain credentials or other information from the user through various methods.
- T1446 - Device Lockout
An adversary may seek to lock the legitimate user out of the device, for example, to inhibit user interaction or to obtain a ransom payment.
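The capabilities above (SMS capture, overlay attacks, Accessibility Service abuse, device lockout) leave footprints in an Android app's manifest. The following added example, not code from the report or from any of the cited sources, triages a manifest against a permission-to-technique mapping. The mapping and the sample manifest are constructed assumptions for illustration, not detection rules from the advisory.

```python
import xml.etree.ElementTree as ET

ANDROID_NS = "{http://schemas.android.com/apk/res/android}"

# Heuristic mapping (an assumption, not a rule from the report): which manifest
# features support each behaviour the report attributes to BlackRock.
INDICATORS = {
    "T1412 Capture SMS Messages": {"android.permission.RECEIVE_SMS",
                                   "android.permission.READ_SMS"},
    "SMS flood / contact spam": {"android.permission.SEND_SMS",
                                 "android.permission.READ_CONTACTS"},
    "Overlay attacks": {"android.permission.SYSTEM_ALERT_WINDOW"},
    "T1417 Input Capture (accessibility abuse)":
        {"android.permission.BIND_ACCESSIBILITY_SERVICE"},
    "T1446 Device Lockout": {"android.permission.BIND_DEVICE_ADMIN"},
}

def manifest_features(manifest_xml: str) -> set:
    """Collect <uses-permission> names plus permissions declared on services/receivers."""
    root = ET.fromstring(manifest_xml)
    feats = set()
    for node in root.iter():
        if node.tag == "uses-permission":
            feats.add(node.get(ANDROID_NS + "name", ""))
        elif node.tag in ("service", "receiver"):
            # BIND_ACCESSIBILITY_SERVICE / BIND_DEVICE_ADMIN are declared as
            # android:permission on the component, not as <uses-permission>.
            feats.add(node.get(ANDROID_NS + "permission", ""))
    feats.discard("")
    return feats

def triage(manifest_xml: str) -> dict:
    """Return {behaviour: sorted matching features} for each indicator group present."""
    feats = manifest_features(manifest_xml)
    return {name: sorted(feats & perms)
            for name, perms in INDICATORS.items() if feats & perms}

# Constructed sample manifest resembling a dropper posing as a "Google update".
SAMPLE_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.fakeupdate">
  <uses-permission android:name="android.permission.RECEIVE_SMS"/>
  <uses-permission android:name="android.permission.SEND_SMS"/>
  <uses-permission android:name="android.permission.SYSTEM_ALERT_WINDOW"/>
  <application>
    <service android:name=".A11y"
        android:permission="android.permission.BIND_ACCESSIBILITY_SERVICE"/>
  </application>
</manifest>"""

if __name__ == "__main__":
    for behaviour, hits in triage(SAMPLE_MANIFEST).items():
        print(f"{behaviour}: {hits}")
```

A manifest matching three or more of these groups at once is worth a closer look, since legitimate apps rarely combine SMS, overlay and accessibility access.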
- Use Multi-Factor Authentication
Use multi-factor authentication (MFA) as an additional barrier to prevent attackers from moving around a network.
- Malware Monitoring
Continuously monitor new and existing types of malware. Stay up to date on intel and advancements to prevent, defend, and mitigate these types of threats.
- Strong Cyber Hygiene
Users need to be wary of the validity of emails, links, downloads, etc. All sources should be verified.
VI. Indicators of Compromise (IOCs)
The link below has been included to assist with the download of some identified IOCs related to this Threat Advisory Report. Be on the lookout for these IOCs, as well as anything that looks similar.
(1) "BlackRock - The Trojan That Wanted to Get Them All." ThreatFabric, July 2020. https://www.threatfabric.com/blogs/blackrock_the_trojan_that_wanted_to_get_them_all.html.
(2) Cimpanu, Catalin. "New BlackRock Android Malware Can Steal Passwords and Card Data from 337 Apps." ZDNet, July 16, 2020. https://www.zdnet.com/article/new-blackrock-android-malware-can-steal-passwords-and-card-data-from-337-applications/.
(3) Humphries, Matthew. "BlackRock Malware Steals Data From 337 Android Apps." PCMag, July 16, 2020. https://www.pcmag.com/news/blackrock-malware-steals-data-from-337-android-apps.
(4) Montalbano, Elizabeth. "LokiBot Redux Attacks Massive List of Common Android Apps." Threatpost, July 16, 2020. https://threatpost.com/lokibot-redux-common-android-apps/157458/.