Zscaler Inc.

08/21/2024 | News release | Distributed by Public on 08/22/2024 10:43

Technical Analysis of Copybara

Upon launching the application, the user is shown an attacker-defined message screen asking the user to enable the Accessibility Service permission for the application, as shown in the figure below. The Accessibility Service is a legitimate feature on Android phones to assist users with disabilities; however, due to the inherent nature of the service, the feature may provide a threat actor with highly granular control over a victim's phone if enabled. If Copybara is installed and not granted the accessibility permission, the malware repeatedly shows notifications and toast messages (as shown in the figure below) to coerce the victim into enabling the service.

Figure 3 : Example Copybara launch screen without the accessibility permission enabled.

If the service is enabled, the user is shown another attacker-defined screen, as shown in the figure below.

Figure 4: Example screenshot of Copybara after the Accessibility Service feature is enabled.

Once the Accessibility Service feature is enabled, the application prevents the user from accessing some options in the Settings menu, ensuring they are unable to uninstall Copybara. In the background, the malware's behavior is determined by its configuration. Copybara is designed to download a list of phishing pages from the C2 server. The Copybara C2 responds with a ZIP file containing counterfeit login pages that mimic popular cryptocurrency exchanges and financial institutions. During our analysis, we discovered the existence of two operational C2 servers that were actively serving the phishing pages.
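Because the whole infection chain above hinges on the victim enabling an Accessibility Service, a quick triage check on a device is to list the enabled services and compare them with the assistive products the organization expects. The following is an added example, not Zscaler's or Copybara's code: it parses the value of the Secure setting `enabled_accessibility_services` (the colon-separated `package/serviceclass` list printed by `adb shell settings get secure enabled_accessibility_services`) and reports any service whose package is not on an allowlist. The allowlist packages and the sample setting value are constructed for illustration.

```python
"""Triage enabled Android Accessibility Services against an allowlist.

Added example (not from the Zscaler report). Input is the raw value of the
Secure setting `enabled_accessibility_services`, e.g. as printed by
`adb shell settings get secure enabled_accessibility_services`.
Entries are `package/class` separated by ':'; the class may be written
relative to the package (`pkg/.Service`). An empty or "null" value means
no service is enabled.
"""
from typing import Dict, List, Tuple

# Constructed allowlist: packages of assistive products the org expects to see.
EXPECTED_SERVICE_PACKAGES = {
    "com.vendor.screenreader",   # hypothetical screen reader
    "com.vendor.magnifier",      # hypothetical magnifier
}

# Constructed sample output: one expected service plus one unknown service.
SAMPLE_SETTING = (
    "com.vendor.screenreader/com.vendor.screenreader.ReaderService:"
    "com.example.update/.AccessService"
)


def parse_enabled_services(raw: str) -> List[Tuple[str, str]]:
    """Return (package, fully-qualified class) pairs from the setting value."""
    raw = (raw or "").strip()
    if raw in ("", "null"):
        return []
    services = []
    for entry in raw.split(":"):
        entry = entry.strip()
        if not entry or "/" not in entry:
            continue  # ignore malformed fragments rather than crash triage
        pkg, cls = entry.split("/", 1)
        if cls.startswith("."):
            cls = pkg + cls  # expand relative class name to its package
        services.append((pkg, cls))
    return services


def find_unexpected_services(raw: str, allowlist=EXPECTED_SERVICE_PACKAGES) -> List[Dict[str, str]]:
    """List enabled services whose package is not in the allowlist."""
    findings = []
    for pkg, cls in parse_enabled_services(raw):
        if pkg not in allowlist:
            findings.append({"package": pkg, "service": cls,
                             "reason": "accessibility service enabled for non-allowlisted package"})
    return findings


if __name__ == "__main__":
    for f in find_unexpected_services(SAMPLE_SETTING):
        print(f"[!] {f['package']} -> {f['service']}: {f['reason']}")
```

A finding is a reason to inspect the package, not proof of infection by itself; pair it with the report's other indicators (the coercive notifications, blocked Settings entries, and the MQTT beacon) before concluding.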

The figure below shows an open directory of a live C2 server hosting Copybara phishing pages.

Figure 5: Open directory of a live Copybara C2 server hosting phishing pages.

These phishing pages are designed to deceive unsuspecting users into entering their sensitive information. As depicted in the figure below, an example of one such phishing page imitates a login page for a prominent cryptocurrency exchange.

Figure 6: An example Copybara phishing page designed to look like a popular cryptocurrency exchange.

Finally, the application initiates a connection to an MQTT server on port 52997. Copybara subscribes to a specific queue named on this server. This connection enables the application to listen for and receive various commands sent by the C2 server.
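Because the beacon is plain MQTT on an unusual port (52997 rather than 1883/8883), a network sensor that recognizes the MQTT CONNECT packet by its framing, independent of port, will see this C2 channel. The following is an added example, not Zscaler's or Copybara's code: it decodes the MQTT fixed header, the variable-length "remaining length" field and the CONNECT variable header, then flags flows whose first payload is a CONNECT to a non-standard port, rating port 52997 (from this report) highest. The flow records, IP addresses and client IDs are constructed; the `build_connect` helper exists only to produce those samples.

```python
"""Flag MQTT CONNECT handshakes sent to non-standard TCP ports.

Added example (not from the Zscaler report). MQTT CONNECT framing:
  fixed header : 0x10 (packet type 1, flags 0), then remaining length
                 (1-4 bytes, 7 bits each, high bit = continuation)
  var. header  : 2-byte protocol name length, name ("MQTT" for 3.1.1,
                 "MQIsdp" for 3.1), 1-byte level, 1-byte connect flags,
                 2-byte keep-alive
  payload      : 2-byte client-id length, client id, ...
Sample flows below are constructed.
"""
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

STANDARD_MQTT_PORTS = {1883, 8883}
COPYBARA_MQTT_PORT = 52997  # port named in the report


def _decode_remaining_length(data: bytes, offset: int) -> Tuple[int, int]:
    """Decode the MQTT variable-length integer; return (value, next offset)."""
    value, multiplier = 0, 1
    for i in range(4):
        if offset + i >= len(data):
            raise ValueError("truncated remaining length")
        byte = data[offset + i]
        value += (byte & 0x7F) * multiplier
        if not byte & 0x80:
            return value, offset + i + 1
        multiplier *= 128
    raise ValueError("malformed remaining length")


def parse_mqtt_connect(payload: bytes) -> Optional[Dict[str, object]]:
    """Return CONNECT details if payload is a complete MQTT CONNECT, else None."""
    if len(payload) < 2 or payload[0] != 0x10:
        return None
    try:
        remaining, pos = _decode_remaining_length(payload, 1)
    except ValueError:
        return None
    body = payload[pos:pos + remaining]
    if len(body) != remaining or len(body) < 2:
        return None
    name_len = int.from_bytes(body[0:2], "big")
    name = body[2:2 + name_len]
    if name not in (b"MQTT", b"MQIsdp"):
        return None
    p = 2 + name_len
    if len(body) < p + 4:
        return None
    level, flags = body[p], body[p + 1]
    keepalive = int.from_bytes(body[p + 2:p + 4], "big")
    p += 4
    client_id = None
    if len(body) >= p + 2:
        cid_len = int.from_bytes(body[p:p + 2], "big")
        client_id = body[p + 2:p + 2 + cid_len].decode("utf-8", "replace")
    return {"protocol": name.decode(), "level": level,
            "clean_session": bool(flags & 0x02),
            "keepalive": keepalive, "client_id": client_id}


@dataclass
class Flow:
    src: str
    dst: str
    dport: int
    first_payload: bytes  # first client->server bytes of the TCP session


def build_connect(client_id: bytes) -> bytes:
    """Build a minimal MQTT 3.1.1 CONNECT (only used to construct samples)."""
    body = (b"\x00\x04MQTT" + b"\x04" + b"\x02" + b"\x00\x3c"
            + len(client_id).to_bytes(2, "big") + client_id)
    return b"\x10" + bytes([len(body)]) + body  # body is < 128 bytes here


def triage_flows(flows: List[Flow]) -> List[Dict[str, object]]:
    """Report MQTT CONNECTs whose destination port is not a standard broker port."""
    findings = []
    for f in flows:
        info = parse_mqtt_connect(f.first_payload)
        if info is None or f.dport in STANDARD_MQTT_PORTS:
            continue
        severity = "high" if f.dport == COPYBARA_MQTT_PORT else "medium"
        findings.append({"src": f.src, "dst": f"{f.dst}:{f.dport}",
                         "client_id": info["client_id"], "severity": severity})
    return findings


# Constructed sample flows (RFC 5737 documentation addresses).
SAMPLE_FLOWS = [
    Flow("10.0.0.5", "203.0.113.10", 52997, build_connect(b"dev-1a2b")),   # report's port
    Flow("10.0.0.5", "192.0.2.20", 1883, build_connect(b"sensor-7")),      # normal broker
    Flow("10.0.0.5", "198.51.100.9", 443, b"\x16\x03\x01\x00\xf1\x01\x00"),  # TLS, not MQTT
    Flow("10.0.0.5", "203.0.113.44", 9001, build_connect(b"x")),           # odd port
]

if __name__ == "__main__":
    for hit in triage_flows(SAMPLE_FLOWS):
        print(hit)
```

The check keys on protocol structure, so a broker on 1883 or 8883 is left alone while the same handshake on 52997 is surfaced; TLS-wrapped MQTT on 8883 would need TLS metadata rather than payload parsing, which is why that port is simply treated as expected here.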

The specific commands and their descriptions are provided in the table below.

Command

Functionality

Opens Settings for the application (otherwise blocked for the user via the Settings menu).

Checks if the device admin feature is enabled. If it is not enabled, the user is prompted to enter a new lock screen password. Subsequently, the malware proceeds to lock the device screen.

The malware receives a list of package and filenames associated with injects from the C2 server. If a file with a matching name already exists, the malware first deletes the existing file. Subsequently, it proceeds to download a new file from the C2 server. The downloaded file is then written to disk.

Initializes an MQTT connection to the C2 server and then starts the device's rear camera.

Initializes an MQTT connection to the C2 server and then starts the device's front camera.

Ends camera activity.

Maximizes screen brightness.

Minimizes screen brightness.

Transmits audio from the microphone to the C2 server.

Stops transmitting microphone audio to the C2 server.

Deletes all notifications from the victim's device.

Stops deleting notifications.

Creates a custom view using settings from the object received from the C2 server. The object contains parameters specifying field types and text specifications to construct a custom webview on-the-fly.

Clicks on the screen at the location specified by , which is received from the C2 server.

Closes the connection to the MQTT server and stops the background service.

Shows an overview of recent applications.

Downloads an application from an parameter provided by the C2 server, saves it under the filename , and installs it.

Opens a URL provided by the C2 server.

Dismisses open notifications.

Performs an action specified by the C2 server. The IDs specified by the C2 server correspond to the global actions provided by the Accessibility Service.

Based on the value of the flag received from the server, the malware dismisses notifications.

Based on the value of the flag received from the server, the malware takes measures to restrict access to certain options in the Settings menu. This is done to prevent the uninstallation of the malware by the user.

Turns off the screen capture feature on the victim's device.

Streams the screen activity of the infected device to the MQTT server. The stream is published to the MQTT server in a queue named .

Downloads an image from the C2 server. The specific image name, referred to as , is provided by the server. Once downloaded, the image is saved as a file named . However, this functionality is not currently being utilized in the code.

Minimizes screen brightness and sets a black background.

Displays a webview that opens a specific URL provided by the server through the parameter.

Displays a webview containing HTML content that is determined by objects received from the server, such as , , and . The object can either be a local file path or the name of a URI located on the server. In the case of a URI, it is fetched from the C2 server.

Removes an overlay from the screen.

Sets a flag value based on the parameter received from the server. However, this functionality is not currently utilized in the code.

Retrieves a list of installed packages on the infected device and sends this information to the MQTT server by publishing it to a queue called .

Enables or disables the keylogger functionality based on the value of the parameter received from the C2 server.

Carries out a gesture on the screen based on the values , , , and which are provided by the C2 server.

Sets the text value, as specified by the parameter, to the currently focused node on the screen (equivalent to injecting keystrokes).

Sets a flag based on the value of the parameter received from the C2 server. However, this flag is not currently utilized in the code.

Clears browser history and wipes data on the device.

Initiates a phone call to a specific number provided by the C2 server through the parameter.

Adjusts the image quality of screenshots sent to the C2 server based on the value provided by the parameter received from the C2 server.

Publishes contact information from the device to the MQTT server at a queue named .

Executes an Accessibility Service action on the phone, depending on the value of the parameter received from the C2 server.

Adjusts the frames per second (fps) value based on the parameter received from the C2 server. This adjustment is made when sending images to the server.

Hides or displays the application icon in the phone menu based on the value of the parameter received from the C2 server.

Disables the lock screen.

Requests a specific permission based on the value of the parameter received from the C2 server.

Initiates the launch of a specific application as indicated by the parameter received from the C2 server.

Deletes a specific application, as indicated by the parameter received from the C2 server.

Enables the blocking of notifications for a specific application as indicated by the parameter received from the C2 server.

Blocks the user from opening a specific application as indicated by the parameter received from the C2 server.

Performs a swipe action using the values , , , , and provided by the C2 server.

Performs a swipe action using the values for firstX, firstY, secondX, secondY, and intSpeed provided by the C2 server.

Performs a swipe action using the values for , , , , and provided by the C2 server.

Enters a pattern using the values , , , and provided by the C2 server.

Performs a gesture using the values for , , , , , , , , and provided by the C2 server.

Creates a notification using the data received from the C2 server through the parameters , , , and . The object is utilized to download an icon image from the C2 server.

Sets a flag based on the value of the parameter received from the C2 server. However, this flag is not currently used in the code.

Publishes SMS messages collected from the infected device to the MQTT server at a queue named .

Deletes a specific SMS from the phone as indicated by the parameter received from the server.

Sends an SMS using the phone number and SMS body specified by the and parameters received from the C2 server.

Sends a heartbeat message to the C2 server.

Table 1: Copybara commands and functionalities.