Meet Black Rose Lucy; Checkpoint says ‘she’ is latest Russian MaaS botnet

Everyone loves roses; meaning the flower, in red, pink, yellow, or white.

Black Rose Lucy

But surely you are not going to love “Black Rose Lucy.”

For after all, Black Rose Lucy, according to a report by Check Point Software Technologies, Ltd. is the “latest Russian MaaS (malware-as-a-service) Botnet.”

What’s a botnet? As one definition puts it, “a botnet is a collection of internet-connected devices, which may include PCs, servers, and Internet of Things (IoT) devices that are infected and controlled by a common type of malware. Users are often unaware of a botnet infecting their system.”

McGallen and Bolden informed SDN — Scitech and Digital News on Tuesday, September 25, that Check Point’s team of researchers, some of them based in Asia, has uncovered and named the latest MaaS botnet, “Black Rose Lucy,” which is designed to target and infect Android phones.

How bad is that?

McGallen and Bolden noted the large number of Android smartphones in use, with Android accounting for 60 percent of smartphone users in Singapore and more than 70 percent in China.

In relation to this, it was reported that in 2017 around 32 percent of Filipinos had smartphones.

Thus, millions of users across the world could be potential targets for Black Rose Lucy and other botnets lurking on the internet.

Users of Android phones “make prime targets for hackers” who “no longer just write malware themselves, but can simply ‘buy’ MaaS (malware-as-a-service) from other bad actors out there, and use such ‘subscription malware’ to attack others.”

Check Point researchers said that Black Rose Lucy “can target and infect Android phones, collect personal data, and listen to remote commands from botnet C&C (command and control) servers, and install extra malware.”

Unknown to many Android phone users, the malware carries out its attack by abusing the Accessibility functions of Android smartphones.

Here’s the report from Check Point:

Meet Black Rose Lucy, the Latest Russian MaaS Botnet

Research By: Feixiang He, Bogdan Melnykov, Andrey Polkovnichenko

An organization needs to have a collaborative hiring process, advised Steve Jobs. Always a group that follows mainstream trends closely, cyber criminals in recent years have taken greater heed of this advice, increasingly hiring cyber mercenaries and Malware-as-a-Service (MaaS) providers to carry out their malicious activities.

Instead of assembling an all-round team with the full skill set needed to build an attack from scratch, many threat actors prefer to hire smaller groups with a much more specialized skill set. Such threat actors buy malware services from MaaS providers much as legitimate organizations purchase cloud services.

Recently, with the help of David Montenegro, Check Point Research intercepted a new MaaS product, Black Rose Lucy, developed by a Russian-speaking team whom we have dubbed ‘The Lucy Gang’.

At the time of writing, we believe the Lucy Gang has already conducted various demos for potential malicious clients. While the product may still be in its early stages, given time it could easily become a new cyber Swiss army knife that enables hacker groups worldwide to orchestrate a wide range of attacks. Our analysis of this product below reveals the latest trends in the underground MaaS market.

First Glance

The Black Rose Lucy MaaS product is a malware bundle consisting of:

Lucy Loader – a remote control dashboard, which controls an entire botnet of victim devices and hosts and deploys additional malware payloads.
Black Rose Dropper – a dropper that targets Android phones, collects victim device data, listens to a remote command and control (C&C) server and installs extra malware sent from a C&C server.

The modern Android system only allows users to manually enable sensitive capabilities for an application, such as making an application a device admin. In order to become a device admin, an application needs to explicitly ask for user consent in a pop-up window, or ask the user to navigate through a series of system settings and then grant such privilege. On the other hand, the Android accessibility service, which can mimic a user’s screen clicks, can be abused by malware to work around such security restrictions. The accessibility service was introduced so that users can automate and simplify certain repeated tasks. For Black Rose, though, it is the Achilles’ heel in Android’s defense. Once it has successfully tricked victims into enabling the accessibility service for Black Rose, it carries out APK file installation and self-protection setup without victim consent.
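The combination described above (an accessibility service, a device-admin receiver, APK installation rights and no visible launcher entry) can be screened for statically before an app is trusted. The following is an added example, not code from Check Point or from the malware: it parses an AndroidManifest.xml and scores those traits. The manifest, the package name and the component names are constructed for illustration.

```python
import xml.etree.ElementTree as ET

A = "{http://schemas.android.com/apk/res/android}"  # Android manifest attribute namespace

# Constructed sample manifest; not taken from any real Black Rose sample.
SAMPLE_MANIFEST = """
<manifest xmlns:android="http://schemas.android.com/apk/res/android"
          package="com.example.sysupdate">
  <uses-permission android:name="android.permission.REQUEST_INSTALL_PACKAGES"/>
  <application android:label="System Update">
    <service android:name=".MonitorService"
             android:permission="android.permission.BIND_ACCESSIBILITY_SERVICE">
      <intent-filter>
        <action android:name="android.accessibilityservice.AccessibilityService"/>
      </intent-filter>
    </service>
    <receiver android:name=".AdminReceiver"
              android:permission="android.permission.BIND_DEVICE_ADMIN">
      <intent-filter>
        <action android:name="android.app.action.DEVICE_ADMIN_ENABLED"/>
      </intent-filter>
    </receiver>
  </application>
</manifest>
"""

def _has_launcher_activity(app):
    """True if any activity is exposed to the launcher (MAIN action + LAUNCHER category)."""
    for act in app.iter("activity"):
        for f in act.iter("intent-filter"):
            actions = {e.get(A + "name") for e in f.iter("action")}
            cats = {e.get(A + "name") for e in f.iter("category")}
            if "android.intent.action.MAIN" in actions and "android.intent.category.LAUNCHER" in cats:
                return True
    return False

def manifest_indicators(xml_text):
    """Collect the manifest-level traits the dropper described above relies on."""
    root = ET.fromstring(xml_text)
    app = root.find("application")
    perms = {e.get(A + "name") for e in root.iter("uses-permission")}
    acc = "android.permission.BIND_ACCESSIBILITY_SERVICE"
    adm = "android.permission.BIND_DEVICE_ADMIN"
    return {
        "accessibility_service": any(s.get(A + "permission") == acc for s in app.iter("service")),
        "device_admin_receiver": any(r.get(A + "permission") == adm for r in app.iter("receiver")),
        "can_install_apks": "android.permission.REQUEST_INSTALL_PACKAGES" in perms,
        # Black Rose hides its icon at runtime, which a manifest cannot show;
        # having no launcher activity at all is a weaker, related signal.
        "no_launcher_activity": not _has_launcher_activity(app),
    }

def triage(xml_text):
    """Return (score, indicators); several of these together warrant manual review."""
    ind = manifest_indicators(xml_text)
    return sum(ind.values()), ind
```

A legitimate accessibility app (a screen reader, say) will trip one indicator, so the score is a triage aid rather than a verdict.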

Close-Up: The Lucy Loader Dashboard

In the Lucy Loader instance we discovered, we observed that it currently controls 86 devices in Russia, with very recent infection dates starting from early August this year.


Figure 1: The Lucy Loader dashboard.

The Lucy Loader dashboard also gives hackers a quick overview of geo-locations of infected devices in its botnet.


Figure 2: An overview of geo-locations of infected devices.

Hackers can upload malware to the dashboard, which can later be pushed en masse to every device in the botnet according to the threat actor’s requirements.


Figure 3: Payload upload and management.

The Black Rose dropper family samples we acquired disguise themselves as either an Android system upgrade or image files. The samples primarily leverage Android’s accessibility service to install their payload without any user interaction, and they build an interesting self-protection mechanism.

Monitor Service

Upon installation, the Black Rose dropper immediately hides its icon and registers the Monitor service.


Figure 4: Initial malicious activities.

For complete information, this article/report first appeared on:

(Courtesy of Check Point via McGallen and Bolden Asia.)
