BianLian C&C domain name

You might want to read my prior articles on Android/BianLian first: unpacking, payload, fake server.

There was a remaining point which was bugging me: how does the Android/BianLian bot know where to contact the C&C?
Having worked on the samples for several days, I noticed they weren’t always heading to the same website: hxxp://rheacollier31532[.]website, hxxp://shanehook85484[.]website etc.

So, where do those names come from? Are they produced by a Domain Generation Algorithm (DGA), or are they hidden in an asset?

Answer: the active C&C is returned by a malicious GitHub user account. The account name unfortunately varies from one sample to another:

The JSON page actually contains a Base64-encoded JSON object with the C&C’s URL:

How does the code work?

1. At first, the code sets a property to a decrypted admin URL.

2. As the shared preferences file holds no C&C yet, this returns a dummy C&C: https://www.google.com

3. The real C&C is retrieved from the init procedure.

I have renamed methods for better readability. The original name of the method is com.pmmynubv.nommztx.bot.g.b

4. The code retrieves the “domains” parameter of the JSON

5. Finally, the code sets the URL in the shared preferences.

The code reads the “domains” part of the JSON object (readUrl), removes the trailing / if necessary, and finally writes the URL down in its configuration. The original name of this method is com.pmmynubv.nommztx.bot.g.a
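As an added example (not the post's nor the malware's code), the helper below mirrors the lookup described above from an analyst's side: decode the Base64 blob a sample fetched, read its “domains” value, strip a trailing slash, and fall back to the dummy default when nothing usable is present. The exact JSON layout (string or list under “domains”) and the Base64 variant are assumptions; the sample blob is constructed.

```python
import base64
import binascii
import json

# Dummy C&C the bot returns before a real one has been stored (from the post).
DEFAULT_CNC = "https://www.google.com"


def decode_blob(blob: str) -> bytes:
    """Decode Base64 text, tolerating missing padding and the URL-safe alphabet."""
    blob = blob.strip()
    blob += "=" * (-len(blob) % 4)  # restore padding if it was dropped
    try:
        return base64.b64decode(blob, validate=True)
    except binascii.Error:
        # Assumption: some configs may use '-' and '_' instead of '+' and '/'.
        return base64.urlsafe_b64decode(blob)


def normalise_url(url: str) -> str:
    """Mirror the bot's clean-up step: drop a single trailing slash."""
    return url[:-1] if url.endswith("/") else url


def extract_cnc(blob: str, default: str = DEFAULT_CNC) -> str:
    """Recover the C&C URL from a captured config blob, or return `default`."""
    try:
        cfg = json.loads(decode_blob(blob).decode("utf-8"))
    except (binascii.Error, UnicodeDecodeError, ValueError):
        return default
    domains = cfg.get("domains") if isinstance(cfg, dict) else None
    if isinstance(domains, list):  # assumption: a list means "first wins"
        domains = domains[0] if domains else None
    if not isinstance(domains, str) or not domains.strip():
        return default
    return normalise_url(domains.strip())


def encode_config(cfg: dict) -> str:
    """Build a blob in the assumed format (used only to construct fixtures)."""
    return base64.b64encode(json.dumps(cfg).encode("utf-8")).decode("ascii")


# Constructed sample standing in for the page served by the GitHub account.
SAMPLE_BLOB = encode_config({"domains": "http://example.invalid/"})

if __name__ == "__main__":
    print(extract_cnc(SAMPLE_BLOB))  # http://example.invalid
    print(extract_cnc("!!!!"))  # falls back to https://www.google.com
```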

Conclusion: there is no DGA. It is just a hard-coded remote URL serving an updated C&C name.

— the Crypto Girl

Mobile and IoT malware researcher. The postings on this account are solely my own opinion and do not represent my employer.

@cryptax