December 9, 2020

#0 [7e5be357-7543-4530-a375-a540e5eef7a3] Ctraf Cordova EN

Introduction

In this research we describe one of the maskware families found in multi.app (more about the service).

All applications belong to the same family and are written using Apache Cordova together with Crypt File. This article helped us.

List of applications:

  • com.sdzsama.noblessejoker
  • com.wolfrunner.bunnyrunny
  • com.predictionwheel.alwayswin
  • com.asamuinc.asamulockee
  • com.heycompany.hollowroll
  • com.calctime.sudzucalc

All of the above applications have the same features:

  1. Applications are written using Apache Cordova
  2. At startup, requests are made to one of the addresses: http://ctraf.com/adspect, http://78.47.187.129/Z4ZvXH31, or http://78.47.187.129/PtSwvYGN
  3. All addresses from point 2 return Location: https://nobot or Location: https://bot in their response headers
  4. Dropbox file sharing is used to deliver the scripts containing the business logic
  5. The apps use different cloaking links: privatlyrics.site, notrelated.site, chooseit.site, sunbath.site. When these links are opened, the response differs depending on the user's IP. With a USA IP, all of the above links redirect to google.com.
  6. Applications have the same token in their manifest:
    <meta-data android:name="onesignal_app_id" android:value="7e5be357-7543-4530-a375-a540e5eef7a3"/>

All of the above points allow these applications to be assigned to one family, called Ctraf (after one of the sites the group uses), subgroup Cordova. The presence of the onesignal_app_id metadata parameter with the value 7e5be357-7543-4530-a375-a540e5eef7a3 in these applications and in applications of other families also allows them to be attributed to the same group of cybercriminals.

Analysis of traffic and code using com.sdzsama.noblessejoker as an example

The main script is in the resources at the path \assets\www\cordova.js

Application screenshot and traffic sniffer (Fullsize)

At its end, the cordova.js file contains code that loads the business logic script from the Dropbox file hosting service.

Screenshot of code and traffic sniffer (Fullsize)

Link to the script loaded by the application: https://dl.dropboxusercontent.com/s/6gmxmz5dwgzgr8t/noblessejoker.js

The script sends data about the device to one of the links http://ctraf.com/adspect, http://78.47.187.129/Z4ZvXH31, or http://78.47.187.129/PtSwvYGN and checks the path to which that link redirected.

Screenshot of traffic sniffer and business logic code downloaded from file hosting (Fullsize)

From the screenshot you can see that in this case the link http://ctraf.com/adspect is used; the response is an HTML page containing Base64-encoded JavaScript. The JavaScript collects information about the environment in which it runs and sends this information to the root link in a POST request.

Screenshot of the decoded script highlighting important sections of the code (Fullsize)

The following screenshot shows in red the data sent by the POST request and where it is located in the sending method.

The data collection is circled in blue, and an arrow shows where this data is passed to the sending method.

The sending method itself is highlighted in green, and its call is shown below.

The header in the response to the POST request, which is checked in the main JavaScript, is shown in orange at the bottom left.

Screenshot of the device data collection code (Fullsize)

A request from the link http://ctraf.com/adspect redirects to https://bot or https://nobot.

In the case of a redirect to https://bot, the check is not passed and the startGame method is executed, which shows the game itself, as seen in the screenshot of the application and the traffic sniffer.

If redirected to https://nobot, different functionality will be shown.

To reveal the hidden functionality of the application, you need to redirect the request from ctraf.com/adspect to a local server.

Setting up request redirection to the local server using Charles program (Fullsize)

After replacing just one parameter in the response to the ctraf.com/adspect request using the local server, the application shows completely different functionality (the well-known scam casino Vulcan).

Screenshot of the result of replacing the Location header from https://bot to https://nobot (Fullsize)

Thus, it is the developer's site (http://ctraf.com/adspect) that decides which functionality will be shown to a particular user.

When the application uses a link other than http://ctraf.com/adspect, for example http://78.47.187.129/Z4ZvXH31 or http://78.47.187.129/PtSwvYGN, no POST request is sent to it; the redirect to https://bot or https://nobot is returned immediately.
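The mechanism above (a Location header whose host is the bare word bot or nobot, used as a yes/no flag, plus business logic pulled from Dropbox) can be turned into a simple triage rule over proxy output. The code below is an added example, not part of the original analysis; the flow records are constructed from the URLs on this page in the shape an analyst might export from Charles or mitmproxy.

```python
from urllib.parse import urlsplit

# Constructed sample of HTTP transactions (method, URL, status, response headers).
# The URLs follow the flows described in this analysis; the records themselves
# are stand-ins, not captured traffic.
SAMPLE_FLOWS = [
    {"method": "GET", "status": 200, "headers": {"Content-Type": "text/javascript"},
     "url": "https://dl.dropboxusercontent.com/s/6gmxmz5dwgzgr8t/noblessejoker.js"},
    {"method": "GET", "status": 200, "headers": {"Content-Type": "text/html"},
     "url": "http://ctraf.com/adspect"},
    {"method": "POST", "status": 302, "headers": {"location": "https://nobot"},
     "url": "http://ctraf.com/adspect"},
    {"method": "GET", "status": 302, "headers": {"Location": "https://bot"},
     "url": "http://78.47.187.129/Z4ZvXH31"},
    # Benign redirect to a real host: must not be flagged.
    {"method": "GET", "status": 302, "headers": {"Location": "https://www.example.com/api"},
     "url": "https://example.com/api"},
]

# Single-label "hosts" that cannot resolve: the server is signalling, not redirecting.
SENTINEL_HOSTS = {"bot", "nobot"}
# File-hosting domains the family uses to deliver the business-logic script.
SCRIPT_HOSTS = {"dl.dropboxusercontent.com"}


def location_host(headers):
    """Hostname from the Location header, matched case-insensitively, or None."""
    lowered = {k.lower(): v for k, v in headers.items()}
    loc = lowered.get("location")
    return urlsplit(loc).hostname if loc else None


def flag_flow(flow):
    """Return the indicator names matched by one HTTP transaction."""
    hits = []
    if location_host(flow["headers"]) in SENTINEL_HOSTS:
        hits.append("sentinel-redirect")
    host = urlsplit(flow["url"]).hostname
    if host in SCRIPT_HOSTS and urlsplit(flow["url"]).path.lower().endswith(".js"):
        hits.append("script-from-file-hosting")
    return hits


def scan(flows):
    """Map each URL to the indicators it matched; URLs with no hits are omitted."""
    report = {}
    for flow in flows:
        hits = flag_flow(flow)
        if hits:
            report.setdefault(flow["url"], []).extend(hits)
    return report
```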

Analysis of application scripts operation

All applications have an initialize method in the scripts downloaded from the file hosting service, as can be clearly seen in the following screenshot. This method is shown using the com.asamuinc.asamulockee application as an example.

Screenshot of the script and the initialize method (Fullsize)

All advertising is taken from the link https://notrelated.site/click.php with different parameters depending on the application. The link from which the advertisement is taken is built from MAPP_URL, which has a key parameter that varies from application to application; APP_ID, which corresponds to a specific application; and CLICK_ID, which is generated randomly.

The initialize method accepts deeplinkparam and convparams arguments, which also take part in building the link. After the link with all the required information has been built on line 111, this link is opened. The link itself saves the data passed to it on the server and redirects the user to the advertising link the creators need; in the latter case it was a forwarder.

For example, you can try to open the link https://privatlyrics.site/click.php?key=dbl4svSha2fP2zqdtSNn&source=com.asamuinc.asamulockee&click_id=fb00221e-6daf-40d1-a91c-a9ef43a655e6

In the browser we immediately see a redirect to http://forabet.top/PL?link=101

Advertising link redirect screenshot (Fullsize)

Cloaking in redirect links

The links that the application opens after passing the check (https://nobot) redirect to different targets depending on the user's IP.

List of redirection chains with screenshots:

com.asamuinc.asamulockee: privatlyrics.site → forabet.top

Initial link: https://privatlyrics.site/click.php?key=dbl4svSha2fP2zqdtSNn&source=com.asamuinc.asamulockee&click_id=7db58a43-f0dd-4621-bbf8-2bcbfdc24ba5

UA IP: Screenshot → casino

USA IP: Screenshot → google

com.sdzsama.noblessejoker: notrelated.site → agencyhead.com → cakeglobaloffers.com → vulkan777.life

Initial link: https://notrelated.site/click.php?key=HS88Uh7_sX4PQPMbj_wf&source=com.sdzsama.noblessejoker&click_id=723af654-b9b3-4b55-a9fc-208dff6539cd

UA IP: Screenshot → casino

UA IP: Screenshot → casino

USA IP: Screenshot → google

com.wolfrunner.bunnyrunny: chooseit.site → agencyhead.com → cakeglobaloffers.com → vulkan777.life

Initial link: https://chooseit.site/click.php?key=cp5XpdBsOLot43PhxLWN&source=com.wolfrunner.bunnyrunny&click_id=a50214b2-cfb8-4dcc-a92a-c6317656ef56

UA IP: Screenshot → casino

UA IP: Screenshot → casino

USA IP: Screenshot → google

com.predictionwheel.alwayswin: sunbath.site → gmdvg.com → cakeglobaloffers.com → vulkan777.life

Initial link: https://sunbath.site/click.php?key=nT2KJC0Xj9AuEVBPUqfB&source=com.predictionwheel.alwayswin&click_id=5e268ee8-bbdc-40b7-b65b-31d1485408d1

UA IP: Screenshot → casino

UA IP: Screenshot → casino

USA IP: Screenshot → google

com.heycompany.hollowroll: hellsong.site → 2020pnpon.com → puopenme.com → pin-upua.com

Initial link: https://hellsong.site/click.php?key=AtSQXZ3Q5VmiXVu7XOAS&source=com.heycompany.hollowroll&click_id=c76d02ac-5cf0-4a0f-8f7d-f4f4423c6bfa

UA IP: Screenshot → casino

UA IP: Screenshot → casino

USA IP: Screenshot → google
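Documenting a cloaking chain like the ones listed above means following each redirect by hand (never letting the HTTP client auto-follow) from two vantage points and comparing where they land. The walker below is an added example, not tooling from the original post; the response tables reproduce the com.sdzsama.noblessejoker chain with constructed intermediate paths, and fetch is a pluggable stand-in for a real request made with redirects disabled.

```python
from urllib.parse import urlsplit, urljoin


def walk_chain(url, fetch, max_hops=10):
    """Follow 3xx responses hop by hop and return every URL visited.
    fetch(url) must return (status, headers) for a single, non-followed request."""
    chain = [url]
    for _ in range(max_hops):
        status, headers = fetch(url)
        loc = {k.lower(): v for k, v in headers.items()}.get("location")
        if not (300 <= status < 400 and loc):
            break
        url = urljoin(url, loc)  # Location may be relative to the current hop
        chain.append(url)
    return chain


def hosts(chain):
    return [urlsplit(u).hostname for u in chain]


def is_cloaked(chain_a, chain_b):
    """Cloaking indicator: the same initial link lands on different final hosts."""
    return hosts(chain_a)[-1] != hosts(chain_b)[-1]


# Initial link as given in this analysis for com.sdzsama.noblessejoker.
INITIAL = ("https://notrelated.site/click.php?key=HS88Uh7_sX4PQPMbj_wf"
           "&source=com.sdzsama.noblessejoker&click_id=723af654-b9b3-4b55-a9fc-208dff6539cd")

# Constructed responses: the intermediate paths are placeholders, only the hop
# hosts and the final landing pages follow the chains described on this page.
UA_RESPONSES = {
    INITIAL: (302, {"Location": "https://agencyhead.com/placeholder-path"}),
    "https://agencyhead.com/placeholder-path": (302, {"location": "https://cakeglobaloffers.com/placeholder-path"}),
    "https://cakeglobaloffers.com/placeholder-path": (302, {"Location": "https://vulkan777.life/"}),
    "https://vulkan777.life/": (200, {}),
}
US_RESPONSES = {
    INITIAL: (302, {"Location": "https://google.com/"}),
    "https://google.com/": (200, {}),
}


def make_fetch(table):
    """Build a fetch function from a response table; unknown URLs return 404."""
    return lambda u: table.get(u, (404, {}))


def compare_vantage_points(url):
    ua = walk_chain(url, make_fetch(UA_RESPONSES))
    us = walk_chain(url, make_fetch(US_RESPONSES))
    return {"ua": hosts(ua), "us": hosts(us), "cloaked": is_cloaked(ua, us)}
```

With a live client, the same walker works unchanged by passing a fetch that issues one request with redirect following turned off and returns the status and headers.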

Analysis of how the advertising sites work

Vulkan777.life

Registration window:

http://i.prntscr.com/ZiSuIV_YTt2ch4W8Mr5YdQ.png

Application view after registration:

http://i.prntscr.com/VKv9R7gyS1OR23AWgILfIA.png

Window after clicking on the "Top up" button:

http://i.prntscr.com/T96u0ns4Qb2b2I_N7n7UdA.png

Window after selecting the Privat24 payment method; the site asked for bank card details:

http://i.prntscr.com/pGkgvdilQ0GAB7jBKftpkQ.png

http://i.prntscr.com/nlDwnYn4QN_ZN1DMn1ePwQ.png

Forabet.org

Registration window:

http://i.prntscr.com/_luAvxlUTKiEWMImHOOIBQ.png

Application view after registration:

http://i.prntscr.com/_KbkblHaQeGmHJdBESU-OQ.png

Window after clicking on balance:

http://i.prntscr.com/Owhef2eqR0mh8kz5J6veWw.png

After clicking the "Top up" button, the window was redirected to a third-party payment site:

http://i.prntscr.com/ZsshTxnxQ32JoFDW__pEKg.png

http://i.prntscr.com/lFEqdONRQSeBUk6TkefSvw.png

Website: forabet.org

Payment site: https://business.netdevtech.xyz/p/0b2f80364ee653a5f6273e139c6439bc/mastercard

Redirects to:

http://business.netdevtech.xyz/checkout/0b2f80364ee653a5f6273e139c6439bc/bank_card

pin-upua.com

Registration window:

http://i.prntscr.com/20GbHn4MSCuJENHJWp7s1w.png

After registration, it immediately showed the balance top-up window:

http://i.prntscr.com/sITdSpc9T1mU99Y-m9f7Mg.png

After clicking on the "Deposit" button, it redirects to the payment page:

http://i.prntscr.com/W7Q3QaNKSsSzZejuT9czzQ.png

Conclusion

All these applications have a built-in browser which, under certain conditions, opens betting or casino sites. The sites themselves have a built-in payment system, which does not depend on the application in which they are opened and works bypassing Google's payment system.

Other materials on these applications

com.wolfrunner.bunnyrunny

http://i.prntscr.com/SKDJsItbQxS7orT0zxrlEw.png

Link to the script in the code:

http://i.prntscr.com/xxLKq_JfSI2BDo23lyQykA.png

The loaded script has exactly the same functionality.

http://i.prntscr.com/ZRB8EO2lSs_rK4at0jjV_A.png

When the header is replaced with the one that appears in the code, the application shows the casino advertisement just like the previous one.

http://i.prntscr.com/pxspQEd0RbqDh8sN2cQLLw.png

com.predictionwheel.alwayswin

This is an application from the same family, but the link used for the bot/nobot check is different there, and it worked immediately without replacing the content. Apparently the checks on this server are slightly different, or the IP matched; we do not know exactly what checks take place on the servers and what their selection criteria are.

http://i.prntscr.com/R0-dcNvQSJKqfatSZxkS-g.png

The type of advertisement in the screenshot differs from previous copies because this is not the first launch of the application, but the subsequent one after scrolling the wheel in the advertisement window. The original type of advertising is identical to my case.

Code with a link to the script from dropbox: http://i.prntscr.com/TSTRAP8KT1_sgvJvtFbpJQ.png

The code of the script loaded from dropbox:

http://i.prntscr.com/Qtsxb6isSDGYl7wivoX4VA.png

com.asamuinc.asamulockee

http://i.prntscr.com/oF98KYpATdqvtB6roFgBxA.png

Code with a link to dropbox

http://i.prntscr.com/h1O9hskTTz2x8qtBN6MPBA.png

The code of the script loaded from dropbox:

http://i.prntscr.com/xQxq_GhWRuODl7qnGMyh8g.png

After replacing the header with nobot:

http://i.prntscr.com/CxgV2jM-TOioBEBkL59LjA.png

com.heycompany.hollowroll

http://i.prntscr.com/GnnFBg_eSz2FD_VO95fAOQ.png

Code with a link to dropbox

http://i.prntscr.com/tcSTSlj0RDODPGHJt1wBfQ.png

The code of the script loaded from dropbox:

http://i.prntscr.com/4KLQ9rMtQvGgnQbo5Fxi0A.png

After replacing the header with nobot:

http://i.prntscr.com/FeSKG0l6RQyzP9dSeb66aw.png

com.calctime.sudzucalc

http://i.prntscr.com/3GWysKtISN6eC8EGW1vbMQ.png

Code with a link to dropbox

http://i.prntscr.com/fL9z_w5qQwedUgbRtkVxXQ.png

The code of the script loaded from dropbox:

http://i.prntscr.com/BQDzA2n_RRaUHh3Qb50Ohg.png

After replacing the header with nobot:

http://i.prntscr.com/urwks5WwTbi9BVFurGpL2Q.png