MoqHao: Targeted Attacks on Android and iOS in Japan

Dhanalakshmi Velusamy/K7 Computing

Japanese users, on both Android and iOS, have for some time been constantly and aggressively targeted by MoqHao, a sophisticated and evolving cross-platform phishing campaign, despite notifications to law enforcement and JP-CERT. The latest strike, on August 6th 2019, hit users of DHL and JPPost in Japan, with Sagawa and Softbank also lined up as targets.

MoqHao's TTPs include two spreading channels, smishing and DNS hijacking, the latter achieved by exploiting Cross-Site Request Forgery (CSRF) vulnerabilities such as CVE-2018-20872, CVE-2017-7404 and CVE-2017-6334 in unpatched DrayTek and D-Link routers, and a game-changing script-laced browser component, a critical attribute of MoqHao, that directs the victim to a platform-specific payload. On Android, the payload is a spoofed APK (with base64-encoded objects and/or a native binary component) that is downloaded either from the Google Play Store or from a third-party server located in Taiwan, China and, most recently, Germany. On iOS, the payload has been a landing page that either forces the victim to install a signed malicious .mobileconfig XML profile, which collects device information and sends it to the URL named in the mobileconfig, or runs a browser-based cryptomining script in the background. The Android MoqHao payload's ultimate goal has so far been data exfiltration, including banking credentials, and spying on the victim's activities.
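As an added example (not from this paper or K7's own tooling), a small Python triage helper for the iOS stage: it parses a .mobileconfig, recognises the CMS signature envelope that a signed profile carries, and, for Apple's "Profile Service" over-the-air enrollment format, reports the URL the device will POST its attributes to and which hardware identifiers the profile asks for. The sample profile and its hostname are constructed for the example.

```python
import plistlib

# Constructed sample, not a real MoqHao artifact: an Apple "Profile Service"
# profile whose payload asks iOS to POST device identifiers to the listed URL.
SAMPLE_PROFILE = b"""<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0"><dict>
  <key>PayloadType</key><string>Profile Service</string>
  <key>PayloadIdentifier</key><string>com.example.profile</string>
  <key>PayloadDisplayName</key><string>Update Profile</string>
  <key>PayloadContent</key><dict>
    <key>URL</key><string>http://profile.example.invalid/collect</string>
    <key>DeviceAttributes</key><array>
      <string>UDID</string><string>IMEI</string><string>ICCID</string>
      <string>VERSION</string><string>PRODUCT</string>
    </array>
  </dict>
</dict></plist>
"""

# Hardware identifiers whose collection by an unknown profile is worth flagging.
SENSITIVE_ATTRIBUTES = {"UDID", "IMEI", "ICCID", "MEID", "SERIAL"}

def is_cms_wrapped(data: bytes) -> bool:
    """A signed .mobileconfig is a DER CMS envelope (first byte 0x30), not a
    raw plist. Unwrap it first, e.g. with
    openssl smime -inform DER -verify -noverify -in profile.mobileconfig"""
    head = data.lstrip()
    return not (head.startswith(b"<?xml") or head.startswith(b"bplist"))

def triage_profile(data: bytes) -> dict:
    """Report where a profile sends device data and which identifiers it requests."""
    if is_cms_wrapped(data):
        return {"signed_wrapper": True, "profile_service": False, "url": None,
                "device_attributes": [], "findings": ["CMS signature wrapper present"]}
    plist = plistlib.loads(data)
    content = plist.get("PayloadContent", {})
    # Profile Service enrollment: PayloadContent is a dict with URL + DeviceAttributes.
    is_ps = plist.get("PayloadType") == "Profile Service" and isinstance(content, dict)
    url = content.get("URL") if is_ps else None
    attrs = list(content.get("DeviceAttributes", [])) if is_ps else []
    findings = ["Profile Service enrollment payload"] if is_ps else []
    if url and not url.lower().startswith("https://"):
        findings.append("device data sent over plaintext HTTP")
    leaked = sorted(SENSITIVE_ATTRIBUTES.intersection(attrs))
    if leaked:
        findings.append("collects hardware identifiers: " + ", ".join(leaked))
    return {"signed_wrapper": False, "profile_service": is_ps, "url": url,
            "device_attributes": attrs, "findings": findings}
```

Run `triage_profile()` over an unwrapped profile pulled from a suspicious landing page; the `url` field is the value to check against blocklists and proxy logs.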

MoqHao's attack pattern so far indicates that it targets diverse conglomerates in Japan's logistics and telecommunications industries, and that it periodically refreshes or re-attacks its target lists. Users of Sagawa, a Japanese logistics company, were targeted in April and August 2019, while MoqHao's activities were first spotted back in October 2018.

This paper explains the end-to-end TTPs of ongoing MoqHao campaigns, revealing current attack patterns so that the next potential target can be identified in advance. We dissect the various stages of this campaign, for both iOS and Android, throughout its evolution. We also provide detection methodologies at all security layers on an Android device. Finally, we explain the social engineering, anti-reversing and modular techniques used in the Android payload, along with an insight into how the MoqHao payloads for iOS work, with a view to devising possible detections and remediations.

November 8 at 11:40 - 12:00, Stage A

V. Dhanalakshmi, Senior Threat Researcher, has been with K7 Computing, Chennai, India, in K7's Threat Control Lab. She started her career as a Technical Support Executive in the Virus Removal Team at Sutherland Global Services, Chennai. Later, she joined Technosoft Global Services, Chennai, and served as a Threat Research Analyst. She has presented papers at the AVAR 2011, AVAR 2013 and AVAR 2018 conferences and at the National Cyber Safety Summit conferences organised by the Government of India. Her interests include listening to music and gardening.