Improving Azure Security by Detecting the DualToy Trojan

DualToy Trojan may sound like a children’s toy, but rest assured, it is not taken lightly. It is a nasty command and control attack that could wreak havoc upon your mobile enterprise security if proper detection steps are not taken. Being able to effectively identify legitimate C2 activity within your azure instance and quickly isolate it is the only way to defend against DualToy. This blog will cover the primary objective for each mobile operating system and review an Azure Sentinel Query that can be used to correctly identify Trojan and protect your mobile devices.

Android Key Events

Originating with the Android operating systems, it can initiate several malicious actions to control any device. The following are some of the key events to look for:

• ADB driver downloads to set up a Command and Control Server
• Installs Chinese game apps that are no longer supported in Google play store
• Execute binary code from appdata.exe file
• Misspelling of the name Microsoft within the Apps

It is often hard for the end-user to even know that they have been compromised, as the apps downloaded tend to be well hidden and not front-facing in the phone.

iPhone/iOS Key Events

DualToy has continued to evolve its practices and has made strides on infections within the iOS platform. Below are some of the key events noted as a takeover event in preparation or taking place.

• Download/Install Itunes and execute msiexec.exe in the background.
• Tunnel in and Operate iOS devices.
• iOS information harvesting the following information:
  • Device information (name, UUID, serial, version, type, model, IMEI, and firmware)
  • Phone number
  • SIM card data
• Install a malicious app (disguised as a game) with outbound attempts to malicious DNS

The Rule for Azure Sentinel

If you utilize Azure Sentinel to monitor your mobile workforce, proper visibility must be installed around any DualToy activity. It can be tricky to manage mobile devices as they tend to be used for personal and work-related functions, so the lines of clarity can be blurred. The following search string can be used directly with the Azure Sentinel SIEM solution to effectively identify any known DNS lookups performed to DualToy related entities.

Proxy | where (r-dns == 'www.zaccl.com' or ro-dns == 'pack.1e5.com' or r-dns == 'rsys.topfreeweb.net' or r-dns == 'abc.yuedea.com' or r-dns == 'report.boxlist.info' or r-dns == 'tt.51wanyx.net' or r-dns == 'hk.pk2012.info' or r-dns == 'center.oldlist.info' or r-dns == 'up.top258.cn' or r-dns == 'dl.dswzd.com')

A best practice with this search would be either set it as a daily dashboard check or just an alert whenever this activity occurs. Some tuning may be required, and a remediation procedure should be created to ensure security teams are informed on how to handle these events. Since all of your mobile workforces may not be managed by the IT staff, it will be important that proper guidance is in place to direct end-users on how to remove any software install and even run a virus scan to clean the device thoroughly. In some situations, a full reset may be required depending on how far the Trojan could spread. This is where having an MDM in place will significantly help provide your IT staff the ability to protect the mobile workforce as required.

Conclusion

With Remote work from home becoming a new trend moving into the future, we must continue to protect the mobile workforce. Corporations have been forced into utilizing BYOD to keep business operations running smoothly, thus opening a security gap in visibility and response. Enforcing an MDM for any personal devices and implementing searches like the one provided above are two significant steps in locking down your mobile perimeter. Azure security best practices should be at the forefront of mobile development. To understand more about implementing them across the board, check out some of the on-hand courses Cybrary offers. Get trained today so you can stay protected tomorrow.