Black Rose Lucy Botnet Returns, Pushing Ransomware
The cybercriminal group known as the Lucy Gang was first spotted by Check Point researchers in 2018 when their Black Rose Lucy (a/k/a Lucy) malware botnet first started targeting Android devices with cyber threats.
Back then, the Lucy threat had two main components. The first element to an attack from the Russian-speaking cyber gang was called the Lucy Loader and served as a remote control dashboard that would help incorporate the targeted Android device into the Lucy botnet and allow for the installation of additional malware payloads. The second element was the Black Rose Dropper, which worked like an info-stealer, collecting user and device data and sending it back to the botnet's command and control (C2) servers.
Table of Contents
Lucy Paves The Way For Mobile Ransomware
Ransomware has become the favorite money-making tool in a cybercriminal's arsenal of malware threats when it comes to personal computers. Still, it's just starting to enter the world of mobile devices.
The attack usually starts on social media, where the victim is enticed to click on a bogus video link, which presents a pop-up that informs them that ''to continue watching, you must enable Streaming Video Optimization (SVO), select it in the menu and turn it on!''
There is, however, no menu to select anything from, and the user is presented with an ''OK'' button which, if clicked, will grant the malware dropper permission to exploit the Android Accessibility Service to install its malicious payload without any user interaction.
Malware pop-up message. Source: Check Point
Android's Accessibility Service was designed to help disabled users interact with their Android devices by mimicking user screen clicks and automating user interactions. ''With Lucy, it's the Achilles Heel in the Android's defensive armor,'' Check Point noted in a recent report.
Masquerading As The FBI
Once the Lucy ransomware has established itself on the Android device, it will encrypt important data and present a ransom note that informs the user that the device's ''encryption was carried out by the Federal Bureau of Investigation (FBI) due to pornographic content found on the device,'' according to an alert posted by New Jersey's Cybersecurity & Communications Integration Cell (NJCCIC).
Victims are then instructed to pay a $500 fine for the dismissal of their offense and the decryption of their files. In this case, the attackers have ditched the preferred method of receiving the ransom in the form of cryptocurrency and directly ask for the victim's credit card information.
Ransom note. Source: Check Point
Other Improvements
The Lucy gang has also fortified Black Rose Lucy's C2 infrastructure. According to the Check Point report, the threat actors have switched from using an IP address to a domain. ''Although the server can be taken down, it can easily be resolved into a new IP address, which makes it much harder to neutralize the malware,'' the analysts noted.
Security researchers say that incidents involving mobile malware are starting to become more common. The level of sophistication is also increasing, and we're likely just going to see an increase in ransomware threats targeting the devices that people tend to use to store their most private data.
The researchers conclude that: ''Sooner or later, the mobile world will experience a major destructive ransomware attack.''