Hi, I've been on the forum for quite some time and a few years back I ran into an unexpected and unusual situation where a former business partner stole over $500K from my company, rendering it insolvent and then proceeded to steal, embezzle and hack everything that I owned including my new business.
It began with a series of obvious hacks against my home and office, but there were a few things that stood out. I previously worked as an MCSE certified network engineer, so I wasn't completely in the dark about computers. The initial hack impacted my work and personal mobile phones, an iPhone and an Android with different providers. I wasn't familiar with APT models nor up to speed on all of the advancements in cyber security. The standout aspect of the malware was its use of Bluetooth to spread fast, ultrasonic communications and specific techniques that were well thought out. This meant that I had to get up to speed extremely fast if I were to be able to explain what was happening. Because the model utilizes techniques that leave some trace evidence, I was able to gather some basic information, such as registry changes, Bluetooth aspects, etc.
I have extensive knowledge on this now. This includes analysis, tool sets, techniques, sub-techniques, ultrasonic and harmonics, speaker to speaker communication, impacts to devices, etc.
This malware looks similar enough when viewing an infected iPhone, Android, Windows, Chromebook or MacBook. It changes many of the folders such as the /proc/ folder on an Android or Chromebook. The dates are changed to 2008-12-31 1600 and 1969-12-31 1600. The malware has a self removal feature that will remove it if your battery life drops below 5% or if you are detected trying to copy the files from the device, so I had to come up with a specific process to successfully remove it.
If there is active monitoring of the phone it can be triggered and self removal will occur. What this means is that if there is active monitoring of your device, which is creepy, I know, then it can be triggered.
To retrieve copies of the device files that are affected you must disengage all signals such as Bluetooth, WiFi, etc. Set the security settings so that the phone doesn't try to connect to a device such as a laptop, etc. when detected, and turn down and off all of the volume settings. Once the device is off, place a piece of masking tape over the camera lens area and speaker output areas. Place it in an EM-protected bag while you complete the next steps. Keep in mind that an APT model is advanced, so when a remotely activated malware of this kind is on your device you have to assume it has impacted all other devices in the proximity, and it does.
Once an impacted device is brought into an office or home environment it will use several means of communication to connect with everything on your network such as Xbox, other PCs, Microsoft, iPhones, televisions, etc. Basically all media devices will be contacted. If communication is established between these devices, then those devices are now infected, and this also gives the attacker a great deal of recon information. Over time, the attacker is able to build a profile on the victim such as living or work space, list of devices and contacts, schedule and habits. This malware, without your knowledge, will infect any phone that you text from the point of your phone being infected. This means that although those contacts are now infected, they may or may not be attacked. In most cases it is used in the profiling of the victim and gives the attackers the necessary information in case you lose your phone or leave it somewhere. They can activate the most commonly contacted phones, or people that you hang out with, to gain location on you as a target. At this point, if you were to replace your phone it won't really help, because once you bring your device home where all of your home devices are infected it will reinfect your phone, or one of your contacts that has been impacted can reinfect your device.
Now, this sounds like you are trapped with no options. That was previously true until they attacked me. I now have a complete working knowledge of their entire model, techniques, capabilities, and the whole nine yards. Knowing this has allowed me to develop a long list of techniques and tools that can allow you to identify and mitigate. I was able to identify the specific signal range that their attack works in through testing, jamming and proofing. I developed some early detection appliances that are low cost and work against what was formerly an unstoppable malware package. The final aspect to completely combating this requires early indicators and specific software that will render the attacker's software unusable. There are advanced signal science aspects that I won't go into now, but the overuse of harmonics in their attacks causes extreme issues with direct current and can and will crash appliances such as refrigerators, water coolers and any electronic device plugged into an AC wall unit that has a screen and/or speaker.
I must point out that this malware spreads fast and it's likely that more people than not have it or something similar on their devices. Hopefully not, but the package can be removed fast enough by the attacker, which allows them to attempt to avoid detection, and it would not be the best strategy to leave it active on large numbers of devices. Moving on.
Next, you'll need to root the phone. This is where you give yourself admin rights to the whole phone and all files. You'll want to set up a laptop or desktop without a WiFi card or Bluetooth to remove the files from your infected Android. You will need to load Android Debug Bridge on the desktop which is free.
Depending on how badly your devices have been impacted, it is recommended that you get a battery power supply to plug the desktop into for a short period of time (30 minutes) and disable all USB communication such as WiFi to Bluetooth. Finally, bring the phone online, but not connected to any signal, open ADB (Android Debug Bridge) and copy everything off. You can find videos on YouTube for this process. I would recommend making several copies for obvious reasons.
The reason that this is so important is because without proof you'll run into dead ends. Keep in mind that most local law enforcement does not have a cyber division, and even if you take it to an agency, not all of them are tech related. They'll need to take the proof to their tech people. It is an eye opener when you realize how unprepared they are in regards to cyber security. It's a bit embarrassing and scary.
The use of harmonics such as ultrasonic is extremely dangerous when coupled with a cyber weapon because you can be physically impacted. This is something very new in regards to cyber. We hired a spectrum analysis team to come to the office to help us understand where the attack was coming from and what specific communications protocols were being used. We happened to get measurements in our conference room of 171 dB. You couldn't hear anything, but if you stood in the conference room for a few minutes you immediately felt head pressure, body aches and short term memory issues along with extreme fatigue. That explanation should be enough, because the other things that we discovered were very scary. Laptops were destroyed, overheated, damage to electrical equipment, etc. Keep in mind that once an attack like this occurs, every device in the network can be used by the attacker. We started measuring everything from a harmonics standpoint and got readings coming from a device that was an ultrasonic 90 second repeating pattern running between 17.2 Hz and 19.3 Hz. After researching further, we found that those specific ranges cause extreme irritability and anxiety.
Those are only 2 examples of what was discovered. It's already a horrible thought that in this day and age we have this threat running wild in the US and it is unchecked. This is why I'm posting this information to help.
In closing, I would recommend doing this for all of the people that you are representing (those in your office or household). If they are feeling out of sorts, then their phone or all of their devices are affected.
The only surefire way to prevent reinfection is a custom install package that can identify all of the malware's behaviors and will set off an early warning or shut down all affected services and lock the files for review.
I've attached a screenshot below of one of my infected devices as I was copying the files off of it. You'll see the weird dates on the folders. It will create a large number of folders in your /proc/ folder as well. Make sure to copy everything off. I would also recommend taking photographs and screen capture video as you go through the removal process. Again, you have to be extremely thorough because no one wants to deal with cyber issues and even worse, they are likely not skilled at it and will have to pass the issue to another department.
I have a ton of information on this and would be happy to post anything regarding answers, findings, etc. This topic is extensive and complex, but I'm up to speed on everything, including model of use, other uses, findings, spec analysis and other reports that may help.
Edited by hamluis, 05 September 2023 - 07:24 PM.
Moved from Gen Sec to Tips/Tricks - Hamluis.
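The post's acquisition steps (pull the files off the Android over ADB, keep several copies, preserve the folder dates as evidence) are easier to hand to a third party if every copy carries a hash manifest that can be re-verified later. The script below is an added example written for this thread; it is not the poster's tooling and not part of any project. It assumes GNU coreutils (`sha256sum`, `stat -c %Y`) on the offline collection machine and, for the pull step only, an `adb`-authorized device on USB. The `pull` step is a hypothetical wrapper around plain `adb pull`; the manifest and verification functions need no device. One caveat for the timestamp check: the post reports the dates in local time; 1969-12-31 16:00 US Pacific is Unix epoch 0, which is also what a file system shows for a timestamp that was never set, and 2008-12-31 16:00 Pacific is epoch 1230768000. The `count_epoch_dates` function only counts manifest entries with those two values so an analyst can look at them; it does not decide what they mean.

```shell
#!/bin/sh
# Added example: evidence-preservation helper for the ADB copy step described in the post.
# Assumes GNU coreutils (sha256sum, stat -c %Y). Nothing here touches a device except adb_pull_paths.

# Pull each device path into DEST with adb (hypothetical wrapper; needs adb on PATH and an
# authorized device). Many entries under /proc are kernel pseudo-files and will fail to pull;
# the failures are reported and the remaining paths are still collected.
adb_pull_paths() {
    dest="$1"; shift
    mkdir -p "$dest"
    for p in "$@"; do
        adb pull "$p" "$dest" || echo "pull failed: $p" >&2
    done
}

# Write a manifest line "sha256 mtime_epoch path" for every regular file under DIR.
# Sorting gives a stable order so two manifests of the same tree can be diffed directly.
make_manifest() {
    dir="$1"; out="$2"
    : > "$out"
    find "$dir" -type f | LC_ALL=C sort | while IFS= read -r f; do
        h=$(sha256sum "$f" | cut -d' ' -f1)
        m=$(stat -c %Y "$f")
        printf '%s %s %s\n' "$h" "$m" "$f" >> "$out"
    done
}

# Recompute every hash in MANIFEST; return 1 if any file changed or went missing.
# Run this on each of the extra copies the post recommends before handing one over.
verify_manifest() {
    manifest="$1"
    status=0
    while read -r h m f; do
        if [ ! -f "$f" ]; then
            echo "MISSING: $f" >&2; status=1; continue
        fi
        cur=$(sha256sum "$f" | cut -d' ' -f1)
        if [ "$cur" != "$h" ]; then
            echo "MODIFIED: $f" >&2; status=1
        fi
    done < "$manifest"
    return $status
}

# Count manifest entries whose mtime is one of the two values the post names
# (epoch 0 = 1969-12-31 16:00 Pacific; 1230768000 = 2008-12-31 16:00 Pacific).
# Assumption: the post's local time was US Pacific. This is a listing aid, not a verdict.
count_epoch_dates() {
    awk '$2 == 0 || $2 == 1230768000 { n++ } END { print n + 0 }' "$1"
}

# Usage (only when run directly with arguments):
#   sh evidence.sh pull ./evidence /proc /sdcard     # collect from the phone
#   sh evidence.sh manifest ./evidence evidence.sha256
#   sh evidence.sh verify evidence.sha256
case "${1:-}" in
    pull)     shift; adb_pull_paths "$@" ;;
    manifest) make_manifest "$2" "$3"; echo "files with post-named dates: $(count_epoch_dates "$3")" ;;
    verify)   verify_manifest "$2" && echo "manifest verified" ;;
esac
```

Keep the manifest file outside the tree it describes (as in the usage lines above) so that re-running `make_manifest` never hashes the manifest itself, and store a copy of the manifest with each of the duplicate evidence copies.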