Businesses in Trouble! MilkyDoor Targeting Enterprise Secure Network

Attackers are always looking for new ways to target organizations. Sometimes they exploit vulnerabilities in the enterprise network, and sometimes they use malware, adware, or phishing. Organizations being targeted is nothing new, and many malware families already do so, but this time a new form of Android malware has appeared. Its name is MilkyDoor. According to researchers, this malware reaches otherwise secure networks by using SSH tunneling. An SSH tunnel is an encrypted channel created over an SSH protocol connection; it can carry unencrypted traffic across a network inside that encrypted channel. According to the researchers, around 200 unique Android applications on Google Play, with install counts ranging between 500,000 and a million, have been found embedded with the malware. Hundreds of other programs, including books for children and doodle applications, have also been infected by MilkyDoor.

Working of MilkyDoor: MilkyDoor builds an SSH (Secure Shell) tunnel to a remote server on port 22 and uses it to encrypt its malicious payloads. Once the malicious traffic is hidden in this way, the attacker can reach firewall-protected networks and a variety of enterprise services, from web and FTP to SMTP. The attacker can then scan all available internet IP addresses. According to the researchers, MilkyDoor is similar to DressCode in its routines and techniques. DressCode was an Android malware family that harmed enterprise security by turning infected mobile devices connected to the network into a way in. The main difference between the two is that DressCode relied on SOCKS proxy servers to give attackers access to internal company networks, while MilkyDoor creates an SSH tunnel.

The malware runs as a process named android.process.s. During installation of the Trojanized application, MilkyDoor queries a third-party server (freegeoip.net) to obtain the device's local IP address along with its country, city, and longitude/latitude. It then uploads this information to its command and control (C&C) server, which replies with data in JavaScript Object Notation (JSON) format containing an SSH server's user, password, and host. After successful exploitation, this lets an attacker evade the security solutions an organization has set up and leverage infected devices to breach the company's internal network.

Cyber Security Mitigation: Mobile malware can have a disruptive impact on business continuity, as mobile devices are increasingly the preferred platform for flexibly accessing and managing data. The following mitigations help protect against MilkyDoor:

  1. Enterprises are advised to deploy firewalls on BYOD devices to prevent access to port 22.
  2. Users are advised to keep their smartphones up to date.
  3. Keep using a reputable security solution on your smartphone.
  4. Never install applications from untrusted sources.
  5. Users should exercise caution with suspicious applications.
  6. Be careful when connected to the enterprise network.
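One way to check for the traffic pattern described above (a mobile device opening an outbound SSH connection to an external host, which mitigation 1 is meant to block) is to scan firewall logs for it. This is an added example, not code from the original article or from the researchers; the log format, the BYOD and corporate subnets, and the log lines themselves are constructed assumptions.

```python
import ipaddress
from collections import defaultdict

# Constructed sample firewall log lines (not from the article), in the
# form: timestamp src dst dport proto action
SAMPLE_LOGS = """\
2017-04-20T10:01:02Z 10.50.1.23 203.0.113.9 443 tcp allow
2017-04-20T10:01:05Z 10.50.1.23 198.51.100.7 22 tcp allow
2017-04-20T10:01:09Z 10.50.1.44 10.10.0.5 22 tcp allow
2017-04-20T10:02:15Z 10.20.3.8 198.51.100.7 22 tcp allow
2017-04-20T10:02:30Z 10.50.1.23 198.51.100.7 22 tcp allow
malformed line that the parser must skip
"""

# Assumed address plan: BYOD/mobile devices live in 10.50.0.0/16, and
# everything in 10.0.0.0/8 counts as the corporate network.
BYOD_SUBNETS = [ipaddress.ip_network("10.50.0.0/16")]
CORP_SUBNETS = [ipaddress.ip_network("10.0.0.0/8")]


def find_outbound_ssh(log_text, byod_subnets=BYOD_SUBNETS, corp_subnets=CORP_SUBNETS):
    """Return {(src, dst): count} for allowed TCP/22 flows from a BYOD
    address to a host outside the corporate ranges. A mobile device
    opening SSH to an external server is the traffic pattern MilkyDoor's
    tunnel relies on, and the one mitigation 1 blocks."""
    hits = defaultdict(int)
    for line in log_text.splitlines():
        parts = line.split()
        if len(parts) != 6:
            continue  # skip malformed or truncated lines
        _ts, src, dst, dport, proto, action = parts
        if proto != "tcp" or dport != "22" or action != "allow":
            continue
        try:
            src_ip, dst_ip = ipaddress.ip_address(src), ipaddress.ip_address(dst)
        except ValueError:
            continue  # not a parseable address pair
        if not any(src_ip in net for net in byod_subnets):
            continue  # not a mobile/BYOD source
        if any(dst_ip in net for net in corp_subnets):
            continue  # SSH to an internal host is ordinary admin traffic here
        hits[(src, dst)] += 1
    return dict(hits)


if __name__ == "__main__":
    for (src, dst), count in sorted(find_outbound_ssh(SAMPLE_LOGS).items()):
        print(f"ALERT: BYOD host {src} opened SSH to external {dst} ({count} flows)")
```

Requests to freegeoip.net alone are a weak signal, since the service has legitimate uses; the outbound SSH flow from a mobile device is the stronger indicator to alert on.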
