According to security researchers, the “Black Rose Lucy” malware botnet has incorporated ransomware capabilities into its attack toolkit.

Check Point Research learned of the return of Black Rose Lucy, also referred to as Lucy, after an Android malware researcher tweeted about it. The security firm subsequently collected some samples and found that the malware was masquerading as a video player application. Under that disguise, the malicious app attempted to trick users into enabling Accessibility Services for the purpose of minimizing the amount of user interaction needed to ultimately install the ransomware payload. It also used two commands that instructed the device to keep both its screen and its Wi-Fi connectivity on.

Upon connecting to one of four of its command-and-control (C&C) servers, the malware received a string called “Key” as a response. The threat then used a service to fetch an array of the infected device’s directories. Using this information, Lucy set to work encrypting all of the files stored in the identified arrays. It’s at that point that it displayed a ransom note that appeared to come from the Federal Bureau of Investigation (FBI). This message informed victims that law enforcement officials had found pornographic content on their device and that they needed to pay a fine of $500 for investigators to dismiss their offense.

A Look Back at Black Rose Lucy

Black Rose Lucy malware did not have ransomware capabilities at the time of its discovery by Check Point back in 2018. At that time, the malware-as-a-service (MaaS) botnet relied on two components for its malicious activity. Lucy Loader acted as the first element in serving as a remote control dashboard for the purpose of incorporating infected devices into a botnet and installing additional malware payloads. The second resource, Black Rose Dropper, targeted Android devices by collecting their information and retrieving secondary malware from the botnet’s C&C servers.

Securing the Business From Black Rose Lucy Malware

Security professionals can help defend their organizations against Lucy malware by leveraging robust policies to enforce mobile security best practices. Those guidelines should include limiting the types of locations and developers from which employees can install apps onto their work devices. Additionally, infosec personnel should consider using tools powered by artificial intelligence (AI) to help defend against sophisticated threats such as Android ransomware.

More from

Patch Tuesday -> Exploit Wednesday: Pwning Windows Ancillary Function Driver for WinSock (afd.sys) in 24 Hours

‘Patch Tuesday, Exploit Wednesday’ is an old hacker adage that refers to the weaponization of vulnerabilities the day after monthly security patches become publicly available. As security improves and exploit mitigations become more sophisticated, the amount of research and development required to craft a weaponized exploit has increased. This is especially relevant for memory corruption vulnerabilities. Figure 1 — Exploitation timeline However, with the addition of new features (and memory-unsafe C code) in the Windows 11 kernel, ripe new attack…

OneNote, Many Problems? The New Phishing Framework

There are plenty of phish in the digital sea, and attackers are constantly looking for new bait that helps them bypass security perimeters and land in user inboxes. Their newest hook? OneNote documents. First noticed in December 2022, this phishing framework has seen success in fooling multiple antivirus (AV) tools by using .one file extensions, and January 2023 saw an attack uptick as compromises continued. While this novel notes approach will eventually be phased out as phishing defenses catch up,…

When the Absence of Noise Becomes Signal: Defensive Considerations for Lazarus FudModule

In February 2023, X-Force posted a blog entitled “Direct Kernel Object Manipulation (DKOM) Attacks on ETW Providers” that details the capabilities of a sample attributed to the Lazarus group leveraged to impair visibility of the malware’s operations. This blog will not rehash analysis of the Lazarus malware sample or Event Tracing for Windows (ETW) as that has been previously covered in the X-Force blog post. This blog will focus on highlighting the opportunities for detection of the FudModule within the…

LastPass Breaches Cast Doubt on Password Manager Safety

In 2022, LastPass suffered a string of security breaches which sparked concern among cyber professionals and those impacted by the intrusions. Some called into question the way LastPass handled and responded to the incident. In addition, the situation ignited a wider conversation about the risks linked to utilizing password managers. A password manager helps users generate strong passwords and safeguards them within a digital locker. A master password secures all data, which enables users to conveniently access all their passwords…