Summary:
The CYFIRMA team investigated a malicious Android sample targeting high-value individuals in Southern Asia, attributed to an unknown threat actor using the SpyNote Remote Administration Tool. The payloads were delivered via WhatsApp, and the analysis revealed a set of requested permissions that could compromise the victim’s device. The report highlights the ongoing threat posed by SpyNote and its variants, which have been utilized by APT groups for espionage and data theft.
#AndroidMalware #SpyNote #APTThreats
Key points:
Malicious Android sample analyzed by CYFIRMA targeting high-value assets in Southern Asia.
Payload delivered via WhatsApp, with four different app names indicating a targeted attack.
Apps were obfuscated and concealed, operating in the background after installation.
Permissions requested by the apps included access to location, contacts, camera, SMS, and device storage.
SpyNote RAT has evolved, with various versions used by individual hackers and APT groups for espionage and fraud.
APT groups like OilRig and APT-C-37 have utilized SpyNote in their campaigns against critical sectors.
The attack is suspected to be orchestrated by an unidentified APT group or unknown threat actor.
MITRE Techniques:
Foreground Persistence (T1541): The app utilizes the startForeground() API method to continue running in the foreground.
Obfuscated Files or Information (T1406): Uses obfuscation techniques to hide malicious code within the APK.
Input Capture (T1417): Captures keystrokes to steal sensitive credentials like usernames and passwords.
File and Directory Discovery (T1420): Enumerates files and directories on the device to locate valuable information.
System Information Discovery (T1426): Collects device information, such as the device model and user details.
Data from Local System (T1533): Extracts data such as contacts, messages, photos, and videos from the infected device.
Screen Capture (T1513): Takes screenshots of the infected device to capture sensitive information.
Exfiltration Over C2 Channel (T1646): Sends stolen data (e.g., contacts, messages, credentials) to the C2 server.
IoC:
[IP Address] 182.191.122.219
[SHA256] 8AA1A66E03596C0EBA6F91FB081DDB4081F43B02D421E069C6BE8BBF5D399B89
[SHA256] 0552137AAA2C9419C8843D50BCB15A4C80913ED47EB71C5E5AB9B5AC257944ED
[SHA256] 6127DAF756865EE089BA83EFDADEBDA2C047026A698759DE09127D0DFE630E8D
[SHA256] A70089301FF628F09B90B269F6E8F5C6B5AE0B3073028ABCC62FEC9D2F1C954C
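The indicators above are only useful if they are actually swept against the telemetry you hold. The following script is an added example, not part of the CYFIRMA report: it loads the IP and SHA256 indicators listed on this page and matches them against constructed firewall log lines and a constructed file-hash inventory (the file paths, timestamps and non-indicator hashes are made up for the example). One practical detail it handles is hash case: the report prints SHA256 values in upper case while most tooling (sha256sum, EDR exports) emits lower case, so the comparison normalises both sides.

```python
"""Sweep log lines and a file-hash inventory for the IoCs from the report above.

Added example (not from the original report). Indicators are taken from the
page; the log lines and inventory entries are constructed sample data.
"""
import re
from dataclasses import dataclass

# Indicators copied from the report's IoC section.
IOC_IPS = {"182.191.122.219"}
IOC_SHA256 = {
    h.lower()
    for h in (
        "8AA1A66E03596C0EBA6F91FB081DDB4081F43B02D421E069C6BE8BBF5D399B89",
        "0552137AAA2C9419C8843D50BCB15A4C80913ED47EB71C5E5AB9B5AC257944ED",
        "6127DAF756865EE089BA83EFDADEBDA2C047026A698759DE09127D0DFE630E8D",
        "A70089301FF628F09B90B269F6E8F5C6B5AE0B3073028ABCC62FEC9D2F1C954C",
    )
}

IP_RE = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")
SHA256_RE = re.compile(r"\b[0-9a-fA-F]{64}\b")

# Constructed sample telemetry: two lines reach the C2 address, one does not.
FIREWALL_LOG = [
    "2024-05-01T10:02:11Z fw01 allow src=10.0.0.23 dst=182.191.122.219 dport=443 proto=tcp",
    "2024-05-01T10:02:15Z fw01 allow src=10.0.0.23 dst=142.250.74.46 dport=443 proto=tcp",
    "2024-05-01T10:03:40Z fw01 deny src=10.0.0.40 dst=182.191.122.219 dport=8080 proto=tcp",
]

# Constructed sha256sum-style inventory (lower-case hashes, placeholder paths).
FILE_INVENTORY = [
    "0552137aaa2c9419c8843d50bcb15a4c80913ed47eb71c5e5ab9b5ac257944ed  /sdcard/Download/placeholder.apk",
    "e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855  /sdcard/Download/empty.txt",
]


@dataclass(frozen=True)
class Hit:
    source: str     # which data set the line came from
    kind: str       # "ip" or "sha256"
    indicator: str  # normalised indicator value
    line: str       # the raw line that matched


def scan_lines(lines, source):
    """Return a Hit for every IoC occurrence found in the given lines."""
    hits = []
    for line in lines:
        for ip in IP_RE.findall(line):
            if ip in IOC_IPS:
                hits.append(Hit(source, "ip", ip, line))
        for digest in SHA256_RE.findall(line):
            digest = digest.lower()  # normalise case before comparing
            if digest in IOC_SHA256:
                hits.append(Hit(source, "sha256", digest, line))
    return hits


def sweep():
    """Run both data sets and return a summary keyed by indicator."""
    hits = scan_lines(FIREWALL_LOG, "firewall") + scan_lines(FILE_INVENTORY, "inventory")
    summary = {}
    for hit in hits:
        summary.setdefault(hit.indicator, []).append(hit)
    return summary


if __name__ == "__main__":
    for indicator, matches in sweep().items():
        print(f"{indicator}: {len(matches)} match(es)")
        for m in matches:
            print(f"  [{m.source}] {m.line}")
```

In a real deployment the two constructed lists would be replaced by a file or SIEM export, but the matching logic stays the same; note that a deny on the firewall still counts as a hit, because an attempted connection to the C2 address is itself a signal that a device is infected.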
Full Research: https://www.cyfirma.com/research/unidentified-threat-actor-utilizes-android-malware-to-target-high-value-assets-in-south-asia/