Advanced Persistent Threat (APT) attackers are being tracked in a new campaign that deploys Android malware through Syria's e-government web portal, with upgraded tooling designed to compromise victims.
"To the best of our knowledge, this is the first time that the group has been publicly observed using malicious Android applications as part of its attacks," Trend Micro researchers Zhengyu Dong, Fyodor Yarochkin, and Steven Du said in a technical write-up published on Wednesday.
StrongPity, codenamed Promethium by Microsoft, is believed to have been active since 2012 and typically focuses on targets across Turkey and Syria. In June 2020, the espionage threat actor was connected to a wave of activity that relied on watering hole attacks and tampered installers, which abuse the popularity of legitimate applications, to infect targets with malware.
"Promethium has been resilient over the years," Cisco Talos disclosed last year. "Its campaigns have been exposed several times, but that was not enough to stop the actors behind it. The fact that the group does not hold back from launching a new campaign after it has been exposed shows its determination to accomplish its mission."
The latest operation is no different in that it highlights the threat actor's tendency to repackage benign applications into trojanized variants to facilitate attacks.
The malware, disguised as the Syrian e-Gov Android application, is said to have been created in May 2021. Its manifest file ("AndroidManifest.xml") was modified to explicitly request additional permissions on the phone, including the ability to read contacts, write to external storage, keep the device awake, access information about cellular and Wi-Fi networks, obtain precise location, and even allow the app to start itself as soon as the system has finished booting.
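The permission set above is exactly what a defender looks for when triaging a sideloaded APK. The following script is an added example, not code from the article or from Trend Micro: it parses a decoded AndroidManifest.xml and flags the capabilities the report describes (contacts, external storage, wake lock, network and Wi-Fi state, precise location, boot persistence). The manifest and the package name are constructed for illustration; the permission and action identifiers are standard Android ones. It assumes the manifest has already been decoded to text (an APK ships it as binary XML, so run it through a decoder such as apktool or androguard first).

```python
import xml.etree.ElementTree as ET

# Android's XML namespace; android:name becomes "{ns}name" in ElementTree.
ANDROID_NS = "{http://schemas.android.com/apk/res/android}"

# Capabilities the report attributes to the trojanized e-Gov app, keyed by the
# standard permission identifier that grants each of them.
WATCHLIST = {
    "android.permission.READ_CONTACTS": "read contacts",
    "android.permission.WRITE_EXTERNAL_STORAGE": "write to external storage",
    "android.permission.WAKE_LOCK": "keep the device awake",
    "android.permission.ACCESS_NETWORK_STATE": "read cellular/network state",
    "android.permission.ACCESS_WIFI_STATE": "read Wi-Fi state",
    "android.permission.ACCESS_FINE_LOCATION": "precise location",
    "android.permission.RECEIVE_BOOT_COMPLETED": "start at boot",
}

BOOT_ACTION = "android.intent.action.BOOT_COMPLETED"

# Constructed sample manifest (not the real app's); package name is a placeholder.
SAMPLE_MANIFEST = """<?xml version="1.0" encoding="utf-8"?>
<manifest xmlns:android="http://schemas.android.com/apk/res/android"
          package="example.placeholder.egov">
  <uses-permission android:name="android.permission.INTERNET"/>
  <uses-permission android:name="android.permission.READ_CONTACTS"/>
  <uses-permission android:name="android.permission.WRITE_EXTERNAL_STORAGE"/>
  <uses-permission android:name="android.permission.WAKE_LOCK"/>
  <uses-permission android:name="android.permission.ACCESS_NETWORK_STATE"/>
  <uses-permission android:name="android.permission.ACCESS_WIFI_STATE"/>
  <uses-permission android:name="android.permission.ACCESS_FINE_LOCATION"/>
  <uses-permission android:name="android.permission.RECEIVE_BOOT_COMPLETED"/>
  <application android:label="e-Gov">
    <receiver android:name=".BootReceiver" android:exported="true">
      <intent-filter>
        <action android:name="android.intent.action.BOOT_COMPLETED"/>
      </intent-filter>
    </receiver>
  </application>
</manifest>
"""


def parse_manifest(xml_text):
    """Return the requested permissions and any receivers wired to BOOT_COMPLETED."""
    root = ET.fromstring(xml_text)
    perms = {e.get(ANDROID_NS + "name") for e in root.iter("uses-permission")}
    boot_receivers = []
    for receiver in root.iter("receiver"):
        actions = {a.get(ANDROID_NS + "name") for a in receiver.iter("action")}
        if BOOT_ACTION in actions:
            boot_receivers.append(receiver.get(ANDROID_NS + "name"))
    return {"permissions": perms, "boot_receivers": boot_receivers}


def triage(xml_text):
    """Score a manifest by how many watch-listed capabilities it requests.

    A boot receiver is flagged separately: together with RECEIVE_BOOT_COMPLETED it
    is the persistence mechanism the report describes.
    """
    info = parse_manifest(xml_text)
    hits = sorted(p for p in info["permissions"] if p in WATCHLIST)
    findings = [f"{p}: {WATCHLIST[p]}" for p in hits]
    for name in info["boot_receivers"]:
        findings.append(f"boot receiver {name}: persistence via {BOOT_ACTION}")
    return {
        "findings": findings,
        "score": len(hits) + len(info["boot_receivers"]),
        "persistent": bool(info["boot_receivers"]),
    }


def triage_sample():
    """Run the triage over the constructed sample manifest."""
    return triage(SAMPLE_MANIFEST)


if __name__ == "__main__":
    result = triage_sample()
    for line in result["findings"]:
        print("[!]", line)
    print("score:", result["score"], "persistent:", result["persistent"])
```

The score is a crude count, not a verdict: a legitimate contacts or maps app legitimately holds several of these permissions. What makes the combination worth a closer look is the mismatch with what a government services app needs, plus the boot receiver, which is what gives the implant its persistence across reboots.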
In addition, the malicious app is designed to perform long-running tasks in the background and to trigger requests to a remote command-and-control (C2) server. The server responds with an encrypted payload containing a settings file that allows the malware to "change its behavior according to the configuration" and to update its C2 server address.
Last but not least, the "highly modular" implant has the ability to hoover up data stored on the infected device, such as contacts, Word and Excel documents, PDFs, images, security keys, and files saved with the Dagesh Pro word processor (.DGS), all of which are sent back to the C2 server.
While there are no known public reports of StrongPity using a malicious Android application in its attacks, Trend Micro's attribution to the adversary stems from the use of a C2 server that was previously used in intrusions linked to the hacking group: a malware campaign documented by AT&T's Alien Labs in July 2019 that used tainted versions of the WinBox router management software, WinRAR, and other trusted utilities to compromise targets.
"We believe the attackers are looking for multiple ways to deliver applications to potential victims, such as using fake apps or using compromised websites as watering holes to trick users into installing malicious applications," the researchers said.
"Usually, these websites require users to download applications directly to their devices. To do so, they need to allow installation of applications from 'unknown sources' on their devices. This bypasses the 'chain of trust' of the Android ecosystem and makes it easy for attackers to deliver additional malicious components," they added.
Source: APT hackers distribute Android Trojans via Syria's e-government portal