Unknown Nation-Based Threat Actor Using Android RAT to Target Indian Defence Personnel

Unknown Nation-Based Threat Actor Using Android RAT to Target Indian Defence Personnel

Executive Summary

The CYFIRMA research team recently detected a malicious android APK targeting Indian Defence Personnel. Our research revealed that the attack has been active since July 2021.

The APK file in this case is a decoy copy of a promotion letter to the “Subs Naik” rank. Once the victim falls prey to this malicious APK, and upon installation, this app appears as an Adobe reader application icon (look-alike) on the device. Further research revealed that the threat actors were using a variant of publicly available Spymax RAT since its source code is already available on underground forums. Spymax offers different android package builds – and one of the builds has a web view feature that allows the threat actors to inject any web link into the web view module. After the successful installation of the generated APK, it takes the shape of an actual android app. In this occurrence, the threat actors injected a google drive link where-in the threat actor deployed a pdf file containing a list of Indian defense personnel who were awarded promotions to a higher rank.

The threat actors behind the attack are using strategic social engineering techniques, to deliver this and other malicious APK files through WhatsApp as a delivery mechanism. For more details on social engineering tactics, we recommend reading one of our research reports: (Advanced Social Engineering Attacks).

ETLM Attribution

Threat actors are luring Indian Defence Personnel with decoy promotion letters to install malicious android-based Spyware with the aim to exfiltrate confidential information from their devices. The malicious applications obtain several permissions to device resources like – access camera, audio, internet, Wi-Fi, and storage – access to any one of these can be dangerous and catastrophic for national security.

As the target is specifically the defense personnel and since the campaign has been running for quite some time, it is suspected that nation-state threat actor groups are behind the attack to exfiltrate sensitive information. At this moment and with the data analyzed, the CYFIRMA research team cannot attribute the current attack to a specific nation-state threat actor group. What we can infer is that the threat actors involved are less equipped and use easily available RAT. The social engineering techniques used to deliver the malicious APK seem not well-planned.

Analysis of the Sample

Below is a screenshot related to a WhatsApp chat that reveals how the threat actors have used social engineering techniques to deliver the malicious APK via WhatsApp as a delivery medium.

Upon installation of this malicious APK, it disguises itself as a PDF application and appears as a PDF icon on the device.

On clicking the App, it opens a google drive link using the web view module which leads to a letter related to the promotion of defense personnel in pdf format as shown below.

Code Review

CYFIRMA Research team performed a code review of the malicious APK file. Details as below.

Sample Details:
MD5: 8A5C06AE6FD206CEF418BE4B21180F41
SHA1: 54d4f70a9a1d2163d69159f796bb04ced2e68e77,

SHA256: f1fed8fe6c00d3924f65f76e246d1024e51acf096c4388ffdc618086474a2edc

We analyzed the malicious APK file and observed the following code in the “AndroidManifest.xml file.

The code above indicates that the malicious APK used to acquire many dangerous permissions and the permissions mentioned indicate that the malicious APK has the following capabilities:

The source code is highly obfuscated to evade detection and thwart the analysis process as shown in the code snippet.

The package is using com.acrobat.flyunwsaqdzzenrtssfurrxpmnfspvawaqgeppkyqpnlnrfzpo301 name to uniquely identify the app in the device. As part of making the app fully undetectable, the package name was also wrapped with a layer of encryption.

The threat actor has obfuscated class names to avoid detection from virus protection algorithms as observed in the screenshot above.

Below is the code snippet for controlling the camera application. The app allows threat actors to use front and back cameras to access the video feeds which can be used to carry out a breach of confidential visuals and video content at will.

This module allows the app to open a landing page that works as a web view.

The malicious app allows the threat actors to access the victim’s precise location. The logic defined below is used to access the location of the victim and allows threat actors to keep live track of the victim’s location.

Upon launching, this malicious file, opens a Google Drive URL “https[:]//drive[.]google[.]com/drive/folders/1a9kw9u_YGjBpgjoNd1FEWmEiwA-Gyyi0?usp=sharing” which is hardcoded in the app’s “strings.xml” file as shown above. Also, the string.xml mentioned above contains one IP address “5[.]189[.]136[.]230” which belongs to C2 Server using port number 7860.

Further as shown below, the IP is associated with other malicious APKs, HTML, and URLs.

The associated URLs have been used for malicious/phishing purposes in past and the associated communicating APK files are also malicious and detected as spyware by different security solutions.

Following are the hashes corresponding to the communicating files mentioned above:

  • 3abb8ccfe3333af5ea76017ffd75ebe542abdb954a58f110c9c7e833c2dfa8c4
  • 4b63fb26f5ef0792d0232cdcd2b1ac6bc8fed9c8247d124754dfa7930edf2f24
  • 5a8fab25ab66f06d8f78fd7abc72a564bf23a55848f0b276f411df22ee4cb6cc
  • 262fd1463ec69e228c9d1a46ef1a4fd41cf0ed529e394a042dac539b529df918
  • 1bef8c987402f52545624fff21009ff702e59d05c629ba52d53a7c1e96e57298
  • ebdc1cd4be98866b7735568094b287a0122bc6b276f77bc6dea8b476435c0cd1
  • a01635cb3bf070b036fd24833c3628b8f289d4175f1c7dddca56de4e412da63a

C&C Server:
5.189.136.230
Following are the names, types, detections, and dates corresponding to the associated communicating files with the IP address “5[.]189[.]136[.]230”. It seems the files are part of the same campaign active since Jan-2022.

Below is the network traffic captured during the opening of the google drive link.

From captured traffic, we observed the C2 server being active and exfiltrating the data from mobile. Below is captured raw data in HEX value:

Mitre ATT&CK Tactics and Techniques

Sr.no Tactics Technique ID Technique Name
1 Initial Delivery T1476 Deliver Malicious Apps via Other Means
2 Initial Access T1268 Conduct social engineering
3 Initial Access T1444 Masquerade as a Legitimate Application
4 Execution T1436 Commonly Used Port
5 Collections T1433, T1412, T1432, T1429, T1512, T1533, T1430 Access Call Log, Capture SMS, Messages Access, Contact List, Capture Audio, Capture Camera, Data from Local System & Location Tracking

List of IOCs

Sr.no Tactics Technique ID Technique Name
1 67dcf9607cdc1966d64aadb3c25d6a08
4dfa877800d0ce233e75b8fc2e41e89a
dea441cfaae7a9f86080f3cf34c7f47b
bee5884c10f50f094a810cb592fe83db
93d3b042e9121a871e8a023f05d3477b
de8b063d405ee5bf715fc1053e0a2a03
bf2187a03fdc0e7c8999d2e1cdeae6d4
MD5 Samples
2 5.189.136.230 IP C&C Server