Self Assessment

Unidentified Threat Actor Utilizes Android Malware to Target High-Value Assets in South Asia

Published On : 2024-12-06
Share :
Unidentified Threat Actor Utilizes Android Malware to Target High-Value Assets in South Asia

EXECUTIVE SUMMARY

The team at CYFIRMA analyzed a malicious Android sample designed to target high-value assets in Southern Asia. This sample, attributed to an unknown threat actor, was generated using the Spynote Remote Administration Tool. While the specifics of the targeted asset remain confidential, it is likely that such a target would attract the interest of APT groups. However, we are restricted from disclosing further details about the actual target and its specific region. For a comprehensive analysis, please refer to the detailed report.

INTRODUCTION

The team received a malicious Android sample for investigation. The sample was part of a targeted attack on highly valued individuals in southern Asia. The team observed that the unknown actor tried to deliver the Android payload via WhatsApp which seems like a terrible move from the threat actor’s viewpoint. The victim received a total of four payloads with different names, three of which were the same size, hinting at an effort by the threat actor to compromise the victim. The apps were named “Best Friend, Best-Friend 1, Friend, best”. All four apps had the same command and control server. During analysis, it was found that the code for the Android payloads was obfuscated. The app was installed and was concealed within seconds while operating in the background.

TECHNICAL ANALYSES

The snippet shows the Android Manifest file of one of the payloads we decompiled.

The table below covers important permissions with descriptions that apps take use for malicious activity.

Sr.no Permissions Descriptions
1. ACESS_FINE_LOCATION Allows the threat actor to fetch precise locations and track the live movement of mobile phones.
2. READ_CONTACTS This permission allows the threat actor to read and fetch contacts.
3. CAMERA This permission helps the app to interact with the Camera
4. READ_SMS This permission helps the App to read and access the SMS.
5. WRITE_EXTERNAL_STORAGE This permission allows the app to interact with device storage

The snippet below shows the code that interacts with Android’s file system and helps the attacker explore the file storage and initiate data extraction.

This snippet from the module allows an attacker to monitor the incoming and outgoing calls.

The snippet below shows code from a module tasked to fetch the victim’s precise location.

The code below shows that the app tries to open the Accessibility Settings page. Once enabled, the threat actor will be able to monitor user activity on the mobile screen, potentially leading to more disastrous outcomes for the victim. Enabling accessibility for the maliciously installed app allows the attacker to perform dangerous maneuvers, such as screen capture and keystroke capturing, restricting the victim from uninstalling the app.

The snippet below shows the code part of a module that fetches detailed information about the compromised device, such as the IMEI number, SIM, Android version, Network type, IMSI, etc.

EXTERNAL THREAT LANDSCAPE MANAGEMENT (ETLM)

The SpyNote Remote Administration Tool (RAT) has evolved over time, with various updated versions designed to compromise Android devices. Threat actors ranging from individual hackers to organized APT (Advanced Persistent Threat) groups have leveraged various versions of SpyNote for espionage, financial fraud, and even personal vendettas. Over the years, SpyNote has emerged with modified versions, such as SpyMax, Crax RAT, and Eagle Spy, each equipped with enhanced and increasingly dangerous capabilities.

APT groups, including OilRig (APT34), APT-C-37 (also known as Pat-Bear), and OilAlpha, have utilized SpyNote in their malicious campaigns. These operations have often targeted critical sectors, such as government agencies, NGOs, media organizations, financial institutions, and even individual activists. These tools enable attackers to compromise Android devices to spy on communications, steal sensitive data, and maintain persistence in their victims’ systems. The tool has the potential to be exploited by other APT groups, as evidenced in this incident, where we suspect the attack may have been orchestrated by an unidentified APT group or an unknown threat actor.

Diamond Model

APPENDIX I

Indicators of Compromise

Indicator Type Remarks
182.191.122.219 IP Address Command and Control
8AA1A66E03596C0EBA6F91FB081DDB4081F43B02D421E069C6BE8BBF5D399B89 SHA256 Android package
0552137AAA2C9419C8843D50BCB15A4C80913ED47EB71C5E5AB9B5AC257944ED SHA256 Android package
6127DAF756865EE089BA83EFDADEBDA2C047026A698759DE09127D0DFE630E8D SHA256 Android package
A70089301FF628F09B90B269F6E8F5C6B5AE0B3073028ABCC62FEC9D2F1C954C SHA256 Android package

APPENDIX II

MITRE ATT&CK Technique
MITRE ATT&CK framework for Android malware payload in a table format

Tactics Technique ID Description
Persistence T1541 – Foreground Persistence The app utilizes the startForeground() API method to continue running in the foreground.
Defense Evasion T1406 – Obfuscated Files or Information Uses obfuscation techniques to hide malicious code within the APK.
Credential Access T1417 – Input Capture Captures keystrokes to steal sensitive credentials like usernames and passwords.
Discovery T1420 – File and Directory Discovery Enumerate files and directories on the device to locate valuable information.
Discovery T1426 – System Information Discovery Collects device information, such as device model, and user details.
Collection T1533 – Data from Local System Extracts data such as contacts, messages, photos, and videos from the infected device.
Collection T1513 – Screen Capture Takes screenshots of the infected device to capture sensitive information.
Exfiltration T1646 – Exfiltration Over C2 Channel Sends stolen data (e.g., contacts, messages, credentials) to the C2 server.

CONCLUSION

The attack was aimed at high-value targets in the Southern Asian region. Based on the knowledge we gained about the victim; we believe it was carried out by an APT group that remains unidentified or if not then an unknown threat actor. The continued use of SpyNote is notable, as it highlights the threat actors’ preference for leveraging this tool to target high-profile individuals despite being publicly available on various underground forums and telegram channels.