Monday, July 15, 2024

DoNot APT Hackers Attack Individuals Using Android Malware via Chatting Apps

CYFIRMA recently detected a cyber-attack on a person living in Kashmir, India, and obtained two malware pieces from the victim’s mobile download folder.

The investigation of these samples links the recent cyber-attack to DoNot APT, which has a long-standing record of activity in the area.

It seems the perpetrator behind the cyber-attack exploited third-party file-sharing websites to distribute malware to the victim’s mobile device. 

Due to this, the downloaded files get saved in the main download folder of the victim’s device. It’s might be possible that the attacker created their file-sharing website to deploy the malware. 

Interestingly, the malware samples were disguised as chat apps named:- 

  • Ten Messenger.apk
  • Link Chat QQ.apk

This threat actor has carried out cyber attacks in the South Asian region since 2016 when it was first found to be active.

External threat landscape management

The earlier campaign’s Android samples had encrypted strings that utilized the Base64 algorithm.

Unlike the previous campaign’s samples, the team discovered that the strings in the current sample had two encryption layers with CBC mode and PKCS padding:-

  • Base64
  • AES256

The code was hard to comprehend because it was obfuscated and safeguarded using Pro Guard.

According to the CYFIRMA technical analysis report of the attack shared with GBHackers, it aligns with DoNot APT’s modus operandi, as they have previously targeted entities in this region.

The threat actor has employed spear-phishing tactics against their adversaries in various industries and locations in the past. However, it’s unclear what the motive was behind the recent attack.

The recent attack by DoNot APT on an individual in Kashmir does not surprise the threat intelligence community.

Since this group has repeatedly targeted NGOs and other entities in the following regions in the past:-

  • Kashmir
  • India
  • Bangladesh
  • Pakistan

It is possible that the threat actor used popular messaging apps such as WhatsApp to initiate a social engineering attack and deliver the malicious app.

In contrast to other messaging apps, WhatsApp does not save attachments to the download folder, instead, they are saved in the WhatsApp media location.

Technical Analysis

The victim will be prompted to open the application as soon as the Android Malware Sample has been installed.

Once the victim opens the app, it prompts them to enable the accessibility service through a repeated alert every time they open the app, until the victim enables it.

Once the victim clicks on “Ok,” the app directs them to the Accessibility settings page and requests that they enable Accessibility by turning on “Link Chat.”

The app then conceals itself from the main menu and limits the victim’s ability to uninstall it.

The malicious app’s Android Manifest file contains a snippet revealing its attempt to acquire various permissions.

By doing so, the app could execute malicious activities, harming the victim’s device and privacy.

Here below we have mentioned all the permissions it asks for:-

  • READ_CALL_LOG: This enables actors to read and fetch call logs.
  • READ_CONTACTS: This permission allows TA to read and fetch contacts.
  • READ_SMS: This permission enables the threat actor to read the victim’s received and sent SMSs.
  • READ_EXTERNAL_STORAGE: This allows threat actors to explore and fetch data from the file manager.
  • WRITE_EXTERNAL_STORAGE: This allows threat actors to delete and move files.
  • STORAGE: This gives access to mobile internal storage, to view and access files.
  • ACCESS_FINE_LOCATION: Allows the threat actor to fetch precise locations and track the live movement of mobile phones.
  • WRITE_CALL_LOG: This allows the threat actor to delete numbers from call logs.
  • GET_ACCOUNTS: This allows the threat actor to extract emails and usernames, used for login into various internet platforms.

In order to decrypt the string, it was determined that the playstoree[.]xyz domain is involved.

In addition to being one year old, the suspected IOC is part of the notorious Do Not APT group.

DoNot APT Hackers

The string is encrypted and decrypted by a class using a secret key. Monitoring of compromised victims’ outgoing and incoming calls is performed using the following permissions:-

  • android.intent.action.NEW_OUTGOING_CALL
  • android.intent.extra.PHONE_NUMBER 
DoNot APT Hackers

A new sample with a different name was discovered during the analysis carried out by security experts.

However, except the command and control domain, the code used in the present sample is the same as the code they have previously analyzed.

The attackers continuously focus on individuals in Kashmir, using relatively unsophisticated attack methods. 

Apart from this, the threat actors have been observed using the same TTPs for the past two years, and this indicates a lack of innovation in their attacks.

Building Your Malware Defense Strategy – Download Free E-Book

Also Read:

Winnti APT Hackers Attack Linux Servers With New Malware ‘Mélofée’

Hackers Compromised CircleCI Employee’s Laptop to Breach the Company’s Systems

North Korean APT37 Hackers Exploited IE Zero-Day Vulnerability Remotely

U.S. Federal Network Hacked – Iranian APT Hackers Compromised Domain Controller


Latest articles

Critical Cellopoint Secure Email Gateway Flaw Let Attackers Execute Arbitrary Code

A critical vulnerability has been discovered in the Cellopoint Secure Email Gateway, identified as...

Singapore Banks to Phase out OTPs for Bank Account Logins Within 3 Months

The Monetary Authority of Singapore (MAS) and The Association of Banks in Singapore (ABS)...

GuardZoo Android Malware Attacking military personnel via WhatsApp To Steal Sensitive Data

A Houthi-aligned group has been deploying Android surveillanceware called GuardZoo since October 2019 to...

ViperSoftX Weaponizing AutoIt & CLR For Stealthy PowerShell Execution

ViperSoftX is an advanced malware that has become more complicated since its recognition in...

Malicious NuGet Campaign Tricking Developers To Inject Malicious Code

Hackers often target NuGet as it's a popular package manager for .NET, which developers...

Akira Ransomware Attacking Airline Industry With Legitimate Tools

Airlines often become the target of hackers as they contain sensitive personal and financial...

DarkGate Malware Exploiting Excel Files And SMB File Shares

DarkGate, a Malware-as-a-Service (MaaS) platform, experienced a surge in activity since September 2023, employing...
BALAJI is an Ex-Security Researcher (Threat Research Labs) at Comodo Cybersecurity. Editor-in-Chief & Co-Founder - Cyber Security News & GBHackers On Security.

Free Webinar

Low Rate DDoS Attack

9 of 10 sites on the AppTrana network have faced a DDoS attack in the last 30 days.
Some DDoS attacks could readily be blocked by rate-limiting, IP reputation checks and other basic mitigation methods.
More than 50% of the DDoS attacks are employing botnets to send slow DDoS attacks where millions of IPs are being employed to send one or two requests per minute..
Key takeaways include:

  • The mechanics of a low-DDoS attack
  • Fundamentals of behavioural AI and rate-limiting
  • Surgical mitigation actions to minimize false positives
  • Role of managed services in DDoS monitoring

Related Articles