CYFIRMA recently detected a cyber-attack on a person living in Kashmir, India, and obtained two malware pieces from the victim’s mobile download folder.
The investigation of these samples links the recent cyber-attack to DoNot APT, which has a long-standing record of activity in the area.
It seems the perpetrator behind the cyber-attack exploited third-party file-sharing websites to distribute malware to the victim’s mobile device.
Due to this, the downloaded files get saved in the main download folder of the victim’s device. It’s might be possible that the attacker created their file-sharing website to deploy the malware.
Interestingly, the malware samples were disguised as chat apps named:-
- Ten Messenger.apk
- Link Chat QQ.apk
This threat actor has carried out cyber attacks in the South Asian region since 2016 when it was first found to be active.
External threat landscape management
The earlier campaign’s Android samples had encrypted strings that utilized the Base64 algorithm.
Unlike the previous campaign’s samples, the team discovered that the strings in the current sample had two encryption layers with CBC mode and PKCS padding:-
The code was hard to comprehend because it was obfuscated and safeguarded using Pro Guard.
According to the CYFIRMA technical analysis report of the attack shared with GBHackers, it aligns with DoNot APT’s modus operandi, as they have previously targeted entities in this region.
The threat actor has employed spear-phishing tactics against their adversaries in various industries and locations in the past. However, it’s unclear what the motive was behind the recent attack.
The recent attack by DoNot APT on an individual in Kashmir does not surprise the threat intelligence community.
Since this group has repeatedly targeted NGOs and other entities in the following regions in the past:-
It is possible that the threat actor used popular messaging apps such as WhatsApp to initiate a social engineering attack and deliver the malicious app.
In contrast to other messaging apps, WhatsApp does not save attachments to the download folder, instead, they are saved in the WhatsApp media location.
The victim will be prompted to open the application as soon as the Android Malware Sample has been installed.
Once the victim opens the app, it prompts them to enable the accessibility service through a repeated alert every time they open the app, until the victim enables it.
Once the victim clicks on “Ok,” the app directs them to the Accessibility settings page and requests that they enable Accessibility by turning on “Link Chat.”
The app then conceals itself from the main menu and limits the victim’s ability to uninstall it.
The malicious app’s Android Manifest file contains a snippet revealing its attempt to acquire various permissions.
By doing so, the app could execute malicious activities, harming the victim’s device and privacy.
Here below we have mentioned all the permissions it asks for:-
- READ_CALL_LOG: This enables actors to read and fetch call logs.
- READ_CONTACTS: This permission allows TA to read and fetch contacts.
- READ_SMS: This permission enables the threat actor to read the victim’s received and sent SMSs.
- READ_EXTERNAL_STORAGE: This allows threat actors to explore and fetch data from the file manager.
- WRITE_EXTERNAL_STORAGE: This allows threat actors to delete and move files.
- STORAGE: This gives access to mobile internal storage, to view and access files.
- ACCESS_FINE_LOCATION: Allows the threat actor to fetch precise locations and track the live movement of mobile phones.
- WRITE_CALL_LOG: This allows the threat actor to delete numbers from call logs.
- GET_ACCOUNTS: This allows the threat actor to extract emails and usernames, used for login into various internet platforms.
In order to decrypt the string, it was determined that the playstoree[.]xyz domain is involved.
In addition to being one year old, the suspected IOC is part of the notorious Do Not APT group.
The string is encrypted and decrypted by a class using a secret key. Monitoring of compromised victims’ outgoing and incoming calls is performed using the following permissions:-
A new sample with a different name was discovered during the analysis carried out by security experts.
However, except the command and control domain, the code used in the present sample is the same as the code they have previously analyzed.
The attackers continuously focus on individuals in Kashmir, using relatively unsophisticated attack methods.
Apart from this, the threat actors have been observed using the same TTPs for the past two years, and this indicates a lack of innovation in their attacks.
Building Your Malware Defense Strategy – Download Free E-Book