Tuesday, April 16, 2024

DoNot APT Hackers Attack Individuals Using Android Malware via Chatting Apps

CYFIRMA recently detected a cyber-attack on a person living in Kashmir, India, and obtained two malware pieces from the victim’s mobile download folder.

The investigation of these samples links the recent cyber-attack to DoNot APT, which has a long-standing record of activity in the area.

It seems the perpetrator behind the cyber-attack exploited third-party file-sharing websites to distribute malware to the victim’s mobile device. 

Due to this, the downloaded files get saved in the main download folder of the victim’s device. It’s might be possible that the attacker created their file-sharing website to deploy the malware. 

Interestingly, the malware samples were disguised as chat apps named:- 

  • Ten Messenger.apk
  • Link Chat QQ.apk

This threat actor has carried out cyber attacks in the South Asian region since 2016 when it was first found to be active.

External threat landscape management

The earlier campaign’s Android samples had encrypted strings that utilized the Base64 algorithm.

Unlike the previous campaign’s samples, the team discovered that the strings in the current sample had two encryption layers with CBC mode and PKCS padding:-

  • Base64
  • AES256

The code was hard to comprehend because it was obfuscated and safeguarded using Pro Guard.

According to the CYFIRMA technical analysis report of the attack shared with GBHackers, it aligns with DoNot APT’s modus operandi, as they have previously targeted entities in this region.

The threat actor has employed spear-phishing tactics against their adversaries in various industries and locations in the past. However, it’s unclear what the motive was behind the recent attack.

The recent attack by DoNot APT on an individual in Kashmir does not surprise the threat intelligence community.

Since this group has repeatedly targeted NGOs and other entities in the following regions in the past:-

  • Kashmir
  • India
  • Bangladesh
  • Pakistan

It is possible that the threat actor used popular messaging apps such as WhatsApp to initiate a social engineering attack and deliver the malicious app.

In contrast to other messaging apps, WhatsApp does not save attachments to the download folder, instead, they are saved in the WhatsApp media location.

Technical Analysis

The victim will be prompted to open the application as soon as the Android Malware Sample has been installed.

Once the victim opens the app, it prompts them to enable the accessibility service through a repeated alert every time they open the app, until the victim enables it.

Once the victim clicks on “Ok,” the app directs them to the Accessibility settings page and requests that they enable Accessibility by turning on “Link Chat.”

The app then conceals itself from the main menu and limits the victim’s ability to uninstall it.

The malicious app’s Android Manifest file contains a snippet revealing its attempt to acquire various permissions.

By doing so, the app could execute malicious activities, harming the victim’s device and privacy.

Here below we have mentioned all the permissions it asks for:-

  • READ_CALL_LOG: This enables actors to read and fetch call logs.
  • READ_CONTACTS: This permission allows TA to read and fetch contacts.
  • READ_SMS: This permission enables the threat actor to read the victim’s received and sent SMSs.
  • READ_EXTERNAL_STORAGE: This allows threat actors to explore and fetch data from the file manager.
  • WRITE_EXTERNAL_STORAGE: This allows threat actors to delete and move files.
  • STORAGE: This gives access to mobile internal storage, to view and access files.
  • ACCESS_FINE_LOCATION: Allows the threat actor to fetch precise locations and track the live movement of mobile phones.
  • WRITE_CALL_LOG: This allows the threat actor to delete numbers from call logs.
  • GET_ACCOUNTS: This allows the threat actor to extract emails and usernames, used for login into various internet platforms.

In order to decrypt the string, it was determined that the playstoree[.]xyz domain is involved.

In addition to being one year old, the suspected IOC is part of the notorious Do Not APT group.

DoNot APT Hackers

The string is encrypted and decrypted by a class using a secret key. Monitoring of compromised victims’ outgoing and incoming calls is performed using the following permissions:-

  • android.intent.action.NEW_OUTGOING_CALL
  • android.intent.extra.PHONE_NUMBER 
DoNot APT Hackers

A new sample with a different name was discovered during the analysis carried out by security experts.

However, except the command and control domain, the code used in the present sample is the same as the code they have previously analyzed.

The attackers continuously focus on individuals in Kashmir, using relatively unsophisticated attack methods. 

Apart from this, the threat actors have been observed using the same TTPs for the past two years, and this indicates a lack of innovation in their attacks.

Building Your Malware Defense Strategy – Download Free E-Book

Also Read:

Winnti APT Hackers Attack Linux Servers With New Malware ‘Mélofée’

Hackers Compromised CircleCI Employee’s Laptop to Breach the Company’s Systems

North Korean APT37 Hackers Exploited IE Zero-Day Vulnerability Remotely

U.S. Federal Network Hacked – Iranian APT Hackers Compromised Domain Controller


Latest articles

Hacker Customize LockBit 3.0 Ransomware to Attack Orgs Worldwide

Cybersecurity researchers at Kaspersky have uncovered evidence that cybercriminal groups are customizing the virulent...

Microsoft .NET, .NET Framework, & Visual Studio Vulnerable To RCE Attacks

A new remote code execution vulnerability has been identified to be affecting multiple Microsoft...

LightSpy Hackers Indian Apple Device Users to Steal Sensitive Data

The revival of the LightSpy malware campaign has been observed, focusing on Indian Apple...

LightSpy Malware Attacking Android and iOS Users

A new malware known as LightSpy has been targeting Android and iOS users.This sophisticated...

This Startup Aims To Simplify End-to-End Cybersecurity, So Anyone Can Do It

The Web3 movement is going from strength to strength with every day that passes....

Alert! Palo Alto RCE Zero-day Vulnerability Actively Exploited in the Wild

In a recent security bulletin, Palo Alto Networks disclosed a critical vulnerability in its...

6-year-old Lighttpd Flaw Impacts Intel And Lenovo Servers

The software supply chain is filled with various challenges, such as untracked security vulnerabilities...
BALAJI is an Ex-Security Researcher (Threat Research Labs) at Comodo Cybersecurity. Editor-in-Chief & Co-Founder - Cyber Security News & GBHackers On Security.

Top 3 SME Attack Vectors

Securing the Top 3 SME Attack Vectors

Cybercriminals are laying siege to small-to-medium enterprises (SMEs) across sectors. 73% of SMEs know they were breached in 2023. The real rate could be closer to 100%.

  • Stolen credentials
  • Phishing
  • Exploitation of vulnerabilities

Related Articles