CYFIRMA recently detected a cyber-attack on a person living in Kashmir, India, and obtained two malware pieces from the victim’s mobile download folder.
The investigation of these samples links the recent cyber-attack to DoNot APT, which has a long-standing record of activity in the area.
It seems the perpetrator behind the cyber-attack exploited third-party file-sharing websites to distribute malware to the victim’s mobile device.
Due to this, the downloaded files get saved in the main download folder of the victim’s device. It’s might be possible that the attacker created their file-sharing website to deploy the malware.
Interestingly, the malware samples were disguised as chat apps named:-
This threat actor has carried out cyber attacks in the South Asian region since 2016 when it was first found to be active.
The earlier campaign’s Android samples had encrypted strings that utilized the Base64 algorithm.
Unlike the previous campaign’s samples, the team discovered that the strings in the current sample had two encryption layers with CBC mode and PKCS padding:-
The code was hard to comprehend because it was obfuscated and safeguarded using Pro Guard.
According to the CYFIRMA technical analysis report of the attack shared with GBHackers, it aligns with DoNot APT’s modus operandi, as they have previously targeted entities in this region.
The threat actor has employed spear-phishing tactics against their adversaries in various industries and locations in the past. However, it’s unclear what the motive was behind the recent attack.
The recent attack by DoNot APT on an individual in Kashmir does not surprise the threat intelligence community.
Since this group has repeatedly targeted NGOs and other entities in the following regions in the past:-
It is possible that the threat actor used popular messaging apps such as WhatsApp to initiate a social engineering attack and deliver the malicious app.
In contrast to other messaging apps, WhatsApp does not save attachments to the download folder, instead, they are saved in the WhatsApp media location.
The victim will be prompted to open the application as soon as the Android Malware Sample has been installed.
Once the victim opens the app, it prompts them to enable the accessibility service through a repeated alert every time they open the app, until the victim enables it.
Once the victim clicks on “Ok,” the app directs them to the Accessibility settings page and requests that they enable Accessibility by turning on “Link Chat.”
The app then conceals itself from the main menu and limits the victim’s ability to uninstall it.
The malicious app’s Android Manifest file contains a snippet revealing its attempt to acquire various permissions.
By doing so, the app could execute malicious activities, harming the victim’s device and privacy.
Here below we have mentioned all the permissions it asks for:-
In order to decrypt the string, it was determined that the playstoree[.]xyz domain is involved.
In addition to being one year old, the suspected IOC is part of the notorious Do Not APT group.
The string is encrypted and decrypted by a class using a secret key. Monitoring of compromised victims’ outgoing and incoming calls is performed using the following permissions:-
A new sample with a different name was discovered during the analysis carried out by security experts.
However, except the command and control domain, the code used in the present sample is the same as the code they have previously analyzed.
The attackers continuously focus on individuals in Kashmir, using relatively unsophisticated attack methods.
Apart from this, the threat actors have been observed using the same TTPs for the past two years, and this indicates a lack of innovation in their attacks.
Building Your Malware Defense Strategy – Download Free E-Book
Winnti APT Hackers Attack Linux Servers With New Malware ‘Mélofée’
Hackers Compromised CircleCI Employee’s Laptop to Breach the Company’s Systems
North Korean APT37 Hackers Exploited IE Zero-Day Vulnerability Remotely
U.S. Federal Network Hacked – Iranian APT Hackers Compromised Domain Controller
Through the use of XLoader and impersonating SharePoint notifications, researchers were able to identify a…
Researchers have identified a rise in malicious activity on the VSCode Marketplace, highlighting the vulnerability…
TA397, also known as Bitter, targeted a Turkish defense organization with a spearphishing email containing…
BADBOX is a cybercriminal operation infecting Android devices like TV boxes and smartphones with malware…
Europol has published a groundbreaking report titled "Leveraging Legitimacy: How the EU’s Most Threatening Criminal Networks…
The Cybersecurity and Infrastructure Security Agency (CISA) has unveiled a proposed update to the National…