Rewterz Threat Alert – APT C-35 (Donot Team) Targeting Government Officials in Pakistan
January 14, 2021
Severity
High
Analysis Summary
Researchers have discovered a small cluster of Trojanized versions of Android apps, mainly marketed to people who live in Pakistan. Someone has modified these otherwise legitimate apps (clean versions are available for download on the Google Play Store) to add malicious features that seem completely focused on covert surveillance and espionage. The modified apps look identical to their legitimate counterparts, and even perform their normal functions, but are designed to, initially, profile the phone, and then download a payload in the form of an Android Dalvik executable (DEX) file. The DEX payload contains most of the malicious features, which include the ability to covertly exfiltrate sensitive data like the user’s contact list and the full contents of SMS messages. The app then sends this information to one of a small number of command-and-control websites hosted on servers located in eastern Europe.
The splash page of the trojanized app contains many errors, and its copyright section differs from that of the legitimate app.
Impact
- Information theft and espionage
- Exposure of sensitive data
- Credential theft
Indicators of Compromise
Filename
- pak_citizen_portal_219[.]apk
MD5
- 176df6ce5cd78189a3f554961ef226fa
SHA1
- 27da49adc6c40601a8cad3d0bd4a6a98f51d6f99
Remediation
- Block all threat indicators at your respective controls.
- Search for IOCs in your environment.
- Only install applications from the official Google Play Store; avoid APKs offered through third-party sites or messaging links.
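To act on the "search for IOCs in your environment" step, the following is an added example (not Rewterz's own tooling) that hashes every APK under a directory and matches it against the alert's filename, MD5 and SHA1 indicators. The SHA-256 set is left empty for the reader to fill from the alert, and the files created in self_check are constructed samples, not real APKs.

```python
"""Hash APK files under a directory and match them against the alert's IOCs."""
import hashlib
import os
import tempfile
from pathlib import Path

# Indicators taken from the alert (MD5 and SHA1 of the trojanized APK).
ALERT_IOCS = {
    "md5": {"176df6ce5cd78189a3f554961ef226fa"},
    "sha1": {"27da49adc6c40601a8cad3d0bd4a6a98f51d6f99"},
    "sha256": set(),  # fill in from the alert's SHA-256 list
}
# Filename indicator from the alert, with the defanging "[.]" undone.
SUSPECT_NAMES = {"pak_citizen_portal_219.apk"}


def hash_file(path):
    """Return md5/sha1/sha256 hex digests of one file, read in 1 MiB chunks."""
    digests = {name: hashlib.new(name) for name in ("md5", "sha1", "sha256")}
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(1 << 20), b""):
            for d in digests.values():
                d.update(chunk)
    return {name: d.hexdigest() for name, d in digests.items()}


def scan_directory(root, iocs=ALERT_IOCS, names=SUSPECT_NAMES):
    """Walk root for .apk files; return a list of (path, [matched indicators])."""
    hits = []
    for dirpath, _, filenames in os.walk(root):
        for fn in filenames:
            if not fn.lower().endswith(".apk"):
                continue
            path = os.path.join(dirpath, fn)
            reasons = ["filename"] if fn in names else []
            for algo, value in hash_file(path).items():
                if value in iocs.get(algo, ()):
                    reasons.append(algo)
            if reasons:
                hits.append((path, reasons))
    return hits


def self_check():
    """Scan a constructed sample directory; returns {basename: reasons}."""
    with tempfile.TemporaryDirectory() as tmp:
        sample = Path(tmp, "pak_citizen_portal_219.apk")  # constructed file
        sample.write_bytes(b"PK\x03\x04 constructed sample, not a real APK")
        Path(tmp, "notes.apk").write_bytes(b"PK\x03\x04 benign constructed file")
        iocs = {k: set(v) for k, v in ALERT_IOCS.items()}
        iocs["md5"].add(hash_file(sample)["md5"])  # treat its hash as a known IOC
        return {os.path.basename(p): r for p, r in scan_directory(tmp, iocs)}
```

Run scan_directory against a directory of collected APKs (for example an MDM export) and treat any hit as a device to isolate and investigate.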