Rewterz Threat Alert – Pakistani Individuals Targeted In Advanced Espionage Campaign Through Malicious Android Apps – Active IOCs

Severity

High

Analysis Summary

A targeted campaign has been uncovered, specifically targeting individuals in Pakistan through two deceptive Android apps found on the Google Play Store. The campaign has been attributed to a threat actor known as DoNot Team or APT-C-35. The main objective of this attack is to collect personal data from unsuspecting victims by disguising a malicious program as a legitimate app. The extracted information, including contact details and location data, is likely intended for future attacks involving more destructive malware.

Based on technical analysis, it has been determined that the primary objective of the attack is to gather information using a stager payload. This collected information is likely intended for use in a second-stage attack, which would involve deploying malware with more destructive capabilities.

DoNot Team, a suspected threat actor with connections to India, has been active in carrying out cyber attacks in South Asian countries since 2016. Their tactics involve using spear-phishing emails with misleading documents and deploying malicious Android apps to propagate their malware. Once installed on a victim’s device, these apps enable remote control capabilities and the theft of confidential information.

The recently discovered rogue apps, named iKHfaa VPN and nSure Chat, were developed by “SecurITY Industry” and masquerade as VPN and chat apps. While the VPN app is no longer available on the Play Store, evidence suggests it was accessible until June 12, 2023. The low download counts indicate a highly targeted operation, likely conducted by a nation-state actor. The apps trick users into granting invasive permissions to access their contact lists and precise locations.

The victims targeted by these rogue apps are mainly located in Pakistan. It is believed that users may have been approached through Telegram and WhatsApp messages to lure them into installing the apps. By utilizing the Google Play Store as a distribution channel, the threat actors exploit the trust users place in the platform, making the apps appear legitimate. It is crucial to carefully scrutinize apps before downloading them to avoid falling victim to such attacks.

The purpose of this Android malware is primarily information gathering, allowing the threat actor to strategize future attacks and employ advanced Android malware to exploit the victims.

“It appears that this Android malware was specifically designed for information gathering. By gaining access to victims’ contact lists and locations, the threat actor can strategize future attacks and employ Android malware with advanced features to target and exploit the victims”, researchers conclude.

Impact

• Information Theft and Espionage

Indicators of Compromise

Domain Name

• appnsure.com
• ikhfaavpn.com

IP

• 193.149.176.226

Remediation

• Block all threat indicators at your respective controls.
• Search for Indicators of compromise (IOCs) in your environment utilizing your respective security controls
• Never trust or open links and attachments received from unknown sources/senders.
• Maintain cyber hygiene by updating your anti-virus software and implementing a patch management lifecycle.
• Patch and upgrade any platforms and software timely and make it into a standard security policy. Prioritize patching known exploited vulnerabilities and zero-days.
• Raise awareness among users about the risks associated with downloading apps from unknown or untrusted sources is crucial. Users should be educated about the importance of verifying app permissions and conducting background research on developers before installing apps.
• Implement reputable mobile security solutions on devices which can help detect and block malicious apps. Mobile antivirus and anti-malware software can provide an additional layer of protection against potential threats.