An advanced persistent threat (APT) actor has been tracked in a new campaign deploying Android malware through the Syrian government's e-government web portal, indicating an improved arsenal designed to compromise victims.
"To our knowledge, this is the first time the group has been publicly observed using malicious Android apps as part of their attacks," said Zhengyu Dong, Fyodor Yarochkin and Steven Du, researchers at Trend Micro, in a technical article published Wednesday.
StrongPity, also codenamed Promethium by Microsoft, is said to have been active since 2002 and generally focuses on targets in Turkey and Syria. In June 2020, the espionage threat actor was linked to a wave of activity that leveraged watering-hole attacks and spoofed installers, which abuse the popularity of legitimate apps, to infect targets with malware.
"Promethium has been resilient over the years," Cisco Talos disclosed last year. "Its campaigns have been exposed several times, but that was not enough to stop the actors behind it. The fact that the group does not refrain from launching new campaigns even after being exposed shows its determination to accomplish its mission."
The latest operation is no different in that it underlines the threat actor's propensity to repackage benign applications into trojanized variants to facilitate attacks.
The malware, masquerading as the Syrian e-Gov Android app, was reportedly created in May 2021, with the app's manifest file ("AndroidManifest.xml") modified to explicitly request additional permissions on the phone, including the ability to read contacts, write to external storage, keep the device awake, access information on cellular and Wi-Fi networks, obtain precise location, and even allow the application to start as soon as the system has finished booting.
Additionally, the malicious application is designed to perform long-running background tasks and trigger a request to a remote command-and-control (C2) server, which responds with an encrypted payload containing a settings file that allows the "malware to modify its behavior depending on the configuration" and update its C2 server address.
Last but not least, the "highly modular" implant has the ability to siphon data stored on the infected device, such as contacts, Word and Excel documents, PDFs, images, security keys, and files saved using the Dagesh Pro (.DGS) word processor, among others, all of which are exfiltrated to the C2 server.
Despite no known public reports of StrongPity using malicious Android apps in their attacks, Trend Micro's attribution to the adversary stems from the use of a C2 server that has previously been used in intrusions tied to the hacking group, including a malware campaign documented by AT&T's Alien Labs in July 2019 which used corrupted versions of the WinBox router management software, WinRAR, and other trusted utilities to breach targets.
"We believe the threat actor is exploring multiple ways of delivering the apps to potential victims, such as using bogus apps and using compromised websites as watering holes to trick users into installing malicious apps," the researchers said.
"Typically, these websites would require their users to download the apps directly to their devices. To do this, these users would have to allow the installation of apps from 'unknown sources' on their devices. This bypasses the 'trust' chain of the Android ecosystem and makes it easier for an attacker to deliver additional malicious components," they added.