Android Spyware Distributed Disguised as a Covid Tracking App

The pandemic has become a theme heavily exploited by threat actors launching social engineering attacks. Transparent Tribe, a threat actor tracked by Kaspersky for more than four years, began adopting this technique in its campaigns. Recent findings show that the group has been actively working to improve its toolkit and expand its reach to include mobile device threats, starting with its spyware-type malware.

During its investigation of Transparent Tribe, Kaspersky discovered a new Android implant used by this group to spy on mobile devices, distributed in India as fake pornographic applications and COVID-19 tracking apps. The connection between the group and those two applications was made possible through the related domains the actor used to host malicious files employed in different campaigns.

Both applications, once downloaded, attempt to install another Android package file: a modified version of AhMyth, an open-source Android remote access tool (RAT) that can be downloaded from GitHub. The malware is created by embedding a malicious payload inside other legitimate applications.

The modified version of the malware differs in functionality from the standard version. It includes new features added by the attackers to improve data exfiltration, but lacks some basic functions, such as stealing photos from the camera. The application is capable of downloading new applications to the phone, accessing SMS messages, the microphone and call logs, tracking the device's location, and enumerating files on the phone and uploading them to an external server.

"The new findings underscore the efforts of Transparent Tribe members to add new tools that further expand their operations and reach their victims through different attack vectors, which now include mobile devices. We also see that the actor is constantly working to improve and modify the tools it uses. To stay protected against these threats, users must be more careful than ever when evaluating the sources from which they download content and ensuring their devices are protected. This is especially relevant for those who know they could become the target of an APT attack," commented Giampaolo Dedola, Senior Security Researcher at Kaspersky.
