Facebook Twitter Instagram
    • Privacy Policy
    • Contact Us
    Facebook Twitter Instagram Pinterest Vimeo
    AI Home SecurityAI Home Security
    • Home
    • Home Security
    • Cyber Security
    • Biometric Technology
    Contact
    AI Home SecurityAI Home Security
    Cyber Security

    Chinese APT41 Hackers Target Mobile Devices with New WyrmSpy and DragonEgg Spyware

    justmattgBy justmattgJuly 19, 2023No Comments4 Mins Read

    [ad_1]

    Jul 19, 2023THNSpyware / Mobile Security

    WyrmSpy and DragonEgg Spyware

    The prolific China-linked nation-state actor known as APT41 has been linked to two previously undocumented strains of Android spyware called WyrmSpy and DragonEgg.

    “Known for its exploitation of web-facing applications and infiltration of traditional endpoint devices, an established threat actor like APT 41 including mobile in its arsenal of malware shows how mobile endpoints are high-value targets with coveted corporate and personal data,” Lookout said in a report shared with The Hacker News.

    APT41, also tracked under the names Axiom, Blackfly, Brass Typhoon (formerly Barium), Bronze Atlas, HOODOO, Wicked Panda, and Winnti, is known to be operational since at least 2007, targeting a wide range of industries to conduct intellectual property theft.

    Recent attacks mounted by the adversarial collective have leveraged an open-source red teaming tool known as Google Command and Control (GC2) as part of attacks aimed at media and job platforms in Taiwan and Italy.

    The initial intrusion vector for the mobile surveillanceware campaign is not known, although it’s suspected to have involved the use of social engineering. Lookout said it first detected WyrmSpy as early as 2017 and DragonEgg at the start of 2021, with new samples of the latter spotted as recently as April 2023.

    WyrmSpy primarily masquerades as a default system app used for displaying notifications to the user. Later variants, however, have packaged the malware into apps impersonating as adult video content, Baidu Waimai, and Adobe Flash. On the other hand, DragonEgg has been distributed in the form of third-party Android keyboards and messaging apps like Telegram.

    There is no evidence that these rogue apps were distributed through the Google Play Store.

    WyrmSpy and DragonEgg’s connections to APT41 arise from the use of a command-and-server (C2) with the IP address 121.42.149[.]52, which resolves to a domain (“vpn2.umisen[.]com”) previously identified as associated with the group’s infrastructure.

    Once installed, both strains of malware request intrusive permissions and come fitted with sophisticated data collection and exfiltration capabilities, harvesting users’ photos, locations, SMS messages and audio recordings.

    The malware has also been observed relying on modules that are downloaded from a now-offline C2 server after the installation of the app to facilitate the data collection, while simultaneously avoiding detection.

    WyrmSpy, for its part, is capable of disabling Security-Enhanced Linux (SELinux), a security feature in Android, and making use of rooting tools such as KingRoot11 to obtain elevated privileges on the compromised handsets. A notable feature of DragonEgg is that it establishes contact with the C2 server to fetch an unknown tertiary module that poses as a forensics program.

    UPCOMING WEBINAR

    Shield Against Insider Threats: Master SaaS Security Posture Management

    Worried about insider threats? We’ve got you covered! Join this webinar to explore practical strategies and the secrets of proactive security with SaaS Security Posture Management.

    Join Today

    “The discovery of WyrmSpy and DragonEgg is a reminder of the growing threat posed by advanced Android malware,” Kristina Balaam, a senior threat researcher at Lookout, said. “These spyware packages are highly sophisticated and can be used to collect a wide range of data from infected devices.”

    The findings come as Mandiant disclosed the evolving tactics adopted by Chinese espionage crews to fly under the radar, including weaponizing networking devices and virtualization software, employing botnets to obfuscate traffic between C2 infrastructure and victim environments, and tunneling malicious traffic inside of victim networks through compromised systems.

    “Use of botnets, proxying traffic in a compromised network, and targeting edge devices are not new tactics, nor are they unique to Chinese cyber espionage actors,” the Google-owned threat intelligence firm said. “However, during the last decade, we have tracked Chinese cyber espionage actors’ use of these and other tactics as part of a broader evolution toward more purposeful, stealthy, and effective operations.”

    Found this article interesting? Follow us on Twitter  and LinkedIn to read more exclusive content we post.



    [ad_2]

    Source link

    Previous ArticlePakistani Entities Targeted in Sophisticated Attack Deploying ShadowPad Malware
    Next Article How to Manage Your Attack Surface?
    justmattg
    • Website

    Related Posts

    Cyber Security

    Name That Toon: Last Line of Defense

    April 16, 2024
    Cyber Security

    OpenJS Foundation Targeted in Potential JavaScript Project Takeover Attempt

    April 16, 2024
    Cyber Security

    Middle East Cyber Ops Intensify, With Israel the Main Target

    April 16, 2024
    Add A Comment

    Leave A Reply Cancel Reply

    Facebook Twitter Instagram Pinterest
    • Privacy Policy
    • Contact Us
    AI Home Security © 2025 All rights reserved | Designed By ESmartsSolution

    Type above and press Enter to search. Press Esc to cancel.

    ↑