Chinese APT41 Hackers Target Mobile Devices with New WyrmSpy and DragonEgg Spyware

July 19, 2023 / THN / spyware, mobile security

WyrmSpy and DragonEgg Spyware

A prolific China-linked nation-state actor known as APT41 has been linked to two previously undocumented types of Android spyware called WyrmSpy and DragonEgg.

“Established threat actors like APT 41, known for exploiting web-enabled applications and infiltrating traditional endpoint devices, are including mobile in their malware arsenal, highlighting how coveted mobile endpoints are for enterprises. It shows they are a high-value target, whether they handle business data or personal data,” Lookout said in a report shared with The Hacker News.

APT41, also tracked under the names Axiom, Blackfly, Brass Typhoon (formerly Barium), Bronze Atlas, HOODOO, Wicked Panda, and Winnti, is known to have been active since at least 2007, targeting a wide range of industries to conduct intellectual property theft.

Recent attacks by the adversary used an open-source red team tool known as Google Command and Control (GC2) against media and recruitment platforms in Taiwan and Italy.

The initial vector of entry for the mobile surveillanceware campaign is unknown, but it is believed to have involved the use of social engineering. According to Lookout, WyrmSpy was first detected in early 2017 and DragonEgg in early 2021, with new samples of the latter discovered in April 2023.

WyrmSpy mainly disguises itself as a default system app used to display notifications to users. Later variants, however, packaged the malware in apps masquerading as adult video content, Baidu Waimai, and Adobe Flash. DragonEgg, on the other hand, is distributed in the form of third-party Android keyboard and messaging apps such as Telegram.

There is no evidence that these rogue apps were distributed through the Google Play Store.

WyrmSpy and DragonEgg’s connection to APT41 stems from their use of a command-and-control (C2) server with the IP address 121.42.149[.]52, which resolves to the domain vpn2.umisen[.]com and was previously identified as part of the group’s infrastructure.
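As an added example (not part of the article or of Lookout's report), the following Python script refangs the two indicators quoted above and checks log lines for the C2 IP, the domain, or any subdomain of it; the DNS and firewall log lines are constructed for illustration only.

```python
import ipaddress
import re

# Indicators as published in the article (defanged form).
DEFANGED_IOCS = ["121.42.149[.]52", "vpn2.umisen[.]com"]

def refang(indicator: str) -> str:
    """Turn a defanged indicator ('[.]', 'hxxp') back into its real form."""
    return indicator.replace("[.]", ".").replace("hxxp", "http").strip().lower()

def split_iocs(indicators):
    """Separate refanged indicators into a set of IPs and a set of domains."""
    ips, domains = set(), set()
    for raw in indicators:
        value = refang(raw)
        try:
            ips.add(str(ipaddress.ip_address(value)))
        except ValueError:
            domains.add(value)
    return ips, domains

IP_RE = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")
HOST_RE = re.compile(r"\b[a-z0-9][a-z0-9.-]*\.[a-z]{2,}\b", re.IGNORECASE)

def scan_logs(lines, indicators=DEFANGED_IOCS):
    """Return (line_number, matched_indicator) for every log line that contains
    a known C2 IP, a known C2 domain, or a subdomain of a known C2 domain."""
    ips, domains = split_iocs(indicators)
    hits = []
    for n, line in enumerate(lines, start=1):
        for ip in IP_RE.findall(line):
            if ip in ips:
                hits.append((n, ip))
        for host in HOST_RE.findall(line):
            host = host.lower()
            if any(host == d or host.endswith("." + d) for d in domains):
                hits.append((n, host))
    return hits

# Constructed sample lines: a DNS query log, a firewall log, and a benign line.
SAMPLE_LOGS = [
    "2023-07-19T10:01:02Z dns client=10.0.0.23 query=vpn2.umisen.com type=A",
    "2023-07-19T10:01:03Z fw allow src=10.0.0.23 dst=121.42.149.52 dport=443",
    "2023-07-19T10:02:00Z dns client=10.0.0.24 query=update.example.org type=A",
]

if __name__ == "__main__":
    for line_no, ioc in scan_logs(SAMPLE_LOGS):
        print(f"line {line_no}: matched {ioc}")
```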

Both malware families request intrusive permissions once installed and have advanced data collection and exfiltration capabilities, harvesting user photos, location information, SMS messages, and voice recordings.

Both have also been observed to rely on modules downloaded from C2 servers after the app is installed, which facilitates data collection while evading detection.

WyrmSpy can disable Security-Enhanced Linux (SELinux), an Android security feature, and leverage rooting tools such as KingRoot11 to gain elevated privileges on compromised devices. A notable feature of DragonEgg is that it connects to C2 servers to retrieve unknown third-stage modules disguised as forensics programs.


“The WyrmSpy and DragonEgg findings are a reminder of the growing threat posed by advanced Android malware,” said Kristina Balaam, senior threat researcher at Lookout. “These spyware packages are very sophisticated and can be used to collect a wide range of data from infected devices.”

The findings come after Mandiant revealed evolving tactics employed by Chinese espionage actors to stay under the radar, including the weaponization of networking devices and virtualization software, the use of botnets to obfuscate traffic between the C2 infrastructure and the victim environment, and the tunneling of malicious traffic inside compromised victim networks.

“The use of botnets, proxying traffic on compromised networks, and targeting edge devices are not new tactics or unique to Chinese cyber espionage,” the Google-owned threat intelligence firm said. “However, over the past decade, we have tracked the use of these and other tactics by Chinese cyber espionage actors as part of a broader evolution towards more purposeful, stealthy and effective operations.”
