APT Hackers Distributed Android Trojan via Syrian e-Government Portal


26th July 2021, Kathmandu

An advanced persistent threat (APT) actor has been tracked in a new campaign deploying Android malware via the Syrian e-Government Web Portal, indicating an upgraded arsenal designed to compromise victims.

“To the best of our knowledge, this is the first time that the group has been publicly observed using malicious Android applications as part of its attacks,” Trend Micro researchers Zhengyu Dong, Fyodor Yarochkin, and Steven Du said in a technical write-up published Wednesday.

StrongPity, also codenamed Promethium by Microsoft, is believed to have been active since 2012 and has typically focused on targets across Turkey and Syria. In June 2020, the espionage threat actor was connected to a wave of activities that relied on watering hole attacks and tampered installers, which abuse the popularity of legitimate applications, to infect targets with malware.

“Promethium has been resilient over the years,” Cisco Talos disclosed last year. “Its campaigns have been exposed several times, but that was not enough to make the actors behind it stop. The fact that the group does not refrain from launching new campaigns even after being exposed shows their resolve to accomplish their mission.”

The latest operation is no different in that it underscores the threat actor’s propensity for repackaging benign applications into trojanized variants to facilitate the attacks.

The malware, masquerading as the Syrian e-Gov Android application, is said to have been created in May 2021, with the app’s manifest file (“AndroidManifest.xml”) modified to explicitly request additional permissions on the phone, including the ability to read contacts, write to external storage, keep the device awake, access information about cellular and Wi-Fi networks and precise location, and even allow the app to start itself as soon as the system has finished booting.
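As an added example (not code from the Trend Micro write-up or this article), a small Python triage helper that parses a decoded AndroidManifest.xml and flags the permission set described above together with a boot-completed receiver, the usual sign that an app can start itself after reboot. The manifest and package name below are constructed for illustration, not taken from the real app.

```python
import xml.etree.ElementTree as ET

ANDROID_NS = "{http://schemas.android.com/apk/res/android}"

# Permissions the article says the trojanized e-Gov app added to its manifest.
SUSPECT_PERMISSIONS = {
    "android.permission.READ_CONTACTS": "read contacts",
    "android.permission.WRITE_EXTERNAL_STORAGE": "write to external storage",
    "android.permission.WAKE_LOCK": "keep the device awake",
    "android.permission.ACCESS_NETWORK_STATE": "cellular network info",
    "android.permission.ACCESS_WIFI_STATE": "Wi-Fi network info",
    "android.permission.ACCESS_FINE_LOCATION": "precise location",
    "android.permission.RECEIVE_BOOT_COMPLETED": "auto-start after boot",
}

# Constructed sample manifest (not the real app's); a decoded AndroidManifest.xml
# extracted from an APK with a tool such as apktool is parsed the same way.
SAMPLE_MANIFEST = """<?xml version="1.0" encoding="utf-8"?>
<manifest xmlns:android="http://schemas.android.com/apk/res/android"
          package="com.example.egov.sample">
  <uses-permission android:name="android.permission.INTERNET"/>
  <uses-permission android:name="android.permission.READ_CONTACTS"/>
  <uses-permission android:name="android.permission.WRITE_EXTERNAL_STORAGE"/>
  <uses-permission android:name="android.permission.ACCESS_FINE_LOCATION"/>
  <uses-permission android:name="android.permission.RECEIVE_BOOT_COMPLETED"/>
  <application>
    <receiver android:name=".BootReceiver">
      <intent-filter>
        <action android:name="android.intent.action.BOOT_COMPLETED"/>
      </intent-filter>
    </receiver>
  </application>
</manifest>"""


def triage_manifest(manifest_xml: str) -> dict:
    """Flag suspect permissions and detect a BOOT_COMPLETED receiver (persistence)."""
    root = ET.fromstring(manifest_xml)
    declared = {el.get(ANDROID_NS + "name") for el in root.iter("uses-permission")}
    flagged = {p: why for p, why in SUSPECT_PERMISSIONS.items() if p in declared}
    # A receiver listening for BOOT_COMPLETED is what lets the app start itself.
    boot_receiver = any(
        a.get(ANDROID_NS + "name") == "android.intent.action.BOOT_COMPLETED"
        for r in root.iter("receiver")
        for a in r.iter("action")
    )
    return {"flagged": flagged, "boot_receiver": boot_receiver,
            "score": len(flagged) + (1 if boot_receiver else 0)}
```

The score is only a triage hint; a legitimate app can hold several of these permissions, so the useful signal is the combination of contacts, storage, location and boot persistence appearing together in an app that did not previously need them.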

Additionally, the malicious app is designed to perform long-running tasks in the background and trigger a request to a remote command-and-control (C2) server, which responds with an encrypted payload containing a settings file that allows the “malware to change its behavior according to the configuration” and update its C2 server address.

Last but not least, the “highly modular” implant has the capacity to hoover up data stored on the infected device, such as contacts, Word and Excel documents, PDFs, images, security keys, and files saved using the Dagesh Pro Word Processor (.DGS), among others, all of which are exfiltrated back to the C2 server.

Despite no known public reports of StrongPity using malicious Android applications in their attacks, Trend Micro’s attribution to the adversary stems from the use of a C2 server that has previously been used in intrusions linked to the hacking group, notably a malware campaign documented by AT&T’s Alien Labs in July 2019 that leveraged tainted versions of the WinBox router management software, WinRAR, and other trusted utilities to breach targets.

“We believe that the threat actor is exploring multiple ways of distributing the applications to potential victims, such as using fake apps and using compromised websites as watering holes to trick users into installing malicious applications,” the researchers said.

“Typically, these websites would require their users to download the applications directly onto their devices. In order to do so, these users would be required to enable the installation of the applications from ‘unknown sources’ on their devices. This bypasses the ‘trust chain’ of the Android ecosystem and makes it easier for an attacker to distribute additional malicious components,” they added.
