VajraSpy malware uses romance scam lures to infect Android devices

admin, 7 February 2024 23:34:23, 22 views, 5,820 characters, 19 min 24 s read

The threat actor known as Patchwork likely used romance scam lures to trap victims in Pakistan and India, and infect their Android devices with a remote access trojan called VajraSpy.

Slovak cybersecurity firm ESET said it uncovered 12 espionage apps, six of which were available for download from the official Google Play Store and were collectively downloaded more than 1,400 times between April 2021 and March 2023.

"VajraSpy has a range of espionage functionalities that can be expanded based on the permissions granted to the app bundled with its code," security researcher Lukáš Štefanko said. "It steals contacts, files, call logs, and SMS messages, but some of its implementations can even extract WhatsApp and Signal messages, record phone calls, and take pictures with the camera."

As many as 148 devices in Pakistan and India are estimated to have been compromised in the wild. The malicious apps distributed via Google Play and elsewhere primarily masqueraded as messaging applications, with the most recent ones propagated as recently as September 2023.

  • Privee Talk (com.priv.talk)
  • MeetMe (com.meeete.org)
  • Let's Chat (com.letsm.chat)
  • Quick Chat (com.qqc.chat)
  • Rafaqat رفاق (com.rafaqat.news)
  • Chit Chat (com.chit.chat)
  • YohooTalk (com.yoho.talk)
  • TikTalk (com.tik.talk)
  • Hello Chat (com.hello.chat)
  • Nidus (com.nidus.no or com.nionio.org)
  • GlowChat (com.glow.glow)
  • Wave Chat (com.wave.chat)

Rafaqat رفاق is notable for the fact that it's the only non-messaging app and was advertised as a way to access the latest news. It was uploaded to Google Play on October 26, 2022, by a developer named Mohammad Rizwan and amassed a total of 1,000 downloads before it was taken down by Google.
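The package names above are the most directly actionable part of the report for a defender. The following script is an added example, not code from ESET or from the article: it parses the output of `adb shell pm list packages` (one `package:<name>` line per installed app), flags any package in the article's list, and maps a package's requested permissions onto the espionage capabilities the article attributes to VajraSpy (contacts, files, call logs, SMS, call recording, camera). The permission-to-capability mapping and the sample device output are my own constructed assumptions, not data from the report.

```python
"""Added example (not from the ESET report or the article): triage a
device's installed package list against the package names the article
lists, and flag permission sets that match the capabilities it describes.
All sample input below is constructed, not captured from a real device."""
import re

# Package names exactly as listed in the article; Nidus has two entries.
VAJRASPY_PACKAGES = {
    "com.priv.talk": "Privee Talk",
    "com.meeete.org": "MeetMe",
    "com.letsm.chat": "Let's Chat",
    "com.qqc.chat": "Quick Chat",
    "com.rafaqat.news": "Rafaqat",
    "com.chit.chat": "Chit Chat",
    "com.yoho.talk": "YohooTalk",
    "com.tik.talk": "TikTalk",
    "com.hello.chat": "Hello Chat",
    "com.nidus.no": "Nidus",
    "com.nionio.org": "Nidus",
    "com.glow.glow": "GlowChat",
    "com.wave.chat": "Wave Chat",
}

# Assumed mapping (my own, not from the report) from standard Android
# permissions to the capabilities the article describes.
CAPABILITY_PERMISSIONS = {
    "android.permission.READ_CONTACTS": "steal contacts",
    "android.permission.READ_EXTERNAL_STORAGE": "exfiltrate files",
    "android.permission.READ_CALL_LOG": "steal call logs",
    "android.permission.READ_SMS": "steal SMS messages",
    "android.permission.RECORD_AUDIO": "record phone calls",
    "android.permission.CAMERA": "take pictures with the camera",
}

PM_LINE = re.compile(r"^package:(?P<pkg>[A-Za-z0-9_.]+)$")


def parse_pm_list(output: str) -> list[str]:
    """Parse `adb shell pm list packages` output: one 'package:<name>' per line.
    Lines that do not match the format (blank lines, warnings) are skipped."""
    pkgs = []
    for line in output.splitlines():
        m = PM_LINE.match(line.strip())
        if m:
            pkgs.append(m.group("pkg"))
    return pkgs


def find_known_vajraspy(packages) -> dict[str, str]:
    """Return {package: app label} for each installed package on the article's list."""
    return {p: VAJRASPY_PACKAGES[p] for p in packages if p in VAJRASPY_PACKAGES}


def capabilities_from_permissions(permissions) -> list[str]:
    """Map a package's requested permissions to the capabilities they would
    enable, in a fixed order so results are comparable across packages."""
    requested = set(permissions)
    return [cap for perm, cap in CAPABILITY_PERMISSIONS.items() if perm in requested]


# Constructed sample output in the format `pm list packages` prints.
SAMPLE_PM_OUTPUT = """\
package:com.android.chrome
package:com.qqc.chat
package:com.nionio.org
package:com.example.benign
"""

# Constructed sample permission set for one package (values are made up).
SAMPLE_PERMISSIONS = [
    "android.permission.INTERNET",
    "android.permission.READ_CONTACTS",
    "android.permission.READ_SMS",
    "android.permission.CAMERA",
]

if __name__ == "__main__":
    hits = find_known_vajraspy(parse_pm_list(SAMPLE_PM_OUTPUT))
    for pkg, label in hits.items():
        print(f"{pkg}: matches listed app {label}")
    print("capabilities:", capabilities_from_permissions(SAMPLE_PERMISSIONS))
```

In practice the package list and permissions would come from `adb shell pm list packages` and `adb shell dumpsys package <name>` on the device under review; matching on package name alone is only a first pass, since the report notes the same code was shipped under several names and a rebuilt sample could use a new one.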

The exact distribution vector for the malware is currently not clear, although the nature of the apps suggests that the targets were tricked into downloading them as part of a honey-trap romance scam, where the perpetrators convince them to install these bogus apps under the pretext of having a more secure conversation.

This is not the first time Patchwork – a threat actor with suspected ties to India – has leveraged this technique. In March 2023, Meta revealed that the hacking crew created fictitious personas on Facebook and Instagram to share links to rogue apps to target victims in Pakistan, India, Bangladesh, Sri Lanka, Tibet, and China.

It's also not the first time that the attackers have been observed deploying VajraRAT, which was previously documented by Chinese cybersecurity company QiAnXin in early 2022 as having been used in a campaign aimed at Pakistani government and military entities. Vajra gets its name from the Sanskrit word for thunderbolt.

Qihoo 360, in its own analysis of the malware in November 2023, tied it to a threat actor it tracks under the moniker Fire Demon Snake (aka APT-C-52).

Outside of Pakistan and India, Nepalese government entities have also been likely targeted via a phishing campaign that delivers a Nim-based backdoor. It has been attributed to the SideWinder group, another outfit that has been flagged as operating with Indian interests in mind.

The development comes as financially motivated threat actors from Pakistan and India have been found targeting Indian Android users with a fake loan app (Moneyfine or "com.moneyfine.fine") as part of an extortion scam: the selfie uploaded during the know your customer (KYC) process is manipulated into a nude image, and victims are then threatened into making a payment or having the doctored photos distributed to their contacts.

"These unknown, financially motivated threat actors make enticing promises of quick loans with minimal formalities, deliver malware to compromise their devices, and employ threats to extort money," Cyfirma said in an analysis late last month.

It also comes amid a broader trend of people falling prey to predatory loan apps, which are known to harvest sensitive information from infected devices, and employ blackmail and harassment tactics to pressure victims into making the payments.

According to a recent report published by the Network Contagion Research Institute (NCRI), teenagers from Australia, Canada, and the U.S. are increasingly targeted by financial sextortion attacks conducted by a Nigeria-based cybercriminal group known as the Yahoo Boys.

"Nearly all of this activity is linked to West African cybercriminals known as the Yahoo Boys, who are primarily targeting English-speaking minors and young adults on Instagram, Snapchat, and Wizz," NCRI said.

Wizz, which has since had its Android and iOS apps taken down from the Apple App Store and the Google Play Store, countered the NCRI report, stating it's "not aware of any successful extortion attempts that occurred while communicating on the Wizz app."

Originally published on the WeChat public account 知机安全: VajraSpy malware uses romance scam lures to infect Android devices

Reprinted via CN-SEC 中文网 (thanks to the original author): http://cn-sec.com/archives/2474900.html