Kaspersky researchers have uncovered a previously unknown Android espionage campaign dubbed SandStrike. The actor targets a Persian-speaking religious minority, Baháʼí, by distributing a VPN app that contains highly sophisticated spyware.
The finding is part of Kaspersky's latest quarterly threat intelligence summary. During Q3 2022, Kaspersky experts also discovered an advanced upgrade of the DeathNote cluster and, together with SentinelOne, investigated the never-seen-before Metatron malware. These and other discoveries are revealed in the quarterly report.
To lure victims into downloading spyware implants, the SandStrike adversaries set up Facebook and Instagram accounts with more than 1,000 followers and designed attractive religious-themed materials, setting an effective trap for adherents of this belief. Most of these social media accounts contain a link to a Telegram channel also created by the attacker.

In this channel, the actor behind SandStrike distributed a seemingly harmless VPN application for accessing sites banned in certain regions, for example religious materials. To make this application fully functional, the adversaries also set up their own VPN infrastructure. However, the VPN client contained fully functioning spyware with capabilities that let the threat actors collect and steal sensitive data, including call logs and contact lists, and track any further activity of the persecuted individuals.
Throughout the third quarter of 2022, APT actors were continuously changing their tactics, sharpening their toolsets and developing new techniques. The most significant findings included:
- A new sophisticated malware platform targeting telecom companies, ISPs and universities - Together with SentinelOne, Kaspersky researchers analyzed a never-seen-before sophisticated malware platform dubbed Metatron. Metatron primarily targets telecommunications companies, internet service providers and universities in Middle Eastern and African countries. Metatron is designed to bypass native security solutions while deploying malware platforms directly into memory.
- The upgrade of advanced and sophisticated tools - Kaspersky experts observed Lazarus using the DeathNote cluster against victims in South Korea. The actor possibly used a strategic web compromise, employing an infection chain similar to one Kaspersky researchers have previously reported, which attacked an endpoint security program. However, the experts discovered that the malware and infection schemes have also been updated. The actor used malware that had not been seen before, with minimal functionality to execute commands from the C2 server. Using this implanted backdoor, the operator lay hidden in the victim's environment for a month and collected system information.
- Cyber espionage continues to be a prime goal of APT campaigns - In the third quarter of 2022, Kaspersky researchers detected numerous APT campaigns targeting governmental institutions. Recent investigations found that this year, from February onward, HotCousin has attempted to compromise foreign affairs ministries in Europe, Asia, Africa and South America.
"As we can see from the analysis of the last three months, APT actors are now strenuously used to create attack tools and improve old ones to launch new malicious campaigns," said Victor Chebyshev, lead security researcher at Kaspersky's GReAT. "In their attacks, they use cunning and unexpected methods: SandStrike, attacking users via a VPN service, where victims tried to find protection and security, is an excellent example. Today it is easy to distribute malware via social networks and remain undetected for several months or even more. This is why it is so important to be as alert as ever and make sure you are armed with threat intelligence and the right tools to protect from existing and emerging threats."