Jump to content
  • New SandStrike spyware infects Android devices via malicious VPN app

    alf9872000

    • 413 views
    • 2 minutes
     Share


    • 413 views
    • 2 minutes

    Threat actors are using newly discovered spyware known as SandStrike and delivered via a malicious VPN application to target Android users.

     

    They focus on Persian-speaking practitioners of the Baháʼí Faith, a religion developed in Iran and parts of the Middle East.

     

    The attackers are promoting the malicious VPN app as a simple way to circumvent censorship of religious materials in certain regions.

     

    To spread it, they use social media accounts to redirect potential victims to a Telegram channel that would provide them with links to download and install the booby-trapped VPN.

     

    "To lure victims into downloading spyware implants, the SandStrike adversaries set up Facebook and Instagram accounts with more than 1,000 followers and designed attractive religious-themed materials, setting up an effective trap for adherents of this belief," Kaspersky said.

     

    "Most of these social media accounts contain a link to a Telegram channel also created by the attacker."

     

    While the app is fully functional and even uses its own VPN infrastructure, the VPN client also installs the SandStrike spyware, which scours their devices for sensitive data and exfiltrates it to its operators' servers.

     

    This malware will steal various types of information like call logs and contact lists and will also monitor compromised Android devices to help its creators keep track of the victims' activity.

    Middle East malicious activity recap

    Security researchers who spotted the malware in the wild are yet to pin its development on a specific threat group.

     

    On Tuesday, Kaspersky also published its APT trends report for Q3 2022, highlighting more interesting discoveries linked to malicious activity in the Middle East.

     

    The company highlights a new IIS backdoor known as FramedGolf deployed in attacks targeting Exchange servers not patched against ProxyLogon-type security flaws.

     

    "The malware has been used to compromise at least a dozen organizations, starting in April 2021 at the latest, with most still compromised in late June 2022," Kaspersky revealed.

     

    In September, the company also shared analysis on a newly found malware platform dubbed Metatron used against telecom companies, internet service providers, and universities across Africa and the Middle East.

     

    Kaspersky says Metatron "is a modular implant boot-strapped through a Microsoft Console Debugger script" that comes with "multiple transport modes and offers forwarding and port knocking features."

     

    Source


    User Feedback

    Recommended Comments

    There are no comments to display.



    Join the conversation

    You can post now and register later. If you have an account, sign in now to post with your account.
    Note: Your post will require moderator approval before it will be visible.

    Guest
    Add a comment...

    ×   Pasted as rich text.   Paste as plain text instead

      Only 75 emoji are allowed.

    ×   Your link has been automatically embedded.   Display as a link instead

    ×   Your previous content has been restored.   Clear editor

    ×   You cannot paste images directly. Upload or insert images from URL.


  • Recently Browsing   0 members

    • No registered users viewing this page.
×
×
  • Create New...