Jump to content

Military, Nuclear Entities Under Target By Novel Android Malware

The two malware families have sophisticated capabilities to exfiltrate SMS messages, WhatsApp messaging content and geolocation.

Researchers have uncovered two novel Android surveillanceware families being used by an advanced persistent threat (APT) group to target military, nuclear and election entities in Pakistan and Kashmir.

The two malware families, which researchers call “Hornbill” and “SunBird,” have sophisticated capabilities to exfiltrate SMS messages, encrypted messaging app content and geolocation, as well as other types of sensitive information.

Researchers first saw Hornbill as early as May 2018, with newer samples of the malware emerging in December 2020. They said the first SunBird sample dates back to 2017 and was last seen active in December 2019.

“Hornbill and SunBird have both similarities and differences in the way they operate on an infected device,” said Apurva Kumar, staff security intelligence engineer, and Kristin Del Rosso, senior security intelligence researcher, with Lookout, on Thursday. “While SunBird features remote access trojan (RAT) functionality – a malware that can execute commands on an infected device as directed by an attacker – Hornbill is a discreet surveillance tool used to extract a selected set of data of interest to its operator.”

Malware Attack Targeting Military, Nuclear, Election Entities

The malware strains were seen in attacks targeting personnel linked to Pakistan’s military and various nuclear authorities, and Indian election officials in Kashmir. Kashmiris are a Dardic ethnic group native to the disputed Kashmir Valley (and a previous target for other Android malware threat actors).

“While the exact number of victims is not known across all campaigns for SunBird and Hornbill, at least 156 victims were identified in a single campaign for SunBird in 2019 and included phone numbers from India, Pakistan, and Kazakhstan,” Kumar told Threatpost. “According to the publicly exposed exfiltrated data we were able to find, individuals in at least 14 different countries were targeted.”

For instance, attackers targeted an individual who applied for a position at the Pakistan Atomic Energy Commission, individuals with numerous contacts in the Pakistan Air Force, as well as officers responsible for electoral rolls located in the Pulwama district of Kashmir.

Figure: SunBird samples hosted on third-party app stores. Credit: Lookout

In regards to the initial attack vectors for the malware samples, researchers pointed to samples of SunBird found hosted on third-party app stores, providing a clue for one possible distribution mechanism. However, researchers have not yet found SunBird on the official Google Play marketplace.

SunBird has been disguised as applications such as security services (including a fictional “Google Security Framework”), apps tied to specific locations (like “Kashmir News”) or activities (including “Falconry Connect” or “Mania Soccer”). Researchers said the majority of these applications appear to target Muslim individuals. Meanwhile, Hornbill applications impersonate various chat (such as Fruit Chat, Cucu Chat and Kako Chat) and system applications.

“Considering many of these malware samples are trojanized – as in they contain complete user functionality – social engineering may also play a part in convincing targets to install the malware,” said Kumar and Del Rosso. “No use of exploits was observed directly by Lookout researchers.”

Malware Cybersecurity Surveillance Capabilities

Both malware families have a wide range of data exfiltration capabilities. They are able to collect call logs, contacts, device metadata (such as phone numbers, models, manufacturers and Android operating system version), geolocation, images stored on external storage and WhatsApp voice notes.

In addition, both families can request device administrator privileges, take screenshots of whatever victims are currently viewing on their devices, take photos with the device camera, record environment and call audio, and scrape WhatsApp messages, contacts and notifications (via the Android accessibility service feature).

SunBird has a more extensive set of malicious functionalities than Hornbill, with the ability to upload all data at regular intervals to its C2 servers. For instance, SunBird can also collect a list of installed applications on the victims’ devices, browser history, calendar information, WhatsApp audio files, documents, databases, images and more. And, it can run arbitrary commands as root or download attacker-specified content from FTP shares.

“In contrast, Hornbill is more of a passive reconnaissance tool than SunBird,” said Kumar and Del Rosso. “Not only does it target a limited set of data, the malware only uploads data when it initially runs and not at regular intervals like SunBird. After that, it only uploads changes in data to keep mobile data and battery usage low.”

Researchers named Hornbill after the Indian Grey Hornbill, which is the state bird of Chandigarh in India, where they believe the developers of Hornbill are located. SunBird’s name, meanwhile, stemmed from the malicious services within the malware called “SunService” – and the sunbird is also native to India, they said.

State-Sponsored APT Behind The Cyberattack

The malware families have been linked “with high confidence” to the APT Confucius. This APT has been on the cybercrime scene since 2013 as a state-sponsored, pro-India actor. The APT has previously targeted victims in Pakistan and South Asia.

“We are confident SunBird and Hornbill are two tools used by the same actor, perhaps for different surveillance purposes,” said Kumar and Del Rosso.

Source: Military, Nuclear Entities Under Target By Novel Android Malware

 

Two new Android surveillanceware families have been found to target military, nuclear, and election entities in Pakistan and Kashmir as part of a pro-India, state-sponsored hacking campaign.

Dubbed Hornbill and Sunbird, the malware impersonates legitimate or seemingly innocuous services to cover its tracks, only to stealthily collect SMS, encrypted messaging app content, and geolocation, among other types of sensitive information.

The findings published by Lookout are the result of an analysis of 18GB of exfiltrated data that was publicly exposed from at least six insecurely configured command-and-control (C2) servers located in India.

"Some notable targets included an individual who applied for a position at the Pakistan Atomic Energy Commission, individuals with numerous contacts in the Pakistan Air Force (PAF), as well as officers responsible for electoral rolls (Booth Level Officers) located in the Pulwama district of Kashmir," the researchers said in a Wednesday analysis.

In all, the attacks targeted 156 victims with phone numbers from India, Pakistan, and Kazakhstan over the last several years.

Lookout attributed the two tools to an advanced persistent threat (APT) tracked as Confucius, a group known for its attacks on South Asian countries at least since 2013. The cybersecurity firm called Hornbill a "passive reconnaissance tool."

While Hornbill appears to be derived from the same code base as a previously active commercial surveillance product known as MobileSpy, SunBird has been traced to a group of Indian developers behind another mobile tracking software called BuzzOut. Clues uncovered by Lookout also point to the fact that the operators of Hornbill worked together at various Android and iOS app development companies registered and operating in or near the Indian city of Chandigarh.

Both pieces of spyware are equipped to amass a wide range of data, such as call logs, contacts, system information, location and photos stored on external drives, as well as to record audio and video and capture screenshots, with a particular focus on plundering WhatsApp messages and voice notes by abusing Android's accessibility APIs.

SunBird also differs from Hornbill in that the former features remote access Trojan (RAT) functionality, allowing the attackers to execute arbitrary commands on the target device. In addition, it's capable of exfiltrating browser histories, calendar information, and even siphoning content from BlackBerry Messenger and IMO instant messaging apps.

"Samples of SunBird have been found hosted on third-party app stores, indicating one possible distribution mechanism," the researchers detailed. "Considering many of these malware samples are trojanized – as in they contain complete user functionality – social engineering may also play a part in convincing targets to install the malware."

Lookout identified Hornbill samples as recently as December 2020, indicating an active use of the malware since their discovery in 2018. On the other hand, Sunbird seems to have been actively deployed in 2018 and 2019, before the threat actor shifted to another Android-based spyware product called ChatSpy last year.

Interestingly, the C2 infrastructure shared by Hornbill and SunBird reveals further connections with other stalkerware operations conducted by the Confucius group — including a publicly-accessible 2018 Pakistani government advisory warning of a desktop malware campaign targeting officers and government personnel — implying that the two tools are used by the same actor for different surveillance purposes.

Although India has been a relatively new entrant in the spyware and surveillance sector, Citizen Lab researchers last June outed a mercenary hack-for-hire group based in Delhi called BellTroX InfoTech that aimed to steal credentials from journalists, advocacy groups, investment firms, and an array of other high-profile targets.

Source

Similar topics merged.