VTA-004450 – Hackers Utilize WhatsApp for Phishing Messages to Distribute Malware

The researchers recently obtained advanced Android malware through a deceptive chat app. The suspicious Android malware is disguised as a dummy chatting app. The initial technical analysis revealed that APT Bahamut is behind the attack. The malware exhibits a similar operational mechanism to another identified malware known as “DoNot”, which was distributed through the Google Play Store. However, this malware has more permissions, presenting a higher level of threat due to the acquisition of permissions to use accessibility services in Android. This could enable the spyware to access the victim’s contact list, SMS, call logs, external device storage or GPS location data.

The malicious payload was delivered to victims via phishing messages on WhatsApp chat and was found to be disguised as a dummy chatting application named “SafeChat”. The user interface of this app successfully deceives users into believing its authenticity, allowing the threat actor to extract all the necessary information before the victim realizes that the app is a dummy. The malware cleverly exploits unsuspecting Android libraries to extract and transmit data through the C2 server.

Furthermore, the threat actor utilized encryption techniques to secure the data and network traffic, and they used the Ktor Library to efficiently fetch and transfer data to the C2 server, a tactic similar to how the DoNot APT group used retrofit for a similar data retrieval function.

Severity:
Medium

Attack Surfaces:
Mobile Application, Mobile OS

Tactics:
Collection, Command and Control, Initial Access

Mitre Engage Tactics:
Detect, Prevent

Techniques:
T1430 – Location Tracking
T1437 – Standard Application Layer Protocol
T1521 – Encrypted Channel
T1560 – Archive Collected Data
T1566 – Phishing

Technical Impact Analysis:
Loss of Confidentiality

Business Impact Analysis:
Financial Damage, Privacy Violation, Reputation Damage

Indicator of Compromise:
https://otx.alienvault.com/pulse/64c8d9b27a595fa161bc3ee5

References:
1. https://www.cyfirma.com/outofband/apt-bahamut-targets-individuals-with-android-malware-using-spear-messaging/

SuperPRO’s Threat Countermeasures Procedures: 
1. Exercise caution when granting permissions to applications.
2. Raise awareness of phishing attacks especially with messages from unknown senders.
3. Uses reputable antivirus or security apps to provide an additional layer of protection against malware.
4. Add the IOC signature into endpoint security protection as the custom threat detection rules.
5. Regularly update your devices, operating systems and applications to the latest versions.

Contributed by:  ZheAn