India-linked highly targeted mobile malware campaign, first unveiled two weeks ago, has been found to be part of a broader campaign targeting multiple platforms, including windows devices and possibly Android as well.
As reported in our previous article, earlier this month researchers at Talos threat intelligence unit discovered a group of Indian hackers abusing mobile device management (MDM) service to hijack and spy on a few targeted iPhone users in India.
Operating since August 2015, the attackers have been found abusing MDM service to remotely install malicious versions of legitimate apps, including Telegram, WhatsApp, and PrayTime, onto targeted iPhones.
These modified apps have been designed to secretly spy on iOS users, and steal their real-time location, SMS, contacts, photos and private messages from third-party chatting applications.
During their ongoing investigation, Talos researchers identified a new MDM infrastructure and several malicious binaries – designed to target victims running Microsoft Windows operating systems – hosted on the same infrastructure used in previous campaigns.
- Ios-update-whatsapp[.]com (new)
“We know that the MDM and the Windows services were up and running on the same C2 server in May 2018,” researchers said in a blog post published today.
“Some of the C2 servers are still up and running at this time. The Apache setup is very specific, and perfectly matched the Apache setup of the malicious IPA apps.”
Possible Connections with “Bahamut Hacking Group”
Besides this, researchers also found some potential similarities that link this campaign with an old hacking group, dubbed “Bahamut,” an advanced threat actor who was previously targeting Android devices using similar MDM technique as used in the latest iOS malware campaign.
The newly identified MDM infrastructure, which was created in January 2018, and used from January to March of this year, targeted two Indian devices and one located in Qatar with a British phone number.
According to the researchers, Bahamut also targeted similar Qatar-based individuals during their Android malware campaign, as detailed by Bellingcat in a blog post.
“Bahamut shared a domain name with one of the malicious iOS applications mentioned in our previous post,” researchers said.
“The new MDM platform we identified has similar victimology with Middle Eastern targets, namely Qatar, using a U.K. mobile number issued from LycaMobile. Bahamut targeted similar Qatar-based individuals during their campaign.”
Apart from distributing modified Telegram and WhatsApp apps with malicious functionalities, the newly-identified server also distributes modified versions of Safari browser and IMO video chatting app to steal more personal information on victims.
Attackers Using Malicious Safari Browser to Steal Login Credentials
According to the researchers, the malicious Safari browser has been pre-configured to automatically exfiltrate the username and the password of the users for a variety of other web services, Yahoo, Rediff, Amazon, Google, Reddit, Baidu, ProtonMail, Zoho, Tutanota and more.
“The malware continuously monitors a web page, seeking out the HTML form fields that hold the username and password as the user types them in to steal credentials. The names of the inspected HTML fields are embedded into the app alongside the domain names,” the researchers said.
The malicious browser contains three malicious plugins—Add Bookmark, Add To Favourites, and Add to Reading List—that just like the other apps, send stolen data to a remote attacker-controlled server.
At this time, it’s unclear who is behind the campaign, who was targeted in the campaign, and what were the motives behind the attack, but the technical elements suggest the attackers are operating from India, and are well-funded.
Researchers said that those infected with this kind of malware need to enroll their devices, which means “they should be on the lookout at all times to avoid accidental enrollment.”
The best way to avoid being a victim to such attacks is to always download apps from official app store.