APT hackers spread Android malware through Syrian e-Gov portal

The Syrian e-Government Web Portal was abused by an APT actor to launch a new campaign using Android malware, revealing an updated arsenal aimed at compromising victims.


According to Trend Micro researchers Zhengyu Dong, Fyodor Yarochkin, and Steven Du, this is the first time the group has been publicly discovered using malicious Android apps in its attacks.


StrongPity, also tracked as Promethium by Microsoft, has been operating since at least 2012, with a focus on targets in Turkey and Syria.


The threat actor was linked to a wave of operations in June 2020 that relied on watering hole attacks and trojanized installers, exploiting the popularity of legitimate software to infect targets with malware.


Despite the fact that Promethium campaigns have been uncovered multiple times, the actors behind them have not stopped.


Even after being discovered, the group continues to launch further operations, demonstrating its determination to accomplish its mission.


The malware, masquerading as the Syrian e-Gov Android application, is thought to have been created in May 2021. The app’s manifest file (“AndroidManifest.xml”) was modified to explicitly request additional permissions on the phone, including the ability to read contacts, write to external storage, keep the device awake, access information about cellular and Wi-Fi networks, access precise location, and even have the app start itself as soon as the system has finished booting.
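A defender triaging a suspicious APK can check the manifest for exactly the permission profile described above. The following script is an added example, not Trend Micro’s tooling and not the real StrongPity manifest: the two manifests embedded in it are constructed for illustration, the package name is a placeholder, and the threshold of five matching permissions is an arbitrary assumption. It parses `AndroidManifest.xml`, lists which of the article’s permissions are requested, and looks for a receiver registered for `BOOT_COMPLETED` (the mechanism an app uses to start itself after boot).

```python
"""Manifest triage: flag an Android app whose requested permissions match the
profile reported for the trojanised e-Gov app (contacts, external storage,
wake lock, network/Wi-Fi state, precise location, start at boot).

Added example; not Trend Micro's code. Both manifests below are constructed
samples, not the real malware's manifest.
"""
import xml.etree.ElementTree as ET

ANDROID_NS = "http://schemas.android.com/apk/res/android"
NAME_ATTR = f"{{{ANDROID_NS}}}name"  # android:name in Clark notation

# Android permission names corresponding to the capabilities the article lists.
SUSPICIOUS_PERMISSIONS = {
    "android.permission.READ_CONTACTS": "read contacts",
    "android.permission.WRITE_EXTERNAL_STORAGE": "write to external storage",
    "android.permission.WAKE_LOCK": "keep the device awake",
    "android.permission.ACCESS_NETWORK_STATE": "cellular network information",
    "android.permission.ACCESS_WIFI_STATE": "Wi-Fi network information",
    "android.permission.ACCESS_FINE_LOCATION": "precise location",
    "android.permission.RECEIVE_BOOT_COMPLETED": "start at boot",
}

# Constructed sample: a manifest requesting the full profile plus a boot receiver.
SAMPLE_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.egov.placeholder">
    <uses-permission android:name="android.permission.INTERNET"/>
    <uses-permission android:name="android.permission.READ_CONTACTS"/>
    <uses-permission android:name="android.permission.WRITE_EXTERNAL_STORAGE"/>
    <uses-permission android:name="android.permission.WAKE_LOCK"/>
    <uses-permission android:name="android.permission.ACCESS_NETWORK_STATE"/>
    <uses-permission android:name="android.permission.ACCESS_WIFI_STATE"/>
    <uses-permission android:name="android.permission.ACCESS_FINE_LOCATION"/>
    <uses-permission android:name="android.permission.RECEIVE_BOOT_COMPLETED"/>
    <application android:label="placeholder">
        <receiver android:name=".BootReceiver" android:exported="true">
            <intent-filter>
                <action android:name="android.intent.action.BOOT_COMPLETED"/>
            </intent-filter>
        </receiver>
    </application>
</manifest>
"""

# Constructed sample: a plausible benign manifest for contrast.
BENIGN_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.benign.placeholder">
    <uses-permission android:name="android.permission.INTERNET"/>
    <uses-permission android:name="android.permission.ACCESS_NETWORK_STATE"/>
    <application android:label="placeholder"/>
</manifest>
"""


def requested_permissions(manifest_xml: str) -> set:
    """Return the set of permission names declared via <uses-permission>."""
    root = ET.fromstring(manifest_xml.encode("utf-8"))
    return {e.get(NAME_ATTR) for e in root.iter("uses-permission") if e.get(NAME_ATTR)}


def boot_receivers(manifest_xml: str) -> list:
    """Return receiver class names whose intent filter listens for BOOT_COMPLETED."""
    root = ET.fromstring(manifest_xml.encode("utf-8"))
    names = []
    for recv in root.iter("receiver"):
        for action in recv.iter("action"):
            if action.get(NAME_ATTR) == "android.intent.action.BOOT_COMPLETED":
                names.append(recv.get(NAME_ATTR))
                break
    return names


def triage(manifest_xml: str, threshold: int = 5) -> dict:
    """Score a manifest against the article's permission profile.

    'suspicious' is set when at least `threshold` (assumed value) of the listed
    permissions are requested AND a boot-time autostart receiver is present.
    """
    matched = sorted(p for p in requested_permissions(manifest_xml) if p in SUSPICIOUS_PERMISSIONS)
    receivers = boot_receivers(manifest_xml)
    return {
        "matched": matched,
        "capabilities": [SUSPICIOUS_PERMISSIONS[p] for p in matched],
        "boot_receivers": receivers,
        "suspicious": len(matched) >= threshold and bool(receivers),
    }


if __name__ == "__main__":
    for label, manifest in (("sample", SAMPLE_MANIFEST), ("benign", BENIGN_MANIFEST)):
        print(label, triage(manifest))
```

This is a triage signal, not a verdict: many legitimate apps legitimately hold several of these permissions, so the result should be weighed together with where the APK came from (a sideloaded download from a web page rather than the Play Store raises the priority) and with the behavioural indicators the article describes, such as background C2 polling and bulk collection of documents. A real APK must first have its binary manifest decoded (for example with `apktool` or `aapt`) before this XML parser can read it.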


The malicious app is also designed to run background tasks and send a request to a remote command-and-control (C2) server, which responds with an encrypted payload containing a settings file that allows the “malware to change its behavior according to the configuration” and update its C2 server address.


The malware can also steal data from the infected device, including contacts, Word and Excel documents, PDFs, images, security keys, and files saved by the Dagesh Pro Word Processor (.DGS), among other file types, and send it back to the C2 server.


According to the researchers, the threat actor is experimenting with a variety of methods for delivering the apps to potential victims, including fake apps and hijacked websites used as watering holes to lure users into installing the malicious Android apps.


Users would have to download the apps straight to their smartphones from these websites.


Users must enable installation of software from “unknown sources” on their devices in order to do so.


This bypasses the Android ecosystem’s “trust-chain,” making it easier for an attacker to deliver further malicious components.

