Lookout Discovers Iranian APT MuddyWater Leveraging DCHSpy During Israel-Iran Conflict

DCHSpy is Android surveillanceware attributed to the MuddyWater threat group. It targets government and private-sector organizations across multiple regions using malicious VPN apps and political lures, has evolved to add file and WhatsApp data exfiltration, and shares infrastructure with another malware family named SandStrike.

Key points

  • DCHSpy is Android surveillanceware likely developed by the MuddyWater group, linked to Iran’s Ministry of Intelligence and Security (MOIS).
  • The malware targets diverse sectors such as telecommunications, local governments, defense, and oil and gas across the Middle East, Asia, Africa, Europe, and North America.
  • DCHSpy disguises itself as legitimate apps including VPN and banking apps, using political lures and spreading via malicious URLs shared on messaging apps like Telegram.
  • The malware collects extensive data including device accounts, contacts, SMS, files, location, call logs, microphone audio, camera photos, and WhatsApp data.
  • DCHSpy shares command and control infrastructure with SandStrike, another Android surveillanceware targeting Baháʼí practitioners and linked to MuddyWater activity.
  • New samples show enhanced capabilities such as identifying and exfiltrating specific files and WhatsApp data, deployed using new lures like Starlink-themed VPN apps.
  • The malicious VPN services EarthVPN and ComodoVPN are advertised on Telegram targeting English and Farsi speakers with fake business details tied to Canada and Romania.

MITRE Techniques

  • [T1560] Archive Collected Data – DCHSpy compresses and encrypts collected data before exfiltration. (“Once data is collected off of an infected device, it is compressed and encrypted with a password it receives from the command and control (C2) server.”)
  • [T1041] Exfiltration Over C2 Channel – Data is uploaded to Secure File Transfer Protocol (SFTP) servers via commands from the C2 server. (“Following additional commands from the C2 server, the data is uploaded to the destination Secure File Transfer Protocol (SFTP) server.”)
  • [T1598] Phishing: Spearphishing Link – Distribution occurs through malicious URLs sent over messaging apps such as Telegram. (“It is distributed to targeted groups and individuals by leveraging malicious URLs shared directly over messaging apps such as Telegram.”)
  • [T1204] User Execution – Victims are lured into installing malicious VPN applications disguised with political and Starlink themes. (“New samples show… starlink_vpn(1.3.0)-3012 (1).apk”)
  • [T1125] Video Capture – The malware takes control of the device camera to capture photos. (“Photos by taking control of the camera”)
  • [T1123] Audio Capture – The malware takes control of the microphone to record audio. (“Audio by taking control of the microphone”)
  • [T1115] Clipboard Data – The malware collects contacts, SMS messages, call logs, and WhatsApp data from the infected device. (“This modular malware collects… Contacts, SMS messages, Call logs, WhatsApp data”)

Indicators of Compromise

  • [File Hashes] Examples of malicious APK samples – 9dec46d71289710cd09582d84017718e0547f438 (Earth VPN sample), 556d7ac665fa3cc6e56070641d4f0f5c36670d387010e2b424eadfa261483ebb (and multiple others)
  • [Domains] Command and Control servers – it1.comodo-vpn.com:1953, r1.earthvpn.org:3413, hs1.iphide.net:751 (and multiple others)
  • [URLs] Malicious URLs used for deployment and C2 communication – http://192.121.113.60/dev/run.php, http://79.132.128.81/dev/run.php
  • [File Names] Examples of malicious APK files – starlink_vpn(1.3.0)-3012 (1).apk
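As an added detection example (not code from the Lookout report), the following Python matcher flags the C2 hosts, ports, IPs and URLs listed above in constructed proxy-log lines; the log line format, the parent-domain generalization and the severity tiers are assumptions made here.

```python
import re
from urllib.parse import urlparse

# Indicators as listed in the report summary above (hosts with their C2 ports, and URLs).
C2_HOSTS = {"it1.comodo-vpn.com": 1953, "r1.earthvpn.org": 3413, "hs1.iphide.net": 751}
C2_URLS = {"http://192.121.113.60/dev/run.php", "http://79.132.128.81/dev/run.php"}
C2_IPS = {urlparse(u).hostname for u in C2_URLS}
# Assumption: other subdomains of the listed hosts' parent domains are suspicious; ranked "low".
C2_PARENTS = {h.split(".", 1)[1] for h in C2_HOSTS}
# Constructed proxy-log shape: "<timestamp> <client-ip> <CONNECT|GET|POST> <host:port or URL>".
LOG_RE = re.compile(r"^(?P<ts>\S+) (?P<src>\S+) (?P<kind>CONNECT|GET|POST) (?P<target>\S+)$")

def classify(target):
    """Return (severity, reason) for a connection target, or None if it matches nothing."""
    if target in C2_URLS:
        return ("high", "exact C2 URL")
    if "://" in target:
        parsed = urlparse(target)
        host, port = (parsed.hostname or "").lower(), parsed.port
    else:
        host, _, port_s = target.lower().partition(":")
        port = int(port_s) if port_s.isdigit() else None
    if host in C2_HOSTS:
        if port == C2_HOSTS[host]:
            return ("high", "C2 host on its known port")
        return ("medium", "C2 host on an unexpected port")
    if host in C2_IPS:
        return ("medium", "C2 IP with a different path")
    for parent in C2_PARENTS:
        if host == parent or host.endswith("." + parent):
            return ("low", "subdomain of C2 parent domain " + parent)
    return None

def scan(lines):
    """Run classify() over log lines; returns (client, target, severity, reason) per hit."""
    hits = []
    for line in lines:
        m = LOG_RE.match(line)
        if m and (verdict := classify(m["target"])):
            hits.append((m["src"], m["target"]) + verdict)
    return hits

# Constructed sample log lines, not captured traffic.
SAMPLE_LOG = [
    "2025-07-01T10:00:01Z 10.0.0.5 CONNECT it1.comodo-vpn.com:1953",
    "2025-07-01T10:00:02Z 10.0.0.5 POST http://192.121.113.60/dev/run.php",
    "2025-07-01T10:00:03Z 10.0.0.7 CONNECT r1.earthvpn.org:443",
    "2025-07-01T10:00:04Z 10.0.0.9 GET https://cdn.iphide.net/update.json",
]
```

Running `scan(SAMPLE_LOG)` yields one hit per sample line, ranked high, high, medium and low respectively.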

Read more: https://www.lookout.com/threat-intelligence/article/lookout-discovers-iranian-dchsy-surveillanceware