This article discusses the use of newly registered deceptive websites designed to impersonate the Google Play Store to deliver the AndroidOS SpyNote malware. Victims are tricked into downloading the malware, a powerful remote access trojan (RAT) that enables extensive surveillance and data theft. The report highlights the tactics used by the threat actors, including the technical details of the malware's operation and its implications.
Affected: Android devices, Google Play Store users
Key points:
- Deceptive websites are created on newly registered domains mimicking the Google Play Store.
- The malware delivered, SpyNote, is an Android remote access trojan (RAT) used for surveillance and data exfiltration.
- The threat actors utilize a mix of English and Chinese-language delivery sites.
- Common techniques include an image carousel that portrays fake app installation pages.
- SpyNote has been linked to sophisticated APT groups and targets entities such as Indian Defence Personnel.
- The installation process involves a two-stage installation method using an APK dropper followed by a core SpyNote RAT.
- The malware aggressively requests intrusive permissions and can exfiltrate sensitive data.
- SpyNote is designed to maintain persistence, often requiring factory resets for removal.
- The capabilities of SpyNote include remote access, keylogging, and data manipulation.
MITRE ATT&CK Tactics:
- TA0001 - Initial Access: Deceptive websites lure users into downloading malware that mimics legitimate apps.
- TA0002 - Execution: JavaScript downloads the SpyNote APK when the user interacts with the mimicked installation buttons.
- TA0003 - Persistence: The dropper installs a second APK, ensuring the RAT persists on the compromised device.
- TA0006 - Credential Access: SpyNote captures sensitive data, such as SMS messages and credential data.
- TA0008 - Collection: SpyNote collects user data from contacts, call logs, and location information.
- TA0011 - Command and Control: The compromised device connects to hardcoded C2 servers to exfiltrate data and receive commands.
Indicators of Compromise:
- [Domain] bafanglaicai888[.]top
- [Domain] kmyjh[.]top
- [IP Address] 156.244.19[.]63
- [Hash - MD5] (no valid hash patterns identified)
- [Hash - SHA-1] (no valid hash patterns identified)
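The indicators above are published defanged (`[.]`), so they cannot be dropped straight into a log search. The following Python script is an added example, not code from the report or from DomainTools: it refangs the listed domains and IP address, then scans constructed DNS and proxy log lines (sample format and hostnames are assumptions, not from the report) for exact hits, subdomain hits (e.g. a host under kmyjh.top), and the lookalike case where a host merely ends in the indicator string and must not match.

```python
import ipaddress
import re
from typing import Dict, List, Optional, Set, Tuple

# Indicators exactly as published in the report above (defanged form).
DEFANGED_IOCS = [
    "bafanglaicai888[.]top",
    "kmyjh[.]top",
    "156.244.19[.]63",
]


def refang(indicator: str) -> str:
    """Turn the published defanged form back into a matchable value."""
    return indicator.replace("[.]", ".").replace("hxxp", "http").strip().lower()


def classify(value: str) -> str:
    """Return 'ip' for an IP literal, otherwise 'domain'."""
    try:
        ipaddress.ip_address(value)
        return "ip"
    except ValueError:
        return "domain"


def build_matchers(defanged: List[str]) -> Tuple[Set[str], Set[str]]:
    """Split the refanged indicator list into domain and IP sets."""
    domains: Set[str] = set()
    ips: Set[str] = set()
    for ioc in defanged:
        value = refang(ioc)
        (ips if classify(value) == "ip" else domains).add(value)
    return domains, ips


def host_matches(host: str, domains: Set[str]) -> Optional[str]:
    """Exact or subdomain match only: cdn.kmyjh.top matches kmyjh.top,
    but notkmyjh.top does not (no bare suffix matching)."""
    host = host.lower().rstrip(".")
    for domain in domains:
        if host == domain or host.endswith("." + domain):
            return domain
    return None


# Loose extractors for hostnames and IPv4 literals anywhere in a log line.
HOST_RE = re.compile(r"\b(?:[a-z0-9-]+\.)+[a-z]{2,}\b", re.IGNORECASE)
IP_RE = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")


def scan_line(line: str, domains: Set[str], ips: Set[str]) -> List[Dict[str, str]]:
    """Return one hit record per indicator observed in the line."""
    hits: List[Dict[str, str]] = []
    for ip in IP_RE.findall(line):
        if ip in ips:
            hits.append({"type": "ip", "indicator": ip, "observed": ip})
    for host in HOST_RE.findall(line):
        matched = host_matches(host, domains)
        if matched:
            hits.append({"type": "domain", "indicator": matched, "observed": host})
    return hits


def scan_logs(lines: List[str]) -> List[Dict]:
    """Scan every line; return only lines that contain at least one hit."""
    domains, ips = build_matchers(DEFANGED_IOCS)
    alerts = []
    for line_no, line in enumerate(lines, start=1):
        hits = scan_line(line, domains, ips)
        if hits:
            alerts.append({"line_no": line_no, "line": line, "hits": hits})
    return alerts


# Constructed sample log lines (not from the report); client IPs and the
# cdn./notkmyjh hostnames are invented to exercise the matching rules.
SAMPLE_LOGS = [
    "2025-03-01T08:12:03Z dns client=10.0.0.21 query=bafanglaicai888.top type=A",
    "2025-03-01T08:12:04Z proxy client=10.0.0.21 dst=156.244.19.63:443 method=CONNECT",
    "2025-03-01T08:15:40Z dns client=10.0.0.33 query=cdn.kmyjh.top type=A",
    "2025-03-01T08:16:02Z dns client=10.0.0.33 query=notkmyjh.top type=A",
    "2025-03-01T08:20:11Z proxy client=10.0.0.40 dst=play.google.com:443 method=CONNECT",
]

if __name__ == "__main__":
    for alert in scan_logs(SAMPLE_LOGS):
        for hit in alert["hits"]:
            print(f"line {alert['line_no']}: {hit['type']} indicator "
                  f"{hit['indicator']} observed as {hit['observed']}")
```

Three of the five constructed lines should alert: the first-stage delivery domain, the CONNECT to the listed IP, and the subdomain under kmyjh.top. The lookalike notkmyjh.top and the legitimate Play Store host produce nothing, which is the behaviour to check before feeding a sighting like this into a SIEM rule.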
Full Story: https://dti.domaintools.com/newly-registered-domains-distributing-spynote-malware/