This article discusses the rise of malicious mobile applications targeting Polish users, in particular the Antidot malware, which disguises itself as a legitimate software update. The malware has keylogging and remote-access capabilities that give attackers control over infected devices. The article highlights a new campaign in which fake Google Chrome update alerts, served from compromised Polish websites, lead victims to install the malicious applications.
Affected: mobile devices, Polish users, online shopping platforms, the Polish banking sector
Keypoints :
- The Polish cyber threat landscape is experiencing an increase in malicious mobile applications.
- Antidot malware masquerades as legitimate Google Play updates.
- The malware includes overlay and keylogging capabilities, as well as a VNC module for remote control.
- Cybercriminals are using compromised Polish websites to prompt visitors to download malicious files.
- Two malware families are involved: Lumma Stealer (a Windows information stealer) and Antidot (an Android banking trojan).
- The fake applications request permission to install additional applications and to post notifications.
- Once installed, the malware engages in background malicious activities while locking the victim’s screen.
- The malware is obfuscated with custom encryption and communicates with a command-and-control (C2) server.
- Specific compromised websites have been identified in Poland.
MITRE ATT&CK Tactics :
- TA0001 – Initial Access: Compromised Polish websites used to deliver malware under the guise of a browser update.
- TA0002 – Execution: Installation of malicious applications by tricking users into allowing installation from unknown sources.
- TA0003 – Persistence: Creation of a fake application icon that mimics Google Chrome to maintain a presence on the victim's device.
- TA0004 – Privilege Escalation: Requesting Android Accessibility Service permissions to control the victim's device.
- TA0006 – Credential Access: Keylogging and overlay capabilities of the Antidot malware to capture sensitive information.
- TA0011 – Command and Control: Connecting to a malicious C2 server to receive commands.
Indicators of Compromise :
- [Application] com.hilabilu.device
- [Application] com.rocanoji.platform
- [Application] com.zabogutajo.associative
- [Application] com.fagulave.data
- [C2] https://gofromstr.store:8501
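The following triage script is an added example, not code from the original report or from CERT Polska. It takes the package-name and C2 IOCs above and the behaviours listed in the key points (requesting permission to install further apps and post notifications, overlays, Accessibility abuse) and runs them over the output of three common adb commands plus a proxy log. The adb output layouts it parses and the mapping of those behaviours onto Android permission names are assumptions documented in the code; all sample device and log data is constructed, and `com.example.dropper` is a hypothetical package used only to show the behavioural checks firing without an IOC match.

```python
import re
from urllib.parse import urlsplit

# Package names and C2 taken from the page's IOC list.
IOC_PACKAGES = {
    "com.hilabilu.device",
    "com.rocanoji.platform",
    "com.zabogutajo.associative",
    "com.fagulave.data",
}
IOC_C2 = "https://gofromstr.store:8501"

# Assumed mapping of the page's described behaviours onto permission names.
RISKY_PERMISSIONS = {
    "android.permission.REQUEST_INSTALL_PACKAGES": "can install additional apps",
    "android.permission.POST_NOTIFICATIONS": "can post fake update alerts",
    "android.permission.SYSTEM_ALERT_WINDOW": "can draw overlays",
}


def third_party_packages(pm_output: str) -> set[str]:
    """Parse `adb shell pm list packages -3` output: one `package:<name>` per line."""
    return {l.split(":", 1)[1].strip() for l in pm_output.splitlines() if l.startswith("package:")}


def requested_permissions(dumpsys_output: str) -> dict[str, set[str]]:
    """Parse `adb shell dumpsys package` text into {package: requested permissions}.
    Assumed layout: `Package [<name>] (...)` header, then an indented
    `requested permissions:` block; install/runtime permission blocks are skipped."""
    perms: dict[str, set[str]] = {}
    current, in_requested = None, False
    for line in dumpsys_output.splitlines():
        header = re.match(r"\s*Package \[([\w.]+)\]", line)
        if header:
            current, in_requested = header.group(1), False
            perms[current] = set()
            continue
        text = line.strip()
        if text.endswith("permissions:"):
            in_requested = text == "requested permissions:"
        elif in_requested and current and text.startswith("android.permission."):
            perms[current].add(text.split(":", 1)[0])
    return perms


def enabled_accessibility_packages(settings_output: str) -> set[str]:
    """Parse `adb shell settings get secure enabled_accessibility_services`:
    colon-separated `<package>/<service>` entries, or the literal `null`."""
    value = settings_output.strip()
    if value in ("", "null"):
        return set()
    return {entry.split("/", 1)[0] for entry in value.split(":") if entry}


def triage(pm_output: str, dumpsys_output: str, settings_output: str) -> dict[str, list[str]]:
    """Return {package: [reasons]} for third-party apps that match an IOC or a behaviour."""
    third = third_party_packages(pm_output)
    findings: dict[str, list[str]] = {}
    for pkg in sorted(third & IOC_PACKAGES):
        findings.setdefault(pkg, []).append("package name on the Antidot IOC list")
    for pkg in sorted(third & enabled_accessibility_packages(settings_output)):
        findings.setdefault(pkg, []).append("third-party app enabled as an Accessibility service")
    for pkg, perms in sorted(requested_permissions(dumpsys_output).items()):
        for perm, why in RISKY_PERMISSIONS.items():
            if pkg in third and perm in perms:
                findings.setdefault(pkg, []).append(f"requests {perm.rsplit('.', 1)[1]} ({why})")
    return findings


def c2_hits(log_lines: list[str]) -> list[str]:
    """Return log lines whose URL host is the C2 host or a subdomain of it.
    Hosts are compared after URL parsing, not by substring, so that
    look-alikes such as gofromstr.store.example.com are not matched."""
    c2_host = urlsplit(IOC_C2).hostname
    hits = []
    for line in log_lines:
        for url in re.findall(r"https?://\S+", line):
            host = urlsplit(url).hostname or ""
            if host == c2_host or host.endswith("." + c2_host):
                hits.append(line)
                break
    return hits


# Constructed sample data (not real device output). com.example.dropper is hypothetical.
SAMPLE_PM = "package:com.example.notes\npackage:com.hilabilu.device\npackage:com.example.dropper\n"
SAMPLE_DUMPSYS = """\
Package [com.hilabilu.device] (1a2b3c):
  requested permissions:
    android.permission.INTERNET
    android.permission.REQUEST_INSTALL_PACKAGES
    android.permission.POST_NOTIFICATIONS
    android.permission.SYSTEM_ALERT_WINDOW
  install permissions:
    android.permission.INTERNET: granted=true
Package [com.example.notes] (4d5e6f):
  requested permissions:
    android.permission.INTERNET
    android.permission.POST_NOTIFICATIONS
Package [com.example.dropper] (7a8b9c):
  requested permissions:
    android.permission.INTERNET
    android.permission.REQUEST_INSTALL_PACKAGES
"""
SAMPLE_SETTINGS = ("com.example.dropper/com.example.dropper.Svc:"
                   "com.google.android.marvin.talkback/com.google.android.marvin.talkback.TalkBackService")
SAMPLE_PROXY_LOG = [
    "src=10.0.0.12 GET https://www.google.com/ 200",
    "src=10.0.0.12 POST https://gofromstr.store:8501/api/ 200",
    "src=10.0.0.12 GET https://gofromstr.store.example.com/ 200",
    "src=10.0.0.12 GET https://cdn.gofromstr.store/update.apk 200",
]

if __name__ == "__main__":
    for pkg, reasons in triage(SAMPLE_PM, SAMPLE_DUMPSYS, SAMPLE_SETTINGS).items():
        print(pkg, reasons)
    print(c2_hits(SAMPLE_PROXY_LOG))
```

On a real device, feed `triage` the output of `adb shell pm list packages -3`, `adb shell dumpsys package` and `adb shell settings get secure enabled_accessibility_services`. An IOC match is conclusive on its own; the behavioural checks are there because package names in this campaign are generated and will change, while a third-party app that is both an enabled Accessibility service and allowed to install further packages is rare enough to deserve manual review.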