Kaspersky researchers discovered SandStrike, a previously unknown Android espionage campaign, in the third quarter of 2022. The actor distributes a VPN app containing highly sophisticated spyware to a Persian-speaking religious minority, the Bahá. Kaspersky researchers also discovered an advanced upgrade of the DeathNote cluster and investigated never-before-seen malware Metatron in collaboration with SentinelOne. This, and other findings, are detailed in Kaspersky’s most recent quarterly threat intelligence summary.
Adversaries set up Facebook and Instagram accounts with over 1,000 followers and designed appealing religious-themed graphic materials to entice victims into downloading the spyware implants, creating an effective trap for adherents of this belief. The majority of these social media accounts include a link to a Telegram channel that the attacker also created.
The actor behind SandStrike distributed a seemingly harmless VPN application in this channel to access sites banned in certain regions, such as religious-related materials. Adversaries must also set up their own VPN infrastructure in order for this application to function properly.
However, the VPN client includes fully functional spyware that allows threat actors to collect and steal sensitive data such as call logs and contact lists, as well as track any further activities of persecuted individuals.
Throughout the third quarter of 2022, APT actors were continuously changing their tactics, sharpening their toolsets and developing new techniques. The most significant findings include:
Experts from Kaspersky Lab observed Lazarus using the DeathNote cluster against victims in South Korea. The actor may have used a strategic web compromise, employing an infection chain similar to that previously reported by Kaspersky researchers, to attack an endpoint security program. Experts discovered, however, that the malware and infection schemes had also been updated. The actor used previously unseen malware with limited functionality to execute commands from the C2 server. The operator remained hidden in the victim’s environment for a month while collecting system information using this implanted backdoor.
Kaspersky researchers discovered numerous APT campaigns targeting governmental institutions in the third quarter of 2022. HotCousin has attempted to undermine foreign affairs ministries in Europe, Asia, Africa, and South America this year, according to our recent investigations.
“As we can see from the analysis of the last three months, APT actors are now strenuously used to create attack tools and improve old ones to launch new malicious campaigns. In their attacks, they use cunning and unexpected methods: SandStrike, attacking users via VPN service, where victims tried to find protection and security, is an excellent example. Today it is easy to distribute malware via social networks and remain undetected for several months or even more. This is why it is so important to be as alert as ever and make sure you are armed with threat intelligence and the right tools to protect from existing and emerging threats,” comments Victor Chebyshev, lead security researcher at Kaspersky’s GReAT.To read the full APT Q3 2022 trends report, please visit Securelist.com
