
Cybersecurity researchers have revealed that Russian military personnel are the targets of a new malicious campaign that distributes Android spyware disguised as the Alpine Quest mapping software.
“The attacker will hide this Trojan within the modified Alpine Quest mapping software and distribute it in a variety of ways, including one of the Russian Android app catalogs,” Doctor Web said in its analysis.
The Trojan is built into older versions of the software and is propagated as a free copy of Alpine Quest Pro, the edition with extended functionality.
The Russian cybersecurity vendor tracks the malware as Android.Spy.1292.origin and says it was distributed as APK files via fake Telegram channels.

The threat actors first posted, in the Telegram channel, a link to download the app from one of the Russian app catalogs; the Trojanized version was later distributed directly in the channel as an APK posing as an app update.
What is noteworthy about the campaign is that the attackers take advantage of the fact that Alpine Quest is used by Russian soldiers in the special military operation zone.
Once installed on an Android device, the malware-laced app looks and functions like the original, which lets it stay undetected for a long time while it collects sensitive data: the mobile phone number and its associated accounts, the contact list, the current date and geolocation, stored files, and the app version.
In addition to sending the victim's location to a Telegram bot every time it changes, the spyware can download and run additional modules that extract files sent via Telegram and WhatsApp, as well as other files of particular interest.

“Android.Spy.1292.origin not only monitors user locations, but also hijacks sensitive files,” Doctor Web said. “In addition, that functionality can be extended via downloading new modules, allowing you to perform a spectrum of malicious tasks.”
To mitigate the risk posed by such threats, we recommend downloading Android apps only from trusted app marketplaces and avoiding downloads of paid versions of software from suspicious sources.
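A defender-side check against the kind of repackaging described above, added here as an example and not code from the article, from Doctor Web, or from the Alpine Quest project: pin the SHA-256 fingerprint of the genuine developer's signing certificate and refuse any APK whose v1 (JAR) signature file carries a different certificate, which a rebuilt "free Pro" copy cannot reproduce without the developer's private key. Everything below is constructed inline so it runs offline: the toy "certificate" is a plain DER SEQUENCE rather than real X.509, the APK is a zip built in memory, and all function names are my own.

```python
import hashlib
import io
import zipfile


def der_encode(tag: int, body: bytes) -> bytes:
    """Encode one DER TLV (used only to build the constructed sample APK)."""
    n = len(body)
    if n < 0x80:
        return bytes([tag, n]) + body
    length_bytes = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(length_bytes)]) + length_bytes + body


def der_read(buf: bytes, pos: int):
    """Read one single-byte-tag TLV at buf[pos]; return (tag, value, end_offset)."""
    tag = buf[pos]
    length = buf[pos + 1]
    pos += 2
    if length & 0x80:                      # long form: next N bytes hold the length
        n = length & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    return tag, buf[pos:pos + length], pos + length


def extract_certificates(pkcs7: bytes) -> list[bytes]:
    """Return the DER certificates embedded in a PKCS#7 SignedData blob.

    Layout walked: ContentInfo SEQ { OID, [0] EXPLICIT SignedData SEQ {
    version, digestAlgorithms SET, encapContentInfo SEQ,
    certificates [0] IMPLICIT SET OF Certificate OPTIONAL, ... } }
    """
    tag, content_info, _ = der_read(pkcs7, 0)
    if tag != 0x30:
        raise ValueError("not a DER SEQUENCE")
    _, _oid, pos = der_read(content_info, 0)          # contentType OID
    tag, explicit0, _ = der_read(content_info, pos)   # [0] EXPLICIT wrapper
    if tag != 0xA0:
        raise ValueError("missing [0] EXPLICIT content")
    _, signed_data, _ = der_read(explicit0, 0)        # SignedData SEQUENCE
    pos = 0
    for _skip in range(3):                            # version, digestAlgorithms, encapContentInfo
        _, _, pos = der_read(signed_data, pos)
    tag, cert_set, _ = der_read(signed_data, pos)
    if tag != 0xA0:                                   # certificates are OPTIONAL
        return []
    certs, p = [], 0
    while p < len(cert_set):
        _, _, end = der_read(cert_set, p)
        certs.append(cert_set[p:end])                 # full TLV, which is what gets fingerprinted
        p = end
    return certs


def cert_fingerprint(cert_der: bytes) -> str:
    return hashlib.sha256(cert_der).hexdigest()


def apk_signer_fingerprints(apk_bytes: bytes) -> set[str]:
    """SHA-256 fingerprints of every signer certificate in the APK's v1 signature files."""
    fps = set()
    with zipfile.ZipFile(io.BytesIO(apk_bytes)) as z:
        for name in z.namelist():
            if name.startswith("META-INF/") and name.upper().endswith((".RSA", ".DSA", ".EC")):
                for cert in extract_certificates(z.read(name)):
                    fps.add(cert_fingerprint(cert))
    return fps


def signed_by_pinned_developer(apk_bytes: bytes, pinned: set[str]) -> bool:
    """True only if the APK is signed and every signer is a pinned, known-good certificate."""
    fps = apk_signer_fingerprints(apk_bytes)
    return bool(fps) and fps <= pinned


# --- Constructed sample data: a stand-in certificate and a toy APK around it ---
OID_SIGNED_DATA = bytes.fromhex("2A864886F70D010702")   # 1.2.840.113549.1.7.2
OID_DATA = bytes.fromhex("2A864886F70D010701")          # 1.2.840.113549.1.7.1


def make_dummy_cert(subject: bytes) -> bytes:
    """Placeholder 'certificate' (a DER SEQUENCE, not real X.509) so the demo runs offline."""
    return der_encode(0x30, der_encode(0x02, b"\x01") + der_encode(0x0C, subject))


def build_sample_apk(cert_der: bytes) -> bytes:
    """Constructed APK-shaped zip whose v1 signature file carries cert_der."""
    signed_data = der_encode(0x30,
        der_encode(0x02, b"\x01")                        # version
        + der_encode(0x31, b"")                          # digestAlgorithms (empty in this toy)
        + der_encode(0x30, der_encode(0x06, OID_DATA))   # encapContentInfo
        + der_encode(0xA0, cert_der)                     # certificates [0] IMPLICIT
        + der_encode(0x31, b""))                         # signerInfos (empty in this toy)
    pkcs7 = der_encode(0x30, der_encode(0x06, OID_SIGNED_DATA) + der_encode(0xA0, signed_data))
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        z.writestr("AndroidManifest.xml", b"constructed placeholder, not a real manifest")
        z.writestr("META-INF/CERT.RSA", pkcs7)
    return buf.getvalue()


GENUINE_CERT = make_dummy_cert(b"CN=constructed genuine developer")
REPACKAGED_CERT = make_dummy_cert(b"CN=constructed repackager")
PINNED = {cert_fingerprint(GENUINE_CERT)}   # in practice taken from a known-good APK, never from the sample

if __name__ == "__main__":
    print("genuine build   :", signed_by_pinned_developer(build_sample_apk(GENUINE_CERT), PINNED))
    print("repackaged build:", signed_by_pinned_developer(build_sample_apk(REPACKAGED_CERT), PINNED))
```

Modern APKs are additionally signed through the v2/v3 APK Signing Block, which this walker does not parse; in a review pipeline, `apksigner verify --print-certs` reports the signer fingerprints for all schemes and is the tool to use on real files. The pinned fingerprint must come from a copy obtained through the official store, not from the APK being judged, since anyone can sign a repackaged build with a fresh key.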
Russian Organizations Targeted by a New Windows Backdoor
The disclosure comes as Kaspersky revealed that various large Russian organizations across the government, finance and industrial sectors are being targeted by a sophisticated backdoor disguised as an update for the secure networking software ViPNet.

“The backdoor targets computers connected to the ViPNet network,” the company said in its preliminary report. “The backdoor was distributed within the LZH archive, which has a structure typical of updating the software product in question.”
Residing in the archive is a malicious executable (“msinfo32.exe”) that acts as a loader for an encrypted payload contained in an accompanying file.
“The loader processes the contents of the file to load the backdoor into memory,” Kaspersky said. “This backdoor is versatile. It can connect to the C2 server via TCP, allowing an attacker to steal files from an infected computer and launch especially malicious components.”