The Gilgit-Baltistan region has recently seen a new Android spyware, Kamran, that targets Urdu speakers. The attackers used a watering hole attack, compromising the Hunza News website (urdu.hunzanews.net) to distribute the malicious app. This report gives an overview of the Kamran malware, its features, and measures to stop it.
Kamran was delivered through a compromised regional news website. The malware was active from January 7, 2023, to March 21, 2023; during that period visitors were prompted to install the malicious app directly from the site. Upon installation, one of its first actions is to request intrusive permissions that let it collect sensitive information such as contacts, call logs and GPS location data, among other things. The captured data is then sent to a command-and-control (C2) server hosted on Firebase.
Upgrade and new threat vector:
Although Kamran has a simple design without remote control functionality and retransmits the same information each time it is activated, it still poses a serious risk: it has compromised at least twenty mobile phones. By attacking through a regional news readership, the operators strategically targeted a specific audience at a time of heightened tension in the region.
SIEM rules refinement:
To make SIEM systems more effective, organizations should refine them with detection rules written specifically for Kamran. The focus is on monitoring network traffic for communication with the identified domains hunzanews.com and hunzanews.net, the IP addresses 220.127.116.11 and 18.104.22.168, and the URL https://hunzanews.net/wp-content/uploads/apk/app-release.apk. In addition, mobile devices should have rules that flag unusual permission requests and data exfiltration activity.
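As an added example of such a rule (not code from the bulletin or from Positka), the Python below matches the bulletin's listed domains, IP addresses, download URL and file hashes against proxy log lines; the five-field log layout and the sample lines are constructed assumptions, and the hashes are assumed to be SHA-1.

```python
import hashlib
from urllib.parse import urlparse

# Indicators copied from the bulletin above.
IOC_DOMAINS = {"hunzanews.com", "hunzanews.net"}
IOC_IPS = {"220.127.116.11", "18.104.22.168"}
IOC_URLS = {"https://hunzanews.net/wp-content/uploads/apk/app-release.apk"}
IOC_HASHES = {  # 40-hex digests from the bulletin; assumed to be SHA-1
    "dcc1a353a178abf4f441a5587e15644a388c9d9c",
    "bc2b7c4df3b895be4c7378d056792664fceec591",
    "0f0259f288141edbe4ab2b8032911c69e03817d2",
}

def host_matches(host):
    """True if host is an IOC domain or a subdomain of one (e.g. urdu.hunzanews.net)."""
    host = host.lower().rstrip(".")
    return any(host == d or host.endswith("." + d) for d in IOC_DOMAINS)

def check_log_line(line):
    """Return the IOC hits for one proxy-log line, or [] if none.
    Assumed (constructed) log layout: <timestamp> <client_ip> <dest_ip> <method> <url>"""
    parts = line.split()
    if len(parts) != 5:
        return []  # unparseable line: leave it to a separate parse-failure alert
    _ts, _client, dest_ip, _method, url = parts
    host = urlparse(url).hostname or ""
    hits = []
    if dest_ip in IOC_IPS:
        hits.append("ioc_ip:" + dest_ip)
    if host_matches(host):
        hits.append("ioc_domain:" + host)
    if url in IOC_URLS:
        hits.append("ioc_url:apk_download")
    return hits

def scan_log(lines):
    """Return (line, hits) for every line that touched a Kamran indicator."""
    return [(line, hits) for line in lines if (hits := check_log_line(line))]

def file_hash_is_ioc(data):
    """True if the SHA-1 of the given file bytes matches a listed hash."""
    return hashlib.sha1(data).hexdigest() in IOC_HASHES

# Constructed sample log: an APK download from the IOC host, a clean request,
# and a visit to the compromised Urdu site itself.
SAMPLE_LOG = [
    "2023-02-01T10:00:00Z 10.0.0.5 18.104.22.168 GET https://hunzanews.net/wp-content/uploads/apk/app-release.apk",
    "2023-02-01T10:00:01Z 10.0.0.5 93.184.216.34 GET https://example.com/index.html",
    "2023-02-01T10:00:02Z 10.0.0.7 203.0.113.9 GET https://urdu.hunzanews.net/",
]
```

The subdomain match is what catches urdu.hunzanews.net, which the bulletin names as the distribution site but which is not itself in the domain list.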
To defend against the likes of GootLoader, organizations should consider a multi-faceted approach. This includes URL analysis, using decoy files, analyzing client-server payload profiles, employing file hashing, searching file contents with pattern matching, setting system configuration permissions, monitoring process spawn behaviour, and filtering network traffic. By doing this, organizations can avoid falling victim to these threats.
Indicators of Compromise (IOCs):
- dcc1a353a178abf4f441a5587e15644a388c9d9c
- bc2b7c4df3b895be4c7378d056792664fceec591
- 0f0259f288141edbe4ab2b8032911c69e03817d2
- Block the identified domains and IP addresses.
- Monitor network traffic for communication with these entities.
- Install an effective endpoint protection solution to find and eliminate Kamran spyware.
- Run regular scans for Kamran file hashes.
- Teach users about the dangers of downloading applications from untrusted sources.
- Encourage immediate reporting of suspicious activities on their devices.
SIEM and Monitoring:
- Modify SIEM rules to capture Kamran-specific activities.
- Observe mobile device permissions and exfiltration patterns.
The emergence of Kamran shows an evolving mobile threat landscape that underlines the need for proactive cyber security measures. Organizations and users in Gilgit-Baltistan should stay watchful, apply the recommended preventive measures, and keep in touch with the wider cyber security community to track any new threats as they emerge. To prevent threats like Kamran, continuous monitoring and sharing of threat intelligence are indispensable.
This threat bulletin was researched and created by Arunagiri S, a SOC analyst at Positka.