Introduction:
A new Android spyware, named Kamran, has been observed targeting Urdu-speaking users in the Gilgit-Baltistan region. The attackers used a watering hole attack, compromising the Hunza News website (urdu.hunzanews.net) to distribute the malicious app. This report gives an overview of the Kamran malware, its capabilities, and the measures needed to detect and stop it.
Malware overview:
Kamran was delivered through a compromised regional news website. The campaign was active from January 7, 2023 to March 21, 2023; during that window, visitors to the site were prompted to install the malicious app directly from it. On installation the app requests intrusive permissions that let it collect sensitive information such as contacts, call logs and GPS location data, among others. The captured data is then uploaded to a Firebase-hosted command-and-control (C2) server.
Upgrade and new threat vector:
Kamran has a simple design: it has no remote-control functionality, and each time it is launched it re-collects and re-uploads the same categories of data. It still poses a serious risk; at least twenty mobile devices are known to have been compromised. By delivering the app through a regional news site, the attackers reached a specific audience, the site's local readership, at a time of heightened tension in the region.
SIEM rules refinement:
To detect Kamran, SIEM rules should be refined to include detection content specific to it. The focus is monitoring network traffic for communication with the identified domains hunzanews.com and hunzanews.net, the IP addresses 34.120.160.131 and 191.101.13.235, and the URL https://hunzanews.net/wp-content/uploads/apk/app-release.apk. In addition, mobile device telemetry should be covered by rules that flag unusual permission requests and data exfiltration activity.
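The network rule described above, implemented as a small matcher over log lines. This is an added example written for this bulletin, not Positka's code; the log schema, sensor names and sample lines are constructed for the example. Note that the IOC section lists only the distribution infrastructure and gives no Firebase C2 endpoint, so a rule built from these indicators catches the site visit and the APK download, not the later data upload.

```python
"""Match network telemetry against the Kamran network IOCs listed in this
bulletin. Added example; not code from the bulletin or from Positka."""
import re
from urllib.parse import urlparse

# Network indicators copied from the IOC section of the bulletin.
IOC_DOMAINS = {"hunzanews.com", "hunzanews.net"}
IOC_HOSTNAMES = {"urdu.hunzanews.net"}
IOC_IPS = {"34.120.160.131", "191.101.13.235"}
IOC_URLS = {"https://hunzanews.net/wp-content/uploads/apk/app-release.apk"}

# Assumed log schema (an assumption for this example, not a vendor format):
#   <timestamp> <sensor> <client_ip> <kind> <value>
# where kind is dns (value = queried name), proxy (value = full URL) or
# flow (value = destination IP).
LOG_RE = re.compile(
    r"^(?P<ts>\S+) (?P<sensor>\S+) (?P<client>\S+) (?P<kind>dns|proxy|flow) (?P<value>\S+)$"
)

# Constructed sample lines: one client walks the whole chain (DNS lookup,
# APK download, contact with an IOC IP); the other client is benign.
SAMPLE_LOGS = [
    "2023-02-10T09:12:01Z dns01 10.0.5.23 dns urdu.hunzanews.net",
    "2023-02-10T09:12:02Z proxy01 10.0.5.23 proxy https://hunzanews.net/wp-content/uploads/apk/app-release.apk",
    "2023-02-10T09:12:05Z fw01 10.0.5.23 flow 34.120.160.131",
    "2023-02-10T09:13:44Z dns01 10.0.5.40 dns www.example.com",
    "2023-02-10T09:14:10Z proxy01 10.0.5.40 proxy https://www.example.com/news",
    "2023-02-10T09:15:00Z fw01 10.0.5.40 flow 192.0.2.10",
]


def host_matches(host):
    """Return the indicator that covers `host`: an exact IOC hostname, an IOC
    domain, or any subdomain of an IOC domain. Suffix matching uses a leading
    dot so that hunzanews.net.attacker.example does not match."""
    host = host.lower().rstrip(".")
    if host in IOC_HOSTNAMES:
        return host
    for dom in IOC_DOMAINS:
        if host == dom or host.endswith("." + dom):
            return dom
    return None


def classify(kind, value):
    """Map one event to (ioc_type, indicator) or None if it matches nothing."""
    if kind == "dns":
        dom = host_matches(value)
        return ("domain", dom) if dom else None
    if kind == "flow":
        return ("ip", value) if value in IOC_IPS else None
    if kind == "proxy":
        if value in IOC_URLS:
            return ("url", value)  # the exact APK download URL
        dom = host_matches(urlparse(value).hostname or "")
        return ("domain", dom) if dom else None
    return None


def scan_logs(lines):
    """Run the matcher over raw log lines and return one alert per hit."""
    alerts = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue  # not in the assumed schema; a real pipeline would count these
        hit = classify(m["kind"], m["value"])
        if hit:
            alerts.append({"ts": m["ts"], "client": m["client"],
                           "ioc_type": hit[0], "indicator": hit[1], "raw": m["value"]})
    return alerts


if __name__ == "__main__":
    for a in scan_logs(SAMPLE_LOGS):
        print(f"{a['ts']} {a['client']} {a['ioc_type']}={a['indicator']} ({a['raw']})")
```

Run against the sample lines, the matcher raises three alerts, all for client 10.0.5.23, and nothing for the benign client. Because the compromised site is a legitimate news outlet, a domain hit on its own identifies a reader, not an infection; the URL hit on app-release.apk is the event worth escalating.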
Preventive measures:
To defend against threats like Kamran, organizations should consider a multi-faceted approach. This includes URL analysis, the use of decoy files, analysis of client-server payload profiles, file hashing, pattern-matching searches of file contents, system configuration permissions, process spawn analysis, and network traffic filtering. Together these measures reduce the chance of an organization falling victim to such threats.
Indicators of Compromise (IOCs):
Domains:
- hunzanews.com
- hunzanews.net
Hostname:
- urdu.hunzanews.net
URL:
- https://hunzanews.net/wp-content/uploads/apk/app-release.apk
IPv4 Addresses:
- 34.120.160.131
- 191.101.13.235
File Hashes (SHA256):
- 016c602caf1731d2d53e7f93dd41c04b26778a65c5c27e64a2f0c2c8d5fb87e0
File Hashes (SHA1):
- dcc1a353a178abf4f441a5587e15644a388c9d9c
- bc2b7c4df3b895be4c7378d056792664fceec591
- 0f0259f288141edbe4ab2b8032911c69e03817d2
File Hashes (MD5):
- 8d5e680e5a026b0e8198a34c1fbc6275
Recommendations:
Network Security:
- Block the identified domains and IP addresses.
- Monitor network traffic for communication with these entities.
Endpoint Protection:
- Deploy an endpoint protection solution capable of detecting and removing Kamran spyware.
- Run regular scans against the Kamran file hashes listed above.
User Awareness:
- Teach users about the dangers of downloading applications from untrusted sources.
- Encourage immediate reporting of suspicious activities on their devices.
SIEM and Monitoring:
- Modify SIEM rules to capture Kamran-specific activities.
- Observe mobile device permissions and exfiltration patterns.
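Endpoint-side triage that combines the two device-level checks above: hash scanning against the listed file hashes, and review of the permissions an app declares. This is an added example, not part of the bulletin or of Positka's tooling. The manifest is a constructed stand-in in the form apktool produces when decoding an APK; the permission-to-data mapping and the two-permission threshold are assumptions made for the example, not findings from a decompiled Kamran sample.

```python
"""Endpoint-side triage of a suspected Kamran APK: hash lookup against the
bulletin's IOC hashes, then a review of the permissions declared in the
app's decoded AndroidManifest.xml. Added example, not Positka's code."""
import hashlib
import os
import tempfile
import xml.etree.ElementTree as ET

# File hashes copied from the IOC section. They describe several distinct
# samples, so a file matches if any one algorithm's set contains its digest.
KAMRAN_HASHES = {
    "sha256": {"016c602caf1731d2d53e7f93dd41c04b26778a65c5c27e64a2f0c2c8d5fb87e0"},
    "sha1": {"dcc1a353a178abf4f441a5587e15644a388c9d9c",
             "bc2b7c4df3b895be4c7378d056792664fceec591",
             "0f0259f288141edbe4ab2b8032911c69e03817d2"},
    "md5": {"8d5e680e5a026b0e8198a34c1fbc6275"},
}

# Real Android permission names that gate the data the bulletin says Kamran
# collects. Which of these Kamran's own manifest declares is an assumption
# based on the bulletin's description, not on a decompiled sample.
SENSITIVE_PERMISSIONS = {
    "android.permission.READ_CONTACTS": "contacts",
    "android.permission.READ_CALL_LOG": "call logs",
    "android.permission.ACCESS_FINE_LOCATION": "GPS location",
    "android.permission.ACCESS_COARSE_LOCATION": "coarse location",
    "android.permission.READ_SMS": "SMS",
    "android.permission.READ_EXTERNAL_STORAGE": "stored files",
}
ANDROID_NS = "{http://schemas.android.com/apk/res/android}"

# Constructed manifest for a fictitious news app (not Kamran's real manifest),
# in the form apktool produces when it decodes an APK.
SAMPLE_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.news">
  <uses-permission android:name="android.permission.INTERNET"/>
  <uses-permission android:name="android.permission.READ_CONTACTS"/>
  <uses-permission android:name="android.permission.READ_CALL_LOG"/>
  <uses-permission android:name="android.permission.ACCESS_FINE_LOCATION"/>
  <application android:label="News"/>
</manifest>"""


def file_digests(path):
    """MD5, SHA-1 and SHA-256 of a file, computed in a single pass."""
    hashers = {algo: hashlib.new(algo) for algo in ("md5", "sha1", "sha256")}
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 16), b""):
            for h in hashers.values():
                h.update(chunk)
    return {algo: h.hexdigest() for algo, h in hashers.items()}


def hash_match(path, indicators=KAMRAN_HASHES):
    """Return (algorithm, digest) for the first IOC set the file hits, else None."""
    for algo, digest in file_digests(path).items():
        if digest in indicators.get(algo, set()):
            return (algo, digest)
    return None


def risky_permissions(manifest_xml):
    """Map each sensitive permission declared in the manifest to the data it exposes."""
    root = ET.fromstring(manifest_xml)
    found = {}
    for el in root.iter("uses-permission"):
        name = el.get(ANDROID_NS + "name")
        if name in SENSITIVE_PERMISSIONS:
            found[name] = SENSITIVE_PERMISSIONS[name]
    return found


def triage(apk_path, manifest_xml, indicators=KAMRAN_HASHES):
    """A known-bad hash is conclusive; otherwise flag an app that asks for two
    or more sensitive permissions (threshold chosen for this example)."""
    verdict = {"hash_match": hash_match(apk_path, indicators),
               "risky_permissions": risky_permissions(manifest_xml)}
    verdict["suspicious"] = (verdict["hash_match"] is not None
                             or len(verdict["risky_permissions"]) >= 2)
    return verdict


def demo():
    """Triage a constructed stand-in file: first against the real IOC hashes
    (no match expected), then against a set seeded with the file's own SHA-256."""
    with tempfile.TemporaryDirectory() as tmp:
        path = os.path.join(tmp, "app-release.apk")
        with open(path, "wb") as f:
            f.write(b"constructed stand-in for an APK, not a real sample\n")
        against_real = triage(path, SAMPLE_MANIFEST)
        seeded = {"sha256": {file_digests(path)["sha256"]}}
        against_seeded = triage(path, SAMPLE_MANIFEST, seeded)
    return against_real, against_seeded


if __name__ == "__main__":
    for label, verdict in zip(("real IOCs", "seeded IOCs"), demo()):
        print(label, verdict)
```

Hash matching only catches the samples already listed; a rebuilt APK with a changed signature has a different digest. The permission review is what still fires on a new build, which is why the bulletin asks for both checks rather than hash scans alone.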
Conclusion:
The emergence of Kamran illustrates an evolving mobile threat landscape and underlines the necessity of proactive cyber security measures. Organizations and users in Gilgit-Baltistan should remain watchful, apply the recommended preventive measures, and stay in touch with the wider cyber security community to track emerging threats. Continuous monitoring and sharing of threat intelligence are indispensable for preventing threats like Kamran.
Reference:
https://thehackernews.com/2023/11/stealthy-kamran-spyware-targeting-urdu.html
https://otx.alienvault.com/pulse/654de908df5bc0af52268f65
This threat bulletin was researched and created by Arunagiri S, a SOC analyst at Positka.