Syria-linked APT group SEA targets Android users with COVID19 lures

Pierluigi Paganini April 17, 2020

Syria-linked APT group SEA recently used COVID-19-themed lures as part of a long-running surveillance campaign, security researchers warn.

Syrian hackers are behind a long-running campaign that has been active since January 2018 and that targets Arabic-speaking Android users.

The campaign, aimed at users in Syria and the surrounding region, was spotted by experts from mobile security firm Lookout. The threat actors employed dozens of Android apps, none of which is available in the official Google Play Store.

“Lookout researchers have uncovered a long-running surveillance campaign tied to Syrian nation-state actors, which recently started using the novel coronavirus as its newest lure to entice its targets to download malware.” reads the analysis published by Lookout.

“This campaign appears to have been active since the start of January 2018, and targets Arabic-speaking users, likely in Syria and the surrounding region.”

The malicious apps employed by Syria-linked hackers have names such as “Covid19”, “Telegram Covid_19”, “Android Telegram”, and “Threema Arabic,” among others.

The experts found 71 malicious Android applications, all of which connected to the same C2 server. Its IP address sits in a block linked to the Syrian Telecommunications Establishment (STE).

STE has a history of hosting C2 infrastructure for the notorious Syria-linked APT group tracked as the Syrian Electronic Army (SEA).

“The IP address of the C2 server is located in a block of addresses held by Tarassul Internet Service Provider, an ISP owned by – and sharing network infrastructure with – the Syrian Telecommunications Establishment (STE) (Freedom House, 2018).” continues the analysis. “STE has a history of hosting infrastructure for the Syrian Electronic Army (SEA), a Syrian state-sponsored hacking group. Notably, the C2 servers of SilverHawk, an Android malware family previously reported on by Lookout researchers, were located on IP addresses belonging to STE.”

Most of the apps discovered by the researchers are SpyNote samples (64 out of 71). Code analysis of 22 of the APKs revealed references to the name “Allosh,” which was previously linked to a known Syrian Electronic Army persona. The same name was also found in paths discovered in binaries associated with the SilverHawk infrastructure.

The remaining 7 of the 71 apps were samples of the SandroRat, AndoServer, and SLRat families. AndoServer samples are purely surveillance software used to spy on victims, while SLRat is an Android remote administration tool.
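The attribution above rests on two pivots: many samples sharing one C2 address whose netblock already appeared in earlier reporting on the same actor, and a recurring string (“Allosh”) inside a subset of the APKs. The script below, added here as an illustration rather than Lookout's own tooling, shows how an analyst would run those pivots over per-sample metadata. Every sample id, family count, IP address, netblock label and string in it is a constructed placeholder (the addresses are RFC 5737 documentation ranges), not an indicator from the campaign.

```python
"""Infrastructure and string pivots over a constructed sample set.

Added example, not Lookout's code. Given per-sample metadata of the kind an
analyst extracts from sandbox runs (family, C2 endpoint, notable strings),
cluster samples that share C2 infrastructure, flag those whose C2 falls inside
a netblock already tied to a known actor, and list samples carrying a pivot
string. All identifiers, IPs and netblocks below are constructed placeholders
(RFC 5737 documentation prefixes), not the campaign's real indicators.
"""
import ipaddress
from collections import Counter, defaultdict

# Constructed "known actor" netblocks, as kept from earlier reporting.
# 192.0.2.0/24 is a documentation prefix, not a real ISP range.
KNOWN_ACTOR_NETBLOCKS = {
    "actor-A-hosting": ipaddress.ip_network("192.0.2.0/24"),
}

# Constructed sample metadata: (sample_id, family, c2_ip, strings_of_interest)
SAMPLES = [
    ("a1", "SpyNote", "192.0.2.10", {"persona-X"}),
    ("a2", "SpyNote", "192.0.2.10", set()),
    ("a3", "SpyNote", "192.0.2.10", {"persona-X"}),
    ("b1", "SandroRat", "192.0.2.10", set()),
    ("c1", "AndoServer", "198.51.100.7", set()),
    ("c2", "SLRat", "198.51.100.7", set()),
    ("d1", "SpyNote", "203.0.113.5", {"persona-X"}),
]


def cluster_by_c2(samples):
    """Group sample ids by the C2 address they contact (insertion order kept)."""
    clusters = defaultdict(list)
    for sample_id, _family, c2_ip, _strings in samples:
        clusters[ipaddress.ip_address(c2_ip)].append(sample_id)
    return dict(clusters)


def attribute_netblock(c2_ip, netblocks=KNOWN_ACTOR_NETBLOCKS):
    """Return the label of the first known netblock containing c2_ip, else None."""
    addr = ipaddress.ip_address(c2_ip)
    for label, net in netblocks.items():
        if addr in net:
            return label
    return None


def pivot_report(samples, netblocks=KNOWN_ACTOR_NETBLOCKS, pivot_string=None):
    """Summarise family mix, C2 overlap, netblock hits and string hits.

    Returns a dict with:
      families     - Counter of family -> number of samples
      c2_clusters  - C2 address (str) -> list of sample ids sharing it
      flagged      - netblock label -> sample ids whose C2 lies in that block
      string_hits  - sample ids whose strings contain pivot_string
    """
    clusters = cluster_by_c2(samples)
    flagged = defaultdict(list)
    for addr, ids in clusters.items():
        label = attribute_netblock(str(addr), netblocks)
        if label:
            flagged[label].extend(ids)
    string_hits = [
        sid for sid, _f, _ip, strs in samples
        if pivot_string is not None and pivot_string in strs
    ]
    return {
        "families": Counter(f for _s, f, _ip, _st in samples),
        "c2_clusters": {str(a): ids for a, ids in clusters.items()},
        "flagged": dict(flagged),
        "string_hits": string_hits,
    }


if __name__ == "__main__":
    report = pivot_report(SAMPLES, pivot_string="persona-X")
    for ip, ids in report["c2_clusters"].items():
        print(f"C2 {ip}: {len(ids)} sample(s) -> {ids}")
    print("families:", dict(report["families"]))
    print("flagged by netblock:", report["flagged"])
    print("string hits:", report["string_hits"])
```

Shared C2 plus a netblock previously tied to the actor is the strong signal; a string hit on its own is weak, since names in paths or resources are trivially reused or planted, which is why the report keeps the three pivots separate rather than collapsing them into one score.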


The researchers pointed out that the SEA group has been active in recent weeks: it launched DDoS attacks against Belgian media and claimed responsibility for defacing PayPal and eBay websites.

“SilverHawk actors initially entered the mobile malware space using the commercial Android surveillance-ware AndroRat, before customizing it and then developing their own mobile tooling.” continues the analysis. “It is in line with known TTPs that a new commercial or public spy tool might have been adopted and used by this actor as part of new surveillance efforts, and there are likely more to be discovered,” the experts conclude.


(SecurityAffairs – SEA, hacking)