XploitSPY: New Android spyware designed by ethical-ish hackers

-

As the COVID-19 lockdown continues, there has been an increasing number of mobile threats appearing on the threat landscape. Android devices are by far the main targets of threat actors which have been delivering fake apps in the form of malicious .APK files to install banking Trojans, like Cerberus, as well as a number of spyware and SMS worms.

 ESET's malware expert, Lukas Stefanko, along with Malware Hunter Team, have uncovered and analysed an interesting new open-source Android Trojan called XploitSPY. 

According to the researchers the malware has been designed by three ethical hackers from India, who reportedly work for a cybersecurity company. However, because Malware Hunter Team has found it being exploited in the wild, either these developers or other nefarious users have decided to use the malware for their own cybercriminal means.

 I was able to find the site, which uses the Heroku platform-as-a-service (PaaS), the same serice used to host control panels for the spyware:


I went ahead and checked the relationships this domain has on VirusTotal out of curiosity: 

What I found was a number of antivirus detections for active use of XploitSPY in the wild, 10 in total. Along with the hits for XploitSPY was another Android malware called "instaPlus.apk" and "InstaPlusSettings.apk". This was more than likely those using the spyware had renamed it and were masquerading as a fake premium version of Instagram. On the developer's GitHub was a Instagram credential harvesting tool as well: 

Some of XploitSPY's features includes: 

Other security researchers noted that XploitSPY appears to be a fork of another Android malware called L3MON, just with upgraded features for further data capture and active spying capabilities. 

 Here's a view of what the control panels may look like for XploitSPY: 


The group behind XploitSPY are calling themselves XploitWizer and claim to be ethical hackers on their GitHub account and that XploitSPY is for an "educational purpose" only: 


However, giving away what appears to be a very powerful Android spyware, which has fairly low detection ratings on VirusTotal, seems to be a reckless thing to do. Once released to the public, the developers are unable to control what those who download XploitSPY do. It is a kit which is readily made out of the box, which also comes with detailed instrustions on how to help you remain concealed from anyone who may want to find you using it with a VPS.These actions makes many in the InfoSec community wonder how ethical these ethical hackers are.

 Organisations need to make sure company devices are setup with reinforced security policies to defend against these types of threats, especially during the COVID-19 lockdown where users are on home WiFi and mobile data, away from corporate detection systems. 

 I have collected and attached IOCs to my OTX Alienvault account here

Special thanks to Lukas Stefanko of ESET and Malware Hunter Team who have been doing some awesome work spotting these Android spyware and banking Trojans in the wild, quickly analysing, and reporting them publicly. We salute you.  

 References:
https://github.com/XploitWizer/XploitSPY
https://github.com/D3VL/L3MON
https://twitter.com/LukasStefanko/status/1249810055924498432
https://twitter.com/malwrhunterteam/status/1249768400806653952

Popular posts from this blog

Raspberry Robin: A global USB malware campaign providing access to ransomware operators

-
Image
Logo credit: RedCanary Ever since it first appeared in late 2021, the Raspberry Robin malware campaign has been propagating globally. A number of threat intelligence reports by vendors such as RedCanary (who named it) and Microsoft (who track it as DEV-0856/Storm-0856) have covered the malware campaign in great detail.  In fact, the list of blogs I do recommend to read to catch up on this threat are as follows: https://redcanary.com/blog/raspberry-robin https://www.microsoft.com/en-us/security/blog/2022/10/27/raspberry-robin-worm-part-of-larger-ecosystem-facilitating-pre-ransomware-activity https://blog.sekoia.io/raspberry-robins-botnet-second-life/ https://decoded.avast.io/janvojtesek/raspberry-robins-roshtyak-a-little-lesson-in-trickery/ https://research.checkpoint.com/2023/raspberry-robin-anti-evasion-how-to-exploit-analysis/ https://securityintelligence.com/posts/raspberry-robin-worm-dridex-malware/ https://blogs.cisco.com/security/raspberry-robin-highly-evasive-worm-spreads-over-e
Read more

Lessons from the iSOON Leaks

-
Image
  Introduction A Chinese Ministry of Public Security (MPS) contractor called  iSOON (also known as Anxun Information) that  specializes in network penetration research and related services has had its data leaked to GitHub. Based on the level of detail, leaked chat logs, amount of data, and corroboration from overlaps indicators of compromise (IOCs), there is a high level of confidence it is legit. Preliminary findings from less than one week since the leak revealed that it contains unprecedented insights into how the Chinese MPS operates by using Chinese commercial surveillance vendors and what their technical capabilities are. The Chinese MPS is China’s internal security service that primarily focuses on  internal and border security, counter-terrorism, surveillance. The MPS is comparable to the  Russian FSB, the US DHS or the UK’s MI5. The most interesting findings have come from iSOON’s product whitepapers and confidential slide deck presentations given to their MPS clients. About
Read more

The Ransomware Tool Matrix

-
Image
Introduction Ransomware attacks are becoming increasingly damaging, but one thing remains consistent: the tools these cybercriminals rely on. The Ransomware Tool Matrix is a comprehensive resource that sheds light on the tactics, techniques, and procedures (TTPs) commonly used by ransomware and extortionist gangs. This repository provides defenders with actionable intelligence on the tools frequently leveraged by adversaries, thanks to the insights shared publicly by the US Cybersecurity and Infrastructure Security Agency (CISA)'s #StopRansomware advisories and The DFIR Report's publications, among others. This repository offers straightforward insights from compiled open source intelligence (OSINT) research that can be directly applied to threat hunting, detection engineering, and incident response operations. Project Background As defenders, we can turn the tables by exploiting a crucial flaw committed by ransomware gangs: tool reuse. Many ransomware gangs repeatedly rely on
Read more